cobaltstrike | cb934f13ac12c7f5dc4b9b0b8ca950a854793d9d86fb2a57a10d0a912737f69e

Analysis

max time kernel
91s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
Size

6.0MB
MD5

f95e46b9a603deca5531073979f73655
SHA1

de536a91c1c70096a7e2d20d8d78a137ec88d0bf
SHA256

cb934f13ac12c7f5dc4b9b0b8ca950a854793d9d86fb2a57a10d0a912737f69e
SHA512

769af89ef9e9cda13968d5564a362b22b0ba0b4d4a4228a5413a16e2df1f2e3ec920c6c13523bbc8f12ebe577e55f78d7e4862f6ef6438dfdaa089622aa94dfb
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lU0:T+q56utgpPF8u/70

Score

10^/10

cobaltstrike xmrig 0 backdoor defense_evasion miner privilege_escalation trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 32 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023ba7-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-134.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-162.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-182.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-188.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-190.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-181.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-168.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-166.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2300-0-0x00007FF743E60000-0x00007FF7441B4000-memory.dmp	xmrig
behavioral2/files/0x000c000000023ba7-4.dat	xmrig
behavioral2/files/0x0007000000023c92-12.dat	xmrig
behavioral2/files/0x0007000000023c93-11.dat	xmrig
behavioral2/memory/1052-14-0x00007FF7C32D0000-0x00007FF7C3624000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c94-21.dat	xmrig
behavioral2/memory/2816-20-0x00007FF626140000-0x00007FF626494000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c95-32.dat	xmrig
behavioral2/files/0x0007000000023c97-35.dat	xmrig
behavioral2/files/0x0007000000023c98-44.dat	xmrig
behavioral2/files/0x0007000000023c9b-58.dat	xmrig
behavioral2/files/0x0007000000023c9c-63.dat	xmrig
behavioral2/files/0x0007000000023c9d-67.dat	xmrig
behavioral2/files/0x0007000000023c9f-79.dat	xmrig
behavioral2/files/0x0007000000023ca2-94.dat	xmrig
behavioral2/files/0x0007000000023ca4-104.dat	xmrig
behavioral2/files/0x0007000000023ca6-113.dat	xmrig
behavioral2/memory/3624-124-0x00007FF74B2D0000-0x00007FF74B624000-memory.dmp	xmrig
behavioral2/memory/2272-138-0x00007FF765C50000-0x00007FF765FA4000-memory.dmp	xmrig
behavioral2/memory/5052-142-0x00007FF6F27F0000-0x00007FF6F2B44000-memory.dmp	xmrig
behavioral2/memory/1368-147-0x00007FF76A260000-0x00007FF76A5B4000-memory.dmp	xmrig
behavioral2/memory/3064-152-0x00007FF6579E0000-0x00007FF657D34000-memory.dmp	xmrig
behavioral2/memory/1072-151-0x00007FF6E2C30000-0x00007FF6E2F84000-memory.dmp	xmrig
behavioral2/memory/3508-150-0x00007FF775CC0000-0x00007FF776014000-memory.dmp	xmrig
behavioral2/memory/1916-149-0x00007FF7C49A0000-0x00007FF7C4CF4000-memory.dmp	xmrig
behavioral2/memory/4408-148-0x00007FF633950000-0x00007FF633CA4000-memory.dmp	xmrig
behavioral2/memory/4576-146-0x00007FF705CA0000-0x00007FF705FF4000-memory.dmp	xmrig
behavioral2/memory/2224-145-0x00007FF60A670000-0x00007FF60A9C4000-memory.dmp	xmrig
behavioral2/memory/4960-144-0x00007FF7989D0000-0x00007FF798D24000-memory.dmp	xmrig
behavioral2/memory/2596-143-0x00007FF6A4C40000-0x00007FF6A4F94000-memory.dmp	xmrig
behavioral2/memory/4468-141-0x00007FF7077A0000-0x00007FF707AF4000-memory.dmp	xmrig
behavioral2/memory/3980-140-0x00007FF766590000-0x00007FF7668E4000-memory.dmp	xmrig
behavioral2/memory/1912-139-0x00007FF67A200000-0x00007FF67A554000-memory.dmp	xmrig
behavioral2/memory/3900-137-0x00007FF65F2A0000-0x00007FF65F5F4000-memory.dmp	xmrig
behavioral2/memory/4812-136-0x00007FF685DC0000-0x00007FF686114000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca9-134.dat	xmrig
behavioral2/files/0x0007000000023ca8-132.dat	xmrig
behavioral2/memory/5056-131-0x00007FF79D5A0000-0x00007FF79D8F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca7-129.dat	xmrig
behavioral2/memory/4416-126-0x00007FF762DF0000-0x00007FF763144000-memory.dmp	xmrig
behavioral2/memory/4560-125-0x00007FF6C7DE0000-0x00007FF6C8134000-memory.dmp	xmrig
behavioral2/memory/3444-118-0x00007FF67CD70000-0x00007FF67D0C4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca5-109.dat	xmrig
behavioral2/files/0x0007000000023ca3-99.dat	xmrig
behavioral2/files/0x0007000000023ca1-89.dat	xmrig
behavioral2/files/0x0007000000023ca0-84.dat	xmrig
behavioral2/files/0x0007000000023c9e-74.dat	xmrig
behavioral2/files/0x0007000000023c9a-54.dat	xmrig
behavioral2/files/0x0007000000023c99-49.dat	xmrig
behavioral2/files/0x0007000000023c96-34.dat	xmrig
behavioral2/memory/2136-9-0x00007FF63FAC0000-0x00007FF63FE14000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cac-162.dat	xmrig
behavioral2/memory/452-164-0x00007FF692990000-0x00007FF692CE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cad-182.dat	xmrig
behavioral2/files/0x0007000000023caf-188.dat	xmrig
behavioral2/files/0x0007000000023cb0-190.dat	xmrig
behavioral2/files/0x0007000000023cae-181.dat	xmrig
behavioral2/memory/1384-180-0x00007FF750DF0000-0x00007FF751144000-memory.dmp	xmrig
behavioral2/memory/2300-219-0x00007FF743E60000-0x00007FF7441B4000-memory.dmp	xmrig
behavioral2/memory/1740-175-0x00007FF738D50000-0x00007FF7390A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cab-168.dat	xmrig
behavioral2/memory/2136-265-0x00007FF63FAC0000-0x00007FF63FE14000-memory.dmp	xmrig
behavioral2/files/0x0007000000023caa-166.dat	xmrig
behavioral2/memory/2084-160-0x00007FF6AF920000-0x00007FF6AFC74000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2136	mKweLMr.exe
1052	WgmfRxi.exe
2816	JClSYki.exe
3444	ujoYQdw.exe
1072	OAqbFhD.exe
3624	lJzvfJD.exe
4560	sqPXesz.exe
4416	LDSnuwP.exe
5056	SIaFWjR.exe
4812	FGllJim.exe
3900	qqUyqIB.exe
2272	xOXXelE.exe
1912	kNLoznj.exe
3980	AlDnZQy.exe
4468	JYJPBce.exe
5052	HIIueNl.exe
2596	nEyfjyE.exe
4960	DButnik.exe
2224	TMsortd.exe
4576	pOEDAWz.exe
1368	ccRxdHU.exe
4408	VAdLuQc.exe
3064	pjoreyU.exe
1916	pWYkOwO.exe
3508	KhNEuBR.exe
2084	WrZwVhQ.exe
1740	fAXWDmO.exe
452	MWNPoWi.exe
1384	VnWaNvG.exe
5064	kjmMNfi.exe
3752	eBxSVQF.exe
4816	kUplkyF.exe
1672	tKuZwFn.exe
3228	pmPivKX.exe
1532	mOddESY.exe
4956	MFFZfCy.exe
3104	grMlrSU.exe
4364	VGEjBmi.exe
4608	OVogWpw.exe
3452	OqUwqPC.exe
5040	qXLVqKR.exe
464	HyDzWvY.exe
1360	niPLxrw.exe
2204	CFdUkCy.exe
4672	YgvMXVS.exe
4184	wPamtpm.exe
3076	TsWfimt.exe
1372	HlGBbzA.exe
2928	lajyjzw.exe
4100	AHbuPFX.exe
4136	fdFxiji.exe
4860	YDhAKgR.exe
4068	QVyxYvl.exe
1704	riCszpz.exe
1220	HeknReZ.exe
3160	LedmoWu.exe
4776	TuTxjxc.exe
4460	BkdDekv.exe
640	xVRBzUY.exe
1628	PvghXou.exe
1880	obiywcK.exe
2792	kFYaATa.exe
972	LvBbReQ.exe
2932	CDGLObR.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2300-0-0x00007FF743E60000-0x00007FF7441B4000-memory.dmp	upx
behavioral2/files/0x000c000000023ba7-4.dat	upx
behavioral2/files/0x0007000000023c92-12.dat	upx
behavioral2/files/0x0007000000023c93-11.dat	upx
behavioral2/memory/1052-14-0x00007FF7C32D0000-0x00007FF7C3624000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-21.dat	upx
behavioral2/memory/2816-20-0x00007FF626140000-0x00007FF626494000-memory.dmp	upx
behavioral2/files/0x0007000000023c95-32.dat	upx
behavioral2/files/0x0007000000023c97-35.dat	upx
behavioral2/files/0x0007000000023c98-44.dat	upx
behavioral2/files/0x0007000000023c9b-58.dat	upx
behavioral2/files/0x0007000000023c9c-63.dat	upx
behavioral2/files/0x0007000000023c9d-67.dat	upx
behavioral2/files/0x0007000000023c9f-79.dat	upx
behavioral2/files/0x0007000000023ca2-94.dat	upx
behavioral2/files/0x0007000000023ca4-104.dat	upx
behavioral2/files/0x0007000000023ca6-113.dat	upx
behavioral2/memory/3624-124-0x00007FF74B2D0000-0x00007FF74B624000-memory.dmp	upx
behavioral2/memory/2272-138-0x00007FF765C50000-0x00007FF765FA4000-memory.dmp	upx
behavioral2/memory/5052-142-0x00007FF6F27F0000-0x00007FF6F2B44000-memory.dmp	upx
behavioral2/memory/1368-147-0x00007FF76A260000-0x00007FF76A5B4000-memory.dmp	upx
behavioral2/memory/3064-152-0x00007FF6579E0000-0x00007FF657D34000-memory.dmp	upx
behavioral2/memory/1072-151-0x00007FF6E2C30000-0x00007FF6E2F84000-memory.dmp	upx
behavioral2/memory/3508-150-0x00007FF775CC0000-0x00007FF776014000-memory.dmp	upx
behavioral2/memory/1916-149-0x00007FF7C49A0000-0x00007FF7C4CF4000-memory.dmp	upx
behavioral2/memory/4408-148-0x00007FF633950000-0x00007FF633CA4000-memory.dmp	upx
behavioral2/memory/4576-146-0x00007FF705CA0000-0x00007FF705FF4000-memory.dmp	upx
behavioral2/memory/2224-145-0x00007FF60A670000-0x00007FF60A9C4000-memory.dmp	upx
behavioral2/memory/4960-144-0x00007FF7989D0000-0x00007FF798D24000-memory.dmp	upx
behavioral2/memory/2596-143-0x00007FF6A4C40000-0x00007FF6A4F94000-memory.dmp	upx
behavioral2/memory/4468-141-0x00007FF7077A0000-0x00007FF707AF4000-memory.dmp	upx
behavioral2/memory/3980-140-0x00007FF766590000-0x00007FF7668E4000-memory.dmp	upx
behavioral2/memory/1912-139-0x00007FF67A200000-0x00007FF67A554000-memory.dmp	upx
behavioral2/memory/3900-137-0x00007FF65F2A0000-0x00007FF65F5F4000-memory.dmp	upx
behavioral2/memory/4812-136-0x00007FF685DC0000-0x00007FF686114000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-134.dat	upx
behavioral2/files/0x0007000000023ca8-132.dat	upx
behavioral2/memory/5056-131-0x00007FF79D5A0000-0x00007FF79D8F4000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-129.dat	upx
behavioral2/memory/4416-126-0x00007FF762DF0000-0x00007FF763144000-memory.dmp	upx
behavioral2/memory/4560-125-0x00007FF6C7DE0000-0x00007FF6C8134000-memory.dmp	upx
behavioral2/memory/3444-118-0x00007FF67CD70000-0x00007FF67D0C4000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-109.dat	upx
behavioral2/files/0x0007000000023ca3-99.dat	upx
behavioral2/files/0x0007000000023ca1-89.dat	upx
behavioral2/files/0x0007000000023ca0-84.dat	upx
behavioral2/files/0x0007000000023c9e-74.dat	upx
behavioral2/files/0x0007000000023c9a-54.dat	upx
behavioral2/files/0x0007000000023c99-49.dat	upx
behavioral2/files/0x0007000000023c96-34.dat	upx
behavioral2/memory/2136-9-0x00007FF63FAC0000-0x00007FF63FE14000-memory.dmp	upx
behavioral2/files/0x0007000000023cac-162.dat	upx
behavioral2/memory/452-164-0x00007FF692990000-0x00007FF692CE4000-memory.dmp	upx
behavioral2/files/0x0007000000023cad-182.dat	upx
behavioral2/files/0x0007000000023caf-188.dat	upx
behavioral2/files/0x0007000000023cb0-190.dat	upx
behavioral2/files/0x0007000000023cae-181.dat	upx
behavioral2/memory/1384-180-0x00007FF750DF0000-0x00007FF751144000-memory.dmp	upx
behavioral2/memory/2300-219-0x00007FF743E60000-0x00007FF7441B4000-memory.dmp	upx
behavioral2/memory/1740-175-0x00007FF738D50000-0x00007FF7390A4000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-168.dat	upx
behavioral2/memory/2136-265-0x00007FF63FAC0000-0x00007FF63FE14000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-166.dat	upx
behavioral2/memory/2084-160-0x00007FF6AF920000-0x00007FF6AFC74000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\BmVKVJu.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cFBhRqH.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VjKGGie.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HpCMoLH.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Rtqkajw.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZVwtkMZ.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\evsttFm.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nyflbKq.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WnwqdQh.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YFTDvLY.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nsReHqV.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\thqcmLP.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lFFnhoq.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\akwjiag.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EGjSIKk.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JClSYki.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mOddESY.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lkpXmZj.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CBwAIRX.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VGuEnoQ.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iiDcHFa.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hdapNAX.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UxCwWRH.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gBcXknX.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wFHARjE.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TImyPxK.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EzqRzTE.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QvHESZG.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CKKcBYT.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ixYwUUF.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JLLrYYn.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\syIjvlP.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yVAektI.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\numFJNj.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fGQYPoq.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lESAylA.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KhNEuBR.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HHKtTvo.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gnLHbGS.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RUiPGdl.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BZtTUwn.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ENXdXAK.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ErbUwXt.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uklWJVY.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FJnJOtb.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MLmlBkY.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oDVNASt.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QVyxYvl.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UygigjD.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LmXpqgy.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HmSvebK.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EQUPYMV.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\texqYoi.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ATOjlbP.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EPCxzrZ.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BFUYjBJ.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yWQfOHy.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KAPBvnl.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UBMKkdG.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ePEXOfa.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EcZFAmC.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ayCYvIK.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PqCjvZq.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lJzvfJD.exe	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
9480	TDrUNAS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2136	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2300 wrote to memory of 2136	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2300 wrote to memory of 1052	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2300 wrote to memory of 1052	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2300 wrote to memory of 2816	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2300 wrote to memory of 2816	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2300 wrote to memory of 3444	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2300 wrote to memory of 3444	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2300 wrote to memory of 1072	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2300 wrote to memory of 1072	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2300 wrote to memory of 3624	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2300 wrote to memory of 3624	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2300 wrote to memory of 4560	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2300 wrote to memory of 4560	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2300 wrote to memory of 4416	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2300 wrote to memory of 4416	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2300 wrote to memory of 5056	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2300 wrote to memory of 5056	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2300 wrote to memory of 4812	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2300 wrote to memory of 4812	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2300 wrote to memory of 3900	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2300 wrote to memory of 3900	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2300 wrote to memory of 2272	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2300 wrote to memory of 2272	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2300 wrote to memory of 1912	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2300 wrote to memory of 1912	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2300 wrote to memory of 3980	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2300 wrote to memory of 3980	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2300 wrote to memory of 4468	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2300 wrote to memory of 4468	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2300 wrote to memory of 5052	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2300 wrote to memory of 5052	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2300 wrote to memory of 2596	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2300 wrote to memory of 2596	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2300 wrote to memory of 4960	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2300 wrote to memory of 4960	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2300 wrote to memory of 2224	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2300 wrote to memory of 2224	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2300 wrote to memory of 4576	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2300 wrote to memory of 4576	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2300 wrote to memory of 1368	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2300 wrote to memory of 1368	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2300 wrote to memory of 4408	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2300 wrote to memory of 4408	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2300 wrote to memory of 3064	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2300 wrote to memory of 3064	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2300 wrote to memory of 1916	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2300 wrote to memory of 1916	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2300 wrote to memory of 3508	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2300 wrote to memory of 3508	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2300 wrote to memory of 2084	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2300 wrote to memory of 2084	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2300 wrote to memory of 1740	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 2300 wrote to memory of 1740	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 2300 wrote to memory of 452	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 2300 wrote to memory of 452	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 2300 wrote to memory of 1384	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 2300 wrote to memory of 1384	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 2300 wrote to memory of 5064	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 2300 wrote to memory of 5064	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 2300 wrote to memory of 3752	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	117
PID 2300 wrote to memory of 3752	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	117
PID 2300 wrote to memory of 4816	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	118
PID 2300 wrote to memory of 4816	2300	2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-24_f95e46b9a603deca5531073979f73655_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\System\mKweLMr.exe
  C:\Windows\System\mKweLMr.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System\WgmfRxi.exe
  C:\Windows\System\WgmfRxi.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\JClSYki.exe
  C:\Windows\System\JClSYki.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\ujoYQdw.exe
  C:\Windows\System\ujoYQdw.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System\OAqbFhD.exe
  C:\Windows\System\OAqbFhD.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System\lJzvfJD.exe
  C:\Windows\System\lJzvfJD.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System\sqPXesz.exe
  C:\Windows\System\sqPXesz.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System\LDSnuwP.exe
  C:\Windows\System\LDSnuwP.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\SIaFWjR.exe
  C:\Windows\System\SIaFWjR.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\FGllJim.exe
  C:\Windows\System\FGllJim.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\qqUyqIB.exe
  C:\Windows\System\qqUyqIB.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System\xOXXelE.exe
  C:\Windows\System\xOXXelE.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\kNLoznj.exe
  C:\Windows\System\kNLoznj.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\AlDnZQy.exe
  C:\Windows\System\AlDnZQy.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\JYJPBce.exe
  C:\Windows\System\JYJPBce.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\HIIueNl.exe
  C:\Windows\System\HIIueNl.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\nEyfjyE.exe
  C:\Windows\System\nEyfjyE.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\DButnik.exe
  C:\Windows\System\DButnik.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System\TMsortd.exe
  C:\Windows\System\TMsortd.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\pOEDAWz.exe
  C:\Windows\System\pOEDAWz.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\ccRxdHU.exe
  C:\Windows\System\ccRxdHU.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\VAdLuQc.exe
  C:\Windows\System\VAdLuQc.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\pjoreyU.exe
  C:\Windows\System\pjoreyU.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\pWYkOwO.exe
  C:\Windows\System\pWYkOwO.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System\KhNEuBR.exe
  C:\Windows\System\KhNEuBR.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\WrZwVhQ.exe
  C:\Windows\System\WrZwVhQ.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\fAXWDmO.exe
  C:\Windows\System\fAXWDmO.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\MWNPoWi.exe
  C:\Windows\System\MWNPoWi.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System\VnWaNvG.exe
  C:\Windows\System\VnWaNvG.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\kjmMNfi.exe
  C:\Windows\System\kjmMNfi.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\eBxSVQF.exe
  C:\Windows\System\eBxSVQF.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System\kUplkyF.exe
  C:\Windows\System\kUplkyF.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\tKuZwFn.exe
  C:\Windows\System\tKuZwFn.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\pmPivKX.exe
  C:\Windows\System\pmPivKX.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\mOddESY.exe
  C:\Windows\System\mOddESY.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\MFFZfCy.exe
  C:\Windows\System\MFFZfCy.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\grMlrSU.exe
  C:\Windows\System\grMlrSU.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\VGEjBmi.exe
  C:\Windows\System\VGEjBmi.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\OVogWpw.exe
  C:\Windows\System\OVogWpw.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\OqUwqPC.exe
  C:\Windows\System\OqUwqPC.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System\qXLVqKR.exe
  C:\Windows\System\qXLVqKR.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\HyDzWvY.exe
  C:\Windows\System\HyDzWvY.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\niPLxrw.exe
  C:\Windows\System\niPLxrw.exe
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\System\CFdUkCy.exe
  C:\Windows\System\CFdUkCy.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\YgvMXVS.exe
  C:\Windows\System\YgvMXVS.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\wPamtpm.exe
  C:\Windows\System\wPamtpm.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System\TsWfimt.exe
  C:\Windows\System\TsWfimt.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System\HlGBbzA.exe
  C:\Windows\System\HlGBbzA.exe
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\System\lajyjzw.exe
  C:\Windows\System\lajyjzw.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\AHbuPFX.exe
  C:\Windows\System\AHbuPFX.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\fdFxiji.exe
  C:\Windows\System\fdFxiji.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System\YDhAKgR.exe
  C:\Windows\System\YDhAKgR.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\QVyxYvl.exe
  C:\Windows\System\QVyxYvl.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\riCszpz.exe
  C:\Windows\System\riCszpz.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\HeknReZ.exe
  C:\Windows\System\HeknReZ.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\LedmoWu.exe
  C:\Windows\System\LedmoWu.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System\TuTxjxc.exe
  C:\Windows\System\TuTxjxc.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\BkdDekv.exe
  C:\Windows\System\BkdDekv.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\xVRBzUY.exe
  C:\Windows\System\xVRBzUY.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System\PvghXou.exe
  C:\Windows\System\PvghXou.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\obiywcK.exe
  C:\Windows\System\obiywcK.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\kFYaATa.exe
  C:\Windows\System\kFYaATa.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\LvBbReQ.exe
  C:\Windows\System\LvBbReQ.exe
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\System\CDGLObR.exe
  C:\Windows\System\CDGLObR.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\fKqBrzb.exe
  C:\Windows\System\fKqBrzb.exe
  2⤵
  PID:3572
- C:\Windows\System\eOdtSQk.exe
  C:\Windows\System\eOdtSQk.exe
  2⤵
  PID:1088
- C:\Windows\System\cXZnZly.exe
  C:\Windows\System\cXZnZly.exe
  2⤵
  PID:4572
- C:\Windows\System\CfcHMVU.exe
  C:\Windows\System\CfcHMVU.exe
  2⤵
  PID:2140
- C:\Windows\System\nquRmrW.exe
  C:\Windows\System\nquRmrW.exe
  2⤵
  PID:3724
- C:\Windows\System\gTkNhVi.exe
  C:\Windows\System\gTkNhVi.exe
  2⤵
  PID:2016
- C:\Windows\System\HHKtTvo.exe
  C:\Windows\System\HHKtTvo.exe
  2⤵
  PID:456
- C:\Windows\System\lCVGpXq.exe
  C:\Windows\System\lCVGpXq.exe
  2⤵
  PID:3400
- C:\Windows\System\TIiYpoH.exe
  C:\Windows\System\TIiYpoH.exe
  2⤵
  PID:1792
- C:\Windows\System\YFjcRmn.exe
  C:\Windows\System\YFjcRmn.exe
  2⤵
  PID:4348
- C:\Windows\System\sSihors.exe
  C:\Windows\System\sSihors.exe
  2⤵
  PID:3868
- C:\Windows\System\JLLrYYn.exe
  C:\Windows\System\JLLrYYn.exe
  2⤵
  PID:768
- C:\Windows\System\CIESdpo.exe
  C:\Windows\System\CIESdpo.exe
  2⤵
  PID:1944
- C:\Windows\System\JSdchJD.exe
  C:\Windows\System\JSdchJD.exe
  2⤵
  PID:2328
- C:\Windows\System\XufQovL.exe
  C:\Windows\System\XufQovL.exe
  2⤵
  PID:5140
- C:\Windows\System\qkuYpfw.exe
  C:\Windows\System\qkuYpfw.exe
  2⤵
  PID:5200
- C:\Windows\System\MyMhrLu.exe
  C:\Windows\System\MyMhrLu.exe
  2⤵
  PID:5252
- C:\Windows\System\eEzrlbO.exe
  C:\Windows\System\eEzrlbO.exe
  2⤵
  PID:5272
- C:\Windows\System\oCsTTsr.exe
  C:\Windows\System\oCsTTsr.exe
  2⤵
  PID:5292
- C:\Windows\System\wqRKkGS.exe
  C:\Windows\System\wqRKkGS.exe
  2⤵
  PID:5332
- C:\Windows\System\rPdBWOK.exe
  C:\Windows\System\rPdBWOK.exe
  2⤵
  PID:5392
- C:\Windows\System\AUmgfON.exe
  C:\Windows\System\AUmgfON.exe
  2⤵
  PID:5428
- C:\Windows\System\ivHybEb.exe
  C:\Windows\System\ivHybEb.exe
  2⤵
  PID:5464
- C:\Windows\System\uMPebFE.exe
  C:\Windows\System\uMPebFE.exe
  2⤵
  PID:5492
- C:\Windows\System\cURXNpi.exe
  C:\Windows\System\cURXNpi.exe
  2⤵
  PID:5512
- C:\Windows\System\pRFfrAH.exe
  C:\Windows\System\pRFfrAH.exe
  2⤵
  PID:5548
- C:\Windows\System\JYYqExH.exe
  C:\Windows\System\JYYqExH.exe
  2⤵
  PID:5596
- C:\Windows\System\KKafmQv.exe
  C:\Windows\System\KKafmQv.exe
  2⤵
  PID:5616
- C:\Windows\System\rJJPdsI.exe
  C:\Windows\System\rJJPdsI.exe
  2⤵
  PID:5644
- C:\Windows\System\bCPZJvx.exe
  C:\Windows\System\bCPZJvx.exe
  2⤵
  PID:5676
- C:\Windows\System\otOibZw.exe
  C:\Windows\System\otOibZw.exe
  2⤵
  PID:5720
- C:\Windows\System\ltLWBiI.exe
  C:\Windows\System\ltLWBiI.exe
  2⤵
  PID:5748
- C:\Windows\System\VwgPlqM.exe
  C:\Windows\System\VwgPlqM.exe
  2⤵
  PID:5784
- C:\Windows\System\VyAyJIT.exe
  C:\Windows\System\VyAyJIT.exe
  2⤵
  PID:5808
- C:\Windows\System\xWyDinu.exe
  C:\Windows\System\xWyDinu.exe
  2⤵
  PID:5828
- C:\Windows\System\syIjvlP.exe
  C:\Windows\System\syIjvlP.exe
  2⤵
  PID:5856
- C:\Windows\System\XRbejdn.exe
  C:\Windows\System\XRbejdn.exe
  2⤵
  PID:5892
- C:\Windows\System\jVOxkti.exe
  C:\Windows\System\jVOxkti.exe
  2⤵
  PID:5924
- C:\Windows\System\HJBIaAD.exe
  C:\Windows\System\HJBIaAD.exe
  2⤵
  PID:5948
- C:\Windows\System\JIPjjeP.exe
  C:\Windows\System\JIPjjeP.exe
  2⤵
  PID:5972
- C:\Windows\System\sHJCUPK.exe
  C:\Windows\System\sHJCUPK.exe
  2⤵
  PID:6000
- C:\Windows\System\lGRwRDK.exe
  C:\Windows\System\lGRwRDK.exe
  2⤵
  PID:6036
- C:\Windows\System\TbNtbzz.exe
  C:\Windows\System\TbNtbzz.exe
  2⤵
  PID:6068
- C:\Windows\System\cRfvpOj.exe
  C:\Windows\System\cRfvpOj.exe
  2⤵
  PID:6100
- C:\Windows\System\TamrSDC.exe
  C:\Windows\System\TamrSDC.exe
  2⤵
  PID:6128
- C:\Windows\System\Xjmdgvd.exe
  C:\Windows\System\Xjmdgvd.exe
  2⤵
  PID:5192
- C:\Windows\System\onwgFXX.exe
  C:\Windows\System\onwgFXX.exe
  2⤵
  PID:5284
- C:\Windows\System\tOgfaWw.exe
  C:\Windows\System\tOgfaWw.exe
  2⤵
  PID:5312
- C:\Windows\System\epJHLOe.exe
  C:\Windows\System\epJHLOe.exe
  2⤵
  PID:5372
- C:\Windows\System\spRwrWL.exe
  C:\Windows\System\spRwrWL.exe
  2⤵
  PID:5444
- C:\Windows\System\gVyhwQG.exe
  C:\Windows\System\gVyhwQG.exe
  2⤵
  PID:5484
- C:\Windows\System\XwRwvaG.exe
  C:\Windows\System\XwRwvaG.exe
  2⤵
  PID:5576
- C:\Windows\System\pHWopMz.exe
  C:\Windows\System\pHWopMz.exe
  2⤵
  PID:5664
- C:\Windows\System\CAmIgmR.exe
  C:\Windows\System\CAmIgmR.exe
  2⤵
  PID:3196
- C:\Windows\System\lFFnhoq.exe
  C:\Windows\System\lFFnhoq.exe
  2⤵
  PID:5876
- C:\Windows\System\ZyuBjfW.exe
  C:\Windows\System\ZyuBjfW.exe
  2⤵
  PID:5912
- C:\Windows\System\LllqxVU.exe
  C:\Windows\System\LllqxVU.exe
  2⤵
  PID:5996
- C:\Windows\System\PmtVoFp.exe
  C:\Windows\System\PmtVoFp.exe
  2⤵
  PID:6080
- C:\Windows\System\NRUvIUh.exe
  C:\Windows\System\NRUvIUh.exe
  2⤵
  PID:4756
- C:\Windows\System\KOazgKO.exe
  C:\Windows\System\KOazgKO.exe
  2⤵
  PID:5304
- C:\Windows\System\eXKxQgO.exe
  C:\Windows\System\eXKxQgO.exe
  2⤵
  PID:5408
- C:\Windows\System\xbLdTUE.exe
  C:\Windows\System\xbLdTUE.exe
  2⤵
  PID:5692
- C:\Windows\System\FouuYhv.exe
  C:\Windows\System\FouuYhv.exe
  2⤵
  PID:5328
- C:\Windows\System\qokTCVc.exe
  C:\Windows\System\qokTCVc.exe
  2⤵
  PID:5024
- C:\Windows\System\zeJXgjF.exe
  C:\Windows\System\zeJXgjF.exe
  2⤵
  PID:4636
- C:\Windows\System\DnHNCyi.exe
  C:\Windows\System\DnHNCyi.exe
  2⤵
  PID:1012
- C:\Windows\System\UBMKkdG.exe
  C:\Windows\System\UBMKkdG.exe
  2⤵
  PID:5760
- C:\Windows\System\WyHxglT.exe
  C:\Windows\System\WyHxglT.exe
  2⤵
  PID:6112
- C:\Windows\System\YQkANgm.exe
  C:\Windows\System\YQkANgm.exe
  2⤵
  PID:5744
- C:\Windows\System\dgBrUCP.exe
  C:\Windows\System\dgBrUCP.exe
  2⤵
  PID:6160
- C:\Windows\System\myFnaeK.exe
  C:\Windows\System\myFnaeK.exe
  2⤵
  PID:6204
- C:\Windows\System\otFSIgh.exe
  C:\Windows\System\otFSIgh.exe
  2⤵
  PID:6228
- C:\Windows\System\LXWiZZz.exe
  C:\Windows\System\LXWiZZz.exe
  2⤵
  PID:6260
- C:\Windows\System\xFUgnLt.exe
  C:\Windows\System\xFUgnLt.exe
  2⤵
  PID:6276
- C:\Windows\System\XATiOkw.exe
  C:\Windows\System\XATiOkw.exe
  2⤵
  PID:6312
- C:\Windows\System\prwXDkL.exe
  C:\Windows\System\prwXDkL.exe
  2⤵
  PID:6340
- C:\Windows\System\ahkOtaW.exe
  C:\Windows\System\ahkOtaW.exe
  2⤵
  PID:6376
- C:\Windows\System\eFiVyql.exe
  C:\Windows\System\eFiVyql.exe
  2⤵
  PID:6404
- C:\Windows\System\TXBccmu.exe
  C:\Windows\System\TXBccmu.exe
  2⤵
  PID:6432
- C:\Windows\System\mtfNsck.exe
  C:\Windows\System\mtfNsck.exe
  2⤵
  PID:6460
- C:\Windows\System\hLVOrBt.exe
  C:\Windows\System\hLVOrBt.exe
  2⤵
  PID:6488
- C:\Windows\System\fAGyboc.exe
  C:\Windows\System\fAGyboc.exe
  2⤵
  PID:6516
- C:\Windows\System\tQKXDYS.exe
  C:\Windows\System\tQKXDYS.exe
  2⤵
  PID:6544
- C:\Windows\System\jgSCWOc.exe
  C:\Windows\System\jgSCWOc.exe
  2⤵
  PID:6572
- C:\Windows\System\byUyesN.exe
  C:\Windows\System\byUyesN.exe
  2⤵
  PID:6600
- C:\Windows\System\uGelqtH.exe
  C:\Windows\System\uGelqtH.exe
  2⤵
  PID:6628
- C:\Windows\System\eZucOWo.exe
  C:\Windows\System\eZucOWo.exe
  2⤵
  PID:6656
- C:\Windows\System\hxBGPSr.exe
  C:\Windows\System\hxBGPSr.exe
  2⤵
  PID:6684
- C:\Windows\System\qNBumOh.exe
  C:\Windows\System\qNBumOh.exe
  2⤵
  PID:6712
- C:\Windows\System\KokMcua.exe
  C:\Windows\System\KokMcua.exe
  2⤵
  PID:6740
- C:\Windows\System\lADsdKn.exe
  C:\Windows\System\lADsdKn.exe
  2⤵
  PID:6772
- C:\Windows\System\bUOLWzq.exe
  C:\Windows\System\bUOLWzq.exe
  2⤵
  PID:6804
- C:\Windows\System\NomvTsV.exe
  C:\Windows\System\NomvTsV.exe
  2⤵
  PID:6832
- C:\Windows\System\Ggdevkf.exe
  C:\Windows\System\Ggdevkf.exe
  2⤵
  PID:6856
- C:\Windows\System\twcdGik.exe
  C:\Windows\System\twcdGik.exe
  2⤵
  PID:6892
- C:\Windows\System\IAURwFT.exe
  C:\Windows\System\IAURwFT.exe
  2⤵
  PID:6916
- C:\Windows\System\wMjOWUP.exe
  C:\Windows\System\wMjOWUP.exe
  2⤵
  PID:6948
- C:\Windows\System\vmnSnav.exe
  C:\Windows\System\vmnSnav.exe
  2⤵
  PID:6976
- C:\Windows\System\CCiDzOZ.exe
  C:\Windows\System\CCiDzOZ.exe
  2⤵
  PID:7000
- C:\Windows\System\UygigjD.exe
  C:\Windows\System\UygigjD.exe
  2⤵
  PID:7028
- C:\Windows\System\fbhfGbH.exe
  C:\Windows\System\fbhfGbH.exe
  2⤵
  PID:7056
- C:\Windows\System\MjLqjog.exe
  C:\Windows\System\MjLqjog.exe
  2⤵
  PID:7088
- C:\Windows\System\HjSUzUs.exe
  C:\Windows\System\HjSUzUs.exe
  2⤵
  PID:7116
- C:\Windows\System\AmpJbOn.exe
  C:\Windows\System\AmpJbOn.exe
  2⤵
  PID:7144
- C:\Windows\System\SdLKrRy.exe
  C:\Windows\System\SdLKrRy.exe
  2⤵
  PID:6152
- C:\Windows\System\wGQXnKY.exe
  C:\Windows\System\wGQXnKY.exe
  2⤵
  PID:6220
- C:\Windows\System\hBgFUaD.exe
  C:\Windows\System\hBgFUaD.exe
  2⤵
  PID:6288
- C:\Windows\System\dAqsXiT.exe
  C:\Windows\System\dAqsXiT.exe
  2⤵
  PID:6328
- C:\Windows\System\HFKcMLS.exe
  C:\Windows\System\HFKcMLS.exe
  2⤵
  PID:6392
- C:\Windows\System\ixeYgNH.exe
  C:\Windows\System\ixeYgNH.exe
  2⤵
  PID:6448
- C:\Windows\System\UxCwWRH.exe
  C:\Windows\System\UxCwWRH.exe
  2⤵
  PID:6512
- C:\Windows\System\nfzGwtY.exe
  C:\Windows\System\nfzGwtY.exe
  2⤵
  PID:2696
- C:\Windows\System\uYChDSb.exe
  C:\Windows\System\uYChDSb.exe
  2⤵
  PID:6616
- C:\Windows\System\NzuQaGX.exe
  C:\Windows\System\NzuQaGX.exe
  2⤵
  PID:6700
- C:\Windows\System\ayBmIYr.exe
  C:\Windows\System\ayBmIYr.exe
  2⤵
  PID:2236
- C:\Windows\System\ATaDhRl.exe
  C:\Windows\System\ATaDhRl.exe
  2⤵
  PID:6864
- C:\Windows\System\DfgEBnW.exe
  C:\Windows\System\DfgEBnW.exe
  2⤵
  PID:6924
- C:\Windows\System\YrWtXrQ.exe
  C:\Windows\System\YrWtXrQ.exe
  2⤵
  PID:4596
- C:\Windows\System\HmSvebK.exe
  C:\Windows\System\HmSvebK.exe
  2⤵
  PID:4252
- C:\Windows\System\AeRhZmP.exe
  C:\Windows\System\AeRhZmP.exe
  2⤵
  PID:4684
- C:\Windows\System\XdrqQSK.exe
  C:\Windows\System\XdrqQSK.exe
  2⤵
  PID:784
- C:\Windows\System\TtvwNgk.exe
  C:\Windows\System\TtvwNgk.exe
  2⤵
  PID:6984
- C:\Windows\System\zqTHYri.exe
  C:\Windows\System\zqTHYri.exe
  2⤵
  PID:7048
- C:\Windows\System\ZYBpqmg.exe
  C:\Windows\System\ZYBpqmg.exe
  2⤵
  PID:1940
- C:\Windows\System\dYgJQvW.exe
  C:\Windows\System\dYgJQvW.exe
  2⤵
  PID:7152
- C:\Windows\System\ZJfTvhE.exe
  C:\Windows\System\ZJfTvhE.exe
  2⤵
  PID:6480
- C:\Windows\System\xcXNHtV.exe
  C:\Windows\System\xcXNHtV.exe
  2⤵
  PID:6824
- C:\Windows\System\TLAoOtj.exe
  C:\Windows\System\TLAoOtj.exe
  2⤵
  PID:4796
- C:\Windows\System\SYoaSfB.exe
  C:\Windows\System\SYoaSfB.exe
  2⤵
  PID:2484
- C:\Windows\System\xOXaZjM.exe
  C:\Windows\System\xOXaZjM.exe
  2⤵
  PID:7080
- C:\Windows\System\OIQLvYb.exe
  C:\Windows\System\OIQLvYb.exe
  2⤵
  PID:6440
- C:\Windows\System\pHnXOer.exe
  C:\Windows\System\pHnXOer.exe
  2⤵
  PID:3668
- C:\Windows\System\vCxQvDZ.exe
  C:\Windows\System\vCxQvDZ.exe
  2⤵
  PID:6728
- C:\Windows\System\KrLoAfq.exe
  C:\Windows\System\KrLoAfq.exe
  2⤵
  PID:4528
- C:\Windows\System\LcIJlei.exe
  C:\Windows\System\LcIJlei.exe
  2⤵
  PID:7184
- C:\Windows\System\paLwCUP.exe
  C:\Windows\System\paLwCUP.exe
  2⤵
  PID:7212
- C:\Windows\System\idKxvTC.exe
  C:\Windows\System\idKxvTC.exe
  2⤵
  PID:7244
- C:\Windows\System\zBqOFIv.exe
  C:\Windows\System\zBqOFIv.exe
  2⤵
  PID:7272
- C:\Windows\System\gexhbxw.exe
  C:\Windows\System\gexhbxw.exe
  2⤵
  PID:7300
- C:\Windows\System\vZsbYgu.exe
  C:\Windows\System\vZsbYgu.exe
  2⤵
  PID:7328
- C:\Windows\System\meFQZKI.exe
  C:\Windows\System\meFQZKI.exe
  2⤵
  PID:7356
- C:\Windows\System\evsttFm.exe
  C:\Windows\System\evsttFm.exe
  2⤵
  PID:7384
- C:\Windows\System\jmEQAOr.exe
  C:\Windows\System\jmEQAOr.exe
  2⤵
  PID:7408
- C:\Windows\System\sPtHekg.exe
  C:\Windows\System\sPtHekg.exe
  2⤵
  PID:7440
- C:\Windows\System\InfzozL.exe
  C:\Windows\System\InfzozL.exe
  2⤵
  PID:7464
- C:\Windows\System\gBcXknX.exe
  C:\Windows\System\gBcXknX.exe
  2⤵
  PID:7496
- C:\Windows\System\MLmlBkY.exe
  C:\Windows\System\MLmlBkY.exe
  2⤵
  PID:7524
- C:\Windows\System\wFHARjE.exe
  C:\Windows\System\wFHARjE.exe
  2⤵
  PID:7552
- C:\Windows\System\numFJNj.exe
  C:\Windows\System\numFJNj.exe
  2⤵
  PID:7576
- C:\Windows\System\cjHdJdM.exe
  C:\Windows\System\cjHdJdM.exe
  2⤵
  PID:7600
- C:\Windows\System\NZdhCeX.exe
  C:\Windows\System\NZdhCeX.exe
  2⤵
  PID:7640
- C:\Windows\System\hkZTPMi.exe
  C:\Windows\System\hkZTPMi.exe
  2⤵
  PID:7672
- C:\Windows\System\SdBYsjy.exe
  C:\Windows\System\SdBYsjy.exe
  2⤵
  PID:7700
- C:\Windows\System\InNqNqp.exe
  C:\Windows\System\InNqNqp.exe
  2⤵
  PID:7724
- C:\Windows\System\dhkPYmc.exe
  C:\Windows\System\dhkPYmc.exe
  2⤵
  PID:7756
- C:\Windows\System\ztLOuiP.exe
  C:\Windows\System\ztLOuiP.exe
  2⤵
  PID:7784
- C:\Windows\System\ZLNskCn.exe
  C:\Windows\System\ZLNskCn.exe
  2⤵
  PID:7812
- C:\Windows\System\XJCKpZi.exe
  C:\Windows\System\XJCKpZi.exe
  2⤵
  PID:7840
- C:\Windows\System\ehVwPoG.exe
  C:\Windows\System\ehVwPoG.exe
  2⤵
  PID:7864
- C:\Windows\System\nyflbKq.exe
  C:\Windows\System\nyflbKq.exe
  2⤵
  PID:7896
- C:\Windows\System\HMqXtao.exe
  C:\Windows\System\HMqXtao.exe
  2⤵
  PID:7924
- C:\Windows\System\SnkRTtr.exe
  C:\Windows\System\SnkRTtr.exe
  2⤵
  PID:7956
- C:\Windows\System\YbzYjoj.exe
  C:\Windows\System\YbzYjoj.exe
  2⤵
  PID:7988
- C:\Windows\System\akwjiag.exe
  C:\Windows\System\akwjiag.exe
  2⤵
  PID:8016
- C:\Windows\System\kWpvgji.exe
  C:\Windows\System\kWpvgji.exe
  2⤵
  PID:8044
- C:\Windows\System\EQUPYMV.exe
  C:\Windows\System\EQUPYMV.exe
  2⤵
  PID:8072
- C:\Windows\System\SdnPBMY.exe
  C:\Windows\System\SdnPBMY.exe
  2⤵
  PID:8100
- C:\Windows\System\VtlLfis.exe
  C:\Windows\System\VtlLfis.exe
  2⤵
  PID:8128
- C:\Windows\System\SONGXDE.exe
  C:\Windows\System\SONGXDE.exe
  2⤵
  PID:8156
- C:\Windows\System\MSWooQy.exe
  C:\Windows\System\MSWooQy.exe
  2⤵
  PID:8176
- C:\Windows\System\ULyGlMP.exe
  C:\Windows\System\ULyGlMP.exe
  2⤵
  PID:7204
- C:\Windows\System\MSImaSk.exe
  C:\Windows\System\MSImaSk.exe
  2⤵
  PID:7296
- C:\Windows\System\AsBKqGp.exe
  C:\Windows\System\AsBKqGp.exe
  2⤵
  PID:7336
- C:\Windows\System\rytuBzj.exe
  C:\Windows\System\rytuBzj.exe
  2⤵
  PID:7400
- C:\Windows\System\PSJkXXR.exe
  C:\Windows\System\PSJkXXR.exe
  2⤵
  PID:7472
- C:\Windows\System\TpVjuWB.exe
  C:\Windows\System\TpVjuWB.exe
  2⤵
  PID:7512
- C:\Windows\System\xhARhHt.exe
  C:\Windows\System\xhARhHt.exe
  2⤵
  PID:7588
- C:\Windows\System\LyUucoH.exe
  C:\Windows\System\LyUucoH.exe
  2⤵
  PID:7652
- C:\Windows\System\NvWhUjL.exe
  C:\Windows\System\NvWhUjL.exe
  2⤵
  PID:7716
- C:\Windows\System\SCnqAlC.exe
  C:\Windows\System\SCnqAlC.exe
  2⤵
  PID:7808
- C:\Windows\System\XzQqzVF.exe
  C:\Windows\System\XzQqzVF.exe
  2⤵
  PID:7876
- C:\Windows\System\pODBfxG.exe
  C:\Windows\System\pODBfxG.exe
  2⤵
  PID:7976
- C:\Windows\System\EGjSIKk.exe
  C:\Windows\System\EGjSIKk.exe
  2⤵
  PID:8040
- C:\Windows\System\gnSMKcg.exe
  C:\Windows\System\gnSMKcg.exe
  2⤵
  PID:8140
- C:\Windows\System\lFpmEky.exe
  C:\Windows\System\lFpmEky.exe
  2⤵
  PID:7196
- C:\Windows\System\vhvqZFX.exe
  C:\Windows\System\vhvqZFX.exe
  2⤵
  PID:7308
- C:\Windows\System\CPDxHoT.exe
  C:\Windows\System\CPDxHoT.exe
  2⤵
  PID:7436
- C:\Windows\System\WYsvKZY.exe
  C:\Windows\System\WYsvKZY.exe
  2⤵
  PID:6588
- C:\Windows\System\lhUvLRa.exe
  C:\Windows\System\lhUvLRa.exe
  2⤵
  PID:7792
- C:\Windows\System\oQjxVqT.exe
  C:\Windows\System\oQjxVqT.exe
  2⤵
  PID:8012
- C:\Windows\System\tilIYdQ.exe
  C:\Windows\System\tilIYdQ.exe
  2⤵
  PID:8164
- C:\Windows\System\xSCvEku.exe
  C:\Windows\System\xSCvEku.exe
  2⤵
  PID:7584
- C:\Windows\System\YkqrSnD.exe
  C:\Windows\System\YkqrSnD.exe
  2⤵
  PID:7892
- C:\Windows\System\xpJhHum.exe
  C:\Windows\System\xpJhHum.exe
  2⤵
  PID:884
- C:\Windows\System\obnNstb.exe
  C:\Windows\System\obnNstb.exe
  2⤵
  PID:8068
- C:\Windows\System\vbPlEca.exe
  C:\Windows\System\vbPlEca.exe
  2⤵
  PID:8212
- C:\Windows\System\yaQrdQh.exe
  C:\Windows\System\yaQrdQh.exe
  2⤵
  PID:8244
- C:\Windows\System\yBshFFf.exe
  C:\Windows\System\yBshFFf.exe
  2⤵
  PID:8264
- C:\Windows\System\ItDuWDF.exe
  C:\Windows\System\ItDuWDF.exe
  2⤵
  PID:8296
- C:\Windows\System\ePEXOfa.exe
  C:\Windows\System\ePEXOfa.exe
  2⤵
  PID:8328
- C:\Windows\System\IZeLeqD.exe
  C:\Windows\System\IZeLeqD.exe
  2⤵
  PID:8348
- C:\Windows\System\FSHmKjt.exe
  C:\Windows\System\FSHmKjt.exe
  2⤵
  PID:8376
- C:\Windows\System\toSdGUQ.exe
  C:\Windows\System\toSdGUQ.exe
  2⤵
  PID:8412
- C:\Windows\System\BmVKVJu.exe
  C:\Windows\System\BmVKVJu.exe
  2⤵
  PID:8436
- C:\Windows\System\EXNzTUu.exe
  C:\Windows\System\EXNzTUu.exe
  2⤵
  PID:8460
- C:\Windows\System\pIiJAoh.exe
  C:\Windows\System\pIiJAoh.exe
  2⤵
  PID:8488
- C:\Windows\System\qBmXKHG.exe
  C:\Windows\System\qBmXKHG.exe
  2⤵
  PID:8524
- C:\Windows\System\WxuCfvt.exe
  C:\Windows\System\WxuCfvt.exe
  2⤵
  PID:8552
- C:\Windows\System\jZNQnuW.exe
  C:\Windows\System\jZNQnuW.exe
  2⤵
  PID:8584
- C:\Windows\System\PinRARR.exe
  C:\Windows\System\PinRARR.exe
  2⤵
  PID:8604
- C:\Windows\System\XWFFXND.exe
  C:\Windows\System\XWFFXND.exe
  2⤵
  PID:8632
- C:\Windows\System\ZxQPlNX.exe
  C:\Windows\System\ZxQPlNX.exe
  2⤵
  PID:8660
- C:\Windows\System\texqYoi.exe
  C:\Windows\System\texqYoi.exe
  2⤵
  PID:8688
- C:\Windows\System\kfLcBBD.exe
  C:\Windows\System\kfLcBBD.exe
  2⤵
  PID:8716
- C:\Windows\System\McUCDRE.exe
  C:\Windows\System\McUCDRE.exe
  2⤵
  PID:8744
- C:\Windows\System\FXESOiV.exe
  C:\Windows\System\FXESOiV.exe
  2⤵
  PID:8776
- C:\Windows\System\OgGSrIG.exe
  C:\Windows\System\OgGSrIG.exe
  2⤵
  PID:8812
- C:\Windows\System\LvNecRk.exe
  C:\Windows\System\LvNecRk.exe
  2⤵
  PID:8840
- C:\Windows\System\jvPjbMR.exe
  C:\Windows\System\jvPjbMR.exe
  2⤵
  PID:8868
- C:\Windows\System\CpUaEWS.exe
  C:\Windows\System\CpUaEWS.exe
  2⤵
  PID:8896
- C:\Windows\System\KzWvhjt.exe
  C:\Windows\System\KzWvhjt.exe
  2⤵
  PID:8924
- C:\Windows\System\gUcetnL.exe
  C:\Windows\System\gUcetnL.exe
  2⤵
  PID:8952
- C:\Windows\System\RoiGUbX.exe
  C:\Windows\System\RoiGUbX.exe
  2⤵
  PID:8976
- C:\Windows\System\cmNLpyl.exe
  C:\Windows\System\cmNLpyl.exe
  2⤵
  PID:9012
- C:\Windows\System\cFBhRqH.exe
  C:\Windows\System\cFBhRqH.exe
  2⤵
  PID:9040
- C:\Windows\System\SQrETAs.exe
  C:\Windows\System\SQrETAs.exe
  2⤵
  PID:9068
- C:\Windows\System\fNHQuFW.exe
  C:\Windows\System\fNHQuFW.exe
  2⤵
  PID:9096
- C:\Windows\System\vFgZhuw.exe
  C:\Windows\System\vFgZhuw.exe
  2⤵
  PID:9124
- C:\Windows\System\OtiAmKa.exe
  C:\Windows\System\OtiAmKa.exe
  2⤵
  PID:9144
- C:\Windows\System\vPCEZwn.exe
  C:\Windows\System\vPCEZwn.exe
  2⤵
  PID:9176
- C:\Windows\System\JQouEBW.exe
  C:\Windows\System\JQouEBW.exe
  2⤵
  PID:9200
- C:\Windows\System\fEOUZoN.exe
  C:\Windows\System\fEOUZoN.exe
  2⤵
  PID:4368
- C:\Windows\System\SVzGcGE.exe
  C:\Windows\System\SVzGcGE.exe
  2⤵
  PID:2384
- C:\Windows\System\uklWJVY.exe
  C:\Windows\System\uklWJVY.exe
  2⤵
  PID:7364
- C:\Windows\System\beWNAIH.exe
  C:\Windows\System\beWNAIH.exe
  2⤵
  PID:8252
- C:\Windows\System\oSzzqAY.exe
  C:\Windows\System\oSzzqAY.exe
  2⤵
  PID:8312
- C:\Windows\System\qESWanh.exe
  C:\Windows\System\qESWanh.exe
  2⤵
  PID:8372
- C:\Windows\System\QidQDSg.exe
  C:\Windows\System\QidQDSg.exe
  2⤵
  PID:8448
- C:\Windows\System\CivDKiZ.exe
  C:\Windows\System\CivDKiZ.exe
  2⤵
  PID:8500
- C:\Windows\System\QoQZiqh.exe
  C:\Windows\System\QoQZiqh.exe
  2⤵
  PID:8564
- C:\Windows\System\ToiWcUW.exe
  C:\Windows\System\ToiWcUW.exe
  2⤵
  PID:8644
- C:\Windows\System\XWlpWlw.exe
  C:\Windows\System\XWlpWlw.exe
  2⤵
  PID:8684
- C:\Windows\System\GMGisoM.exe
  C:\Windows\System\GMGisoM.exe
  2⤵
  PID:8756
- C:\Windows\System\yqAYtRF.exe
  C:\Windows\System\yqAYtRF.exe
  2⤵
  PID:8852
- C:\Windows\System\HYvtJSD.exe
  C:\Windows\System\HYvtJSD.exe
  2⤵
  PID:8904
- C:\Windows\System\BGvAcIq.exe
  C:\Windows\System\BGvAcIq.exe
  2⤵
  PID:8964
- C:\Windows\System\cMshIXo.exe
  C:\Windows\System\cMshIXo.exe
  2⤵
  PID:9028
- C:\Windows\System\hYWrCRV.exe
  C:\Windows\System\hYWrCRV.exe
  2⤵
  PID:9104
- C:\Windows\System\jfXOmCp.exe
  C:\Windows\System\jfXOmCp.exe
  2⤵
  PID:9164
- C:\Windows\System\leFcshu.exe
  C:\Windows\System\leFcshu.exe
  2⤵
  PID:8208
- C:\Windows\System\ClZJJog.exe
  C:\Windows\System\ClZJJog.exe
  2⤵
  PID:1444
- C:\Windows\System\rfvkGyO.exe
  C:\Windows\System\rfvkGyO.exe
  2⤵
  PID:8360
- C:\Windows\System\PPniNJK.exe
  C:\Windows\System\PPniNJK.exe
  2⤵
  PID:8480
- C:\Windows\System\mLDvvJX.exe
  C:\Windows\System\mLDvvJX.exe
  2⤵
  PID:8616
- C:\Windows\System\VjKGGie.exe
  C:\Windows\System\VjKGGie.exe
  2⤵
  PID:8880
- C:\Windows\System\kejkBta.exe
  C:\Windows\System\kejkBta.exe
  2⤵
  PID:9020
- C:\Windows\System\pDhtCFU.exe
  C:\Windows\System\pDhtCFU.exe
  2⤵
  PID:9132
- C:\Windows\System\VBGWALo.exe
  C:\Windows\System\VBGWALo.exe
  2⤵
  PID:8196
- C:\Windows\System\cLctFtQ.exe
  C:\Windows\System\cLctFtQ.exe
  2⤵
  PID:7592
- C:\Windows\System\UNvKkeL.exe
  C:\Windows\System\UNvKkeL.exe
  2⤵
  PID:8740
- C:\Windows\System\bFtDqMN.exe
  C:\Windows\System\bFtDqMN.exe
  2⤵
  PID:9192
- C:\Windows\System\FiWFoof.exe
  C:\Windows\System\FiWFoof.exe
  2⤵
  PID:8600
- C:\Windows\System\MsuzIUi.exe
  C:\Windows\System\MsuzIUi.exe
  2⤵
  PID:9084
- C:\Windows\System\NorAqxh.exe
  C:\Windows\System\NorAqxh.exe
  2⤵
  PID:8428
- C:\Windows\System\ZbjodNe.exe
  C:\Windows\System\ZbjodNe.exe
  2⤵
  PID:9236
- C:\Windows\System\lkpXmZj.exe
  C:\Windows\System\lkpXmZj.exe
  2⤵
  PID:9264
- C:\Windows\System\zHhDNBc.exe
  C:\Windows\System\zHhDNBc.exe
  2⤵
  PID:9300
- C:\Windows\System\pmORsCR.exe
  C:\Windows\System\pmORsCR.exe
  2⤵
  PID:9320
- C:\Windows\System\vyvsZJI.exe
  C:\Windows\System\vyvsZJI.exe
  2⤵
  PID:9372
- C:\Windows\System\THstdTq.exe
  C:\Windows\System\THstdTq.exe
  2⤵
  PID:9416
- C:\Windows\System\MVUyOUv.exe
  C:\Windows\System\MVUyOUv.exe
  2⤵
  PID:9444
- C:\Windows\System\OwxbfcN.exe
  C:\Windows\System\OwxbfcN.exe
  2⤵
  PID:9472
- C:\Windows\System\VerYaGs.exe
  C:\Windows\System\VerYaGs.exe
  2⤵
  PID:9520
- C:\Windows\System\DYFZndv.exe
  C:\Windows\System\DYFZndv.exe
  2⤵
  PID:9548
- C:\Windows\System\cyBGviO.exe
  C:\Windows\System\cyBGviO.exe
  2⤵
  PID:9576
- C:\Windows\System\xPdpusH.exe
  C:\Windows\System\xPdpusH.exe
  2⤵
  PID:9608
- C:\Windows\System\BHiANuJ.exe
  C:\Windows\System\BHiANuJ.exe
  2⤵
  PID:9636
- C:\Windows\System\oRYwrWA.exe
  C:\Windows\System\oRYwrWA.exe
  2⤵
  PID:9668
- C:\Windows\System\FerbtiD.exe
  C:\Windows\System\FerbtiD.exe
  2⤵
  PID:9700
- C:\Windows\System\DDsDnGE.exe
  C:\Windows\System\DDsDnGE.exe
  2⤵
  PID:9728
- C:\Windows\System\ZRaDvfn.exe
  C:\Windows\System\ZRaDvfn.exe
  2⤵
  PID:9756
- C:\Windows\System\ckyUvab.exe
  C:\Windows\System\ckyUvab.exe
  2⤵
  PID:9796
- C:\Windows\System\BqpJhqW.exe
  C:\Windows\System\BqpJhqW.exe
  2⤵
  PID:9816
- C:\Windows\System\JfdFnHw.exe
  C:\Windows\System\JfdFnHw.exe
  2⤵
  PID:9836
- C:\Windows\System\ATOjlbP.exe
  C:\Windows\System\ATOjlbP.exe
  2⤵
  PID:9872
- C:\Windows\System\kCaNGmP.exe
  C:\Windows\System\kCaNGmP.exe
  2⤵
  PID:9900
- C:\Windows\System\obYcWKO.exe
  C:\Windows\System\obYcWKO.exe
  2⤵
  PID:9928
- C:\Windows\System\yOQuSVI.exe
  C:\Windows\System\yOQuSVI.exe
  2⤵
  PID:9956
- C:\Windows\System\duwSOJx.exe
  C:\Windows\System\duwSOJx.exe
  2⤵
  PID:9984
- C:\Windows\System\TyxyGxg.exe
  C:\Windows\System\TyxyGxg.exe
  2⤵
  PID:10012
- C:\Windows\System\bPVYJwh.exe
  C:\Windows\System\bPVYJwh.exe
  2⤵
  PID:10040
- C:\Windows\System\YNAWJza.exe
  C:\Windows\System\YNAWJza.exe
  2⤵
  PID:10068
- C:\Windows\System\qSiDWPa.exe
  C:\Windows\System\qSiDWPa.exe
  2⤵
  PID:10096
- C:\Windows\System\CBwAIRX.exe
  C:\Windows\System\CBwAIRX.exe
  2⤵
  PID:10124
- C:\Windows\System\eXttgnh.exe
  C:\Windows\System\eXttgnh.exe
  2⤵
  PID:10152
- C:\Windows\System\TImyPxK.exe
  C:\Windows\System\TImyPxK.exe
  2⤵
  PID:10172
- C:\Windows\System\xHJReCp.exe
  C:\Windows\System\xHJReCp.exe
  2⤵
  PID:10200
- C:\Windows\System\wSLCEIW.exe
  C:\Windows\System\wSLCEIW.exe
  2⤵
  PID:9232
- C:\Windows\System\ktAenzT.exe
  C:\Windows\System\ktAenzT.exe
  2⤵
  PID:9276
- C:\Windows\System\GBGkTJC.exe
  C:\Windows\System\GBGkTJC.exe
  2⤵
  PID:3216
- C:\Windows\System\hAtItrq.exe
  C:\Windows\System\hAtItrq.exe
  2⤵
  PID:9360
- C:\Windows\System\jBdlGKA.exe
  C:\Windows\System\jBdlGKA.exe
  2⤵
  PID:9452
- C:\Windows\System\HoWeyVg.exe
  C:\Windows\System\HoWeyVg.exe
  2⤵
  PID:9532
- C:\Windows\System\qLmVKEN.exe
  C:\Windows\System\qLmVKEN.exe
  2⤵
  PID:9600
- C:\Windows\System\hqMmlql.exe
  C:\Windows\System\hqMmlql.exe
  2⤵
  PID:9680
- C:\Windows\System\zWQmGVk.exe
  C:\Windows\System\zWQmGVk.exe
  2⤵
  PID:9724
- C:\Windows\System\HTjkWYN.exe
  C:\Windows\System\HTjkWYN.exe
  2⤵
  PID:976
- C:\Windows\System\dGVSbmj.exe
  C:\Windows\System\dGVSbmj.exe
  2⤵
  PID:9808
- C:\Windows\System\ZtrzHVO.exe
  C:\Windows\System\ZtrzHVO.exe
  2⤵
  PID:9856
- C:\Windows\System\ZKcnuzQ.exe
  C:\Windows\System\ZKcnuzQ.exe
  2⤵
  PID:9924
- C:\Windows\System\HdBoJnr.exe
  C:\Windows\System\HdBoJnr.exe
  2⤵
  PID:9996
- C:\Windows\System\EqbltNi.exe
  C:\Windows\System\EqbltNi.exe
  2⤵
  PID:10036
- C:\Windows\System\jYuhdEZ.exe
  C:\Windows\System\jYuhdEZ.exe
  2⤵
  PID:10080
- C:\Windows\System\wvapOYZ.exe
  C:\Windows\System\wvapOYZ.exe
  2⤵
  PID:10136
- C:\Windows\System\cUyWGuB.exe
  C:\Windows\System\cUyWGuB.exe
  2⤵
  PID:548
- C:\Windows\System\HpCMoLH.exe
  C:\Windows\System\HpCMoLH.exe
  2⤵
  PID:2228
- C:\Windows\System\dOHYncC.exe
  C:\Windows\System\dOHYncC.exe
  2⤵
  PID:9288
- C:\Windows\System\wkfMjEy.exe
  C:\Windows\System\wkfMjEy.exe
  2⤵
  PID:4752
- C:\Windows\System\TDrUNAS.exe
  C:\Windows\System\TDrUNAS.exe
  2⤵
  - Access Token Manipulation: Create Process with Token
  PID:9480
- C:\Windows\System\laFaWZR.exe
  C:\Windows\System\laFaWZR.exe
  2⤵
  PID:4332
- C:\Windows\System\hZRuEbm.exe
  C:\Windows\System\hZRuEbm.exe
  2⤵
  PID:3664
- C:\Windows\System\PpsUJAf.exe
  C:\Windows\System\PpsUJAf.exe
  2⤵
  PID:9828
- C:\Windows\System\wQHKtgJ.exe
  C:\Windows\System\wQHKtgJ.exe
  2⤵
  PID:9952
- C:\Windows\System\syDndJt.exe
  C:\Windows\System\syDndJt.exe
  2⤵
  PID:10104
- C:\Windows\System\ZWIISfN.exe
  C:\Windows\System\ZWIISfN.exe
  2⤵
  PID:9256
- C:\Windows\System\PFAtDfg.exe
  C:\Windows\System\PFAtDfg.exe
  2⤵
  PID:1320
- C:\Windows\System\HhNEmmB.exe
  C:\Windows\System\HhNEmmB.exe
  2⤵
  PID:9712
- C:\Windows\System\ZeEzSRF.exe
  C:\Windows\System\ZeEzSRF.exe
  2⤵
  PID:1748
- C:\Windows\System\FJnJOtb.exe
  C:\Windows\System\FJnJOtb.exe
  2⤵
  PID:10224
- C:\Windows\System\XKuKJNx.exe
  C:\Windows\System\XKuKJNx.exe
  2⤵
  PID:9628
- C:\Windows\System\zbCaYNs.exe
  C:\Windows\System\zbCaYNs.exe
  2⤵
  PID:2776
- C:\Windows\System\FYrAUdS.exe
  C:\Windows\System\FYrAUdS.exe
  2⤵
  PID:10248
- C:\Windows\System\qQjuqkm.exe
  C:\Windows\System\qQjuqkm.exe
  2⤵
  PID:10276
- C:\Windows\System\UEmszbB.exe
  C:\Windows\System\UEmszbB.exe
  2⤵
  PID:10304
- C:\Windows\System\BJjdqRu.exe
  C:\Windows\System\BJjdqRu.exe
  2⤵
  PID:10320
- C:\Windows\System\KAtWuTF.exe
  C:\Windows\System\KAtWuTF.exe
  2⤵
  PID:10360
- C:\Windows\System\udhgHSU.exe
  C:\Windows\System\udhgHSU.exe
  2⤵
  PID:10388
- C:\Windows\System\YLlrRAa.exe
  C:\Windows\System\YLlrRAa.exe
  2⤵
  PID:10416
- C:\Windows\System\KDYVThF.exe
  C:\Windows\System\KDYVThF.exe
  2⤵
  PID:10436
- C:\Windows\System\ooCfkPJ.exe
  C:\Windows\System\ooCfkPJ.exe
  2⤵
  PID:10468
- C:\Windows\System\Rtqkajw.exe
  C:\Windows\System\Rtqkajw.exe
  2⤵
  PID:10492
- C:\Windows\System\PyZfhHT.exe
  C:\Windows\System\PyZfhHT.exe
  2⤵
  PID:10528
- C:\Windows\System\KuWsgjc.exe
  C:\Windows\System\KuWsgjc.exe
  2⤵
  PID:10556
- C:\Windows\System\mPCFEFb.exe
  C:\Windows\System\mPCFEFb.exe
  2⤵
  PID:10584
- C:\Windows\System\EpicYuD.exe
  C:\Windows\System\EpicYuD.exe
  2⤵
  PID:10612
- C:\Windows\System\FNpztWm.exe
  C:\Windows\System\FNpztWm.exe
  2⤵
  PID:10628
- C:\Windows\System\RNIBGZX.exe
  C:\Windows\System\RNIBGZX.exe
  2⤵
  PID:10656
- C:\Windows\System\qcaTTxb.exe
  C:\Windows\System\qcaTTxb.exe
  2⤵
  PID:10696
- C:\Windows\System\fYzNjBd.exe
  C:\Windows\System\fYzNjBd.exe
  2⤵
  PID:10724
- C:\Windows\System\DaQIYlE.exe
  C:\Windows\System\DaQIYlE.exe
  2⤵
  PID:10752
- C:\Windows\System\ygJWeCf.exe
  C:\Windows\System\ygJWeCf.exe
  2⤵
  PID:10784
- C:\Windows\System\VHBPCOE.exe
  C:\Windows\System\VHBPCOE.exe
  2⤵
  PID:10812
- C:\Windows\System\ddLzAmI.exe
  C:\Windows\System\ddLzAmI.exe
  2⤵
  PID:10840
- C:\Windows\System\ZVwtkMZ.exe
  C:\Windows\System\ZVwtkMZ.exe
  2⤵
  PID:10868
- C:\Windows\System\UudjOaA.exe
  C:\Windows\System\UudjOaA.exe
  2⤵
  PID:10896
- C:\Windows\System\MsBjvUq.exe
  C:\Windows\System\MsBjvUq.exe
  2⤵
  PID:10924
- C:\Windows\System\SWsLpoS.exe
  C:\Windows\System\SWsLpoS.exe
  2⤵
  PID:10952
- C:\Windows\System\UJSQAzu.exe
  C:\Windows\System\UJSQAzu.exe
  2⤵
  PID:10984
- C:\Windows\System\eISvClf.exe
  C:\Windows\System\eISvClf.exe
  2⤵
  PID:11008
- C:\Windows\System\XkQdPUM.exe
  C:\Windows\System\XkQdPUM.exe
  2⤵
  PID:11048
- C:\Windows\System\XccAeaS.exe
  C:\Windows\System\XccAeaS.exe
  2⤵
  PID:11064
- C:\Windows\System\ccDQvGM.exe
  C:\Windows\System\ccDQvGM.exe
  2⤵
  PID:11092
- C:\Windows\System\vNgEMML.exe
  C:\Windows\System\vNgEMML.exe
  2⤵
  PID:11120
- C:\Windows\System\rqlgWAu.exe
  C:\Windows\System\rqlgWAu.exe
  2⤵
  PID:11148
- C:\Windows\System\KVyXEWK.exe
  C:\Windows\System\KVyXEWK.exe
  2⤵
  PID:11176
- C:\Windows\System\CadWefL.exe
  C:\Windows\System\CadWefL.exe
  2⤵
  PID:11204
- C:\Windows\System\EwwEiNE.exe
  C:\Windows\System\EwwEiNE.exe
  2⤵
  PID:11236
- C:\Windows\System\BjiGRdy.exe
  C:\Windows\System\BjiGRdy.exe
  2⤵
  PID:11260
- C:\Windows\System\tzLSCxK.exe
  C:\Windows\System\tzLSCxK.exe
  2⤵
  PID:10272
- C:\Windows\System\lLZlmHt.exe
  C:\Windows\System\lLZlmHt.exe
  2⤵
  PID:10344
- C:\Windows\System\SGjfPyi.exe
  C:\Windows\System\SGjfPyi.exe
  2⤵
  PID:10404
- C:\Windows\System\UgnkpvO.exe
  C:\Windows\System\UgnkpvO.exe
  2⤵
  PID:10476
- C:\Windows\System\EPCxzrZ.exe
  C:\Windows\System\EPCxzrZ.exe
  2⤵
  PID:10548
- C:\Windows\System\DQBSlDg.exe
  C:\Windows\System\DQBSlDg.exe
  2⤵
  PID:10600
- C:\Windows\System\apfGWRT.exe
  C:\Windows\System\apfGWRT.exe
  2⤵
  PID:10676
- C:\Windows\System\LlqUojD.exe
  C:\Windows\System\LlqUojD.exe
  2⤵
  PID:10720
- C:\Windows\System\TvoYUUs.exe
  C:\Windows\System\TvoYUUs.exe
  2⤵
  PID:10796
- C:\Windows\System\EAUfLht.exe
  C:\Windows\System\EAUfLht.exe
  2⤵
  PID:10852
- C:\Windows\System\uvMkLLK.exe
  C:\Windows\System\uvMkLLK.exe
  2⤵
  PID:10920
- C:\Windows\System\axlVaQR.exe
  C:\Windows\System\axlVaQR.exe
  2⤵
  PID:10992
- C:\Windows\System\RpCWnhO.exe
  C:\Windows\System\RpCWnhO.exe
  2⤵
  PID:11056
- C:\Windows\System\lsjFbXK.exe
  C:\Windows\System\lsjFbXK.exe
  2⤵
  PID:11104
- C:\Windows\System\EtpRJSQ.exe
  C:\Windows\System\EtpRJSQ.exe
  2⤵
  PID:11168
- C:\Windows\System\GfJuJYN.exe
  C:\Windows\System\GfJuJYN.exe
  2⤵
  PID:11228
- C:\Windows\System\QRsCOdH.exe
  C:\Windows\System\QRsCOdH.exe
  2⤵
  PID:10300
- C:\Windows\System\mihAMTW.exe
  C:\Windows\System\mihAMTW.exe
  2⤵
  PID:10452
- C:\Windows\System\utoZglu.exe
  C:\Windows\System\utoZglu.exe
  2⤵
  PID:10596
- C:\Windows\System\fGQYPoq.exe
  C:\Windows\System\fGQYPoq.exe
  2⤵
  PID:10768
- C:\Windows\System\UTVfxtV.exe
  C:\Windows\System\UTVfxtV.exe
  2⤵
  PID:10908
- C:\Windows\System\EzqRzTE.exe
  C:\Windows\System\EzqRzTE.exe
  2⤵
  PID:11032
- C:\Windows\System\pmlgaJy.exe
  C:\Windows\System\pmlgaJy.exe
  2⤵
  PID:11196
- C:\Windows\System\tdbUQwM.exe
  C:\Windows\System\tdbUQwM.exe
  2⤵
  PID:10400
- C:\Windows\System\JRoaolG.exe
  C:\Windows\System\JRoaolG.exe
  2⤵
  PID:10716
- C:\Windows\System\FJpOzkM.exe
  C:\Windows\System\FJpOzkM.exe
  2⤵
  PID:11112
- C:\Windows\System\kslTZgY.exe
  C:\Windows\System\kslTZgY.exe
  2⤵
  PID:10568
- C:\Windows\System\wtgqpjl.exe
  C:\Windows\System\wtgqpjl.exe
  2⤵
  PID:1720
- C:\Windows\System\nsReHqV.exe
  C:\Windows\System\nsReHqV.exe
  2⤵
  PID:11272
- C:\Windows\System\NRAbRQG.exe
  C:\Windows\System\NRAbRQG.exe
  2⤵
  PID:11300
- C:\Windows\System\VGuEnoQ.exe
  C:\Windows\System\VGuEnoQ.exe
  2⤵
  PID:11332
- C:\Windows\System\sAtutGy.exe
  C:\Windows\System\sAtutGy.exe
  2⤵
  PID:11360
- C:\Windows\System\STQfFXC.exe
  C:\Windows\System\STQfFXC.exe
  2⤵
  PID:11388
- C:\Windows\System\WWbDquU.exe
  C:\Windows\System\WWbDquU.exe
  2⤵
  PID:11416
- C:\Windows\System\BcMKaTw.exe
  C:\Windows\System\BcMKaTw.exe
  2⤵
  PID:11444
- C:\Windows\System\OHXUPuq.exe
  C:\Windows\System\OHXUPuq.exe
  2⤵
  PID:11472
- C:\Windows\System\anzmCuv.exe
  C:\Windows\System\anzmCuv.exe
  2⤵
  PID:11500
- C:\Windows\System\xhqhlBs.exe
  C:\Windows\System\xhqhlBs.exe
  2⤵
  PID:11528
- C:\Windows\System\uNWYgtU.exe
  C:\Windows\System\uNWYgtU.exe
  2⤵
  PID:11556
- C:\Windows\System\zYnVgCX.exe
  C:\Windows\System\zYnVgCX.exe
  2⤵
  PID:11584
- C:\Windows\System\xsjFWhE.exe
  C:\Windows\System\xsjFWhE.exe
  2⤵
  PID:11612
- C:\Windows\System\QvHESZG.exe
  C:\Windows\System\QvHESZG.exe
  2⤵
  PID:11640
- C:\Windows\System\KEGbaUZ.exe
  C:\Windows\System\KEGbaUZ.exe
  2⤵
  PID:11668
- C:\Windows\System\PbbBkHp.exe
  C:\Windows\System\PbbBkHp.exe
  2⤵
  PID:11696
- C:\Windows\System\PafQpdw.exe
  C:\Windows\System\PafQpdw.exe
  2⤵
  PID:11724
- C:\Windows\System\dFDTrZk.exe
  C:\Windows\System\dFDTrZk.exe
  2⤵
  PID:11752
- C:\Windows\System\XfLrOby.exe
  C:\Windows\System\XfLrOby.exe
  2⤵
  PID:11780
- C:\Windows\System\ZExOJKE.exe
  C:\Windows\System\ZExOJKE.exe
  2⤵
  PID:11808
- C:\Windows\System\gnLHbGS.exe
  C:\Windows\System\gnLHbGS.exe
  2⤵
  PID:11836
- C:\Windows\System\hQCqFzt.exe
  C:\Windows\System\hQCqFzt.exe
  2⤵
  PID:11864
- C:\Windows\System\uFjTTab.exe
  C:\Windows\System\uFjTTab.exe
  2⤵
  PID:11892
- C:\Windows\System\ulxTFuE.exe
  C:\Windows\System\ulxTFuE.exe
  2⤵
  PID:11920
- C:\Windows\System\EcZFAmC.exe
  C:\Windows\System\EcZFAmC.exe
  2⤵
  PID:11948
- C:\Windows\System\ktsTlBX.exe
  C:\Windows\System\ktsTlBX.exe
  2⤵
  PID:11976
- C:\Windows\System\GnoNsgb.exe
  C:\Windows\System\GnoNsgb.exe
  2⤵
  PID:12004
- C:\Windows\System\YNwOXKV.exe
  C:\Windows\System\YNwOXKV.exe
  2⤵
  PID:12032
- C:\Windows\System\IjTnaTs.exe
  C:\Windows\System\IjTnaTs.exe
  2⤵
  PID:12068
- C:\Windows\System\NblTlyH.exe
  C:\Windows\System\NblTlyH.exe
  2⤵
  PID:12088
- C:\Windows\System\CKKcBYT.exe
  C:\Windows\System\CKKcBYT.exe
  2⤵
  PID:12120
- C:\Windows\System\wrIMhPU.exe
  C:\Windows\System\wrIMhPU.exe
  2⤵
  PID:12148
- C:\Windows\System\vnJAiAe.exe
  C:\Windows\System\vnJAiAe.exe
  2⤵
  PID:12176
- C:\Windows\System\wqyPoEj.exe
  C:\Windows\System\wqyPoEj.exe
  2⤵
  PID:12204
- C:\Windows\System\IfbHUya.exe
  C:\Windows\System\IfbHUya.exe
  2⤵
  PID:12232
- C:\Windows\System\KfoOzxS.exe
  C:\Windows\System\KfoOzxS.exe
  2⤵
  PID:12260
- C:\Windows\System\VihtAMV.exe
  C:\Windows\System\VihtAMV.exe
  2⤵
  PID:10316
- C:\Windows\System\fkQFtwx.exe
  C:\Windows\System\fkQFtwx.exe
  2⤵
  PID:11328
- C:\Windows\System\FtwZIrf.exe
  C:\Windows\System\FtwZIrf.exe
  2⤵
  PID:11400
- C:\Windows\System\pRsFlhk.exe
  C:\Windows\System\pRsFlhk.exe
  2⤵
  PID:11464
- C:\Windows\System\EKzyGnQ.exe
  C:\Windows\System\EKzyGnQ.exe
  2⤵
  PID:11524
- C:\Windows\System\thqcmLP.exe
  C:\Windows\System\thqcmLP.exe
  2⤵
  PID:11596
- C:\Windows\System\zDYUhLm.exe
  C:\Windows\System\zDYUhLm.exe
  2⤵
  PID:11660
- C:\Windows\System\YsYQObJ.exe
  C:\Windows\System\YsYQObJ.exe
  2⤵
  PID:11720
- C:\Windows\System\ihvvVLU.exe
  C:\Windows\System\ihvvVLU.exe
  2⤵
  PID:11792
- C:\Windows\System\NzVzMNE.exe
  C:\Windows\System\NzVzMNE.exe
  2⤵
  PID:11856
- C:\Windows\System\mXdZWrb.exe
  C:\Windows\System\mXdZWrb.exe
  2⤵
  PID:11912
- C:\Windows\System\FggtmHy.exe
  C:\Windows\System\FggtmHy.exe
  2⤵
  PID:11972
- C:\Windows\System\eJCbyZO.exe
  C:\Windows\System\eJCbyZO.exe
  2⤵
  PID:12044
- C:\Windows\System\USvapcd.exe
  C:\Windows\System\USvapcd.exe
  2⤵
  PID:12112
- C:\Windows\System\BWDuqVs.exe
  C:\Windows\System\BWDuqVs.exe
  2⤵
  PID:12172
- C:\Windows\System\VVAkYxw.exe
  C:\Windows\System\VVAkYxw.exe
  2⤵
  PID:12224
- C:\Windows\System\rJPfypt.exe
  C:\Windows\System\rJPfypt.exe
  2⤵
  PID:12284
- C:\Windows\System\yIziLYw.exe
  C:\Windows\System\yIziLYw.exe
  2⤵
  PID:11428
- C:\Windows\System\ByjuTZT.exe
  C:\Windows\System\ByjuTZT.exe
  2⤵
  PID:11636
- C:\Windows\System\GMMEKpS.exe
  C:\Windows\System\GMMEKpS.exe
  2⤵
  PID:11820
- C:\Windows\System\BFUYjBJ.exe
  C:\Windows\System\BFUYjBJ.exe
  2⤵
  PID:11968
- C:\Windows\System\wbskdoC.exe
  C:\Windows\System\wbskdoC.exe
  2⤵
  PID:12168
- C:\Windows\System\ixYwUUF.exe
  C:\Windows\System\ixYwUUF.exe
  2⤵
  PID:11492
- C:\Windows\System\QFIKVVz.exe
  C:\Windows\System\QFIKVVz.exe
  2⤵
  PID:12076
- C:\Windows\System\Pbcvruj.exe
  C:\Windows\System\Pbcvruj.exe
  2⤵
  PID:11960
- C:\Windows\System\woLIUCC.exe
  C:\Windows\System\woLIUCC.exe
  2⤵
  PID:9392
- C:\Windows\System\lpqCZpN.exe
  C:\Windows\System\lpqCZpN.exe
  2⤵
  PID:11356
- C:\Windows\System\qIdYDLG.exe
  C:\Windows\System\qIdYDLG.exe
  2⤵
  PID:9348
- C:\Windows\System\uUtsGXD.exe
  C:\Windows\System\uUtsGXD.exe
  2⤵
  PID:12304
- C:\Windows\System\YgeRtBZ.exe
  C:\Windows\System\YgeRtBZ.exe
  2⤵
  PID:12332
- C:\Windows\System\ELUCijI.exe
  C:\Windows\System\ELUCijI.exe
  2⤵
  PID:12360
- C:\Windows\System\nhekqfr.exe
  C:\Windows\System\nhekqfr.exe
  2⤵
  PID:12388
- C:\Windows\System\dYSjssf.exe
  C:\Windows\System\dYSjssf.exe
  2⤵
  PID:12416
- C:\Windows\System\NuXgbyb.exe
  C:\Windows\System\NuXgbyb.exe
  2⤵
  PID:12444
- C:\Windows\System\RaDocQb.exe
  C:\Windows\System\RaDocQb.exe
  2⤵
  PID:12472
- C:\Windows\System\nhhlLHA.exe
  C:\Windows\System\nhhlLHA.exe
  2⤵
  PID:12500
- C:\Windows\System\lubtYki.exe
  C:\Windows\System\lubtYki.exe
  2⤵
  PID:12528
- C:\Windows\System\aXjbmAk.exe
  C:\Windows\System\aXjbmAk.exe
  2⤵
  PID:12556
- C:\Windows\System\VjVspvx.exe
  C:\Windows\System\VjVspvx.exe
  2⤵
  PID:12596
- C:\Windows\System\UWuKcKS.exe
  C:\Windows\System\UWuKcKS.exe
  2⤵
  PID:12612
- C:\Windows\System\dJAdlWI.exe
  C:\Windows\System\dJAdlWI.exe
  2⤵
  PID:12640
- C:\Windows\System\nirOqOR.exe
  C:\Windows\System\nirOqOR.exe
  2⤵
  PID:12668
- C:\Windows\System\EMyetdm.exe
  C:\Windows\System\EMyetdm.exe
  2⤵
  PID:12696
- C:\Windows\System\XdcfDhU.exe
  C:\Windows\System\XdcfDhU.exe
  2⤵
  PID:12724
- C:\Windows\System\RYBVixe.exe
  C:\Windows\System\RYBVixe.exe
  2⤵
  PID:12756
- C:\Windows\System\qvJiQSO.exe
  C:\Windows\System\qvJiQSO.exe
  2⤵
  PID:12784
- C:\Windows\System\vGdsgcr.exe
  C:\Windows\System\vGdsgcr.exe
  2⤵
  PID:12812
- C:\Windows\System\OeHzPlL.exe
  C:\Windows\System\OeHzPlL.exe
  2⤵
  PID:12840
- C:\Windows\System\qDOAzca.exe
  C:\Windows\System\qDOAzca.exe
  2⤵
  PID:12868
- C:\Windows\System\FENUJEu.exe
  C:\Windows\System\FENUJEu.exe
  2⤵
  PID:12896
- C:\Windows\System\OVYMPtK.exe
  C:\Windows\System\OVYMPtK.exe
  2⤵
  PID:12924
- C:\Windows\System\UYefxsg.exe
  C:\Windows\System\UYefxsg.exe
  2⤵
  PID:12952
- C:\Windows\System\LmXpqgy.exe
  C:\Windows\System\LmXpqgy.exe
  2⤵
  PID:12980
- C:\Windows\System\cWCfvkW.exe
  C:\Windows\System\cWCfvkW.exe
  2⤵
  PID:13008
- C:\Windows\System\xSBfogp.exe
  C:\Windows\System\xSBfogp.exe
  2⤵
  PID:13036
- C:\Windows\System\DfSZmrj.exe
  C:\Windows\System\DfSZmrj.exe
  2⤵
  PID:13064
- C:\Windows\System\ENBdEwo.exe
  C:\Windows\System\ENBdEwo.exe
  2⤵
  PID:13092
- C:\Windows\System\HTFoRpF.exe
  C:\Windows\System\HTFoRpF.exe
  2⤵
  PID:13120
- C:\Windows\System\mAGitDk.exe
  C:\Windows\System\mAGitDk.exe
  2⤵
  PID:13148
- C:\Windows\System\nVnwWvk.exe
  C:\Windows\System\nVnwWvk.exe
  2⤵
  PID:13176
- C:\Windows\System\SOurPMv.exe
  C:\Windows\System\SOurPMv.exe
  2⤵
  PID:13204
- C:\Windows\System\RUiPGdl.exe
  C:\Windows\System\RUiPGdl.exe
  2⤵
  PID:13232
- C:\Windows\System\OJCUzXD.exe
  C:\Windows\System\OJCUzXD.exe
  2⤵
  PID:13260
- C:\Windows\System\PQFmcPD.exe
  C:\Windows\System\PQFmcPD.exe
  2⤵
  PID:13288
- C:\Windows\System\wIjswPb.exe
  C:\Windows\System\wIjswPb.exe
  2⤵
  PID:12296
- C:\Windows\System\nyJfjwG.exe
  C:\Windows\System\nyJfjwG.exe
  2⤵
  PID:12356
- C:\Windows\System\amQAnHc.exe
  C:\Windows\System\amQAnHc.exe
  2⤵
  PID:12428
- C:\Windows\System\KsSuyjI.exe
  C:\Windows\System\KsSuyjI.exe
  2⤵
  PID:12492
- C:\Windows\System\xVFwVCU.exe
  C:\Windows\System\xVFwVCU.exe
  2⤵
  PID:12552
- C:\Windows\System\VBfOXYL.exe
  C:\Windows\System\VBfOXYL.exe
  2⤵
  PID:12608
- C:\Windows\System\Iwqixlu.exe
  C:\Windows\System\Iwqixlu.exe
  2⤵
  PID:12680
- C:\Windows\System\qwAjGza.exe
  C:\Windows\System\qwAjGza.exe
  2⤵
  PID:12748
- C:\Windows\System\AxiRPEv.exe
  C:\Windows\System\AxiRPEv.exe
  2⤵
  PID:12824
- C:\Windows\System\nuYITMk.exe
  C:\Windows\System\nuYITMk.exe
  2⤵
  PID:12888
- C:\Windows\System\mQYzpRV.exe
  C:\Windows\System\mQYzpRV.exe
  2⤵
  PID:12948
- C:\Windows\System\KpvUzal.exe
  C:\Windows\System\KpvUzal.exe
  2⤵
  PID:13020
- C:\Windows\System\oOZpZwP.exe
  C:\Windows\System\oOZpZwP.exe
  2⤵
  PID:13084
- C:\Windows\System\XzYOowy.exe
  C:\Windows\System\XzYOowy.exe
  2⤵
  PID:13144
- C:\Windows\System\NiNzFgy.exe
  C:\Windows\System\NiNzFgy.exe
  2⤵
  PID:13224
- C:\Windows\System\cjpbuJM.exe
  C:\Windows\System\cjpbuJM.exe
  2⤵
  PID:13308
- C:\Windows\System\AGTGzZi.exe
  C:\Windows\System\AGTGzZi.exe
  2⤵
  PID:12384
- C:\Windows\System\LioZZBX.exe
  C:\Windows\System\LioZZBX.exe
  2⤵
  PID:12540
- C:\Windows\System\tFcAIDQ.exe
  C:\Windows\System\tFcAIDQ.exe
  2⤵
  PID:12664
- C:\Windows\System\LdVYONP.exe
  C:\Windows\System\LdVYONP.exe
  2⤵
  PID:12864
- C:\Windows\System\mfRrIIR.exe
  C:\Windows\System\mfRrIIR.exe
  2⤵
  PID:13048
- C:\Windows\System\YeqLEda.exe
  C:\Windows\System\YeqLEda.exe
  2⤵
  PID:13200
- C:\Windows\System\yWQfOHy.exe
  C:\Windows\System\yWQfOHy.exe
  2⤵
  PID:12344
- C:\Windows\System\nprtqlP.exe
  C:\Windows\System\nprtqlP.exe
  2⤵
  PID:12736
- C:\Windows\System\BZtTUwn.exe
  C:\Windows\System\BZtTUwn.exe
  2⤵
  PID:4780
- C:\Windows\System\lsGkYid.exe
  C:\Windows\System\lsGkYid.exe
  2⤵
  PID:4508
- C:\Windows\System\cGyaBlR.exe
  C:\Windows\System\cGyaBlR.exe
  2⤵
  PID:13132
- C:\Windows\System\PeLJqbR.exe
  C:\Windows\System\PeLJqbR.exe
  2⤵
  PID:1608
- C:\Windows\System\FZwYEKS.exe
  C:\Windows\System\FZwYEKS.exe
  2⤵
  PID:13320
- C:\Windows\System\LyFcHvv.exe
  C:\Windows\System\LyFcHvv.exe
  2⤵
  PID:13344
- C:\Windows\System\LyHjBiV.exe
  C:\Windows\System\LyHjBiV.exe
  2⤵
  PID:13416
- C:\Windows\System\LadobWw.exe
  C:\Windows\System\LadobWw.exe
  2⤵
  PID:13472
- C:\Windows\System\oDVNASt.exe
  C:\Windows\System\oDVNASt.exe
  2⤵
  PID:13492
- C:\Windows\System\pKSCyRG.exe
  C:\Windows\System\pKSCyRG.exe
  2⤵
  PID:13512
- C:\Windows\System\jQUUFXe.exe
  C:\Windows\System\jQUUFXe.exe
  2⤵
  PID:13572
- C:\Windows\System\LGqaJUd.exe
  C:\Windows\System\LGqaJUd.exe
  2⤵
  PID:13596
- C:\Windows\System\AmBeKgV.exe
  C:\Windows\System\AmBeKgV.exe
  2⤵
  PID:13624
- C:\Windows\System\WEMJkDZ.exe
  C:\Windows\System\WEMJkDZ.exe
  2⤵
  PID:13664
- C:\Windows\System\XfNHUOl.exe
  C:\Windows\System\XfNHUOl.exe
  2⤵
  PID:13680
- C:\Windows\System\qwKBuRq.exe
  C:\Windows\System\qwKBuRq.exe
  2⤵
  PID:13708
- C:\Windows\System\dNNtynC.exe
  C:\Windows\System\dNNtynC.exe
  2⤵
  PID:13744
- C:\Windows\System\YZAzxeh.exe
  C:\Windows\System\YZAzxeh.exe
  2⤵
  PID:13764
- C:\Windows\System\cxYvjQw.exe
  C:\Windows\System\cxYvjQw.exe
  2⤵
  PID:13792
- C:\Windows\System\WiNceka.exe
  C:\Windows\System\WiNceka.exe
  2⤵
  PID:13820
- C:\Windows\System\rvgITnx.exe
  C:\Windows\System\rvgITnx.exe
  2⤵
  PID:13848
- C:\Windows\System\HLMwtna.exe
  C:\Windows\System\HLMwtna.exe
  2⤵
  PID:13876
- C:\Windows\System\iiDcHFa.exe
  C:\Windows\System\iiDcHFa.exe
  2⤵
  PID:13904
- C:\Windows\System\EAzttKj.exe
  C:\Windows\System\EAzttKj.exe
  2⤵
  PID:13932
- C:\Windows\System\vKmfNGM.exe
  C:\Windows\System\vKmfNGM.exe
  2⤵
  PID:13960
- C:\Windows\System\PpfZBXn.exe
  C:\Windows\System\PpfZBXn.exe
  2⤵
  PID:13988
- C:\Windows\System\jueXirG.exe
  C:\Windows\System\jueXirG.exe
  2⤵
  PID:14016
- C:\Windows\System\xnmyejS.exe
  C:\Windows\System\xnmyejS.exe
  2⤵
  PID:14056
- C:\Windows\System\PZjyuQi.exe
  C:\Windows\System\PZjyuQi.exe
  2⤵
  PID:14072
- C:\Windows\System\njktvHz.exe
  C:\Windows\System\njktvHz.exe
  2⤵
  PID:14100
- C:\Windows\System\XfHAFwu.exe
  C:\Windows\System\XfHAFwu.exe
  2⤵
  PID:14128
- C:\Windows\System\DZbuoqE.exe
  C:\Windows\System\DZbuoqE.exe
  2⤵
  PID:14160
- C:\Windows\System\bykzXOy.exe
  C:\Windows\System\bykzXOy.exe
  2⤵
  PID:14188
- C:\Windows\System\argbhGY.exe
  C:\Windows\System\argbhGY.exe
  2⤵
  PID:14216
- C:\Windows\System\IaVtEwY.exe
  C:\Windows\System\IaVtEwY.exe
  2⤵
  PID:14244
- C:\Windows\System\uzPfzzC.exe
  C:\Windows\System\uzPfzzC.exe
  2⤵
  PID:14272
- C:\Windows\System\yJaLLSf.exe
  C:\Windows\System\yJaLLSf.exe
  2⤵
  PID:14300
- C:\Windows\System\NRjzegm.exe
  C:\Windows\System\NRjzegm.exe
  2⤵
  PID:14328
- C:\Windows\System\siJGIJO.exe
  C:\Windows\System\siJGIJO.exe
  2⤵
  PID:13316
- C:\Windows\System\yKHZoUk.exe
  C:\Windows\System\yKHZoUk.exe
  2⤵
  PID:13196
- C:\Windows\System\eZGrdwu.exe
  C:\Windows\System\eZGrdwu.exe
  2⤵
  PID:3536
- C:\Windows\System\QZhOUqr.exe
  C:\Windows\System\QZhOUqr.exe
  2⤵
  PID:13452
- C:\Windows\System\sCOYeyF.exe
  C:\Windows\System\sCOYeyF.exe
  2⤵
  PID:4884
- C:\Windows\System\SyfOwHx.exe
  C:\Windows\System\SyfOwHx.exe
  2⤵
  PID:13524
- C:\Windows\System\TBmfuEH.exe
  C:\Windows\System\TBmfuEH.exe
  2⤵
  PID:1160
- C:\Windows\System\lXZkaKe.exe
  C:\Windows\System\lXZkaKe.exe
  2⤵
  PID:4748
- C:\Windows\System\rMIPSgx.exe
  C:\Windows\System\rMIPSgx.exe
  2⤵
  PID:5088
- C:\Windows\System\hdWSmVg.exe
  C:\Windows\System\hdWSmVg.exe
  2⤵
  PID:1580
- C:\Windows\System\BRgTulY.exe
  C:\Windows\System\BRgTulY.exe
  2⤵
  PID:13000
- C:\Windows\System\GZFjyBc.exe
  C:\Windows\System\GZFjyBc.exe
  2⤵
  PID:13564
- C:\Windows\System\gRpiTar.exe
  C:\Windows\System\gRpiTar.exe
  2⤵
  PID:13608
- C:\Windows\System\ThzPJBh.exe
  C:\Windows\System\ThzPJBh.exe
  2⤵
  PID:13636
- C:\Windows\System\ffaYjlM.exe
  C:\Windows\System\ffaYjlM.exe
  2⤵
  PID:13676
- C:\Windows\System\hzkqkmt.exe
  C:\Windows\System\hzkqkmt.exe
  2⤵
  PID:13720
- C:\Windows\System\PUzbkci.exe
  C:\Windows\System\PUzbkci.exe
  2⤵
  PID:13752
- C:\Windows\System\BugIPDU.exe
  C:\Windows\System\BugIPDU.exe
  2⤵
  PID:13784
- C:\Windows\System\BqjqJNh.exe
  C:\Windows\System\BqjqJNh.exe
  2⤵
  PID:13816
- C:\Windows\System\ZNXepHW.exe
  C:\Windows\System\ZNXepHW.exe
  2⤵
  PID:13860
- C:\Windows\System\iIUswYe.exe
  C:\Windows\System\iIUswYe.exe
  2⤵
  PID:13368
- C:\Windows\System\MNirsTO.exe
  C:\Windows\System\MNirsTO.exe
  2⤵
  PID:13924
- C:\Windows\System\lilLQdK.exe
  C:\Windows\System\lilLQdK.exe
  2⤵
  PID:13980
- C:\Windows\System\ncgqgHA.exe
  C:\Windows\System\ncgqgHA.exe
  2⤵
  PID:14052
- C:\Windows\System\WnwqdQh.exe
  C:\Windows\System\WnwqdQh.exe
  2⤵
  PID:13428
- C:\Windows\System\vxVjlXD.exe
  C:\Windows\System\vxVjlXD.exe
  2⤵
  PID:14096
- C:\Windows\System\qYOrBGI.exe
  C:\Windows\System\qYOrBGI.exe
  2⤵
  PID:14140
- C:\Windows\System\WNHhUhM.exe
  C:\Windows\System\WNHhUhM.exe
  2⤵
  PID:14180
- C:\Windows\System\kFDsHoS.exe
  C:\Windows\System\kFDsHoS.exe
  2⤵
  PID:14228
- C:\Windows\System\nzseCAv.exe
  C:\Windows\System\nzseCAv.exe
  2⤵
  PID:13536
- C:\Windows\System\FWQVewk.exe
  C:\Windows\System\FWQVewk.exe
  2⤵
  PID:3788
- C:\Windows\System\oyLVFqS.exe
  C:\Windows\System\oyLVFqS.exe
  2⤵
  PID:3264
- C:\Windows\System\UIOcKXR.exe
  C:\Windows\System\UIOcKXR.exe
  2⤵
  PID:13340
- C:\Windows\System\ooiRHox.exe
  C:\Windows\System\ooiRHox.exe
  2⤵
  PID:13412
- C:\Windows\System\dljUmBS.exe
  C:\Windows\System\dljUmBS.exe
  2⤵
  PID:13464
- C:\Windows\System\HXujVul.exe
  C:\Windows\System\HXujVul.exe
  2⤵
  PID:2936
- C:\Windows\System\FEjtJwG.exe
  C:\Windows\System\FEjtJwG.exe
  2⤵
  PID:1132
- C:\Windows\System\yVAektI.exe
  C:\Windows\System\yVAektI.exe
  2⤵
  PID:3676
- C:\Windows\System\dOpUcft.exe
  C:\Windows\System\dOpUcft.exe
  2⤵
  PID:700
- C:\Windows\System\qQhDLrF.exe
  C:\Windows\System\qQhDLrF.exe
  2⤵
  PID:13560
- C:\Windows\System\IuRaoRb.exe
  C:\Windows\System\IuRaoRb.exe
  2⤵
  PID:1644
- C:\Windows\System\enRKjuB.exe
  C:\Windows\System\enRKjuB.exe
  2⤵
  PID:13592
- C:\Windows\System\UsVZwgm.exe
  C:\Windows\System\UsVZwgm.exe
  2⤵
  PID:1284
- C:\Windows\System\qNIYrJJ.exe
  C:\Windows\System\qNIYrJJ.exe
  2⤵
  PID:3584
- C:\Windows\System\gzsdpnR.exe
  C:\Windows\System\gzsdpnR.exe
  2⤵
  PID:2552
- C:\Windows\System\ENXdXAK.exe
  C:\Windows\System\ENXdXAK.exe
  2⤵
  PID:13812
- C:\Windows\System\vCiBCTg.exe
  C:\Windows\System\vCiBCTg.exe
  2⤵
  PID:380
- C:\Windows\System\eyehclI.exe
  C:\Windows\System\eyehclI.exe
  2⤵
  PID:2192
- C:\Windows\System\IehMLIT.exe
  C:\Windows\System\IehMLIT.exe
  2⤵
  PID:14008
- C:\Windows\System\kgUIhyL.exe
  C:\Windows\System\kgUIhyL.exe
  2⤵
  PID:14028
- C:\Windows\System\zUZvHhk.exe
  C:\Windows\System\zUZvHhk.exe
  2⤵
  PID:14092
- C:\Windows\System\OybSDtQ.exe
  C:\Windows\System\OybSDtQ.exe
  2⤵
  PID:3044
- C:\Windows\System\ErbUwXt.exe
  C:\Windows\System\ErbUwXt.exe
  2⤵
  PID:5368
- C:\Windows\System\igLiIjX.exe
  C:\Windows\System\igLiIjX.exe
  2⤵
  PID:14284
- C:\Windows\System\MQqBmrb.exe
  C:\Windows\System\MQqBmrb.exe
  2⤵
  PID:5416
- C:\Windows\System\ayCYvIK.exe
  C:\Windows\System\ayCYvIK.exe
  2⤵
  PID:5448
- C:\Windows\System\YOxdnkI.exe
  C:\Windows\System\YOxdnkI.exe
  2⤵
  PID:13508
- C:\Windows\System\bgBYVUO.exe
  C:\Windows\System\bgBYVUO.exe
  2⤵
  PID:13732
- C:\Windows\System\KNXprZD.exe
  C:\Windows\System\KNXprZD.exe
  2⤵
  PID:1000
- C:\Windows\System\KsgjUDr.exe
  C:\Windows\System\KsgjUDr.exe
  2⤵
  PID:3728
- C:\Windows\System\isBBSgh.exe
  C:\Windows\System\isBBSgh.exe
  2⤵
  PID:5656
- C:\Windows\System\cjmeOYz.exe
  C:\Windows\System\cjmeOYz.exe
  2⤵
  PID:2340
- C:\Windows\System\rYnpGjA.exe
  C:\Windows\System\rYnpGjA.exe
  2⤵
  PID:864
- C:\Windows\System\YFTDvLY.exe
  C:\Windows\System\YFTDvLY.exe
  2⤵
  PID:4428
- C:\Windows\System\WFsbRDf.exe
  C:\Windows\System\WFsbRDf.exe
  2⤵
  PID:4032
- C:\Windows\System\KAPBvnl.exe
  C:\Windows\System\KAPBvnl.exe
  2⤵
  PID:2244
- C:\Windows\System\DkxFnRM.exe
  C:\Windows\System\DkxFnRM.exe
  2⤵
  PID:5864
- C:\Windows\System\GIyjwPs.exe
  C:\Windows\System\GIyjwPs.exe
  2⤵
  PID:5360
- C:\Windows\System\joCXILb.exe
  C:\Windows\System\joCXILb.exe
  2⤵
  PID:436
- C:\Windows\System\JmFSHjR.exe
  C:\Windows\System\JmFSHjR.exe
  2⤵
  PID:5456
- C:\Windows\System\zxRdPQv.exe
  C:\Windows\System\zxRdPQv.exe
  2⤵
  PID:468
- C:\Windows\System\wHulRku.exe
  C:\Windows\System\wHulRku.exe
  2⤵
  PID:6064
- C:\Windows\System\aKlMwoi.exe
  C:\Windows\System\aKlMwoi.exe
  2⤵
  PID:13588
- C:\Windows\System\hmOgdle.exe
  C:\Windows\System\hmOgdle.exe
  2⤵
  PID:2516
- C:\Windows\System\BiEQmTb.exe
  C:\Windows\System\BiEQmTb.exe
  2⤵
  PID:5264
- C:\Windows\System\nVrfANn.exe
  C:\Windows\System\nVrfANn.exe
  2⤵
  PID:2096
- C:\Windows\System\rbsnYqE.exe
  C:\Windows\System\rbsnYqE.exe
  2⤵
  PID:5872
- C:\Windows\System\eoqOcJI.exe
  C:\Windows\System\eoqOcJI.exe
  2⤵
  PID:5940
- C:\Windows\System\bpFVQRI.exe
  C:\Windows\System\bpFVQRI.exe
  2⤵
  PID:5768
- C:\Windows\System\CxdFhEq.exe
  C:\Windows\System\CxdFhEq.exe
  2⤵
  PID:6008
- C:\Windows\System\lVxzZRJ.exe
  C:\Windows\System\lVxzZRJ.exe
  2⤵
  PID:5936
- C:\Windows\System\DddaXxw.exe
  C:\Windows\System\DddaXxw.exe
  2⤵
  PID:1584
- C:\Windows\System\VtmBMCS.exe
  C:\Windows\System\VtmBMCS.exe
  2⤵
  PID:13728
- C:\Windows\System\ZQgxJVp.exe
  C:\Windows\System\ZQgxJVp.exe
  2⤵
  PID:5320
- C:\Windows\System\lXiKckH.exe
  C:\Windows\System\lXiKckH.exe
  2⤵
  PID:14064
- C:\Windows\System\zXSyeFc.exe
  C:\Windows\System\zXSyeFc.exe
  2⤵
  PID:14324
- C:\Windows\System\QCeoIdu.exe
  C:\Windows\System\QCeoIdu.exe
  2⤵
  PID:5920
- C:\Windows\System\sEfkNho.exe
  C:\Windows\System\sEfkNho.exe
  2⤵
  PID:6052
- C:\Windows\System\kJsNOJn.exe
  C:\Windows\System\kJsNOJn.exe
  2⤵
  PID:6076
- C:\Windows\System\ozMiIJD.exe
  C:\Windows\System\ozMiIJD.exe
  2⤵
  PID:6020
- C:\Windows\System\KjbmURs.exe
  C:\Windows\System\KjbmURs.exe
  2⤵
  PID:4452
- C:\Windows\System\ZqLErTq.exe
  C:\Windows\System\ZqLErTq.exe
  2⤵
  PID:6180
- C:\Windows\System\WYjwBBC.exe
  C:\Windows\System\WYjwBBC.exe
  2⤵
  PID:5852
- C:\Windows\System\NISdofD.exe
  C:\Windows\System\NISdofD.exe
  2⤵
  PID:6016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AlDnZQy.exe

Filesize
6.0MB

MD5
12034d1b06884c134a6e3cd373d6031d

SHA1
2d5c7d25b2a6a4aecfead9a62bc3e035b41b04fd

SHA256
3075885157dcbe47fd265cbf867a817d80410eb8adadaae5ff5fcffe7a76201b

SHA512
3262b54af4a3ef814ecf29451ceacab305d26564f781250f7c6481a70c0191f88679ae54c80f0554a3bfb84da75a7532856eb8262462dc6535beb34152221807

Download Submit
C:\Windows\System\DButnik.exe

Filesize
6.0MB

MD5
7a12b30e2f48cc3f2907644e337bad7c

SHA1
b025772a4a0a66775753886d90968790c49abe4a

SHA256
daa9c0ae458b450683d6da4e947bfd4a25a7367dccc35b6185f819f9dec9d31b

SHA512
11a718fb83289eae4582f765378b99b46d620014b1ae7e480ce8f1a2f7e3cf1963c2a925c3d887916141b6d7bc0a12b25221bf90f5d2bed6e29b737cf2e9d5d2

Download Submit
C:\Windows\System\FGllJim.exe

Filesize
6.0MB

MD5
11c3770a7a1bdabbd9aa14c41b4f0c1b

SHA1
1d7e0303eafc700f952090a3373d4ba033cbd6be

SHA256
09cbc4437bfc9c1a684868848f2152742a977e54f2add751f69bd88ab06fbda4

SHA512
3cefb0ae76efacb41d572bccc819e968e0122c76d4a365daacaff6c63d373eea713a1f5f4f8afa3d8baca2f8eb937b147c63353c46e91c0f650f2013cedce56a

Download Submit
C:\Windows\System\HIIueNl.exe

Filesize
6.0MB

MD5
ee2c858c388633dddb0e1e0f68c6f577

SHA1
26beba619700272f3c7f5b12de51b4a5c4a468f6

SHA256
c339f4543e16fee09588cf2642e9e40996671c181a27dffe2f1bec6c8c93e829

SHA512
9359fe19afe8ca4c452b888a8daa8bf42b5058733a80ec0d9c221bbfb6bd66a2709d6a6337972edfb0ba6b93fafe6fce47b4a9f3a8706203371c13f3b86d157c

Download Submit
C:\Windows\System\JClSYki.exe

Filesize
6.0MB

MD5
64b29a337bad4ce4f074f5f0e139c7c0

SHA1
0c9fb44ba0b263f476c6119be4bb8461ab33ddd4

SHA256
40e6d383fd5d4903e065193bf0a6c1d592b1ca5f6f1b4078202ffc4973efc823

SHA512
0605a747a5fec6b0de9e238f178cdb56d4ca816adb751430b52cbea69e01af1b1a00d423e2b97916873f194ce8960fcf06cd130b965d1c92d15178517ace4596

Download Submit
C:\Windows\System\JYJPBce.exe

Filesize
6.0MB

MD5
6b7b49669ded4ae704aacd3b95c46b94

SHA1
ffccb5c49090161dda8cc97abeaffb4c101172f0

SHA256
5675b75229e8709b00ad5664f50661b5250582ffc774da52ffb198e29c810bcd

SHA512
3301e3312fdd31f98cb3f71ca893570d2821f628cf7e8f3c8d657c397da437eace0c9d7a8fa6bdf4b6d9a8788fdd175df1fa3088ed88b63eec638259244ce3c0

Download Submit
C:\Windows\System\KhNEuBR.exe

Filesize
6.0MB

MD5
fbf14707dcc9fb8f7ec82fcbf8b8b4fb

SHA1
767cf7c1a05b248a6aa41815dee7ab1253a2e8d0

SHA256
02e1054d1ec85940c7e17a13fa077e50ba68ced9e19e5eacbb7170d3c765c936

SHA512
708606e76ec78cda3d4aef3694daa4922ed2b8d7550167bceb8477725bd483f8592b8f146881312b00643e09102ae7e7bf4dbaa39dff2d5e6db1cc1f5337cf14

Download Submit
C:\Windows\System\LDSnuwP.exe

Filesize
6.0MB

MD5
519d7f664662326234a15600c2a475f0

SHA1
f9ed4ab70f1d6c9fe25d7b7945ded7b034a4f971

SHA256
58a2203e69e9aad2ef29d76eebcb8c7797993bec48acc22545559be2e509814f

SHA512
9a1461d666fea1d8b7c7d5a2b86ca50ee4d5e774e34b088225ec9751f6b1141ac15a345a8041c4a9a9784970a4a4e24798952bb5b245946ea8e462ba7555dc10

Download Submit
C:\Windows\System\MWNPoWi.exe

Filesize
6.0MB

MD5
ff2a68b3b4c500e0a1b9ec43a1197e08

SHA1
e1bbe127982015d215674114661fce7614ae6090

SHA256
19f3df331599eb6629080876a1d6188c4c023a3b9892eb2dfdecaebcda74a126

SHA512
e60fd1fd3fc8a3a9d9cf7b0384d5ff5e21a5e68dfeb33196728d0bdb60b4668e928cdd0dd7dcd8715282bdac79f05078173b2867477dd985025adcc615a8bf17

Download Submit
C:\Windows\System\OAqbFhD.exe

Filesize
6.0MB

MD5
65d1fa0523cac7e25e8555bfcac78220

SHA1
8f7a5805aba672aa9c354e72bc1861ef46f9d899

SHA256
37996408d08d5f7c32865fc25e36053fd8f7c8579ef826e047e1346b95b89e53

SHA512
79fc80043f340b40116bbbabbb4c9278cfe2715d2ada352d59511480fe8104728e12a806e751facd967f4db2d5a336fdc6e953e5b7327bc247de96e06e3359a3

Download Submit
C:\Windows\System\SIaFWjR.exe

Filesize
6.0MB

MD5
a6bd1d0836c20d286be0f64bf0100cfc

SHA1
bbf50279be27d611a0d9d5a1c823c4c83c65af19

SHA256
426ca7b8b4b5e6da40a7af711cac10029dc88725a40811936a69d91278dba2a3

SHA512
6e79e4b8bd945a49126733f1d5693c7b0a6c4fa2312cc4cebb771117667173f81467af181fec7741fe43ff1a4a53b9c855ed8110b9d4924488b3bf51b2b7aee6

Download Submit
C:\Windows\System\TMsortd.exe

Filesize
6.0MB

MD5
cb4a3b285b1fef7414b0aa25708d9858

SHA1
5bf7544942b449f28792b840691d306f882d65e2

SHA256
b0e03a14b01fb088dc0e6fe2827a5f1b777f98f720c68730c1ee66b41411c445

SHA512
bab49cd7c7919461de7710e8838f19258838365097686831b1fc3203897d8480ffb4a374df7773b22d145aacfdb96b70d6893819078c0ee4a3fb789f947644b8

Download Submit
C:\Windows\System\VAdLuQc.exe

Filesize
6.0MB

MD5
f5dc95f1a80e9b471aba1fac59b4d59c

SHA1
7e111fce85b0ff985ca3932036f058b8465a94b0

SHA256
4c951f938ac0194ed9e30f47cdbc609cf0338a9520fe0f74fb688e34889b9aac

SHA512
9159051bffa317729db7f07a1a76279d7b8ed3ca4221888b0e1050d44644f56ce87dcdbcea13f1ec7aec19e13b3562ab1eac9a4e8a543d8e3390e56e4a23e632

Download Submit
C:\Windows\System\VnWaNvG.exe

Filesize
6.0MB

MD5
4413e41e74caa36d4f43bcfee271ac33

SHA1
72a77da179a9fd0c1805a8a4473a5a951bd730e7

SHA256
83ff1d44b78a9cc3c4a7e868c103710b8e4beb445888849e87e23ff3f6185501

SHA512
268fd53e18dabf068293ce74f8e912983423aa4842092963888cb3a78013efc8f286af6235820caf8d5553c61c964cbda730b120b5562eaed4a96dd429689ad6

Download Submit
C:\Windows\System\WgmfRxi.exe

Filesize
6.0MB

MD5
e967e016ba1eb2384f336e1899f53df0

SHA1
7f86b32f74489016369f71436070d6435558f42b

SHA256
738f36129c937208e8b9aa5d6c1510a66a1dfad7eb0a93d05c7fdde1eb5053e7

SHA512
1b275b5d13958f131dc05a530ccf0e5aa46962f5512338a5f6e46d8391d627218153b14942e336b18819e4f515fea63995623b3f9a66058f05e31abde5549846

Download Submit
C:\Windows\System\WrZwVhQ.exe

Filesize
6.0MB

MD5
9a9e40653cda42a3e5bc5d70031dc94a

SHA1
f80b29779d4421c537639a732c40d4c46a3dcd0a

SHA256
686de152d52b773273dfaca7e34e130eecc37fd22d1c1754bad0951b53618728

SHA512
3f8a5096238e72fa292b912e1c3ac2da4fab3656f710df58ecfa23abde4a77376489ac6b3d674f70668a0dde3a61a358e1ce484299e73de2a768819b5b303f2f

Download Submit
C:\Windows\System\ccRxdHU.exe

Filesize
6.0MB

MD5
c004e76cbcb9087e0b014aedf77ecd90

SHA1
119ae687e877cc31df81bf416bed1c2b9c6cccca

SHA256
dfa64d337997095089191528ea75eecbfe4a5a50b0d8f0d63cf138303e8e06d0

SHA512
2a8929bf42e81fe227cce6c4d2b072cd97ba8abdd54af7b8af7bc4baf9416e0b4f57d8571db722f34a193d788acd45a45ef6ace09b083e3aadb611922e380eb4

Download Submit
C:\Windows\System\eBxSVQF.exe

Filesize
6.0MB

MD5
39bec3a842efeb229695b6f6485bed96

SHA1
899394fc36fa283812cdb4b7c78addbf7cca93e0

SHA256
d4daf87cd10fc7ea49017ac27d56c43108bbcf90d867d54c880510cffe96c465

SHA512
f7683b85fbc362ec12616c590426faaf778fc80a80d1aa74a317f48482e8b6ac43c05ece93ea66ee7ca2c641d2daf328faa524df3d4989fcdc31eca3a14a14fe

Download Submit
C:\Windows\System\fAXWDmO.exe

Filesize
6.0MB

MD5
12c954c881adb32db2964173c7bc8243

SHA1
0745c54bf8d1f75ad187c12442a4d0ffbec5c574

SHA256
932b1d31adeffef69038f883b63a18ac845d48ce5830ba018e2256feab31c597

SHA512
7c4558fcabc4764df2f57efb26ff1d3f36b0cbf0a62342fb06e3d9632957488a3fe1541ff5126ef8fc1ce87709f9688a43cdb734af1d08a3c3ab6821c17ee294

Download Submit
C:\Windows\System\kNLoznj.exe

Filesize
6.0MB

MD5
bb8e35c75cda9b652e6c999241a20b7b

SHA1
c09b185bd4934ec221a474a75e515a0ce59ab0bb

SHA256
10a1db16efa65258e411cdd2d7b2cb89702cb8b67b968511a30632358e5a309d

SHA512
e4076cd1ef04d288077946101eb907e40342cdbe637b1929f40f991b4ab655cb44f15fe355a270147d682c9934261ed5376fd26429d7a1e5df6ba614079088b5

Download Submit
C:\Windows\System\kUplkyF.exe

Filesize
6.0MB

MD5
beaca93a197262e5da5a14b3ecdb1a0b

SHA1
9b8925ff8efa6f07b30ac92d270bab5eb33015e6

SHA256
7710dddc7f84acfb9d0ef97fe90af62c9107d2e960a6880ed6ef6dd3b7fdfda4

SHA512
aa7615352b0ff4581d6fb021fcaa2682e61ae02d94645734088af05c64d2e21338bc648de548d73fd0f1bf7504e9440154e9e7f3f43b6df288c23c001c51dc69

Download Submit
C:\Windows\System\kjmMNfi.exe

Filesize
6.0MB

MD5
40dcbc282e5786dc07cf1a0b6ee6b83b

SHA1
7b456533b4185e5e123e3b31b0e3851155fb475e

SHA256
d7527b8f405228ffac9382a1f853709b003fe6c5d8295d1eeb4926aa65bba035

SHA512
bc00d818c0e05bf0176e5db7394bfc2db5f3d1817409c4cd6576d83ba840dbb31836d6f3a92707fd3cc298421af91d41c22c9c0ce0a57e938aa1e77e2fd06dda

Download Submit
C:\Windows\System\lJzvfJD.exe

Filesize
6.0MB

MD5
082099fb4a347a83471a1d6539bbc6ce

SHA1
9bee45723d5b84969139d50119955f34fa1a8fdb

SHA256
c1a04c8a6714b87c7ebde2efdd17c85f61a58074730a6270c148cad19c86f2a7

SHA512
c78dbeb65db7f4a3227f4e416204d6f0b7b3659e34688cb22bdeffe8d6b6fd782ad13213a7496bbc6ce4713e3d9676780837179639243f2ba238dd069110a195

Download Submit
C:\Windows\System\mKweLMr.exe

Filesize
6.0MB

MD5
acfa14ec8cc4cef77585fb910a9c1071

SHA1
8abd549d2187cb744d26031bbb5b2113cdd6e609

SHA256
9d3646ac97feb4b2c6f63d52ea7c84592f2a8fb0dea065704ee4cb54ca5725b3

SHA512
3ce520d38ceb4ba7e505c8c67ee980433cc767332bb4aa6b8e6ad5a365e8866e0b8235c95b3d719db8ac086f2f3c69750244734bac991581c910baba23387a8e

Download Submit
C:\Windows\System\nEyfjyE.exe

Filesize
6.0MB

MD5
07793fb01c4f071f463555465dc7b794

SHA1
04846c7a70d9b9fe83aad64fbb7b4e1fbfb5292e

SHA256
ebbb55730df75630b00476fc5a5090b51628b759313c875ec90b06d73a667478

SHA512
57738189974f6301aa43c8c7e98680e3620493d607ce7c1a989425e291fcacd1901c79c0623332a8bc8cff597e995f3a3989bea1a03c4b80eaaa6e70be9f945e

Download Submit
C:\Windows\System\pOEDAWz.exe

Filesize
6.0MB

MD5
377737d1392004edb6cf7f7c2e59ee65

SHA1
3140495b346ca0556619aa9baa171e2c20d99f00

SHA256
defa1a93be0ad653d6abde5e4d459f1d1015858ed6446888450138dd2762fb54

SHA512
fd86ce8dc37802728c8cf9fac0f6de0500c6df5a01aacdc1060ef103e45aa69174f80fa8331b1611f25d1ece088b10387d7a29412fff4471b911d27dbecf0c5f

Download Submit
C:\Windows\System\pWYkOwO.exe

Filesize
6.0MB

MD5
850defd72745efea6d736d79f62071e3

SHA1
37f8876167db3b38084beb19c17adc9e503b4982

SHA256
8a038e351e16075864980b88a71e9f5904d0468b3be576a7df16d8954b5409f0

SHA512
2743df7a850b8d31324e3ae57307d037fed0c6b36e78fb31d17fcb4c2372beb2e22e3390e92a0d4a20322bdbd82063362cc297c020dda3f0f5fca7cc3138fa6f

Download Submit
C:\Windows\System\pjoreyU.exe

Filesize
6.0MB

MD5
8e2cf8ad639af0e9b5c1e1e91c93a822

SHA1
f348c7283ae7746cd36a0e92f2b82a6ed73f96ff

SHA256
a2d7c625d9666165a04294c0bbdab26c364eb783f747bef22d2e27718a273ba1

SHA512
48d6fee09d24d6686d06298fb872cf4a723958dfb4445da84487b1b2e5cd7b79b301b3102997504d48576facf54f906d8dcca783b26b0f1c513e222078238b25

Download Submit
C:\Windows\System\qqUyqIB.exe

Filesize
6.0MB

MD5
fbf4a3a880a9ff0b8153a204450bf6f6

SHA1
a728dfd37633293eb97b0850203b20e5ae7fdd09

SHA256
6a3d12fdb792871e4775331730457978114169aba4ccdebb14e403179f04b602

SHA512
682cb619be412cdd2da376079f60ef7823579b8176e9dfd672c56ed21ede8705e091fb30693084ea43a17c1f702d4cb535ba253f5f1799eaf6590b4750cf00f5

Download Submit
C:\Windows\System\sqPXesz.exe

Filesize
6.0MB

MD5
b1bbe7229a29783c4c2f299d904395dd

SHA1
74f43bd5160cfafe70274c873596aaf96246e48e

SHA256
d577b6a44be78d4c3b25efd74e5224f4b7da296eb5e298eb9721c1e77c9b37a4

SHA512
70695a3192bd3f65289ef94c64669efe65dbc9fc3e6e5b13cb37cd70f54205eb996429a48e2f836087ba62a68e42f50e3361eff718c2074b5be7d6f3531a2c63

Download Submit
C:\Windows\System\ujoYQdw.exe

Filesize
6.0MB

MD5
30bc8d78aff1cf18e24474ee03daa40d

SHA1
b9c4ab585238ec1d273d6ea44186995ea857c642

SHA256
1a82a98f196db8b2581dd4ea29aab0a44b7a6218fa80f1fb1014bf0b3a4198fc

SHA512
7c3833bb82caa33f57bb909306325d5a69454598a76494dbbd09c314084df65304994b8cb1e121bece1f991b1ab94aa4511f8a4f766631e4c3fd2cbca8adaa6a

Download Submit
C:\Windows\System\xOXXelE.exe

Filesize
6.0MB

MD5
b3e37d4b3eeb49747a6381affae4c4fc

SHA1
c93f484e63ae081d49e401ca139c2b8fd45bf7e1

SHA256
6c200078834ad44b53f281cbb373b795aa6728febdc4517e926b8a1620741422

SHA512
79f9ddd7ffda7aa30f20388232af90f5f6e933bd918a322725b44aeff8a1dd83c88f0c345c5395663ac3eff2f97c30195a51db5e7997931ae5f2a1ec9421cc1d

Download Submit
memory/452-164-0x00007FF692990000-0x00007FF692CE4000-memory.dmp

Filesize
3.3MB

Download
memory/452-628-0x00007FF692990000-0x00007FF692CE4000-memory.dmp

Filesize
3.3MB

Download
memory/1052-14-0x00007FF7C32D0000-0x00007FF7C3624000-memory.dmp

Filesize
3.3MB

Download
memory/1052-1826-0x00007FF7C32D0000-0x00007FF7C3624000-memory.dmp

Filesize
3.3MB

Download
memory/1052-317-0x00007FF7C32D0000-0x00007FF7C3624000-memory.dmp

Filesize
3.3MB

Download
memory/1072-1851-0x00007FF6E2C30000-0x00007FF6E2F84000-memory.dmp

Filesize
3.3MB

Download
memory/1072-151-0x00007FF6E2C30000-0x00007FF6E2F84000-memory.dmp

Filesize
3.3MB

Download
memory/1368-147-0x00007FF76A260000-0x00007FF76A5B4000-memory.dmp

Filesize
3.3MB

Download
memory/1368-1889-0x00007FF76A260000-0x00007FF76A5B4000-memory.dmp

Filesize
3.3MB

Download
memory/1384-740-0x00007FF750DF0000-0x00007FF751144000-memory.dmp

Filesize
3.3MB

Download
memory/1384-180-0x00007FF750DF0000-0x00007FF751144000-memory.dmp

Filesize
3.3MB

Download
memory/1384-2339-0x00007FF750DF0000-0x00007FF751144000-memory.dmp

Filesize
3.3MB

Download
memory/1740-175-0x00007FF738D50000-0x00007FF7390A4000-memory.dmp

Filesize
3.3MB

Download
memory/1912-139-0x00007FF67A200000-0x00007FF67A554000-memory.dmp

Filesize
3.3MB

Download
memory/1912-1875-0x00007FF67A200000-0x00007FF67A554000-memory.dmp

Filesize
3.3MB

Download
memory/1916-149-0x00007FF7C49A0000-0x00007FF7C4CF4000-memory.dmp

Filesize
3.3MB

Download
memory/1916-1906-0x00007FF7C49A0000-0x00007FF7C4CF4000-memory.dmp

Filesize
3.3MB

Download
memory/2084-160-0x00007FF6AF920000-0x00007FF6AFC74000-memory.dmp

Filesize
3.3MB

Download
memory/2084-569-0x00007FF6AF920000-0x00007FF6AFC74000-memory.dmp

Filesize
3.3MB

Download
memory/2136-1823-0x00007FF63FAC0000-0x00007FF63FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2136-9-0x00007FF63FAC0000-0x00007FF63FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2136-265-0x00007FF63FAC0000-0x00007FF63FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2224-1892-0x00007FF60A670000-0x00007FF60A9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2224-145-0x00007FF60A670000-0x00007FF60A9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-138-0x00007FF765C50000-0x00007FF765FA4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-1869-0x00007FF765C50000-0x00007FF765FA4000-memory.dmp

Filesize
3.3MB

Download
memory/2300-0-0x00007FF743E60000-0x00007FF7441B4000-memory.dmp

Filesize
3.3MB

Download
memory/2300-1-0x00000154D1970000-0x00000154D1980000-memory.dmp

Filesize
64KB

Download
memory/2300-219-0x00007FF743E60000-0x00007FF7441B4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-1890-0x00007FF6A4C40000-0x00007FF6A4F94000-memory.dmp

Filesize
3.3MB

Download
memory/2596-143-0x00007FF6A4C40000-0x00007FF6A4F94000-memory.dmp

Filesize
3.3MB

Download
memory/2816-20-0x00007FF626140000-0x00007FF626494000-memory.dmp

Filesize
3.3MB

Download
memory/2816-320-0x00007FF626140000-0x00007FF626494000-memory.dmp

Filesize
3.3MB

Download
memory/2816-1845-0x00007FF626140000-0x00007FF626494000-memory.dmp

Filesize
3.3MB

Download
memory/3064-1898-0x00007FF6579E0000-0x00007FF657D34000-memory.dmp

Filesize
3.3MB

Download
memory/3064-152-0x00007FF6579E0000-0x00007FF657D34000-memory.dmp

Filesize
3.3MB

Download
memory/3444-1843-0x00007FF67CD70000-0x00007FF67D0C4000-memory.dmp

Filesize
3.3MB

Download
memory/3444-372-0x00007FF67CD70000-0x00007FF67D0C4000-memory.dmp

Filesize
3.3MB

Download
memory/3444-118-0x00007FF67CD70000-0x00007FF67D0C4000-memory.dmp

Filesize
3.3MB

Download
memory/3508-150-0x00007FF775CC0000-0x00007FF776014000-memory.dmp

Filesize
3.3MB

Download
memory/3508-1905-0x00007FF775CC0000-0x00007FF776014000-memory.dmp

Filesize
3.3MB

Download
memory/3624-1850-0x00007FF74B2D0000-0x00007FF74B624000-memory.dmp

Filesize
3.3MB

Download
memory/3624-124-0x00007FF74B2D0000-0x00007FF74B624000-memory.dmp

Filesize
3.3MB

Download
memory/3900-1868-0x00007FF65F2A0000-0x00007FF65F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/3900-137-0x00007FF65F2A0000-0x00007FF65F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/3980-1882-0x00007FF766590000-0x00007FF7668E4000-memory.dmp

Filesize
3.3MB

Download
memory/3980-140-0x00007FF766590000-0x00007FF7668E4000-memory.dmp

Filesize
3.3MB

Download
memory/4408-148-0x00007FF633950000-0x00007FF633CA4000-memory.dmp

Filesize
3.3MB

Download
memory/4408-1900-0x00007FF633950000-0x00007FF633CA4000-memory.dmp

Filesize
3.3MB

Download
memory/4416-1858-0x00007FF762DF0000-0x00007FF763144000-memory.dmp

Filesize
3.3MB

Download
memory/4416-126-0x00007FF762DF0000-0x00007FF763144000-memory.dmp

Filesize
3.3MB

Download
memory/4468-141-0x00007FF7077A0000-0x00007FF707AF4000-memory.dmp

Filesize
3.3MB

Download
memory/4468-1884-0x00007FF7077A0000-0x00007FF707AF4000-memory.dmp

Filesize
3.3MB

Download
memory/4560-125-0x00007FF6C7DE0000-0x00007FF6C8134000-memory.dmp

Filesize
3.3MB

Download
memory/4560-1854-0x00007FF6C7DE0000-0x00007FF6C8134000-memory.dmp

Filesize
3.3MB

Download
memory/4576-146-0x00007FF705CA0000-0x00007FF705FF4000-memory.dmp

Filesize
3.3MB

Download
memory/4576-1894-0x00007FF705CA0000-0x00007FF705FF4000-memory.dmp

Filesize
3.3MB

Download
memory/4812-136-0x00007FF685DC0000-0x00007FF686114000-memory.dmp

Filesize
3.3MB

Download
memory/4812-1860-0x00007FF685DC0000-0x00007FF686114000-memory.dmp

Filesize
3.3MB

Download
memory/4960-144-0x00007FF7989D0000-0x00007FF798D24000-memory.dmp

Filesize
3.3MB

Download
memory/4960-1891-0x00007FF7989D0000-0x00007FF798D24000-memory.dmp

Filesize
3.3MB

Download
memory/5052-1886-0x00007FF6F27F0000-0x00007FF6F2B44000-memory.dmp

Filesize
3.3MB

Download
memory/5052-142-0x00007FF6F27F0000-0x00007FF6F2B44000-memory.dmp

Filesize
3.3MB

Download
memory/5056-131-0x00007FF79D5A0000-0x00007FF79D8F4000-memory.dmp

Filesize
3.3MB

Download
memory/5056-1863-0x00007FF79D5A0000-0x00007FF79D8F4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads