xmrig | 166e84347f48390ba7e6d0eb526967b1d9e846688524af14594faf7386fd1cbe

Analysis

max time kernel
84s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29954f0f5eeb6745a7b808ca98480bd0N.exe
Size

1.4MB
MD5

29954f0f5eeb6745a7b808ca98480bd0
SHA1

eea3428ee6d3a412f3bac3605828f7e66a29ed31
SHA256

166e84347f48390ba7e6d0eb526967b1d9e846688524af14594faf7386fd1cbe
SHA512

fc6275ed316ceeb82c33b2b0c2e3e9e1a5fdc009151be7236dac66ad983c56c6b997bf0ac7801a35a369d567c7a6552001e479f887c0dd4fa29b906ed0ce2897
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zjP+sjI1vse+YSRHP:knw9oUUEEDl37jcq4nPgse4v

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 51 IoCs

miner

resource	yara_rule
behavioral2/memory/3500-60-0x00007FF7C5D30000-0x00007FF7C6121000-memory.dmp	xmrig
behavioral2/memory/1560-102-0x00007FF65CD80000-0x00007FF65D171000-memory.dmp	xmrig
behavioral2/memory/4548-112-0x00007FF676750000-0x00007FF676B41000-memory.dmp	xmrig
behavioral2/memory/5096-127-0x00007FF6DDAA0000-0x00007FF6DDE91000-memory.dmp	xmrig
behavioral2/memory/1876-139-0x00007FF6E3B80000-0x00007FF6E3F71000-memory.dmp	xmrig
behavioral2/memory/4772-683-0x00007FF77A710000-0x00007FF77AB01000-memory.dmp	xmrig
behavioral2/memory/4840-153-0x00007FF754720000-0x00007FF754B11000-memory.dmp	xmrig
behavioral2/memory/3812-146-0x00007FF7B58B0000-0x00007FF7B5CA1000-memory.dmp	xmrig
behavioral2/memory/4280-134-0x00007FF695D60000-0x00007FF696151000-memory.dmp	xmrig
behavioral2/memory/2896-118-0x00007FF7B6690000-0x00007FF7B6A81000-memory.dmp	xmrig
behavioral2/memory/4896-117-0x00007FF77B8A0000-0x00007FF77BC91000-memory.dmp	xmrig
behavioral2/memory/2260-105-0x00007FF6A0B70000-0x00007FF6A0F61000-memory.dmp	xmrig
behavioral2/memory/3552-101-0x00007FF752FD0000-0x00007FF7533C1000-memory.dmp	xmrig
behavioral2/memory/2340-94-0x00007FF71DEC0000-0x00007FF71E2B1000-memory.dmp	xmrig
behavioral2/memory/3156-58-0x00007FF638910000-0x00007FF638D01000-memory.dmp	xmrig
behavioral2/memory/5100-55-0x00007FF6206F0000-0x00007FF620AE1000-memory.dmp	xmrig
behavioral2/memory/4896-47-0x00007FF77B8A0000-0x00007FF77BC91000-memory.dmp	xmrig
behavioral2/memory/2172-802-0x00007FF7046A0000-0x00007FF704A91000-memory.dmp	xmrig
behavioral2/memory/244-950-0x00007FF7AF140000-0x00007FF7AF531000-memory.dmp	xmrig
behavioral2/memory/3832-1131-0x00007FF7797F0000-0x00007FF779BE1000-memory.dmp	xmrig
behavioral2/memory/3372-1263-0x00007FF632010000-0x00007FF632401000-memory.dmp	xmrig
behavioral2/memory/1892-1394-0x00007FF6E51C0000-0x00007FF6E55B1000-memory.dmp	xmrig
behavioral2/memory/4744-1522-0x00007FF7A6F10000-0x00007FF7A7301000-memory.dmp	xmrig
behavioral2/memory/4176-1645-0x00007FF7A05C0000-0x00007FF7A09B1000-memory.dmp	xmrig
behavioral2/memory/1728-1777-0x00007FF7CCE80000-0x00007FF7CD271000-memory.dmp	xmrig
behavioral2/memory/2908-1906-0x00007FF63A340000-0x00007FF63A731000-memory.dmp	xmrig
behavioral2/memory/2340-2116-0x00007FF71DEC0000-0x00007FF71E2B1000-memory.dmp	xmrig
behavioral2/memory/1560-2138-0x00007FF65CD80000-0x00007FF65D171000-memory.dmp	xmrig
behavioral2/memory/3552-2140-0x00007FF752FD0000-0x00007FF7533C1000-memory.dmp	xmrig
behavioral2/memory/4548-2144-0x00007FF676750000-0x00007FF676B41000-memory.dmp	xmrig
behavioral2/memory/3156-2143-0x00007FF638910000-0x00007FF638D01000-memory.dmp	xmrig
behavioral2/memory/2260-2147-0x00007FF6A0B70000-0x00007FF6A0F61000-memory.dmp	xmrig
behavioral2/memory/4896-2151-0x00007FF77B8A0000-0x00007FF77BC91000-memory.dmp	xmrig
behavioral2/memory/3500-2149-0x00007FF7C5D30000-0x00007FF7C6121000-memory.dmp	xmrig
behavioral2/memory/5100-2152-0x00007FF6206F0000-0x00007FF620AE1000-memory.dmp	xmrig
behavioral2/memory/5096-2154-0x00007FF6DDAA0000-0x00007FF6DDE91000-memory.dmp	xmrig
behavioral2/memory/4280-2156-0x00007FF695D60000-0x00007FF696151000-memory.dmp	xmrig
behavioral2/memory/1876-2180-0x00007FF6E3B80000-0x00007FF6E3F71000-memory.dmp	xmrig
behavioral2/memory/3812-2185-0x00007FF7B58B0000-0x00007FF7B5CA1000-memory.dmp	xmrig
behavioral2/memory/4840-2183-0x00007FF754720000-0x00007FF754B11000-memory.dmp	xmrig
behavioral2/memory/4772-2187-0x00007FF77A710000-0x00007FF77AB01000-memory.dmp	xmrig
behavioral2/memory/2172-2193-0x00007FF7046A0000-0x00007FF704A91000-memory.dmp	xmrig
behavioral2/memory/244-2192-0x00007FF7AF140000-0x00007FF7AF531000-memory.dmp	xmrig
behavioral2/memory/3832-2190-0x00007FF7797F0000-0x00007FF779BE1000-memory.dmp	xmrig
behavioral2/memory/1892-2212-0x00007FF6E51C0000-0x00007FF6E55B1000-memory.dmp	xmrig
behavioral2/memory/3372-2235-0x00007FF632010000-0x00007FF632401000-memory.dmp	xmrig
behavioral2/memory/1728-2229-0x00007FF7CCE80000-0x00007FF7CD271000-memory.dmp	xmrig
behavioral2/memory/4176-2222-0x00007FF7A05C0000-0x00007FF7A09B1000-memory.dmp	xmrig
behavioral2/memory/4744-2231-0x00007FF7A6F10000-0x00007FF7A7301000-memory.dmp	xmrig
behavioral2/memory/2908-2227-0x00007FF63A340000-0x00007FF63A731000-memory.dmp	xmrig
behavioral2/memory/2896-2670-0x00007FF7B6690000-0x00007FF7B6A81000-memory.dmp	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
3552	plAhNXi.exe
1560	IYOcfpT.exe
4548	qeMlAqN.exe
3156	RFunCGt.exe
2260	ESKTFML.exe
3500	kCCjGfj.exe
4896	sGaSkcN.exe
2896	tMAOTsm.exe
5100	MMJbRwO.exe
5096	ZpvVfbF.exe
4280	nFDGULl.exe
1876	gBDYela.exe
3812	zmgzTxI.exe
4840	ygSLsDB.exe
4772	wNrNncN.exe
2172	cKffiCm.exe
244	ZvfhBQm.exe
3832	bpmqxHg.exe
3372	MhOoHZl.exe
1892	aRKYoBr.exe
4744	BhZrwHw.exe
4176	eIeMSTQ.exe
1728	xfEibKu.exe
2908	sYKGLXF.exe
1572	yxDknSy.exe
384	TbAZWqd.exe
4852	xjlPYeg.exe
2284	ImYzPWg.exe
3160	nNJhgdX.exe
856	doPWXXR.exe
4672	MDEADCv.exe
3984	jMxpPxd.exe
3244	NumoYYX.exe
4632	GNvWIcQ.exe
624	bxgpuDC.exe
4144	jHRzzxB.exe
4804	kuzSVwr.exe
3688	ShaGQIo.exe
3592	OqWFSZT.exe
2692	lrgLXbi.exe
2788	SAqcjpD.exe
5068	GqlzHIk.exe
3692	RrzPqpO.exe
4400	KotMXyv.exe
632	YTCiPtd.exe
748	WVmEirh.exe
1388	pJUgviS.exe
1028	usFqYft.exe
5064	IFIqYTC.exe
3952	TYDxScB.exe
4608	bXCSaWO.exe
208	lngTmTr.exe
2632	MKCrkat.exe
4684	CjtNFax.exe
1464	zDKnxti.exe
4268	tcdZfVF.exe
4028	zEszGjk.exe
4308	BgSERQA.exe
3520	AVxglaV.exe
1180	BIdUOgB.exe
776	STmtvsU.exe
412	LaNLMKe.exe
2256	gMAVjiq.exe
4656	zPTtphV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2340-0-0x00007FF71DEC0000-0x00007FF71E2B1000-memory.dmp	upx
behavioral2/files/0x0008000000023498-4.dat	upx
behavioral2/files/0x000700000002349d-8.dat	upx
behavioral2/memory/1560-17-0x00007FF65CD80000-0x00007FF65D171000-memory.dmp	upx
behavioral2/files/0x00070000000234a0-36.dat	upx
behavioral2/files/0x00070000000234a2-39.dat	upx
behavioral2/files/0x00070000000234a1-43.dat	upx
behavioral2/files/0x00070000000234a3-50.dat	upx
behavioral2/files/0x00070000000234a4-56.dat	upx
behavioral2/memory/3500-60-0x00007FF7C5D30000-0x00007FF7C6121000-memory.dmp	upx
behavioral2/memory/5096-63-0x00007FF6DDAA0000-0x00007FF6DDE91000-memory.dmp	upx
behavioral2/files/0x00070000000234a5-66.dat	upx
behavioral2/memory/4840-82-0x00007FF754720000-0x00007FF754B11000-memory.dmp	upx
behavioral2/memory/4772-88-0x00007FF77A710000-0x00007FF77AB01000-memory.dmp	upx
behavioral2/memory/1560-102-0x00007FF65CD80000-0x00007FF65D171000-memory.dmp	upx
behavioral2/memory/4548-112-0x00007FF676750000-0x00007FF676B41000-memory.dmp	upx
behavioral2/memory/5096-127-0x00007FF6DDAA0000-0x00007FF6DDE91000-memory.dmp	upx
behavioral2/memory/1876-139-0x00007FF6E3B80000-0x00007FF6E3F71000-memory.dmp	upx
behavioral2/files/0x000600000001db34-152.dat	upx
behavioral2/files/0x000200000001e69c-164.dat	upx
behavioral2/files/0x00070000000234b1-184.dat	upx
behavioral2/memory/4772-683-0x00007FF77A710000-0x00007FF77AB01000-memory.dmp	upx
behavioral2/files/0x00070000000234b5-197.dat	upx
behavioral2/files/0x00070000000234b3-194.dat	upx
behavioral2/files/0x00070000000234b4-192.dat	upx
behavioral2/files/0x00070000000234b2-189.dat	upx
behavioral2/files/0x00070000000234b0-179.dat	upx
behavioral2/files/0x00070000000234af-174.dat	upx
behavioral2/files/0x00070000000234ae-168.dat	upx
behavioral2/files/0x000200000001e69a-159.dat	upx
behavioral2/memory/2908-156-0x00007FF63A340000-0x00007FF63A731000-memory.dmp	upx
behavioral2/memory/4840-153-0x00007FF754720000-0x00007FF754B11000-memory.dmp	upx
behavioral2/memory/1728-149-0x00007FF7CCE80000-0x00007FF7CD271000-memory.dmp	upx
behavioral2/memory/3812-146-0x00007FF7B58B0000-0x00007FF7B5CA1000-memory.dmp	upx
behavioral2/files/0x000400000001db32-145.dat	upx
behavioral2/memory/4176-142-0x00007FF7A05C0000-0x00007FF7A09B1000-memory.dmp	upx
behavioral2/files/0x000500000001db2f-138.dat	upx
behavioral2/memory/4744-135-0x00007FF7A6F10000-0x00007FF7A7301000-memory.dmp	upx
behavioral2/memory/4280-134-0x00007FF695D60000-0x00007FF696151000-memory.dmp	upx
behavioral2/files/0x000500000001db2b-131.dat	upx
behavioral2/memory/1892-128-0x00007FF6E51C0000-0x00007FF6E55B1000-memory.dmp	upx
behavioral2/files/0x00070000000234ad-124.dat	upx
behavioral2/memory/3372-121-0x00007FF632010000-0x00007FF632401000-memory.dmp	upx
behavioral2/memory/2896-118-0x00007FF7B6690000-0x00007FF7B6A81000-memory.dmp	upx
behavioral2/memory/4896-117-0x00007FF77B8A0000-0x00007FF77BC91000-memory.dmp	upx
behavioral2/files/0x00070000000234ac-116.dat	upx
behavioral2/memory/3832-113-0x00007FF7797F0000-0x00007FF779BE1000-memory.dmp	upx
behavioral2/files/0x00070000000234ab-109.dat	upx
behavioral2/memory/244-106-0x00007FF7AF140000-0x00007FF7AF531000-memory.dmp	upx
behavioral2/memory/2260-105-0x00007FF6A0B70000-0x00007FF6A0F61000-memory.dmp	upx
behavioral2/memory/3552-101-0x00007FF752FD0000-0x00007FF7533C1000-memory.dmp	upx
behavioral2/files/0x00070000000234aa-100.dat	upx
behavioral2/memory/2172-97-0x00007FF7046A0000-0x00007FF704A91000-memory.dmp	upx
behavioral2/memory/2340-94-0x00007FF71DEC0000-0x00007FF71E2B1000-memory.dmp	upx
behavioral2/files/0x00070000000234a9-91.dat	upx
behavioral2/files/0x00070000000234a8-87.dat	upx
behavioral2/files/0x00070000000234a7-81.dat	upx
behavioral2/memory/3812-78-0x00007FF7B58B0000-0x00007FF7B5CA1000-memory.dmp	upx
behavioral2/files/0x00070000000234a6-72.dat	upx
behavioral2/memory/1876-70-0x00007FF6E3B80000-0x00007FF6E3F71000-memory.dmp	upx
behavioral2/memory/4280-64-0x00007FF695D60000-0x00007FF696151000-memory.dmp	upx
behavioral2/memory/3156-58-0x00007FF638910000-0x00007FF638D01000-memory.dmp	upx
behavioral2/memory/5100-55-0x00007FF6206F0000-0x00007FF620AE1000-memory.dmp	upx
behavioral2/memory/2896-54-0x00007FF7B6690000-0x00007FF7B6A81000-memory.dmp	upx

Enumerates connected drives 3 TTPs 16 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\NwoFsak.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\HMocnur.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\sEJnWtX.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\UkWqRwu.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\FscYtPX.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\RWiubII.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\TzrlDzH.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\RJSwQfj.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\cVSiYbo.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\FmQkyCH.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\wutPYvt.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\TqiRLqa.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\HvxdnPs.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\MtDKxSC.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\bxgpuDC.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\WZfqoxN.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\CHxPNJU.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\BXrKEpZ.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\tvkazqp.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\RFunCGt.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\fScJRzr.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\znUMWaG.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\gPUppwO.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\BDsykKu.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\YTCiPtd.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\uegsuur.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\fyWzmXq.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\AgkTURM.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\eUESisM.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\qeMlAqN.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\bLrPeWr.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\oMVlhVj.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\qAsYglT.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\ueCnUAw.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\vZMBkcF.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\SYofXEy.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\SybtICQ.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\BTeSweZ.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\GiHMJCJ.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\doPWXXR.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\BppksKC.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\CfwKuAX.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\XDeEXjw.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\MhOoHZl.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\itKUJNd.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\KphjlVa.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\BETSbjF.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\CIoSGGO.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\kHYlIzl.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\cKffiCm.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\XDNxWGh.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\TLHJArJ.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\cfLWVZb.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\HqcHvML.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\ajujJeC.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\YlAOoSY.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\cLPEMZC.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\pJWZdhA.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\szhJFhS.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\wbbbhLe.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\XzArqYj.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\bSFLgOS.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\GoYGxfs.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe
File created	C:\Windows\System32\GNvWIcQ.exe	29954f0f5eeb6745a7b808ca98480bd0N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{31570291-2D03-46BE-9F2D-00C7913545DE}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{4517B3D0-640D-4891-8CC9-3FACE4F56BF5}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{99AB7035-07D0-464D-AE6F-4FCF165D0D1C}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{30A7F4CC-C551-4440-BAFC-6A1FE87AE50E}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{99A0E659-17F7-42EC-89F1-EA6A1C56F7DE}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	13464	explorer.exe
Token: SeCreatePagefilePrivilege	13464	explorer.exe
Token: SeShutdownPrivilege	13464	explorer.exe
Token: SeCreatePagefilePrivilege	13464	explorer.exe
Token: SeShutdownPrivilege	13464	explorer.exe
Token: SeCreatePagefilePrivilege	13464	explorer.exe
Token: SeShutdownPrivilege	13464	explorer.exe
Token: SeCreatePagefilePrivilege	13464	explorer.exe
Token: SeShutdownPrivilege	13464	explorer.exe
Token: SeCreatePagefilePrivilege	13464	explorer.exe
Token: SeShutdownPrivilege	13464	explorer.exe
Token: SeCreatePagefilePrivilege	13464	explorer.exe
Token: SeShutdownPrivilege	13464	explorer.exe
Token: SeCreatePagefilePrivilege	13464	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	5796	explorer.exe
Token: SeCreatePagefilePrivilege	5796	explorer.exe
Token: SeShutdownPrivilege	7496	explorer.exe
Token: SeCreatePagefilePrivilege	7496	explorer.exe
Token: SeShutdownPrivilege	7496	explorer.exe
Token: SeCreatePagefilePrivilege	7496	explorer.exe
Token: SeShutdownPrivilege	7496	explorer.exe
Token: SeCreatePagefilePrivilege	7496	explorer.exe
Token: SeShutdownPrivilege	7496	explorer.exe
Token: SeCreatePagefilePrivilege	7496	explorer.exe
Token: SeShutdownPrivilege	7496	explorer.exe
Token: SeCreatePagefilePrivilege	7496	explorer.exe
Token: SeShutdownPrivilege	7496	explorer.exe
Token: SeCreatePagefilePrivilege	7496	explorer.exe
Token: SeShutdownPrivilege	7496	explorer.exe
Token: SeCreatePagefilePrivilege	7496	explorer.exe
Token: SeShutdownPrivilege	7496	explorer.exe
Token: SeCreatePagefilePrivilege	7496	explorer.exe
Token: SeShutdownPrivilege	7496	explorer.exe
Token: SeCreatePagefilePrivilege	7496	explorer.exe
Token: SeShutdownPrivilege	7496	explorer.exe
Token: SeCreatePagefilePrivilege	7496	explorer.exe
Token: SeShutdownPrivilege	7496	explorer.exe
Token: SeCreatePagefilePrivilege	7496	explorer.exe
Token: SeShutdownPrivilege	7496	explorer.exe
Token: SeCreatePagefilePrivilege	7496	explorer.exe
Token: SeShutdownPrivilege	7496	explorer.exe
Token: SeCreatePagefilePrivilege	7496	explorer.exe
Token: SeShutdownPrivilege	7496	explorer.exe
Token: SeCreatePagefilePrivilege	7496	explorer.exe
Token: SeShutdownPrivilege	7496	explorer.exe
Token: SeCreatePagefilePrivilege	7496	explorer.exe
Token: SeShutdownPrivilege	5164	explorer.exe
Token: SeCreatePagefilePrivilege	5164	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
14156	sihost.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
13464	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
5796	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
7496	explorer.exe
5164	explorer.exe
5164	explorer.exe
5164	explorer.exe
5164	explorer.exe
5164	explorer.exe
5164	explorer.exe
5164	explorer.exe
5164	explorer.exe
5164	explorer.exe
5164	explorer.exe
5164	explorer.exe
5164	explorer.exe
5164	explorer.exe
5164	explorer.exe
5164	explorer.exe
5164	explorer.exe
5164	explorer.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
5032	StartMenuExperienceHost.exe
14104	StartMenuExperienceHost.exe
8920	StartMenuExperienceHost.exe
9756	SearchApp.exe
3716	StartMenuExperienceHost.exe
3800	SearchApp.exe
6768	StartMenuExperienceHost.exe
3428	StartMenuExperienceHost.exe
7020	SearchApp.exe
5620	StartMenuExperienceHost.exe
11164	SearchApp.exe
4284	StartMenuExperienceHost.exe
11388	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3552	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	87
PID 2340 wrote to memory of 3552	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	87
PID 2340 wrote to memory of 1560	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	88
PID 2340 wrote to memory of 1560	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	88
PID 2340 wrote to memory of 4548	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	89
PID 2340 wrote to memory of 4548	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	89
PID 2340 wrote to memory of 3156	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	90
PID 2340 wrote to memory of 3156	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	90
PID 2340 wrote to memory of 2260	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	91
PID 2340 wrote to memory of 2260	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	91
PID 2340 wrote to memory of 3500	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	92
PID 2340 wrote to memory of 3500	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	92
PID 2340 wrote to memory of 4896	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	93
PID 2340 wrote to memory of 4896	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	93
PID 2340 wrote to memory of 2896	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	94
PID 2340 wrote to memory of 2896	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	94
PID 2340 wrote to memory of 5100	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	95
PID 2340 wrote to memory of 5100	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	95
PID 2340 wrote to memory of 5096	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	96
PID 2340 wrote to memory of 5096	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	96
PID 2340 wrote to memory of 4280	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	97
PID 2340 wrote to memory of 4280	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	97
PID 2340 wrote to memory of 1876	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	98
PID 2340 wrote to memory of 1876	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	98
PID 2340 wrote to memory of 3812	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	99
PID 2340 wrote to memory of 3812	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	99
PID 2340 wrote to memory of 4840	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	100
PID 2340 wrote to memory of 4840	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	100
PID 2340 wrote to memory of 4772	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	101
PID 2340 wrote to memory of 4772	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	101
PID 2340 wrote to memory of 2172	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	102
PID 2340 wrote to memory of 2172	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	102
PID 2340 wrote to memory of 244	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	103
PID 2340 wrote to memory of 244	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	103
PID 2340 wrote to memory of 3832	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	104
PID 2340 wrote to memory of 3832	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	104
PID 2340 wrote to memory of 3372	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	105
PID 2340 wrote to memory of 3372	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	105
PID 2340 wrote to memory of 1892	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	106
PID 2340 wrote to memory of 1892	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	106
PID 2340 wrote to memory of 4744	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	107
PID 2340 wrote to memory of 4744	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	107
PID 2340 wrote to memory of 4176	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	108
PID 2340 wrote to memory of 4176	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	108
PID 2340 wrote to memory of 1728	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	109
PID 2340 wrote to memory of 1728	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	109
PID 2340 wrote to memory of 2908	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	110
PID 2340 wrote to memory of 2908	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	110
PID 2340 wrote to memory of 1572	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	111
PID 2340 wrote to memory of 1572	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	111
PID 2340 wrote to memory of 384	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	112
PID 2340 wrote to memory of 384	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	112
PID 2340 wrote to memory of 4852	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	113
PID 2340 wrote to memory of 4852	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	113
PID 2340 wrote to memory of 2284	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	114
PID 2340 wrote to memory of 2284	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	114
PID 2340 wrote to memory of 3160	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	115
PID 2340 wrote to memory of 3160	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	115
PID 2340 wrote to memory of 856	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	116
PID 2340 wrote to memory of 856	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	116
PID 2340 wrote to memory of 4672	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	117
PID 2340 wrote to memory of 4672	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	117
PID 2340 wrote to memory of 3984	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	118
PID 2340 wrote to memory of 3984	2340	29954f0f5eeb6745a7b808ca98480bd0N.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\29954f0f5eeb6745a7b808ca98480bd0N.exe
"C:\Users\Admin\AppData\Local\Temp\29954f0f5eeb6745a7b808ca98480bd0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\System32\plAhNXi.exe
  C:\Windows\System32\plAhNXi.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System32\IYOcfpT.exe
  C:\Windows\System32\IYOcfpT.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System32\qeMlAqN.exe
  C:\Windows\System32\qeMlAqN.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System32\RFunCGt.exe
  C:\Windows\System32\RFunCGt.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System32\ESKTFML.exe
  C:\Windows\System32\ESKTFML.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System32\kCCjGfj.exe
  C:\Windows\System32\kCCjGfj.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System32\sGaSkcN.exe
  C:\Windows\System32\sGaSkcN.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System32\tMAOTsm.exe
  C:\Windows\System32\tMAOTsm.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System32\MMJbRwO.exe
  C:\Windows\System32\MMJbRwO.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System32\ZpvVfbF.exe
  C:\Windows\System32\ZpvVfbF.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System32\nFDGULl.exe
  C:\Windows\System32\nFDGULl.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System32\gBDYela.exe
  C:\Windows\System32\gBDYela.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System32\zmgzTxI.exe
  C:\Windows\System32\zmgzTxI.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System32\ygSLsDB.exe
  C:\Windows\System32\ygSLsDB.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System32\wNrNncN.exe
  C:\Windows\System32\wNrNncN.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System32\cKffiCm.exe
  C:\Windows\System32\cKffiCm.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System32\ZvfhBQm.exe
  C:\Windows\System32\ZvfhBQm.exe
  2⤵
  - Executes dropped EXE
  PID:244
- C:\Windows\System32\bpmqxHg.exe
  C:\Windows\System32\bpmqxHg.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System32\MhOoHZl.exe
  C:\Windows\System32\MhOoHZl.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System32\aRKYoBr.exe
  C:\Windows\System32\aRKYoBr.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System32\BhZrwHw.exe
  C:\Windows\System32\BhZrwHw.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System32\eIeMSTQ.exe
  C:\Windows\System32\eIeMSTQ.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System32\xfEibKu.exe
  C:\Windows\System32\xfEibKu.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System32\sYKGLXF.exe
  C:\Windows\System32\sYKGLXF.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System32\yxDknSy.exe
  C:\Windows\System32\yxDknSy.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System32\TbAZWqd.exe
  C:\Windows\System32\TbAZWqd.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System32\xjlPYeg.exe
  C:\Windows\System32\xjlPYeg.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System32\ImYzPWg.exe
  C:\Windows\System32\ImYzPWg.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System32\nNJhgdX.exe
  C:\Windows\System32\nNJhgdX.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System32\doPWXXR.exe
  C:\Windows\System32\doPWXXR.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System32\MDEADCv.exe
  C:\Windows\System32\MDEADCv.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System32\jMxpPxd.exe
  C:\Windows\System32\jMxpPxd.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System32\NumoYYX.exe
  C:\Windows\System32\NumoYYX.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System32\GNvWIcQ.exe
  C:\Windows\System32\GNvWIcQ.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System32\bxgpuDC.exe
  C:\Windows\System32\bxgpuDC.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System32\jHRzzxB.exe
  C:\Windows\System32\jHRzzxB.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System32\kuzSVwr.exe
  C:\Windows\System32\kuzSVwr.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\ShaGQIo.exe
  C:\Windows\System32\ShaGQIo.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System32\OqWFSZT.exe
  C:\Windows\System32\OqWFSZT.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System32\lrgLXbi.exe
  C:\Windows\System32\lrgLXbi.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System32\SAqcjpD.exe
  C:\Windows\System32\SAqcjpD.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System32\GqlzHIk.exe
  C:\Windows\System32\GqlzHIk.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System32\RrzPqpO.exe
  C:\Windows\System32\RrzPqpO.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System32\KotMXyv.exe
  C:\Windows\System32\KotMXyv.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System32\YTCiPtd.exe
  C:\Windows\System32\YTCiPtd.exe
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\System32\WVmEirh.exe
  C:\Windows\System32\WVmEirh.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System32\pJUgviS.exe
  C:\Windows\System32\pJUgviS.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System32\usFqYft.exe
  C:\Windows\System32\usFqYft.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System32\IFIqYTC.exe
  C:\Windows\System32\IFIqYTC.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System32\TYDxScB.exe
  C:\Windows\System32\TYDxScB.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System32\bXCSaWO.exe
  C:\Windows\System32\bXCSaWO.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System32\lngTmTr.exe
  C:\Windows\System32\lngTmTr.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System32\MKCrkat.exe
  C:\Windows\System32\MKCrkat.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System32\CjtNFax.exe
  C:\Windows\System32\CjtNFax.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System32\zDKnxti.exe
  C:\Windows\System32\zDKnxti.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System32\tcdZfVF.exe
  C:\Windows\System32\tcdZfVF.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System32\zEszGjk.exe
  C:\Windows\System32\zEszGjk.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System32\BgSERQA.exe
  C:\Windows\System32\BgSERQA.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System32\AVxglaV.exe
  C:\Windows\System32\AVxglaV.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System32\BIdUOgB.exe
  C:\Windows\System32\BIdUOgB.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System32\STmtvsU.exe
  C:\Windows\System32\STmtvsU.exe
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\System32\LaNLMKe.exe
  C:\Windows\System32\LaNLMKe.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System32\gMAVjiq.exe
  C:\Windows\System32\gMAVjiq.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System32\zPTtphV.exe
  C:\Windows\System32\zPTtphV.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System32\kczchij.exe
  C:\Windows\System32\kczchij.exe
  2⤵
  PID:2072
- C:\Windows\System32\LagkthO.exe
  C:\Windows\System32\LagkthO.exe
  2⤵
  PID:2808
- C:\Windows\System32\MlLtgiG.exe
  C:\Windows\System32\MlLtgiG.exe
  2⤵
  PID:1880
- C:\Windows\System32\sWXJuxF.exe
  C:\Windows\System32\sWXJuxF.exe
  2⤵
  PID:4248
- C:\Windows\System32\TZGcqOf.exe
  C:\Windows\System32\TZGcqOf.exe
  2⤵
  PID:1504
- C:\Windows\System32\OxJDBKl.exe
  C:\Windows\System32\OxJDBKl.exe
  2⤵
  PID:4748
- C:\Windows\System32\xqQEuZv.exe
  C:\Windows\System32\xqQEuZv.exe
  2⤵
  PID:3868
- C:\Windows\System32\ajVHZbV.exe
  C:\Windows\System32\ajVHZbV.exe
  2⤵
  PID:4856
- C:\Windows\System32\XHjZEju.exe
  C:\Windows\System32\XHjZEju.exe
  2⤵
  PID:4592
- C:\Windows\System32\bwVrrkQ.exe
  C:\Windows\System32\bwVrrkQ.exe
  2⤵
  PID:436
- C:\Windows\System32\IkbQjAG.exe
  C:\Windows\System32\IkbQjAG.exe
  2⤵
  PID:1176
- C:\Windows\System32\BYdkWjb.exe
  C:\Windows\System32\BYdkWjb.exe
  2⤵
  PID:5144
- C:\Windows\System32\BEchBzH.exe
  C:\Windows\System32\BEchBzH.exe
  2⤵
  PID:5164
- C:\Windows\System32\itKUJNd.exe
  C:\Windows\System32\itKUJNd.exe
  2⤵
  PID:5188
- C:\Windows\System32\vmygfiQ.exe
  C:\Windows\System32\vmygfiQ.exe
  2⤵
  PID:5244
- C:\Windows\System32\nHjHVkV.exe
  C:\Windows\System32\nHjHVkV.exe
  2⤵
  PID:5260
- C:\Windows\System32\TeWfNUs.exe
  C:\Windows\System32\TeWfNUs.exe
  2⤵
  PID:5288
- C:\Windows\System32\OUibgWF.exe
  C:\Windows\System32\OUibgWF.exe
  2⤵
  PID:5304
- C:\Windows\System32\rEUDurx.exe
  C:\Windows\System32\rEUDurx.exe
  2⤵
  PID:5332
- C:\Windows\System32\PBZfpTO.exe
  C:\Windows\System32\PBZfpTO.exe
  2⤵
  PID:5360
- C:\Windows\System32\fhkUYAY.exe
  C:\Windows\System32\fhkUYAY.exe
  2⤵
  PID:5388
- C:\Windows\System32\qSOylTj.exe
  C:\Windows\System32\qSOylTj.exe
  2⤵
  PID:5424
- C:\Windows\System32\BKATGRC.exe
  C:\Windows\System32\BKATGRC.exe
  2⤵
  PID:5448
- C:\Windows\System32\gAIReGe.exe
  C:\Windows\System32\gAIReGe.exe
  2⤵
  PID:5472
- C:\Windows\System32\FgPXTot.exe
  C:\Windows\System32\FgPXTot.exe
  2⤵
  PID:5512
- C:\Windows\System32\RoURXLu.exe
  C:\Windows\System32\RoURXLu.exe
  2⤵
  PID:5528
- C:\Windows\System32\XsSeboc.exe
  C:\Windows\System32\XsSeboc.exe
  2⤵
  PID:5568
- C:\Windows\System32\RJSwQfj.exe
  C:\Windows\System32\RJSwQfj.exe
  2⤵
  PID:5584
- C:\Windows\System32\hodsSTo.exe
  C:\Windows\System32\hodsSTo.exe
  2⤵
  PID:5616
- C:\Windows\System32\attAcjv.exe
  C:\Windows\System32\attAcjv.exe
  2⤵
  PID:5644
- C:\Windows\System32\WfoFqaW.exe
  C:\Windows\System32\WfoFqaW.exe
  2⤵
  PID:5668
- C:\Windows\System32\EZcmNeI.exe
  C:\Windows\System32\EZcmNeI.exe
  2⤵
  PID:5704
- C:\Windows\System32\ktkrBrE.exe
  C:\Windows\System32\ktkrBrE.exe
  2⤵
  PID:5724
- C:\Windows\System32\rDiWZEA.exe
  C:\Windows\System32\rDiWZEA.exe
  2⤵
  PID:5752
- C:\Windows\System32\GpChlVv.exe
  C:\Windows\System32\GpChlVv.exe
  2⤵
  PID:5776
- C:\Windows\System32\bCkkVsx.exe
  C:\Windows\System32\bCkkVsx.exe
  2⤵
  PID:5808
- C:\Windows\System32\XDNxWGh.exe
  C:\Windows\System32\XDNxWGh.exe
  2⤵
  PID:5836
- C:\Windows\System32\YPLdNLO.exe
  C:\Windows\System32\YPLdNLO.exe
  2⤵
  PID:5864
- C:\Windows\System32\YbtzgPS.exe
  C:\Windows\System32\YbtzgPS.exe
  2⤵
  PID:5896
- C:\Windows\System32\fScJRzr.exe
  C:\Windows\System32\fScJRzr.exe
  2⤵
  PID:5924
- C:\Windows\System32\YsBINue.exe
  C:\Windows\System32\YsBINue.exe
  2⤵
  PID:5948
- C:\Windows\System32\biJwnYh.exe
  C:\Windows\System32\biJwnYh.exe
  2⤵
  PID:5980
- C:\Windows\System32\KphjlVa.exe
  C:\Windows\System32\KphjlVa.exe
  2⤵
  PID:6004
- C:\Windows\System32\eoHyKvq.exe
  C:\Windows\System32\eoHyKvq.exe
  2⤵
  PID:6036
- C:\Windows\System32\kVSEfQq.exe
  C:\Windows\System32\kVSEfQq.exe
  2⤵
  PID:6060
- C:\Windows\System32\lUXXKbz.exe
  C:\Windows\System32\lUXXKbz.exe
  2⤵
  PID:6104
- C:\Windows\System32\UJuKrNA.exe
  C:\Windows\System32\UJuKrNA.exe
  2⤵
  PID:6124
- C:\Windows\System32\PzWKjRi.exe
  C:\Windows\System32\PzWKjRi.exe
  2⤵
  PID:4396
- C:\Windows\System32\iuOkSDQ.exe
  C:\Windows\System32\iuOkSDQ.exe
  2⤵
  PID:4184
- C:\Windows\System32\LHCbPkO.exe
  C:\Windows\System32\LHCbPkO.exe
  2⤵
  PID:4080
- C:\Windows\System32\HSMiWlb.exe
  C:\Windows\System32\HSMiWlb.exe
  2⤵
  PID:4940
- C:\Windows\System32\unKuZhG.exe
  C:\Windows\System32\unKuZhG.exe
  2⤵
  PID:4624
- C:\Windows\System32\RgIqkOc.exe
  C:\Windows\System32\RgIqkOc.exe
  2⤵
  PID:5152
- C:\Windows\System32\vkXXJxE.exe
  C:\Windows\System32\vkXXJxE.exe
  2⤵
  PID:5204
- C:\Windows\System32\ywSqnuP.exe
  C:\Windows\System32\ywSqnuP.exe
  2⤵
  PID:5296
- C:\Windows\System32\SsrIQVD.exe
  C:\Windows\System32\SsrIQVD.exe
  2⤵
  PID:5316
- C:\Windows\System32\NsMblbU.exe
  C:\Windows\System32\NsMblbU.exe
  2⤵
  PID:5380
- C:\Windows\System32\zvMbqkk.exe
  C:\Windows\System32\zvMbqkk.exe
  2⤵
  PID:5440
- C:\Windows\System32\qlECBPE.exe
  C:\Windows\System32\qlECBPE.exe
  2⤵
  PID:5524
- C:\Windows\System32\pYcqOju.exe
  C:\Windows\System32\pYcqOju.exe
  2⤵
  PID:5580
- C:\Windows\System32\ZHSlnPq.exe
  C:\Windows\System32\ZHSlnPq.exe
  2⤵
  PID:5660
- C:\Windows\System32\mdMSxwi.exe
  C:\Windows\System32\mdMSxwi.exe
  2⤵
  PID:516
- C:\Windows\System32\KTPOTOB.exe
  C:\Windows\System32\KTPOTOB.exe
  2⤵
  PID:5764
- C:\Windows\System32\bCoBnhn.exe
  C:\Windows\System32\bCoBnhn.exe
  2⤵
  PID:5792
- C:\Windows\System32\LywPYZk.exe
  C:\Windows\System32\LywPYZk.exe
  2⤵
  PID:1620
- C:\Windows\System32\xIXlhHe.exe
  C:\Windows\System32\xIXlhHe.exe
  2⤵
  PID:5932
- C:\Windows\System32\EROdgxF.exe
  C:\Windows\System32\EROdgxF.exe
  2⤵
  PID:4976
- C:\Windows\System32\JMtydgF.exe
  C:\Windows\System32\JMtydgF.exe
  2⤵
  PID:6044
- C:\Windows\System32\cVSiYbo.exe
  C:\Windows\System32\cVSiYbo.exe
  2⤵
  PID:6096
- C:\Windows\System32\MnFRnUf.exe
  C:\Windows\System32\MnFRnUf.exe
  2⤵
  PID:3376
- C:\Windows\System32\pcksQVg.exe
  C:\Windows\System32\pcksQVg.exe
  2⤵
  PID:380
- C:\Windows\System32\sCupBgH.exe
  C:\Windows\System32\sCupBgH.exe
  2⤵
  PID:3948
- C:\Windows\System32\bLrPeWr.exe
  C:\Windows\System32\bLrPeWr.exe
  2⤵
  PID:5256
- C:\Windows\System32\jCKKXcg.exe
  C:\Windows\System32\jCKKXcg.exe
  2⤵
  PID:5312
- C:\Windows\System32\UkWqRwu.exe
  C:\Windows\System32\UkWqRwu.exe
  2⤵
  PID:5456
- C:\Windows\System32\cZHoByE.exe
  C:\Windows\System32\cZHoByE.exe
  2⤵
  PID:5636
- C:\Windows\System32\lHHwgcE.exe
  C:\Windows\System32\lHHwgcE.exe
  2⤵
  PID:5744
- C:\Windows\System32\fZdNUHB.exe
  C:\Windows\System32\fZdNUHB.exe
  2⤵
  PID:452
- C:\Windows\System32\mBHxpJK.exe
  C:\Windows\System32\mBHxpJK.exe
  2⤵
  PID:5916
- C:\Windows\System32\LkqNZZJ.exe
  C:\Windows\System32\LkqNZZJ.exe
  2⤵
  PID:6000
- C:\Windows\System32\miPMwYO.exe
  C:\Windows\System32\miPMwYO.exe
  2⤵
  PID:6076
- C:\Windows\System32\kIhJUnT.exe
  C:\Windows\System32\kIhJUnT.exe
  2⤵
  PID:4580
- C:\Windows\System32\RjejAMv.exe
  C:\Windows\System32\RjejAMv.exe
  2⤵
  PID:5136
- C:\Windows\System32\dcRoiZx.exe
  C:\Windows\System32\dcRoiZx.exe
  2⤵
  PID:3496
- C:\Windows\System32\TEcqQnF.exe
  C:\Windows\System32\TEcqQnF.exe
  2⤵
  PID:5504
- C:\Windows\System32\bueYCuS.exe
  C:\Windows\System32\bueYCuS.exe
  2⤵
  PID:2796
- C:\Windows\System32\ekFbAng.exe
  C:\Windows\System32\ekFbAng.exe
  2⤵
  PID:4152
- C:\Windows\System32\uoFgKXR.exe
  C:\Windows\System32\uoFgKXR.exe
  2⤵
  PID:5888
- C:\Windows\System32\tkkwJJf.exe
  C:\Windows\System32\tkkwJJf.exe
  2⤵
  PID:4900
- C:\Windows\System32\eNHHgvk.exe
  C:\Windows\System32\eNHHgvk.exe
  2⤵
  PID:3544
- C:\Windows\System32\EOvXDZh.exe
  C:\Windows\System32\EOvXDZh.exe
  2⤵
  PID:4412
- C:\Windows\System32\gZmvIox.exe
  C:\Windows\System32\gZmvIox.exe
  2⤵
  PID:6176
- C:\Windows\System32\dLFYxri.exe
  C:\Windows\System32\dLFYxri.exe
  2⤵
  PID:6200
- C:\Windows\System32\zoZkkjt.exe
  C:\Windows\System32\zoZkkjt.exe
  2⤵
  PID:6232
- C:\Windows\System32\AxdtnRx.exe
  C:\Windows\System32\AxdtnRx.exe
  2⤵
  PID:6268
- C:\Windows\System32\caLkQBZ.exe
  C:\Windows\System32\caLkQBZ.exe
  2⤵
  PID:6288
- C:\Windows\System32\YiTBSil.exe
  C:\Windows\System32\YiTBSil.exe
  2⤵
  PID:6312
- C:\Windows\System32\OKUHHjB.exe
  C:\Windows\System32\OKUHHjB.exe
  2⤵
  PID:6344
- C:\Windows\System32\UBxyvMe.exe
  C:\Windows\System32\UBxyvMe.exe
  2⤵
  PID:6372
- C:\Windows\System32\AoFxVAU.exe
  C:\Windows\System32\AoFxVAU.exe
  2⤵
  PID:6400
- C:\Windows\System32\LBKWztZ.exe
  C:\Windows\System32\LBKWztZ.exe
  2⤵
  PID:6436
- C:\Windows\System32\WofzkaM.exe
  C:\Windows\System32\WofzkaM.exe
  2⤵
  PID:6456
- C:\Windows\System32\byWdBaI.exe
  C:\Windows\System32\byWdBaI.exe
  2⤵
  PID:6480
- C:\Windows\System32\TNpnqOV.exe
  C:\Windows\System32\TNpnqOV.exe
  2⤵
  PID:6512
- C:\Windows\System32\COFcmoc.exe
  C:\Windows\System32\COFcmoc.exe
  2⤵
  PID:6548
- C:\Windows\System32\XnIWLqs.exe
  C:\Windows\System32\XnIWLqs.exe
  2⤵
  PID:6568
- C:\Windows\System32\pfGQAcA.exe
  C:\Windows\System32\pfGQAcA.exe
  2⤵
  PID:6592
- C:\Windows\System32\ueCnUAw.exe
  C:\Windows\System32\ueCnUAw.exe
  2⤵
  PID:6620
- C:\Windows\System32\aQdboqH.exe
  C:\Windows\System32\aQdboqH.exe
  2⤵
  PID:6648
- C:\Windows\System32\pZOmBTx.exe
  C:\Windows\System32\pZOmBTx.exe
  2⤵
  PID:6680
- C:\Windows\System32\vIisnYO.exe
  C:\Windows\System32\vIisnYO.exe
  2⤵
  PID:6716
- C:\Windows\System32\bSjGjMR.exe
  C:\Windows\System32\bSjGjMR.exe
  2⤵
  PID:6736
- C:\Windows\System32\peGdyPK.exe
  C:\Windows\System32\peGdyPK.exe
  2⤵
  PID:6760
- C:\Windows\System32\FGdZVfJ.exe
  C:\Windows\System32\FGdZVfJ.exe
  2⤵
  PID:6792
- C:\Windows\System32\jVhmXvl.exe
  C:\Windows\System32\jVhmXvl.exe
  2⤵
  PID:6820
- C:\Windows\System32\oRirLzl.exe
  C:\Windows\System32\oRirLzl.exe
  2⤵
  PID:6848
- C:\Windows\System32\NCprZQE.exe
  C:\Windows\System32\NCprZQE.exe
  2⤵
  PID:6872
- C:\Windows\System32\cLPEMZC.exe
  C:\Windows\System32\cLPEMZC.exe
  2⤵
  PID:6904
- C:\Windows\System32\JzlQtuj.exe
  C:\Windows\System32\JzlQtuj.exe
  2⤵
  PID:6932
- C:\Windows\System32\SYUgCLX.exe
  C:\Windows\System32\SYUgCLX.exe
  2⤵
  PID:6960
- C:\Windows\System32\nFaaTmM.exe
  C:\Windows\System32\nFaaTmM.exe
  2⤵
  PID:6988
- C:\Windows\System32\viRqgnF.exe
  C:\Windows\System32\viRqgnF.exe
  2⤵
  PID:7012
- C:\Windows\System32\GtPNCac.exe
  C:\Windows\System32\GtPNCac.exe
  2⤵
  PID:7040
- C:\Windows\System32\atdPhuq.exe
  C:\Windows\System32\atdPhuq.exe
  2⤵
  PID:7072
- C:\Windows\System32\fqWRUAJ.exe
  C:\Windows\System32\fqWRUAJ.exe
  2⤵
  PID:7100
- C:\Windows\System32\BppksKC.exe
  C:\Windows\System32\BppksKC.exe
  2⤵
  PID:7128
- C:\Windows\System32\wUbKSVU.exe
  C:\Windows\System32\wUbKSVU.exe
  2⤵
  PID:7152
- C:\Windows\System32\ylRuPHy.exe
  C:\Windows\System32\ylRuPHy.exe
  2⤵
  PID:5772
- C:\Windows\System32\DWWsusB.exe
  C:\Windows\System32\DWWsusB.exe
  2⤵
  PID:3392
- C:\Windows\System32\BjQWgyF.exe
  C:\Windows\System32\BjQWgyF.exe
  2⤵
  PID:6184
- C:\Windows\System32\LVUHyCB.exe
  C:\Windows\System32\LVUHyCB.exe
  2⤵
  PID:6252
- C:\Windows\System32\qBNGzHs.exe
  C:\Windows\System32\qBNGzHs.exe
  2⤵
  PID:6380
- C:\Windows\System32\oMVlhVj.exe
  C:\Windows\System32\oMVlhVj.exe
  2⤵
  PID:6408
- C:\Windows\System32\qTLjfvI.exe
  C:\Windows\System32\qTLjfvI.exe
  2⤵
  PID:6468
- C:\Windows\System32\jQaIcqU.exe
  C:\Windows\System32\jQaIcqU.exe
  2⤵
  PID:6504
- C:\Windows\System32\WhycNMd.exe
  C:\Windows\System32\WhycNMd.exe
  2⤵
  PID:6544
- C:\Windows\System32\ULcrCia.exe
  C:\Windows\System32\ULcrCia.exe
  2⤵
  PID:6588
- C:\Windows\System32\WZfqoxN.exe
  C:\Windows\System32\WZfqoxN.exe
  2⤵
  PID:6616
- C:\Windows\System32\LMZSdCz.exe
  C:\Windows\System32\LMZSdCz.exe
  2⤵
  PID:6656
- C:\Windows\System32\WcHqCqY.exe
  C:\Windows\System32\WcHqCqY.exe
  2⤵
  PID:6688
- C:\Windows\System32\RtCPDLz.exe
  C:\Windows\System32\RtCPDLz.exe
  2⤵
  PID:4420
- C:\Windows\System32\lDoFGdJ.exe
  C:\Windows\System32\lDoFGdJ.exe
  2⤵
  PID:6776
- C:\Windows\System32\RyWmdwo.exe
  C:\Windows\System32\RyWmdwo.exe
  2⤵
  PID:3012
- C:\Windows\System32\jJpQFvj.exe
  C:\Windows\System32\jJpQFvj.exe
  2⤵
  PID:6860
- C:\Windows\System32\pJWZdhA.exe
  C:\Windows\System32\pJWZdhA.exe
  2⤵
  PID:6924
- C:\Windows\System32\IPYEkTy.exe
  C:\Windows\System32\IPYEkTy.exe
  2⤵
  PID:6940
- C:\Windows\System32\RKXoEaK.exe
  C:\Windows\System32\RKXoEaK.exe
  2⤵
  PID:6980
- C:\Windows\System32\rRLdxfv.exe
  C:\Windows\System32\rRLdxfv.exe
  2⤵
  PID:2236
- C:\Windows\System32\SIbhmMh.exe
  C:\Windows\System32\SIbhmMh.exe
  2⤵
  PID:7048
- C:\Windows\System32\pEFsamA.exe
  C:\Windows\System32\pEFsamA.exe
  2⤵
  PID:7092
- C:\Windows\System32\QMcflSj.exe
  C:\Windows\System32\QMcflSj.exe
  2⤵
  PID:7136
- C:\Windows\System32\voqcaWh.exe
  C:\Windows\System32\voqcaWh.exe
  2⤵
  PID:1500
- C:\Windows\System32\GjuUuLl.exe
  C:\Windows\System32\GjuUuLl.exe
  2⤵
  PID:6084
- C:\Windows\System32\uKClWFo.exe
  C:\Windows\System32\uKClWFo.exe
  2⤵
  PID:2448
- C:\Windows\System32\fAMpMDF.exe
  C:\Windows\System32\fAMpMDF.exe
  2⤵
  PID:4584
- C:\Windows\System32\TMYdqKP.exe
  C:\Windows\System32\TMYdqKP.exe
  2⤵
  PID:3308
- C:\Windows\System32\szhJFhS.exe
  C:\Windows\System32\szhJFhS.exe
  2⤵
  PID:2816
- C:\Windows\System32\tWGYqbq.exe
  C:\Windows\System32\tWGYqbq.exe
  2⤵
  PID:6420
- C:\Windows\System32\LAchPZs.exe
  C:\Windows\System32\LAchPZs.exe
  2⤵
  PID:6724
- C:\Windows\System32\Onuvfiz.exe
  C:\Windows\System32\Onuvfiz.exe
  2⤵
  PID:2708
- C:\Windows\System32\lNUGxCF.exe
  C:\Windows\System32\lNUGxCF.exe
  2⤵
  PID:2004
- C:\Windows\System32\vEZmtIU.exe
  C:\Windows\System32\vEZmtIU.exe
  2⤵
  PID:6496
- C:\Windows\System32\MKnAfGX.exe
  C:\Windows\System32\MKnAfGX.exe
  2⤵
  PID:6308
- C:\Windows\System32\RrYZbrH.exe
  C:\Windows\System32\RrYZbrH.exe
  2⤵
  PID:6700
- C:\Windows\System32\TbXDaLD.exe
  C:\Windows\System32\TbXDaLD.exe
  2⤵
  PID:8
- C:\Windows\System32\JjDFpwZ.exe
  C:\Windows\System32\JjDFpwZ.exe
  2⤵
  PID:7028
- C:\Windows\System32\HLoWIVf.exe
  C:\Windows\System32\HLoWIVf.exe
  2⤵
  PID:6732
- C:\Windows\System32\GIlzwCA.exe
  C:\Windows\System32\GIlzwCA.exe
  2⤵
  PID:7196
- C:\Windows\System32\FGneSVq.exe
  C:\Windows\System32\FGneSVq.exe
  2⤵
  PID:7220
- C:\Windows\System32\Bcjwojk.exe
  C:\Windows\System32\Bcjwojk.exe
  2⤵
  PID:7236
- C:\Windows\System32\fkTCgZU.exe
  C:\Windows\System32\fkTCgZU.exe
  2⤵
  PID:7264
- C:\Windows\System32\sGLXBuO.exe
  C:\Windows\System32\sGLXBuO.exe
  2⤵
  PID:7280
- C:\Windows\System32\uegsuur.exe
  C:\Windows\System32\uegsuur.exe
  2⤵
  PID:7328
- C:\Windows\System32\tEXTWvC.exe
  C:\Windows\System32\tEXTWvC.exe
  2⤵
  PID:7344
- C:\Windows\System32\kIHoIDX.exe
  C:\Windows\System32\kIHoIDX.exe
  2⤵
  PID:7364
- C:\Windows\System32\qBcogSq.exe
  C:\Windows\System32\qBcogSq.exe
  2⤵
  PID:7392
- C:\Windows\System32\FjYENoQ.exe
  C:\Windows\System32\FjYENoQ.exe
  2⤵
  PID:7416
- C:\Windows\System32\rCMFrnG.exe
  C:\Windows\System32\rCMFrnG.exe
  2⤵
  PID:7484
- C:\Windows\System32\EEacxGt.exe
  C:\Windows\System32\EEacxGt.exe
  2⤵
  PID:7528
- C:\Windows\System32\KRXHnuj.exe
  C:\Windows\System32\KRXHnuj.exe
  2⤵
  PID:7544
- C:\Windows\System32\bLmtCYW.exe
  C:\Windows\System32\bLmtCYW.exe
  2⤵
  PID:7568
- C:\Windows\System32\WNccVpk.exe
  C:\Windows\System32\WNccVpk.exe
  2⤵
  PID:7588
- C:\Windows\System32\FscYtPX.exe
  C:\Windows\System32\FscYtPX.exe
  2⤵
  PID:7636
- C:\Windows\System32\sEJdFvw.exe
  C:\Windows\System32\sEJdFvw.exe
  2⤵
  PID:7672
- C:\Windows\System32\exBIDqY.exe
  C:\Windows\System32\exBIDqY.exe
  2⤵
  PID:7696
- C:\Windows\System32\CFGsqgY.exe
  C:\Windows\System32\CFGsqgY.exe
  2⤵
  PID:7712
- C:\Windows\System32\BZiuzgz.exe
  C:\Windows\System32\BZiuzgz.exe
  2⤵
  PID:7732
- C:\Windows\System32\DNTHqSa.exe
  C:\Windows\System32\DNTHqSa.exe
  2⤵
  PID:7752
- C:\Windows\System32\fyWzmXq.exe
  C:\Windows\System32\fyWzmXq.exe
  2⤵
  PID:7800
- C:\Windows\System32\OfXJOYV.exe
  C:\Windows\System32\OfXJOYV.exe
  2⤵
  PID:7852
- C:\Windows\System32\HvtdAxP.exe
  C:\Windows\System32\HvtdAxP.exe
  2⤵
  PID:7868
- C:\Windows\System32\nUKAGTT.exe
  C:\Windows\System32\nUKAGTT.exe
  2⤵
  PID:7884
- C:\Windows\System32\cJixqHl.exe
  C:\Windows\System32\cJixqHl.exe
  2⤵
  PID:7908
- C:\Windows\System32\kOypRQA.exe
  C:\Windows\System32\kOypRQA.exe
  2⤵
  PID:7944
- C:\Windows\System32\gWSOjZy.exe
  C:\Windows\System32\gWSOjZy.exe
  2⤵
  PID:7972
- C:\Windows\System32\HbiBvXD.exe
  C:\Windows\System32\HbiBvXD.exe
  2⤵
  PID:8004
- C:\Windows\System32\TAARMyr.exe
  C:\Windows\System32\TAARMyr.exe
  2⤵
  PID:8024
- C:\Windows\System32\lxnUSWl.exe
  C:\Windows\System32\lxnUSWl.exe
  2⤵
  PID:8040
- C:\Windows\System32\tbdeCjw.exe
  C:\Windows\System32\tbdeCjw.exe
  2⤵
  PID:8056
- C:\Windows\System32\SRtMtGq.exe
  C:\Windows\System32\SRtMtGq.exe
  2⤵
  PID:8076
- C:\Windows\System32\xcHntCC.exe
  C:\Windows\System32\xcHntCC.exe
  2⤵
  PID:8104
- C:\Windows\System32\MQQkFIN.exe
  C:\Windows\System32\MQQkFIN.exe
  2⤵
  PID:8120
- C:\Windows\System32\pojehKp.exe
  C:\Windows\System32\pojehKp.exe
  2⤵
  PID:8156
- C:\Windows\System32\aRpAaRU.exe
  C:\Windows\System32\aRpAaRU.exe
  2⤵
  PID:8180
- C:\Windows\System32\nAJsrXH.exe
  C:\Windows\System32\nAJsrXH.exe
  2⤵
  PID:6636
- C:\Windows\System32\ITqAKfQ.exe
  C:\Windows\System32\ITqAKfQ.exe
  2⤵
  PID:7192
- C:\Windows\System32\GaKeEfJ.exe
  C:\Windows\System32\GaKeEfJ.exe
  2⤵
  PID:7276
- C:\Windows\System32\ZKrxKkG.exe
  C:\Windows\System32\ZKrxKkG.exe
  2⤵
  PID:7356
- C:\Windows\System32\dVOEBJN.exe
  C:\Windows\System32\dVOEBJN.exe
  2⤵
  PID:7428
- C:\Windows\System32\aTSUMMr.exe
  C:\Windows\System32\aTSUMMr.exe
  2⤵
  PID:7508
- C:\Windows\System32\oRLCIrf.exe
  C:\Windows\System32\oRLCIrf.exe
  2⤵
  PID:7576
- C:\Windows\System32\WpXhLiJ.exe
  C:\Windows\System32\WpXhLiJ.exe
  2⤵
  PID:7584
- C:\Windows\System32\EAaJfHp.exe
  C:\Windows\System32\EAaJfHp.exe
  2⤵
  PID:7668
- C:\Windows\System32\DhsgVCu.exe
  C:\Windows\System32\DhsgVCu.exe
  2⤵
  PID:7900
- C:\Windows\System32\WupxMhl.exe
  C:\Windows\System32\WupxMhl.exe
  2⤵
  PID:7964
- C:\Windows\System32\XkLCifz.exe
  C:\Windows\System32\XkLCifz.exe
  2⤵
  PID:8016
- C:\Windows\System32\HvTUysy.exe
  C:\Windows\System32\HvTUysy.exe
  2⤵
  PID:8084
- C:\Windows\System32\IPhhABi.exe
  C:\Windows\System32\IPhhABi.exe
  2⤵
  PID:8112
- C:\Windows\System32\OqpkBMi.exe
  C:\Windows\System32\OqpkBMi.exe
  2⤵
  PID:6692
- C:\Windows\System32\eVfTKPp.exe
  C:\Windows\System32\eVfTKPp.exe
  2⤵
  PID:7440
- C:\Windows\System32\CHxPNJU.exe
  C:\Windows\System32\CHxPNJU.exe
  2⤵
  PID:7624
- C:\Windows\System32\YpJrfjT.exe
  C:\Windows\System32\YpJrfjT.exe
  2⤵
  PID:7824
- C:\Windows\System32\mGxrGNa.exe
  C:\Windows\System32\mGxrGNa.exe
  2⤵
  PID:7688
- C:\Windows\System32\nUokzWz.exe
  C:\Windows\System32\nUokzWz.exe
  2⤵
  PID:7864
- C:\Windows\System32\mOXmrxV.exe
  C:\Windows\System32\mOXmrxV.exe
  2⤵
  PID:872
- C:\Windows\System32\TLHJArJ.exe
  C:\Windows\System32\TLHJArJ.exe
  2⤵
  PID:7208
- C:\Windows\System32\XqdwDuq.exe
  C:\Windows\System32\XqdwDuq.exe
  2⤵
  PID:7760
- C:\Windows\System32\TBcvVfa.exe
  C:\Windows\System32\TBcvVfa.exe
  2⤵
  PID:7616
- C:\Windows\System32\dxExVPe.exe
  C:\Windows\System32\dxExVPe.exe
  2⤵
  PID:7812
- C:\Windows\System32\gIiFNTu.exe
  C:\Windows\System32\gIiFNTu.exe
  2⤵
  PID:7408
- C:\Windows\System32\vzobObV.exe
  C:\Windows\System32\vzobObV.exe
  2⤵
  PID:7816
- C:\Windows\System32\nnsoDRO.exe
  C:\Windows\System32\nnsoDRO.exe
  2⤵
  PID:7684
- C:\Windows\System32\wgDvgDn.exe
  C:\Windows\System32\wgDvgDn.exe
  2⤵
  PID:8240
- C:\Windows\System32\uVqsiZq.exe
  C:\Windows\System32\uVqsiZq.exe
  2⤵
  PID:8256
- C:\Windows\System32\wnDioAS.exe
  C:\Windows\System32\wnDioAS.exe
  2⤵
  PID:8276
- C:\Windows\System32\NUqKFLM.exe
  C:\Windows\System32\NUqKFLM.exe
  2⤵
  PID:8296
- C:\Windows\System32\WFWZoLc.exe
  C:\Windows\System32\WFWZoLc.exe
  2⤵
  PID:8324
- C:\Windows\System32\WVtYSvj.exe
  C:\Windows\System32\WVtYSvj.exe
  2⤵
  PID:8344
- C:\Windows\System32\grKrlCN.exe
  C:\Windows\System32\grKrlCN.exe
  2⤵
  PID:8364
- C:\Windows\System32\cUYnlCI.exe
  C:\Windows\System32\cUYnlCI.exe
  2⤵
  PID:8392
- C:\Windows\System32\dnPzOEp.exe
  C:\Windows\System32\dnPzOEp.exe
  2⤵
  PID:8428
- C:\Windows\System32\iauGmKE.exe
  C:\Windows\System32\iauGmKE.exe
  2⤵
  PID:8464
- C:\Windows\System32\FsTTHcX.exe
  C:\Windows\System32\FsTTHcX.exe
  2⤵
  PID:8484
- C:\Windows\System32\xsNHmMd.exe
  C:\Windows\System32\xsNHmMd.exe
  2⤵
  PID:8504
- C:\Windows\System32\MVvbwOi.exe
  C:\Windows\System32\MVvbwOi.exe
  2⤵
  PID:8540
- C:\Windows\System32\VJTjhpW.exe
  C:\Windows\System32\VJTjhpW.exe
  2⤵
  PID:8556
- C:\Windows\System32\GjSsXQb.exe
  C:\Windows\System32\GjSsXQb.exe
  2⤵
  PID:8600
- C:\Windows\System32\VMdbYxS.exe
  C:\Windows\System32\VMdbYxS.exe
  2⤵
  PID:8636
- C:\Windows\System32\FnvBGqb.exe
  C:\Windows\System32\FnvBGqb.exe
  2⤵
  PID:8668
- C:\Windows\System32\soSahvw.exe
  C:\Windows\System32\soSahvw.exe
  2⤵
  PID:8684
- C:\Windows\System32\ONsjwbu.exe
  C:\Windows\System32\ONsjwbu.exe
  2⤵
  PID:8704
- C:\Windows\System32\NDjiOld.exe
  C:\Windows\System32\NDjiOld.exe
  2⤵
  PID:8772
- C:\Windows\System32\qixJdMY.exe
  C:\Windows\System32\qixJdMY.exe
  2⤵
  PID:8812
- C:\Windows\System32\bguZeKY.exe
  C:\Windows\System32\bguZeKY.exe
  2⤵
  PID:8828
- C:\Windows\System32\TwRTwaN.exe
  C:\Windows\System32\TwRTwaN.exe
  2⤵
  PID:8852
- C:\Windows\System32\cPqrvWu.exe
  C:\Windows\System32\cPqrvWu.exe
  2⤵
  PID:8872
- C:\Windows\System32\OJAFZjB.exe
  C:\Windows\System32\OJAFZjB.exe
  2⤵
  PID:8892
- C:\Windows\System32\qwzWSwi.exe
  C:\Windows\System32\qwzWSwi.exe
  2⤵
  PID:8984
- C:\Windows\System32\IyjKyOh.exe
  C:\Windows\System32\IyjKyOh.exe
  2⤵
  PID:9004
- C:\Windows\System32\JoFLtCK.exe
  C:\Windows\System32\JoFLtCK.exe
  2⤵
  PID:9020
- C:\Windows\System32\lsOKnRF.exe
  C:\Windows\System32\lsOKnRF.exe
  2⤵
  PID:9036
- C:\Windows\System32\lJwUkVq.exe
  C:\Windows\System32\lJwUkVq.exe
  2⤵
  PID:9052
- C:\Windows\System32\XDeEXjw.exe
  C:\Windows\System32\XDeEXjw.exe
  2⤵
  PID:9068
- C:\Windows\System32\tcZmrtA.exe
  C:\Windows\System32\tcZmrtA.exe
  2⤵
  PID:9084
- C:\Windows\System32\ungyClh.exe
  C:\Windows\System32\ungyClh.exe
  2⤵
  PID:9104
- C:\Windows\System32\UfYKXCR.exe
  C:\Windows\System32\UfYKXCR.exe
  2⤵
  PID:9120
- C:\Windows\System32\dcOsWMJ.exe
  C:\Windows\System32\dcOsWMJ.exe
  2⤵
  PID:9136
- C:\Windows\System32\GIlBdgv.exe
  C:\Windows\System32\GIlBdgv.exe
  2⤵
  PID:9152
- C:\Windows\System32\zDDeEmZ.exe
  C:\Windows\System32\zDDeEmZ.exe
  2⤵
  PID:9168
- C:\Windows\System32\ThluxtD.exe
  C:\Windows\System32\ThluxtD.exe
  2⤵
  PID:9184
- C:\Windows\System32\znUMWaG.exe
  C:\Windows\System32\znUMWaG.exe
  2⤵
  PID:9204
- C:\Windows\System32\OXZKwbf.exe
  C:\Windows\System32\OXZKwbf.exe
  2⤵
  PID:8012
- C:\Windows\System32\BoUTgRq.exe
  C:\Windows\System32\BoUTgRq.exe
  2⤵
  PID:8252
- C:\Windows\System32\jTQZKUa.exe
  C:\Windows\System32\jTQZKUa.exe
  2⤵
  PID:7876
- C:\Windows\System32\ewkdYFW.exe
  C:\Windows\System32\ewkdYFW.exe
  2⤵
  PID:8288
- C:\Windows\System32\FuVcjtm.exe
  C:\Windows\System32\FuVcjtm.exe
  2⤵
  PID:8476
- C:\Windows\System32\sYgrGBY.exe
  C:\Windows\System32\sYgrGBY.exe
  2⤵
  PID:8520
- C:\Windows\System32\yQyiOaL.exe
  C:\Windows\System32\yQyiOaL.exe
  2⤵
  PID:8840
- C:\Windows\System32\hWjXiMn.exe
  C:\Windows\System32\hWjXiMn.exe
  2⤵
  PID:8976
- C:\Windows\System32\poHREye.exe
  C:\Windows\System32\poHREye.exe
  2⤵
  PID:9048
- C:\Windows\System32\VWZzUWb.exe
  C:\Windows\System32\VWZzUWb.exe
  2⤵
  PID:9116
- C:\Windows\System32\BETSbjF.exe
  C:\Windows\System32\BETSbjF.exe
  2⤵
  PID:9196
- C:\Windows\System32\ikhAXyI.exe
  C:\Windows\System32\ikhAXyI.exe
  2⤵
  PID:8272
- C:\Windows\System32\WcggyQm.exe
  C:\Windows\System32\WcggyQm.exe
  2⤵
  PID:9028
- C:\Windows\System32\CfwKuAX.exe
  C:\Windows\System32\CfwKuAX.exe
  2⤵
  PID:8456
- C:\Windows\System32\fPCZHzs.exe
  C:\Windows\System32\fPCZHzs.exe
  2⤵
  PID:8780
- C:\Windows\System32\SybtICQ.exe
  C:\Windows\System32\SybtICQ.exe
  2⤵
  PID:8796
- C:\Windows\System32\qdmpUjU.exe
  C:\Windows\System32\qdmpUjU.exe
  2⤵
  PID:8612
- C:\Windows\System32\fVghXJt.exe
  C:\Windows\System32\fVghXJt.exe
  2⤵
  PID:8968
- C:\Windows\System32\yiwmHgv.exe
  C:\Windows\System32\yiwmHgv.exe
  2⤵
  PID:9096
- C:\Windows\System32\guSkMkm.exe
  C:\Windows\System32\guSkMkm.exe
  2⤵
  PID:9164
- C:\Windows\System32\WVCdRWt.exe
  C:\Windows\System32\WVCdRWt.exe
  2⤵
  PID:8212
- C:\Windows\System32\mvYxsEb.exe
  C:\Windows\System32\mvYxsEb.exe
  2⤵
  PID:9076
- C:\Windows\System32\UPiBEKO.exe
  C:\Windows\System32\UPiBEKO.exe
  2⤵
  PID:4604
- C:\Windows\System32\cEqmyOK.exe
  C:\Windows\System32\cEqmyOK.exe
  2⤵
  PID:9180
- C:\Windows\System32\zDTqzaN.exe
  C:\Windows\System32\zDTqzaN.exe
  2⤵
  PID:728
- C:\Windows\System32\QZYQtVc.exe
  C:\Windows\System32\QZYQtVc.exe
  2⤵
  PID:9228
- C:\Windows\System32\tWwNoKG.exe
  C:\Windows\System32\tWwNoKG.exe
  2⤵
  PID:9252
- C:\Windows\System32\EFrWWZJ.exe
  C:\Windows\System32\EFrWWZJ.exe
  2⤵
  PID:9292
- C:\Windows\System32\gZulLAl.exe
  C:\Windows\System32\gZulLAl.exe
  2⤵
  PID:9328
- C:\Windows\System32\zMssHvz.exe
  C:\Windows\System32\zMssHvz.exe
  2⤵
  PID:9344
- C:\Windows\System32\boZTwcL.exe
  C:\Windows\System32\boZTwcL.exe
  2⤵
  PID:9364
- C:\Windows\System32\BXrKEpZ.exe
  C:\Windows\System32\BXrKEpZ.exe
  2⤵
  PID:9384
- C:\Windows\System32\kbMCDAw.exe
  C:\Windows\System32\kbMCDAw.exe
  2⤵
  PID:9408
- C:\Windows\System32\alPiWpd.exe
  C:\Windows\System32\alPiWpd.exe
  2⤵
  PID:9440
- C:\Windows\System32\FmQkyCH.exe
  C:\Windows\System32\FmQkyCH.exe
  2⤵
  PID:9468
- C:\Windows\System32\UDPmGTr.exe
  C:\Windows\System32\UDPmGTr.exe
  2⤵
  PID:9500
- C:\Windows\System32\ZESdYnK.exe
  C:\Windows\System32\ZESdYnK.exe
  2⤵
  PID:9516
- C:\Windows\System32\rUzrDHn.exe
  C:\Windows\System32\rUzrDHn.exe
  2⤵
  PID:9540
- C:\Windows\System32\gefKvhz.exe
  C:\Windows\System32\gefKvhz.exe
  2⤵
  PID:9568
- C:\Windows\System32\LcpIEVb.exe
  C:\Windows\System32\LcpIEVb.exe
  2⤵
  PID:9620
- C:\Windows\System32\hZNuDGn.exe
  C:\Windows\System32\hZNuDGn.exe
  2⤵
  PID:9672
- C:\Windows\System32\SWVtHmW.exe
  C:\Windows\System32\SWVtHmW.exe
  2⤵
  PID:9692
- C:\Windows\System32\MzCxskW.exe
  C:\Windows\System32\MzCxskW.exe
  2⤵
  PID:9712
- C:\Windows\System32\itqCihY.exe
  C:\Windows\System32\itqCihY.exe
  2⤵
  PID:9760
- C:\Windows\System32\nzlYVgQ.exe
  C:\Windows\System32\nzlYVgQ.exe
  2⤵
  PID:9788
- C:\Windows\System32\vZMBkcF.exe
  C:\Windows\System32\vZMBkcF.exe
  2⤵
  PID:9808
- C:\Windows\System32\gPUppwO.exe
  C:\Windows\System32\gPUppwO.exe
  2⤵
  PID:9832
- C:\Windows\System32\ojegKaS.exe
  C:\Windows\System32\ojegKaS.exe
  2⤵
  PID:9852
- C:\Windows\System32\qaGDIKe.exe
  C:\Windows\System32\qaGDIKe.exe
  2⤵
  PID:9872
- C:\Windows\System32\QrTAfix.exe
  C:\Windows\System32\QrTAfix.exe
  2⤵
  PID:9896
- C:\Windows\System32\GrYHAeV.exe
  C:\Windows\System32\GrYHAeV.exe
  2⤵
  PID:9912
- C:\Windows\System32\DOsTlJq.exe
  C:\Windows\System32\DOsTlJq.exe
  2⤵
  PID:9932
- C:\Windows\System32\cjGNnek.exe
  C:\Windows\System32\cjGNnek.exe
  2⤵
  PID:9964
- C:\Windows\System32\NYlgjSx.exe
  C:\Windows\System32\NYlgjSx.exe
  2⤵
  PID:9992
- C:\Windows\System32\iHTfUIG.exe
  C:\Windows\System32\iHTfUIG.exe
  2⤵
  PID:10012
- C:\Windows\System32\XGERXgv.exe
  C:\Windows\System32\XGERXgv.exe
  2⤵
  PID:10036
- C:\Windows\System32\eAUcAzY.exe
  C:\Windows\System32\eAUcAzY.exe
  2⤵
  PID:10096
- C:\Windows\System32\NBmonFI.exe
  C:\Windows\System32\NBmonFI.exe
  2⤵
  PID:10156
- C:\Windows\System32\mKAyqdU.exe
  C:\Windows\System32\mKAyqdU.exe
  2⤵
  PID:10172
- C:\Windows\System32\AgLXngD.exe
  C:\Windows\System32\AgLXngD.exe
  2⤵
  PID:10192
- C:\Windows\System32\jeClGUa.exe
  C:\Windows\System32\jeClGUa.exe
  2⤵
  PID:10220
- C:\Windows\System32\eVFdlTF.exe
  C:\Windows\System32\eVFdlTF.exe
  2⤵
  PID:9112
- C:\Windows\System32\LFGXnLV.exe
  C:\Windows\System32\LFGXnLV.exe
  2⤵
  PID:9276
- C:\Windows\System32\QnnHfGH.exe
  C:\Windows\System32\QnnHfGH.exe
  2⤵
  PID:9312
- C:\Windows\System32\BUvUqgy.exe
  C:\Windows\System32\BUvUqgy.exe
  2⤵
  PID:9396
- C:\Windows\System32\zlIwFyb.exe
  C:\Windows\System32\zlIwFyb.exe
  2⤵
  PID:9488
- C:\Windows\System32\TXmAMVH.exe
  C:\Windows\System32\TXmAMVH.exe
  2⤵
  PID:9524
- C:\Windows\System32\CIoSGGO.exe
  C:\Windows\System32\CIoSGGO.exe
  2⤵
  PID:9584
- C:\Windows\System32\hlAiKjU.exe
  C:\Windows\System32\hlAiKjU.exe
  2⤵
  PID:9608
- C:\Windows\System32\rUilhEI.exe
  C:\Windows\System32\rUilhEI.exe
  2⤵
  PID:9632
- C:\Windows\System32\icJMWuM.exe
  C:\Windows\System32\icJMWuM.exe
  2⤵
  PID:9740
- C:\Windows\System32\UkbnyfA.exe
  C:\Windows\System32\UkbnyfA.exe
  2⤵
  PID:9904
- C:\Windows\System32\SlPsioj.exe
  C:\Windows\System32\SlPsioj.exe
  2⤵
  PID:8720
- C:\Windows\System32\IPQNVgE.exe
  C:\Windows\System32\IPQNVgE.exe
  2⤵
  PID:10056
- C:\Windows\System32\MtZsjLS.exe
  C:\Windows\System32\MtZsjLS.exe
  2⤵
  PID:10080
- C:\Windows\System32\eLNxaDM.exe
  C:\Windows\System32\eLNxaDM.exe
  2⤵
  PID:10168
- C:\Windows\System32\jRbfgGH.exe
  C:\Windows\System32\jRbfgGH.exe
  2⤵
  PID:10232
- C:\Windows\System32\RWiubII.exe
  C:\Windows\System32\RWiubII.exe
  2⤵
  PID:9360
- C:\Windows\System32\XHEehsc.exe
  C:\Windows\System32\XHEehsc.exe
  2⤵
  PID:9452
- C:\Windows\System32\vhTywuR.exe
  C:\Windows\System32\vhTywuR.exe
  2⤵
  PID:9636
- C:\Windows\System32\IOYUxCn.exe
  C:\Windows\System32\IOYUxCn.exe
  2⤵
  PID:9684
- C:\Windows\System32\OHaAmcl.exe
  C:\Windows\System32\OHaAmcl.exe
  2⤵
  PID:9908
- C:\Windows\System32\sxAsgfT.exe
  C:\Windows\System32\sxAsgfT.exe
  2⤵
  PID:9924
- C:\Windows\System32\cfLWVZb.exe
  C:\Windows\System32\cfLWVZb.exe
  2⤵
  PID:9224
- C:\Windows\System32\xXJCTWH.exe
  C:\Windows\System32\xXJCTWH.exe
  2⤵
  PID:9380
- C:\Windows\System32\ZRAOEhB.exe
  C:\Windows\System32\ZRAOEhB.exe
  2⤵
  PID:9508
- C:\Windows\System32\VtfHKSK.exe
  C:\Windows\System32\VtfHKSK.exe
  2⤵
  PID:9700
- C:\Windows\System32\SIlwKGf.exe
  C:\Windows\System32\SIlwKGf.exe
  2⤵
  PID:10072
- C:\Windows\System32\aKudrFh.exe
  C:\Windows\System32\aKudrFh.exe
  2⤵
  PID:10276
- C:\Windows\System32\JPzDcDZ.exe
  C:\Windows\System32\JPzDcDZ.exe
  2⤵
  PID:10304
- C:\Windows\System32\XnigvBD.exe
  C:\Windows\System32\XnigvBD.exe
  2⤵
  PID:10328
- C:\Windows\System32\SHvUPRN.exe
  C:\Windows\System32\SHvUPRN.exe
  2⤵
  PID:10360
- C:\Windows\System32\bvciHym.exe
  C:\Windows\System32\bvciHym.exe
  2⤵
  PID:10376
- C:\Windows\System32\gbWbCJn.exe
  C:\Windows\System32\gbWbCJn.exe
  2⤵
  PID:10408
- C:\Windows\System32\ZtDipgw.exe
  C:\Windows\System32\ZtDipgw.exe
  2⤵
  PID:10444
- C:\Windows\System32\TOBPmMe.exe
  C:\Windows\System32\TOBPmMe.exe
  2⤵
  PID:10480
- C:\Windows\System32\ySDHpYF.exe
  C:\Windows\System32\ySDHpYF.exe
  2⤵
  PID:10512
- C:\Windows\System32\zVOXlSm.exe
  C:\Windows\System32\zVOXlSm.exe
  2⤵
  PID:10540
- C:\Windows\System32\yGBvKFI.exe
  C:\Windows\System32\yGBvKFI.exe
  2⤵
  PID:10568
- C:\Windows\System32\ZzrfqlQ.exe
  C:\Windows\System32\ZzrfqlQ.exe
  2⤵
  PID:10588
- C:\Windows\System32\JrQXISf.exe
  C:\Windows\System32\JrQXISf.exe
  2⤵
  PID:10612
- C:\Windows\System32\CmbMmVW.exe
  C:\Windows\System32\CmbMmVW.exe
  2⤵
  PID:10632
- C:\Windows\System32\gSNjBBw.exe
  C:\Windows\System32\gSNjBBw.exe
  2⤵
  PID:10648
- C:\Windows\System32\oTCaIem.exe
  C:\Windows\System32\oTCaIem.exe
  2⤵
  PID:10696
- C:\Windows\System32\zBFTUkk.exe
  C:\Windows\System32\zBFTUkk.exe
  2⤵
  PID:10724
- C:\Windows\System32\GNGxEaN.exe
  C:\Windows\System32\GNGxEaN.exe
  2⤵
  PID:10756
- C:\Windows\System32\auyKkTq.exe
  C:\Windows\System32\auyKkTq.exe
  2⤵
  PID:10772
- C:\Windows\System32\xRECFZf.exe
  C:\Windows\System32\xRECFZf.exe
  2⤵
  PID:10804
- C:\Windows\System32\OhEWeYz.exe
  C:\Windows\System32\OhEWeYz.exe
  2⤵
  PID:10836
- C:\Windows\System32\AljeThC.exe
  C:\Windows\System32\AljeThC.exe
  2⤵
  PID:10864
- C:\Windows\System32\jAzDzPw.exe
  C:\Windows\System32\jAzDzPw.exe
  2⤵
  PID:10884
- C:\Windows\System32\NwoFsak.exe
  C:\Windows\System32\NwoFsak.exe
  2⤵
  PID:10908
- C:\Windows\System32\cxRkpgs.exe
  C:\Windows\System32\cxRkpgs.exe
  2⤵
  PID:10936
- C:\Windows\System32\mkwmzes.exe
  C:\Windows\System32\mkwmzes.exe
  2⤵
  PID:10956
- C:\Windows\System32\JesRebN.exe
  C:\Windows\System32\JesRebN.exe
  2⤵
  PID:10980
- C:\Windows\System32\IvdhNrt.exe
  C:\Windows\System32\IvdhNrt.exe
  2⤵
  PID:11004
- C:\Windows\System32\swoRimG.exe
  C:\Windows\System32\swoRimG.exe
  2⤵
  PID:11036
- C:\Windows\System32\IdSzIti.exe
  C:\Windows\System32\IdSzIti.exe
  2⤵
  PID:11056
- C:\Windows\System32\zHHdqDS.exe
  C:\Windows\System32\zHHdqDS.exe
  2⤵
  PID:11080
- C:\Windows\System32\fDRliaW.exe
  C:\Windows\System32\fDRliaW.exe
  2⤵
  PID:11152
- C:\Windows\System32\iTucrLp.exe
  C:\Windows\System32\iTucrLp.exe
  2⤵
  PID:11168
- C:\Windows\System32\AkVxdJW.exe
  C:\Windows\System32\AkVxdJW.exe
  2⤵
  PID:11188
- C:\Windows\System32\gxwztTk.exe
  C:\Windows\System32\gxwztTk.exe
  2⤵
  PID:11212
- C:\Windows\System32\ptRgZHP.exe
  C:\Windows\System32\ptRgZHP.exe
  2⤵
  PID:11256
- C:\Windows\System32\IVRgOLI.exe
  C:\Windows\System32\IVRgOLI.exe
  2⤵
  PID:10268
- C:\Windows\System32\YZWZjaa.exe
  C:\Windows\System32\YZWZjaa.exe
  2⤵
  PID:10204
- C:\Windows\System32\HMocnur.exe
  C:\Windows\System32\HMocnur.exe
  2⤵
  PID:10348
- C:\Windows\System32\HNMEahv.exe
  C:\Windows\System32\HNMEahv.exe
  2⤵
  PID:10392
- C:\Windows\System32\zdMYhbS.exe
  C:\Windows\System32\zdMYhbS.exe
  2⤵
  PID:10532
- C:\Windows\System32\QIJFdzv.exe
  C:\Windows\System32\QIJFdzv.exe
  2⤵
  PID:10604
- C:\Windows\System32\STfwSFV.exe
  C:\Windows\System32\STfwSFV.exe
  2⤵
  PID:10620
- C:\Windows\System32\pvgTjVA.exe
  C:\Windows\System32\pvgTjVA.exe
  2⤵
  PID:10660
- C:\Windows\System32\ePdELKc.exe
  C:\Windows\System32\ePdELKc.exe
  2⤵
  PID:10736
- C:\Windows\System32\kQUpMmJ.exe
  C:\Windows\System32\kQUpMmJ.exe
  2⤵
  PID:10788
- C:\Windows\System32\uDelEqB.exe
  C:\Windows\System32\uDelEqB.exe
  2⤵
  PID:10860
- C:\Windows\System32\UEtbGyB.exe
  C:\Windows\System32\UEtbGyB.exe
  2⤵
  PID:10916
- C:\Windows\System32\KeqBdjO.exe
  C:\Windows\System32\KeqBdjO.exe
  2⤵
  PID:11000
- C:\Windows\System32\fSRGwmc.exe
  C:\Windows\System32\fSRGwmc.exe
  2⤵
  PID:10948
- C:\Windows\System32\GOObXFt.exe
  C:\Windows\System32\GOObXFt.exe
  2⤵
  PID:11108
- C:\Windows\System32\YxcYlyG.exe
  C:\Windows\System32\YxcYlyG.exe
  2⤵
  PID:11248
- C:\Windows\System32\VsjSknM.exe
  C:\Windows\System32\VsjSknM.exe
  2⤵
  PID:9144
- C:\Windows\System32\fPBYNvr.exe
  C:\Windows\System32\fPBYNvr.exe
  2⤵
  PID:10384
- C:\Windows\System32\LZUemsY.exe
  C:\Windows\System32\LZUemsY.exe
  2⤵
  PID:10504
- C:\Windows\System32\lVFqCHa.exe
  C:\Windows\System32\lVFqCHa.exe
  2⤵
  PID:10628
- C:\Windows\System32\NUlwjYo.exe
  C:\Windows\System32\NUlwjYo.exe
  2⤵
  PID:10680
- C:\Windows\System32\VrxOXUw.exe
  C:\Windows\System32\VrxOXUw.exe
  2⤵
  PID:10904
- C:\Windows\System32\AgkTURM.exe
  C:\Windows\System32\AgkTURM.exe
  2⤵
  PID:10796
- C:\Windows\System32\TzrlDzH.exe
  C:\Windows\System32\TzrlDzH.exe
  2⤵
  PID:11088
- C:\Windows\System32\BTeSweZ.exe
  C:\Windows\System32\BTeSweZ.exe
  2⤵
  PID:11160
- C:\Windows\System32\TjHYBPC.exe
  C:\Windows\System32\TjHYBPC.exe
  2⤵
  PID:10688
- C:\Windows\System32\aAaNmxK.exe
  C:\Windows\System32\aAaNmxK.exe
  2⤵
  PID:10356
- C:\Windows\System32\USWGDto.exe
  C:\Windows\System32\USWGDto.exe
  2⤵
  PID:11112
- C:\Windows\System32\neJlQiH.exe
  C:\Windows\System32\neJlQiH.exe
  2⤵
  PID:11276
- C:\Windows\System32\SwcyGlp.exe
  C:\Windows\System32\SwcyGlp.exe
  2⤵
  PID:11296
- C:\Windows\System32\QNTfHhW.exe
  C:\Windows\System32\QNTfHhW.exe
  2⤵
  PID:11340
- C:\Windows\System32\etmPCSv.exe
  C:\Windows\System32\etmPCSv.exe
  2⤵
  PID:11372
- C:\Windows\System32\SYofXEy.exe
  C:\Windows\System32\SYofXEy.exe
  2⤵
  PID:11392
- C:\Windows\System32\HuXgiOh.exe
  C:\Windows\System32\HuXgiOh.exe
  2⤵
  PID:11412
- C:\Windows\System32\EpKohxr.exe
  C:\Windows\System32\EpKohxr.exe
  2⤵
  PID:11432
- C:\Windows\System32\qvJMecK.exe
  C:\Windows\System32\qvJMecK.exe
  2⤵
  PID:11460
- C:\Windows\System32\gqKeZiA.exe
  C:\Windows\System32\gqKeZiA.exe
  2⤵
  PID:11484
- C:\Windows\System32\qXanOGO.exe
  C:\Windows\System32\qXanOGO.exe
  2⤵
  PID:11504
- C:\Windows\System32\eiTrHev.exe
  C:\Windows\System32\eiTrHev.exe
  2⤵
  PID:11540
- C:\Windows\System32\iWWmqNO.exe
  C:\Windows\System32\iWWmqNO.exe
  2⤵
  PID:11580
- C:\Windows\System32\eHzwTds.exe
  C:\Windows\System32\eHzwTds.exe
  2⤵
  PID:11608
- C:\Windows\System32\CUiPKSG.exe
  C:\Windows\System32\CUiPKSG.exe
  2⤵
  PID:11636
- C:\Windows\System32\cIJwgBA.exe
  C:\Windows\System32\cIJwgBA.exe
  2⤵
  PID:11680
- C:\Windows\System32\jAojznh.exe
  C:\Windows\System32\jAojznh.exe
  2⤵
  PID:11708
- C:\Windows\System32\IOsUdRY.exe
  C:\Windows\System32\IOsUdRY.exe
  2⤵
  PID:11724
- C:\Windows\System32\UZEzWyf.exe
  C:\Windows\System32\UZEzWyf.exe
  2⤵
  PID:11740
- C:\Windows\System32\QVpzhZr.exe
  C:\Windows\System32\QVpzhZr.exe
  2⤵
  PID:11760
- C:\Windows\System32\eOFPlLH.exe
  C:\Windows\System32\eOFPlLH.exe
  2⤵
  PID:11820
- C:\Windows\System32\ONpiqcp.exe
  C:\Windows\System32\ONpiqcp.exe
  2⤵
  PID:11844
- C:\Windows\System32\aqNoUVS.exe
  C:\Windows\System32\aqNoUVS.exe
  2⤵
  PID:11864
- C:\Windows\System32\BzDNHBq.exe
  C:\Windows\System32\BzDNHBq.exe
  2⤵
  PID:11884
- C:\Windows\System32\yrZsMfR.exe
  C:\Windows\System32\yrZsMfR.exe
  2⤵
  PID:11920
- C:\Windows\System32\IVAPgRj.exe
  C:\Windows\System32\IVAPgRj.exe
  2⤵
  PID:11948
- C:\Windows\System32\lzSjyKz.exe
  C:\Windows\System32\lzSjyKz.exe
  2⤵
  PID:11972
- C:\Windows\System32\mFMZxdQ.exe
  C:\Windows\System32\mFMZxdQ.exe
  2⤵
  PID:12004
- C:\Windows\System32\kAiNlON.exe
  C:\Windows\System32\kAiNlON.exe
  2⤵
  PID:12024
- C:\Windows\System32\IHElFqL.exe
  C:\Windows\System32\IHElFqL.exe
  2⤵
  PID:12044
- C:\Windows\System32\FhQQleR.exe
  C:\Windows\System32\FhQQleR.exe
  2⤵
  PID:12064
- C:\Windows\System32\wutPYvt.exe
  C:\Windows\System32\wutPYvt.exe
  2⤵
  PID:12096
- C:\Windows\System32\Xqisnzl.exe
  C:\Windows\System32\Xqisnzl.exe
  2⤵
  PID:12112
- C:\Windows\System32\hbNhqeM.exe
  C:\Windows\System32\hbNhqeM.exe
  2⤵
  PID:12136
- C:\Windows\System32\DiLqfJc.exe
  C:\Windows\System32\DiLqfJc.exe
  2⤵
  PID:12164
- C:\Windows\System32\cRPohLq.exe
  C:\Windows\System32\cRPohLq.exe
  2⤵
  PID:12196
- C:\Windows\System32\NNWNQrQ.exe
  C:\Windows\System32\NNWNQrQ.exe
  2⤵
  PID:12220
- C:\Windows\System32\uDJPVrH.exe
  C:\Windows\System32\uDJPVrH.exe
  2⤵
  PID:12252
- C:\Windows\System32\xQbzhzd.exe
  C:\Windows\System32\xQbzhzd.exe
  2⤵
  PID:12276
- C:\Windows\System32\csIPShR.exe
  C:\Windows\System32\csIPShR.exe
  2⤵
  PID:11324
- C:\Windows\System32\xsPErJz.exe
  C:\Windows\System32\xsPErJz.exe
  2⤵
  PID:11380
- C:\Windows\System32\EzNVkIE.exe
  C:\Windows\System32\EzNVkIE.exe
  2⤵
  PID:11536
- C:\Windows\System32\POQBLMe.exe
  C:\Windows\System32\POQBLMe.exe
  2⤵
  PID:11596
- C:\Windows\System32\rLUwpzQ.exe
  C:\Windows\System32\rLUwpzQ.exe
  2⤵
  PID:11620
- C:\Windows\System32\zrHeyqL.exe
  C:\Windows\System32\zrHeyqL.exe
  2⤵
  PID:11700
- C:\Windows\System32\fTfITdF.exe
  C:\Windows\System32\fTfITdF.exe
  2⤵
  PID:11776
- C:\Windows\System32\ExZCNuJ.exe
  C:\Windows\System32\ExZCNuJ.exe
  2⤵
  PID:11856
- C:\Windows\System32\DEZGdrR.exe
  C:\Windows\System32\DEZGdrR.exe
  2⤵
  PID:11892
- C:\Windows\System32\NbkanVB.exe
  C:\Windows\System32\NbkanVB.exe
  2⤵
  PID:11932
- C:\Windows\System32\YWirQhK.exe
  C:\Windows\System32\YWirQhK.exe
  2⤵
  PID:12108
- C:\Windows\System32\eUESisM.exe
  C:\Windows\System32\eUESisM.exe
  2⤵
  PID:12088
- C:\Windows\System32\HUzPdWl.exe
  C:\Windows\System32\HUzPdWl.exe
  2⤵
  PID:12148
- C:\Windows\System32\wbbbhLe.exe
  C:\Windows\System32\wbbbhLe.exe
  2⤵
  PID:12216
- C:\Windows\System32\zpdtUFY.exe
  C:\Windows\System32\zpdtUFY.exe
  2⤵
  PID:12284
- C:\Windows\System32\vDrnDIb.exe
  C:\Windows\System32\vDrnDIb.exe
  2⤵
  PID:12272
- C:\Windows\System32\FtJVqtf.exe
  C:\Windows\System32\FtJVqtf.exe
  2⤵
  PID:11476
- C:\Windows\System32\PHQBEXn.exe
  C:\Windows\System32\PHQBEXn.exe
  2⤵
  PID:11560
- C:\Windows\System32\MlGFaUO.exe
  C:\Windows\System32\MlGFaUO.exe
  2⤵
  PID:11676
- C:\Windows\System32\soKWYUK.exe
  C:\Windows\System32\soKWYUK.exe
  2⤵
  PID:11904
- C:\Windows\System32\XzArqYj.exe
  C:\Windows\System32\XzArqYj.exe
  2⤵
  PID:12104
- C:\Windows\System32\cssdKoT.exe
  C:\Windows\System32\cssdKoT.exe
  2⤵
  PID:11452
- C:\Windows\System32\ttFhkam.exe
  C:\Windows\System32\ttFhkam.exe
  2⤵
  PID:12144
- C:\Windows\System32\omLHbDf.exe
  C:\Windows\System32\omLHbDf.exe
  2⤵
  PID:11400
- C:\Windows\System32\oxDOhch.exe
  C:\Windows\System32\oxDOhch.exe
  2⤵
  PID:12312
- C:\Windows\System32\HaRXcgJ.exe
  C:\Windows\System32\HaRXcgJ.exe
  2⤵
  PID:12348
- C:\Windows\System32\LCPeJNv.exe
  C:\Windows\System32\LCPeJNv.exe
  2⤵
  PID:12372
- C:\Windows\System32\MimAHjx.exe
  C:\Windows\System32\MimAHjx.exe
  2⤵
  PID:12392
- C:\Windows\System32\HqcHvML.exe
  C:\Windows\System32\HqcHvML.exe
  2⤵
  PID:12428
- C:\Windows\System32\qQduVKD.exe
  C:\Windows\System32\qQduVKD.exe
  2⤵
  PID:12460
- C:\Windows\System32\bSFLgOS.exe
  C:\Windows\System32\bSFLgOS.exe
  2⤵
  PID:12484
- C:\Windows\System32\RlkOjEV.exe
  C:\Windows\System32\RlkOjEV.exe
  2⤵
  PID:12500
- C:\Windows\System32\HGTtDxD.exe
  C:\Windows\System32\HGTtDxD.exe
  2⤵
  PID:12560
- C:\Windows\System32\piHMFEd.exe
  C:\Windows\System32\piHMFEd.exe
  2⤵
  PID:12580
- C:\Windows\System32\wRxZIiF.exe
  C:\Windows\System32\wRxZIiF.exe
  2⤵
  PID:12604
- C:\Windows\System32\gDcjmHd.exe
  C:\Windows\System32\gDcjmHd.exe
  2⤵
  PID:12636
- C:\Windows\System32\oabYRtw.exe
  C:\Windows\System32\oabYRtw.exe
  2⤵
  PID:12656
- C:\Windows\System32\VehZvrf.exe
  C:\Windows\System32\VehZvrf.exe
  2⤵
  PID:12712
- C:\Windows\System32\cawQwAM.exe
  C:\Windows\System32\cawQwAM.exe
  2⤵
  PID:12740
- C:\Windows\System32\KbJOrBp.exe
  C:\Windows\System32\KbJOrBp.exe
  2⤵
  PID:12756
- C:\Windows\System32\ZomzTyB.exe
  C:\Windows\System32\ZomzTyB.exe
  2⤵
  PID:12784
- C:\Windows\System32\qAsYglT.exe
  C:\Windows\System32\qAsYglT.exe
  2⤵
  PID:12804
- C:\Windows\System32\nzzzasF.exe
  C:\Windows\System32\nzzzasF.exe
  2⤵
  PID:12836
- C:\Windows\System32\uTfpwmp.exe
  C:\Windows\System32\uTfpwmp.exe
  2⤵
  PID:12852
- C:\Windows\System32\ohAqWYK.exe
  C:\Windows\System32\ohAqWYK.exe
  2⤵
  PID:12884
- C:\Windows\System32\mWeZNHS.exe
  C:\Windows\System32\mWeZNHS.exe
  2⤵
  PID:12924
- C:\Windows\System32\DzMKNUn.exe
  C:\Windows\System32\DzMKNUn.exe
  2⤵
  PID:12952
- C:\Windows\System32\ISrjUHP.exe
  C:\Windows\System32\ISrjUHP.exe
  2⤵
  PID:12996
- C:\Windows\System32\ZUVOuck.exe
  C:\Windows\System32\ZUVOuck.exe
  2⤵
  PID:13012
- C:\Windows\System32\lxLHmLl.exe
  C:\Windows\System32\lxLHmLl.exe
  2⤵
  PID:13040
- C:\Windows\System32\ihPizwU.exe
  C:\Windows\System32\ihPizwU.exe
  2⤵
  PID:13056
- C:\Windows\System32\xDWvISZ.exe
  C:\Windows\System32\xDWvISZ.exe
  2⤵
  PID:13092
- C:\Windows\System32\mhglVeM.exe
  C:\Windows\System32\mhglVeM.exe
  2⤵
  PID:13116
- C:\Windows\System32\mVSpOUT.exe
  C:\Windows\System32\mVSpOUT.exe
  2⤵
  PID:13132
- C:\Windows\System32\JdCIyuQ.exe
  C:\Windows\System32\JdCIyuQ.exe
  2⤵
  PID:13168
- C:\Windows\System32\lWVxGBZ.exe
  C:\Windows\System32\lWVxGBZ.exe
  2⤵
  PID:13184
- C:\Windows\System32\HnJvcGo.exe
  C:\Windows\System32\HnJvcGo.exe
  2⤵
  PID:13212
- C:\Windows\System32\wrKCmIz.exe
  C:\Windows\System32\wrKCmIz.exe
  2⤵
  PID:13232
- C:\Windows\System32\GrqrWaA.exe
  C:\Windows\System32\GrqrWaA.exe
  2⤵
  PID:13260
- C:\Windows\System32\TqiRLqa.exe
  C:\Windows\System32\TqiRLqa.exe
  2⤵
  PID:13280
- C:\Windows\System32\jwqHZJJ.exe
  C:\Windows\System32\jwqHZJJ.exe
  2⤵
  PID:13300
- C:\Windows\System32\EOzTfGy.exe
  C:\Windows\System32\EOzTfGy.exe
  2⤵
  PID:12368
- C:\Windows\System32\gTDMSrl.exe
  C:\Windows\System32\gTDMSrl.exe
  2⤵
  PID:12384
- C:\Windows\System32\kHYlIzl.exe
  C:\Windows\System32\kHYlIzl.exe
  2⤵
  PID:12456
- C:\Windows\System32\uLCqMXm.exe
  C:\Windows\System32\uLCqMXm.exe
  2⤵
  PID:12532
- C:\Windows\System32\hXkfDsO.exe
  C:\Windows\System32\hXkfDsO.exe
  2⤵
  PID:12600
- C:\Windows\System32\PRuykfE.exe
  C:\Windows\System32\PRuykfE.exe
  2⤵
  PID:12684
- C:\Windows\System32\mposwJC.exe
  C:\Windows\System32\mposwJC.exe
  2⤵
  PID:12700
- C:\Windows\System32\XTMyNXy.exe
  C:\Windows\System32\XTMyNXy.exe
  2⤵
  PID:12792
- C:\Windows\System32\DfSelRg.exe
  C:\Windows\System32\DfSelRg.exe
  2⤵
  PID:12800
- C:\Windows\System32\tZLkekN.exe
  C:\Windows\System32\tZLkekN.exe
  2⤵
  PID:12844
- C:\Windows\System32\PZaLRvC.exe
  C:\Windows\System32\PZaLRvC.exe
  2⤵
  PID:12948
- C:\Windows\System32\wDpBhrx.exe
  C:\Windows\System32\wDpBhrx.exe
  2⤵
  PID:13004
- C:\Windows\System32\uzdoMFN.exe
  C:\Windows\System32\uzdoMFN.exe
  2⤵
  PID:13048
- C:\Windows\System32\BbUTABE.exe
  C:\Windows\System32\BbUTABE.exe
  2⤵
  PID:13140
- C:\Windows\System32\HvxdnPs.exe
  C:\Windows\System32\HvxdnPs.exe
  2⤵
  PID:13200
- C:\Windows\System32\OVQISUv.exe
  C:\Windows\System32\OVQISUv.exe
  2⤵
  PID:13248
- C:\Windows\System32\QuFsxKb.exe
  C:\Windows\System32\QuFsxKb.exe
  2⤵
  PID:13296
- C:\Windows\System32\GoYGxfs.exe
  C:\Windows\System32\GoYGxfs.exe
  2⤵
  PID:12468
- C:\Windows\System32\tvkazqp.exe
  C:\Windows\System32\tvkazqp.exe
  2⤵
  PID:12720
- C:\Windows\System32\GTEYsWH.exe
  C:\Windows\System32\GTEYsWH.exe
  2⤵
  PID:13024
- C:\Windows\System32\pEhnQwr.exe
  C:\Windows\System32\pEhnQwr.exe
  2⤵
  PID:12892
- C:\Windows\System32\ajujJeC.exe
  C:\Windows\System32\ajujJeC.exe
  2⤵
  PID:13072
- C:\Windows\System32\xwBqesh.exe
  C:\Windows\System32\xwBqesh.exe
  2⤵
  PID:13292
- C:\Windows\System32\AawscSw.exe
  C:\Windows\System32\AawscSw.exe
  2⤵
  PID:13308
- C:\Windows\System32\MtDKxSC.exe
  C:\Windows\System32\MtDKxSC.exe
  2⤵
  PID:13272
- C:\Windows\System32\KCOorCb.exe
  C:\Windows\System32\KCOorCb.exe
  2⤵
  PID:13052
- C:\Windows\System32\zgxrVJP.exe
  C:\Windows\System32\zgxrVJP.exe
  2⤵
  PID:12668
- C:\Windows\System32\vximOwo.exe
  C:\Windows\System32\vximOwo.exe
  2⤵
  PID:13356
- C:\Windows\System32\TchzPQh.exe
  C:\Windows\System32\TchzPQh.exe
  2⤵
  PID:13380
- C:\Windows\System32\FqwVnHs.exe
  C:\Windows\System32\FqwVnHs.exe
  2⤵
  PID:13408
- C:\Windows\System32\WvmRHRE.exe
  C:\Windows\System32\WvmRHRE.exe
  2⤵
  PID:13440
- C:\Windows\System32\xMNBAyJ.exe
  C:\Windows\System32\xMNBAyJ.exe
  2⤵
  PID:13480
- C:\Windows\System32\sbLnkPt.exe
  C:\Windows\System32\sbLnkPt.exe
  2⤵
  PID:13508
- C:\Windows\System32\rTYelbK.exe
  C:\Windows\System32\rTYelbK.exe
  2⤵
  PID:13528
- C:\Windows\System32\hFEVIUm.exe
  C:\Windows\System32\hFEVIUm.exe
  2⤵
  PID:13556
- C:\Windows\System32\XmBBYKK.exe
  C:\Windows\System32\XmBBYKK.exe
  2⤵
  PID:13580
- C:\Windows\System32\lDOrLvx.exe
  C:\Windows\System32\lDOrLvx.exe
  2⤵
  PID:13632
- C:\Windows\System32\elHNBkn.exe
  C:\Windows\System32\elHNBkn.exe
  2⤵
  PID:13660
- C:\Windows\System32\QuXGIgc.exe
  C:\Windows\System32\QuXGIgc.exe
  2⤵
  PID:13684
- C:\Windows\System32\VHsbHiq.exe
  C:\Windows\System32\VHsbHiq.exe
  2⤵
  PID:13700

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:14156
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:13464

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5032

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5796

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:14104

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7496

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9756

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5164

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3716

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3800

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:6540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6768

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3428

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:8080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5620

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:11164

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:8900

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4284

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:11388

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13900

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6096

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4956

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11188

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:764

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7552

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10556

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11884

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12196

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11492

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12440

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:760

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4128

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14276

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\1EALJNKU\microsoft.windows[1].xml

Filesize
97B

MD5
e9474f76e56e4f8298ed32d85776ddc0

SHA1
85b5c1919bb4fe74dc30b4dd0911d1994dd0974f

SHA256
b62242af1adf03ea40e4dff979f8b28430afebd75f7bf0e04a54745a47972c61

SHA512
7b1b354c53b204e1ac9b9fba462dd2474cedf64607be42d5865ca2dca611b9b2224ed84ff696978d1ac35adccb2f2199111dffcf54cd4189dc5b989678b55ab6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133702858507514035.txt

Filesize
75KB

MD5
bdd1d788ccfaaf24b6c6e290567ca419

SHA1
01224686aaf3513c61ca9c199cbd44dd9908105d

SHA256
e7e4ee2b2cb594b38de26195f4a93ac51e0fd93049e9a1fbf861615a64e61cab

SHA512
ab3cebb7d2dcf3b43e9fb2deac16fd0d85a0f8c24112542c32ebf26dc52fed2db9b01557b60b730149a600c7bc446384404f381dd6d1753b9dbcb874914910a6

Download Submit
C:\Windows\System32\BhZrwHw.exe

Filesize
1.4MB

MD5
b19882bb24bede2cd2003639af50f0b8

SHA1
83df984111eb71ce81ee9b9e43346688832772e2

SHA256
cb8b32fe68b15b97ebc68ebfa1ebb766c15060fdad17f3a0121bb2de781604fc

SHA512
c3cc8b37d377e0ed92c8dd95db008825d2596fa2a96285d2ada4a95d44f8fd8752052af5e6bb81446f3e921bc57ecfc19e5020d6cddb2c7ddd876b5ddb38c324

Download Submit
C:\Windows\System32\ESKTFML.exe

Filesize
1.4MB

MD5
446ec814be8d5d5d81e8a2d31fc1229f

SHA1
147402fc1824e9f41c58c5f717bd626b6a2bfb24

SHA256
fec47c4f98c7c189d1f16f1b9c080f9f647d48f0e9c0247e7e761c13bea38420

SHA512
4798e9c58e6355c40b509591b5b3b9e054bd08c4e1179df7568a15d7f34f87c631b1eda413ab7de4ec5e53fc41e0144d7df409b04f73ee045bbbd96f9852a39b

Download Submit
C:\Windows\System32\IYOcfpT.exe

Filesize
1.4MB

MD5
c9a13478fb8651f3d9169955aac7c9d5

SHA1
a72b0fef2cc3bd0f23df6ab263209924c971bee2

SHA256
6f994aaf3f471f9553b18b2f612039db69257c3c9fbc0ca69db3c3e4ed99d905

SHA512
6cf5f9c986a14bb1ef68fc1322bf2d7273605f50e01e16d1a2da51b512beb12ac6302f7ec6672ce0f4d11b3c46526eb7ff490a8bbabb6613f4d473cd7260ef55

Download Submit
C:\Windows\System32\ImYzPWg.exe

Filesize
1.4MB

MD5
b780ea7835ca94b3a6c1bd8eea8a5ad6

SHA1
6259055e93a8694c8c078f816966a2cd4e99f4e6

SHA256
a16e43baf03d8f63115cac03f69938bbec3b9a03b079bb2968d8644fbcd7aad3

SHA512
bbc888ae13a155d2334e0e7494ba5c8d67ed50ad32e9e89043ad52a880162d6ce1af1f1b01e54a7ac204a4d4405d005c1480a47a8dbda500cfe18d8d97762f71

Download Submit
C:\Windows\System32\MDEADCv.exe

Filesize
1.4MB

MD5
cb5a2a3b1f41761a86ca8673c5cd16fd

SHA1
c09557bd343f79e0cdd2a8746c2ef8b43d1d79df

SHA256
60cc04e038fec7d7ae898147239d4dad75221bae6bfb0d020bd8cd7ba80c5bf2

SHA512
68108d236dca7db8aa2c4e92664dbcdc1c696f8fc8a3e6f6773c555910b6b23742459f71c9a213391ebabf8e6cdf864c85caa53a635ef78fcd236e4ed2f43fec

Download Submit
C:\Windows\System32\MMJbRwO.exe

Filesize
1.4MB

MD5
83ffd5c155695489a3abca0900448d2e

SHA1
ff20f1871a839a39ebc5b8959026f228e6c8d1bb

SHA256
041b33fe67e6c1625184a786dca6e5eb876cc8a017fa3a188fe35a06e606115b

SHA512
0f7825637b99b93fd86002ef76cc05a7916c8c312c64f862badef86e7c5cd6e708b2511734a5458970c510a1ea41914afc59e315c3832027f21e78cffdcb6900

Download Submit
C:\Windows\System32\MhOoHZl.exe

Filesize
1.4MB

MD5
09011199b7dc580d39c452baea0890a2

SHA1
158a9a57a3c7d838471fef30ad0548ce9ee6944d

SHA256
cabe49fdc7a615c662d846fcfb5acc70c6f233b11df9a963d1804c27c4aceef5

SHA512
30de3ab7bdb2eb9ff6340f7c173b141f7134a7a0d7aa66922955ecac1bb54f9748a0f7393ac749186e1942f59fc71a9cb35a6c7fcb952c5c9cdb6877d15147fe

Download Submit
C:\Windows\System32\NumoYYX.exe

Filesize
1.4MB

MD5
eeb8aa446e3d7082d6a952f3a37c391b

SHA1
451fb7477f87847974488227664bf75b0cff4e6a

SHA256
2769e4866d2b3d46e08c47e4ba0ea362012ec61e00af2e47ef4db1807a47735a

SHA512
39ffce1205851778a1e4195c5e479c668b77cef3da5b34affede531ad518ecba8620152844e518f604bd93ed028ab8b2f4ee41113e19c1e2cb0063c4635d7a12

Download Submit
C:\Windows\System32\RFunCGt.exe

Filesize
1.4MB

MD5
7ed4600dbc6b3a03e9126e2752727150

SHA1
ec04bcbe17a612b7bb379c51c798eec75c1fc619

SHA256
d376dbd3aab2dc18f39b5b00d2746a3292d132ff3dc5bd4b4b755350a4bb0d5b

SHA512
5e7a0e47c289978af212b2edf4aa8b4b04c3c3b4c220c1956effaa10437b84fc46768dd19dd6b796cf68ac62ff853bfb52aa47e763470f95eabc00e9df305fd6

Download Submit
C:\Windows\System32\TbAZWqd.exe

Filesize
1.4MB

MD5
44cc00b16b4072315c17eb48d1763bcd

SHA1
531d0d5427765b8c671b47c0162e43d9d5be1ecf

SHA256
3c00635ef571d8bb9677c1529f56c94678abdbd8f58c63c70b0f383d6e09e586

SHA512
30bf4cb90da632468c4caeb5312785f25eb6ac073128edc5f38aac21bcf4322c0ec7e54c9606806104a3dc023e5e647a795705fcbbe3833ec50a6cdfe79cbd01

Download Submit
C:\Windows\System32\ZpvVfbF.exe

Filesize
1.4MB

MD5
acfa391e40a1c619768e3eb6bf57a676

SHA1
0ca0c89f2b9555383f4d5c14845fa286b78716f8

SHA256
797813d3679d007f8ba0d5e722b18df592b7fd8c7b230f6133a0be118cc46044

SHA512
ac8a228328b579b73eeef647ca771add814be0b2dcc3baa154b1fc27c52b634e2b84b0ddb0d4a74cab2f29a034da09fd02ed7f7a9409fee047e3e3a68c5f7d95

Download Submit
C:\Windows\System32\ZvfhBQm.exe

Filesize
1.4MB

MD5
74192b6fd5bab61ac8f674e67d399486

SHA1
25571d61512c260b350242b533f059938c87283c

SHA256
88876cb30c4ee3eca318debf2f23054f5fc643e6ccd09494748b45a53948365f

SHA512
990ca87206230bd71e782de795ffa7113ce4617645e2aed6bb406d32ec428b22c9645d6d4665d0c668083184e854113f78012caed36d7a9ce39f5c4ce11686c7

Download Submit
C:\Windows\System32\aRKYoBr.exe

Filesize
1.4MB

MD5
0fe60f1849e61a8b58f9472dafd6434e

SHA1
db928cd2dfc655e45e830e734824685887d3ab97

SHA256
3e14e60b7ad47b01a27ac49c03741c979d6d943c489c2f5fc52f52d2dc65700f

SHA512
41be694244971d4186d3b573c06e3d6e4f07afeae7481b6ae7ab275ee3989260e7ba90a2ccb6761629ca4b8a5a4c0f6f3d8ee5c446062eb91a66d27994f7b57b

Download Submit
C:\Windows\System32\bpmqxHg.exe

Filesize
1.4MB

MD5
645886f1d9725bdacfed09511ecb406d

SHA1
b0fe231484cca7b4f63488594126a0977353c0c3

SHA256
b2c5ccae99675474c8501d6fcf6df03048687043edb5707b83ec0ab5d8d65e87

SHA512
66d95d6751e70b61ae346d419843e02c22897fe5b54ec5d9fc353a7980c886769afee2ae2102245cbc47dfe64e759919358d53a2e61fbf86ae327a2cc9f490a1

Download Submit
C:\Windows\System32\cKffiCm.exe

Filesize
1.4MB

MD5
850d9190c2c61af3370efdb9b8b55efd

SHA1
a492a73bd5c6baf195556eaa6fc3657bfaf1186c

SHA256
d4da37d31b234c87353c1153c818c4892b65b1f9962501d0cc9eaa0059dff564

SHA512
06531b3e7275bcfadb8314886e6828062e4336f551efa1178ecbd3b67fa65723a5b8e8c0935d89135fdb88db4bc59a92b539a2b8b1ba3ad02900a1cc174fb829

Download Submit
C:\Windows\System32\doPWXXR.exe

Filesize
1.4MB

MD5
1f788190f1808cff6c9bc78212248cd0

SHA1
e32ab35293f256af9b101ea313598723b9f3cca5

SHA256
187a9829f32c6df74858c6e06b1185b4e07795887d13e0a72a1a0fdcd2fd8338

SHA512
3b50c957327f25def3661980110924270662781022381c1b837cd4bbd2e79b31bfc1e4a7b253cd164f82c06534e9831ec493a7b2bce0db449236172949ae5c19

Download Submit
C:\Windows\System32\eIeMSTQ.exe

Filesize
1.4MB

MD5
2ff33edd0c357ada3d9950df0e35031d

SHA1
7db147ac1158b888225a262ef01076e65542e42d

SHA256
690dc97768804758e9f22dceab37e52fc4f355ff6461a49e65cde2ca012fe96d

SHA512
1b2a01b454be9e3974e3c6d7f547cc3d08ec0dc46d80b3e96faa47a779af78453d458061c42bbc5dc0b6e7817e44f36ab029b44da713ac6e60517deb705d208a

Download Submit
C:\Windows\System32\gBDYela.exe

Filesize
1.4MB

MD5
473ee06b870eca1c3c6e023eb659a02a

SHA1
f8f792a67dd5d91e293a128b5d7c4fdb7a755853

SHA256
ae12766a50f3376a3bca7e8f5c9eefb0f602d23899973dc5394ead2db4dbb438

SHA512
537fdddb16e158ba0cef2c877eced6b7227dd4e0d5f3b24d7470697386a18227e074164ca3bb93e3d83ee6e78826d139b8ff17284c4981e5a3051351a8c019d7

Download Submit
C:\Windows\System32\jMxpPxd.exe

Filesize
1.4MB

MD5
abf935a5bfde8462719de7f43559a70b

SHA1
2254f6637f520b96ec2b31f068f86725a7c562d1

SHA256
a4ee6da8603a59bfb85c6e63047584328b188f867f70b2178c5052024670ae03

SHA512
6bc51187b8afe0a0be63c8becde4dfa06da8009cf95a098dc960c49fe0d43d1cc124fbdac8ac517bd0e64074aa2e57294ae0d14690e0810868f1a79bdcc6a408

Download Submit
C:\Windows\System32\kCCjGfj.exe

Filesize
1.4MB

MD5
f5fb4534a1033d414ccefb2e0508db34

SHA1
bf3ef1910946892a0e1fa1278d7b4d691ac5838e

SHA256
1f0930a18b109901edbda8014cd4f79c1ee39e231ca20a299e836ff1db748bf0

SHA512
9e1de88f308d9da83a2949682a7a7dec3e36563467a8a3ed7664fab31f047ae15676f002b78c4b5f60980e581806a12bc50fca64e1d5f4dc91d676c2318b1e3b

Download Submit
C:\Windows\System32\nFDGULl.exe

Filesize
1.4MB

MD5
31e4ca511ebcc3ddc58c75dcbb4e09ab

SHA1
f5e3c51255085f57ed70e25cfda8ca75896a2065

SHA256
c3b42c3684959be999210119c69d80c519472cddfe479fee546da28706b2b195

SHA512
6f2369863e4c23c0feebe6d63709e815f82f1014768056210490ec6edbd401d141285a4afb875364d48adc44af3a72ad37a0c0d37bf6adaa29c157d74abd4cf9

Download Submit
C:\Windows\System32\nNJhgdX.exe

Filesize
1.4MB

MD5
a331e4dd648f8ab31edafac01cfeee77

SHA1
29daa93f11907a9235506bc95e9507609ccda92f

SHA256
7a708e7e84acf11083452afc00c5f7fcb4be8dca799ba3a0740f0c9b6f24165d

SHA512
93c495d5f96a39490439cce20111180eca4c21c0ca2f52d5c765406c3b7527429b1b12494ab9ab160334305f751c79e4bb6a67ab8e765947c8c3cd340b813fe1

Download Submit
C:\Windows\System32\plAhNXi.exe

Filesize
1.4MB

MD5
c8e4aacec9ff9f75734194c9a6c2ae29

SHA1
81e8c490f06cfc67f67cda764203c35d7625e049

SHA256
65357ade703d1fd064a23c019dc14dc8358cc9471284f220a2fabc50348d2447

SHA512
d605fbdba1a9387d70e87fa3e17423e63848d273c6dfa56543789b5a6187ade411292bcc0f5f3fb70ed1fd1857ee0388d00012b752e7b3f683a7250d97cd4d9f

Download Submit
C:\Windows\System32\qeMlAqN.exe

Filesize
1.4MB

MD5
1dcaa371e914b404260b19ea9399723c

SHA1
d1e0a9116a7c49428c1c49e60e9e7a316248563b

SHA256
b8ae221c781f909521e49a05eda67274b8017af3a770dca4b84f87bb17ab0402

SHA512
b8a80d3df5c9e9d3d425f0906a9271ddeb0d8d03b1d5c7023a3dac296e008281cfaa33200808b6a7ae7d5c57a84b0734295971480974e56d13f97d8c049044c6

Download Submit
C:\Windows\System32\sGaSkcN.exe

Filesize
1.4MB

MD5
ed6dd38da91eafde78ba420b372656e6

SHA1
ab23534af8b96fa9b6bd80a94cf44d94a433fdd0

SHA256
62ac965170b9a8c5ec4793a22727f746d158c6c27e4c658158d4e7a0b11442a7

SHA512
b7e56f7b6364b259d70319bc66a788a74580c9459b710041504f10f085ed09ee23ab2f547e513e8f6e7799572e4ce8abd2fce2e6f337a8debd55a04b48e7bbe6

Download Submit
C:\Windows\System32\sYKGLXF.exe

Filesize
1.4MB

MD5
fa88521006e37a92d1b37f7da427afdc

SHA1
5288da50bb0053aad1fc42d8a2594f682c438019

SHA256
5bb96c07f0b75dbd970cfa7f18acfe82041ff28f3e9a1b417238bbf2a20bcf29

SHA512
18f0e0b3b6b513a749371a930e601b7e1d23140c7ae691e555830e63a9ffdfbc7502fc4c1f4177b760effda93f26ce3cab66f560c1fdc0160fd66e950bcf9c0c

Download Submit
C:\Windows\System32\tMAOTsm.exe

Filesize
1.4MB

MD5
b2d5d46c184cd0bb8d5b2c6c5626bcda

SHA1
b3cd86f2a57972e6742c808513a4827699dd3255

SHA256
739bc58765535dfb13463c390b7927650faab2c5c47910c90a9a595d80704c40

SHA512
c7f1390977fe3521db1462b255c5bafeed64f0456b52027d261264eaf79bb8f4372035eccca79d49edb220131bf89dc51a42c0378214de40012e782e287daa5a

Download Submit
C:\Windows\System32\wNrNncN.exe

Filesize
1.4MB

MD5
0b3f8b96b9ad83722341999d8621b9a0

SHA1
97c571781d58975aa8b03ed27ad87a49a3e72e34

SHA256
fc0c9158b1556ec35de62839003e773df16cd5550eeb32e31327c99e6dd8a3d1

SHA512
9886405856144d3f378b2b71b1761e91c5761f9e2b64e3f8ef9f63296bdd6e22f3478748c617ca09b327fa01a8c7e03dcf5b25b2fd5a8ca4bc9fa2e407481a16

Download Submit
C:\Windows\System32\xfEibKu.exe

Filesize
1.4MB

MD5
73130bcec8953bceff4ff506f7f2c60e

SHA1
78419f41b2a9363accce899a19226e2b87e6f6b3

SHA256
399b1e7230208537373ef38e933b46a7d93c7b31968ef42f36a9490f79912110

SHA512
762f8f3ee15580273d7de686730879af742c35a6701633e0fd98aaf0faff437deb7db5fcc7627fbd0dd6817115c00a4687125f9d5f25d6e6d8a59b8157d736b4

Download Submit
C:\Windows\System32\xjlPYeg.exe

Filesize
1.4MB

MD5
675813e0e4a322300d6175f2c3d05922

SHA1
6a0adf999af31aa36f6105b7b9478b6b9a2ef8c5

SHA256
1f0552c311c2f87ff26f8b0c61f2c9ab2f5c82b3a7aac5dfdb9463b2d271c87b

SHA512
009c75193d5a20922a71827c6e75860e4178e25418559f2ab6bdebd16325ba4fffe6df5b0737083e77bf669f4c4914c5660582aa2fd760f30fd01b071f89e517

Download Submit
C:\Windows\System32\ygSLsDB.exe

Filesize
1.4MB

MD5
f098495204fa15e4073a0aa19ef8714b

SHA1
d756be0dce5b0708d295d438de19632461d18288

SHA256
a54fbffb13a7225b0d480edc25d3ca360b36d41e9ebd906419d1292eed18d63a

SHA512
d9628f82aa2cccc0d79bf83891339187728639538b7a0b07676028d856dcd902f484c2c2297dcc5bfe6491c32c028b1b18220f47cd8175993bf82e1769e800be

Download Submit
C:\Windows\System32\yxDknSy.exe

Filesize
1.4MB

MD5
1111b4a76c5fd4fb38677a49174c7a45

SHA1
2b4de08ffeea06c2dec3c37a78659259114ff4d6

SHA256
54e958ec7b8ed51c9b60495fe2f728711bb8c09b7d82f20b4bc9a2e6d66f0e89

SHA512
2b998fcdb94c7ae9943e4236f480b9e849e97e925e6e94513e708e97ad7fe1436ad8496588486ea824ed6e6a53d08408737b72243a51967f5bc6349547e1323f

Download Submit
C:\Windows\System32\zmgzTxI.exe

Filesize
1.4MB

MD5
604829f6eb41088cc5a1b40d8b185b0d

SHA1
d53792e0a7fd544b1ed1b3367bacc00bd09b6bdf

SHA256
e9de431adc967dcc0dffca3f8d6a4192d69f63bb0c3b8ec11fa8e66ba335dda2

SHA512
4b806132b6916150d75106105b627364541f4c70bb31a7b5a614fb8cb1ccdb963abaa78165d98870df0b50c4a34894bfb93048720ad552ae67b2726c17f7d2e3

Download Submit
memory/244-106-0x00007FF7AF140000-0x00007FF7AF531000-memory.dmp

Filesize
3.9MB

Download
memory/244-950-0x00007FF7AF140000-0x00007FF7AF531000-memory.dmp

Filesize
3.9MB

Download
memory/244-2192-0x00007FF7AF140000-0x00007FF7AF531000-memory.dmp

Filesize
3.9MB

Download
memory/1560-2138-0x00007FF65CD80000-0x00007FF65D171000-memory.dmp

Filesize
3.9MB

Download
memory/1560-102-0x00007FF65CD80000-0x00007FF65D171000-memory.dmp

Filesize
3.9MB

Download
memory/1560-17-0x00007FF65CD80000-0x00007FF65D171000-memory.dmp

Filesize
3.9MB

Download
memory/1728-149-0x00007FF7CCE80000-0x00007FF7CD271000-memory.dmp

Filesize
3.9MB

Download
memory/1728-2229-0x00007FF7CCE80000-0x00007FF7CD271000-memory.dmp

Filesize
3.9MB

Download
memory/1728-1777-0x00007FF7CCE80000-0x00007FF7CD271000-memory.dmp

Filesize
3.9MB

Download
memory/1876-70-0x00007FF6E3B80000-0x00007FF6E3F71000-memory.dmp

Filesize
3.9MB

Download
memory/1876-2180-0x00007FF6E3B80000-0x00007FF6E3F71000-memory.dmp

Filesize
3.9MB

Download
memory/1876-139-0x00007FF6E3B80000-0x00007FF6E3F71000-memory.dmp

Filesize
3.9MB

Download
memory/1892-128-0x00007FF6E51C0000-0x00007FF6E55B1000-memory.dmp

Filesize
3.9MB

Download
memory/1892-2212-0x00007FF6E51C0000-0x00007FF6E55B1000-memory.dmp

Filesize
3.9MB

Download
memory/1892-1394-0x00007FF6E51C0000-0x00007FF6E55B1000-memory.dmp

Filesize
3.9MB

Download
memory/2172-97-0x00007FF7046A0000-0x00007FF704A91000-memory.dmp

Filesize
3.9MB

Download
memory/2172-2193-0x00007FF7046A0000-0x00007FF704A91000-memory.dmp

Filesize
3.9MB

Download
memory/2172-802-0x00007FF7046A0000-0x00007FF704A91000-memory.dmp

Filesize
3.9MB

Download
memory/2260-105-0x00007FF6A0B70000-0x00007FF6A0F61000-memory.dmp

Filesize
3.9MB

Download
memory/2260-45-0x00007FF6A0B70000-0x00007FF6A0F61000-memory.dmp

Filesize
3.9MB

Download
memory/2260-2147-0x00007FF6A0B70000-0x00007FF6A0F61000-memory.dmp

Filesize
3.9MB

Download
memory/2340-0-0x00007FF71DEC0000-0x00007FF71E2B1000-memory.dmp

Filesize
3.9MB

Download
memory/2340-94-0x00007FF71DEC0000-0x00007FF71E2B1000-memory.dmp

Filesize
3.9MB

Download
memory/2340-2116-0x00007FF71DEC0000-0x00007FF71E2B1000-memory.dmp

Filesize
3.9MB

Download
memory/2340-1-0x000002761F490000-0x000002761F4A0000-memory.dmp

Filesize
64KB

Download
memory/2896-118-0x00007FF7B6690000-0x00007FF7B6A81000-memory.dmp

Filesize
3.9MB

Download
memory/2896-2670-0x00007FF7B6690000-0x00007FF7B6A81000-memory.dmp

Filesize
3.9MB

Download
memory/2896-54-0x00007FF7B6690000-0x00007FF7B6A81000-memory.dmp

Filesize
3.9MB

Download
memory/2908-2227-0x00007FF63A340000-0x00007FF63A731000-memory.dmp

Filesize
3.9MB

Download
memory/2908-156-0x00007FF63A340000-0x00007FF63A731000-memory.dmp

Filesize
3.9MB

Download
memory/2908-1906-0x00007FF63A340000-0x00007FF63A731000-memory.dmp

Filesize
3.9MB

Download
memory/3156-58-0x00007FF638910000-0x00007FF638D01000-memory.dmp

Filesize
3.9MB

Download
memory/3156-2143-0x00007FF638910000-0x00007FF638D01000-memory.dmp

Filesize
3.9MB

Download
memory/3372-2235-0x00007FF632010000-0x00007FF632401000-memory.dmp

Filesize
3.9MB

Download
memory/3372-121-0x00007FF632010000-0x00007FF632401000-memory.dmp

Filesize
3.9MB

Download
memory/3372-1263-0x00007FF632010000-0x00007FF632401000-memory.dmp

Filesize
3.9MB

Download
memory/3500-2149-0x00007FF7C5D30000-0x00007FF7C6121000-memory.dmp

Filesize
3.9MB

Download
memory/3500-60-0x00007FF7C5D30000-0x00007FF7C6121000-memory.dmp

Filesize
3.9MB

Download
memory/3552-101-0x00007FF752FD0000-0x00007FF7533C1000-memory.dmp

Filesize
3.9MB

Download
memory/3552-2140-0x00007FF752FD0000-0x00007FF7533C1000-memory.dmp

Filesize
3.9MB

Download
memory/3552-7-0x00007FF752FD0000-0x00007FF7533C1000-memory.dmp

Filesize
3.9MB

Download
memory/3812-2185-0x00007FF7B58B0000-0x00007FF7B5CA1000-memory.dmp

Filesize
3.9MB

Download
memory/3812-146-0x00007FF7B58B0000-0x00007FF7B5CA1000-memory.dmp

Filesize
3.9MB

Download
memory/3812-78-0x00007FF7B58B0000-0x00007FF7B5CA1000-memory.dmp

Filesize
3.9MB

Download
memory/3832-1131-0x00007FF7797F0000-0x00007FF779BE1000-memory.dmp

Filesize
3.9MB

Download
memory/3832-2190-0x00007FF7797F0000-0x00007FF779BE1000-memory.dmp

Filesize
3.9MB

Download
memory/3832-113-0x00007FF7797F0000-0x00007FF779BE1000-memory.dmp

Filesize
3.9MB

Download
memory/4176-1645-0x00007FF7A05C0000-0x00007FF7A09B1000-memory.dmp

Filesize
3.9MB

Download
memory/4176-2222-0x00007FF7A05C0000-0x00007FF7A09B1000-memory.dmp

Filesize
3.9MB

Download
memory/4176-142-0x00007FF7A05C0000-0x00007FF7A09B1000-memory.dmp

Filesize
3.9MB

Download
memory/4280-2156-0x00007FF695D60000-0x00007FF696151000-memory.dmp

Filesize
3.9MB

Download
memory/4280-64-0x00007FF695D60000-0x00007FF696151000-memory.dmp

Filesize
3.9MB

Download
memory/4280-134-0x00007FF695D60000-0x00007FF696151000-memory.dmp

Filesize
3.9MB

Download
memory/4548-2144-0x00007FF676750000-0x00007FF676B41000-memory.dmp

Filesize
3.9MB

Download
memory/4548-27-0x00007FF676750000-0x00007FF676B41000-memory.dmp

Filesize
3.9MB

Download
memory/4548-112-0x00007FF676750000-0x00007FF676B41000-memory.dmp

Filesize
3.9MB

Download
memory/4744-135-0x00007FF7A6F10000-0x00007FF7A7301000-memory.dmp

Filesize
3.9MB

Download
memory/4744-2231-0x00007FF7A6F10000-0x00007FF7A7301000-memory.dmp

Filesize
3.9MB

Download
memory/4744-1522-0x00007FF7A6F10000-0x00007FF7A7301000-memory.dmp

Filesize
3.9MB

Download
memory/4772-2187-0x00007FF77A710000-0x00007FF77AB01000-memory.dmp

Filesize
3.9MB

Download
memory/4772-88-0x00007FF77A710000-0x00007FF77AB01000-memory.dmp

Filesize
3.9MB

Download
memory/4772-683-0x00007FF77A710000-0x00007FF77AB01000-memory.dmp

Filesize
3.9MB

Download
memory/4840-153-0x00007FF754720000-0x00007FF754B11000-memory.dmp

Filesize
3.9MB

Download
memory/4840-2183-0x00007FF754720000-0x00007FF754B11000-memory.dmp

Filesize
3.9MB

Download
memory/4840-82-0x00007FF754720000-0x00007FF754B11000-memory.dmp

Filesize
3.9MB

Download
memory/4896-117-0x00007FF77B8A0000-0x00007FF77BC91000-memory.dmp

Filesize
3.9MB

Download
memory/4896-2151-0x00007FF77B8A0000-0x00007FF77BC91000-memory.dmp

Filesize
3.9MB

Download
memory/4896-47-0x00007FF77B8A0000-0x00007FF77BC91000-memory.dmp

Filesize
3.9MB

Download
memory/5096-63-0x00007FF6DDAA0000-0x00007FF6DDE91000-memory.dmp

Filesize
3.9MB

Download
memory/5096-127-0x00007FF6DDAA0000-0x00007FF6DDE91000-memory.dmp

Filesize
3.9MB

Download
memory/5096-2154-0x00007FF6DDAA0000-0x00007FF6DDE91000-memory.dmp

Filesize
3.9MB

Download
memory/5100-55-0x00007FF6206F0000-0x00007FF620AE1000-memory.dmp

Filesize
3.9MB

Download
memory/5100-2152-0x00007FF6206F0000-0x00007FF620AE1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads