xmrig | 4ddebb61868ba6d1395c91d2a531cb4d8b0bb1ff228ea04c523570ae63f8bfce

Analysis

max time kernel
64s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 00:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
Size

1020KB
MD5

bda849849773f02c7ce38b9eab87ab0d
SHA1

1e32cf84cefec8c4595f7058ac4fdc8c98929ed7
SHA256

4ddebb61868ba6d1395c91d2a531cb4d8b0bb1ff228ea04c523570ae63f8bfce
SHA512

0e7d63bb52154b80ee3d3da4a0057f56dd40cf6be70cbb1e5b1f62043be5c5b41f503f474745014d8767f054c59408a3e1983f318d1f8debffd89693247de55e
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zEeBW:knw9oUUEEDl37jcq4o

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/2892-344-0x00007FF791840000-0x00007FF791C31000-memory.dmp	xmrig
behavioral2/memory/1624-347-0x00007FF739400000-0x00007FF7397F1000-memory.dmp	xmrig
behavioral2/memory/2044-349-0x00007FF6FC3A0000-0x00007FF6FC791000-memory.dmp	xmrig
behavioral2/memory/1692-355-0x00007FF7AC4A0000-0x00007FF7AC891000-memory.dmp	xmrig
behavioral2/memory/1520-343-0x00007FF6DCFB0000-0x00007FF6DD3A1000-memory.dmp	xmrig
behavioral2/memory/1648-365-0x00007FF7BB7C0000-0x00007FF7BBBB1000-memory.dmp	xmrig
behavioral2/memory/4952-374-0x00007FF7587C0000-0x00007FF758BB1000-memory.dmp	xmrig
behavioral2/memory/3228-379-0x00007FF73E760000-0x00007FF73EB51000-memory.dmp	xmrig
behavioral2/memory/4888-385-0x00007FF763DE0000-0x00007FF7641D1000-memory.dmp	xmrig
behavioral2/memory/4788-393-0x00007FF7F60E0000-0x00007FF7F64D1000-memory.dmp	xmrig
behavioral2/memory/752-399-0x00007FF688D00000-0x00007FF6890F1000-memory.dmp	xmrig
behavioral2/memory/2272-407-0x00007FF799DF0000-0x00007FF79A1E1000-memory.dmp	xmrig
behavioral2/memory/756-412-0x00007FF6DCEF0000-0x00007FF6DD2E1000-memory.dmp	xmrig
behavioral2/memory/3728-418-0x00007FF70F300000-0x00007FF70F6F1000-memory.dmp	xmrig
behavioral2/memory/1588-421-0x00007FF7ABC30000-0x00007FF7AC021000-memory.dmp	xmrig
behavioral2/memory/3972-422-0x00007FF759F70000-0x00007FF75A361000-memory.dmp	xmrig
behavioral2/memory/660-420-0x00007FF7DD6A0000-0x00007FF7DDA91000-memory.dmp	xmrig
behavioral2/memory/2264-390-0x00007FF6F1E50000-0x00007FF6F2241000-memory.dmp	xmrig
behavioral2/memory/3968-363-0x00007FF62FEF0000-0x00007FF6302E1000-memory.dmp	xmrig
behavioral2/memory/4768-69-0x00007FF7AD7D0000-0x00007FF7ADBC1000-memory.dmp	xmrig
behavioral2/memory/4820-39-0x00007FF793250000-0x00007FF793641000-memory.dmp	xmrig
behavioral2/memory/2332-1382-0x00007FF675C80000-0x00007FF676071000-memory.dmp	xmrig
behavioral2/memory/4320-1395-0x00007FF734880000-0x00007FF734C71000-memory.dmp	xmrig
behavioral2/memory/3416-1377-0x00007FF7536E0000-0x00007FF753AD1000-memory.dmp	xmrig
behavioral2/memory/4584-1373-0x00007FF662BD0000-0x00007FF662FC1000-memory.dmp	xmrig
behavioral2/memory/4584-2097-0x00007FF662BD0000-0x00007FF662FC1000-memory.dmp	xmrig
behavioral2/memory/3416-2123-0x00007FF7536E0000-0x00007FF753AD1000-memory.dmp	xmrig
behavioral2/memory/4820-2125-0x00007FF793250000-0x00007FF793641000-memory.dmp	xmrig
behavioral2/memory/2272-2127-0x00007FF799DF0000-0x00007FF79A1E1000-memory.dmp	xmrig
behavioral2/memory/2332-2129-0x00007FF675C80000-0x00007FF676071000-memory.dmp	xmrig
behavioral2/memory/756-2131-0x00007FF6DCEF0000-0x00007FF6DD2E1000-memory.dmp	xmrig
behavioral2/memory/4320-2134-0x00007FF734880000-0x00007FF734C71000-memory.dmp	xmrig
behavioral2/memory/1624-2137-0x00007FF739400000-0x00007FF7397F1000-memory.dmp	xmrig
behavioral2/memory/2892-2142-0x00007FF791840000-0x00007FF791C31000-memory.dmp	xmrig
behavioral2/memory/1588-2145-0x00007FF7ABC30000-0x00007FF7AC021000-memory.dmp	xmrig
behavioral2/memory/3972-2161-0x00007FF759F70000-0x00007FF75A361000-memory.dmp	xmrig
behavioral2/memory/3968-2160-0x00007FF62FEF0000-0x00007FF6302E1000-memory.dmp	xmrig
behavioral2/memory/1692-2159-0x00007FF7AC4A0000-0x00007FF7AC891000-memory.dmp	xmrig
behavioral2/memory/660-2157-0x00007FF7DD6A0000-0x00007FF7DDA91000-memory.dmp	xmrig
behavioral2/memory/4768-2139-0x00007FF7AD7D0000-0x00007FF7ADBC1000-memory.dmp	xmrig
behavioral2/memory/3728-2135-0x00007FF70F300000-0x00007FF70F6F1000-memory.dmp	xmrig
behavioral2/memory/4952-2164-0x00007FF7587C0000-0x00007FF758BB1000-memory.dmp	xmrig
behavioral2/memory/2044-2167-0x00007FF6FC3A0000-0x00007FF6FC791000-memory.dmp	xmrig
behavioral2/memory/4788-2191-0x00007FF7F60E0000-0x00007FF7F64D1000-memory.dmp	xmrig
behavioral2/memory/4888-2195-0x00007FF763DE0000-0x00007FF7641D1000-memory.dmp	xmrig
behavioral2/memory/2264-2193-0x00007FF6F1E50000-0x00007FF6F2241000-memory.dmp	xmrig
behavioral2/memory/1648-2189-0x00007FF7BB7C0000-0x00007FF7BBBB1000-memory.dmp	xmrig
behavioral2/memory/3228-2166-0x00007FF73E760000-0x00007FF73EB51000-memory.dmp	xmrig
behavioral2/memory/752-2199-0x00007FF688D00000-0x00007FF6890F1000-memory.dmp	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
3416	woVYRGG.exe
2272	Scwwjrp.exe
2332	BbokqBK.exe
4820	jmFihur.exe
756	qmpiEYB.exe
3728	pUXsFNW.exe
4320	vtKjYuw.exe
4768	wGZCKAE.exe
1520	RLzdUup.exe
2892	IHwbrUt.exe
660	nZbyzzm.exe
1624	huVROqY.exe
1588	rrOmXwG.exe
3972	UCtOaUe.exe
2044	lolejzR.exe
1692	OGiSxkQ.exe
3968	qhOinVo.exe
1648	XAwRpeY.exe
4952	jpJfSJY.exe
3228	sUAwNKO.exe
4888	mrNpRFN.exe
2264	sBUSarq.exe
4788	UFDELvx.exe
752	DAhNLXr.exe
4984	TgOKaVQ.exe
3696	gWRZsvV.exe
3496	vJOurzo.exe
3012	XxgoNwc.exe
696	AOeZKBw.exe
368	BOzHlmT.exe
448	WgSFdgd.exe
2132	TnnNJnw.exe
3332	SexTbsN.exe
1684	pIfSqYI.exe
1680	xPEJAyr.exe
3832	hWwHuJn.exe
4824	wwiahlc.exe
1712	aqtCBbc.exe
1960	lwymSLZ.exe
4860	mMWdSCN.exe
436	DGISZSx.exe
5080	dlgXUni.exe
1860	dcOMSfe.exe
2216	qHLduEy.exe
3436	jnKNSWN.exe
3976	upurhkK.exe
4348	Vptvxco.exe
1172	rRjavxy.exe
2716	ZJgSurD.exe
1204	ftkalkJ.exe
3768	OweviEl.exe
4880	juWTtvT.exe
4040	PegrsuE.exe
5036	RywpblU.exe
2588	mCMZcEc.exe
4740	dwiWXBT.exe
852	aUCHPEx.exe
740	DMGOiVB.exe
1440	eVdQAPT.exe
60	VbBHOOw.exe
4868	tzubaFq.exe
1452	KTtFnIG.exe
4900	rAELPuk.exe
5068	GaGfqcF.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4584-0-0x00007FF662BD0000-0x00007FF662FC1000-memory.dmp	upx
behavioral2/files/0x00070000000234c4-7.dat	upx
behavioral2/files/0x000900000002346a-9.dat	upx
behavioral2/memory/3416-17-0x00007FF7536E0000-0x00007FF753AD1000-memory.dmp	upx
behavioral2/files/0x00070000000234c5-16.dat	upx
behavioral2/files/0x00070000000234c6-23.dat	upx
behavioral2/files/0x00070000000234c9-41.dat	upx
behavioral2/files/0x00070000000234cb-44.dat	upx
behavioral2/files/0x00070000000234c7-47.dat	upx
behavioral2/files/0x00070000000234cc-52.dat	upx
behavioral2/files/0x00070000000234ce-67.dat	upx
behavioral2/files/0x00070000000234cf-79.dat	upx
behavioral2/files/0x00070000000234d3-92.dat	upx
behavioral2/files/0x00070000000234d5-103.dat	upx
behavioral2/files/0x00070000000234d7-115.dat	upx
behavioral2/files/0x00070000000234dd-143.dat	upx
behavioral2/memory/2892-344-0x00007FF791840000-0x00007FF791C31000-memory.dmp	upx
behavioral2/memory/1624-347-0x00007FF739400000-0x00007FF7397F1000-memory.dmp	upx
behavioral2/memory/2044-349-0x00007FF6FC3A0000-0x00007FF6FC791000-memory.dmp	upx
behavioral2/memory/1692-355-0x00007FF7AC4A0000-0x00007FF7AC891000-memory.dmp	upx
behavioral2/memory/1520-343-0x00007FF6DCFB0000-0x00007FF6DD3A1000-memory.dmp	upx
behavioral2/memory/1648-365-0x00007FF7BB7C0000-0x00007FF7BBBB1000-memory.dmp	upx
behavioral2/memory/4952-374-0x00007FF7587C0000-0x00007FF758BB1000-memory.dmp	upx
behavioral2/memory/3228-379-0x00007FF73E760000-0x00007FF73EB51000-memory.dmp	upx
behavioral2/memory/4888-385-0x00007FF763DE0000-0x00007FF7641D1000-memory.dmp	upx
behavioral2/memory/4788-393-0x00007FF7F60E0000-0x00007FF7F64D1000-memory.dmp	upx
behavioral2/memory/752-399-0x00007FF688D00000-0x00007FF6890F1000-memory.dmp	upx
behavioral2/memory/2272-407-0x00007FF799DF0000-0x00007FF79A1E1000-memory.dmp	upx
behavioral2/memory/756-412-0x00007FF6DCEF0000-0x00007FF6DD2E1000-memory.dmp	upx
behavioral2/memory/3728-418-0x00007FF70F300000-0x00007FF70F6F1000-memory.dmp	upx
behavioral2/memory/1588-421-0x00007FF7ABC30000-0x00007FF7AC021000-memory.dmp	upx
behavioral2/memory/3972-422-0x00007FF759F70000-0x00007FF75A361000-memory.dmp	upx
behavioral2/memory/660-420-0x00007FF7DD6A0000-0x00007FF7DDA91000-memory.dmp	upx
behavioral2/memory/2264-390-0x00007FF6F1E50000-0x00007FF6F2241000-memory.dmp	upx
behavioral2/memory/3968-363-0x00007FF62FEF0000-0x00007FF6302E1000-memory.dmp	upx
behavioral2/files/0x00070000000234e2-167.dat	upx
behavioral2/files/0x00070000000234e1-164.dat	upx
behavioral2/files/0x00070000000234e0-161.dat	upx
behavioral2/files/0x00070000000234df-157.dat	upx
behavioral2/files/0x00070000000234de-154.dat	upx
behavioral2/files/0x00070000000234dc-141.dat	upx
behavioral2/files/0x00070000000234db-139.dat	upx
behavioral2/files/0x00070000000234da-131.dat	upx
behavioral2/files/0x00070000000234d9-126.dat	upx
behavioral2/files/0x00070000000234d8-124.dat	upx
behavioral2/files/0x00070000000234d6-111.dat	upx
behavioral2/files/0x00070000000234d4-101.dat	upx
behavioral2/files/0x00070000000234d2-94.dat	upx
behavioral2/files/0x00070000000234d1-86.dat	upx
behavioral2/files/0x00070000000234d0-84.dat	upx
behavioral2/memory/4768-69-0x00007FF7AD7D0000-0x00007FF7ADBC1000-memory.dmp	upx
behavioral2/memory/4320-64-0x00007FF734880000-0x00007FF734C71000-memory.dmp	upx
behavioral2/files/0x00070000000234cd-61.dat	upx
behavioral2/files/0x00070000000234ca-55.dat	upx
behavioral2/files/0x00070000000234c8-46.dat	upx
behavioral2/memory/4820-39-0x00007FF793250000-0x00007FF793641000-memory.dmp	upx
behavioral2/memory/2332-26-0x00007FF675C80000-0x00007FF676071000-memory.dmp	upx
behavioral2/files/0x00080000000234c0-20.dat	upx
behavioral2/memory/2332-1382-0x00007FF675C80000-0x00007FF676071000-memory.dmp	upx
behavioral2/memory/4320-1395-0x00007FF734880000-0x00007FF734C71000-memory.dmp	upx
behavioral2/memory/3416-1377-0x00007FF7536E0000-0x00007FF753AD1000-memory.dmp	upx
behavioral2/memory/4584-1373-0x00007FF662BD0000-0x00007FF662FC1000-memory.dmp	upx
behavioral2/memory/4584-2097-0x00007FF662BD0000-0x00007FF662FC1000-memory.dmp	upx
behavioral2/memory/3416-2123-0x00007FF7536E0000-0x00007FF753AD1000-memory.dmp	upx

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\XuhxcCd.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\VlqyAjg.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\ijYlKwB.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\XvhsKdQ.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\woCruoK.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\mcthaQG.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\kNmZqBN.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\MaQztrl.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\rUbaXEs.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\NEnViGB.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\VjJcMWt.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\uGBwsyv.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\uwtJyzj.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\kRZkcFZ.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\ZshDhdk.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\fMqtoAd.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\MGhjCAF.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\KOROzwA.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\MmxoNvL.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\GPGnUNm.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\KbTnMGz.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\aUEkmlj.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\qRtWTvL.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\dHMfiZe.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\KgPqCXF.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\sZXmXgC.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\MgRYsvh.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\WGIfNmN.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\olTLIDE.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\afeGebJ.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\pQBuXhm.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\pZLPLgu.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\PpaAwLT.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\LUuNJEe.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\HofqBMh.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\dwKbwbz.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\AZclGYl.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\HeUAdkq.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\DHynLvi.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\xOUbiBV.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\EoKhrhi.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\UqBQNdr.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\bxYXQwJ.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\faGQciQ.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\DljGBJR.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\sCtkJUY.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\vtKjYuw.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\nNrDbdt.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\GVoMlXJ.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\pFiDNul.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\AsgZudX.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\upurhkK.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\oVOxSjM.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\VWtxAqP.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\TvmXpCj.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\Vqapiov.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\qEVCxqV.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\DonPyXd.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\tJaybrC.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\dwRdoOe.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\teogfcX.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\WxBcQsM.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\nervUQG.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
File created	C:\Windows\System32\cJxKodP.exe	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{C8DB1F64-5033-4BE9-90C5-37230E4BF92E}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{8542DAE3-6BF5-4D22-99FC-723A06C00E53}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	13664	explorer.exe
Token: SeCreatePagefilePrivilege	13664	explorer.exe
Token: SeShutdownPrivilege	13664	explorer.exe
Token: SeCreatePagefilePrivilege	13664	explorer.exe
Token: SeShutdownPrivilege	13664	explorer.exe
Token: SeCreatePagefilePrivilege	13664	explorer.exe
Token: SeShutdownPrivilege	13664	explorer.exe
Token: SeCreatePagefilePrivilege	13664	explorer.exe
Token: SeShutdownPrivilege	13664	explorer.exe
Token: SeCreatePagefilePrivilege	13664	explorer.exe
Token: SeShutdownPrivilege	13664	explorer.exe
Token: SeCreatePagefilePrivilege	13664	explorer.exe
Token: SeShutdownPrivilege	13664	explorer.exe
Token: SeCreatePagefilePrivilege	13664	explorer.exe
Token: SeShutdownPrivilege	3732	explorer.exe
Token: SeCreatePagefilePrivilege	3732	explorer.exe
Token: SeShutdownPrivilege	3732	explorer.exe
Token: SeCreatePagefilePrivilege	3732	explorer.exe
Token: SeShutdownPrivilege	3732	explorer.exe
Token: SeCreatePagefilePrivilege	3732	explorer.exe
Token: SeShutdownPrivilege	3732	explorer.exe
Token: SeCreatePagefilePrivilege	3732	explorer.exe
Token: SeShutdownPrivilege	3732	explorer.exe
Token: SeCreatePagefilePrivilege	3732	explorer.exe
Token: SeShutdownPrivilege	3732	explorer.exe
Token: SeCreatePagefilePrivilege	3732	explorer.exe
Token: SeShutdownPrivilege	3732	explorer.exe
Token: SeCreatePagefilePrivilege	3732	explorer.exe
Token: SeShutdownPrivilege	3732	explorer.exe
Token: SeCreatePagefilePrivilege	3732	explorer.exe
Token: SeShutdownPrivilege	3732	explorer.exe
Token: SeCreatePagefilePrivilege	3732	explorer.exe
Token: SeShutdownPrivilege	3732	explorer.exe
Token: SeCreatePagefilePrivilege	3732	explorer.exe
Token: SeShutdownPrivilege	3732	explorer.exe
Token: SeCreatePagefilePrivilege	3732	explorer.exe
Token: SeShutdownPrivilege	3732	explorer.exe
Token: SeCreatePagefilePrivilege	3732	explorer.exe
Token: SeShutdownPrivilege	3732	explorer.exe
Token: SeCreatePagefilePrivilege	3732	explorer.exe
Token: SeShutdownPrivilege	3732	explorer.exe
Token: SeCreatePagefilePrivilege	3732	explorer.exe
Token: SeShutdownPrivilege	3732	explorer.exe
Token: SeCreatePagefilePrivilege	3732	explorer.exe
Token: SeShutdownPrivilege	3732	explorer.exe
Token: SeCreatePagefilePrivilege	3732	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
14152	sihost.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
13664	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
8220	explorer.exe
8220	explorer.exe
8220	explorer.exe
8220	explorer.exe
8220	explorer.exe
8220	explorer.exe
8220	explorer.exe
8220	explorer.exe
8220	explorer.exe
8220	explorer.exe
8220	explorer.exe
8220	explorer.exe
8220	explorer.exe
8220	explorer.exe
8220	explorer.exe
8220	explorer.exe
8220	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
220	StartMenuExperienceHost.exe
13812	StartMenuExperienceHost.exe
1568	SearchApp.exe
3960	StartMenuExperienceHost.exe
5128	StartMenuExperienceHost.exe
5744	SearchApp.exe
7968	StartMenuExperienceHost.exe
10200	SearchApp.exe
9328	StartMenuExperienceHost.exe
7484	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 3416	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	85
PID 4584 wrote to memory of 3416	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	85
PID 4584 wrote to memory of 2272	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	86
PID 4584 wrote to memory of 2272	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	86
PID 4584 wrote to memory of 2332	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	87
PID 4584 wrote to memory of 2332	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	87
PID 4584 wrote to memory of 4820	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	88
PID 4584 wrote to memory of 4820	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	88
PID 4584 wrote to memory of 756	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	89
PID 4584 wrote to memory of 756	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	89
PID 4584 wrote to memory of 3728	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	90
PID 4584 wrote to memory of 3728	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	90
PID 4584 wrote to memory of 4320	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	91
PID 4584 wrote to memory of 4320	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	91
PID 4584 wrote to memory of 4768	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	92
PID 4584 wrote to memory of 4768	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	92
PID 4584 wrote to memory of 1520	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	93
PID 4584 wrote to memory of 1520	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	93
PID 4584 wrote to memory of 2892	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	94
PID 4584 wrote to memory of 2892	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	94
PID 4584 wrote to memory of 660	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	95
PID 4584 wrote to memory of 660	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	95
PID 4584 wrote to memory of 1624	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	96
PID 4584 wrote to memory of 1624	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	96
PID 4584 wrote to memory of 1588	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	97
PID 4584 wrote to memory of 1588	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	97
PID 4584 wrote to memory of 3972	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	98
PID 4584 wrote to memory of 3972	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	98
PID 4584 wrote to memory of 2044	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	99
PID 4584 wrote to memory of 2044	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	99
PID 4584 wrote to memory of 1692	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	100
PID 4584 wrote to memory of 1692	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	100
PID 4584 wrote to memory of 3968	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	101
PID 4584 wrote to memory of 3968	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	101
PID 4584 wrote to memory of 1648	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	102
PID 4584 wrote to memory of 1648	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	102
PID 4584 wrote to memory of 4952	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	103
PID 4584 wrote to memory of 4952	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	103
PID 4584 wrote to memory of 3228	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	104
PID 4584 wrote to memory of 3228	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	104
PID 4584 wrote to memory of 4888	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	105
PID 4584 wrote to memory of 4888	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	105
PID 4584 wrote to memory of 2264	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	106
PID 4584 wrote to memory of 2264	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	106
PID 4584 wrote to memory of 4788	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	107
PID 4584 wrote to memory of 4788	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	107
PID 4584 wrote to memory of 752	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	108
PID 4584 wrote to memory of 752	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	108
PID 4584 wrote to memory of 4984	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	109
PID 4584 wrote to memory of 4984	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	109
PID 4584 wrote to memory of 3696	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	110
PID 4584 wrote to memory of 3696	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	110
PID 4584 wrote to memory of 3496	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	111
PID 4584 wrote to memory of 3496	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	111
PID 4584 wrote to memory of 3012	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	112
PID 4584 wrote to memory of 3012	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	112
PID 4584 wrote to memory of 696	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	113
PID 4584 wrote to memory of 696	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	113
PID 4584 wrote to memory of 368	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	114
PID 4584 wrote to memory of 368	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	114
PID 4584 wrote to memory of 448	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	115
PID 4584 wrote to memory of 448	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	115
PID 4584 wrote to memory of 2132	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	116
PID 4584 wrote to memory of 2132	4584	bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bda849849773f02c7ce38b9eab87ab0d_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\System32\woVYRGG.exe
  C:\Windows\System32\woVYRGG.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System32\Scwwjrp.exe
  C:\Windows\System32\Scwwjrp.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System32\BbokqBK.exe
  C:\Windows\System32\BbokqBK.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System32\jmFihur.exe
  C:\Windows\System32\jmFihur.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System32\qmpiEYB.exe
  C:\Windows\System32\qmpiEYB.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System32\pUXsFNW.exe
  C:\Windows\System32\pUXsFNW.exe
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Windows\System32\vtKjYuw.exe
  C:\Windows\System32\vtKjYuw.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System32\wGZCKAE.exe
  C:\Windows\System32\wGZCKAE.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System32\RLzdUup.exe
  C:\Windows\System32\RLzdUup.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System32\IHwbrUt.exe
  C:\Windows\System32\IHwbrUt.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System32\nZbyzzm.exe
  C:\Windows\System32\nZbyzzm.exe
  2⤵
  - Executes dropped EXE
  PID:660
- C:\Windows\System32\huVROqY.exe
  C:\Windows\System32\huVROqY.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System32\rrOmXwG.exe
  C:\Windows\System32\rrOmXwG.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System32\UCtOaUe.exe
  C:\Windows\System32\UCtOaUe.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System32\lolejzR.exe
  C:\Windows\System32\lolejzR.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System32\OGiSxkQ.exe
  C:\Windows\System32\OGiSxkQ.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System32\qhOinVo.exe
  C:\Windows\System32\qhOinVo.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System32\XAwRpeY.exe
  C:\Windows\System32\XAwRpeY.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System32\jpJfSJY.exe
  C:\Windows\System32\jpJfSJY.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System32\sUAwNKO.exe
  C:\Windows\System32\sUAwNKO.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System32\mrNpRFN.exe
  C:\Windows\System32\mrNpRFN.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System32\sBUSarq.exe
  C:\Windows\System32\sBUSarq.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System32\UFDELvx.exe
  C:\Windows\System32\UFDELvx.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\DAhNLXr.exe
  C:\Windows\System32\DAhNLXr.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\System32\TgOKaVQ.exe
  C:\Windows\System32\TgOKaVQ.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System32\gWRZsvV.exe
  C:\Windows\System32\gWRZsvV.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System32\vJOurzo.exe
  C:\Windows\System32\vJOurzo.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System32\XxgoNwc.exe
  C:\Windows\System32\XxgoNwc.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System32\AOeZKBw.exe
  C:\Windows\System32\AOeZKBw.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System32\BOzHlmT.exe
  C:\Windows\System32\BOzHlmT.exe
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\System32\WgSFdgd.exe
  C:\Windows\System32\WgSFdgd.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System32\TnnNJnw.exe
  C:\Windows\System32\TnnNJnw.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System32\SexTbsN.exe
  C:\Windows\System32\SexTbsN.exe
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Windows\System32\pIfSqYI.exe
  C:\Windows\System32\pIfSqYI.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System32\xPEJAyr.exe
  C:\Windows\System32\xPEJAyr.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System32\hWwHuJn.exe
  C:\Windows\System32\hWwHuJn.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System32\wwiahlc.exe
  C:\Windows\System32\wwiahlc.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System32\aqtCBbc.exe
  C:\Windows\System32\aqtCBbc.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System32\lwymSLZ.exe
  C:\Windows\System32\lwymSLZ.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System32\mMWdSCN.exe
  C:\Windows\System32\mMWdSCN.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\DGISZSx.exe
  C:\Windows\System32\DGISZSx.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\dlgXUni.exe
  C:\Windows\System32\dlgXUni.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System32\dcOMSfe.exe
  C:\Windows\System32\dcOMSfe.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System32\qHLduEy.exe
  C:\Windows\System32\qHLduEy.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System32\jnKNSWN.exe
  C:\Windows\System32\jnKNSWN.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System32\upurhkK.exe
  C:\Windows\System32\upurhkK.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System32\Vptvxco.exe
  C:\Windows\System32\Vptvxco.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System32\rRjavxy.exe
  C:\Windows\System32\rRjavxy.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System32\ZJgSurD.exe
  C:\Windows\System32\ZJgSurD.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System32\ftkalkJ.exe
  C:\Windows\System32\ftkalkJ.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System32\OweviEl.exe
  C:\Windows\System32\OweviEl.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System32\juWTtvT.exe
  C:\Windows\System32\juWTtvT.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System32\PegrsuE.exe
  C:\Windows\System32\PegrsuE.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System32\RywpblU.exe
  C:\Windows\System32\RywpblU.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System32\mCMZcEc.exe
  C:\Windows\System32\mCMZcEc.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System32\dwiWXBT.exe
  C:\Windows\System32\dwiWXBT.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System32\aUCHPEx.exe
  C:\Windows\System32\aUCHPEx.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System32\DMGOiVB.exe
  C:\Windows\System32\DMGOiVB.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System32\eVdQAPT.exe
  C:\Windows\System32\eVdQAPT.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System32\VbBHOOw.exe
  C:\Windows\System32\VbBHOOw.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System32\tzubaFq.exe
  C:\Windows\System32\tzubaFq.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System32\KTtFnIG.exe
  C:\Windows\System32\KTtFnIG.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System32\rAELPuk.exe
  C:\Windows\System32\rAELPuk.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System32\GaGfqcF.exe
  C:\Windows\System32\GaGfqcF.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System32\KWGQsQq.exe
  C:\Windows\System32\KWGQsQq.exe
  2⤵
  PID:3928
- C:\Windows\System32\rbxpEjy.exe
  C:\Windows\System32\rbxpEjy.exe
  2⤵
  PID:1808
- C:\Windows\System32\lXafxeG.exe
  C:\Windows\System32\lXafxeG.exe
  2⤵
  PID:5060
- C:\Windows\System32\MSRUzzN.exe
  C:\Windows\System32\MSRUzzN.exe
  2⤵
  PID:3004
- C:\Windows\System32\olTLIDE.exe
  C:\Windows\System32\olTLIDE.exe
  2⤵
  PID:4084
- C:\Windows\System32\KOROzwA.exe
  C:\Windows\System32\KOROzwA.exe
  2⤵
  PID:4336
- C:\Windows\System32\dHMfiZe.exe
  C:\Windows\System32\dHMfiZe.exe
  2⤵
  PID:1612
- C:\Windows\System32\YoIjLbW.exe
  C:\Windows\System32\YoIjLbW.exe
  2⤵
  PID:1500
- C:\Windows\System32\cPdQNWP.exe
  C:\Windows\System32\cPdQNWP.exe
  2⤵
  PID:2400
- C:\Windows\System32\ScnKVFW.exe
  C:\Windows\System32\ScnKVFW.exe
  2⤵
  PID:3984
- C:\Windows\System32\dSVSkAs.exe
  C:\Windows\System32\dSVSkAs.exe
  2⤵
  PID:4996
- C:\Windows\System32\FEODvBW.exe
  C:\Windows\System32\FEODvBW.exe
  2⤵
  PID:4852
- C:\Windows\System32\OSYSkze.exe
  C:\Windows\System32\OSYSkze.exe
  2⤵
  PID:1836
- C:\Windows\System32\MmSrYMd.exe
  C:\Windows\System32\MmSrYMd.exe
  2⤵
  PID:2732
- C:\Windows\System32\uGBwsyv.exe
  C:\Windows\System32\uGBwsyv.exe
  2⤵
  PID:4912
- C:\Windows\System32\LsDJCly.exe
  C:\Windows\System32\LsDJCly.exe
  2⤵
  PID:1280
- C:\Windows\System32\wEyKuff.exe
  C:\Windows\System32\wEyKuff.exe
  2⤵
  PID:876
- C:\Windows\System32\IDYlOVM.exe
  C:\Windows\System32\IDYlOVM.exe
  2⤵
  PID:3640
- C:\Windows\System32\NwsHXLS.exe
  C:\Windows\System32\NwsHXLS.exe
  2⤵
  PID:5140
- C:\Windows\System32\HHAglVZ.exe
  C:\Windows\System32\HHAglVZ.exe
  2⤵
  PID:5172
- C:\Windows\System32\PpaAwLT.exe
  C:\Windows\System32\PpaAwLT.exe
  2⤵
  PID:5200
- C:\Windows\System32\zBwVxtv.exe
  C:\Windows\System32\zBwVxtv.exe
  2⤵
  PID:5236
- C:\Windows\System32\HxwGWjj.exe
  C:\Windows\System32\HxwGWjj.exe
  2⤵
  PID:5264
- C:\Windows\System32\jnqQzZR.exe
  C:\Windows\System32\jnqQzZR.exe
  2⤵
  PID:5292
- C:\Windows\System32\zDDmzyD.exe
  C:\Windows\System32\zDDmzyD.exe
  2⤵
  PID:5320
- C:\Windows\System32\fUgTLMr.exe
  C:\Windows\System32\fUgTLMr.exe
  2⤵
  PID:5348
- C:\Windows\System32\igfEVsD.exe
  C:\Windows\System32\igfEVsD.exe
  2⤵
  PID:5364
- C:\Windows\System32\zyYnGsT.exe
  C:\Windows\System32\zyYnGsT.exe
  2⤵
  PID:5428
- C:\Windows\System32\reLgMUQ.exe
  C:\Windows\System32\reLgMUQ.exe
  2⤵
  PID:5448
- C:\Windows\System32\NpshYHi.exe
  C:\Windows\System32\NpshYHi.exe
  2⤵
  PID:5472
- C:\Windows\System32\yZovdfu.exe
  C:\Windows\System32\yZovdfu.exe
  2⤵
  PID:5492
- C:\Windows\System32\qEVCxqV.exe
  C:\Windows\System32\qEVCxqV.exe
  2⤵
  PID:5520
- C:\Windows\System32\JyNsEoJ.exe
  C:\Windows\System32\JyNsEoJ.exe
  2⤵
  PID:5556
- C:\Windows\System32\QtUiGQC.exe
  C:\Windows\System32\QtUiGQC.exe
  2⤵
  PID:5604
- C:\Windows\System32\zCSehDh.exe
  C:\Windows\System32\zCSehDh.exe
  2⤵
  PID:5632
- C:\Windows\System32\nHzwaku.exe
  C:\Windows\System32\nHzwaku.exe
  2⤵
  PID:5660
- C:\Windows\System32\mIWgaGf.exe
  C:\Windows\System32\mIWgaGf.exe
  2⤵
  PID:5680
- C:\Windows\System32\zPyidIW.exe
  C:\Windows\System32\zPyidIW.exe
  2⤵
  PID:5696
- C:\Windows\System32\WylmoWt.exe
  C:\Windows\System32\WylmoWt.exe
  2⤵
  PID:5732
- C:\Windows\System32\kZdcdok.exe
  C:\Windows\System32\kZdcdok.exe
  2⤵
  PID:5776
- C:\Windows\System32\liHGFjd.exe
  C:\Windows\System32\liHGFjd.exe
  2⤵
  PID:5824
- C:\Windows\System32\LPxrPGK.exe
  C:\Windows\System32\LPxrPGK.exe
  2⤵
  PID:5840
- C:\Windows\System32\faGQciQ.exe
  C:\Windows\System32\faGQciQ.exe
  2⤵
  PID:5876
- C:\Windows\System32\tIpvuTP.exe
  C:\Windows\System32\tIpvuTP.exe
  2⤵
  PID:5900
- C:\Windows\System32\kUAsmhv.exe
  C:\Windows\System32\kUAsmhv.exe
  2⤵
  PID:5916
- C:\Windows\System32\tVgsIIf.exe
  C:\Windows\System32\tVgsIIf.exe
  2⤵
  PID:5948
- C:\Windows\System32\TpUHnpP.exe
  C:\Windows\System32\TpUHnpP.exe
  2⤵
  PID:5988
- C:\Windows\System32\rMlWloD.exe
  C:\Windows\System32\rMlWloD.exe
  2⤵
  PID:6036
- C:\Windows\System32\TmEDDIP.exe
  C:\Windows\System32\TmEDDIP.exe
  2⤵
  PID:6088
- C:\Windows\System32\yaMBVPr.exe
  C:\Windows\System32\yaMBVPr.exe
  2⤵
  PID:6104
- C:\Windows\System32\BhWehhA.exe
  C:\Windows\System32\BhWehhA.exe
  2⤵
  PID:1504
- C:\Windows\System32\LrVencj.exe
  C:\Windows\System32\LrVencj.exe
  2⤵
  PID:1336
- C:\Windows\System32\EwrSxZF.exe
  C:\Windows\System32\EwrSxZF.exe
  2⤵
  PID:1940
- C:\Windows\System32\igwpcPd.exe
  C:\Windows\System32\igwpcPd.exe
  2⤵
  PID:116
- C:\Windows\System32\fqbujZc.exe
  C:\Windows\System32\fqbujZc.exe
  2⤵
  PID:1664
- C:\Windows\System32\zJYwzmO.exe
  C:\Windows\System32\zJYwzmO.exe
  2⤵
  PID:5184
- C:\Windows\System32\wrVEIWe.exe
  C:\Windows\System32\wrVEIWe.exe
  2⤵
  PID:5208
- C:\Windows\System32\qPvVKAq.exe
  C:\Windows\System32\qPvVKAq.exe
  2⤵
  PID:5284
- C:\Windows\System32\SEhcrRS.exe
  C:\Windows\System32\SEhcrRS.exe
  2⤵
  PID:5332
- C:\Windows\System32\cvuWrKJ.exe
  C:\Windows\System32\cvuWrKJ.exe
  2⤵
  PID:5360
- C:\Windows\System32\yZPdniX.exe
  C:\Windows\System32\yZPdniX.exe
  2⤵
  PID:5412
- C:\Windows\System32\tGLHHtf.exe
  C:\Windows\System32\tGLHHtf.exe
  2⤵
  PID:5424
- C:\Windows\System32\jmFnCrm.exe
  C:\Windows\System32\jmFnCrm.exe
  2⤵
  PID:988
- C:\Windows\System32\FIWJzcF.exe
  C:\Windows\System32\FIWJzcF.exe
  2⤵
  PID:5480
- C:\Windows\System32\aeKIvkP.exe
  C:\Windows\System32\aeKIvkP.exe
  2⤵
  PID:4316
- C:\Windows\System32\cXapHSx.exe
  C:\Windows\System32\cXapHSx.exe
  2⤵
  PID:2952
- C:\Windows\System32\hklsBVB.exe
  C:\Windows\System32\hklsBVB.exe
  2⤵
  PID:3428
- C:\Windows\System32\TUObdpI.exe
  C:\Windows\System32\TUObdpI.exe
  2⤵
  PID:4460
- C:\Windows\System32\VFjyOGG.exe
  C:\Windows\System32\VFjyOGG.exe
  2⤵
  PID:1012
- C:\Windows\System32\LkdNyYi.exe
  C:\Windows\System32\LkdNyYi.exe
  2⤵
  PID:5792
- C:\Windows\System32\Boorvpl.exe
  C:\Windows\System32\Boorvpl.exe
  2⤵
  PID:5836
- C:\Windows\System32\MTTxpAT.exe
  C:\Windows\System32\MTTxpAT.exe
  2⤵
  PID:5940
- C:\Windows\System32\QWVEIQa.exe
  C:\Windows\System32\QWVEIQa.exe
  2⤵
  PID:5984
- C:\Windows\System32\Yamexmp.exe
  C:\Windows\System32\Yamexmp.exe
  2⤵
  PID:1616
- C:\Windows\System32\nNrDbdt.exe
  C:\Windows\System32\nNrDbdt.exe
  2⤵
  PID:1848
- C:\Windows\System32\CBRRfYp.exe
  C:\Windows\System32\CBRRfYp.exe
  2⤵
  PID:1516
- C:\Windows\System32\RKKskBJ.exe
  C:\Windows\System32\RKKskBJ.exe
  2⤵
  PID:5124
- C:\Windows\System32\ZydInlw.exe
  C:\Windows\System32\ZydInlw.exe
  2⤵
  PID:5148
- C:\Windows\System32\ULfGECu.exe
  C:\Windows\System32\ULfGECu.exe
  2⤵
  PID:4376
- C:\Windows\System32\LHTiEBz.exe
  C:\Windows\System32\LHTiEBz.exe
  2⤵
  PID:5300
- C:\Windows\System32\TXpGhnP.exe
  C:\Windows\System32\TXpGhnP.exe
  2⤵
  PID:1756
- C:\Windows\System32\lLxgVIq.exe
  C:\Windows\System32\lLxgVIq.exe
  2⤵
  PID:1776
- C:\Windows\System32\bHUQpbG.exe
  C:\Windows\System32\bHUQpbG.exe
  2⤵
  PID:1388
- C:\Windows\System32\bKaRhVe.exe
  C:\Windows\System32\bKaRhVe.exe
  2⤵
  PID:1064
- C:\Windows\System32\osXcNbj.exe
  C:\Windows\System32\osXcNbj.exe
  2⤵
  PID:5848
- C:\Windows\System32\ZtbzwCY.exe
  C:\Windows\System32\ZtbzwCY.exe
  2⤵
  PID:5908
- C:\Windows\System32\bxYXQwJ.exe
  C:\Windows\System32\bxYXQwJ.exe
  2⤵
  PID:6100
- C:\Windows\System32\DGkRCJF.exe
  C:\Windows\System32\DGkRCJF.exe
  2⤵
  PID:1760
- C:\Windows\System32\nervUQG.exe
  C:\Windows\System32\nervUQG.exe
  2⤵
  PID:5000
- C:\Windows\System32\WsAvsVr.exe
  C:\Windows\System32\WsAvsVr.exe
  2⤵
  PID:5372
- C:\Windows\System32\RAKRxxo.exe
  C:\Windows\System32\RAKRxxo.exe
  2⤵
  PID:5584
- C:\Windows\System32\YRzqDJm.exe
  C:\Windows\System32\YRzqDJm.exe
  2⤵
  PID:6148
- C:\Windows\System32\yCERYdO.exe
  C:\Windows\System32\yCERYdO.exe
  2⤵
  PID:6172
- C:\Windows\System32\jDzLjBe.exe
  C:\Windows\System32\jDzLjBe.exe
  2⤵
  PID:6192
- C:\Windows\System32\cElOFnU.exe
  C:\Windows\System32\cElOFnU.exe
  2⤵
  PID:6208
- C:\Windows\System32\Bywgjoc.exe
  C:\Windows\System32\Bywgjoc.exe
  2⤵
  PID:6232
- C:\Windows\System32\qklOhmO.exe
  C:\Windows\System32\qklOhmO.exe
  2⤵
  PID:6284
- C:\Windows\System32\PweNHrS.exe
  C:\Windows\System32\PweNHrS.exe
  2⤵
  PID:6300
- C:\Windows\System32\teRmsiF.exe
  C:\Windows\System32\teRmsiF.exe
  2⤵
  PID:6332
- C:\Windows\System32\qLPQetZ.exe
  C:\Windows\System32\qLPQetZ.exe
  2⤵
  PID:6348
- C:\Windows\System32\rAAwgTw.exe
  C:\Windows\System32\rAAwgTw.exe
  2⤵
  PID:6368
- C:\Windows\System32\GKCyGvs.exe
  C:\Windows\System32\GKCyGvs.exe
  2⤵
  PID:6392
- C:\Windows\System32\lmLCZPW.exe
  C:\Windows\System32\lmLCZPW.exe
  2⤵
  PID:6412
- C:\Windows\System32\CfYCKta.exe
  C:\Windows\System32\CfYCKta.exe
  2⤵
  PID:6432
- C:\Windows\System32\cJxKodP.exe
  C:\Windows\System32\cJxKodP.exe
  2⤵
  PID:6500
- C:\Windows\System32\lxvYfsV.exe
  C:\Windows\System32\lxvYfsV.exe
  2⤵
  PID:6540
- C:\Windows\System32\NKCqIcU.exe
  C:\Windows\System32\NKCqIcU.exe
  2⤵
  PID:6584
- C:\Windows\System32\oVOxSjM.exe
  C:\Windows\System32\oVOxSjM.exe
  2⤵
  PID:6600
- C:\Windows\System32\tTWygjj.exe
  C:\Windows\System32\tTWygjj.exe
  2⤵
  PID:6616
- C:\Windows\System32\RkBJeht.exe
  C:\Windows\System32\RkBJeht.exe
  2⤵
  PID:6672
- C:\Windows\System32\eYGXhcq.exe
  C:\Windows\System32\eYGXhcq.exe
  2⤵
  PID:6688
- C:\Windows\System32\nvdQMqn.exe
  C:\Windows\System32\nvdQMqn.exe
  2⤵
  PID:6704
- C:\Windows\System32\wquVMaT.exe
  C:\Windows\System32\wquVMaT.exe
  2⤵
  PID:6728
- C:\Windows\System32\RtViTAb.exe
  C:\Windows\System32\RtViTAb.exe
  2⤵
  PID:6748
- C:\Windows\System32\RLiajNy.exe
  C:\Windows\System32\RLiajNy.exe
  2⤵
  PID:6780
- C:\Windows\System32\sHHtojU.exe
  C:\Windows\System32\sHHtojU.exe
  2⤵
  PID:6840
- C:\Windows\System32\UgGkjYp.exe
  C:\Windows\System32\UgGkjYp.exe
  2⤵
  PID:6856
- C:\Windows\System32\khaSsFb.exe
  C:\Windows\System32\khaSsFb.exe
  2⤵
  PID:6900
- C:\Windows\System32\GVoMlXJ.exe
  C:\Windows\System32\GVoMlXJ.exe
  2⤵
  PID:6916
- C:\Windows\System32\ZHSgQCM.exe
  C:\Windows\System32\ZHSgQCM.exe
  2⤵
  PID:6960
- C:\Windows\System32\EgWIlpf.exe
  C:\Windows\System32\EgWIlpf.exe
  2⤵
  PID:6984
- C:\Windows\System32\UHOuAKq.exe
  C:\Windows\System32\UHOuAKq.exe
  2⤵
  PID:7016
- C:\Windows\System32\IJStgLj.exe
  C:\Windows\System32\IJStgLj.exe
  2⤵
  PID:7044
- C:\Windows\System32\EiGtgAi.exe
  C:\Windows\System32\EiGtgAi.exe
  2⤵
  PID:7072
- C:\Windows\System32\uwtJyzj.exe
  C:\Windows\System32\uwtJyzj.exe
  2⤵
  PID:7092
- C:\Windows\System32\uoIFWgK.exe
  C:\Windows\System32\uoIFWgK.exe
  2⤵
  PID:7112
- C:\Windows\System32\OvBzAGc.exe
  C:\Windows\System32\OvBzAGc.exe
  2⤵
  PID:7148
- C:\Windows\System32\cPYYeQI.exe
  C:\Windows\System32\cPYYeQI.exe
  2⤵
  PID:7164
- C:\Windows\System32\MmZAyog.exe
  C:\Windows\System32\MmZAyog.exe
  2⤵
  PID:1112
- C:\Windows\System32\VQILbxK.exe
  C:\Windows\System32\VQILbxK.exe
  2⤵
  PID:6156
- C:\Windows\System32\QmsaPob.exe
  C:\Windows\System32\QmsaPob.exe
  2⤵
  PID:6216
- C:\Windows\System32\USCpKAs.exe
  C:\Windows\System32\USCpKAs.exe
  2⤵
  PID:6292
- C:\Windows\System32\bmyjxQv.exe
  C:\Windows\System32\bmyjxQv.exe
  2⤵
  PID:5416
- C:\Windows\System32\jFsnshR.exe
  C:\Windows\System32\jFsnshR.exe
  2⤵
  PID:6376
- C:\Windows\System32\acaAFiE.exe
  C:\Windows\System32\acaAFiE.exe
  2⤵
  PID:6444
- C:\Windows\System32\cAKqYZS.exe
  C:\Windows\System32\cAKqYZS.exe
  2⤵
  PID:6492
- C:\Windows\System32\GpgPEqe.exe
  C:\Windows\System32\GpgPEqe.exe
  2⤵
  PID:6592
- C:\Windows\System32\WpndSec.exe
  C:\Windows\System32\WpndSec.exe
  2⤵
  PID:6624
- C:\Windows\System32\RpGqHVZ.exe
  C:\Windows\System32\RpGqHVZ.exe
  2⤵
  PID:6712
- C:\Windows\System32\skLXOtp.exe
  C:\Windows\System32\skLXOtp.exe
  2⤵
  PID:6736
- C:\Windows\System32\fzRxtnX.exe
  C:\Windows\System32\fzRxtnX.exe
  2⤵
  PID:6884
- C:\Windows\System32\EgHSBSo.exe
  C:\Windows\System32\EgHSBSo.exe
  2⤵
  PID:6852
- C:\Windows\System32\YQUwYTW.exe
  C:\Windows\System32\YQUwYTW.exe
  2⤵
  PID:1720
- C:\Windows\System32\vndNghD.exe
  C:\Windows\System32\vndNghD.exe
  2⤵
  PID:5588
- C:\Windows\System32\UYeGwnn.exe
  C:\Windows\System32\UYeGwnn.exe
  2⤵
  PID:7032
- C:\Windows\System32\iJSgKFQ.exe
  C:\Windows\System32\iJSgKFQ.exe
  2⤵
  PID:7100
- C:\Windows\System32\kIwfeTi.exe
  C:\Windows\System32\kIwfeTi.exe
  2⤵
  PID:7156
- C:\Windows\System32\hLbWcTz.exe
  C:\Windows\System32\hLbWcTz.exe
  2⤵
  PID:6052
- C:\Windows\System32\AoFSQLK.exe
  C:\Windows\System32\AoFSQLK.exe
  2⤵
  PID:6380
- C:\Windows\System32\QYhdKrm.exe
  C:\Windows\System32\QYhdKrm.exe
  2⤵
  PID:6420
- C:\Windows\System32\RTmAiOJ.exe
  C:\Windows\System32\RTmAiOJ.exe
  2⤵
  PID:6612
- C:\Windows\System32\WLfUCFE.exe
  C:\Windows\System32\WLfUCFE.exe
  2⤵
  PID:6696
- C:\Windows\System32\yrKUoUe.exe
  C:\Windows\System32\yrKUoUe.exe
  2⤵
  PID:6848
- C:\Windows\System32\EAEKHce.exe
  C:\Windows\System32\EAEKHce.exe
  2⤵
  PID:6056
- C:\Windows\System32\bNNUXsp.exe
  C:\Windows\System32\bNNUXsp.exe
  2⤵
  PID:7068
- C:\Windows\System32\LoAZQjN.exe
  C:\Windows\System32\LoAZQjN.exe
  2⤵
  PID:7000
- C:\Windows\System32\ooaYhhQ.exe
  C:\Windows\System32\ooaYhhQ.exe
  2⤵
  PID:5740
- C:\Windows\System32\mcthaQG.exe
  C:\Windows\System32\mcthaQG.exe
  2⤵
  PID:6268
- C:\Windows\System32\HeUAdkq.exe
  C:\Windows\System32\HeUAdkq.exe
  2⤵
  PID:6404
- C:\Windows\System32\UagxTxO.exe
  C:\Windows\System32\UagxTxO.exe
  2⤵
  PID:6720
- C:\Windows\System32\ohLwFFE.exe
  C:\Windows\System32\ohLwFFE.exe
  2⤵
  PID:6888
- C:\Windows\System32\OYEWiFp.exe
  C:\Windows\System32\OYEWiFp.exe
  2⤵
  PID:6024
- C:\Windows\System32\mPRINdg.exe
  C:\Windows\System32\mPRINdg.exe
  2⤵
  PID:7228
- C:\Windows\System32\cqvdBbB.exe
  C:\Windows\System32\cqvdBbB.exe
  2⤵
  PID:7244
- C:\Windows\System32\EhOCdyX.exe
  C:\Windows\System32\EhOCdyX.exe
  2⤵
  PID:7284
- C:\Windows\System32\moMbyGg.exe
  C:\Windows\System32\moMbyGg.exe
  2⤵
  PID:7308
- C:\Windows\System32\ZBbzWkr.exe
  C:\Windows\System32\ZBbzWkr.exe
  2⤵
  PID:7328
- C:\Windows\System32\TeotIhC.exe
  C:\Windows\System32\TeotIhC.exe
  2⤵
  PID:7352
- C:\Windows\System32\hHhlzDB.exe
  C:\Windows\System32\hHhlzDB.exe
  2⤵
  PID:7372
- C:\Windows\System32\iJNYNuq.exe
  C:\Windows\System32\iJNYNuq.exe
  2⤵
  PID:7392
- C:\Windows\System32\mKAbJiD.exe
  C:\Windows\System32\mKAbJiD.exe
  2⤵
  PID:7412
- C:\Windows\System32\mkNDtZe.exe
  C:\Windows\System32\mkNDtZe.exe
  2⤵
  PID:7436
- C:\Windows\System32\xjVZQNu.exe
  C:\Windows\System32\xjVZQNu.exe
  2⤵
  PID:7464
- C:\Windows\System32\DWkWLwj.exe
  C:\Windows\System32\DWkWLwj.exe
  2⤵
  PID:7484
- C:\Windows\System32\DHynLvi.exe
  C:\Windows\System32\DHynLvi.exe
  2⤵
  PID:7500
- C:\Windows\System32\fQMJtve.exe
  C:\Windows\System32\fQMJtve.exe
  2⤵
  PID:7520
- C:\Windows\System32\tFHjFyE.exe
  C:\Windows\System32\tFHjFyE.exe
  2⤵
  PID:7536
- C:\Windows\System32\kNmZqBN.exe
  C:\Windows\System32\kNmZqBN.exe
  2⤵
  PID:7560
- C:\Windows\System32\QazgWtC.exe
  C:\Windows\System32\QazgWtC.exe
  2⤵
  PID:7580
- C:\Windows\System32\mezvVgV.exe
  C:\Windows\System32\mezvVgV.exe
  2⤵
  PID:7696
- C:\Windows\System32\QkPMSJP.exe
  C:\Windows\System32\QkPMSJP.exe
  2⤵
  PID:7724
- C:\Windows\System32\oRfScBJ.exe
  C:\Windows\System32\oRfScBJ.exe
  2⤵
  PID:7764
- C:\Windows\System32\nHPxbqX.exe
  C:\Windows\System32\nHPxbqX.exe
  2⤵
  PID:7788
- C:\Windows\System32\ifKKvhM.exe
  C:\Windows\System32\ifKKvhM.exe
  2⤵
  PID:7804
- C:\Windows\System32\pRCZNBZ.exe
  C:\Windows\System32\pRCZNBZ.exe
  2⤵
  PID:7840
- C:\Windows\System32\iUkCEvI.exe
  C:\Windows\System32\iUkCEvI.exe
  2⤵
  PID:7868
- C:\Windows\System32\KWkBGYC.exe
  C:\Windows\System32\KWkBGYC.exe
  2⤵
  PID:7884
- C:\Windows\System32\GkRMkSY.exe
  C:\Windows\System32\GkRMkSY.exe
  2⤵
  PID:7908
- C:\Windows\System32\DonPyXd.exe
  C:\Windows\System32\DonPyXd.exe
  2⤵
  PID:7924
- C:\Windows\System32\kNbvkTI.exe
  C:\Windows\System32\kNbvkTI.exe
  2⤵
  PID:7944
- C:\Windows\System32\aDkHViX.exe
  C:\Windows\System32\aDkHViX.exe
  2⤵
  PID:7992
- C:\Windows\System32\afeGebJ.exe
  C:\Windows\System32\afeGebJ.exe
  2⤵
  PID:8008
- C:\Windows\System32\nZXYMNa.exe
  C:\Windows\System32\nZXYMNa.exe
  2⤵
  PID:8028
- C:\Windows\System32\Ourjdny.exe
  C:\Windows\System32\Ourjdny.exe
  2⤵
  PID:8052
- C:\Windows\System32\TWEHOHT.exe
  C:\Windows\System32\TWEHOHT.exe
  2⤵
  PID:8072
- C:\Windows\System32\GXRgfhY.exe
  C:\Windows\System32\GXRgfhY.exe
  2⤵
  PID:8088
- C:\Windows\System32\PEPOuVm.exe
  C:\Windows\System32\PEPOuVm.exe
  2⤵
  PID:8112
- C:\Windows\System32\IhiGWrQ.exe
  C:\Windows\System32\IhiGWrQ.exe
  2⤵
  PID:8148
- C:\Windows\System32\qbcMRpk.exe
  C:\Windows\System32\qbcMRpk.exe
  2⤵
  PID:8188
- C:\Windows\System32\PiOBxdo.exe
  C:\Windows\System32\PiOBxdo.exe
  2⤵
  PID:7208
- C:\Windows\System32\GjlTrRi.exe
  C:\Windows\System32\GjlTrRi.exe
  2⤵
  PID:7252
- C:\Windows\System32\DljGBJR.exe
  C:\Windows\System32\DljGBJR.exe
  2⤵
  PID:7324
- C:\Windows\System32\uqWQRrn.exe
  C:\Windows\System32\uqWQRrn.exe
  2⤵
  PID:7340
- C:\Windows\System32\IrbFqnF.exe
  C:\Windows\System32\IrbFqnF.exe
  2⤵
  PID:7388
- C:\Windows\System32\leIYnIP.exe
  C:\Windows\System32\leIYnIP.exe
  2⤵
  PID:7528
- C:\Windows\System32\xOUbiBV.exe
  C:\Windows\System32\xOUbiBV.exe
  2⤵
  PID:7732
- C:\Windows\System32\uoPnHhS.exe
  C:\Windows\System32\uoPnHhS.exe
  2⤵
  PID:7848
- C:\Windows\System32\KgPqCXF.exe
  C:\Windows\System32\KgPqCXF.exe
  2⤵
  PID:7892
- C:\Windows\System32\fhyyCBo.exe
  C:\Windows\System32\fhyyCBo.exe
  2⤵
  PID:7952
- C:\Windows\System32\WbLqMGX.exe
  C:\Windows\System32\WbLqMGX.exe
  2⤵
  PID:7964
- C:\Windows\System32\VWtxAqP.exe
  C:\Windows\System32\VWtxAqP.exe
  2⤵
  PID:8024
- C:\Windows\System32\hEruHBg.exe
  C:\Windows\System32\hEruHBg.exe
  2⤵
  PID:8080
- C:\Windows\System32\IpIzVmg.exe
  C:\Windows\System32\IpIzVmg.exe
  2⤵
  PID:7384
- C:\Windows\System32\kRZkcFZ.exe
  C:\Windows\System32\kRZkcFZ.exe
  2⤵
  PID:7496
- C:\Windows\System32\BtfOkyU.exe
  C:\Windows\System32\BtfOkyU.exe
  2⤵
  PID:7456
- C:\Windows\System32\tJaybrC.exe
  C:\Windows\System32\tJaybrC.exe
  2⤵
  PID:7676
- C:\Windows\System32\aTLoYxq.exe
  C:\Windows\System32\aTLoYxq.exe
  2⤵
  PID:7736
- C:\Windows\System32\qRtWTvL.exe
  C:\Windows\System32\qRtWTvL.exe
  2⤵
  PID:7836
- C:\Windows\System32\VslBWnn.exe
  C:\Windows\System32\VslBWnn.exe
  2⤵
  PID:8040
- C:\Windows\System32\oCJUQaO.exe
  C:\Windows\System32\oCJUQaO.exe
  2⤵
  PID:8104
- C:\Windows\System32\SuEVQZL.exe
  C:\Windows\System32\SuEVQZL.exe
  2⤵
  PID:6636
- C:\Windows\System32\nZdrVwL.exe
  C:\Windows\System32\nZdrVwL.exe
  2⤵
  PID:7572
- C:\Windows\System32\YgqGsLu.exe
  C:\Windows\System32\YgqGsLu.exe
  2⤵
  PID:8000
- C:\Windows\System32\DyYYIdv.exe
  C:\Windows\System32\DyYYIdv.exe
  2⤵
  PID:7424
- C:\Windows\System32\sCYuidG.exe
  C:\Windows\System32\sCYuidG.exe
  2⤵
  PID:8212
- C:\Windows\System32\MQPxrGL.exe
  C:\Windows\System32\MQPxrGL.exe
  2⤵
  PID:8228
- C:\Windows\System32\rhhMDCB.exe
  C:\Windows\System32\rhhMDCB.exe
  2⤵
  PID:8244
- C:\Windows\System32\fRVasSy.exe
  C:\Windows\System32\fRVasSy.exe
  2⤵
  PID:8272
- C:\Windows\System32\pQBuXhm.exe
  C:\Windows\System32\pQBuXhm.exe
  2⤵
  PID:8288
- C:\Windows\System32\MmxoNvL.exe
  C:\Windows\System32\MmxoNvL.exe
  2⤵
  PID:8316
- C:\Windows\System32\bMhwjvN.exe
  C:\Windows\System32\bMhwjvN.exe
  2⤵
  PID:8336
- C:\Windows\System32\QHhfEJa.exe
  C:\Windows\System32\QHhfEJa.exe
  2⤵
  PID:8352
- C:\Windows\System32\vcUJWzX.exe
  C:\Windows\System32\vcUJWzX.exe
  2⤵
  PID:8372
- C:\Windows\System32\XGBCFSG.exe
  C:\Windows\System32\XGBCFSG.exe
  2⤵
  PID:8388
- C:\Windows\System32\voKJrCV.exe
  C:\Windows\System32\voKJrCV.exe
  2⤵
  PID:8452
- C:\Windows\System32\NnyJQDh.exe
  C:\Windows\System32\NnyJQDh.exe
  2⤵
  PID:8496
- C:\Windows\System32\BslfGFL.exe
  C:\Windows\System32\BslfGFL.exe
  2⤵
  PID:8556
- C:\Windows\System32\yfuglLi.exe
  C:\Windows\System32\yfuglLi.exe
  2⤵
  PID:8592
- C:\Windows\System32\RUYjEMW.exe
  C:\Windows\System32\RUYjEMW.exe
  2⤵
  PID:8628
- C:\Windows\System32\KFdHXLP.exe
  C:\Windows\System32\KFdHXLP.exe
  2⤵
  PID:8668
- C:\Windows\System32\VAahVOp.exe
  C:\Windows\System32\VAahVOp.exe
  2⤵
  PID:8696
- C:\Windows\System32\quofMde.exe
  C:\Windows\System32\quofMde.exe
  2⤵
  PID:8720
- C:\Windows\System32\nLMtLLt.exe
  C:\Windows\System32\nLMtLLt.exe
  2⤵
  PID:8736
- C:\Windows\System32\vEqaahz.exe
  C:\Windows\System32\vEqaahz.exe
  2⤵
  PID:8768
- C:\Windows\System32\LCoBYqc.exe
  C:\Windows\System32\LCoBYqc.exe
  2⤵
  PID:8796
- C:\Windows\System32\hgLfECU.exe
  C:\Windows\System32\hgLfECU.exe
  2⤵
  PID:8816
- C:\Windows\System32\pFiDNul.exe
  C:\Windows\System32\pFiDNul.exe
  2⤵
  PID:8832
- C:\Windows\System32\bvZjzXT.exe
  C:\Windows\System32\bvZjzXT.exe
  2⤵
  PID:8856
- C:\Windows\System32\ohgCNys.exe
  C:\Windows\System32\ohgCNys.exe
  2⤵
  PID:8884
- C:\Windows\System32\MaQztrl.exe
  C:\Windows\System32\MaQztrl.exe
  2⤵
  PID:8960
- C:\Windows\System32\stqICkI.exe
  C:\Windows\System32\stqICkI.exe
  2⤵
  PID:8984
- C:\Windows\System32\pNzjEan.exe
  C:\Windows\System32\pNzjEan.exe
  2⤵
  PID:9004
- C:\Windows\System32\iWyLUqu.exe
  C:\Windows\System32\iWyLUqu.exe
  2⤵
  PID:9036
- C:\Windows\System32\gYoCbQD.exe
  C:\Windows\System32\gYoCbQD.exe
  2⤵
  PID:9052
- C:\Windows\System32\ACeMKLK.exe
  C:\Windows\System32\ACeMKLK.exe
  2⤵
  PID:9096
- C:\Windows\System32\NkMmgxJ.exe
  C:\Windows\System32\NkMmgxJ.exe
  2⤵
  PID:9116
- C:\Windows\System32\kHrUiMg.exe
  C:\Windows\System32\kHrUiMg.exe
  2⤵
  PID:9192
- C:\Windows\System32\Waepogl.exe
  C:\Windows\System32\Waepogl.exe
  2⤵
  PID:9208
- C:\Windows\System32\iPUXDIu.exe
  C:\Windows\System32\iPUXDIu.exe
  2⤵
  PID:8240
- C:\Windows\System32\aPrfUaF.exe
  C:\Windows\System32\aPrfUaF.exe
  2⤵
  PID:8368
- C:\Windows\System32\AzcLdiH.exe
  C:\Windows\System32\AzcLdiH.exe
  2⤵
  PID:8404
- C:\Windows\System32\jMqcUec.exe
  C:\Windows\System32\jMqcUec.exe
  2⤵
  PID:8380
- C:\Windows\System32\GFvhaoY.exe
  C:\Windows\System32\GFvhaoY.exe
  2⤵
  PID:8476
- C:\Windows\System32\OpHSUws.exe
  C:\Windows\System32\OpHSUws.exe
  2⤵
  PID:8504
- C:\Windows\System32\TvmXpCj.exe
  C:\Windows\System32\TvmXpCj.exe
  2⤵
  PID:8624
- C:\Windows\System32\QyxtNzk.exe
  C:\Windows\System32\QyxtNzk.exe
  2⤵
  PID:8680
- C:\Windows\System32\zkWjIVo.exe
  C:\Windows\System32\zkWjIVo.exe
  2⤵
  PID:8744
- C:\Windows\System32\OqizBZe.exe
  C:\Windows\System32\OqizBZe.exe
  2⤵
  PID:8812
- C:\Windows\System32\fVQovgK.exe
  C:\Windows\System32\fVQovgK.exe
  2⤵
  PID:8876
- C:\Windows\System32\rXvUnBn.exe
  C:\Windows\System32\rXvUnBn.exe
  2⤵
  PID:8980
- C:\Windows\System32\NnFxuoi.exe
  C:\Windows\System32\NnFxuoi.exe
  2⤵
  PID:9024
- C:\Windows\System32\CLyShZd.exe
  C:\Windows\System32\CLyShZd.exe
  2⤵
  PID:9080
- C:\Windows\System32\jNlusAC.exe
  C:\Windows\System32\jNlusAC.exe
  2⤵
  PID:9104
- C:\Windows\System32\GPGnUNm.exe
  C:\Windows\System32\GPGnUNm.exe
  2⤵
  PID:9064
- C:\Windows\System32\lVDtvsg.exe
  C:\Windows\System32\lVDtvsg.exe
  2⤵
  PID:9168
- C:\Windows\System32\ugZHeNC.exe
  C:\Windows\System32\ugZHeNC.exe
  2⤵
  PID:9152
- C:\Windows\System32\rUbaXEs.exe
  C:\Windows\System32\rUbaXEs.exe
  2⤵
  PID:8296
- C:\Windows\System32\KSkflAg.exe
  C:\Windows\System32\KSkflAg.exe
  2⤵
  PID:8468
- C:\Windows\System32\uqzgJTN.exe
  C:\Windows\System32\uqzgJTN.exe
  2⤵
  PID:8548
- C:\Windows\System32\EoKhrhi.exe
  C:\Windows\System32\EoKhrhi.exe
  2⤵
  PID:8712
- C:\Windows\System32\TfXRHur.exe
  C:\Windows\System32\TfXRHur.exe
  2⤵
  PID:8868
- C:\Windows\System32\osjRZNf.exe
  C:\Windows\System32\osjRZNf.exe
  2⤵
  PID:9160
- C:\Windows\System32\fHZYDAN.exe
  C:\Windows\System32\fHZYDAN.exe
  2⤵
  PID:9200
- C:\Windows\System32\KbTnMGz.exe
  C:\Windows\System32\KbTnMGz.exe
  2⤵
  PID:8200
- C:\Windows\System32\UCvdJQG.exe
  C:\Windows\System32\UCvdJQG.exe
  2⤵
  PID:8652
- C:\Windows\System32\uwESjOd.exe
  C:\Windows\System32\uwESjOd.exe
  2⤵
  PID:8840
- C:\Windows\System32\LELVvaJ.exe
  C:\Windows\System32\LELVvaJ.exe
  2⤵
  PID:9180
- C:\Windows\System32\RIdhixG.exe
  C:\Windows\System32\RIdhixG.exe
  2⤵
  PID:8692
- C:\Windows\System32\KWfhpSd.exe
  C:\Windows\System32\KWfhpSd.exe
  2⤵
  PID:9232
- C:\Windows\System32\OOPmdXH.exe
  C:\Windows\System32\OOPmdXH.exe
  2⤵
  PID:9284
- C:\Windows\System32\zoyyPTl.exe
  C:\Windows\System32\zoyyPTl.exe
  2⤵
  PID:9300
- C:\Windows\System32\gmCDOKD.exe
  C:\Windows\System32\gmCDOKD.exe
  2⤵
  PID:9336
- C:\Windows\System32\lQooeXP.exe
  C:\Windows\System32\lQooeXP.exe
  2⤵
  PID:9356
- C:\Windows\System32\sCtkJUY.exe
  C:\Windows\System32\sCtkJUY.exe
  2⤵
  PID:9404
- C:\Windows\System32\vCqMzfE.exe
  C:\Windows\System32\vCqMzfE.exe
  2⤵
  PID:9424
- C:\Windows\System32\VMevSnk.exe
  C:\Windows\System32\VMevSnk.exe
  2⤵
  PID:9444
- C:\Windows\System32\LUuNJEe.exe
  C:\Windows\System32\LUuNJEe.exe
  2⤵
  PID:9476
- C:\Windows\System32\UjQCSal.exe
  C:\Windows\System32\UjQCSal.exe
  2⤵
  PID:9492
- C:\Windows\System32\IWMKABZ.exe
  C:\Windows\System32\IWMKABZ.exe
  2⤵
  PID:9532
- C:\Windows\System32\Forznuo.exe
  C:\Windows\System32\Forznuo.exe
  2⤵
  PID:9584
- C:\Windows\System32\ImtDhEv.exe
  C:\Windows\System32\ImtDhEv.exe
  2⤵
  PID:9612
- C:\Windows\System32\jovFCEK.exe
  C:\Windows\System32\jovFCEK.exe
  2⤵
  PID:9640
- C:\Windows\System32\FQmEdGz.exe
  C:\Windows\System32\FQmEdGz.exe
  2⤵
  PID:9664
- C:\Windows\System32\JEaDPOn.exe
  C:\Windows\System32\JEaDPOn.exe
  2⤵
  PID:9680
- C:\Windows\System32\KlIQoTv.exe
  C:\Windows\System32\KlIQoTv.exe
  2⤵
  PID:9700
- C:\Windows\System32\UlDqalK.exe
  C:\Windows\System32\UlDqalK.exe
  2⤵
  PID:9716
- C:\Windows\System32\REqEdJv.exe
  C:\Windows\System32\REqEdJv.exe
  2⤵
  PID:9748
- C:\Windows\System32\NOoJfna.exe
  C:\Windows\System32\NOoJfna.exe
  2⤵
  PID:9788
- C:\Windows\System32\iVxBvlY.exe
  C:\Windows\System32\iVxBvlY.exe
  2⤵
  PID:9844
- C:\Windows\System32\QXpoDYw.exe
  C:\Windows\System32\QXpoDYw.exe
  2⤵
  PID:9872
- C:\Windows\System32\dZiNOPk.exe
  C:\Windows\System32\dZiNOPk.exe
  2⤵
  PID:9916
- C:\Windows\System32\YdKFxZE.exe
  C:\Windows\System32\YdKFxZE.exe
  2⤵
  PID:9940
- C:\Windows\System32\owtfoJn.exe
  C:\Windows\System32\owtfoJn.exe
  2⤵
  PID:9968
- C:\Windows\System32\aBArLbg.exe
  C:\Windows\System32\aBArLbg.exe
  2⤵
  PID:9984
- C:\Windows\System32\OlMcADd.exe
  C:\Windows\System32\OlMcADd.exe
  2⤵
  PID:10008
- C:\Windows\System32\qWPrXya.exe
  C:\Windows\System32\qWPrXya.exe
  2⤵
  PID:10044
- C:\Windows\System32\CQdOHJa.exe
  C:\Windows\System32\CQdOHJa.exe
  2⤵
  PID:10064
- C:\Windows\System32\pPZspKn.exe
  C:\Windows\System32\pPZspKn.exe
  2⤵
  PID:10092
- C:\Windows\System32\jkJEHRH.exe
  C:\Windows\System32\jkJEHRH.exe
  2⤵
  PID:10116
- C:\Windows\System32\yqHoHGM.exe
  C:\Windows\System32\yqHoHGM.exe
  2⤵
  PID:10136
- C:\Windows\System32\mJuccMI.exe
  C:\Windows\System32\mJuccMI.exe
  2⤵
  PID:10160
- C:\Windows\System32\Vqapiov.exe
  C:\Windows\System32\Vqapiov.exe
  2⤵
  PID:10208
- C:\Windows\System32\QpxUCMj.exe
  C:\Windows\System32\QpxUCMj.exe
  2⤵
  PID:8848
- C:\Windows\System32\zSjycJb.exe
  C:\Windows\System32\zSjycJb.exe
  2⤵
  PID:6664
- C:\Windows\System32\YnKyFhM.exe
  C:\Windows\System32\YnKyFhM.exe
  2⤵
  PID:7612
- C:\Windows\System32\rGhjtCJ.exe
  C:\Windows\System32\rGhjtCJ.exe
  2⤵
  PID:9332
- C:\Windows\System32\xOWGOVF.exe
  C:\Windows\System32\xOWGOVF.exe
  2⤵
  PID:9376
- C:\Windows\System32\JNJNNKL.exe
  C:\Windows\System32\JNJNNKL.exe
  2⤵
  PID:9416
- C:\Windows\System32\qTofEXt.exe
  C:\Windows\System32\qTofEXt.exe
  2⤵
  PID:9488
- C:\Windows\System32\sZXmXgC.exe
  C:\Windows\System32\sZXmXgC.exe
  2⤵
  PID:9572
- C:\Windows\System32\vLHlWSX.exe
  C:\Windows\System32\vLHlWSX.exe
  2⤵
  PID:9620
- C:\Windows\System32\eHYRjJj.exe
  C:\Windows\System32\eHYRjJj.exe
  2⤵
  PID:9696
- C:\Windows\System32\ESIHBPz.exe
  C:\Windows\System32\ESIHBPz.exe
  2⤵
  PID:9728
- C:\Windows\System32\LWVmcOp.exe
  C:\Windows\System32\LWVmcOp.exe
  2⤵
  PID:9868
- C:\Windows\System32\CdeIBdo.exe
  C:\Windows\System32\CdeIBdo.exe
  2⤵
  PID:9932
- C:\Windows\System32\UmRrmSQ.exe
  C:\Windows\System32\UmRrmSQ.exe
  2⤵
  PID:9980
- C:\Windows\System32\tgvSWgV.exe
  C:\Windows\System32\tgvSWgV.exe
  2⤵
  PID:10052
- C:\Windows\System32\CYVxyIf.exe
  C:\Windows\System32\CYVxyIf.exe
  2⤵
  PID:10144
- C:\Windows\System32\yZdCEJz.exe
  C:\Windows\System32\yZdCEJz.exe
  2⤵
  PID:10224
- C:\Windows\System32\JLeAAKx.exe
  C:\Windows\System32\JLeAAKx.exe
  2⤵
  PID:9072
- C:\Windows\System32\ynjjblD.exe
  C:\Windows\System32\ynjjblD.exe
  2⤵
  PID:9368
- C:\Windows\System32\CGCuuZY.exe
  C:\Windows\System32\CGCuuZY.exe
  2⤵
  PID:9432
- C:\Windows\System32\xOVeeYS.exe
  C:\Windows\System32\xOVeeYS.exe
  2⤵
  PID:9564
- C:\Windows\System32\LBfLbqZ.exe
  C:\Windows\System32\LBfLbqZ.exe
  2⤵
  PID:9688
- C:\Windows\System32\PCBbDdp.exe
  C:\Windows\System32\PCBbDdp.exe
  2⤵
  PID:9896
- C:\Windows\System32\dwRdoOe.exe
  C:\Windows\System32\dwRdoOe.exe
  2⤵
  PID:9996
- C:\Windows\System32\pbbWWlh.exe
  C:\Windows\System32\pbbWWlh.exe
  2⤵
  PID:9124
- C:\Windows\System32\yrtCzrp.exe
  C:\Windows\System32\yrtCzrp.exe
  2⤵
  PID:9456
- C:\Windows\System32\JDTWDpn.exe
  C:\Windows\System32\JDTWDpn.exe
  2⤵
  PID:4456
- C:\Windows\System32\OfStIIn.exe
  C:\Windows\System32\OfStIIn.exe
  2⤵
  PID:10088
- C:\Windows\System32\vcOXqzG.exe
  C:\Windows\System32\vcOXqzG.exe
  2⤵
  PID:8660
- C:\Windows\System32\qubozjI.exe
  C:\Windows\System32\qubozjI.exe
  2⤵
  PID:10288
- C:\Windows\System32\ZshDhdk.exe
  C:\Windows\System32\ZshDhdk.exe
  2⤵
  PID:10332
- C:\Windows\System32\DybJVqy.exe
  C:\Windows\System32\DybJVqy.exe
  2⤵
  PID:10348
- C:\Windows\System32\PwXbJfo.exe
  C:\Windows\System32\PwXbJfo.exe
  2⤵
  PID:10368
- C:\Windows\System32\uXKEVnB.exe
  C:\Windows\System32\uXKEVnB.exe
  2⤵
  PID:10384
- C:\Windows\System32\hNoRnwm.exe
  C:\Windows\System32\hNoRnwm.exe
  2⤵
  PID:10404
- C:\Windows\System32\pCLlcnN.exe
  C:\Windows\System32\pCLlcnN.exe
  2⤵
  PID:10432
- C:\Windows\System32\wXmNzgX.exe
  C:\Windows\System32\wXmNzgX.exe
  2⤵
  PID:10448
- C:\Windows\System32\RrUBpRs.exe
  C:\Windows\System32\RrUBpRs.exe
  2⤵
  PID:10472
- C:\Windows\System32\FUClbru.exe
  C:\Windows\System32\FUClbru.exe
  2⤵
  PID:10488
- C:\Windows\System32\UqBQNdr.exe
  C:\Windows\System32\UqBQNdr.exe
  2⤵
  PID:10544
- C:\Windows\System32\IKEdWIM.exe
  C:\Windows\System32\IKEdWIM.exe
  2⤵
  PID:10600
- C:\Windows\System32\PZqhxzc.exe
  C:\Windows\System32\PZqhxzc.exe
  2⤵
  PID:10636
- C:\Windows\System32\DNOtVTG.exe
  C:\Windows\System32\DNOtVTG.exe
  2⤵
  PID:10660
- C:\Windows\System32\qLqLKJf.exe
  C:\Windows\System32\qLqLKJf.exe
  2⤵
  PID:10680
- C:\Windows\System32\vgOJFxp.exe
  C:\Windows\System32\vgOJFxp.exe
  2⤵
  PID:10700
- C:\Windows\System32\HofqBMh.exe
  C:\Windows\System32\HofqBMh.exe
  2⤵
  PID:10716
- C:\Windows\System32\AaNewue.exe
  C:\Windows\System32\AaNewue.exe
  2⤵
  PID:10732
- C:\Windows\System32\JsyIbXR.exe
  C:\Windows\System32\JsyIbXR.exe
  2⤵
  PID:10768
- C:\Windows\System32\jPwxppH.exe
  C:\Windows\System32\jPwxppH.exe
  2⤵
  PID:10788
- C:\Windows\System32\VWIVHPx.exe
  C:\Windows\System32\VWIVHPx.exe
  2⤵
  PID:10812
- C:\Windows\System32\pZLPLgu.exe
  C:\Windows\System32\pZLPLgu.exe
  2⤵
  PID:10832
- C:\Windows\System32\NQKxqTI.exe
  C:\Windows\System32\NQKxqTI.exe
  2⤵
  PID:10852
- C:\Windows\System32\LtmPeOP.exe
  C:\Windows\System32\LtmPeOP.exe
  2⤵
  PID:10912
- C:\Windows\System32\EoXSZRk.exe
  C:\Windows\System32\EoXSZRk.exe
  2⤵
  PID:10968
- C:\Windows\System32\GfxsvIn.exe
  C:\Windows\System32\GfxsvIn.exe
  2⤵
  PID:11024
- C:\Windows\System32\fBAgQlW.exe
  C:\Windows\System32\fBAgQlW.exe
  2⤵
  PID:11044
- C:\Windows\System32\juIOUOh.exe
  C:\Windows\System32\juIOUOh.exe
  2⤵
  PID:11076
- C:\Windows\System32\VxZafkS.exe
  C:\Windows\System32\VxZafkS.exe
  2⤵
  PID:11092
- C:\Windows\System32\BTRuYGg.exe
  C:\Windows\System32\BTRuYGg.exe
  2⤵
  PID:11112
- C:\Windows\System32\MOwXmxY.exe
  C:\Windows\System32\MOwXmxY.exe
  2⤵
  PID:11152
- C:\Windows\System32\lxkpPUr.exe
  C:\Windows\System32\lxkpPUr.exe
  2⤵
  PID:11168
- C:\Windows\System32\kFrUkSd.exe
  C:\Windows\System32\kFrUkSd.exe
  2⤵
  PID:11188
- C:\Windows\System32\GdzBdRr.exe
  C:\Windows\System32\GdzBdRr.exe
  2⤵
  PID:11216
- C:\Windows\System32\dwKbwbz.exe
  C:\Windows\System32\dwKbwbz.exe
  2⤵
  PID:11260
- C:\Windows\System32\uvXfaAn.exe
  C:\Windows\System32\uvXfaAn.exe
  2⤵
  PID:9520
- C:\Windows\System32\fMqtoAd.exe
  C:\Windows\System32\fMqtoAd.exe
  2⤵
  PID:9440
- C:\Windows\System32\AEUAvQP.exe
  C:\Windows\System32\AEUAvQP.exe
  2⤵
  PID:10032
- C:\Windows\System32\pjjaljj.exe
  C:\Windows\System32\pjjaljj.exe
  2⤵
  PID:10376
- C:\Windows\System32\lTPrReL.exe
  C:\Windows\System32\lTPrReL.exe
  2⤵
  PID:10340
- C:\Windows\System32\jSjuXnV.exe
  C:\Windows\System32\jSjuXnV.exe
  2⤵
  PID:10364
- C:\Windows\System32\XCqjayf.exe
  C:\Windows\System32\XCqjayf.exe
  2⤵
  PID:10520
- C:\Windows\System32\IcGFnQX.exe
  C:\Windows\System32\IcGFnQX.exe
  2⤵
  PID:10688
- C:\Windows\System32\LbFBAql.exe
  C:\Windows\System32\LbFBAql.exe
  2⤵
  PID:10692
- C:\Windows\System32\zLoINvl.exe
  C:\Windows\System32\zLoINvl.exe
  2⤵
  PID:10804
- C:\Windows\System32\tUZotxf.exe
  C:\Windows\System32\tUZotxf.exe
  2⤵
  PID:10844
- C:\Windows\System32\tVaAolH.exe
  C:\Windows\System32\tVaAolH.exe
  2⤵
  PID:10948
- C:\Windows\System32\AatCrSi.exe
  C:\Windows\System32\AatCrSi.exe
  2⤵
  PID:10940
- C:\Windows\System32\PuVzwuG.exe
  C:\Windows\System32\PuVzwuG.exe
  2⤵
  PID:10392
- C:\Windows\System32\EubXLRr.exe
  C:\Windows\System32\EubXLRr.exe
  2⤵
  PID:11052
- C:\Windows\System32\NaQCZab.exe
  C:\Windows\System32\NaQCZab.exe
  2⤵
  PID:11184
- C:\Windows\System32\JWwaLdY.exe
  C:\Windows\System32\JWwaLdY.exe
  2⤵
  PID:10380
- C:\Windows\System32\pVpeqAR.exe
  C:\Windows\System32\pVpeqAR.exe
  2⤵
  PID:9672
- C:\Windows\System32\hwXOItN.exe
  C:\Windows\System32\hwXOItN.exe
  2⤵
  PID:10516
- C:\Windows\System32\IxqVbPx.exe
  C:\Windows\System32\IxqVbPx.exe
  2⤵
  PID:10724
- C:\Windows\System32\ZWSQrPo.exe
  C:\Windows\System32\ZWSQrPo.exe
  2⤵
  PID:10784
- C:\Windows\System32\laMimWy.exe
  C:\Windows\System32\laMimWy.exe
  2⤵
  PID:11036
- C:\Windows\System32\IvyUpdX.exe
  C:\Windows\System32\IvyUpdX.exe
  2⤵
  PID:10924
- C:\Windows\System32\KJAwmqA.exe
  C:\Windows\System32\KJAwmqA.exe
  2⤵
  PID:11104
- C:\Windows\System32\dJMBaBQ.exe
  C:\Windows\System32\dJMBaBQ.exe
  2⤵
  PID:10424
- C:\Windows\System32\XuJCaZT.exe
  C:\Windows\System32\XuJCaZT.exe
  2⤵
  PID:11224
- C:\Windows\System32\CVPGXeP.exe
  C:\Windows\System32\CVPGXeP.exe
  2⤵
  PID:10592
- C:\Windows\System32\woCruoK.exe
  C:\Windows\System32\woCruoK.exe
  2⤵
  PID:11084
- C:\Windows\System32\FjwqAZr.exe
  C:\Windows\System32\FjwqAZr.exe
  2⤵
  PID:11312
- C:\Windows\System32\nyJBRxQ.exe
  C:\Windows\System32\nyJBRxQ.exe
  2⤵
  PID:11340
- C:\Windows\System32\iWaBQUZ.exe
  C:\Windows\System32\iWaBQUZ.exe
  2⤵
  PID:11356
- C:\Windows\System32\dCDWzVD.exe
  C:\Windows\System32\dCDWzVD.exe
  2⤵
  PID:11376
- C:\Windows\System32\XuhxcCd.exe
  C:\Windows\System32\XuhxcCd.exe
  2⤵
  PID:11400
- C:\Windows\System32\yrktKFU.exe
  C:\Windows\System32\yrktKFU.exe
  2⤵
  PID:11440
- C:\Windows\System32\MGhjCAF.exe
  C:\Windows\System32\MGhjCAF.exe
  2⤵
  PID:11472
- C:\Windows\System32\QhcWCfK.exe
  C:\Windows\System32\QhcWCfK.exe
  2⤵
  PID:11492
- C:\Windows\System32\bvJqGOP.exe
  C:\Windows\System32\bvJqGOP.exe
  2⤵
  PID:11516
- C:\Windows\System32\pCSaOeP.exe
  C:\Windows\System32\pCSaOeP.exe
  2⤵
  PID:11536
- C:\Windows\System32\ASRigir.exe
  C:\Windows\System32\ASRigir.exe
  2⤵
  PID:11556
- C:\Windows\System32\gbGhmir.exe
  C:\Windows\System32\gbGhmir.exe
  2⤵
  PID:11580
- C:\Windows\System32\cDXGZid.exe
  C:\Windows\System32\cDXGZid.exe
  2⤵
  PID:11600
- C:\Windows\System32\rxwsnZg.exe
  C:\Windows\System32\rxwsnZg.exe
  2⤵
  PID:11620
- C:\Windows\System32\CWbZcZH.exe
  C:\Windows\System32\CWbZcZH.exe
  2⤵
  PID:11648
- C:\Windows\System32\qtgUKAE.exe
  C:\Windows\System32\qtgUKAE.exe
  2⤵
  PID:11692
- C:\Windows\System32\GyUluxj.exe
  C:\Windows\System32\GyUluxj.exe
  2⤵
  PID:11768
- C:\Windows\System32\aZaDUKX.exe
  C:\Windows\System32\aZaDUKX.exe
  2⤵
  PID:11784
- C:\Windows\System32\JeAlvWN.exe
  C:\Windows\System32\JeAlvWN.exe
  2⤵
  PID:11804
- C:\Windows\System32\WJWwJZS.exe
  C:\Windows\System32\WJWwJZS.exe
  2⤵
  PID:11840
- C:\Windows\System32\RTAwqtC.exe
  C:\Windows\System32\RTAwqtC.exe
  2⤵
  PID:11860
- C:\Windows\System32\CKKUGDh.exe
  C:\Windows\System32\CKKUGDh.exe
  2⤵
  PID:11888
- C:\Windows\System32\UvuXyeL.exe
  C:\Windows\System32\UvuXyeL.exe
  2⤵
  PID:11908
- C:\Windows\System32\HFtmgjd.exe
  C:\Windows\System32\HFtmgjd.exe
  2⤵
  PID:11936
- C:\Windows\System32\mUkBfBT.exe
  C:\Windows\System32\mUkBfBT.exe
  2⤵
  PID:11956
- C:\Windows\System32\AsgZudX.exe
  C:\Windows\System32\AsgZudX.exe
  2⤵
  PID:11980
- C:\Windows\System32\KkIdyZc.exe
  C:\Windows\System32\KkIdyZc.exe
  2⤵
  PID:11996
- C:\Windows\System32\DrxwSXz.exe
  C:\Windows\System32\DrxwSXz.exe
  2⤵
  PID:12024
- C:\Windows\System32\wUoXpLX.exe
  C:\Windows\System32\wUoXpLX.exe
  2⤵
  PID:12040
- C:\Windows\System32\lgfSGfb.exe
  C:\Windows\System32\lgfSGfb.exe
  2⤵
  PID:12056
- C:\Windows\System32\jgGFDXt.exe
  C:\Windows\System32\jgGFDXt.exe
  2⤵
  PID:12088
- C:\Windows\System32\prZGzpJ.exe
  C:\Windows\System32\prZGzpJ.exe
  2⤵
  PID:12148
- C:\Windows\System32\jlRqzlJ.exe
  C:\Windows\System32\jlRqzlJ.exe
  2⤵
  PID:12180
- C:\Windows\System32\txfmrBt.exe
  C:\Windows\System32\txfmrBt.exe
  2⤵
  PID:12216
- C:\Windows\System32\wYzViXo.exe
  C:\Windows\System32\wYzViXo.exe
  2⤵
  PID:12236
- C:\Windows\System32\DPXrxBG.exe
  C:\Windows\System32\DPXrxBG.exe
  2⤵
  PID:12252
- C:\Windows\System32\bUlBIOO.exe
  C:\Windows\System32\bUlBIOO.exe
  2⤵
  PID:12268
- C:\Windows\System32\bOrVrVw.exe
  C:\Windows\System32\bOrVrVw.exe
  2⤵
  PID:10976
- C:\Windows\System32\LzLgvxs.exe
  C:\Windows\System32\LzLgvxs.exe
  2⤵
  PID:11296
- C:\Windows\System32\NEnViGB.exe
  C:\Windows\System32\NEnViGB.exe
  2⤵
  PID:11320
- C:\Windows\System32\KibQNBJ.exe
  C:\Windows\System32\KibQNBJ.exe
  2⤵
  PID:11372
- C:\Windows\System32\xgqlLoq.exe
  C:\Windows\System32\xgqlLoq.exe
  2⤵
  PID:11408
- C:\Windows\System32\hYeonyu.exe
  C:\Windows\System32\hYeonyu.exe
  2⤵
  PID:11568
- C:\Windows\System32\gBtTFPO.exe
  C:\Windows\System32\gBtTFPO.exe
  2⤵
  PID:11676
- C:\Windows\System32\vtzHFiK.exe
  C:\Windows\System32\vtzHFiK.exe
  2⤵
  PID:11744
- C:\Windows\System32\xHDCHtM.exe
  C:\Windows\System32\xHDCHtM.exe
  2⤵
  PID:11800
- C:\Windows\System32\OnvvuWq.exe
  C:\Windows\System32\OnvvuWq.exe
  2⤵
  PID:11796
- C:\Windows\System32\EfdBcsb.exe
  C:\Windows\System32\EfdBcsb.exe
  2⤵
  PID:11952
- C:\Windows\System32\IyvJJtM.exe
  C:\Windows\System32\IyvJJtM.exe
  2⤵
  PID:12052
- C:\Windows\System32\tguZpVn.exe
  C:\Windows\System32\tguZpVn.exe
  2⤵
  PID:12064
- C:\Windows\System32\BENHvoH.exe
  C:\Windows\System32\BENHvoH.exe
  2⤵
  PID:12192
- C:\Windows\System32\YtERGjh.exe
  C:\Windows\System32\YtERGjh.exe
  2⤵
  PID:12264
- C:\Windows\System32\FkLkvZR.exe
  C:\Windows\System32\FkLkvZR.exe
  2⤵
  PID:12244
- C:\Windows\System32\HWXbfTp.exe
  C:\Windows\System32\HWXbfTp.exe
  2⤵
  PID:11456
- C:\Windows\System32\rygLLJR.exe
  C:\Windows\System32\rygLLJR.exe
  2⤵
  PID:11616
- C:\Windows\System32\nvxUnhC.exe
  C:\Windows\System32\nvxUnhC.exe
  2⤵
  PID:11776
- C:\Windows\System32\LMJqLnq.exe
  C:\Windows\System32\LMJqLnq.exe
  2⤵
  PID:11868
- C:\Windows\System32\SxiQahO.exe
  C:\Windows\System32\SxiQahO.exe
  2⤵
  PID:11976
- C:\Windows\System32\GIuxELm.exe
  C:\Windows\System32\GIuxELm.exe
  2⤵
  PID:12112
- C:\Windows\System32\PnEBQZT.exe
  C:\Windows\System32\PnEBQZT.exe
  2⤵
  PID:11276
- C:\Windows\System32\SMPXoQZ.exe
  C:\Windows\System32\SMPXoQZ.exe
  2⤵
  PID:11432
- C:\Windows\System32\KYPBhNC.exe
  C:\Windows\System32\KYPBhNC.exe
  2⤵
  PID:11988
- C:\Windows\System32\uYUbUCh.exe
  C:\Windows\System32\uYUbUCh.exe
  2⤵
  PID:11656
- C:\Windows\System32\jpFWjcZ.exe
  C:\Windows\System32\jpFWjcZ.exe
  2⤵
  PID:12304
- C:\Windows\System32\AZclGYl.exe
  C:\Windows\System32\AZclGYl.exe
  2⤵
  PID:12328
- C:\Windows\System32\cnvkkSX.exe
  C:\Windows\System32\cnvkkSX.exe
  2⤵
  PID:12356
- C:\Windows\System32\ATFYapx.exe
  C:\Windows\System32\ATFYapx.exe
  2⤵
  PID:12376
- C:\Windows\System32\VXVKyvj.exe
  C:\Windows\System32\VXVKyvj.exe
  2⤵
  PID:12456
- C:\Windows\System32\CoUuIMJ.exe
  C:\Windows\System32\CoUuIMJ.exe
  2⤵
  PID:12480
- C:\Windows\System32\XOcPUpH.exe
  C:\Windows\System32\XOcPUpH.exe
  2⤵
  PID:12500
- C:\Windows\System32\EeSIqLd.exe
  C:\Windows\System32\EeSIqLd.exe
  2⤵
  PID:12516
- C:\Windows\System32\JfXHckN.exe
  C:\Windows\System32\JfXHckN.exe
  2⤵
  PID:12544
- C:\Windows\System32\jKizJKg.exe
  C:\Windows\System32\jKizJKg.exe
  2⤵
  PID:12568
- C:\Windows\System32\VjJcMWt.exe
  C:\Windows\System32\VjJcMWt.exe
  2⤵
  PID:12588
- C:\Windows\System32\VsWSmuo.exe
  C:\Windows\System32\VsWSmuo.exe
  2⤵
  PID:12604
- C:\Windows\System32\jQQnITZ.exe
  C:\Windows\System32\jQQnITZ.exe
  2⤵
  PID:12640
- C:\Windows\System32\zFcRHqp.exe
  C:\Windows\System32\zFcRHqp.exe
  2⤵
  PID:12684
- C:\Windows\System32\RUoftLZ.exe
  C:\Windows\System32\RUoftLZ.exe
  2⤵
  PID:12700
- C:\Windows\System32\UbhfPun.exe
  C:\Windows\System32\UbhfPun.exe
  2⤵
  PID:12724
- C:\Windows\System32\sjNemIp.exe
  C:\Windows\System32\sjNemIp.exe
  2⤵
  PID:12764
- C:\Windows\System32\HcZWlGi.exe
  C:\Windows\System32\HcZWlGi.exe
  2⤵
  PID:12812
- C:\Windows\System32\nXRRFye.exe
  C:\Windows\System32\nXRRFye.exe
  2⤵
  PID:12832
- C:\Windows\System32\TcKXZHl.exe
  C:\Windows\System32\TcKXZHl.exe
  2⤵
  PID:12852
- C:\Windows\System32\mOrmIla.exe
  C:\Windows\System32\mOrmIla.exe
  2⤵
  PID:12868
- C:\Windows\System32\mbDZqMQ.exe
  C:\Windows\System32\mbDZqMQ.exe
  2⤵
  PID:12904
- C:\Windows\System32\ldsXyhR.exe
  C:\Windows\System32\ldsXyhR.exe
  2⤵
  PID:12932
- C:\Windows\System32\utaFNHS.exe
  C:\Windows\System32\utaFNHS.exe
  2⤵
  PID:12952
- C:\Windows\System32\PFEPixi.exe
  C:\Windows\System32\PFEPixi.exe
  2⤵
  PID:12976
- C:\Windows\System32\zaRHrec.exe
  C:\Windows\System32\zaRHrec.exe
  2⤵
  PID:13004
- C:\Windows\System32\sdydZfw.exe
  C:\Windows\System32\sdydZfw.exe
  2⤵
  PID:13024
- C:\Windows\System32\UQVzILV.exe
  C:\Windows\System32\UQVzILV.exe
  2⤵
  PID:13044
- C:\Windows\System32\oVXmpMq.exe
  C:\Windows\System32\oVXmpMq.exe
  2⤵
  PID:13076
- C:\Windows\System32\ovgdPET.exe
  C:\Windows\System32\ovgdPET.exe
  2⤵
  PID:13108
- C:\Windows\System32\funVcnE.exe
  C:\Windows\System32\funVcnE.exe
  2⤵
  PID:13148
- C:\Windows\System32\qyPuvGV.exe
  C:\Windows\System32\qyPuvGV.exe
  2⤵
  PID:13172
- C:\Windows\System32\Pftlgej.exe
  C:\Windows\System32\Pftlgej.exe
  2⤵
  PID:13224
- C:\Windows\System32\gFVzrun.exe
  C:\Windows\System32\gFVzrun.exe
  2⤵
  PID:13260
- C:\Windows\System32\GLhrMHz.exe
  C:\Windows\System32\GLhrMHz.exe
  2⤵
  PID:13280
- C:\Windows\System32\jnSqGaB.exe
  C:\Windows\System32\jnSqGaB.exe
  2⤵
  PID:13296
- C:\Windows\System32\ynlKfaf.exe
  C:\Windows\System32\ynlKfaf.exe
  2⤵
  PID:12300
- C:\Windows\System32\IxIsAYT.exe
  C:\Windows\System32\IxIsAYT.exe
  2⤵
  PID:12296
- C:\Windows\System32\GeXUDvw.exe
  C:\Windows\System32\GeXUDvw.exe
  2⤵
  PID:12448
- C:\Windows\System32\CaXhoSQ.exe
  C:\Windows\System32\CaXhoSQ.exe
  2⤵
  PID:12488
- C:\Windows\System32\aXGQaeT.exe
  C:\Windows\System32\aXGQaeT.exe
  2⤵
  PID:12524
- C:\Windows\System32\eVJJDlI.exe
  C:\Windows\System32\eVJJDlI.exe
  2⤵
  PID:12576
- C:\Windows\System32\uLhuEXt.exe
  C:\Windows\System32\uLhuEXt.exe
  2⤵
  PID:12696
- C:\Windows\System32\QKpMojB.exe
  C:\Windows\System32\QKpMojB.exe
  2⤵
  PID:12672
- C:\Windows\System32\jzJqPuY.exe
  C:\Windows\System32\jzJqPuY.exe
  2⤵
  PID:12824
- C:\Windows\System32\KXKnnwp.exe
  C:\Windows\System32\KXKnnwp.exe
  2⤵
  PID:12864
- C:\Windows\System32\uxNdckP.exe
  C:\Windows\System32\uxNdckP.exe
  2⤵
  PID:12840
- C:\Windows\System32\CvqRIbP.exe
  C:\Windows\System32\CvqRIbP.exe
  2⤵
  PID:12984
- C:\Windows\System32\AFvfYVb.exe
  C:\Windows\System32\AFvfYVb.exe
  2⤵
  PID:12964
- C:\Windows\System32\yJTILFT.exe
  C:\Windows\System32\yJTILFT.exe
  2⤵
  PID:13072
- C:\Windows\System32\unLdaXC.exe
  C:\Windows\System32\unLdaXC.exe
  2⤵
  PID:13116
- C:\Windows\System32\EAecwTL.exe
  C:\Windows\System32\EAecwTL.exe
  2⤵
  PID:13160
- C:\Windows\System32\mNhuoPO.exe
  C:\Windows\System32\mNhuoPO.exe
  2⤵
  PID:5096
- C:\Windows\System32\oAbclXY.exe
  C:\Windows\System32\oAbclXY.exe
  2⤵
  PID:13236
- C:\Windows\System32\PasRkAF.exe
  C:\Windows\System32\PasRkAF.exe
  2⤵
  PID:13308
- C:\Windows\System32\VlqyAjg.exe
  C:\Windows\System32\VlqyAjg.exe
  2⤵
  PID:12320
- C:\Windows\System32\glyXvlb.exe
  C:\Windows\System32\glyXvlb.exe
  2⤵
  PID:12476
- C:\Windows\System32\zRTILhd.exe
  C:\Windows\System32\zRTILhd.exe
  2⤵
  PID:12712
- C:\Windows\System32\MgRYsvh.exe
  C:\Windows\System32\MgRYsvh.exe
  2⤵
  PID:13156
- C:\Windows\System32\CAIHOhu.exe
  C:\Windows\System32\CAIHOhu.exe
  2⤵
  PID:1800
- C:\Windows\System32\LCcwBXG.exe
  C:\Windows\System32\LCcwBXG.exe
  2⤵
  PID:13248
- C:\Windows\System32\GgNeLqF.exe
  C:\Windows\System32\GgNeLqF.exe
  2⤵
  PID:12472
- C:\Windows\System32\bCtpnqF.exe
  C:\Windows\System32\bCtpnqF.exe
  2⤵
  PID:12708
- C:\Windows\System32\qtunzyC.exe
  C:\Windows\System32\qtunzyC.exe
  2⤵
  PID:12772
- C:\Windows\System32\NVeBLml.exe
  C:\Windows\System32\NVeBLml.exe
  2⤵
  PID:13184
- C:\Windows\System32\teogfcX.exe
  C:\Windows\System32\teogfcX.exe
  2⤵
  PID:12736
- C:\Windows\System32\BtTaFWx.exe
  C:\Windows\System32\BtTaFWx.exe
  2⤵
  PID:13168
- C:\Windows\System32\UQHnZaj.exe
  C:\Windows\System32\UQHnZaj.exe
  2⤵
  PID:13360
- C:\Windows\System32\qyzTTMm.exe
  C:\Windows\System32\qyzTTMm.exe
  2⤵
  PID:13392
- C:\Windows\System32\ZILInOU.exe
  C:\Windows\System32\ZILInOU.exe
  2⤵
  PID:13412
- C:\Windows\System32\ysUQttn.exe
  C:\Windows\System32\ysUQttn.exe
  2⤵
  PID:13440
- C:\Windows\System32\WGIfNmN.exe
  C:\Windows\System32\WGIfNmN.exe
  2⤵
  PID:13464
- C:\Windows\System32\PoaFmeM.exe
  C:\Windows\System32\PoaFmeM.exe
  2⤵
  PID:13496
- C:\Windows\System32\BUqdImB.exe
  C:\Windows\System32\BUqdImB.exe
  2⤵
  PID:13516
- C:\Windows\System32\ENhEhNF.exe
  C:\Windows\System32\ENhEhNF.exe
  2⤵
  PID:13540
- C:\Windows\System32\jVeCHky.exe
  C:\Windows\System32\jVeCHky.exe
  2⤵
  PID:13576
- C:\Windows\System32\eiGwkvD.exe
  C:\Windows\System32\eiGwkvD.exe
  2⤵
  PID:13592
- C:\Windows\System32\HwxWVis.exe
  C:\Windows\System32\HwxWVis.exe
  2⤵
  PID:13628
- C:\Windows\System32\EmfxeDf.exe
  C:\Windows\System32\EmfxeDf.exe
  2⤵
  PID:13648

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:14152
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:13664

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:220

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:13812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5796

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3960

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:8220

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5128

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5744

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5340

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7968

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:10200

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:14040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:9328

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:7232

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7484

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11132

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4576

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11916

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4968

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2112

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5216

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5240

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11880

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11436

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11584

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12176

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12656

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12804

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12928

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13348

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13500

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4448

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8544

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3124

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7280

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11180

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3276

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8224

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3600

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3404

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4468

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5632

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5140

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1596

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6124

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11724

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12632

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4424

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13048

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13568

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8276

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6052

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1196

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9556

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7860

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5324

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:396

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4ZLXTYAF\microsoft.windows[1].xml

Filesize
97B

MD5
561d428fca25aaeff220ca801100323c

SHA1
703808c3abb1172a6a05ea8a7bdc297eed3d01e6

SHA256
1fd2a6b24b2e481e24953b38587394eab230127867ca14b0f9ac3e365561a83c

SHA512
72f5711ee30b7d41a4bac8bb59ec4c9d488de5a138079ec897a407917b0c4199985077045cbf345654a06352310881c9baef5eaaeb75fb774faad5ee938e1d00

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133689331632279365.txt.~tmp

Filesize
75KB

MD5
8e6df03331eca98decdd50e0ae375a41

SHA1
303f20b51a15a606804189cd4b73d1d4e03cfb04

SHA256
fb438e4b6b01f2ce63873dffbbb90298356b9414099d7d2d4dbf00acf53ae62d

SHA512
08397f7435b5a4a7c21b21b6c54063d578d157fc504b31996f862b2dc6aa3e5f39f58fc475dd7c4804d2c3c8e4a5928a5b5311b43f97a1cd13c8930f6b4a1437

Download Submit
C:\Windows\System32\AOeZKBw.exe

Filesize
1.0MB

MD5
74ad8c8be8f9d8775555a9e2cb0a26a8

SHA1
8fda43877f20e43f165bb4c69ce4595dd8cd148c

SHA256
63f9a871946e9997ce272adb371f31319136426f093a65a7c9576f4ea929f076

SHA512
a96b2d21919f68a7f369dbcbcd0b10d1f8889adac73699282b3ba5a07a3c1194ca38ba88d34c37f0cfbb2983830a59d4ed323ce202e38ddda6df7711ce471b71

Download Submit
C:\Windows\System32\BOzHlmT.exe

Filesize
1.0MB

MD5
b6f3f5bea33a596e2e7306760d849d5c

SHA1
1efcedf84ddcfffd4aa0891e85a6787beb326aa5

SHA256
9ebd9bee3c01a05167f9b434d5467f5436226c5a6e07d984c7b82bdca93a1417

SHA512
0ac1879232a7cdbab3f0f45c203cc89f896c738f580fb47be44ad06808debb4f47d6feba8f41326baaffd428dc8d914ab6b860658a895b92877054e88250f42b

Download Submit
C:\Windows\System32\BbokqBK.exe

Filesize
1020KB

MD5
78c944154136afe976f4c1d4e979a369

SHA1
2ca33d69180f31c836bc7998f76310702e6fbb5d

SHA256
a0d32a5d00c0594a64bbf72eb04895a6d15b85d9f56faa56c5282a6958963c61

SHA512
ac03c18984048026a509c544af8ad710305daf92a22070090ca3f664172c5d10672d42d7c7e2e7062482ca21a84c60669829a042b63b0b6efa321d02cab923d0

Download Submit
C:\Windows\System32\DAhNLXr.exe

Filesize
1.0MB

MD5
07181a939aeb404728efc8563106a1aa

SHA1
d7f2f9b7d922026a3019d814b2d707e563e839fb

SHA256
7e1447879b75cfff4992aeddb3dd3aa8e28a12f70b45b4ec8956cb9e6f711135

SHA512
56591d0f4badd1fe313d22856d5142948a0e906fc267aaabe941175076c76cd1fd16586a544adaebb3b8d526c2f52c557813a676ae81b908fa32b980d9d580d5

Download Submit
C:\Windows\System32\IHwbrUt.exe

Filesize
1022KB

MD5
1a8990f42a4506bf59f2252d48b23615

SHA1
ad7df74be2fe45111ce9f1abd0e190c02f7e23d4

SHA256
27e7b0d2322c990dc1d2bdc67f41d574a9dba61e1d955d0e3fe139ce8cd31987

SHA512
17a3b9b16aac96e70fba9c51764a160b9e8115d2c0fa96951385cbb9ee53a655a447effe07f585b99f947d897d43e0c27c5ebe9ff2e68be47badb793fb13a844

Download Submit
C:\Windows\System32\OGiSxkQ.exe

Filesize
1023KB

MD5
b9df3d1538ef5e05b863e21fe68f957e

SHA1
efc6bedce5d8873d22384070aef321baeb84fcf4

SHA256
823fe66cb8b6def4efe53af482fe616a3a65f82f2f3f6bd0c2a0a36f0805547a

SHA512
8caa2e3842134f327a179fcd566908fa054249184358db87131f400139cd543d6bbe81b04f9dbd5eb3c90230a0bc26876318e09a618865e87e49bb6cd2a94a5c

Download Submit
C:\Windows\System32\RLzdUup.exe

Filesize
1022KB

MD5
28b8be80f94a2578af4db258d2daaf39

SHA1
4316ec3fa607feaf254e3da204cfcdc87cbfc560

SHA256
05e9556d14da1866614645968aa52fd0f7cda96bd527bef0355cfc42ba7e0e2d

SHA512
58d977df67af9df3e6866ba373003b1f8b38b3217fec32c2540a5ac833d23c63648f285eda335a51dfc222c4ee48ad71912db726e0e340d0816838f70a480f74

Download Submit
C:\Windows\System32\Scwwjrp.exe

Filesize
1020KB

MD5
d27c558d84cfbe1ea245523fdcb763d1

SHA1
c4b30a57dffe10ccd04a6ecff289b680b42e9ec9

SHA256
7ff9b30ec0b9788a41b27f7f3670c767a7ad2fc2ea4453840c5940dd2ffde422

SHA512
f362832c5739b08508f24be6ff0fca119b3fd0d70b2387add0b1539d659b8c625bb87f3883cd87c7c2d3f25fabf6a99459d5dd73b7589db7065ab8928bd46e0d

Download Submit
C:\Windows\System32\SexTbsN.exe

Filesize
1.0MB

MD5
2bc6e82e87890f8f61b307156536c7d4

SHA1
46e542f1cb9c3f3114c2add9593edcc5481fb8d2

SHA256
c995d3ec4fd605686d3f977a69298a544727b31bf7391893b221692dc71397fc

SHA512
d1d726500b97dac982d1cac2f6f56ef45afb2d6bc9c0a7eb104e2d15b85a2431ebbb9687a0058834cd2ad4d59bd1798d3d9b7b3496271000a7727e7401c6acec

Download Submit
C:\Windows\System32\TgOKaVQ.exe

Filesize
1.0MB

MD5
90d8b8274ac8c25f313aab5dab130cfc

SHA1
ed071e76cae0df0c2afb149f7382865f15d66a04

SHA256
acfd658eeebbb026288c2b6963cdaa32a689d890bde931b3ef109e2ac6120a31

SHA512
6fee1c22b90d7016dfef847c5a1a8487d3a0a66dc97959bbbdd617aaa673ea211a473d5442baa769e8171656d610e2e30af4c2dce856396bb078dbd174a5743a

Download Submit
C:\Windows\System32\TnnNJnw.exe

Filesize
1.0MB

MD5
fc2e8802f96546e170729f0aaf567aa4

SHA1
3716c77a09ead40b3cbe6f011caa9a27bfd84025

SHA256
a7078c27aa5d9c619634a058d1bb9b0bb0bb187c5dcff4a76e2403daf776762c

SHA512
7e7e81387dee7c0429c20e8ec62e6dea21b6ae549e08a4c6d46fc3e40027be96d246adf14b03947474b2ada7d2be39f4fb6cefd284955f00b79e720160f4f6cf

Download Submit
C:\Windows\System32\UCtOaUe.exe

Filesize
1023KB

MD5
4548973c080ef5d849327957ab40e6f8

SHA1
ccb5681abdd3ac78ce3d7d125951f84cff4a9b25

SHA256
1b7d1c61dc091375797207e13845be4fa528a0098389f17769886dc76162406b

SHA512
b2045ecac9ed843e504fd6978fa480b4d4af437e4bf60d7df1f1d2f6d02da187de3ada0e7d9d1fa08e5bcef177bb903495c9e47e46616995907f304318bddffe

Download Submit
C:\Windows\System32\UFDELvx.exe

Filesize
1.0MB

MD5
9894bd1529ce4c560f2c17fc0b7d75f9

SHA1
2969dc39d472505e5f7b0f267546594a88fdb718

SHA256
ac5256bb176c4f2dc172563f3ab3c7d90ae65145262fbe47dcb446b991ac509a

SHA512
bc0cf6cf247a8a98d12ac95620d1aedf02b25b00b747316f8265f25f0fdc014ac1e62b8eaf8965b6d01c289007c7372ddc2e5c374b4dbf657bd5cd893d677113

Download Submit
C:\Windows\System32\WgSFdgd.exe

Filesize
1.0MB

MD5
df05043f933e4052e558cc1328abdc4d

SHA1
054dec8db9c88b5d1839265d2cea39a7250cb290

SHA256
bcbc82da2ddb18601e1d3e1f662d7237a6828328fcd1fa7967606b374ba34a15

SHA512
d91da83ca167131af862996e29771d0b30733cff3f0107b963c39ef5c2374b747ed51253833b0e9d2e22bc039084f9bc67b9d8ea4ae07bd1840dbb74f9ff80af

Download Submit
C:\Windows\System32\XAwRpeY.exe

Filesize
1.0MB

MD5
4cbd9fc86b451655c8ad3f01b10c0cda

SHA1
269c782fc4a5bbddb643af8f8d2fddc38e14eb90

SHA256
f1fbe3938f695b241842e2742d928e5f4a0129eb52d259b9792124364894947d

SHA512
ed9329b8099df9b335ee3091d117dfb66351b91761407613d541f301d9ded137f2fad453db4e9b8a58a89eda716f8d4008582e67ee21feaad9baed231f2c83e5

Download Submit
C:\Windows\System32\XxgoNwc.exe

Filesize
1.0MB

MD5
c0c09acb6814ce701cc5595165de9d2d

SHA1
1903af1b815fe5180aa7587bc7772e260545aca6

SHA256
297415e79c7c9ba92403d7af4909116e73ce7a8481940d109d67a2a834841205

SHA512
d45f0713044b3ff6229a5a5040edeef11f051a341e5c5fd310f9c572acc613d5210bd8e347ce7b193239d01cfd25d15b83e5c878c4a33bdbd0626472b16a7c87

Download Submit
C:\Windows\System32\gWRZsvV.exe

Filesize
1.0MB

MD5
4e24bc5cdc599e7a7790c9c59beb2bd4

SHA1
0f36450fed402a7ab6e183fd31efc77881855c14

SHA256
f4409eae7b2b8533fc83a060a2d015d26c98bd48439e069947b3a754b9f9f84c

SHA512
e327da1731361a3a0ed0b73acdc7f9c8cb958b8ad85b106bf5a49835a18308b4797b77168ca441931aaf09c6e09d47a44d3f94f68984a0ce8a627297f9a80299

Download Submit
C:\Windows\System32\huVROqY.exe

Filesize
1022KB

MD5
208c050bfed628e0a6b31e9eb694d00e

SHA1
785130bdd611c3e5e160014365da12fe5c253c3d

SHA256
ebb74362c39bc80f941cac47d042bd6bfa23da7ab5e0b1eec7c1072be181b067

SHA512
2b18561145a786742033dce17edd5167aa9e9b7566dcf8dcaddd2e78409609f51b3d58ce9a4738775b54199677b1eeeede0b98d46dcae59be84d54ea76f51882

Download Submit
C:\Windows\System32\jmFihur.exe

Filesize
1020KB

MD5
6f3ae1b794fb9df06f6a8c536d7d2ead

SHA1
ad4bc1552ad03a6c99facfffda9aab0746d4cdd0

SHA256
a51d72eb7c9009fdbcc66eb1cdae1c9dd2d7a2139bf76bf6fe42e5d80df76704

SHA512
6b428b9a07ba2a33678e4a469d8f9af1217252a8460fcf455e1acee1b1270ecb8d7fe2c25d9a8a96da7f7e02d46a8908c17e4fd6b4ed0c93ec4ac499413e3e53

Download Submit
C:\Windows\System32\jpJfSJY.exe

Filesize
1.0MB

MD5
4e7eb9aac99321fb63a2a28939fdef6c

SHA1
e881db1cffb2cf7a750e2d18fac678207b8774d5

SHA256
7591eed2cdded98a175bb4eaadee738b874456671a56b8acdda6512e97a635d1

SHA512
25de16aa0fc399116b18d3c170ebbe958e0eeb51cc1e48c679d019632b9806b9397dd92c57f38b137c295ce6e7dedc18a5038da3fcd6a653570102cf42ac0acb

Download Submit
C:\Windows\System32\lolejzR.exe

Filesize
1023KB

MD5
900af9e14a96081f06bb82c8216d37b4

SHA1
a1370ecdd6da223d39b6b12fcead077f1421b63a

SHA256
600cad9e3b54f4e934f6e2eefd3188d51a4d3f16205cc62142c36943f47742ac

SHA512
f521c704b9af006722fe54d09dbd8c17c55ab04f396a1cda29fad96491cb4fd78595b7c31394f4ba11c84188c38fdb4d92d1786b1a4de95c81ef83f7419c3966

Download Submit
C:\Windows\System32\mrNpRFN.exe

Filesize
1.0MB

MD5
7bd88f930dd7ecefe5058ea4067b6097

SHA1
7fdbb11e568eab55da3be8fd9d9524a4f15a6117

SHA256
2ed449dd60200b7f5de090ff3df4dccb6ab9eec04c6fa534034012a83d124900

SHA512
b2064da53a1b0d33367da468980b884011facb4ee54561d1961ad38b725b118db44688882f3598df4ce56398f2c378a6468e7d67c5e8d38df8ca9e93543bb489

Download Submit
C:\Windows\System32\nZbyzzm.exe

Filesize
1022KB

MD5
8681eafe9c726157f400974b177a7715

SHA1
d2ead8dc021cc5e66f8c64d6e66b07e369976d76

SHA256
320ffe2ef4f172a9ede68bd3f18aa60f412699d15f25dfe3ec5154990ab3acd4

SHA512
d08590abb56e20d62693f6c67b66adedb3d6cd61177fc66e97f971bb8f97cfe07b9b2c5dd3135085ceea20230ab04973bac432d8a31cf0cba382c5a57f44f36c

Download Submit
C:\Windows\System32\pUXsFNW.exe

Filesize
1021KB

MD5
0709b82a99cd8907d2eb67942dbae5b5

SHA1
cf9def539b075d6b0ad98e91e17a34e35522888c

SHA256
93bb714bb30b6481fcff70a3315e742f590f92db6ba67fbe529af46873d72bf8

SHA512
a6b02ecedbe9be2648f5d7a2e3e8256d813ee1191e0a289fcb4fdc77a5c9ff17515a311d392bf1314706831f641e6b6dcc8f0a9d97277fe304d6e69891b58d1c

Download Submit
C:\Windows\System32\qhOinVo.exe

Filesize
1.0MB

MD5
e29e34140e749e7c36c83b496834ee60

SHA1
50132a59fed83eeb1122ef0c8e1d1f628e669840

SHA256
1a33c7177a8c50221467d4ffecacf02e1ad6aa7547c1044bcd051c0bca43c261

SHA512
326c3b117cbe483577827db58ecad208102710936d6d3ab94ce518fd65746e1f4ad542932859923126a5716abd8700619c34ac965d928975d47c609f49f08404

Download Submit
C:\Windows\System32\qmpiEYB.exe

Filesize
1021KB

MD5
4783fdd22c862391fb4e1640a84e039b

SHA1
166bbcad517bc5e16e9abc379fa7743a47ff7189

SHA256
a475fa70ee26eec1e02e257c99525d1d3da9bb3afaae86a125f7d2206dcd64b6

SHA512
0791253e9188a06a4c2693ed20e27046cd368e6feac0dd34f8dd39856f00246f5b8621f2c240c13a65e9395a45b8a3017bb70706110099699630e3d6109a1726

Download Submit
C:\Windows\System32\rrOmXwG.exe

Filesize
1023KB

MD5
0766fb1f3539c1bc5039bca463b668fb

SHA1
90882640122fb7ddf2d576836e2cf75831f87af8

SHA256
4d958d9dbc26bf4b07adccc195939e2da8d505069e564627dc6e6cca0d5f52bc

SHA512
8f3f52cf6c5a06ed1451e890c0b726cc5ecdeec726df8e739f0390335a3d4f4756afcdb8f9826c141004958dee585cf5147b1779d583d2203d8c211f931a9e02

Download Submit
C:\Windows\System32\sBUSarq.exe

Filesize
1.0MB

MD5
cc95991bd80d3626f19966fdf611bf4a

SHA1
ff716b5a1fa9f3c3108cffb9befe9ffa6ce73a7a

SHA256
ccd5a311192e2a423c275135581372abce9c5a8fd9e230b45a8ebc71f8718fb9

SHA512
3600410efb4ce564f53b431e3b0e729c7e225bf24406d29c59cf19956f89a3be9210893ebb08aec47ec14f741fea59f5d7d7d27e563e01878919be0891f3b9cf

Download Submit
C:\Windows\System32\sUAwNKO.exe

Filesize
1.0MB

MD5
8caab5982b6b04825de0c4df8c771d17

SHA1
673fbbd85eec114eda8bf285802a758e62ddc2fe

SHA256
527207b2dce2aa7659408eed91d40201cab0bfa748bcb79c9184ae7a42de7900

SHA512
7f3efeda8a7153e69289177f6ed9223c99005648238af64af4978009078c2e0babd40776d1cc9de5fcc1935705c674ad8ee93ac767ac8a96132d7e1e7bd8c3ae

Download Submit
C:\Windows\System32\vJOurzo.exe

Filesize
1.0MB

MD5
846d6396f670725fccfbc1989d2e807f

SHA1
50e4bfaecff4e7320d8a3272e9a11b476a084665

SHA256
c6ba8324d2e054a6943fe68ba5521dfe477ccb27387ffe9cf1845d5bde6108fb

SHA512
99d8e17930963e62798f0955b7d1f480ad935c84e8564a287b6d9d4ffc06fe34346135de3a55256410d26e529f08dc445b7858e9daac31cc61769dcccead3b36

Download Submit
C:\Windows\System32\vtKjYuw.exe

Filesize
1021KB

MD5
f1a703b1114dc573afc3b50ebe9a751f

SHA1
4d47707541cfb4b74b57542c09d32b49f8e636ee

SHA256
aa092d79364f11e1689eb11168f52a02a950f0488658df88ddbbb46c812f4fa0

SHA512
bca77582531f23da7af7e9f587e4ad0c04b9b7621a36dabd5164d5f00c66816e33334189655da3d65bf788ee0cef5358a5763a6a90de222a33cacec58fc75ac8

Download Submit
C:\Windows\System32\wGZCKAE.exe

Filesize
1021KB

MD5
00bdbcce5a48ade2b127aa6549a4ec78

SHA1
e2005d0624f7d22330381f8d0d29387ebe7ccbf8

SHA256
d605dc7e8413dda1603476d2cd5b5fcddcc39d5c2fae9a8a47ffa5fa0f75938b

SHA512
f808a39e42693095e5603a948447df4bf3a5ef75e5064ab0825ef34f1b86df9c6789ab119418b31e34cfafa1045f3214160f22e28ad18b8001d309e804bf97b9

Download Submit
C:\Windows\System32\woVYRGG.exe

Filesize
1020KB

MD5
0e6f356235d7d32b5409d55b1db5a866

SHA1
b3bac29e9ca15d4a1a16ebb74215c3d473de47a3

SHA256
2752cc4709e514ac92fe4a6887de7418add159f4054a5d530d33d0cac71d7a3f

SHA512
abd1eda967893c49e0ddc6f6887695c46092e4fe5da59a6657bdb07e1906101e3873c98bdfec4a58be42db980c3dec7ec6923f09118393b97e9d46f73c4b0776

Download Submit
memory/660-420-0x00007FF7DD6A0000-0x00007FF7DDA91000-memory.dmp

Filesize
3.9MB

Download
memory/660-2157-0x00007FF7DD6A0000-0x00007FF7DDA91000-memory.dmp

Filesize
3.9MB

Download
memory/752-399-0x00007FF688D00000-0x00007FF6890F1000-memory.dmp

Filesize
3.9MB

Download
memory/752-2199-0x00007FF688D00000-0x00007FF6890F1000-memory.dmp

Filesize
3.9MB

Download
memory/756-412-0x00007FF6DCEF0000-0x00007FF6DD2E1000-memory.dmp

Filesize
3.9MB

Download
memory/756-2131-0x00007FF6DCEF0000-0x00007FF6DD2E1000-memory.dmp

Filesize
3.9MB

Download
memory/1520-343-0x00007FF6DCFB0000-0x00007FF6DD3A1000-memory.dmp

Filesize
3.9MB

Download
memory/1588-421-0x00007FF7ABC30000-0x00007FF7AC021000-memory.dmp

Filesize
3.9MB

Download
memory/1588-2145-0x00007FF7ABC30000-0x00007FF7AC021000-memory.dmp

Filesize
3.9MB

Download
memory/1624-2137-0x00007FF739400000-0x00007FF7397F1000-memory.dmp

Filesize
3.9MB

Download
memory/1624-347-0x00007FF739400000-0x00007FF7397F1000-memory.dmp

Filesize
3.9MB

Download
memory/1648-365-0x00007FF7BB7C0000-0x00007FF7BBBB1000-memory.dmp

Filesize
3.9MB

Download
memory/1648-2189-0x00007FF7BB7C0000-0x00007FF7BBBB1000-memory.dmp

Filesize
3.9MB

Download
memory/1692-2159-0x00007FF7AC4A0000-0x00007FF7AC891000-memory.dmp

Filesize
3.9MB

Download
memory/1692-355-0x00007FF7AC4A0000-0x00007FF7AC891000-memory.dmp

Filesize
3.9MB

Download
memory/2044-2167-0x00007FF6FC3A0000-0x00007FF6FC791000-memory.dmp

Filesize
3.9MB

Download
memory/2044-349-0x00007FF6FC3A0000-0x00007FF6FC791000-memory.dmp

Filesize
3.9MB

Download
memory/2264-390-0x00007FF6F1E50000-0x00007FF6F2241000-memory.dmp

Filesize
3.9MB

Download
memory/2264-2193-0x00007FF6F1E50000-0x00007FF6F2241000-memory.dmp

Filesize
3.9MB

Download
memory/2272-2127-0x00007FF799DF0000-0x00007FF79A1E1000-memory.dmp

Filesize
3.9MB

Download
memory/2272-407-0x00007FF799DF0000-0x00007FF79A1E1000-memory.dmp

Filesize
3.9MB

Download
memory/2332-2129-0x00007FF675C80000-0x00007FF676071000-memory.dmp

Filesize
3.9MB

Download
memory/2332-1382-0x00007FF675C80000-0x00007FF676071000-memory.dmp

Filesize
3.9MB

Download
memory/2332-26-0x00007FF675C80000-0x00007FF676071000-memory.dmp

Filesize
3.9MB

Download
memory/2892-2142-0x00007FF791840000-0x00007FF791C31000-memory.dmp

Filesize
3.9MB

Download
memory/2892-344-0x00007FF791840000-0x00007FF791C31000-memory.dmp

Filesize
3.9MB

Download
memory/3228-379-0x00007FF73E760000-0x00007FF73EB51000-memory.dmp

Filesize
3.9MB

Download
memory/3228-2166-0x00007FF73E760000-0x00007FF73EB51000-memory.dmp

Filesize
3.9MB

Download
memory/3416-17-0x00007FF7536E0000-0x00007FF753AD1000-memory.dmp

Filesize
3.9MB

Download
memory/3416-1377-0x00007FF7536E0000-0x00007FF753AD1000-memory.dmp

Filesize
3.9MB

Download
memory/3416-2123-0x00007FF7536E0000-0x00007FF753AD1000-memory.dmp

Filesize
3.9MB

Download
memory/3728-418-0x00007FF70F300000-0x00007FF70F6F1000-memory.dmp

Filesize
3.9MB

Download
memory/3728-2135-0x00007FF70F300000-0x00007FF70F6F1000-memory.dmp

Filesize
3.9MB

Download
memory/3968-363-0x00007FF62FEF0000-0x00007FF6302E1000-memory.dmp

Filesize
3.9MB

Download
memory/3968-2160-0x00007FF62FEF0000-0x00007FF6302E1000-memory.dmp

Filesize
3.9MB

Download
memory/3972-422-0x00007FF759F70000-0x00007FF75A361000-memory.dmp

Filesize
3.9MB

Download
memory/3972-2161-0x00007FF759F70000-0x00007FF75A361000-memory.dmp

Filesize
3.9MB

Download
memory/4320-2134-0x00007FF734880000-0x00007FF734C71000-memory.dmp

Filesize
3.9MB

Download
memory/4320-64-0x00007FF734880000-0x00007FF734C71000-memory.dmp

Filesize
3.9MB

Download
memory/4320-1395-0x00007FF734880000-0x00007FF734C71000-memory.dmp

Filesize
3.9MB

Download
memory/4584-0-0x00007FF662BD0000-0x00007FF662FC1000-memory.dmp

Filesize
3.9MB

Download
memory/4584-1-0x000001FD4FFC0000-0x000001FD4FFD0000-memory.dmp

Filesize
64KB

Download
memory/4584-2097-0x00007FF662BD0000-0x00007FF662FC1000-memory.dmp

Filesize
3.9MB

Download
memory/4584-1373-0x00007FF662BD0000-0x00007FF662FC1000-memory.dmp

Filesize
3.9MB

Download
memory/4768-2139-0x00007FF7AD7D0000-0x00007FF7ADBC1000-memory.dmp

Filesize
3.9MB

Download
memory/4768-69-0x00007FF7AD7D0000-0x00007FF7ADBC1000-memory.dmp

Filesize
3.9MB

Download
memory/4788-2191-0x00007FF7F60E0000-0x00007FF7F64D1000-memory.dmp

Filesize
3.9MB

Download
memory/4788-393-0x00007FF7F60E0000-0x00007FF7F64D1000-memory.dmp

Filesize
3.9MB

Download
memory/4820-39-0x00007FF793250000-0x00007FF793641000-memory.dmp

Filesize
3.9MB

Download
memory/4820-2125-0x00007FF793250000-0x00007FF793641000-memory.dmp

Filesize
3.9MB

Download
memory/4888-2195-0x00007FF763DE0000-0x00007FF7641D1000-memory.dmp

Filesize
3.9MB

Download
memory/4888-385-0x00007FF763DE0000-0x00007FF7641D1000-memory.dmp

Filesize
3.9MB

Download
memory/4952-2164-0x00007FF7587C0000-0x00007FF758BB1000-memory.dmp

Filesize
3.9MB

Download
memory/4952-374-0x00007FF7587C0000-0x00007FF758BB1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads