xmrig | 278a58bb465d2be7b99ecd5dbd5e47d7c185351f7c125401f2d5f95e220f791c

Analysis

max time kernel
67s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
Size

1.5MB
MD5

a6f14fa7448438b1d2b9889a80083482
SHA1

36630b6e5409f537370fa3b372207fdb309b171e
SHA256

278a58bb465d2be7b99ecd5dbd5e47d7c185351f7c125401f2d5f95e220f791c
SHA512

1183f21255ac3dd1fe21b7dd820e42b352dc412b36aa910921f1bf10f54d76dabac27a4e46f8977cbc8078d81146ffca9fa5870b8bf28e8b4c2171b706aa921e
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO6zRIhRmuSOVehqHpYlTdNnS:knw9oUUEEDlGUh+hNg7T/S

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/1296-36-0x00007FF6EA1E0000-0x00007FF6EA5D1000-memory.dmp	xmrig
behavioral2/memory/4320-57-0x00007FF7C3970000-0x00007FF7C3D61000-memory.dmp	xmrig
behavioral2/memory/1796-94-0x00007FF739430000-0x00007FF739821000-memory.dmp	xmrig
behavioral2/memory/4016-144-0x00007FF7548A0000-0x00007FF754C91000-memory.dmp	xmrig
behavioral2/memory/4828-148-0x00007FF707720000-0x00007FF707B11000-memory.dmp	xmrig
behavioral2/memory/3540-146-0x00007FF61ED60000-0x00007FF61F151000-memory.dmp	xmrig
behavioral2/memory/3440-137-0x00007FF63C330000-0x00007FF63C721000-memory.dmp	xmrig
behavioral2/memory/2736-98-0x00007FF7C95F0000-0x00007FF7C99E1000-memory.dmp	xmrig
behavioral2/memory/1088-95-0x00007FF757E40000-0x00007FF758231000-memory.dmp	xmrig
behavioral2/memory/3344-89-0x00007FF618560000-0x00007FF618951000-memory.dmp	xmrig
behavioral2/memory/3752-85-0x00007FF7AAA50000-0x00007FF7AAE41000-memory.dmp	xmrig
behavioral2/memory/4676-69-0x00007FF653820000-0x00007FF653C11000-memory.dmp	xmrig
behavioral2/memory/4576-65-0x00007FF6957C0000-0x00007FF695BB1000-memory.dmp	xmrig
behavioral2/memory/2256-835-0x00007FF6E4050000-0x00007FF6E4441000-memory.dmp	xmrig
behavioral2/memory/1464-847-0x00007FF691710000-0x00007FF691B01000-memory.dmp	xmrig
behavioral2/memory/4968-846-0x00007FF68BC90000-0x00007FF68C081000-memory.dmp	xmrig
behavioral2/memory/4424-958-0x00007FF6B1B10000-0x00007FF6B1F01000-memory.dmp	xmrig
behavioral2/memory/1072-1087-0x00007FF679C60000-0x00007FF67A051000-memory.dmp	xmrig
behavioral2/memory/2000-1211-0x00007FF6BE5E0000-0x00007FF6BE9D1000-memory.dmp	xmrig
behavioral2/memory/1532-1310-0x00007FF760D60000-0x00007FF761151000-memory.dmp	xmrig
behavioral2/memory/1320-1407-0x00007FF7F9640000-0x00007FF7F9A31000-memory.dmp	xmrig
behavioral2/memory/2556-1521-0x00007FF6AB610000-0x00007FF6ABA01000-memory.dmp	xmrig
behavioral2/memory/5020-1643-0x00007FF6B1C20000-0x00007FF6B2011000-memory.dmp	xmrig
behavioral2/memory/1124-1756-0x00007FF6AA890000-0x00007FF6AAC81000-memory.dmp	xmrig
behavioral2/memory/1888-1893-0x00007FF726A40000-0x00007FF726E31000-memory.dmp	xmrig
behavioral2/memory/3440-2051-0x00007FF63C330000-0x00007FF63C721000-memory.dmp	xmrig
behavioral2/memory/3540-2069-0x00007FF61ED60000-0x00007FF61F151000-memory.dmp	xmrig
behavioral2/memory/4016-2071-0x00007FF7548A0000-0x00007FF754C91000-memory.dmp	xmrig
behavioral2/memory/1296-2074-0x00007FF6EA1E0000-0x00007FF6EA5D1000-memory.dmp	xmrig
behavioral2/memory/3752-2075-0x00007FF7AAA50000-0x00007FF7AAE41000-memory.dmp	xmrig
behavioral2/memory/4320-2077-0x00007FF7C3970000-0x00007FF7C3D61000-memory.dmp	xmrig
behavioral2/memory/4676-2109-0x00007FF653820000-0x00007FF653C11000-memory.dmp	xmrig
behavioral2/memory/4576-2104-0x00007FF6957C0000-0x00007FF695BB1000-memory.dmp	xmrig
behavioral2/memory/2256-2117-0x00007FF6E4050000-0x00007FF6E4441000-memory.dmp	xmrig
behavioral2/memory/2000-2127-0x00007FF6BE5E0000-0x00007FF6BE9D1000-memory.dmp	xmrig
behavioral2/memory/1320-2129-0x00007FF7F9640000-0x00007FF7F9A31000-memory.dmp	xmrig
behavioral2/memory/2556-2131-0x00007FF6AB610000-0x00007FF6ABA01000-memory.dmp	xmrig
behavioral2/memory/5020-2133-0x00007FF6B1C20000-0x00007FF6B2011000-memory.dmp	xmrig
behavioral2/memory/1532-2125-0x00007FF760D60000-0x00007FF761151000-memory.dmp	xmrig
behavioral2/memory/1072-2123-0x00007FF679C60000-0x00007FF67A051000-memory.dmp	xmrig
behavioral2/memory/4424-2122-0x00007FF6B1B10000-0x00007FF6B1F01000-memory.dmp	xmrig
behavioral2/memory/2736-2119-0x00007FF7C95F0000-0x00007FF7C99E1000-memory.dmp	xmrig
behavioral2/memory/4968-2116-0x00007FF68BC90000-0x00007FF68C081000-memory.dmp	xmrig
behavioral2/memory/1088-2113-0x00007FF757E40000-0x00007FF758231000-memory.dmp	xmrig
behavioral2/memory/1464-2112-0x00007FF691710000-0x00007FF691B01000-memory.dmp	xmrig
behavioral2/memory/4828-2108-0x00007FF707720000-0x00007FF707B11000-memory.dmp	xmrig
behavioral2/memory/3344-2105-0x00007FF618560000-0x00007FF618951000-memory.dmp	xmrig
behavioral2/memory/1796-2102-0x00007FF739430000-0x00007FF739821000-memory.dmp	xmrig
behavioral2/memory/1888-2210-0x00007FF726A40000-0x00007FF726E31000-memory.dmp	xmrig
behavioral2/memory/1124-2162-0x00007FF6AA890000-0x00007FF6AAC81000-memory.dmp	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
4016	aRWKxFN.exe
3540	YRXkkrG.exe
3752	DweXUMP.exe
1296	fUvbCap.exe
4320	FdNrYpV.exe
3344	VcQyIIl.exe
4576	jIujlIu.exe
1796	FuxJSra.exe
4676	OjQHTiN.exe
2256	DycwhTR.exe
4968	rUvdcJj.exe
4828	fMPPrpq.exe
1464	CPEcrRV.exe
1088	AoSHdup.exe
2736	aJRaFoE.exe
1072	tbfpfAz.exe
4424	wDIJhRV.exe
2000	hvyYozA.exe
1532	xLTZaZl.exe
1320	JVPPSHe.exe
2556	frDVPkn.exe
5020	NcNMyiQ.exe
1124	CBMWMFr.exe
1888	NbmQlHh.exe
2712	yKnYJsc.exe
5092	fqRKvic.exe
4140	NRSEkJE.exe
4384	DzmTTwx.exe
3152	HWltwdn.exe
4904	EMohnHz.exe
2348	BUjOPJn.exe
4248	LlHywye.exe
3380	atDwqwo.exe
3480	MkYkBCd.exe
780	gcjWXEI.exe
2456	rrUrvHh.exe
4736	gkUoZSA.exe
1200	ebhrCSM.exe
3560	UCnOLci.exe
5128	PWLPjlc.exe
5172	GXuuLEf.exe
5196	rcrngiJ.exe
5224	XuragVF.exe
5244	HAoHYGE.exe
5272	bABvHSE.exe
5304	eWqPIMb.exe
5328	saHJVHJ.exe
5356	qhbOuOZ.exe
5380	ZzIDFFR.exe
5412	BGdaiDd.exe
5436	OhPDAbw.exe
5464	AaoFwNA.exe
5492	dwneZTX.exe
5516	gHYJMpB.exe
5552	HetfqHG.exe
5576	CsjlYFJ.exe
5628	JgJJtCi.exe
5644	KjVwcnk.exe
5660	TlfDbei.exe
5688	UdxgBug.exe
5716	sMgDOHL.exe
5744	FtTEGgP.exe
5772	FOExHhj.exe
5800	sOISUTx.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3440-0-0x00007FF63C330000-0x00007FF63C721000-memory.dmp	upx
behavioral2/memory/4016-7-0x00007FF7548A0000-0x00007FF754C91000-memory.dmp	upx
behavioral2/files/0x000800000002361f-5.dat	upx
behavioral2/files/0x0007000000023623-9.dat	upx
behavioral2/files/0x0007000000023625-14.dat	upx
behavioral2/files/0x0007000000023624-13.dat	upx
behavioral2/files/0x0007000000023626-24.dat	upx
behavioral2/files/0x0007000000023628-34.dat	upx
behavioral2/memory/1296-36-0x00007FF6EA1E0000-0x00007FF6EA5D1000-memory.dmp	upx
behavioral2/files/0x000700000002362a-46.dat	upx
behavioral2/memory/4320-57-0x00007FF7C3970000-0x00007FF7C3D61000-memory.dmp	upx
behavioral2/files/0x0007000000023629-68.dat	upx
behavioral2/memory/2256-70-0x00007FF6E4050000-0x00007FF6E4441000-memory.dmp	upx
behavioral2/memory/4828-76-0x00007FF707720000-0x00007FF707B11000-memory.dmp	upx
behavioral2/memory/1464-84-0x00007FF691710000-0x00007FF691B01000-memory.dmp	upx
behavioral2/memory/1796-94-0x00007FF739430000-0x00007FF739821000-memory.dmp	upx
behavioral2/files/0x0008000000023620-101.dat	upx
behavioral2/memory/5020-131-0x00007FF6B1C20000-0x00007FF6B2011000-memory.dmp	upx
behavioral2/memory/4016-144-0x00007FF7548A0000-0x00007FF754C91000-memory.dmp	upx
behavioral2/files/0x0007000000023639-157.dat	upx
behavioral2/files/0x000700000002363e-182.dat	upx
behavioral2/files/0x0007000000023640-189.dat	upx
behavioral2/files/0x000700000002363f-187.dat	upx
behavioral2/files/0x000700000002363d-177.dat	upx
behavioral2/files/0x000700000002363c-172.dat	upx
behavioral2/files/0x000700000002363b-165.dat	upx
behavioral2/files/0x000700000002363a-159.dat	upx
behavioral2/files/0x0007000000023638-152.dat	upx
behavioral2/memory/1888-149-0x00007FF726A40000-0x00007FF726E31000-memory.dmp	upx
behavioral2/memory/4828-148-0x00007FF707720000-0x00007FF707B11000-memory.dmp	upx
behavioral2/memory/3540-146-0x00007FF61ED60000-0x00007FF61F151000-memory.dmp	upx
behavioral2/files/0x0007000000023637-143.dat	upx
behavioral2/memory/1124-140-0x00007FF6AA890000-0x00007FF6AAC81000-memory.dmp	upx
behavioral2/memory/3440-137-0x00007FF63C330000-0x00007FF63C721000-memory.dmp	upx
behavioral2/files/0x0007000000023636-136.dat	upx
behavioral2/files/0x0007000000023635-130.dat	upx
behavioral2/memory/2556-127-0x00007FF6AB610000-0x00007FF6ABA01000-memory.dmp	upx
behavioral2/files/0x0007000000023634-124.dat	upx
behavioral2/memory/1320-121-0x00007FF7F9640000-0x00007FF7F9A31000-memory.dmp	upx
behavioral2/files/0x0007000000023633-118.dat	upx
behavioral2/memory/1532-115-0x00007FF760D60000-0x00007FF761151000-memory.dmp	upx
behavioral2/files/0x0007000000023631-107.dat	upx
behavioral2/files/0x0007000000023632-105.dat	upx
behavioral2/memory/2000-104-0x00007FF6BE5E0000-0x00007FF6BE9D1000-memory.dmp	upx
behavioral2/memory/4424-103-0x00007FF6B1B10000-0x00007FF6B1F01000-memory.dmp	upx
behavioral2/memory/1072-100-0x00007FF679C60000-0x00007FF67A051000-memory.dmp	upx
behavioral2/memory/2736-98-0x00007FF7C95F0000-0x00007FF7C99E1000-memory.dmp	upx
behavioral2/memory/1088-95-0x00007FF757E40000-0x00007FF758231000-memory.dmp	upx
behavioral2/files/0x0007000000023630-90.dat	upx
behavioral2/memory/3344-89-0x00007FF618560000-0x00007FF618951000-memory.dmp	upx
behavioral2/memory/3752-85-0x00007FF7AAA50000-0x00007FF7AAE41000-memory.dmp	upx
behavioral2/files/0x000700000002362c-80.dat	upx
behavioral2/files/0x000700000002362f-79.dat	upx
behavioral2/files/0x000700000002362d-78.dat	upx
behavioral2/files/0x000700000002362e-77.dat	upx
behavioral2/memory/4968-72-0x00007FF68BC90000-0x00007FF68C081000-memory.dmp	upx
behavioral2/memory/4676-69-0x00007FF653820000-0x00007FF653C11000-memory.dmp	upx
behavioral2/memory/4576-65-0x00007FF6957C0000-0x00007FF695BB1000-memory.dmp	upx
behavioral2/files/0x000700000002362b-51.dat	upx
behavioral2/files/0x0007000000023627-39.dat	upx
behavioral2/memory/3540-26-0x00007FF61ED60000-0x00007FF61F151000-memory.dmp	upx
behavioral2/memory/2256-835-0x00007FF6E4050000-0x00007FF6E4441000-memory.dmp	upx
behavioral2/memory/1464-847-0x00007FF691710000-0x00007FF691B01000-memory.dmp	upx
behavioral2/memory/4968-846-0x00007FF68BC90000-0x00007FF68C081000-memory.dmp	upx

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\EvSnXjk.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\KQCyAPS.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\HOqRDTy.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\UgShrAh.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\jbTeNxt.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\dgmgZrv.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\ZGrTfsc.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\jRkcIwN.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\GuSAyJK.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\CQReKFe.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\uFpoofV.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\BhfBZPb.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\qbPXgDd.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\jaDABZd.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\GItYeYo.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\ZktQaiO.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\UdxgBug.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\hbJRdpD.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\BDSTNJm.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\AafCfkW.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\NSmuMyx.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\AMdCsKb.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\eUSNfpE.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\MWISqUH.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\BPcVPVp.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\SDXCCjF.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\xFTCtLq.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\tsJuAyi.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\wxIERQL.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\wKeEObW.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\COzdBIX.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\jYymPca.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\ccAYkwF.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\fiGnfpi.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\qrxRpqG.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\VKdEoHG.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\Adaveto.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\oIcVSvt.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\gbcvsml.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\mIWefpT.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\qghhHcN.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\IYIjajv.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\OjQHTiN.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\BUjOPJn.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\IfHGphj.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\NnHAvNE.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\QlaBkDK.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\CeMZJQo.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\UXOoVQY.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\XdUpqak.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\NRSEkJE.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\oTtykaH.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\ZjNTQBd.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\yeWlHMH.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\gXKFgGF.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\zPzWKwa.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\WwRCikW.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\VrqcJxf.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\BcgcjnU.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\mAUEpFp.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\jxPZOfp.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\jGxmfbW.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\QGMgvPw.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
File created	C:\Windows\System32\fOMMSNL.exe	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{4275B096-1ABB-422B-9992-0CC4033FA118}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{C5949D93-32FD-49D0-8A60-5C5DC45998BF}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{256B8BA2-A683-440C-8560-2679ACA80EB8}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{F66CC2C6-EDC6-48A8-8F0C-0177C0B47FF2}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{A09E598C-4915-4B58-87CC-E78C4F0B57F0}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	13968	explorer.exe
Token: SeCreatePagefilePrivilege	13968	explorer.exe
Token: SeShutdownPrivilege	13968	explorer.exe
Token: SeCreatePagefilePrivilege	13968	explorer.exe
Token: SeShutdownPrivilege	13968	explorer.exe
Token: SeCreatePagefilePrivilege	13968	explorer.exe
Token: SeShutdownPrivilege	13968	explorer.exe
Token: SeCreatePagefilePrivilege	13968	explorer.exe
Token: SeShutdownPrivilege	13968	explorer.exe
Token: SeCreatePagefilePrivilege	13968	explorer.exe
Token: SeShutdownPrivilege	13968	explorer.exe
Token: SeCreatePagefilePrivilege	13968	explorer.exe
Token: SeShutdownPrivilege	13968	explorer.exe
Token: SeCreatePagefilePrivilege	13968	explorer.exe
Token: SeShutdownPrivilege	13968	explorer.exe
Token: SeCreatePagefilePrivilege	13968	explorer.exe
Token: SeShutdownPrivilege	13968	explorer.exe
Token: SeCreatePagefilePrivilege	13968	explorer.exe
Token: SeShutdownPrivilege	13968	explorer.exe
Token: SeCreatePagefilePrivilege	13968	explorer.exe
Token: SeShutdownPrivilege	13968	explorer.exe
Token: SeCreatePagefilePrivilege	13968	explorer.exe
Token: SeShutdownPrivilege	13968	explorer.exe
Token: SeCreatePagefilePrivilege	13968	explorer.exe
Token: SeShutdownPrivilege	8440	explorer.exe
Token: SeCreatePagefilePrivilege	8440	explorer.exe
Token: SeShutdownPrivilege	8440	explorer.exe
Token: SeCreatePagefilePrivilege	8440	explorer.exe
Token: SeShutdownPrivilege	8440	explorer.exe
Token: SeCreatePagefilePrivilege	8440	explorer.exe
Token: SeShutdownPrivilege	8440	explorer.exe
Token: SeCreatePagefilePrivilege	8440	explorer.exe
Token: SeShutdownPrivilege	8440	explorer.exe
Token: SeCreatePagefilePrivilege	8440	explorer.exe
Token: SeShutdownPrivilege	8440	explorer.exe
Token: SeCreatePagefilePrivilege	8440	explorer.exe
Token: SeShutdownPrivilege	8440	explorer.exe
Token: SeCreatePagefilePrivilege	8440	explorer.exe
Token: SeShutdownPrivilege	8440	explorer.exe
Token: SeCreatePagefilePrivilege	8440	explorer.exe
Token: SeShutdownPrivilege	8440	explorer.exe
Token: SeCreatePagefilePrivilege	8440	explorer.exe
Token: SeShutdownPrivilege	8440	explorer.exe
Token: SeCreatePagefilePrivilege	8440	explorer.exe
Token: SeShutdownPrivilege	8440	explorer.exe
Token: SeCreatePagefilePrivilege	8440	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe
Token: SeShutdownPrivilege	3152	explorer.exe
Token: SeCreatePagefilePrivilege	3152	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
14324	sihost.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
13968	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
8440	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
3152	explorer.exe
6752	explorer.exe
6752	explorer.exe
6752	explorer.exe
6752	explorer.exe
6752	explorer.exe
6752	explorer.exe
6752	explorer.exe
6752	explorer.exe
6752	explorer.exe
6752	explorer.exe
6752	explorer.exe
6752	explorer.exe
6752	explorer.exe
6752	explorer.exe
6752	explorer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1512	StartMenuExperienceHost.exe
5572	StartMenuExperienceHost.exe
4932	StartMenuExperienceHost.exe
5400	SearchApp.exe
1072	StartMenuExperienceHost.exe
6668	SearchApp.exe
5584	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 4016	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	92
PID 3440 wrote to memory of 4016	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	92
PID 3440 wrote to memory of 3540	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	93
PID 3440 wrote to memory of 3540	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	93
PID 3440 wrote to memory of 3752	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	94
PID 3440 wrote to memory of 3752	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	94
PID 3440 wrote to memory of 1296	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	95
PID 3440 wrote to memory of 1296	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	95
PID 3440 wrote to memory of 4320	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	96
PID 3440 wrote to memory of 4320	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	96
PID 3440 wrote to memory of 3344	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	97
PID 3440 wrote to memory of 3344	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	97
PID 3440 wrote to memory of 4576	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	98
PID 3440 wrote to memory of 4576	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	98
PID 3440 wrote to memory of 2256	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	99
PID 3440 wrote to memory of 2256	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	99
PID 3440 wrote to memory of 1796	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	100
PID 3440 wrote to memory of 1796	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	100
PID 3440 wrote to memory of 4676	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	101
PID 3440 wrote to memory of 4676	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	101
PID 3440 wrote to memory of 4968	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	102
PID 3440 wrote to memory of 4968	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	102
PID 3440 wrote to memory of 4828	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	103
PID 3440 wrote to memory of 4828	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	103
PID 3440 wrote to memory of 1464	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	104
PID 3440 wrote to memory of 1464	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	104
PID 3440 wrote to memory of 1088	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	105
PID 3440 wrote to memory of 1088	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	105
PID 3440 wrote to memory of 2736	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	106
PID 3440 wrote to memory of 2736	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	106
PID 3440 wrote to memory of 1072	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	107
PID 3440 wrote to memory of 1072	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	107
PID 3440 wrote to memory of 4424	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	108
PID 3440 wrote to memory of 4424	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	108
PID 3440 wrote to memory of 2000	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	109
PID 3440 wrote to memory of 2000	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	109
PID 3440 wrote to memory of 1532	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	110
PID 3440 wrote to memory of 1532	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	110
PID 3440 wrote to memory of 1320	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	111
PID 3440 wrote to memory of 1320	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	111
PID 3440 wrote to memory of 2556	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	112
PID 3440 wrote to memory of 2556	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	112
PID 3440 wrote to memory of 5020	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	113
PID 3440 wrote to memory of 5020	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	113
PID 3440 wrote to memory of 1124	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	114
PID 3440 wrote to memory of 1124	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	114
PID 3440 wrote to memory of 1888	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	115
PID 3440 wrote to memory of 1888	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	115
PID 3440 wrote to memory of 2712	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	116
PID 3440 wrote to memory of 2712	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	116
PID 3440 wrote to memory of 5092	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	117
PID 3440 wrote to memory of 5092	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	117
PID 3440 wrote to memory of 4140	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	118
PID 3440 wrote to memory of 4140	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	118
PID 3440 wrote to memory of 4384	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	119
PID 3440 wrote to memory of 4384	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	119
PID 3440 wrote to memory of 3152	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	120
PID 3440 wrote to memory of 3152	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	120
PID 3440 wrote to memory of 4904	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	121
PID 3440 wrote to memory of 4904	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	121
PID 3440 wrote to memory of 2348	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	122
PID 3440 wrote to memory of 2348	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	122
PID 3440 wrote to memory of 4248	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	123
PID 3440 wrote to memory of 4248	3440	a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6f14fa7448438b1d2b9889a80083482_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\System32\aRWKxFN.exe
  C:\Windows\System32\aRWKxFN.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System32\YRXkkrG.exe
  C:\Windows\System32\YRXkkrG.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System32\DweXUMP.exe
  C:\Windows\System32\DweXUMP.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System32\fUvbCap.exe
  C:\Windows\System32\fUvbCap.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System32\FdNrYpV.exe
  C:\Windows\System32\FdNrYpV.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System32\VcQyIIl.exe
  C:\Windows\System32\VcQyIIl.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System32\jIujlIu.exe
  C:\Windows\System32\jIujlIu.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System32\DycwhTR.exe
  C:\Windows\System32\DycwhTR.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System32\FuxJSra.exe
  C:\Windows\System32\FuxJSra.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System32\OjQHTiN.exe
  C:\Windows\System32\OjQHTiN.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System32\rUvdcJj.exe
  C:\Windows\System32\rUvdcJj.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System32\fMPPrpq.exe
  C:\Windows\System32\fMPPrpq.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\CPEcrRV.exe
  C:\Windows\System32\CPEcrRV.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System32\AoSHdup.exe
  C:\Windows\System32\AoSHdup.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System32\aJRaFoE.exe
  C:\Windows\System32\aJRaFoE.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System32\tbfpfAz.exe
  C:\Windows\System32\tbfpfAz.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System32\wDIJhRV.exe
  C:\Windows\System32\wDIJhRV.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System32\hvyYozA.exe
  C:\Windows\System32\hvyYozA.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System32\xLTZaZl.exe
  C:\Windows\System32\xLTZaZl.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System32\JVPPSHe.exe
  C:\Windows\System32\JVPPSHe.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System32\frDVPkn.exe
  C:\Windows\System32\frDVPkn.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System32\NcNMyiQ.exe
  C:\Windows\System32\NcNMyiQ.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System32\CBMWMFr.exe
  C:\Windows\System32\CBMWMFr.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\System32\NbmQlHh.exe
  C:\Windows\System32\NbmQlHh.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System32\yKnYJsc.exe
  C:\Windows\System32\yKnYJsc.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System32\fqRKvic.exe
  C:\Windows\System32\fqRKvic.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System32\NRSEkJE.exe
  C:\Windows\System32\NRSEkJE.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System32\DzmTTwx.exe
  C:\Windows\System32\DzmTTwx.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System32\HWltwdn.exe
  C:\Windows\System32\HWltwdn.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System32\EMohnHz.exe
  C:\Windows\System32\EMohnHz.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System32\BUjOPJn.exe
  C:\Windows\System32\BUjOPJn.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System32\LlHywye.exe
  C:\Windows\System32\LlHywye.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System32\atDwqwo.exe
  C:\Windows\System32\atDwqwo.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System32\MkYkBCd.exe
  C:\Windows\System32\MkYkBCd.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System32\gcjWXEI.exe
  C:\Windows\System32\gcjWXEI.exe
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\System32\rrUrvHh.exe
  C:\Windows\System32\rrUrvHh.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System32\gkUoZSA.exe
  C:\Windows\System32\gkUoZSA.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System32\ebhrCSM.exe
  C:\Windows\System32\ebhrCSM.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System32\UCnOLci.exe
  C:\Windows\System32\UCnOLci.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System32\PWLPjlc.exe
  C:\Windows\System32\PWLPjlc.exe
  2⤵
  - Executes dropped EXE
  PID:5128
- C:\Windows\System32\GXuuLEf.exe
  C:\Windows\System32\GXuuLEf.exe
  2⤵
  - Executes dropped EXE
  PID:5172
- C:\Windows\System32\rcrngiJ.exe
  C:\Windows\System32\rcrngiJ.exe
  2⤵
  - Executes dropped EXE
  PID:5196
- C:\Windows\System32\XuragVF.exe
  C:\Windows\System32\XuragVF.exe
  2⤵
  - Executes dropped EXE
  PID:5224
- C:\Windows\System32\HAoHYGE.exe
  C:\Windows\System32\HAoHYGE.exe
  2⤵
  - Executes dropped EXE
  PID:5244
- C:\Windows\System32\bABvHSE.exe
  C:\Windows\System32\bABvHSE.exe
  2⤵
  - Executes dropped EXE
  PID:5272
- C:\Windows\System32\eWqPIMb.exe
  C:\Windows\System32\eWqPIMb.exe
  2⤵
  - Executes dropped EXE
  PID:5304
- C:\Windows\System32\saHJVHJ.exe
  C:\Windows\System32\saHJVHJ.exe
  2⤵
  - Executes dropped EXE
  PID:5328
- C:\Windows\System32\qhbOuOZ.exe
  C:\Windows\System32\qhbOuOZ.exe
  2⤵
  - Executes dropped EXE
  PID:5356
- C:\Windows\System32\ZzIDFFR.exe
  C:\Windows\System32\ZzIDFFR.exe
  2⤵
  - Executes dropped EXE
  PID:5380
- C:\Windows\System32\BGdaiDd.exe
  C:\Windows\System32\BGdaiDd.exe
  2⤵
  - Executes dropped EXE
  PID:5412
- C:\Windows\System32\OhPDAbw.exe
  C:\Windows\System32\OhPDAbw.exe
  2⤵
  - Executes dropped EXE
  PID:5436
- C:\Windows\System32\AaoFwNA.exe
  C:\Windows\System32\AaoFwNA.exe
  2⤵
  - Executes dropped EXE
  PID:5464
- C:\Windows\System32\dwneZTX.exe
  C:\Windows\System32\dwneZTX.exe
  2⤵
  - Executes dropped EXE
  PID:5492
- C:\Windows\System32\gHYJMpB.exe
  C:\Windows\System32\gHYJMpB.exe
  2⤵
  - Executes dropped EXE
  PID:5516
- C:\Windows\System32\HetfqHG.exe
  C:\Windows\System32\HetfqHG.exe
  2⤵
  - Executes dropped EXE
  PID:5552
- C:\Windows\System32\CsjlYFJ.exe
  C:\Windows\System32\CsjlYFJ.exe
  2⤵
  - Executes dropped EXE
  PID:5576
- C:\Windows\System32\JgJJtCi.exe
  C:\Windows\System32\JgJJtCi.exe
  2⤵
  - Executes dropped EXE
  PID:5628
- C:\Windows\System32\KjVwcnk.exe
  C:\Windows\System32\KjVwcnk.exe
  2⤵
  - Executes dropped EXE
  PID:5644
- C:\Windows\System32\TlfDbei.exe
  C:\Windows\System32\TlfDbei.exe
  2⤵
  - Executes dropped EXE
  PID:5660
- C:\Windows\System32\UdxgBug.exe
  C:\Windows\System32\UdxgBug.exe
  2⤵
  - Executes dropped EXE
  PID:5688
- C:\Windows\System32\sMgDOHL.exe
  C:\Windows\System32\sMgDOHL.exe
  2⤵
  - Executes dropped EXE
  PID:5716
- C:\Windows\System32\FtTEGgP.exe
  C:\Windows\System32\FtTEGgP.exe
  2⤵
  - Executes dropped EXE
  PID:5744
- C:\Windows\System32\FOExHhj.exe
  C:\Windows\System32\FOExHhj.exe
  2⤵
  - Executes dropped EXE
  PID:5772
- C:\Windows\System32\sOISUTx.exe
  C:\Windows\System32\sOISUTx.exe
  2⤵
  - Executes dropped EXE
  PID:5800
- C:\Windows\System32\fmHjbCT.exe
  C:\Windows\System32\fmHjbCT.exe
  2⤵
  PID:5824
- C:\Windows\System32\dBZqotA.exe
  C:\Windows\System32\dBZqotA.exe
  2⤵
  PID:5856
- C:\Windows\System32\NHsbuUo.exe
  C:\Windows\System32\NHsbuUo.exe
  2⤵
  PID:5884
- C:\Windows\System32\JogBQlp.exe
  C:\Windows\System32\JogBQlp.exe
  2⤵
  PID:5912
- C:\Windows\System32\bYHGVUN.exe
  C:\Windows\System32\bYHGVUN.exe
  2⤵
  PID:5940
- C:\Windows\System32\YoYcECw.exe
  C:\Windows\System32\YoYcECw.exe
  2⤵
  PID:5964
- C:\Windows\System32\TFWEvkz.exe
  C:\Windows\System32\TFWEvkz.exe
  2⤵
  PID:5996
- C:\Windows\System32\DXyRNXt.exe
  C:\Windows\System32\DXyRNXt.exe
  2⤵
  PID:6024
- C:\Windows\System32\CLSUmJH.exe
  C:\Windows\System32\CLSUmJH.exe
  2⤵
  PID:6052
- C:\Windows\System32\KAtFyxt.exe
  C:\Windows\System32\KAtFyxt.exe
  2⤵
  PID:6080
- C:\Windows\System32\jqDSuTS.exe
  C:\Windows\System32\jqDSuTS.exe
  2⤵
  PID:6112
- C:\Windows\System32\dCXIYBL.exe
  C:\Windows\System32\dCXIYBL.exe
  2⤵
  PID:6136
- C:\Windows\System32\dQzQGJG.exe
  C:\Windows\System32\dQzQGJG.exe
  2⤵
  PID:2260
- C:\Windows\System32\oTtGAkK.exe
  C:\Windows\System32\oTtGAkK.exe
  2⤵
  PID:3880
- C:\Windows\System32\yzJLQyd.exe
  C:\Windows\System32\yzJLQyd.exe
  2⤵
  PID:3436
- C:\Windows\System32\Rnkmdgn.exe
  C:\Windows\System32\Rnkmdgn.exe
  2⤵
  PID:3040
- C:\Windows\System32\XWVsESM.exe
  C:\Windows\System32\XWVsESM.exe
  2⤵
  PID:4328
- C:\Windows\System32\oyuYsVv.exe
  C:\Windows\System32\oyuYsVv.exe
  2⤵
  PID:5140
- C:\Windows\System32\fglJCfk.exe
  C:\Windows\System32\fglJCfk.exe
  2⤵
  PID:5232
- C:\Windows\System32\fzexokx.exe
  C:\Windows\System32\fzexokx.exe
  2⤵
  PID:5288
- C:\Windows\System32\JtaKjuH.exe
  C:\Windows\System32\JtaKjuH.exe
  2⤵
  PID:5336
- C:\Windows\System32\sLMVxUZ.exe
  C:\Windows\System32\sLMVxUZ.exe
  2⤵
  PID:5388
- C:\Windows\System32\jqoSNdS.exe
  C:\Windows\System32\jqoSNdS.exe
  2⤵
  PID:5448
- C:\Windows\System32\nHRcZCR.exe
  C:\Windows\System32\nHRcZCR.exe
  2⤵
  PID:5512
- C:\Windows\System32\oTtykaH.exe
  C:\Windows\System32\oTtykaH.exe
  2⤵
  PID:1032
- C:\Windows\System32\iPpXnCZ.exe
  C:\Windows\System32\iPpXnCZ.exe
  2⤵
  PID:5640
- C:\Windows\System32\brOZXkQ.exe
  C:\Windows\System32\brOZXkQ.exe
  2⤵
  PID:5708
- C:\Windows\System32\RpmvOJx.exe
  C:\Windows\System32\RpmvOJx.exe
  2⤵
  PID:5752
- C:\Windows\System32\YSOootM.exe
  C:\Windows\System32\YSOootM.exe
  2⤵
  PID:5820
- C:\Windows\System32\oLqgoiH.exe
  C:\Windows\System32\oLqgoiH.exe
  2⤵
  PID:5892
- C:\Windows\System32\MiHNTPz.exe
  C:\Windows\System32\MiHNTPz.exe
  2⤵
  PID:5948
- C:\Windows\System32\YsdkpNB.exe
  C:\Windows\System32\YsdkpNB.exe
  2⤵
  PID:6012
- C:\Windows\System32\yyafFKT.exe
  C:\Windows\System32\yyafFKT.exe
  2⤵
  PID:6064
- C:\Windows\System32\HJINeuq.exe
  C:\Windows\System32\HJINeuq.exe
  2⤵
  PID:6128
- C:\Windows\System32\bovdsKM.exe
  C:\Windows\System32\bovdsKM.exe
  2⤵
  PID:2756
- C:\Windows\System32\EwKDGaq.exe
  C:\Windows\System32\EwKDGaq.exe
  2⤵
  PID:4840
- C:\Windows\System32\qCSVrwd.exe
  C:\Windows\System32\qCSVrwd.exe
  2⤵
  PID:5216
- C:\Windows\System32\ZjNTQBd.exe
  C:\Windows\System32\ZjNTQBd.exe
  2⤵
  PID:3472
- C:\Windows\System32\HktLImT.exe
  C:\Windows\System32\HktLImT.exe
  2⤵
  PID:5504
- C:\Windows\System32\JICDtSH.exe
  C:\Windows\System32\JICDtSH.exe
  2⤵
  PID:6156
- C:\Windows\System32\yeWlHMH.exe
  C:\Windows\System32\yeWlHMH.exe
  2⤵
  PID:6180
- C:\Windows\System32\SHEJMoN.exe
  C:\Windows\System32\SHEJMoN.exe
  2⤵
  PID:6208
- C:\Windows\System32\jiXMWjd.exe
  C:\Windows\System32\jiXMWjd.exe
  2⤵
  PID:6240
- C:\Windows\System32\MdPAreN.exe
  C:\Windows\System32\MdPAreN.exe
  2⤵
  PID:6264
- C:\Windows\System32\LqqzpvE.exe
  C:\Windows\System32\LqqzpvE.exe
  2⤵
  PID:6296
- C:\Windows\System32\IfHGphj.exe
  C:\Windows\System32\IfHGphj.exe
  2⤵
  PID:6324
- C:\Windows\System32\sMYEdeg.exe
  C:\Windows\System32\sMYEdeg.exe
  2⤵
  PID:6352
- C:\Windows\System32\qBQcAWp.exe
  C:\Windows\System32\qBQcAWp.exe
  2⤵
  PID:6380
- C:\Windows\System32\VmewWCi.exe
  C:\Windows\System32\VmewWCi.exe
  2⤵
  PID:6408
- C:\Windows\System32\uPjeoLu.exe
  C:\Windows\System32\uPjeoLu.exe
  2⤵
  PID:6432
- C:\Windows\System32\pzrLeLy.exe
  C:\Windows\System32\pzrLeLy.exe
  2⤵
  PID:6464
- C:\Windows\System32\LwbFniN.exe
  C:\Windows\System32\LwbFniN.exe
  2⤵
  PID:6492
- C:\Windows\System32\rBWpioz.exe
  C:\Windows\System32\rBWpioz.exe
  2⤵
  PID:6520
- C:\Windows\System32\vqIQskE.exe
  C:\Windows\System32\vqIQskE.exe
  2⤵
  PID:6544
- C:\Windows\System32\mozLird.exe
  C:\Windows\System32\mozLird.exe
  2⤵
  PID:6576
- C:\Windows\System32\NpgYWeI.exe
  C:\Windows\System32\NpgYWeI.exe
  2⤵
  PID:6604
- C:\Windows\System32\EvSnXjk.exe
  C:\Windows\System32\EvSnXjk.exe
  2⤵
  PID:6632
- C:\Windows\System32\YTZSdzx.exe
  C:\Windows\System32\YTZSdzx.exe
  2⤵
  PID:6660
- C:\Windows\System32\JBehmNv.exe
  C:\Windows\System32\JBehmNv.exe
  2⤵
  PID:6688
- C:\Windows\System32\FxcRbmM.exe
  C:\Windows\System32\FxcRbmM.exe
  2⤵
  PID:6716
- C:\Windows\System32\GIvlrMD.exe
  C:\Windows\System32\GIvlrMD.exe
  2⤵
  PID:6744
- C:\Windows\System32\zeAPOVu.exe
  C:\Windows\System32\zeAPOVu.exe
  2⤵
  PID:6780
- C:\Windows\System32\EnNCETX.exe
  C:\Windows\System32\EnNCETX.exe
  2⤵
  PID:6800
- C:\Windows\System32\oMuOhho.exe
  C:\Windows\System32\oMuOhho.exe
  2⤵
  PID:6828
- C:\Windows\System32\wfOMHhM.exe
  C:\Windows\System32\wfOMHhM.exe
  2⤵
  PID:6856
- C:\Windows\System32\VbHtAKv.exe
  C:\Windows\System32\VbHtAKv.exe
  2⤵
  PID:6880
- C:\Windows\System32\dwGxwfO.exe
  C:\Windows\System32\dwGxwfO.exe
  2⤵
  PID:6912
- C:\Windows\System32\KRKzxJb.exe
  C:\Windows\System32\KRKzxJb.exe
  2⤵
  PID:6940
- C:\Windows\System32\otppDmr.exe
  C:\Windows\System32\otppDmr.exe
  2⤵
  PID:6968
- C:\Windows\System32\oUtjELH.exe
  C:\Windows\System32\oUtjELH.exe
  2⤵
  PID:6996
- C:\Windows\System32\gdmKkGr.exe
  C:\Windows\System32\gdmKkGr.exe
  2⤵
  PID:7020
- C:\Windows\System32\BZepeKz.exe
  C:\Windows\System32\BZepeKz.exe
  2⤵
  PID:7052
- C:\Windows\System32\YQNXNQi.exe
  C:\Windows\System32\YQNXNQi.exe
  2⤵
  PID:7076
- C:\Windows\System32\wKeEObW.exe
  C:\Windows\System32\wKeEObW.exe
  2⤵
  PID:7108
- C:\Windows\System32\KJfGvIi.exe
  C:\Windows\System32\KJfGvIi.exe
  2⤵
  PID:7144
- C:\Windows\System32\HQglGsg.exe
  C:\Windows\System32\HQglGsg.exe
  2⤵
  PID:7164
- C:\Windows\System32\GKePaFE.exe
  C:\Windows\System32\GKePaFE.exe
  2⤵
  PID:2316
- C:\Windows\System32\zGspEkq.exe
  C:\Windows\System32\zGspEkq.exe
  2⤵
  PID:5764
- C:\Windows\System32\CKXMdam.exe
  C:\Windows\System32\CKXMdam.exe
  2⤵
  PID:396
- C:\Windows\System32\IqRlrfQ.exe
  C:\Windows\System32\IqRlrfQ.exe
  2⤵
  PID:6032
- C:\Windows\System32\TmnLmEf.exe
  C:\Windows\System32\TmnLmEf.exe
  2⤵
  PID:4116
- C:\Windows\System32\yEeDIKe.exe
  C:\Windows\System32\yEeDIKe.exe
  2⤵
  PID:5300
- C:\Windows\System32\nSzwbol.exe
  C:\Windows\System32\nSzwbol.exe
  2⤵
  PID:5560
- C:\Windows\System32\eUpwAlI.exe
  C:\Windows\System32\eUpwAlI.exe
  2⤵
  PID:6196
- C:\Windows\System32\OUouovc.exe
  C:\Windows\System32\OUouovc.exe
  2⤵
  PID:6260
- C:\Windows\System32\eVECxMp.exe
  C:\Windows\System32\eVECxMp.exe
  2⤵
  PID:6344
- C:\Windows\System32\cNlmQzl.exe
  C:\Windows\System32\cNlmQzl.exe
  2⤵
  PID:6400
- C:\Windows\System32\XFTKeOv.exe
  C:\Windows\System32\XFTKeOv.exe
  2⤵
  PID:6448
- C:\Windows\System32\mAUEpFp.exe
  C:\Windows\System32\mAUEpFp.exe
  2⤵
  PID:1180
- C:\Windows\System32\nZcqgtP.exe
  C:\Windows\System32\nZcqgtP.exe
  2⤵
  PID:6528
- C:\Windows\System32\YuQMViF.exe
  C:\Windows\System32\YuQMViF.exe
  2⤵
  PID:6588
- C:\Windows\System32\bHwQnvk.exe
  C:\Windows\System32\bHwQnvk.exe
  2⤵
  PID:6644
- C:\Windows\System32\nfOGUsL.exe
  C:\Windows\System32\nfOGUsL.exe
  2⤵
  PID:6736
- C:\Windows\System32\jWGyLuq.exe
  C:\Windows\System32\jWGyLuq.exe
  2⤵
  PID:6752
- C:\Windows\System32\HzQcdON.exe
  C:\Windows\System32\HzQcdON.exe
  2⤵
  PID:6848
- C:\Windows\System32\jxPZOfp.exe
  C:\Windows\System32\jxPZOfp.exe
  2⤵
  PID:6920
- C:\Windows\System32\DaNrOqV.exe
  C:\Windows\System32\DaNrOqV.exe
  2⤵
  PID:6980
- C:\Windows\System32\MnDkRBr.exe
  C:\Windows\System32\MnDkRBr.exe
  2⤵
  PID:7028
- C:\Windows\System32\luqSwTF.exe
  C:\Windows\System32\luqSwTF.exe
  2⤵
  PID:7100
- C:\Windows\System32\KopognG.exe
  C:\Windows\System32\KopognG.exe
  2⤵
  PID:7116
- C:\Windows\System32\lCnVoeA.exe
  C:\Windows\System32\lCnVoeA.exe
  2⤵
  PID:5668
- C:\Windows\System32\oeXcszN.exe
  C:\Windows\System32\oeXcszN.exe
  2⤵
  PID:5924
- C:\Windows\System32\iOkdzXO.exe
  C:\Windows\System32\iOkdzXO.exe
  2⤵
  PID:4752
- C:\Windows\System32\wPZqkzX.exe
  C:\Windows\System32\wPZqkzX.exe
  2⤵
  PID:5420
- C:\Windows\System32\WZPUIma.exe
  C:\Windows\System32\WZPUIma.exe
  2⤵
  PID:6252
- C:\Windows\System32\AMdCsKb.exe
  C:\Windows\System32\AMdCsKb.exe
  2⤵
  PID:6332
- C:\Windows\System32\UgShrAh.exe
  C:\Windows\System32\UgShrAh.exe
  2⤵
  PID:3724
- C:\Windows\System32\ApjyMLK.exe
  C:\Windows\System32\ApjyMLK.exe
  2⤵
  PID:6624
- C:\Windows\System32\eUSNfpE.exe
  C:\Windows\System32\eUSNfpE.exe
  2⤵
  PID:6680
- C:\Windows\System32\uDsyNHb.exe
  C:\Windows\System32\uDsyNHb.exe
  2⤵
  PID:6796
- C:\Windows\System32\weCPzHe.exe
  C:\Windows\System32\weCPzHe.exe
  2⤵
  PID:6952
- C:\Windows\System32\fOMMSNL.exe
  C:\Windows\System32\fOMMSNL.exe
  2⤵
  PID:1688
- C:\Windows\System32\RxdeIZb.exe
  C:\Windows\System32\RxdeIZb.exe
  2⤵
  PID:888
- C:\Windows\System32\YhkbmaX.exe
  C:\Windows\System32\YhkbmaX.exe
  2⤵
  PID:2816
- C:\Windows\System32\ieyFESp.exe
  C:\Windows\System32\ieyFESp.exe
  2⤵
  PID:5372
- C:\Windows\System32\itsechl.exe
  C:\Windows\System32\itsechl.exe
  2⤵
  PID:6304
- C:\Windows\System32\vbsaeZV.exe
  C:\Windows\System32\vbsaeZV.exe
  2⤵
  PID:4816
- C:\Windows\System32\xsUXFYC.exe
  C:\Windows\System32\xsUXFYC.exe
  2⤵
  PID:6668
- C:\Windows\System32\tSCIYfv.exe
  C:\Windows\System32\tSCIYfv.exe
  2⤵
  PID:6836
- C:\Windows\System32\mnwuVsZ.exe
  C:\Windows\System32\mnwuVsZ.exe
  2⤵
  PID:1704
- C:\Windows\System32\IlnCvVq.exe
  C:\Windows\System32\IlnCvVq.exe
  2⤵
  PID:1108
- C:\Windows\System32\klzjSlw.exe
  C:\Windows\System32\klzjSlw.exe
  2⤵
  PID:7152
- C:\Windows\System32\FfkqdnY.exe
  C:\Windows\System32\FfkqdnY.exe
  2⤵
  PID:6216
- C:\Windows\System32\ptQCDof.exe
  C:\Windows\System32\ptQCDof.exe
  2⤵
  PID:6728
- C:\Windows\System32\OuVGJVo.exe
  C:\Windows\System32\OuVGJVo.exe
  2⤵
  PID:7180
- C:\Windows\System32\lrOagwN.exe
  C:\Windows\System32\lrOagwN.exe
  2⤵
  PID:7208
- C:\Windows\System32\ccCQDHb.exe
  C:\Windows\System32\ccCQDHb.exe
  2⤵
  PID:7236
- C:\Windows\System32\iMncWQN.exe
  C:\Windows\System32\iMncWQN.exe
  2⤵
  PID:7264
- C:\Windows\System32\wLfvFFI.exe
  C:\Windows\System32\wLfvFFI.exe
  2⤵
  PID:7292
- C:\Windows\System32\HuQUkHn.exe
  C:\Windows\System32\HuQUkHn.exe
  2⤵
  PID:7316
- C:\Windows\System32\MHWpfKu.exe
  C:\Windows\System32\MHWpfKu.exe
  2⤵
  PID:7344
- C:\Windows\System32\stWSTzN.exe
  C:\Windows\System32\stWSTzN.exe
  2⤵
  PID:7372
- C:\Windows\System32\bkNOYQi.exe
  C:\Windows\System32\bkNOYQi.exe
  2⤵
  PID:7412
- C:\Windows\System32\jbTeNxt.exe
  C:\Windows\System32\jbTeNxt.exe
  2⤵
  PID:7432
- C:\Windows\System32\dwfUmpS.exe
  C:\Windows\System32\dwfUmpS.exe
  2⤵
  PID:7456
- C:\Windows\System32\OdaLfVR.exe
  C:\Windows\System32\OdaLfVR.exe
  2⤵
  PID:7488
- C:\Windows\System32\WAIXKcF.exe
  C:\Windows\System32\WAIXKcF.exe
  2⤵
  PID:7504
- C:\Windows\System32\ZmtHytM.exe
  C:\Windows\System32\ZmtHytM.exe
  2⤵
  PID:7544
- C:\Windows\System32\rVdchCb.exe
  C:\Windows\System32\rVdchCb.exe
  2⤵
  PID:7568
- C:\Windows\System32\aODgvoP.exe
  C:\Windows\System32\aODgvoP.exe
  2⤵
  PID:7600
- C:\Windows\System32\iBMhaoY.exe
  C:\Windows\System32\iBMhaoY.exe
  2⤵
  PID:7624
- C:\Windows\System32\rkkKXSG.exe
  C:\Windows\System32\rkkKXSG.exe
  2⤵
  PID:7652
- C:\Windows\System32\SDyGMgG.exe
  C:\Windows\System32\SDyGMgG.exe
  2⤵
  PID:7684
- C:\Windows\System32\QmhTlvu.exe
  C:\Windows\System32\QmhTlvu.exe
  2⤵
  PID:7712
- C:\Windows\System32\vNfgBzJ.exe
  C:\Windows\System32\vNfgBzJ.exe
  2⤵
  PID:7740
- C:\Windows\System32\VKdEoHG.exe
  C:\Windows\System32\VKdEoHG.exe
  2⤵
  PID:7768
- C:\Windows\System32\NyXpPRn.exe
  C:\Windows\System32\NyXpPRn.exe
  2⤵
  PID:7796
- C:\Windows\System32\pNuHehZ.exe
  C:\Windows\System32\pNuHehZ.exe
  2⤵
  PID:7820
- C:\Windows\System32\OBhtAHG.exe
  C:\Windows\System32\OBhtAHG.exe
  2⤵
  PID:7848
- C:\Windows\System32\grZvQNB.exe
  C:\Windows\System32\grZvQNB.exe
  2⤵
  PID:7876
- C:\Windows\System32\tRqbBXz.exe
  C:\Windows\System32\tRqbBXz.exe
  2⤵
  PID:7908
- C:\Windows\System32\tgVvHgu.exe
  C:\Windows\System32\tgVvHgu.exe
  2⤵
  PID:7932
- C:\Windows\System32\cArLYGX.exe
  C:\Windows\System32\cArLYGX.exe
  2⤵
  PID:7964
- C:\Windows\System32\COzdBIX.exe
  C:\Windows\System32\COzdBIX.exe
  2⤵
  PID:7992
- C:\Windows\System32\czyuQgz.exe
  C:\Windows\System32\czyuQgz.exe
  2⤵
  PID:8016
- C:\Windows\System32\WJTauwT.exe
  C:\Windows\System32\WJTauwT.exe
  2⤵
  PID:8044
- C:\Windows\System32\IKmCozW.exe
  C:\Windows\System32\IKmCozW.exe
  2⤵
  PID:8076
- C:\Windows\System32\bMvORsY.exe
  C:\Windows\System32\bMvORsY.exe
  2⤵
  PID:8104
- C:\Windows\System32\GoWgWnK.exe
  C:\Windows\System32\GoWgWnK.exe
  2⤵
  PID:8128
- C:\Windows\System32\sPjUgCn.exe
  C:\Windows\System32\sPjUgCn.exe
  2⤵
  PID:8160
- C:\Windows\System32\AWyfBjP.exe
  C:\Windows\System32\AWyfBjP.exe
  2⤵
  PID:8184
- C:\Windows\System32\jYymPca.exe
  C:\Windows\System32\jYymPca.exe
  2⤵
  PID:3848
- C:\Windows\System32\kOsiZcf.exe
  C:\Windows\System32\kOsiZcf.exe
  2⤵
  PID:2484
- C:\Windows\System32\wsFBDSt.exe
  C:\Windows\System32\wsFBDSt.exe
  2⤵
  PID:7216
- C:\Windows\System32\vLLDSsH.exe
  C:\Windows\System32\vLLDSsH.exe
  2⤵
  PID:7272
- C:\Windows\System32\wVqWCFF.exe
  C:\Windows\System32\wVqWCFF.exe
  2⤵
  PID:7352
- C:\Windows\System32\pwczlZh.exe
  C:\Windows\System32\pwczlZh.exe
  2⤵
  PID:7444
- C:\Windows\System32\GkKorsM.exe
  C:\Windows\System32\GkKorsM.exe
  2⤵
  PID:7480
- C:\Windows\System32\WLZtoKl.exe
  C:\Windows\System32\WLZtoKl.exe
  2⤵
  PID:7512
- C:\Windows\System32\jfYSYwF.exe
  C:\Windows\System32\jfYSYwF.exe
  2⤵
  PID:7608
- C:\Windows\System32\IIcABxG.exe
  C:\Windows\System32\IIcABxG.exe
  2⤵
  PID:7752
- C:\Windows\System32\ZQwZUiJ.exe
  C:\Windows\System32\ZQwZUiJ.exe
  2⤵
  PID:7884
- C:\Windows\System32\fpSSMNy.exe
  C:\Windows\System32\fpSSMNy.exe
  2⤵
  PID:4428
- C:\Windows\System32\XYfPnnG.exe
  C:\Windows\System32\XYfPnnG.exe
  2⤵
  PID:7200
- C:\Windows\System32\hkefvVI.exe
  C:\Windows\System32\hkefvVI.exe
  2⤵
  PID:7276
- C:\Windows\System32\jRkcIwN.exe
  C:\Windows\System32\jRkcIwN.exe
  2⤵
  PID:7324
- C:\Windows\System32\xcZoZlG.exe
  C:\Windows\System32\xcZoZlG.exe
  2⤵
  PID:7380
- C:\Windows\System32\JdssAhi.exe
  C:\Windows\System32\JdssAhi.exe
  2⤵
  PID:4916
- C:\Windows\System32\CjAlrdK.exe
  C:\Windows\System32\CjAlrdK.exe
  2⤵
  PID:7500
- C:\Windows\System32\ZWtvDNg.exe
  C:\Windows\System32\ZWtvDNg.exe
  2⤵
  PID:1836
- C:\Windows\System32\lvtyLyg.exe
  C:\Windows\System32\lvtyLyg.exe
  2⤵
  PID:2124
- C:\Windows\System32\UiKnJOX.exe
  C:\Windows\System32\UiKnJOX.exe
  2⤵
  PID:624
- C:\Windows\System32\gXKFgGF.exe
  C:\Windows\System32\gXKFgGF.exe
  2⤵
  PID:7592
- C:\Windows\System32\pbLKUUC.exe
  C:\Windows\System32\pbLKUUC.exe
  2⤵
  PID:7780
- C:\Windows\System32\hbJRdpD.exe
  C:\Windows\System32\hbJRdpD.exe
  2⤵
  PID:4868
- C:\Windows\System32\iIpHXUE.exe
  C:\Windows\System32\iIpHXUE.exe
  2⤵
  PID:2412
- C:\Windows\System32\kTtNkBf.exe
  C:\Windows\System32\kTtNkBf.exe
  2⤵
  PID:4192
- C:\Windows\System32\agdwJbV.exe
  C:\Windows\System32\agdwJbV.exe
  2⤵
  PID:4792
- C:\Windows\System32\wymCHyi.exe
  C:\Windows\System32\wymCHyi.exe
  2⤵
  PID:7856
- C:\Windows\System32\yTpmYJT.exe
  C:\Windows\System32\yTpmYJT.exe
  2⤵
  PID:7928
- C:\Windows\System32\HBBuZBe.exe
  C:\Windows\System32\HBBuZBe.exe
  2⤵
  PID:7976
- C:\Windows\System32\StLZvdb.exe
  C:\Windows\System32\StLZvdb.exe
  2⤵
  PID:7248
- C:\Windows\System32\BXkxRTz.exe
  C:\Windows\System32\BXkxRTz.exe
  2⤵
  PID:8152
- C:\Windows\System32\XjhFsMI.exe
  C:\Windows\System32\XjhFsMI.exe
  2⤵
  PID:3116
- C:\Windows\System32\NDGlmVn.exe
  C:\Windows\System32\NDGlmVn.exe
  2⤵
  PID:4416
- C:\Windows\System32\KQCyAPS.exe
  C:\Windows\System32\KQCyAPS.exe
  2⤵
  PID:8116
- C:\Windows\System32\PQdRCVC.exe
  C:\Windows\System32\PQdRCVC.exe
  2⤵
  PID:3860
- C:\Windows\System32\jmmXkEx.exe
  C:\Windows\System32\jmmXkEx.exe
  2⤵
  PID:8204
- C:\Windows\System32\CAGGjeU.exe
  C:\Windows\System32\CAGGjeU.exe
  2⤵
  PID:8228
- C:\Windows\System32\UOlokYF.exe
  C:\Windows\System32\UOlokYF.exe
  2⤵
  PID:8256
- C:\Windows\System32\lopEsyG.exe
  C:\Windows\System32\lopEsyG.exe
  2⤵
  PID:8284
- C:\Windows\System32\rrwESjH.exe
  C:\Windows\System32\rrwESjH.exe
  2⤵
  PID:8300
- C:\Windows\System32\JLvpLCV.exe
  C:\Windows\System32\JLvpLCV.exe
  2⤵
  PID:8356
- C:\Windows\System32\BDSTNJm.exe
  C:\Windows\System32\BDSTNJm.exe
  2⤵
  PID:8392
- C:\Windows\System32\wLEBSig.exe
  C:\Windows\System32\wLEBSig.exe
  2⤵
  PID:8408
- C:\Windows\System32\raOvwFk.exe
  C:\Windows\System32\raOvwFk.exe
  2⤵
  PID:8448
- C:\Windows\System32\nZOINrs.exe
  C:\Windows\System32\nZOINrs.exe
  2⤵
  PID:8496
- C:\Windows\System32\fPEjbBt.exe
  C:\Windows\System32\fPEjbBt.exe
  2⤵
  PID:8524
- C:\Windows\System32\TjjFLUG.exe
  C:\Windows\System32\TjjFLUG.exe
  2⤵
  PID:8540
- C:\Windows\System32\zXXExcc.exe
  C:\Windows\System32\zXXExcc.exe
  2⤵
  PID:8580
- C:\Windows\System32\VUzNEBK.exe
  C:\Windows\System32\VUzNEBK.exe
  2⤵
  PID:8596
- C:\Windows\System32\AekbOuG.exe
  C:\Windows\System32\AekbOuG.exe
  2⤵
  PID:8620
- C:\Windows\System32\vsmWNYq.exe
  C:\Windows\System32\vsmWNYq.exe
  2⤵
  PID:8636
- C:\Windows\System32\rdgelcD.exe
  C:\Windows\System32\rdgelcD.exe
  2⤵
  PID:8680
- C:\Windows\System32\uwZBwkE.exe
  C:\Windows\System32\uwZBwkE.exe
  2⤵
  PID:8704
- C:\Windows\System32\VVSqYbu.exe
  C:\Windows\System32\VVSqYbu.exe
  2⤵
  PID:8760
- C:\Windows\System32\yUYTCRX.exe
  C:\Windows\System32\yUYTCRX.exe
  2⤵
  PID:8776
- C:\Windows\System32\bIsRiSL.exe
  C:\Windows\System32\bIsRiSL.exe
  2⤵
  PID:8800
- C:\Windows\System32\haWyjCv.exe
  C:\Windows\System32\haWyjCv.exe
  2⤵
  PID:8820
- C:\Windows\System32\VejArSJ.exe
  C:\Windows\System32\VejArSJ.exe
  2⤵
  PID:8844
- C:\Windows\System32\LPcxYCX.exe
  C:\Windows\System32\LPcxYCX.exe
  2⤵
  PID:8864
- C:\Windows\System32\vKAGAbN.exe
  C:\Windows\System32\vKAGAbN.exe
  2⤵
  PID:8892
- C:\Windows\System32\GcuRRmL.exe
  C:\Windows\System32\GcuRRmL.exe
  2⤵
  PID:8908
- C:\Windows\System32\rbXmBPJ.exe
  C:\Windows\System32\rbXmBPJ.exe
  2⤵
  PID:8956
- C:\Windows\System32\ZRMkaVw.exe
  C:\Windows\System32\ZRMkaVw.exe
  2⤵
  PID:8988
- C:\Windows\System32\QqAmlrm.exe
  C:\Windows\System32\QqAmlrm.exe
  2⤵
  PID:9016
- C:\Windows\System32\avRJpEq.exe
  C:\Windows\System32\avRJpEq.exe
  2⤵
  PID:9048
- C:\Windows\System32\aHezVWb.exe
  C:\Windows\System32\aHezVWb.exe
  2⤵
  PID:9080
- C:\Windows\System32\vyqUsVg.exe
  C:\Windows\System32\vyqUsVg.exe
  2⤵
  PID:9100
- C:\Windows\System32\HspUOaH.exe
  C:\Windows\System32\HspUOaH.exe
  2⤵
  PID:9136
- C:\Windows\System32\EJdeswX.exe
  C:\Windows\System32\EJdeswX.exe
  2⤵
  PID:9176
- C:\Windows\System32\GuSAyJK.exe
  C:\Windows\System32\GuSAyJK.exe
  2⤵
  PID:9196
- C:\Windows\System32\qVodCfG.exe
  C:\Windows\System32\qVodCfG.exe
  2⤵
  PID:8004
- C:\Windows\System32\pLmFUdV.exe
  C:\Windows\System32\pLmFUdV.exe
  2⤵
  PID:8212
- C:\Windows\System32\GdWnXGJ.exe
  C:\Windows\System32\GdWnXGJ.exe
  2⤵
  PID:8264
- C:\Windows\System32\OHucueL.exe
  C:\Windows\System32\OHucueL.exe
  2⤵
  PID:8388
- C:\Windows\System32\GXUuqaJ.exe
  C:\Windows\System32\GXUuqaJ.exe
  2⤵
  PID:8368
- C:\Windows\System32\NnHAvNE.exe
  C:\Windows\System32\NnHAvNE.exe
  2⤵
  PID:8488
- C:\Windows\System32\VVCsxdU.exe
  C:\Windows\System32\VVCsxdU.exe
  2⤵
  PID:8532
- C:\Windows\System32\INqNinN.exe
  C:\Windows\System32\INqNinN.exe
  2⤵
  PID:8616
- C:\Windows\System32\lrOgAoM.exe
  C:\Windows\System32\lrOgAoM.exe
  2⤵
  PID:8628
- C:\Windows\System32\sqozuge.exe
  C:\Windows\System32\sqozuge.exe
  2⤵
  PID:692
- C:\Windows\System32\jdJpuTz.exe
  C:\Windows\System32\jdJpuTz.exe
  2⤵
  PID:8748
- C:\Windows\System32\ESvJYrS.exe
  C:\Windows\System32\ESvJYrS.exe
  2⤵
  PID:8792
- C:\Windows\System32\ScxIoOk.exe
  C:\Windows\System32\ScxIoOk.exe
  2⤵
  PID:8860
- C:\Windows\System32\iYBrXyf.exe
  C:\Windows\System32\iYBrXyf.exe
  2⤵
  PID:8904
- C:\Windows\System32\ngEjOWZ.exe
  C:\Windows\System32\ngEjOWZ.exe
  2⤵
  PID:9004
- C:\Windows\System32\ulNJjFJ.exe
  C:\Windows\System32\ulNJjFJ.exe
  2⤵
  PID:9060
- C:\Windows\System32\hJptSmj.exe
  C:\Windows\System32\hJptSmj.exe
  2⤵
  PID:9096
- C:\Windows\System32\LVnFAyF.exe
  C:\Windows\System32\LVnFAyF.exe
  2⤵
  PID:9164
- C:\Windows\System32\MINvrvv.exe
  C:\Windows\System32\MINvrvv.exe
  2⤵
  PID:9192
- C:\Windows\System32\zPzWKwa.exe
  C:\Windows\System32\zPzWKwa.exe
  2⤵
  PID:8404
- C:\Windows\System32\JoGoFPS.exe
  C:\Windows\System32\JoGoFPS.exe
  2⤵
  PID:3476
- C:\Windows\System32\wShCLzP.exe
  C:\Windows\System32\wShCLzP.exe
  2⤵
  PID:8568
- C:\Windows\System32\elltNdF.exe
  C:\Windows\System32\elltNdF.exe
  2⤵
  PID:8832
- C:\Windows\System32\cfrEUzR.exe
  C:\Windows\System32\cfrEUzR.exe
  2⤵
  PID:9088
- C:\Windows\System32\SSutsOl.exe
  C:\Windows\System32\SSutsOl.exe
  2⤵
  PID:8328
- C:\Windows\System32\yywJNIq.exe
  C:\Windows\System32\yywJNIq.exe
  2⤵
  PID:8644
- C:\Windows\System32\oNBfATI.exe
  C:\Windows\System32\oNBfATI.exe
  2⤵
  PID:8560
- C:\Windows\System32\wQsajgK.exe
  C:\Windows\System32\wQsajgK.exe
  2⤵
  PID:4920
- C:\Windows\System32\aeXLkPw.exe
  C:\Windows\System32\aeXLkPw.exe
  2⤵
  PID:8712
- C:\Windows\System32\uAuXRZd.exe
  C:\Windows\System32\uAuXRZd.exe
  2⤵
  PID:9220
- C:\Windows\System32\HTyqycp.exe
  C:\Windows\System32\HTyqycp.exe
  2⤵
  PID:9252
- C:\Windows\System32\dmzsNmh.exe
  C:\Windows\System32\dmzsNmh.exe
  2⤵
  PID:9308
- C:\Windows\System32\LwDhdiH.exe
  C:\Windows\System32\LwDhdiH.exe
  2⤵
  PID:9332
- C:\Windows\System32\ojGouET.exe
  C:\Windows\System32\ojGouET.exe
  2⤵
  PID:9352
- C:\Windows\System32\aLodNLY.exe
  C:\Windows\System32\aLodNLY.exe
  2⤵
  PID:9380
- C:\Windows\System32\ccXSGsg.exe
  C:\Windows\System32\ccXSGsg.exe
  2⤵
  PID:9400
- C:\Windows\System32\sOwUyVe.exe
  C:\Windows\System32\sOwUyVe.exe
  2⤵
  PID:9420
- C:\Windows\System32\nocYvFG.exe
  C:\Windows\System32\nocYvFG.exe
  2⤵
  PID:9444
- C:\Windows\System32\vmzfEMO.exe
  C:\Windows\System32\vmzfEMO.exe
  2⤵
  PID:9476
- C:\Windows\System32\kKKmNsR.exe
  C:\Windows\System32\kKKmNsR.exe
  2⤵
  PID:9508
- C:\Windows\System32\jGxmfbW.exe
  C:\Windows\System32\jGxmfbW.exe
  2⤵
  PID:9524
- C:\Windows\System32\jhcOZsq.exe
  C:\Windows\System32\jhcOZsq.exe
  2⤵
  PID:9548
- C:\Windows\System32\QHhUtda.exe
  C:\Windows\System32\QHhUtda.exe
  2⤵
  PID:9576
- C:\Windows\System32\nWjvQQR.exe
  C:\Windows\System32\nWjvQQR.exe
  2⤵
  PID:9608
- C:\Windows\System32\WwRCikW.exe
  C:\Windows\System32\WwRCikW.exe
  2⤵
  PID:9624
- C:\Windows\System32\qyLAEkR.exe
  C:\Windows\System32\qyLAEkR.exe
  2⤵
  PID:9664
- C:\Windows\System32\DrVIxjA.exe
  C:\Windows\System32\DrVIxjA.exe
  2⤵
  PID:9720
- C:\Windows\System32\QndANdX.exe
  C:\Windows\System32\QndANdX.exe
  2⤵
  PID:9740
- C:\Windows\System32\VrqcJxf.exe
  C:\Windows\System32\VrqcJxf.exe
  2⤵
  PID:9764
- C:\Windows\System32\GjhNjIs.exe
  C:\Windows\System32\GjhNjIs.exe
  2⤵
  PID:9800
- C:\Windows\System32\sCqeGzj.exe
  C:\Windows\System32\sCqeGzj.exe
  2⤵
  PID:9848
- C:\Windows\System32\oXnKKlx.exe
  C:\Windows\System32\oXnKKlx.exe
  2⤵
  PID:9868
- C:\Windows\System32\xxOeAcN.exe
  C:\Windows\System32\xxOeAcN.exe
  2⤵
  PID:9888
- C:\Windows\System32\PcDfFgN.exe
  C:\Windows\System32\PcDfFgN.exe
  2⤵
  PID:9912
- C:\Windows\System32\Fsiqtij.exe
  C:\Windows\System32\Fsiqtij.exe
  2⤵
  PID:9936
- C:\Windows\System32\Adaveto.exe
  C:\Windows\System32\Adaveto.exe
  2⤵
  PID:9976
- C:\Windows\System32\ONLmedD.exe
  C:\Windows\System32\ONLmedD.exe
  2⤵
  PID:10004
- C:\Windows\System32\ExdNXZO.exe
  C:\Windows\System32\ExdNXZO.exe
  2⤵
  PID:10044
- C:\Windows\System32\eVheWoK.exe
  C:\Windows\System32\eVheWoK.exe
  2⤵
  PID:10064
- C:\Windows\System32\MeAiJEx.exe
  C:\Windows\System32\MeAiJEx.exe
  2⤵
  PID:10080
- C:\Windows\System32\FPAwGeG.exe
  C:\Windows\System32\FPAwGeG.exe
  2⤵
  PID:10108
- C:\Windows\System32\DWiDdwx.exe
  C:\Windows\System32\DWiDdwx.exe
  2⤵
  PID:10144
- C:\Windows\System32\QJcBSRr.exe
  C:\Windows\System32\QJcBSRr.exe
  2⤵
  PID:10164
- C:\Windows\System32\zSabRpG.exe
  C:\Windows\System32\zSabRpG.exe
  2⤵
  PID:10184
- C:\Windows\System32\LuQLOpO.exe
  C:\Windows\System32\LuQLOpO.exe
  2⤵
  PID:10204
- C:\Windows\System32\JdUykGR.exe
  C:\Windows\System32\JdUykGR.exe
  2⤵
  PID:10224
- C:\Windows\System32\WveztKZ.exe
  C:\Windows\System32\WveztKZ.exe
  2⤵
  PID:8884
- C:\Windows\System32\niNMWcR.exe
  C:\Windows\System32\niNMWcR.exe
  2⤵
  PID:9248
- C:\Windows\System32\qHBUNee.exe
  C:\Windows\System32\qHBUNee.exe
  2⤵
  PID:9316
- C:\Windows\System32\nXBWdhx.exe
  C:\Windows\System32\nXBWdhx.exe
  2⤵
  PID:9340
- C:\Windows\System32\leEqyns.exe
  C:\Windows\System32\leEqyns.exe
  2⤵
  PID:9412
- C:\Windows\System32\UvUKxFV.exe
  C:\Windows\System32\UvUKxFV.exe
  2⤵
  PID:9392
- C:\Windows\System32\JhcQNTy.exe
  C:\Windows\System32\JhcQNTy.exe
  2⤵
  PID:9532
- C:\Windows\System32\ohPNRqj.exe
  C:\Windows\System32\ohPNRqj.exe
  2⤵
  PID:9632
- C:\Windows\System32\TJNjRhe.exe
  C:\Windows\System32\TJNjRhe.exe
  2⤵
  PID:9700
- C:\Windows\System32\XizUTmz.exe
  C:\Windows\System32\XizUTmz.exe
  2⤵
  PID:9772
- C:\Windows\System32\csgyJSx.exe
  C:\Windows\System32\csgyJSx.exe
  2⤵
  PID:9904
- C:\Windows\System32\RRplTLO.exe
  C:\Windows\System32\RRplTLO.exe
  2⤵
  PID:9984
- C:\Windows\System32\elOGGXx.exe
  C:\Windows\System32\elOGGXx.exe
  2⤵
  PID:10092
- C:\Windows\System32\KASiqdg.exe
  C:\Windows\System32\KASiqdg.exe
  2⤵
  PID:10136
- C:\Windows\System32\pulCEle.exe
  C:\Windows\System32\pulCEle.exe
  2⤵
  PID:10180
- C:\Windows\System32\BnfyBMv.exe
  C:\Windows\System32\BnfyBMv.exe
  2⤵
  PID:10236
- C:\Windows\System32\uwVPmQE.exe
  C:\Windows\System32\uwVPmQE.exe
  2⤵
  PID:9300
- C:\Windows\System32\MiPhgqG.exe
  C:\Windows\System32\MiPhgqG.exe
  2⤵
  PID:9592
- C:\Windows\System32\fPllvXy.exe
  C:\Windows\System32\fPllvXy.exe
  2⤵
  PID:9620
- C:\Windows\System32\mGDzXvr.exe
  C:\Windows\System32\mGDzXvr.exe
  2⤵
  PID:9808
- C:\Windows\System32\yJOFrii.exe
  C:\Windows\System32\yJOFrii.exe
  2⤵
  PID:9932
- C:\Windows\System32\wIVuest.exe
  C:\Windows\System32\wIVuest.exe
  2⤵
  PID:10056
- C:\Windows\System32\QlaBkDK.exe
  C:\Windows\System32\QlaBkDK.exe
  2⤵
  PID:10200
- C:\Windows\System32\OzOLxAy.exe
  C:\Windows\System32\OzOLxAy.exe
  2⤵
  PID:9504
- C:\Windows\System32\VsLnDtn.exe
  C:\Windows\System32\VsLnDtn.exe
  2⤵
  PID:10216
- C:\Windows\System32\qbPXgDd.exe
  C:\Windows\System32\qbPXgDd.exe
  2⤵
  PID:9144
- C:\Windows\System32\jSZISHO.exe
  C:\Windows\System32\jSZISHO.exe
  2⤵
  PID:4848
- C:\Windows\System32\CeMZJQo.exe
  C:\Windows\System32\CeMZJQo.exe
  2⤵
  PID:10264
- C:\Windows\System32\JFHNGwu.exe
  C:\Windows\System32\JFHNGwu.exe
  2⤵
  PID:10280
- C:\Windows\System32\MWISqUH.exe
  C:\Windows\System32\MWISqUH.exe
  2⤵
  PID:10304
- C:\Windows\System32\NPRPYob.exe
  C:\Windows\System32\NPRPYob.exe
  2⤵
  PID:10344
- C:\Windows\System32\LfLuqIM.exe
  C:\Windows\System32\LfLuqIM.exe
  2⤵
  PID:10376
- C:\Windows\System32\JxMTzXY.exe
  C:\Windows\System32\JxMTzXY.exe
  2⤵
  PID:10392
- C:\Windows\System32\PpEmhhN.exe
  C:\Windows\System32\PpEmhhN.exe
  2⤵
  PID:10436
- C:\Windows\System32\uSvBeud.exe
  C:\Windows\System32\uSvBeud.exe
  2⤵
  PID:10452
- C:\Windows\System32\DlIasbu.exe
  C:\Windows\System32\DlIasbu.exe
  2⤵
  PID:10472
- C:\Windows\System32\QLVfGuH.exe
  C:\Windows\System32\QLVfGuH.exe
  2⤵
  PID:10500
- C:\Windows\System32\CPgQwKq.exe
  C:\Windows\System32\CPgQwKq.exe
  2⤵
  PID:10540
- C:\Windows\System32\bkQUNAp.exe
  C:\Windows\System32\bkQUNAp.exe
  2⤵
  PID:10568
- C:\Windows\System32\ptUDdom.exe
  C:\Windows\System32\ptUDdom.exe
  2⤵
  PID:10584
- C:\Windows\System32\AsDJGlr.exe
  C:\Windows\System32\AsDJGlr.exe
  2⤵
  PID:10600
- C:\Windows\System32\aejAlRQ.exe
  C:\Windows\System32\aejAlRQ.exe
  2⤵
  PID:10616
- C:\Windows\System32\QGMgvPw.exe
  C:\Windows\System32\QGMgvPw.exe
  2⤵
  PID:10632
- C:\Windows\System32\JrwgBri.exe
  C:\Windows\System32\JrwgBri.exe
  2⤵
  PID:10692
- C:\Windows\System32\EqWntrP.exe
  C:\Windows\System32\EqWntrP.exe
  2⤵
  PID:10724
- C:\Windows\System32\oIcVSvt.exe
  C:\Windows\System32\oIcVSvt.exe
  2⤵
  PID:10756
- C:\Windows\System32\HOqRDTy.exe
  C:\Windows\System32\HOqRDTy.exe
  2⤵
  PID:10776
- C:\Windows\System32\vhtblmX.exe
  C:\Windows\System32\vhtblmX.exe
  2⤵
  PID:10808
- C:\Windows\System32\mkVnxoJ.exe
  C:\Windows\System32\mkVnxoJ.exe
  2⤵
  PID:10856
- C:\Windows\System32\fMVWsyF.exe
  C:\Windows\System32\fMVWsyF.exe
  2⤵
  PID:10880
- C:\Windows\System32\sNrOwmU.exe
  C:\Windows\System32\sNrOwmU.exe
  2⤵
  PID:10908
- C:\Windows\System32\LRLsRbV.exe
  C:\Windows\System32\LRLsRbV.exe
  2⤵
  PID:10948
- C:\Windows\System32\xwogEUO.exe
  C:\Windows\System32\xwogEUO.exe
  2⤵
  PID:10964
- C:\Windows\System32\EMUGMGl.exe
  C:\Windows\System32\EMUGMGl.exe
  2⤵
  PID:11004
- C:\Windows\System32\DLTwTLS.exe
  C:\Windows\System32\DLTwTLS.exe
  2⤵
  PID:11024
- C:\Windows\System32\lqtbyvA.exe
  C:\Windows\System32\lqtbyvA.exe
  2⤵
  PID:11048
- C:\Windows\System32\kqlWvko.exe
  C:\Windows\System32\kqlWvko.exe
  2⤵
  PID:11064
- C:\Windows\System32\ahsZjEV.exe
  C:\Windows\System32\ahsZjEV.exe
  2⤵
  PID:11080
- C:\Windows\System32\dauGAqx.exe
  C:\Windows\System32\dauGAqx.exe
  2⤵
  PID:11100
- C:\Windows\System32\PsEzuzZ.exe
  C:\Windows\System32\PsEzuzZ.exe
  2⤵
  PID:11124
- C:\Windows\System32\PSjiaoP.exe
  C:\Windows\System32\PSjiaoP.exe
  2⤵
  PID:11172
- C:\Windows\System32\zbhsIka.exe
  C:\Windows\System32\zbhsIka.exe
  2⤵
  PID:11208
- C:\Windows\System32\XDyJcWe.exe
  C:\Windows\System32\XDyJcWe.exe
  2⤵
  PID:11232
- C:\Windows\System32\rJoiILn.exe
  C:\Windows\System32\rJoiILn.exe
  2⤵
  PID:11252
- C:\Windows\System32\kEaHbSy.exe
  C:\Windows\System32\kEaHbSy.exe
  2⤵
  PID:10288
- C:\Windows\System32\UwdpQQa.exe
  C:\Windows\System32\UwdpQQa.exe
  2⤵
  PID:1744
- C:\Windows\System32\OMOwXeP.exe
  C:\Windows\System32\OMOwXeP.exe
  2⤵
  PID:10364
- C:\Windows\System32\xivIxul.exe
  C:\Windows\System32\xivIxul.exe
  2⤵
  PID:10464
- C:\Windows\System32\aDXsYyi.exe
  C:\Windows\System32\aDXsYyi.exe
  2⤵
  PID:10520
- C:\Windows\System32\CGdpfvX.exe
  C:\Windows\System32\CGdpfvX.exe
  2⤵
  PID:10536
- C:\Windows\System32\ZuTAAAf.exe
  C:\Windows\System32\ZuTAAAf.exe
  2⤵
  PID:10576
- C:\Windows\System32\XJYFrTS.exe
  C:\Windows\System32\XJYFrTS.exe
  2⤵
  PID:10676
- C:\Windows\System32\gbcvsml.exe
  C:\Windows\System32\gbcvsml.exe
  2⤵
  PID:10700
- C:\Windows\System32\KdMTZLY.exe
  C:\Windows\System32\KdMTZLY.exe
  2⤵
  PID:10712
- C:\Windows\System32\xoCdKBf.exe
  C:\Windows\System32\xoCdKBf.exe
  2⤵
  PID:10784
- C:\Windows\System32\YRPqVuF.exe
  C:\Windows\System32\YRPqVuF.exe
  2⤵
  PID:10876
- C:\Windows\System32\SVKudaY.exe
  C:\Windows\System32\SVKudaY.exe
  2⤵
  PID:10944
- C:\Windows\System32\rFPKhUF.exe
  C:\Windows\System32\rFPKhUF.exe
  2⤵
  PID:11076
- C:\Windows\System32\OXPbdWV.exe
  C:\Windows\System32\OXPbdWV.exe
  2⤵
  PID:1780
- C:\Windows\System32\OPipeKW.exe
  C:\Windows\System32\OPipeKW.exe
  2⤵
  PID:11168
- C:\Windows\System32\XQbaJZS.exe
  C:\Windows\System32\XQbaJZS.exe
  2⤵
  PID:11192
- C:\Windows\System32\dIzpRCq.exe
  C:\Windows\System32\dIzpRCq.exe
  2⤵
  PID:9792
- C:\Windows\System32\krnoqes.exe
  C:\Windows\System32\krnoqes.exe
  2⤵
  PID:10484
- C:\Windows\System32\pZBJaYS.exe
  C:\Windows\System32\pZBJaYS.exe
  2⤵
  PID:4952
- C:\Windows\System32\GQsJeMS.exe
  C:\Windows\System32\GQsJeMS.exe
  2⤵
  PID:10612
- C:\Windows\System32\nCbTXRv.exe
  C:\Windows\System32\nCbTXRv.exe
  2⤵
  PID:10596
- C:\Windows\System32\lMqhXyz.exe
  C:\Windows\System32\lMqhXyz.exe
  2⤵
  PID:10752
- C:\Windows\System32\oZgMCoK.exe
  C:\Windows\System32\oZgMCoK.exe
  2⤵
  PID:11096
- C:\Windows\System32\wNQiamf.exe
  C:\Windows\System32\wNQiamf.exe
  2⤵
  PID:11140
- C:\Windows\System32\dRzkrwr.exe
  C:\Windows\System32\dRzkrwr.exe
  2⤵
  PID:11248
- C:\Windows\System32\eLOggkK.exe
  C:\Windows\System32\eLOggkK.exe
  2⤵
  PID:10388
- C:\Windows\System32\mIWefpT.exe
  C:\Windows\System32\mIWefpT.exe
  2⤵
  PID:10824
- C:\Windows\System32\yTxmxqd.exe
  C:\Windows\System32\yTxmxqd.exe
  2⤵
  PID:11020
- C:\Windows\System32\NFkmfeS.exe
  C:\Windows\System32\NFkmfeS.exe
  2⤵
  PID:2204
- C:\Windows\System32\oqlNNrj.exe
  C:\Windows\System32\oqlNNrj.exe
  2⤵
  PID:10744
- C:\Windows\System32\kSTHDFf.exe
  C:\Windows\System32\kSTHDFf.exe
  2⤵
  PID:1060
- C:\Windows\System32\CAcvifa.exe
  C:\Windows\System32\CAcvifa.exe
  2⤵
  PID:11272
- C:\Windows\System32\yNnreDK.exe
  C:\Windows\System32\yNnreDK.exe
  2⤵
  PID:11292
- C:\Windows\System32\qghhHcN.exe
  C:\Windows\System32\qghhHcN.exe
  2⤵
  PID:11332
- C:\Windows\System32\XWtNnTu.exe
  C:\Windows\System32\XWtNnTu.exe
  2⤵
  PID:11356
- C:\Windows\System32\EnhDVuk.exe
  C:\Windows\System32\EnhDVuk.exe
  2⤵
  PID:11372
- C:\Windows\System32\UlckKkh.exe
  C:\Windows\System32\UlckKkh.exe
  2⤵
  PID:11412
- C:\Windows\System32\rdUvJyn.exe
  C:\Windows\System32\rdUvJyn.exe
  2⤵
  PID:11456
- C:\Windows\System32\Favjawv.exe
  C:\Windows\System32\Favjawv.exe
  2⤵
  PID:11488
- C:\Windows\System32\vvwdnBd.exe
  C:\Windows\System32\vvwdnBd.exe
  2⤵
  PID:11520
- C:\Windows\System32\iJlOzim.exe
  C:\Windows\System32\iJlOzim.exe
  2⤵
  PID:11540
- C:\Windows\System32\PeONALb.exe
  C:\Windows\System32\PeONALb.exe
  2⤵
  PID:11580
- C:\Windows\System32\YMWcMLK.exe
  C:\Windows\System32\YMWcMLK.exe
  2⤵
  PID:11608
- C:\Windows\System32\CQReKFe.exe
  C:\Windows\System32\CQReKFe.exe
  2⤵
  PID:11636
- C:\Windows\System32\vZaBggU.exe
  C:\Windows\System32\vZaBggU.exe
  2⤵
  PID:11668
- C:\Windows\System32\eBaiuvQ.exe
  C:\Windows\System32\eBaiuvQ.exe
  2⤵
  PID:11704
- C:\Windows\System32\PzgMqfz.exe
  C:\Windows\System32\PzgMqfz.exe
  2⤵
  PID:11752
- C:\Windows\System32\WgnoVRQ.exe
  C:\Windows\System32\WgnoVRQ.exe
  2⤵
  PID:11792
- C:\Windows\System32\CoxOTFs.exe
  C:\Windows\System32\CoxOTFs.exe
  2⤵
  PID:11812
- C:\Windows\System32\aWXVovk.exe
  C:\Windows\System32\aWXVovk.exe
  2⤵
  PID:11828
- C:\Windows\System32\fhlGPDU.exe
  C:\Windows\System32\fhlGPDU.exe
  2⤵
  PID:11868
- C:\Windows\System32\UjqvJvY.exe
  C:\Windows\System32\UjqvJvY.exe
  2⤵
  PID:11892
- C:\Windows\System32\WxlklmL.exe
  C:\Windows\System32\WxlklmL.exe
  2⤵
  PID:11928
- C:\Windows\System32\JukHzrk.exe
  C:\Windows\System32\JukHzrk.exe
  2⤵
  PID:11952
- C:\Windows\System32\hVonlMA.exe
  C:\Windows\System32\hVonlMA.exe
  2⤵
  PID:11968
- C:\Windows\System32\wUkwwXW.exe
  C:\Windows\System32\wUkwwXW.exe
  2⤵
  PID:11988
- C:\Windows\System32\BPcVPVp.exe
  C:\Windows\System32\BPcVPVp.exe
  2⤵
  PID:12020
- C:\Windows\System32\bCOXKvZ.exe
  C:\Windows\System32\bCOXKvZ.exe
  2⤵
  PID:12040
- C:\Windows\System32\vKvPYYp.exe
  C:\Windows\System32\vKvPYYp.exe
  2⤵
  PID:12100
- C:\Windows\System32\uKcGARn.exe
  C:\Windows\System32\uKcGARn.exe
  2⤵
  PID:12132
- C:\Windows\System32\JbjEkks.exe
  C:\Windows\System32\JbjEkks.exe
  2⤵
  PID:12164
- C:\Windows\System32\ccAYkwF.exe
  C:\Windows\System32\ccAYkwF.exe
  2⤵
  PID:12204
- C:\Windows\System32\bSkcZDi.exe
  C:\Windows\System32\bSkcZDi.exe
  2⤵
  PID:12236
- C:\Windows\System32\IpVlyxg.exe
  C:\Windows\System32\IpVlyxg.exe
  2⤵
  PID:12264
- C:\Windows\System32\VqTWwtd.exe
  C:\Windows\System32\VqTWwtd.exe
  2⤵
  PID:12284
- C:\Windows\System32\zPikZJm.exe
  C:\Windows\System32\zPikZJm.exe
  2⤵
  PID:11300
- C:\Windows\System32\UNjMzAV.exe
  C:\Windows\System32\UNjMzAV.exe
  2⤵
  PID:11312
- C:\Windows\System32\rTLeFDA.exe
  C:\Windows\System32\rTLeFDA.exe
  2⤵
  PID:11408
- C:\Windows\System32\OkFmmIm.exe
  C:\Windows\System32\OkFmmIm.exe
  2⤵
  PID:11440
- C:\Windows\System32\BMElZbD.exe
  C:\Windows\System32\BMElZbD.exe
  2⤵
  PID:11536
- C:\Windows\System32\wsNcqNF.exe
  C:\Windows\System32\wsNcqNF.exe
  2⤵
  PID:11588
- C:\Windows\System32\AafCfkW.exe
  C:\Windows\System32\AafCfkW.exe
  2⤵
  PID:11676
- C:\Windows\System32\atKnVej.exe
  C:\Windows\System32\atKnVej.exe
  2⤵
  PID:11760
- C:\Windows\System32\QbXIXQj.exe
  C:\Windows\System32\QbXIXQj.exe
  2⤵
  PID:11804
- C:\Windows\System32\TGRtqTm.exe
  C:\Windows\System32\TGRtqTm.exe
  2⤵
  PID:11852
- C:\Windows\System32\xFTCtLq.exe
  C:\Windows\System32\xFTCtLq.exe
  2⤵
  PID:11964
- C:\Windows\System32\rsmdtjL.exe
  C:\Windows\System32\rsmdtjL.exe
  2⤵
  PID:12076
- C:\Windows\System32\SkKRXou.exe
  C:\Windows\System32\SkKRXou.exe
  2⤵
  PID:12048
- C:\Windows\System32\sJhTgfS.exe
  C:\Windows\System32\sJhTgfS.exe
  2⤵
  PID:12116
- C:\Windows\System32\GrhIEBh.exe
  C:\Windows\System32\GrhIEBh.exe
  2⤵
  PID:12172
- C:\Windows\System32\iuhdjUZ.exe
  C:\Windows\System32\iuhdjUZ.exe
  2⤵
  PID:12176
- C:\Windows\System32\DCpGAda.exe
  C:\Windows\System32\DCpGAda.exe
  2⤵
  PID:12252
- C:\Windows\System32\bflPnLd.exe
  C:\Windows\System32\bflPnLd.exe
  2⤵
  PID:10252
- C:\Windows\System32\JLTGxNe.exe
  C:\Windows\System32\JLTGxNe.exe
  2⤵
  PID:11388
- C:\Windows\System32\cFkqtRp.exe
  C:\Windows\System32\cFkqtRp.exe
  2⤵
  PID:11496
- C:\Windows\System32\iWAXsif.exe
  C:\Windows\System32\iWAXsif.exe
  2⤵
  PID:11404
- C:\Windows\System32\BcgcjnU.exe
  C:\Windows\System32\BcgcjnU.exe
  2⤵
  PID:11560
- C:\Windows\System32\tIIoVnN.exe
  C:\Windows\System32\tIIoVnN.exe
  2⤵
  PID:12036
- C:\Windows\System32\XvwvouY.exe
  C:\Windows\System32\XvwvouY.exe
  2⤵
  PID:11728
- C:\Windows\System32\fGKOOwK.exe
  C:\Windows\System32\fGKOOwK.exe
  2⤵
  PID:12248
- C:\Windows\System32\WpiJbfk.exe
  C:\Windows\System32\WpiJbfk.exe
  2⤵
  PID:11480
- C:\Windows\System32\opADCNw.exe
  C:\Windows\System32\opADCNw.exe
  2⤵
  PID:12112
- C:\Windows\System32\gBAOdLW.exe
  C:\Windows\System32\gBAOdLW.exe
  2⤵
  PID:12200
- C:\Windows\System32\ngHZFoh.exe
  C:\Windows\System32\ngHZFoh.exe
  2⤵
  PID:11472
- C:\Windows\System32\fiGnfpi.exe
  C:\Windows\System32\fiGnfpi.exe
  2⤵
  PID:1952
- C:\Windows\System32\eQifEOE.exe
  C:\Windows\System32\eQifEOE.exe
  2⤵
  PID:12148
- C:\Windows\System32\JpndhnN.exe
  C:\Windows\System32\JpndhnN.exe
  2⤵
  PID:12304
- C:\Windows\System32\wIrQDJO.exe
  C:\Windows\System32\wIrQDJO.exe
  2⤵
  PID:12324
- C:\Windows\System32\jaDABZd.exe
  C:\Windows\System32\jaDABZd.exe
  2⤵
  PID:12460
- C:\Windows\System32\pvBAXsP.exe
  C:\Windows\System32\pvBAXsP.exe
  2⤵
  PID:12572
- C:\Windows\System32\jFIzxVQ.exe
  C:\Windows\System32\jFIzxVQ.exe
  2⤵
  PID:12612
- C:\Windows\System32\QapeHFB.exe
  C:\Windows\System32\QapeHFB.exe
  2⤵
  PID:12632
- C:\Windows\System32\jReJTjB.exe
  C:\Windows\System32\jReJTjB.exe
  2⤵
  PID:12668
- C:\Windows\System32\HXgTsoR.exe
  C:\Windows\System32\HXgTsoR.exe
  2⤵
  PID:12704
- C:\Windows\System32\JYXQkSf.exe
  C:\Windows\System32\JYXQkSf.exe
  2⤵
  PID:12720
- C:\Windows\System32\tfDFRhz.exe
  C:\Windows\System32\tfDFRhz.exe
  2⤵
  PID:12760
- C:\Windows\System32\nwFdqYd.exe
  C:\Windows\System32\nwFdqYd.exe
  2⤵
  PID:12804
- C:\Windows\System32\jpcLKhP.exe
  C:\Windows\System32\jpcLKhP.exe
  2⤵
  PID:12880
- C:\Windows\System32\XBnTdFt.exe
  C:\Windows\System32\XBnTdFt.exe
  2⤵
  PID:12896
- C:\Windows\System32\cwrwkMx.exe
  C:\Windows\System32\cwrwkMx.exe
  2⤵
  PID:12912
- C:\Windows\System32\xECHwgQ.exe
  C:\Windows\System32\xECHwgQ.exe
  2⤵
  PID:12952
- C:\Windows\System32\LtwLkZT.exe
  C:\Windows\System32\LtwLkZT.exe
  2⤵
  PID:12968
- C:\Windows\System32\BXpKByP.exe
  C:\Windows\System32\BXpKByP.exe
  2⤵
  PID:12988
- C:\Windows\System32\OqWCZMG.exe
  C:\Windows\System32\OqWCZMG.exe
  2⤵
  PID:13008
- C:\Windows\System32\wOvUXJJ.exe
  C:\Windows\System32\wOvUXJJ.exe
  2⤵
  PID:13052
- C:\Windows\System32\oSumExt.exe
  C:\Windows\System32\oSumExt.exe
  2⤵
  PID:13096
- C:\Windows\System32\FHuZjmV.exe
  C:\Windows\System32\FHuZjmV.exe
  2⤵
  PID:13112
- C:\Windows\System32\yUKDlUO.exe
  C:\Windows\System32\yUKDlUO.exe
  2⤵
  PID:13140
- C:\Windows\System32\qaWmXdA.exe
  C:\Windows\System32\qaWmXdA.exe
  2⤵
  PID:13168
- C:\Windows\System32\qrxRpqG.exe
  C:\Windows\System32\qrxRpqG.exe
  2⤵
  PID:13204
- C:\Windows\System32\zpWhJYg.exe
  C:\Windows\System32\zpWhJYg.exe
  2⤵
  PID:13224
- C:\Windows\System32\DPGyMKu.exe
  C:\Windows\System32\DPGyMKu.exe
  2⤵
  PID:13252
- C:\Windows\System32\HjPMZrg.exe
  C:\Windows\System32\HjPMZrg.exe
  2⤵
  PID:13292
- C:\Windows\System32\uFpoofV.exe
  C:\Windows\System32\uFpoofV.exe
  2⤵
  PID:11288
- C:\Windows\System32\acfbHTa.exe
  C:\Windows\System32\acfbHTa.exe
  2⤵
  PID:12032
- C:\Windows\System32\IYIjajv.exe
  C:\Windows\System32\IYIjajv.exe
  2⤵
  PID:12080
- C:\Windows\System32\BhfBZPb.exe
  C:\Windows\System32\BhfBZPb.exe
  2⤵
  PID:12312
- C:\Windows\System32\DFTFIsP.exe
  C:\Windows\System32\DFTFIsP.exe
  2⤵
  PID:12416
- C:\Windows\System32\GItYeYo.exe
  C:\Windows\System32\GItYeYo.exe
  2⤵
  PID:12364
- C:\Windows\System32\SPAiAEB.exe
  C:\Windows\System32\SPAiAEB.exe
  2⤵
  PID:12588
- C:\Windows\System32\aDvDcBX.exe
  C:\Windows\System32\aDvDcBX.exe
  2⤵
  PID:12620
- C:\Windows\System32\ADEGrup.exe
  C:\Windows\System32\ADEGrup.exe
  2⤵
  PID:2084
- C:\Windows\System32\hCUPoli.exe
  C:\Windows\System32\hCUPoli.exe
  2⤵
  PID:12676
- C:\Windows\System32\iRWvAQi.exe
  C:\Windows\System32\iRWvAQi.exe
  2⤵
  PID:12824
- C:\Windows\System32\YXRddOG.exe
  C:\Windows\System32\YXRddOG.exe
  2⤵
  PID:12860
- C:\Windows\System32\qjQAmEE.exe
  C:\Windows\System32\qjQAmEE.exe
  2⤵
  PID:12876
- C:\Windows\System32\ZktQaiO.exe
  C:\Windows\System32\ZktQaiO.exe
  2⤵
  PID:12980
- C:\Windows\System32\ErAdcTD.exe
  C:\Windows\System32\ErAdcTD.exe
  2⤵
  PID:13004
- C:\Windows\System32\uWhIYJn.exe
  C:\Windows\System32\uWhIYJn.exe
  2⤵
  PID:11940
- C:\Windows\System32\lBpeEuf.exe
  C:\Windows\System32\lBpeEuf.exe
  2⤵
  PID:13152
- C:\Windows\System32\tsJuAyi.exe
  C:\Windows\System32\tsJuAyi.exe
  2⤵
  PID:13200
- C:\Windows\System32\nIWMMcj.exe
  C:\Windows\System32\nIWMMcj.exe
  2⤵
  PID:13216
- C:\Windows\System32\dgmgZrv.exe
  C:\Windows\System32\dgmgZrv.exe
  2⤵
  PID:13300
- C:\Windows\System32\XylYQZi.exe
  C:\Windows\System32\XylYQZi.exe
  2⤵
  PID:12336
- C:\Windows\System32\jEgyMHi.exe
  C:\Windows\System32\jEgyMHi.exe
  2⤵
  PID:12468
- C:\Windows\System32\jGtPnAe.exe
  C:\Windows\System32\jGtPnAe.exe
  2⤵
  PID:12636
- C:\Windows\System32\FJWaOUm.exe
  C:\Windows\System32\FJWaOUm.exe
  2⤵
  PID:4284
- C:\Windows\System32\pyELJXJ.exe
  C:\Windows\System32\pyELJXJ.exe
  2⤵
  PID:12904
- C:\Windows\System32\aqAgTxI.exe
  C:\Windows\System32\aqAgTxI.exe
  2⤵
  PID:13244
- C:\Windows\System32\konsGAV.exe
  C:\Windows\System32\konsGAV.exe
  2⤵
  PID:11284
- C:\Windows\System32\shkqrqv.exe
  C:\Windows\System32\shkqrqv.exe
  2⤵
  PID:12780
- C:\Windows\System32\wxIERQL.exe
  C:\Windows\System32\wxIERQL.exe
  2⤵
  PID:12888
- C:\Windows\System32\KlmtHBM.exe
  C:\Windows\System32\KlmtHBM.exe
  2⤵
  PID:13136
- C:\Windows\System32\bOeLwXE.exe
  C:\Windows\System32\bOeLwXE.exe
  2⤵
  PID:13072
- C:\Windows\System32\auLIEGw.exe
  C:\Windows\System32\auLIEGw.exe
  2⤵
  PID:12232
- C:\Windows\System32\BqUByCS.exe
  C:\Windows\System32\BqUByCS.exe
  2⤵
  PID:12928
- C:\Windows\System32\CjiQmMs.exe
  C:\Windows\System32\CjiQmMs.exe
  2⤵
  PID:12976
- C:\Windows\System32\peJgauS.exe
  C:\Windows\System32\peJgauS.exe
  2⤵
  PID:13316
- C:\Windows\System32\MUNNYEL.exe
  C:\Windows\System32\MUNNYEL.exe
  2⤵
  PID:13340
- C:\Windows\System32\LLIhXBw.exe
  C:\Windows\System32\LLIhXBw.exe
  2⤵
  PID:13396
- C:\Windows\System32\oodretI.exe
  C:\Windows\System32\oodretI.exe
  2⤵
  PID:13420
- C:\Windows\System32\dBvhQqQ.exe
  C:\Windows\System32\dBvhQqQ.exe
  2⤵
  PID:13444
- C:\Windows\System32\UKWkUsb.exe
  C:\Windows\System32\UKWkUsb.exe
  2⤵
  PID:13476
- C:\Windows\System32\SDXCCjF.exe
  C:\Windows\System32\SDXCCjF.exe
  2⤵
  PID:13508
- C:\Windows\System32\QbaFkWt.exe
  C:\Windows\System32\QbaFkWt.exe
  2⤵
  PID:13564
- C:\Windows\System32\EPjasLp.exe
  C:\Windows\System32\EPjasLp.exe
  2⤵
  PID:13588
- C:\Windows\System32\LmvSMSI.exe
  C:\Windows\System32\LmvSMSI.exe
  2⤵
  PID:13640
- C:\Windows\System32\ucnwFaV.exe
  C:\Windows\System32\ucnwFaV.exe
  2⤵
  PID:13656
- C:\Windows\System32\ZTfDDnf.exe
  C:\Windows\System32\ZTfDDnf.exe
  2⤵
  PID:13692
- C:\Windows\System32\ZGrTfsc.exe
  C:\Windows\System32\ZGrTfsc.exe
  2⤵
  PID:13712
- C:\Windows\System32\aUNaZvT.exe
  C:\Windows\System32\aUNaZvT.exe
  2⤵
  PID:13732
- C:\Windows\System32\lPZMXuk.exe
  C:\Windows\System32\lPZMXuk.exe
  2⤵
  PID:13756
- C:\Windows\System32\SWMTXCa.exe
  C:\Windows\System32\SWMTXCa.exe
  2⤵
  PID:13772
- C:\Windows\System32\PtejUeh.exe
  C:\Windows\System32\PtejUeh.exe
  2⤵
  PID:13792
- C:\Windows\System32\RWzJtAC.exe
  C:\Windows\System32\RWzJtAC.exe
  2⤵
  PID:13828
- C:\Windows\System32\nIVAcJE.exe
  C:\Windows\System32\nIVAcJE.exe
  2⤵
  PID:13848
- C:\Windows\System32\UXOoVQY.exe
  C:\Windows\System32\UXOoVQY.exe
  2⤵
  PID:13864
- C:\Windows\System32\UKISNRg.exe
  C:\Windows\System32\UKISNRg.exe
  2⤵
  PID:13908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4116,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8
1⤵
PID:7696

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:14324
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:13968

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1512

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:8440

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5572

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3152

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4932

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5400

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:6752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1072

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6668

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:9432

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5584

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:6040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8392

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9580

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9940

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2360

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:396

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10652

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6652

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11072

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10956

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12164

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12360

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12292

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12432

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12280

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8972

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4964

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2712

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9160

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6488

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10164

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9620

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14016

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9416

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1468

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14144

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9400

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2684

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14192

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12912

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8164

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13468

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13084

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13928

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8340

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8908

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14252

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\EH25NGOT\microsoft.windows[1].xml

Filesize
97B

MD5
f729e9923d3053c3555af6436eb8568b

SHA1
343e60bf32531a8e8ba71536961ca1afbf7bf6ec

SHA256
8d2875304491260051610fedda03092631f8c4436ae2a86226cb77dc7ef95e7c

SHA512
031083c972e7ac59c725d7b618bbf414bd52aa472b8c5597a50fdcbab3b9aa5540f394aff1a15709ce6f8eb5cb33717d62fd5c7f31de1bf7f6f79854ead31f6c

Download Submit
C:\Windows\System32\AoSHdup.exe

Filesize
1.5MB

MD5
da4fd82ff13f95037aea64812269026d

SHA1
916f5899406a807cc0ba3b11acef9538b1404cc7

SHA256
c267926e7e724cedec95a18318447dd47394336ac00d8b273669b179a4018bfd

SHA512
9aea4dd6e3fd1f7ead7475d56f0ca39490a8672123a1c4b076668327d4b393ab6d1d35e48a12411bab7d7690baef7422667cb7f8e12027f2bee2eb75f444b1c6

Download Submit
C:\Windows\System32\BUjOPJn.exe

Filesize
1.5MB

MD5
fbbe6a935a22e982c647ff5f59996e10

SHA1
a8ea5784017060cd5bb3cef8ce1ece17f388fdb1

SHA256
ff84d713a56d2aa5f91d6a185e19f6317e46c3de85915e69dc131d6cc2f2cc1c

SHA512
852f3e387c3c5f2ac864d7545480f46eeda74520385e46bc1ae0498010879edaff29ff75b7efaae92c1f8f1d595a53187ac62cb05a3007825dd03341dd137a12

Download Submit
C:\Windows\System32\CBMWMFr.exe

Filesize
1.5MB

MD5
2570e87c185cd3f834ea0c6daead61df

SHA1
d669cd116b263987f4b3265db08c56c59e183d8c

SHA256
cf14b61772c39fa30cda259609037fab6ec96ee8135cdf3abb4a8fc79883ba7f

SHA512
6de13a205fd307b6837535c87f19ac7bb1811fcd9a9f5bc9fd7cdcdfed92d3b91186d4d75a48db990fc55ce03206263d69f006aacfc1f8b861b9ee8d87f9a8bc

Download Submit
C:\Windows\System32\CPEcrRV.exe

Filesize
1.5MB

MD5
c1b4491e4c0b72984fef07468f9db73f

SHA1
55485c2148da01a2ab16e217ec93665c25ed6689

SHA256
c5bb46ca7abef4c28a3cac5b2a6b4e177a799b2604c35788174e026c4e7b3686

SHA512
c9e90c7e9db7ddb1a55ff823cf66c7154240678d950533af1d9b208a936536869a71028b51dbad5d5f3c839940cffadb3b01bb375c55272e444fab8725b2d410

Download Submit
C:\Windows\System32\DweXUMP.exe

Filesize
1.5MB

MD5
fe6f9e9a8b6263a59c25a5940c8c7c8a

SHA1
bb6fa5a6ee583290c5f614f13ad5f0f1d2b2e2d4

SHA256
bceca9e0b1efc2b9629d56015222f5f05080a15e687e3eac2666f3fa9f341510

SHA512
cd44d20f9e0c6ef9d21eec12b43ef430b382bdce85f10ad769a66c7d60d982ea1edfe0e6f3f3a2bdcfae8c8b2d4776f81b5dcc8f87390dcb9d46a7d494772d68

Download Submit
C:\Windows\System32\DycwhTR.exe

Filesize
1.5MB

MD5
c40e488b1cbfbcce102916f2d6a3c012

SHA1
ac71091b9942d1c27495d5a2d5396669cbe7c047

SHA256
7f0606a83d79c4f60eae4a390fb4bfa48abd6499ccd3776135fbae58a67466a8

SHA512
26381e81f5aec458973df671bb57068b8196dc96ad44eccf7e220f28122e8f54b56443ed60366db0deb08cb64bc9a5d997d7a6b94b626b68e04e82555a36b2d4

Download Submit
C:\Windows\System32\DzmTTwx.exe

Filesize
1.5MB

MD5
bbeadbc51e7dcf4036763277565bf072

SHA1
8d4f001ac9882b415ca51821e2c6bed81c950750

SHA256
c7d961d9c9d7a8e71c223130186dbb7720a90933c80ce6092aaadd01832df31e

SHA512
8a32f997694c864a9a84531b38f3684df034690f517f5ba456e31dea06abf2c39db9caf9e510161010175feb8dcf104595b367f0537b1745e59a6834099aad6e

Download Submit
C:\Windows\System32\EMohnHz.exe

Filesize
1.5MB

MD5
9c1a8e4fafaa3a834f5b121af4e2878b

SHA1
3c95741584c5d8139572729b530f4fd4f349a293

SHA256
71b62b0a99f77deb5affe8158306358dbb8f4996f5aaf67ee8e59a849c3fc206

SHA512
2ce258a7ef1843fc1d22fac379fd904ea3e179258f584c3fa8203fd7c2d2af1d7bba893d3b707d12ce566addf775f46a1dd393dcf36299f579946101c7142d11

Download Submit
C:\Windows\System32\FdNrYpV.exe

Filesize
1.5MB

MD5
6af3c98735bc22c7e4ea2d7edbe11941

SHA1
1c84391f21f74cccedaf025c3a5c5f30f00f1e00

SHA256
99cd5b6a0818449bfe2a4d5ecd9af07c9770ff360965d76bc690a26fa06c70fb

SHA512
3590d2244a64e5e32755a475d9304e5caeca12db1ff650ebd0d16abf9e32b571efaaf622725d3f2c09eb5670323cd796c00e6fa1b066365c5b499dab9129c85b

Download Submit
C:\Windows\System32\FuxJSra.exe

Filesize
1.5MB

MD5
b6243579a5f301aec30a23c85acb2c09

SHA1
b70165c97520e9622261509f2aef735e4c36b7ee

SHA256
c9fc69e0ffd31b57ff1350cc5ddf5e2184ceefed3fd991dffe6458a2ea95cda9

SHA512
2d21a5663e15ccf9300488479e0de111a96c60fbae2894cb1515ae5529d5625d825cd9dd472bab8eae31a0533d363d7101b50ebe7af1d0fb9ef8847d2bd8aaa8

Download Submit
C:\Windows\System32\HWltwdn.exe

Filesize
1.5MB

MD5
c09ec930f373520bc8bcef29bd8c6e21

SHA1
b707782bbf391fb6014268bca201cd3d9153a571

SHA256
f60f30e833dc2407083640011e9eb3f889054a94c7557150e6bff33ac8d25e60

SHA512
3760d3b47046802a456bc49360324f75292453facb99efafbed0d870266f1d06fc5aef4241d1ba0fe2ee159036eec822f84d8ce194a879015cee563e84f50c77

Download Submit
C:\Windows\System32\JVPPSHe.exe

Filesize
1.5MB

MD5
1f6ab0e9680d2aca2902e2511256189a

SHA1
52d3d0276890f9dd07835d9946b1ae8f718ad69e

SHA256
982f63debb859f37f226cbc5444bf8ea22c4817a7b0636ed09f0f1d80db1361c

SHA512
d4e05cbc2b2967a9549bca4f715940534e19423be27be6ece608f21fa7c0c76020505f8c621ad2cf617ff5a53a04e820b889ac1b721bfd03f6ff93254997f000

Download Submit
C:\Windows\System32\LlHywye.exe

Filesize
1.5MB

MD5
cb7387417a326b2ae9ec0c9b209fc7a6

SHA1
b63abf5ed7f83cb099a79c8268ded71854e8172e

SHA256
5f7800969f7980cdb48ebe57c818486e7c1f838d44193d51c0a5047710609387

SHA512
cf2e5821c7158f00ec87db100a74c3fa6a833de18fa71eae72ae87d7026cc992373d76fca9017e950920832f791f29cb4da83ebe12a65d88c57d832f20992b5a

Download Submit
C:\Windows\System32\NRSEkJE.exe

Filesize
1.5MB

MD5
8d1fef3f130674fc1736bf1e0e8778d9

SHA1
ce8922bce535c0d3dccd4f2448d711e77342b46d

SHA256
7de084c68e97125ff50661eabf54797128594b50cfe6b46035cdf794bf186c50

SHA512
266e7e4196d2d9bac7a5030294d5e25850cd4d88a14ee501c5bc6b0b85cab4bf4eb3983f320b3909e32b83a1be694a0878f09f2892683f2eda855083664ed25e

Download Submit
C:\Windows\System32\NbmQlHh.exe

Filesize
1.5MB

MD5
319b5faec399419ca936a7c9f2aa1e86

SHA1
9222ea9d728d0d6fd058acb29475ee988a1efbaf

SHA256
ec848a2cac460ab1e567d183bfbd18c74e5125d57c415aa423151eb27085f718

SHA512
6cabcd62cb23f308d9d24cbab90fe3e2d2f7a72875493fcfa675a707e608804b6ff6ba85cd16b44ba03f6e2fd651efcf251f505ee898372ceb122fbe7cc9d4cb

Download Submit
C:\Windows\System32\NcNMyiQ.exe

Filesize
1.5MB

MD5
9b8cc2188e8d4129da6534c2e7f27ed7

SHA1
eb3b004709faca1b498dd3328b01c7c4f02624fa

SHA256
a57065ee6d50bbe39579793515e199512b53b1f68d134ea651e24ed64210033f

SHA512
01f625ae69b3f5015a4e7dbe17f2e3f1576c0f124025fa60a3444539e5a2c11f68e7158fdfc2e7a81aa4d06162e53c53b49c5be6fbedfa23a63d9d2dbd07500a

Download Submit
C:\Windows\System32\OjQHTiN.exe

Filesize
1.5MB

MD5
e40743cc4cdfcb7cb6933fdc0978b56c

SHA1
efe346e2c04c18becd058263072cf825308ebd82

SHA256
240ce10cf0c1fd466ac0a9370d81d1c239cf8c6aa26a96e5481388a5a24bfc7a

SHA512
e929d34f18e4c0491540cadbc4dccb68298d2a1760a1f12386a94d493847b018f0c937ac777740549d17655158642e43ac32666a2d7b121370503ec653c245d4

Download Submit
C:\Windows\System32\VcQyIIl.exe

Filesize
1.5MB

MD5
cb756e1a53d0ebe916d87958dc3fbb63

SHA1
9864d69e182b27656265eded256a9878d4044acd

SHA256
f7e50b7e1e37440e30abd29943f9cdde800513d1cd572de4f3b07d13928aae20

SHA512
b3974b109b242f73caf0290b36fa4f86e1d4ac18641f75798d795459ad5e8848155a87602e8de4f350e5b108e9b404d090a718f71965032b3c9e18a7f545d27b

Download Submit
C:\Windows\System32\YRXkkrG.exe

Filesize
1.5MB

MD5
79541bcf9f4c25b447059ffe143e1143

SHA1
83771b71acbf76059b0684dd8b2621a338d48832

SHA256
68b735745b215f02a6720b2dca6de0ca5bd7f7e469f85c9e8d63513633d86a23

SHA512
c6d4f45615e27be408fd2aeba35c125a068caabcc722a18be7fe55438d7cbe1e50f1981d692f9b51ee0ded3c36bc176d407aac5c80573e4e65c024aeaa063d9f

Download Submit
C:\Windows\System32\aJRaFoE.exe

Filesize
1.5MB

MD5
bbc972fcc4e0b5764479779f3df38466

SHA1
31f006b3bb5cd0f181a22dd7d0a619ca331e34da

SHA256
6aa4ef9a410df73d2451fcde1ba46c4e6df47650208908d26524194f19295cdd

SHA512
08bb9fb017259c07653cf8ab28d2b9e36abcaafeeb2bcfc5464d8738f1e3a915074864dd41d918aeb7cd5082df11fd51e3d68790b1b64be751502b6bf0b65954

Download Submit
C:\Windows\System32\aRWKxFN.exe

Filesize
1.5MB

MD5
4f8ffe46da71d6356c77adbaca70b89e

SHA1
6575fad71b9925ff64d6f61a650b268063bf5ee2

SHA256
75654dd0583fad86ddaaa850729b31ad27a0ad601ae2683158baf958d242c34d

SHA512
0f9da2a686b722173a6ce1b0688c55523e6fa88ed7ff3f3d9f9819c08b1229010f89fded46ec48e1e0416153dd136b9150c6ba0b0467d2a58f66318849e03166

Download Submit
C:\Windows\System32\fMPPrpq.exe

Filesize
1.5MB

MD5
0f132f6d00f35febd29cc49a056623e2

SHA1
6488e3e9f64240b27fef8bb71bafa16a7c1cdc53

SHA256
5f96763f807b0cd41408d4b3606048b636acbedaed332bbaf33deeb12b696128

SHA512
d95a5f34a780b77dd4ee2a4b2c39c8d700211de7ede785475d43e62ce0e17d11e418838074d31cc87029b3e7baacf600ed13a3bd726703b2a59192da2a50bd75

Download Submit
C:\Windows\System32\fUvbCap.exe

Filesize
1.5MB

MD5
c0b085c22e876b190e72f72612bae4ab

SHA1
fd68c69adf4501dec34ab1af67c9d97edee6f4b3

SHA256
766840486b4bb36f5e43a7fc8e2e0b965d24c7c737847946642a55075b7bb58d

SHA512
0468404761977b80afcbe338a6104953042a3d38fdf314188085692c9666c1805b09ce8dce3815a08df5149d250db513610a761bf2ffd2db3c24a7aa8f93cbd0

Download Submit
C:\Windows\System32\fqRKvic.exe

Filesize
1.5MB

MD5
bc5e37dd681232e2c61c44e389138d3c

SHA1
0d18d3ce20a829a4fdf9ea1709f44d67ec001744

SHA256
453556884e7b3a4a1f88ff0f85af9375f54dbe8f42dcba120e3eabbe6aea33d1

SHA512
143310c29cb98f387f1f28df40df572ffa6beb43f8d8a9baef44d1252c3bbe1d02a4f7aed8a5d01b45ff4c7eeb34eee5259d226ff6494654efb8ea88937daacd

Download Submit
C:\Windows\System32\frDVPkn.exe

Filesize
1.5MB

MD5
fbf26746776b5eb6e8eb05b3af8fb5ba

SHA1
74c4025d860935aa7ca70086b20caf5dc0e62ddb

SHA256
b96e8dcfbe559981b11fbef5bea96187656f5f4e128507ad864c015b37579845

SHA512
7b0123b78933131c4f4da8364845e5f6a00330a62d1d1ddcde46b4b40f27285d30e77cae41d6bff907729968e38d7837088ae38f2b11b64464b6b958424857c4

Download Submit
C:\Windows\System32\hvyYozA.exe

Filesize
1.5MB

MD5
033a0d82ab07ead20531b7b06471e170

SHA1
51c3998e5176fa262a78df92bb94485ab28e93b4

SHA256
8b469f68532f2dc678d2901886766404d5005a9382543e1bc51c3a8acca88b88

SHA512
2014018ddd13c373a5a5a1e592be6e7c2cde7527fef9292af4123838b9f457991ce8e2caaed26eeb80de61cfae5114a381d5bb745ccd93d61be28a882c8a3b0c

Download Submit
C:\Windows\System32\jIujlIu.exe

Filesize
1.5MB

MD5
a52e8d5c021dd2fc5f69dadd0e6b4af7

SHA1
d456b4855e1aee2146b944a9f07f81cf0da469d3

SHA256
e074d30013d39ec6e543548545622a81209ed8d5fe504ba6374e24b642f22d00

SHA512
d2bb1b9d93671efd4dd4876be12407040348b544a5eabc89fbff1d4bdd707539a8d07f38a00ab59eb4689824c98268b2499f2ff0b664647f77cc33d8a4925a98

Download Submit
C:\Windows\System32\rUvdcJj.exe

Filesize
1.5MB

MD5
8256f47dc5208972d739675feb9b445c

SHA1
a811b7e407c491d64e7586ef69a8b7ad096f6382

SHA256
e913c8537b955515ca51962da89ecbd8edc4f326c30eb613e10b398264544841

SHA512
d28ac415ef159c6d9cbd6e48c826abcf52943aa3ea3794dfd1da551d0c691ae4766e49654bbf70146a9a78741435df213320db3c4c2507890baa2025ad400e05

Download Submit
C:\Windows\System32\tbfpfAz.exe

Filesize
1.5MB

MD5
313a465a41a15b03a78a5b94ef3368d7

SHA1
1347afef9fc670b30dc73321f9c7b7623e07f6f5

SHA256
214b1081e76e5e93d78555a2f3009548eb188040ad13c170129cf4cb5a5c348e

SHA512
f4c91909859566c8474de544965ffccaf39849aad8237e6d783a86f5c3e6fb2dc1f2dc005909b4c6ea8e30f0aadefcad52c3c278e10455ff9af44ba7f664c41d

Download Submit
C:\Windows\System32\wDIJhRV.exe

Filesize
1.5MB

MD5
3bb0aec2b0a031c6044c68eb81127d37

SHA1
3eb8ee5cf04e6c7ee0e06e81525802d405c23875

SHA256
dd2154771e5b15bccb34a045a94d1f55b47ea3a505b8c2e4e4b735a76eb422e7

SHA512
fc5ff2a9d76479db0846f54d89ff4e86ea3822240eb500f5a50815668ccd6bdc1905006c0f0455126695c2ce65c2974aa3296a85479bc120b6f5f35371bf1dd5

Download Submit
C:\Windows\System32\xLTZaZl.exe

Filesize
1.5MB

MD5
1be56f17be8b2d3f81a6f78be3913524

SHA1
fa1522c7e6d1613e42ae5943955538594c937b88

SHA256
6444f960faab826203f2ca53c83876d6ddc3daddcff1eed8f27a24dcfd4098ad

SHA512
c7b3be11debe4b39055ca326a5dc41e4b8d6676807e43573c3f0c20664283e2a92a4e2a0f5af8570efbff3b3882fa942900caf76791c9ec6ff05e0c4860442b5

Download Submit
C:\Windows\System32\yKnYJsc.exe

Filesize
1.5MB

MD5
5ebaa6b33f6c50fb7ac0d467d04fbd85

SHA1
4c3fb8230428744f0d60e7150b547268b44cae0a

SHA256
3e749b9fe6054a4d3c93732bbbe5eecc969e3306f757d5b7306987e0aeed511d

SHA512
362fb2da986fcd1fa8f096523680fc94c4f531ae835c72d9530ce905abf5f7416aab28270a2a447b4fda329b9d954ea36f35455438c8f4caafb8915ead03c662

Download Submit
memory/1072-2123-0x00007FF679C60000-0x00007FF67A051000-memory.dmp

Filesize
3.9MB

Download
memory/1072-100-0x00007FF679C60000-0x00007FF67A051000-memory.dmp

Filesize
3.9MB

Download
memory/1072-1087-0x00007FF679C60000-0x00007FF67A051000-memory.dmp

Filesize
3.9MB

Download
memory/1088-95-0x00007FF757E40000-0x00007FF758231000-memory.dmp

Filesize
3.9MB

Download
memory/1088-2113-0x00007FF757E40000-0x00007FF758231000-memory.dmp

Filesize
3.9MB

Download
memory/1124-1756-0x00007FF6AA890000-0x00007FF6AAC81000-memory.dmp

Filesize
3.9MB

Download
memory/1124-140-0x00007FF6AA890000-0x00007FF6AAC81000-memory.dmp

Filesize
3.9MB

Download
memory/1124-2162-0x00007FF6AA890000-0x00007FF6AAC81000-memory.dmp

Filesize
3.9MB

Download
memory/1296-2074-0x00007FF6EA1E0000-0x00007FF6EA5D1000-memory.dmp

Filesize
3.9MB

Download
memory/1296-36-0x00007FF6EA1E0000-0x00007FF6EA5D1000-memory.dmp

Filesize
3.9MB

Download
memory/1320-2129-0x00007FF7F9640000-0x00007FF7F9A31000-memory.dmp

Filesize
3.9MB

Download
memory/1320-1407-0x00007FF7F9640000-0x00007FF7F9A31000-memory.dmp

Filesize
3.9MB

Download
memory/1320-121-0x00007FF7F9640000-0x00007FF7F9A31000-memory.dmp

Filesize
3.9MB

Download
memory/1464-84-0x00007FF691710000-0x00007FF691B01000-memory.dmp

Filesize
3.9MB

Download
memory/1464-2112-0x00007FF691710000-0x00007FF691B01000-memory.dmp

Filesize
3.9MB

Download
memory/1464-847-0x00007FF691710000-0x00007FF691B01000-memory.dmp

Filesize
3.9MB

Download
memory/1532-2125-0x00007FF760D60000-0x00007FF761151000-memory.dmp

Filesize
3.9MB

Download
memory/1532-1310-0x00007FF760D60000-0x00007FF761151000-memory.dmp

Filesize
3.9MB

Download
memory/1532-115-0x00007FF760D60000-0x00007FF761151000-memory.dmp

Filesize
3.9MB

Download
memory/1796-2102-0x00007FF739430000-0x00007FF739821000-memory.dmp

Filesize
3.9MB

Download
memory/1796-94-0x00007FF739430000-0x00007FF739821000-memory.dmp

Filesize
3.9MB

Download
memory/1888-2210-0x00007FF726A40000-0x00007FF726E31000-memory.dmp

Filesize
3.9MB

Download
memory/1888-149-0x00007FF726A40000-0x00007FF726E31000-memory.dmp

Filesize
3.9MB

Download
memory/1888-1893-0x00007FF726A40000-0x00007FF726E31000-memory.dmp

Filesize
3.9MB

Download
memory/2000-2127-0x00007FF6BE5E0000-0x00007FF6BE9D1000-memory.dmp

Filesize
3.9MB

Download
memory/2000-104-0x00007FF6BE5E0000-0x00007FF6BE9D1000-memory.dmp

Filesize
3.9MB

Download
memory/2000-1211-0x00007FF6BE5E0000-0x00007FF6BE9D1000-memory.dmp

Filesize
3.9MB

Download
memory/2256-2117-0x00007FF6E4050000-0x00007FF6E4441000-memory.dmp

Filesize
3.9MB

Download
memory/2256-70-0x00007FF6E4050000-0x00007FF6E4441000-memory.dmp

Filesize
3.9MB

Download
memory/2256-835-0x00007FF6E4050000-0x00007FF6E4441000-memory.dmp

Filesize
3.9MB

Download
memory/2556-1521-0x00007FF6AB610000-0x00007FF6ABA01000-memory.dmp

Filesize
3.9MB

Download
memory/2556-127-0x00007FF6AB610000-0x00007FF6ABA01000-memory.dmp

Filesize
3.9MB

Download
memory/2556-2131-0x00007FF6AB610000-0x00007FF6ABA01000-memory.dmp

Filesize
3.9MB

Download
memory/2736-2119-0x00007FF7C95F0000-0x00007FF7C99E1000-memory.dmp

Filesize
3.9MB

Download
memory/2736-98-0x00007FF7C95F0000-0x00007FF7C99E1000-memory.dmp

Filesize
3.9MB

Download
memory/3344-89-0x00007FF618560000-0x00007FF618951000-memory.dmp

Filesize
3.9MB

Download
memory/3344-2105-0x00007FF618560000-0x00007FF618951000-memory.dmp

Filesize
3.9MB

Download
memory/3440-1-0x000001A485710000-0x000001A485720000-memory.dmp

Filesize
64KB

Download
memory/3440-2051-0x00007FF63C330000-0x00007FF63C721000-memory.dmp

Filesize
3.9MB

Download
memory/3440-137-0x00007FF63C330000-0x00007FF63C721000-memory.dmp

Filesize
3.9MB

Download
memory/3440-0-0x00007FF63C330000-0x00007FF63C721000-memory.dmp

Filesize
3.9MB

Download
memory/3540-26-0x00007FF61ED60000-0x00007FF61F151000-memory.dmp

Filesize
3.9MB

Download
memory/3540-146-0x00007FF61ED60000-0x00007FF61F151000-memory.dmp

Filesize
3.9MB

Download
memory/3540-2069-0x00007FF61ED60000-0x00007FF61F151000-memory.dmp

Filesize
3.9MB

Download
memory/3752-85-0x00007FF7AAA50000-0x00007FF7AAE41000-memory.dmp

Filesize
3.9MB

Download
memory/3752-2075-0x00007FF7AAA50000-0x00007FF7AAE41000-memory.dmp

Filesize
3.9MB

Download
memory/4016-2071-0x00007FF7548A0000-0x00007FF754C91000-memory.dmp

Filesize
3.9MB

Download
memory/4016-144-0x00007FF7548A0000-0x00007FF754C91000-memory.dmp

Filesize
3.9MB

Download
memory/4016-7-0x00007FF7548A0000-0x00007FF754C91000-memory.dmp

Filesize
3.9MB

Download
memory/4320-2077-0x00007FF7C3970000-0x00007FF7C3D61000-memory.dmp

Filesize
3.9MB

Download
memory/4320-57-0x00007FF7C3970000-0x00007FF7C3D61000-memory.dmp

Filesize
3.9MB

Download
memory/4424-103-0x00007FF6B1B10000-0x00007FF6B1F01000-memory.dmp

Filesize
3.9MB

Download
memory/4424-958-0x00007FF6B1B10000-0x00007FF6B1F01000-memory.dmp

Filesize
3.9MB

Download
memory/4424-2122-0x00007FF6B1B10000-0x00007FF6B1F01000-memory.dmp

Filesize
3.9MB

Download
memory/4576-2104-0x00007FF6957C0000-0x00007FF695BB1000-memory.dmp

Filesize
3.9MB

Download
memory/4576-65-0x00007FF6957C0000-0x00007FF695BB1000-memory.dmp

Filesize
3.9MB

Download
memory/4676-69-0x00007FF653820000-0x00007FF653C11000-memory.dmp

Filesize
3.9MB

Download
memory/4676-2109-0x00007FF653820000-0x00007FF653C11000-memory.dmp

Filesize
3.9MB

Download
memory/4828-148-0x00007FF707720000-0x00007FF707B11000-memory.dmp

Filesize
3.9MB

Download
memory/4828-2108-0x00007FF707720000-0x00007FF707B11000-memory.dmp

Filesize
3.9MB

Download
memory/4828-76-0x00007FF707720000-0x00007FF707B11000-memory.dmp

Filesize
3.9MB

Download
memory/4968-2116-0x00007FF68BC90000-0x00007FF68C081000-memory.dmp

Filesize
3.9MB

Download
memory/4968-72-0x00007FF68BC90000-0x00007FF68C081000-memory.dmp

Filesize
3.9MB

Download
memory/4968-846-0x00007FF68BC90000-0x00007FF68C081000-memory.dmp

Filesize
3.9MB

Download
memory/5020-131-0x00007FF6B1C20000-0x00007FF6B2011000-memory.dmp

Filesize
3.9MB

Download
memory/5020-1643-0x00007FF6B1C20000-0x00007FF6B2011000-memory.dmp

Filesize
3.9MB

Download
memory/5020-2133-0x00007FF6B1C20000-0x00007FF6B2011000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads