cobaltstrike | b44d2af6ba11b908a47aecf3c7512e59068400bd3d509f4fb4e836157f32351e

Analysis

max time kernel
98s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
Size

6.0MB
MD5

2488845be835c77298dafb1f3157dc96
SHA1

8dfc169183b231a7b069fc48cd821d4197565b33
SHA256

b44d2af6ba11b908a47aecf3c7512e59068400bd3d509f4fb4e836157f32351e
SHA512

c84400aadab73ad524c3e4b38c375cc343714f94277afcd487b939bee0eddbf350e2f767ac06b468c1f25559704f4fdf1736d7d94092687112e2374318ceebe1
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUs:T+q56utgpPF8u/7s

Score

10^/10

cobaltstrike xmrig 0 backdoor miner persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 32 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023cc6-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cca-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccd-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cce-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccf-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd0-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd3-59.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cc7-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd7-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd6-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd9-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd8-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd5-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd4-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd2-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd1-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccc-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccb-19.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cda-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdc-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdd-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cde-128.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce0-140.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce1-148.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce2-157.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdf-155.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce5-171.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce6-185.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce3-174.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce7-189.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce8-192.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce9-202.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/548-0-0x00007FF7C9CA0000-0x00007FF7C9FF4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023cc6-4.dat	xmrig
behavioral2/memory/1224-8-0x00007FF6A4C90000-0x00007FF6A4FE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cca-12.dat	xmrig
behavioral2/memory/4356-16-0x00007FF6ACF90000-0x00007FF6AD2E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ccd-25.dat	xmrig
behavioral2/files/0x0007000000023cce-29.dat	xmrig
behavioral2/files/0x0007000000023ccf-39.dat	xmrig
behavioral2/files/0x0007000000023cd0-43.dat	xmrig
behavioral2/files/0x0007000000023cd3-59.dat	xmrig
behavioral2/memory/3100-63-0x00007FF755FB0000-0x00007FF756304000-memory.dmp	xmrig
behavioral2/memory/540-74-0x00007FF674D50000-0x00007FF6750A4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023cc7-82.dat	xmrig
behavioral2/files/0x0007000000023cd7-87.dat	xmrig
behavioral2/files/0x0007000000023cd6-99.dat	xmrig
behavioral2/memory/5036-104-0x00007FF788C70000-0x00007FF788FC4000-memory.dmp	xmrig
behavioral2/memory/3272-106-0x00007FF7E8DC0000-0x00007FF7E9114000-memory.dmp	xmrig
behavioral2/memory/1052-105-0x00007FF798F10000-0x00007FF799264000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cd9-103.dat	xmrig
behavioral2/files/0x0007000000023cd8-102.dat	xmrig
behavioral2/memory/3304-101-0x00007FF73A4B0000-0x00007FF73A804000-memory.dmp	xmrig
behavioral2/memory/5040-98-0x00007FF6F1310000-0x00007FF6F1664000-memory.dmp	xmrig
behavioral2/memory/4640-97-0x00007FF6764A0000-0x00007FF6767F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cd5-93.dat	xmrig
behavioral2/memory/4916-84-0x00007FF7DD7E0000-0x00007FF7DDB34000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cd4-79.dat	xmrig
behavioral2/memory/1508-75-0x00007FF772A60000-0x00007FF772DB4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cd2-70.dat	xmrig
behavioral2/memory/1832-69-0x00007FF607AF0000-0x00007FF607E44000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cd1-61.dat	xmrig
behavioral2/memory/3624-60-0x00007FF72B5F0000-0x00007FF72B944000-memory.dmp	xmrig
behavioral2/memory/228-55-0x00007FF7254F0000-0x00007FF725844000-memory.dmp	xmrig
behavioral2/memory/3836-50-0x00007FF746B50000-0x00007FF746EA4000-memory.dmp	xmrig
behavioral2/memory/4540-36-0x00007FF6AEC60000-0x00007FF6AEFB4000-memory.dmp	xmrig
behavioral2/memory/220-27-0x00007FF7B7430000-0x00007FF7B7784000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ccc-26.dat	xmrig
behavioral2/files/0x0007000000023ccb-19.dat	xmrig
behavioral2/files/0x0007000000023cda-113.dat	xmrig
behavioral2/memory/2312-117-0x00007FF7410F0000-0x00007FF741444000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cdc-122.dat	xmrig
behavioral2/files/0x0007000000023cdd-127.dat	xmrig
behavioral2/memory/548-129-0x00007FF7C9CA0000-0x00007FF7C9FF4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cde-128.dat	xmrig
behavioral2/memory/2156-123-0x00007FF7E8000000-0x00007FF7E8354000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ce0-140.dat	xmrig
behavioral2/files/0x0007000000023ce1-148.dat	xmrig
behavioral2/memory/904-150-0x00007FF768CF0000-0x00007FF769044000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ce2-157.dat	xmrig
behavioral2/memory/1832-160-0x00007FF607AF0000-0x00007FF607E44000-memory.dmp	xmrig
behavioral2/memory/2408-162-0x00007FF77F180000-0x00007FF77F4D4000-memory.dmp	xmrig
behavioral2/memory/4640-161-0x00007FF6764A0000-0x00007FF6767F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cdf-155.dat	xmrig
behavioral2/memory/4264-154-0x00007FF7BABE0000-0x00007FF7BAF34000-memory.dmp	xmrig
behavioral2/memory/3100-151-0x00007FF755FB0000-0x00007FF756304000-memory.dmp	xmrig
behavioral2/memory/2008-149-0x00007FF73A690000-0x00007FF73A9E4000-memory.dmp	xmrig
behavioral2/memory/4540-146-0x00007FF6AEC60000-0x00007FF6AEFB4000-memory.dmp	xmrig
behavioral2/memory/4356-145-0x00007FF6ACF90000-0x00007FF6AD2E4000-memory.dmp	xmrig
behavioral2/memory/372-131-0x00007FF7E8AF0000-0x00007FF7E8E44000-memory.dmp	xmrig
behavioral2/memory/2324-130-0x00007FF74C490000-0x00007FF74C7E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ce5-171.dat	xmrig
behavioral2/memory/1052-178-0x00007FF798F10000-0x00007FF799264000-memory.dmp	xmrig
behavioral2/memory/1068-183-0x00007FF7B71D0000-0x00007FF7B7524000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ce6-185.dat	xmrig
behavioral2/memory/2312-184-0x00007FF7410F0000-0x00007FF741444000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

Processes:

ddlsbZj.exeDGhdObF.exeRsnRtgu.exeHbHnFZf.exewkmkWGs.exeZsoOyzu.exevKXemjp.exeroBremN.exeBWcgDEX.exeCwiMhOj.exevzmEUtI.exetoCpcBm.exetOAjBBA.exeaRlNdmD.exeoWrvvHf.exedhNpbJg.exeMjtRoPw.exeZcbyzZQ.exewjebPwE.exeLWJxcFL.exeCEFbZYE.exeYSHCNIA.exehFiApkL.exeyXKoAKL.exeRgFlzPi.exeuIWhVGK.exeKukdTPN.exeNnlpflB.exeNDYFWhl.exeLUERYou.exeWtdlZxp.exemSNlmBB.exeKBCpmro.exebZImGkX.exeDUErxDC.exehpjOvGC.exeDEKRzgi.exeiXLaBbr.exeepjHzLW.exeVYYvyea.exeJkBpQwJ.exesNWZNcd.exekzJpcjK.exeDRVEGqM.exefNXthNR.exeQMGJZNN.exeYMYmEIm.exeCjcBIBR.exeZRJAjpg.exeYvirrYP.exePArCHPS.exejjzEPbK.exeytYcdvB.exeubgcjUj.exenTwmhcr.exeuRYPwzp.exegQXefQd.exebeHNPXm.exeoLlpgIa.exeNPgEDHN.exeGzgcdDb.exefHMwQjj.exenxsXBqo.exeSxuZKJV.exe

pid	Process
1224	ddlsbZj.exe
4356	DGhdObF.exe
220	RsnRtgu.exe
4540	HbHnFZf.exe
3836	wkmkWGs.exe
228	ZsoOyzu.exe
540	vKXemjp.exe
3624	roBremN.exe
3100	BWcgDEX.exe
1508	CwiMhOj.exe
1832	vzmEUtI.exe
4916	toCpcBm.exe
3304	tOAjBBA.exe
5036	aRlNdmD.exe
1052	oWrvvHf.exe
4640	dhNpbJg.exe
3272	MjtRoPw.exe
5040	ZcbyzZQ.exe
2312	wjebPwE.exe
2156	LWJxcFL.exe
2324	CEFbZYE.exe
372	YSHCNIA.exe
2008	hFiApkL.exe
4264	yXKoAKL.exe
904	RgFlzPi.exe
2408	uIWhVGK.exe
1748	KukdTPN.exe
4076	NnlpflB.exe
1068	NDYFWhl.exe
1196	LUERYou.exe
3400	WtdlZxp.exe
3948	mSNlmBB.exe
1436	KBCpmro.exe
3992	bZImGkX.exe
4324	DUErxDC.exe
1400	hpjOvGC.exe
2656	DEKRzgi.exe
2088	iXLaBbr.exe
2796	epjHzLW.exe
1612	VYYvyea.exe
4492	JkBpQwJ.exe
1496	sNWZNcd.exe
3332	kzJpcjK.exe
4840	DRVEGqM.exe
1060	fNXthNR.exe
1432	QMGJZNN.exe
3460	YMYmEIm.exe
3216	CjcBIBR.exe
616	ZRJAjpg.exe
2840	YvirrYP.exe
3016	PArCHPS.exe
3784	jjzEPbK.exe
2564	ytYcdvB.exe
2708	ubgcjUj.exe
4876	nTwmhcr.exe
1044	uRYPwzp.exe
2908	gQXefQd.exe
3484	beHNPXm.exe
2608	oLlpgIa.exe
1684	NPgEDHN.exe
4892	GzgcdDb.exe
1636	fHMwQjj.exe
3440	nxsXBqo.exe
3872	SxuZKJV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/548-0-0x00007FF7C9CA0000-0x00007FF7C9FF4000-memory.dmp	upx
behavioral2/files/0x0008000000023cc6-4.dat	upx
behavioral2/memory/1224-8-0x00007FF6A4C90000-0x00007FF6A4FE4000-memory.dmp	upx
behavioral2/files/0x0007000000023cca-12.dat	upx
behavioral2/memory/4356-16-0x00007FF6ACF90000-0x00007FF6AD2E4000-memory.dmp	upx
behavioral2/files/0x0007000000023ccd-25.dat	upx
behavioral2/files/0x0007000000023cce-29.dat	upx
behavioral2/files/0x0007000000023ccf-39.dat	upx
behavioral2/files/0x0007000000023cd0-43.dat	upx
behavioral2/files/0x0007000000023cd3-59.dat	upx
behavioral2/memory/3100-63-0x00007FF755FB0000-0x00007FF756304000-memory.dmp	upx
behavioral2/memory/540-74-0x00007FF674D50000-0x00007FF6750A4000-memory.dmp	upx
behavioral2/files/0x0008000000023cc7-82.dat	upx
behavioral2/files/0x0007000000023cd7-87.dat	upx
behavioral2/files/0x0007000000023cd6-99.dat	upx
behavioral2/memory/5036-104-0x00007FF788C70000-0x00007FF788FC4000-memory.dmp	upx
behavioral2/memory/3272-106-0x00007FF7E8DC0000-0x00007FF7E9114000-memory.dmp	upx
behavioral2/memory/1052-105-0x00007FF798F10000-0x00007FF799264000-memory.dmp	upx
behavioral2/files/0x0007000000023cd9-103.dat	upx
behavioral2/files/0x0007000000023cd8-102.dat	upx
behavioral2/memory/3304-101-0x00007FF73A4B0000-0x00007FF73A804000-memory.dmp	upx
behavioral2/memory/5040-98-0x00007FF6F1310000-0x00007FF6F1664000-memory.dmp	upx
behavioral2/memory/4640-97-0x00007FF6764A0000-0x00007FF6767F4000-memory.dmp	upx
behavioral2/files/0x0007000000023cd5-93.dat	upx
behavioral2/memory/4916-84-0x00007FF7DD7E0000-0x00007FF7DDB34000-memory.dmp	upx
behavioral2/files/0x0007000000023cd4-79.dat	upx
behavioral2/memory/1508-75-0x00007FF772A60000-0x00007FF772DB4000-memory.dmp	upx
behavioral2/files/0x0007000000023cd2-70.dat	upx
behavioral2/memory/1832-69-0x00007FF607AF0000-0x00007FF607E44000-memory.dmp	upx
behavioral2/files/0x0007000000023cd1-61.dat	upx
behavioral2/memory/3624-60-0x00007FF72B5F0000-0x00007FF72B944000-memory.dmp	upx
behavioral2/memory/228-55-0x00007FF7254F0000-0x00007FF725844000-memory.dmp	upx
behavioral2/memory/3836-50-0x00007FF746B50000-0x00007FF746EA4000-memory.dmp	upx
behavioral2/memory/4540-36-0x00007FF6AEC60000-0x00007FF6AEFB4000-memory.dmp	upx
behavioral2/memory/220-27-0x00007FF7B7430000-0x00007FF7B7784000-memory.dmp	upx
behavioral2/files/0x0007000000023ccc-26.dat	upx
behavioral2/files/0x0007000000023ccb-19.dat	upx
behavioral2/files/0x0007000000023cda-113.dat	upx
behavioral2/memory/2312-117-0x00007FF7410F0000-0x00007FF741444000-memory.dmp	upx
behavioral2/files/0x0007000000023cdc-122.dat	upx
behavioral2/files/0x0007000000023cdd-127.dat	upx
behavioral2/memory/548-129-0x00007FF7C9CA0000-0x00007FF7C9FF4000-memory.dmp	upx
behavioral2/files/0x0007000000023cde-128.dat	upx
behavioral2/memory/2156-123-0x00007FF7E8000000-0x00007FF7E8354000-memory.dmp	upx
behavioral2/files/0x0007000000023ce0-140.dat	upx
behavioral2/files/0x0007000000023ce1-148.dat	upx
behavioral2/memory/904-150-0x00007FF768CF0000-0x00007FF769044000-memory.dmp	upx
behavioral2/files/0x0007000000023ce2-157.dat	upx
behavioral2/memory/1832-160-0x00007FF607AF0000-0x00007FF607E44000-memory.dmp	upx
behavioral2/memory/2408-162-0x00007FF77F180000-0x00007FF77F4D4000-memory.dmp	upx
behavioral2/memory/4640-161-0x00007FF6764A0000-0x00007FF6767F4000-memory.dmp	upx
behavioral2/files/0x0007000000023cdf-155.dat	upx
behavioral2/memory/4264-154-0x00007FF7BABE0000-0x00007FF7BAF34000-memory.dmp	upx
behavioral2/memory/3100-151-0x00007FF755FB0000-0x00007FF756304000-memory.dmp	upx
behavioral2/memory/2008-149-0x00007FF73A690000-0x00007FF73A9E4000-memory.dmp	upx
behavioral2/memory/4540-146-0x00007FF6AEC60000-0x00007FF6AEFB4000-memory.dmp	upx
behavioral2/memory/4356-145-0x00007FF6ACF90000-0x00007FF6AD2E4000-memory.dmp	upx
behavioral2/memory/372-131-0x00007FF7E8AF0000-0x00007FF7E8E44000-memory.dmp	upx
behavioral2/memory/2324-130-0x00007FF74C490000-0x00007FF74C7E4000-memory.dmp	upx
behavioral2/files/0x0007000000023ce5-171.dat	upx
behavioral2/memory/1052-178-0x00007FF798F10000-0x00007FF799264000-memory.dmp	upx
behavioral2/memory/1068-183-0x00007FF7B71D0000-0x00007FF7B7524000-memory.dmp	upx
behavioral2/files/0x0007000000023ce6-185.dat	upx
behavioral2/memory/2312-184-0x00007FF7410F0000-0x00007FF741444000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

Processes:

2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\sXflXyL.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HOywdac.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fNXthNR.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ClDcAov.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wmZuEdZ.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FYLVjAz.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CHMktWQ.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nAQtlej.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YSHCNIA.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zhpinzN.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dbtSjUF.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QFCThIp.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yCnmkxV.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lvvylnQ.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EUnPrWS.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QNemQZd.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ASYmqLZ.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GnPWkrc.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bWuuJFX.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KNvUWCw.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BjUCDPP.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RWOuGCm.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\anvONrZ.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EaqIMyW.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DGhdObF.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kgAXOIp.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uPYDxWl.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OFSkulg.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fVqhXbX.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bxKwJeh.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zTEmzjO.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vuOuFTO.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oWimayE.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uGzijTh.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RvBVKqt.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QrssUPL.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OBhmyMZ.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Foyhyow.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NluJZFv.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EaDOylS.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xCelnOX.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LmKrmdP.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TMLKTyQ.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SyefnpB.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NZTvDFm.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WtdlZxp.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uRYPwzp.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oLlpgIa.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sXHFHrZ.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lHmAuFy.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RTQFIuR.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vvQjBLO.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xjLyOlW.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZMokTCq.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MwEBNmM.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sfEKfGw.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AzhFsei.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RPmfywP.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LOUCXyw.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NZeIVXV.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BkQHpNO.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FhlsIwx.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IzylVVg.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cVJaPgZ.exe	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 548 wrote to memory of 1224	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 548 wrote to memory of 1224	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 548 wrote to memory of 4356	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 548 wrote to memory of 4356	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 548 wrote to memory of 220	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 548 wrote to memory of 220	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 548 wrote to memory of 4540	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 548 wrote to memory of 4540	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 548 wrote to memory of 3836	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 548 wrote to memory of 3836	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 548 wrote to memory of 228	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 548 wrote to memory of 228	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 548 wrote to memory of 540	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 548 wrote to memory of 540	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 548 wrote to memory of 3624	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 548 wrote to memory of 3624	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 548 wrote to memory of 3100	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 548 wrote to memory of 3100	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 548 wrote to memory of 1508	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 548 wrote to memory of 1508	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 548 wrote to memory of 1832	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 548 wrote to memory of 1832	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 548 wrote to memory of 4916	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 548 wrote to memory of 4916	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 548 wrote to memory of 5036	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 548 wrote to memory of 5036	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 548 wrote to memory of 3304	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 548 wrote to memory of 3304	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 548 wrote to memory of 1052	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 548 wrote to memory of 1052	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 548 wrote to memory of 4640	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 548 wrote to memory of 4640	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 548 wrote to memory of 3272	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 548 wrote to memory of 3272	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 548 wrote to memory of 5040	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 548 wrote to memory of 5040	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 548 wrote to memory of 2312	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 548 wrote to memory of 2312	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 548 wrote to memory of 2156	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 548 wrote to memory of 2156	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 548 wrote to memory of 2324	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 548 wrote to memory of 2324	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 548 wrote to memory of 372	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 548 wrote to memory of 372	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 548 wrote to memory of 4264	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 548 wrote to memory of 4264	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 548 wrote to memory of 2008	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 548 wrote to memory of 2008	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 548 wrote to memory of 904	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 548 wrote to memory of 904	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 548 wrote to memory of 2408	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 548 wrote to memory of 2408	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 548 wrote to memory of 1748	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 548 wrote to memory of 1748	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 548 wrote to memory of 4076	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 548 wrote to memory of 4076	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 548 wrote to memory of 1068	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 548 wrote to memory of 1068	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 548 wrote to memory of 1196	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 548 wrote to memory of 1196	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 548 wrote to memory of 3400	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	118
PID 548 wrote to memory of 3400	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	118
PID 548 wrote to memory of 3948	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	119
PID 548 wrote to memory of 3948	548	2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-25_2488845be835c77298dafb1f3157dc96_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\System\ddlsbZj.exe
  C:\Windows\System\ddlsbZj.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\DGhdObF.exe
  C:\Windows\System\DGhdObF.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System\RsnRtgu.exe
  C:\Windows\System\RsnRtgu.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\HbHnFZf.exe
  C:\Windows\System\HbHnFZf.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\wkmkWGs.exe
  C:\Windows\System\wkmkWGs.exe
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\System\ZsoOyzu.exe
  C:\Windows\System\ZsoOyzu.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\vKXemjp.exe
  C:\Windows\System\vKXemjp.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System\roBremN.exe
  C:\Windows\System\roBremN.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System\BWcgDEX.exe
  C:\Windows\System\BWcgDEX.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System\CwiMhOj.exe
  C:\Windows\System\CwiMhOj.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\vzmEUtI.exe
  C:\Windows\System\vzmEUtI.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\toCpcBm.exe
  C:\Windows\System\toCpcBm.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System\aRlNdmD.exe
  C:\Windows\System\aRlNdmD.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\tOAjBBA.exe
  C:\Windows\System\tOAjBBA.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System\oWrvvHf.exe
  C:\Windows\System\oWrvvHf.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\dhNpbJg.exe
  C:\Windows\System\dhNpbJg.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\MjtRoPw.exe
  C:\Windows\System\MjtRoPw.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\ZcbyzZQ.exe
  C:\Windows\System\ZcbyzZQ.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\wjebPwE.exe
  C:\Windows\System\wjebPwE.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System\LWJxcFL.exe
  C:\Windows\System\LWJxcFL.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\CEFbZYE.exe
  C:\Windows\System\CEFbZYE.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\YSHCNIA.exe
  C:\Windows\System\YSHCNIA.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System\yXKoAKL.exe
  C:\Windows\System\yXKoAKL.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System\hFiApkL.exe
  C:\Windows\System\hFiApkL.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\RgFlzPi.exe
  C:\Windows\System\RgFlzPi.exe
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\System\uIWhVGK.exe
  C:\Windows\System\uIWhVGK.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\KukdTPN.exe
  C:\Windows\System\KukdTPN.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\NnlpflB.exe
  C:\Windows\System\NnlpflB.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System\NDYFWhl.exe
  C:\Windows\System\NDYFWhl.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\LUERYou.exe
  C:\Windows\System\LUERYou.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\WtdlZxp.exe
  C:\Windows\System\WtdlZxp.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\mSNlmBB.exe
  C:\Windows\System\mSNlmBB.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\KBCpmro.exe
  C:\Windows\System\KBCpmro.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\bZImGkX.exe
  C:\Windows\System\bZImGkX.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\DUErxDC.exe
  C:\Windows\System\DUErxDC.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System\hpjOvGC.exe
  C:\Windows\System\hpjOvGC.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\DEKRzgi.exe
  C:\Windows\System\DEKRzgi.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\iXLaBbr.exe
  C:\Windows\System\iXLaBbr.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\epjHzLW.exe
  C:\Windows\System\epjHzLW.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\VYYvyea.exe
  C:\Windows\System\VYYvyea.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\JkBpQwJ.exe
  C:\Windows\System\JkBpQwJ.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\sNWZNcd.exe
  C:\Windows\System\sNWZNcd.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\kzJpcjK.exe
  C:\Windows\System\kzJpcjK.exe
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Windows\System\DRVEGqM.exe
  C:\Windows\System\DRVEGqM.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\fNXthNR.exe
  C:\Windows\System\fNXthNR.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\QMGJZNN.exe
  C:\Windows\System\QMGJZNN.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\YMYmEIm.exe
  C:\Windows\System\YMYmEIm.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\CjcBIBR.exe
  C:\Windows\System\CjcBIBR.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System\ZRJAjpg.exe
  C:\Windows\System\ZRJAjpg.exe
  2⤵
  - Executes dropped EXE
  PID:616
- C:\Windows\System\YvirrYP.exe
  C:\Windows\System\YvirrYP.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\PArCHPS.exe
  C:\Windows\System\PArCHPS.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\jjzEPbK.exe
  C:\Windows\System\jjzEPbK.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System\ytYcdvB.exe
  C:\Windows\System\ytYcdvB.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\ubgcjUj.exe
  C:\Windows\System\ubgcjUj.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\nTwmhcr.exe
  C:\Windows\System\nTwmhcr.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\uRYPwzp.exe
  C:\Windows\System\uRYPwzp.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System\gQXefQd.exe
  C:\Windows\System\gQXefQd.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System\beHNPXm.exe
  C:\Windows\System\beHNPXm.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System\oLlpgIa.exe
  C:\Windows\System\oLlpgIa.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\NPgEDHN.exe
  C:\Windows\System\NPgEDHN.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\GzgcdDb.exe
  C:\Windows\System\GzgcdDb.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\fHMwQjj.exe
  C:\Windows\System\fHMwQjj.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\nxsXBqo.exe
  C:\Windows\System\nxsXBqo.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System\SxuZKJV.exe
  C:\Windows\System\SxuZKJV.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\FKEXemU.exe
  C:\Windows\System\FKEXemU.exe
  2⤵
  PID:2012
- C:\Windows\System\stvHyyg.exe
  C:\Windows\System\stvHyyg.exe
  2⤵
  PID:2780
- C:\Windows\System\ClDcAov.exe
  C:\Windows\System\ClDcAov.exe
  2⤵
  PID:4328
- C:\Windows\System\qYjPvln.exe
  C:\Windows\System\qYjPvln.exe
  2⤵
  PID:1600
- C:\Windows\System\HgojPog.exe
  C:\Windows\System\HgojPog.exe
  2⤵
  PID:1480
- C:\Windows\System\GbKsYwL.exe
  C:\Windows\System\GbKsYwL.exe
  2⤵
  PID:3864
- C:\Windows\System\PEGFrMJ.exe
  C:\Windows\System\PEGFrMJ.exe
  2⤵
  PID:3592
- C:\Windows\System\JvzXMag.exe
  C:\Windows\System\JvzXMag.exe
  2⤵
  PID:4632
- C:\Windows\System\zTEmzjO.exe
  C:\Windows\System\zTEmzjO.exe
  2⤵
  PID:2180
- C:\Windows\System\nhmVWZJ.exe
  C:\Windows\System\nhmVWZJ.exe
  2⤵
  PID:2316
- C:\Windows\System\YEHjaGg.exe
  C:\Windows\System\YEHjaGg.exe
  2⤵
  PID:760
- C:\Windows\System\NibxKAw.exe
  C:\Windows\System\NibxKAw.exe
  2⤵
  PID:2664
- C:\Windows\System\FXvoRWA.exe
  C:\Windows\System\FXvoRWA.exe
  2⤵
  PID:1264
- C:\Windows\System\WwKuCXO.exe
  C:\Windows\System\WwKuCXO.exe
  2⤵
  PID:3932
- C:\Windows\System\omgeHgr.exe
  C:\Windows\System\omgeHgr.exe
  2⤵
  PID:832
- C:\Windows\System\BqyIigI.exe
  C:\Windows\System\BqyIigI.exe
  2⤵
  PID:5108
- C:\Windows\System\rLfoheB.exe
  C:\Windows\System\rLfoheB.exe
  2⤵
  PID:804
- C:\Windows\System\biZhZUS.exe
  C:\Windows\System\biZhZUS.exe
  2⤵
  PID:4580
- C:\Windows\System\EtMNrty.exe
  C:\Windows\System\EtMNrty.exe
  2⤵
  PID:1448
- C:\Windows\System\DAdXtFy.exe
  C:\Windows\System\DAdXtFy.exe
  2⤵
  PID:1876
- C:\Windows\System\zRrGyZZ.exe
  C:\Windows\System\zRrGyZZ.exe
  2⤵
  PID:4852
- C:\Windows\System\kHwrwcg.exe
  C:\Windows\System\kHwrwcg.exe
  2⤵
  PID:2104
- C:\Windows\System\DEbbrxA.exe
  C:\Windows\System\DEbbrxA.exe
  2⤵
  PID:2600
- C:\Windows\System\cTEULTx.exe
  C:\Windows\System\cTEULTx.exe
  2⤵
  PID:944
- C:\Windows\System\TQIHCGC.exe
  C:\Windows\System\TQIHCGC.exe
  2⤵
  PID:3628
- C:\Windows\System\LVzTzNn.exe
  C:\Windows\System\LVzTzNn.exe
  2⤵
  PID:404
- C:\Windows\System\JLOhFoI.exe
  C:\Windows\System\JLOhFoI.exe
  2⤵
  PID:916
- C:\Windows\System\RFkqwcU.exe
  C:\Windows\System\RFkqwcU.exe
  2⤵
  PID:4800
- C:\Windows\System\dLKUiUl.exe
  C:\Windows\System\dLKUiUl.exe
  2⤵
  PID:684
- C:\Windows\System\wFZIkGN.exe
  C:\Windows\System\wFZIkGN.exe
  2⤵
  PID:1048
- C:\Windows\System\xHAnOgR.exe
  C:\Windows\System\xHAnOgR.exe
  2⤵
  PID:4644
- C:\Windows\System\jBVGFXC.exe
  C:\Windows\System\jBVGFXC.exe
  2⤵
  PID:5136
- C:\Windows\System\rZXVrPY.exe
  C:\Windows\System\rZXVrPY.exe
  2⤵
  PID:5168
- C:\Windows\System\azRKCbF.exe
  C:\Windows\System\azRKCbF.exe
  2⤵
  PID:5204
- C:\Windows\System\VtNgmfS.exe
  C:\Windows\System\VtNgmfS.exe
  2⤵
  PID:5228
- C:\Windows\System\BUQHvhk.exe
  C:\Windows\System\BUQHvhk.exe
  2⤵
  PID:5260
- C:\Windows\System\nYRAFWD.exe
  C:\Windows\System\nYRAFWD.exe
  2⤵
  PID:5288
- C:\Windows\System\EIuVQTm.exe
  C:\Windows\System\EIuVQTm.exe
  2⤵
  PID:5308
- C:\Windows\System\tfUsDRK.exe
  C:\Windows\System\tfUsDRK.exe
  2⤵
  PID:5344
- C:\Windows\System\pmzNXOl.exe
  C:\Windows\System\pmzNXOl.exe
  2⤵
  PID:5372
- C:\Windows\System\pBwhAEo.exe
  C:\Windows\System\pBwhAEo.exe
  2⤵
  PID:5400
- C:\Windows\System\ZoOybtg.exe
  C:\Windows\System\ZoOybtg.exe
  2⤵
  PID:5428
- C:\Windows\System\wROACbL.exe
  C:\Windows\System\wROACbL.exe
  2⤵
  PID:5452
- C:\Windows\System\ZgMwXLJ.exe
  C:\Windows\System\ZgMwXLJ.exe
  2⤵
  PID:5484
- C:\Windows\System\HSLmIFh.exe
  C:\Windows\System\HSLmIFh.exe
  2⤵
  PID:5512
- C:\Windows\System\cGzbVoG.exe
  C:\Windows\System\cGzbVoG.exe
  2⤵
  PID:5544
- C:\Windows\System\kvqGtDs.exe
  C:\Windows\System\kvqGtDs.exe
  2⤵
  PID:5568
- C:\Windows\System\CFhjQPS.exe
  C:\Windows\System\CFhjQPS.exe
  2⤵
  PID:5600
- C:\Windows\System\tLnkevU.exe
  C:\Windows\System\tLnkevU.exe
  2⤵
  PID:5628
- C:\Windows\System\xcCLLPc.exe
  C:\Windows\System\xcCLLPc.exe
  2⤵
  PID:5656
- C:\Windows\System\semFucm.exe
  C:\Windows\System\semFucm.exe
  2⤵
  PID:5676
- C:\Windows\System\fTwLmjC.exe
  C:\Windows\System\fTwLmjC.exe
  2⤵
  PID:5724
- C:\Windows\System\KndPumw.exe
  C:\Windows\System\KndPumw.exe
  2⤵
  PID:5768
- C:\Windows\System\retPUHC.exe
  C:\Windows\System\retPUHC.exe
  2⤵
  PID:5848
- C:\Windows\System\uoQnYtc.exe
  C:\Windows\System\uoQnYtc.exe
  2⤵
  PID:5920
- C:\Windows\System\jiLtlyW.exe
  C:\Windows\System\jiLtlyW.exe
  2⤵
  PID:5952
- C:\Windows\System\klZiBQJ.exe
  C:\Windows\System\klZiBQJ.exe
  2⤵
  PID:5968
- C:\Windows\System\GkUPFQx.exe
  C:\Windows\System\GkUPFQx.exe
  2⤵
  PID:6020
- C:\Windows\System\vFTpDMm.exe
  C:\Windows\System\vFTpDMm.exe
  2⤵
  PID:6072
- C:\Windows\System\sRuMbTH.exe
  C:\Windows\System\sRuMbTH.exe
  2⤵
  PID:6108
- C:\Windows\System\AzhFsei.exe
  C:\Windows\System\AzhFsei.exe
  2⤵
  PID:6140
- C:\Windows\System\fgICgCR.exe
  C:\Windows\System\fgICgCR.exe
  2⤵
  PID:5176
- C:\Windows\System\CNsSAEp.exe
  C:\Windows\System\CNsSAEp.exe
  2⤵
  PID:5248
- C:\Windows\System\nxuOVRU.exe
  C:\Windows\System\nxuOVRU.exe
  2⤵
  PID:5316
- C:\Windows\System\DtGwFum.exe
  C:\Windows\System\DtGwFum.exe
  2⤵
  PID:5360
- C:\Windows\System\gjuppCV.exe
  C:\Windows\System\gjuppCV.exe
  2⤵
  PID:5424
- C:\Windows\System\ZezHvEv.exe
  C:\Windows\System\ZezHvEv.exe
  2⤵
  PID:5492
- C:\Windows\System\uKllkbU.exe
  C:\Windows\System\uKllkbU.exe
  2⤵
  PID:5560
- C:\Windows\System\uivvBUO.exe
  C:\Windows\System\uivvBUO.exe
  2⤵
  PID:5636
- C:\Windows\System\YirAEQk.exe
  C:\Windows\System\YirAEQk.exe
  2⤵
  PID:5736
- C:\Windows\System\sXHFHrZ.exe
  C:\Windows\System\sXHFHrZ.exe
  2⤵
  PID:5752
- C:\Windows\System\fZNPTnV.exe
  C:\Windows\System\fZNPTnV.exe
  2⤵
  PID:5964
- C:\Windows\System\CdCxeIK.exe
  C:\Windows\System\CdCxeIK.exe
  2⤵
  PID:6056
- C:\Windows\System\QNemQZd.exe
  C:\Windows\System\QNemQZd.exe
  2⤵
  PID:6128
- C:\Windows\System\rMoTNBO.exe
  C:\Windows\System\rMoTNBO.exe
  2⤵
  PID:6116
- C:\Windows\System\yFlDcaJ.exe
  C:\Windows\System\yFlDcaJ.exe
  2⤵
  PID:5220
- C:\Windows\System\qLmPaar.exe
  C:\Windows\System\qLmPaar.exe
  2⤵
  PID:5388
- C:\Windows\System\RPmfywP.exe
  C:\Windows\System\RPmfywP.exe
  2⤵
  PID:5524
- C:\Windows\System\FqXjVSO.exe
  C:\Windows\System\FqXjVSO.exe
  2⤵
  PID:5652
- C:\Windows\System\EaDOylS.exe
  C:\Windows\System\EaDOylS.exe
  2⤵
  PID:5928
- C:\Windows\System\svmQpkj.exe
  C:\Windows\System\svmQpkj.exe
  2⤵
  PID:6092
- C:\Windows\System\hagSziB.exe
  C:\Windows\System\hagSziB.exe
  2⤵
  PID:5240
- C:\Windows\System\vuOuFTO.exe
  C:\Windows\System\vuOuFTO.exe
  2⤵
  PID:5580
- C:\Windows\System\YVbbyUA.exe
  C:\Windows\System\YVbbyUA.exe
  2⤵
  PID:6100
- C:\Windows\System\qYscjLB.exe
  C:\Windows\System\qYscjLB.exe
  2⤵
  PID:5520
- C:\Windows\System\lViOXOx.exe
  C:\Windows\System\lViOXOx.exe
  2⤵
  PID:5508
- C:\Windows\System\BGerOYx.exe
  C:\Windows\System\BGerOYx.exe
  2⤵
  PID:6172
- C:\Windows\System\rvKoWDh.exe
  C:\Windows\System\rvKoWDh.exe
  2⤵
  PID:6200
- C:\Windows\System\uZRHADL.exe
  C:\Windows\System\uZRHADL.exe
  2⤵
  PID:6228
- C:\Windows\System\usoFCVH.exe
  C:\Windows\System\usoFCVH.exe
  2⤵
  PID:6252
- C:\Windows\System\TCghprG.exe
  C:\Windows\System\TCghprG.exe
  2⤵
  PID:6280
- C:\Windows\System\OrBNIpX.exe
  C:\Windows\System\OrBNIpX.exe
  2⤵
  PID:6312
- C:\Windows\System\VHZfTMv.exe
  C:\Windows\System\VHZfTMv.exe
  2⤵
  PID:6332
- C:\Windows\System\LXDKPqj.exe
  C:\Windows\System\LXDKPqj.exe
  2⤵
  PID:6368
- C:\Windows\System\pxRUOeN.exe
  C:\Windows\System\pxRUOeN.exe
  2⤵
  PID:6388
- C:\Windows\System\jWhIoZq.exe
  C:\Windows\System\jWhIoZq.exe
  2⤵
  PID:6420
- C:\Windows\System\lJSyPSc.exe
  C:\Windows\System\lJSyPSc.exe
  2⤵
  PID:6456
- C:\Windows\System\zMBOCLe.exe
  C:\Windows\System\zMBOCLe.exe
  2⤵
  PID:6480
- C:\Windows\System\ysDxIsA.exe
  C:\Windows\System\ysDxIsA.exe
  2⤵
  PID:6512
- C:\Windows\System\hsDqBnT.exe
  C:\Windows\System\hsDqBnT.exe
  2⤵
  PID:6540
- C:\Windows\System\JMDLwze.exe
  C:\Windows\System\JMDLwze.exe
  2⤵
  PID:6568
- C:\Windows\System\aqotyax.exe
  C:\Windows\System\aqotyax.exe
  2⤵
  PID:6596
- C:\Windows\System\pWEnLdW.exe
  C:\Windows\System\pWEnLdW.exe
  2⤵
  PID:6624
- C:\Windows\System\rMTvgbt.exe
  C:\Windows\System\rMTvgbt.exe
  2⤵
  PID:6648
- C:\Windows\System\CYSXeHk.exe
  C:\Windows\System\CYSXeHk.exe
  2⤵
  PID:6680
- C:\Windows\System\RdXmVnt.exe
  C:\Windows\System\RdXmVnt.exe
  2⤵
  PID:6704
- C:\Windows\System\vvQjBLO.exe
  C:\Windows\System\vvQjBLO.exe
  2⤵
  PID:6732
- C:\Windows\System\EHmBEqH.exe
  C:\Windows\System\EHmBEqH.exe
  2⤵
  PID:6752
- C:\Windows\System\LOUCXyw.exe
  C:\Windows\System\LOUCXyw.exe
  2⤵
  PID:6784
- C:\Windows\System\ZJuLhGo.exe
  C:\Windows\System\ZJuLhGo.exe
  2⤵
  PID:6816
- C:\Windows\System\dprsJFu.exe
  C:\Windows\System\dprsJFu.exe
  2⤵
  PID:6852
- C:\Windows\System\caWFVyp.exe
  C:\Windows\System\caWFVyp.exe
  2⤵
  PID:6904
- C:\Windows\System\TGQxzJw.exe
  C:\Windows\System\TGQxzJw.exe
  2⤵
  PID:6928
- C:\Windows\System\sUbOIOC.exe
  C:\Windows\System\sUbOIOC.exe
  2⤵
  PID:7012
- C:\Windows\System\lSmvuKZ.exe
  C:\Windows\System\lSmvuKZ.exe
  2⤵
  PID:7068
- C:\Windows\System\RfznVFn.exe
  C:\Windows\System\RfznVFn.exe
  2⤵
  PID:7100
- C:\Windows\System\pcTZRWo.exe
  C:\Windows\System\pcTZRWo.exe
  2⤵
  PID:7132
- C:\Windows\System\wmZuEdZ.exe
  C:\Windows\System\wmZuEdZ.exe
  2⤵
  PID:7152
- C:\Windows\System\yWaXSNV.exe
  C:\Windows\System\yWaXSNV.exe
  2⤵
  PID:6036
- C:\Windows\System\QSbTHSF.exe
  C:\Windows\System\QSbTHSF.exe
  2⤵
  PID:5748
- C:\Windows\System\OCtVyfm.exe
  C:\Windows\System\OCtVyfm.exe
  2⤵
  PID:6344
- C:\Windows\System\NZeIVXV.exe
  C:\Windows\System\NZeIVXV.exe
  2⤵
  PID:6396
- C:\Windows\System\FuxZMpk.exe
  C:\Windows\System\FuxZMpk.exe
  2⤵
  PID:6488
- C:\Windows\System\QLmJnme.exe
  C:\Windows\System\QLmJnme.exe
  2⤵
  PID:6536
- C:\Windows\System\xCelnOX.exe
  C:\Windows\System\xCelnOX.exe
  2⤵
  PID:6576
- C:\Windows\System\IquPHnA.exe
  C:\Windows\System\IquPHnA.exe
  2⤵
  PID:6688
- C:\Windows\System\LmKrmdP.exe
  C:\Windows\System\LmKrmdP.exe
  2⤵
  PID:6772
- C:\Windows\System\TgHrdKo.exe
  C:\Windows\System\TgHrdKo.exe
  2⤵
  PID:6840
- C:\Windows\System\ZXOeiUM.exe
  C:\Windows\System\ZXOeiUM.exe
  2⤵
  PID:6888
- C:\Windows\System\XTAuEuA.exe
  C:\Windows\System\XTAuEuA.exe
  2⤵
  PID:6952
- C:\Windows\System\YNHuLFo.exe
  C:\Windows\System\YNHuLFo.exe
  2⤵
  PID:6988
- C:\Windows\System\zUWlkcc.exe
  C:\Windows\System\zUWlkcc.exe
  2⤵
  PID:6976
- C:\Windows\System\QKtqMwa.exe
  C:\Windows\System\QKtqMwa.exe
  2⤵
  PID:1796
- C:\Windows\System\vjKtwqd.exe
  C:\Windows\System\vjKtwqd.exe
  2⤵
  PID:7164
- C:\Windows\System\HSiHiYN.exe
  C:\Windows\System\HSiHiYN.exe
  2⤵
  PID:6300
- C:\Windows\System\vWPrHkx.exe
  C:\Windows\System\vWPrHkx.exe
  2⤵
  PID:6444
- C:\Windows\System\CYnJIdK.exe
  C:\Windows\System\CYnJIdK.exe
  2⤵
  PID:6604
- C:\Windows\System\YzLmvNM.exe
  C:\Windows\System\YzLmvNM.exe
  2⤵
  PID:3240
- C:\Windows\System\GuZBUDy.exe
  C:\Windows\System\GuZBUDy.exe
  2⤵
  PID:1760
- C:\Windows\System\EZeLcjH.exe
  C:\Windows\System\EZeLcjH.exe
  2⤵
  PID:6764
- C:\Windows\System\sOhpXLB.exe
  C:\Windows\System\sOhpXLB.exe
  2⤵
  PID:6804
- C:\Windows\System\ASYmqLZ.exe
  C:\Windows\System\ASYmqLZ.exe
  2⤵
  PID:6920
- C:\Windows\System\KnRVTIq.exe
  C:\Windows\System\KnRVTIq.exe
  2⤵
  PID:7004
- C:\Windows\System\LIxoAam.exe
  C:\Windows\System\LIxoAam.exe
  2⤵
  PID:7144
- C:\Windows\System\SgwqMFN.exe
  C:\Windows\System\SgwqMFN.exe
  2⤵
  PID:6428
- C:\Windows\System\alXguhr.exe
  C:\Windows\System\alXguhr.exe
  2⤵
  PID:2604
- C:\Windows\System\eegKwRw.exe
  C:\Windows\System\eegKwRw.exe
  2⤵
  PID:6748
- C:\Windows\System\uMPYGab.exe
  C:\Windows\System\uMPYGab.exe
  2⤵
  PID:6912
- C:\Windows\System\FTVSSZi.exe
  C:\Windows\System\FTVSSZi.exe
  2⤵
  PID:3336
- C:\Windows\System\gLKDwbK.exe
  C:\Windows\System\gLKDwbK.exe
  2⤵
  PID:3080
- C:\Windows\System\jgQaIFK.exe
  C:\Windows\System\jgQaIFK.exe
  2⤵
  PID:808
- C:\Windows\System\xKoEmcf.exe
  C:\Windows\System\xKoEmcf.exe
  2⤵
  PID:6640
- C:\Windows\System\XvYstrE.exe
  C:\Windows\System\XvYstrE.exe
  2⤵
  PID:7188
- C:\Windows\System\oWimayE.exe
  C:\Windows\System\oWimayE.exe
  2⤵
  PID:7224
- C:\Windows\System\xMytzCd.exe
  C:\Windows\System\xMytzCd.exe
  2⤵
  PID:7244
- C:\Windows\System\IagpzmC.exe
  C:\Windows\System\IagpzmC.exe
  2⤵
  PID:7272
- C:\Windows\System\ApMJVwn.exe
  C:\Windows\System\ApMJVwn.exe
  2⤵
  PID:7312
- C:\Windows\System\rdgdila.exe
  C:\Windows\System\rdgdila.exe
  2⤵
  PID:7372
- C:\Windows\System\qYYdKiM.exe
  C:\Windows\System\qYYdKiM.exe
  2⤵
  PID:7404
- C:\Windows\System\OCypVpP.exe
  C:\Windows\System\OCypVpP.exe
  2⤵
  PID:7432
- C:\Windows\System\MCvxqXA.exe
  C:\Windows\System\MCvxqXA.exe
  2⤵
  PID:7464
- C:\Windows\System\EAqxIXI.exe
  C:\Windows\System\EAqxIXI.exe
  2⤵
  PID:7492
- C:\Windows\System\KOpSXhN.exe
  C:\Windows\System\KOpSXhN.exe
  2⤵
  PID:7520
- C:\Windows\System\zhpinzN.exe
  C:\Windows\System\zhpinzN.exe
  2⤵
  PID:7544
- C:\Windows\System\LWyiMGv.exe
  C:\Windows\System\LWyiMGv.exe
  2⤵
  PID:7564
- C:\Windows\System\SJYIHoI.exe
  C:\Windows\System\SJYIHoI.exe
  2⤵
  PID:7596
- C:\Windows\System\GySUtga.exe
  C:\Windows\System\GySUtga.exe
  2⤵
  PID:7620
- C:\Windows\System\JHfhLdo.exe
  C:\Windows\System\JHfhLdo.exe
  2⤵
  PID:7648
- C:\Windows\System\lztLoFY.exe
  C:\Windows\System\lztLoFY.exe
  2⤵
  PID:7676
- C:\Windows\System\gcDSFOM.exe
  C:\Windows\System\gcDSFOM.exe
  2⤵
  PID:7708
- C:\Windows\System\RmNWGxf.exe
  C:\Windows\System\RmNWGxf.exe
  2⤵
  PID:7744
- C:\Windows\System\VzNnsIV.exe
  C:\Windows\System\VzNnsIV.exe
  2⤵
  PID:7776
- C:\Windows\System\lFdOXvU.exe
  C:\Windows\System\lFdOXvU.exe
  2⤵
  PID:7804
- C:\Windows\System\zlQAQvG.exe
  C:\Windows\System\zlQAQvG.exe
  2⤵
  PID:7832
- C:\Windows\System\UBRDkaP.exe
  C:\Windows\System\UBRDkaP.exe
  2⤵
  PID:7852
- C:\Windows\System\WlLHXlK.exe
  C:\Windows\System\WlLHXlK.exe
  2⤵
  PID:7880
- C:\Windows\System\JtqPYtw.exe
  C:\Windows\System\JtqPYtw.exe
  2⤵
  PID:7908
- C:\Windows\System\mebqSlf.exe
  C:\Windows\System\mebqSlf.exe
  2⤵
  PID:7936
- C:\Windows\System\lpGenQa.exe
  C:\Windows\System\lpGenQa.exe
  2⤵
  PID:7964
- C:\Windows\System\AENNSWQ.exe
  C:\Windows\System\AENNSWQ.exe
  2⤵
  PID:7992
- C:\Windows\System\jYQncvv.exe
  C:\Windows\System\jYQncvv.exe
  2⤵
  PID:8020
- C:\Windows\System\fPqUzVk.exe
  C:\Windows\System\fPqUzVk.exe
  2⤵
  PID:8048
- C:\Windows\System\wBbMzYe.exe
  C:\Windows\System\wBbMzYe.exe
  2⤵
  PID:8084
- C:\Windows\System\AYPICXe.exe
  C:\Windows\System\AYPICXe.exe
  2⤵
  PID:8108
- C:\Windows\System\FYLVjAz.exe
  C:\Windows\System\FYLVjAz.exe
  2⤵
  PID:8140
- C:\Windows\System\bkjBqaQ.exe
  C:\Windows\System\bkjBqaQ.exe
  2⤵
  PID:8168
- C:\Windows\System\ylslKSt.exe
  C:\Windows\System\ylslKSt.exe
  2⤵
  PID:3220
- C:\Windows\System\oucwFYF.exe
  C:\Windows\System\oucwFYF.exe
  2⤵
  PID:7232
- C:\Windows\System\SLjRcGH.exe
  C:\Windows\System\SLjRcGH.exe
  2⤵
  PID:7300
- C:\Windows\System\XlqNEUu.exe
  C:\Windows\System\XlqNEUu.exe
  2⤵
  PID:6964
- C:\Windows\System\EcSizxd.exe
  C:\Windows\System\EcSizxd.exe
  2⤵
  PID:6272
- C:\Windows\System\FFrUfIH.exe
  C:\Windows\System\FFrUfIH.exe
  2⤵
  PID:7452
- C:\Windows\System\RrxeXhi.exe
  C:\Windows\System\RrxeXhi.exe
  2⤵
  PID:7500
- C:\Windows\System\FqfLobt.exe
  C:\Windows\System\FqfLobt.exe
  2⤵
  PID:7556
- C:\Windows\System\FOLoVTM.exe
  C:\Windows\System\FOLoVTM.exe
  2⤵
  PID:7612
- C:\Windows\System\dbtSjUF.exe
  C:\Windows\System\dbtSjUF.exe
  2⤵
  PID:7688
- C:\Windows\System\hmsIZxc.exe
  C:\Windows\System\hmsIZxc.exe
  2⤵
  PID:7736
- C:\Windows\System\XInEDvu.exe
  C:\Windows\System\XInEDvu.exe
  2⤵
  PID:7792
- C:\Windows\System\yOjOcEJ.exe
  C:\Windows\System\yOjOcEJ.exe
  2⤵
  PID:7872
- C:\Windows\System\mVdroyv.exe
  C:\Windows\System\mVdroyv.exe
  2⤵
  PID:7928
- C:\Windows\System\TPOcNra.exe
  C:\Windows\System\TPOcNra.exe
  2⤵
  PID:7976
- C:\Windows\System\TMLKTyQ.exe
  C:\Windows\System\TMLKTyQ.exe
  2⤵
  PID:8044
- C:\Windows\System\wzGkOrU.exe
  C:\Windows\System\wzGkOrU.exe
  2⤵
  PID:8120
- C:\Windows\System\DpFxTSZ.exe
  C:\Windows\System\DpFxTSZ.exe
  2⤵
  PID:8184
- C:\Windows\System\cQMDqJB.exe
  C:\Windows\System\cQMDqJB.exe
  2⤵
  PID:7268
- C:\Windows\System\dBJmcBn.exe
  C:\Windows\System\dBJmcBn.exe
  2⤵
  PID:7412
- C:\Windows\System\llElosK.exe
  C:\Windows\System\llElosK.exe
  2⤵
  PID:7540
- C:\Windows\System\ohSmSIk.exe
  C:\Windows\System\ohSmSIk.exe
  2⤵
  PID:7660
- C:\Windows\System\tSjhfJE.exe
  C:\Windows\System\tSjhfJE.exe
  2⤵
  PID:7788
- C:\Windows\System\SaJhjxb.exe
  C:\Windows\System\SaJhjxb.exe
  2⤵
  PID:7960
- C:\Windows\System\XYyCEcA.exe
  C:\Windows\System\XYyCEcA.exe
  2⤵
  PID:8148
- C:\Windows\System\CPJbZyi.exe
  C:\Windows\System\CPJbZyi.exe
  2⤵
  PID:7284
- C:\Windows\System\XovcGkO.exe
  C:\Windows\System\XovcGkO.exe
  2⤵
  PID:7604
- C:\Windows\System\nOQNVKj.exe
  C:\Windows\System\nOQNVKj.exe
  2⤵
  PID:7904
- C:\Windows\System\DfzOZBP.exe
  C:\Windows\System\DfzOZBP.exe
  2⤵
  PID:7204
- C:\Windows\System\XEmrchj.exe
  C:\Windows\System\XEmrchj.exe
  2⤵
  PID:7848
- C:\Windows\System\AiZHdGV.exe
  C:\Windows\System\AiZHdGV.exe
  2⤵
  PID:8176
- C:\Windows\System\GnPWkrc.exe
  C:\Windows\System\GnPWkrc.exe
  2⤵
  PID:8212
- C:\Windows\System\xxBUxdD.exe
  C:\Windows\System\xxBUxdD.exe
  2⤵
  PID:8240
- C:\Windows\System\QFCThIp.exe
  C:\Windows\System\QFCThIp.exe
  2⤵
  PID:8268
- C:\Windows\System\KJaTkAd.exe
  C:\Windows\System\KJaTkAd.exe
  2⤵
  PID:8296
- C:\Windows\System\AwreXvh.exe
  C:\Windows\System\AwreXvh.exe
  2⤵
  PID:8324
- C:\Windows\System\RUNZsBw.exe
  C:\Windows\System\RUNZsBw.exe
  2⤵
  PID:8352
- C:\Windows\System\cISRvRL.exe
  C:\Windows\System\cISRvRL.exe
  2⤵
  PID:8388
- C:\Windows\System\kwfuQYw.exe
  C:\Windows\System\kwfuQYw.exe
  2⤵
  PID:8408
- C:\Windows\System\MKLIvUI.exe
  C:\Windows\System\MKLIvUI.exe
  2⤵
  PID:8440
- C:\Windows\System\xfvObTM.exe
  C:\Windows\System\xfvObTM.exe
  2⤵
  PID:8464
- C:\Windows\System\iChRoak.exe
  C:\Windows\System\iChRoak.exe
  2⤵
  PID:8492
- C:\Windows\System\HCUZJxW.exe
  C:\Windows\System\HCUZJxW.exe
  2⤵
  PID:8520
- C:\Windows\System\vMWXAMD.exe
  C:\Windows\System\vMWXAMD.exe
  2⤵
  PID:8552
- C:\Windows\System\waqiLha.exe
  C:\Windows\System\waqiLha.exe
  2⤵
  PID:8580
- C:\Windows\System\uGzijTh.exe
  C:\Windows\System\uGzijTh.exe
  2⤵
  PID:8608
- C:\Windows\System\UeLYdNc.exe
  C:\Windows\System\UeLYdNc.exe
  2⤵
  PID:8636
- C:\Windows\System\XzwqNai.exe
  C:\Windows\System\XzwqNai.exe
  2⤵
  PID:8664
- C:\Windows\System\eBWoPyG.exe
  C:\Windows\System\eBWoPyG.exe
  2⤵
  PID:8692
- C:\Windows\System\WMPnnAn.exe
  C:\Windows\System\WMPnnAn.exe
  2⤵
  PID:8720
- C:\Windows\System\bWuuJFX.exe
  C:\Windows\System\bWuuJFX.exe
  2⤵
  PID:8748
- C:\Windows\System\KNvUWCw.exe
  C:\Windows\System\KNvUWCw.exe
  2⤵
  PID:8776
- C:\Windows\System\DpugOWh.exe
  C:\Windows\System\DpugOWh.exe
  2⤵
  PID:8804
- C:\Windows\System\YHtFSJp.exe
  C:\Windows\System\YHtFSJp.exe
  2⤵
  PID:8832
- C:\Windows\System\dxTkwII.exe
  C:\Windows\System\dxTkwII.exe
  2⤵
  PID:8864
- C:\Windows\System\MrAQRNy.exe
  C:\Windows\System\MrAQRNy.exe
  2⤵
  PID:8888
- C:\Windows\System\wKbUKrJ.exe
  C:\Windows\System\wKbUKrJ.exe
  2⤵
  PID:8916
- C:\Windows\System\gxEpjeg.exe
  C:\Windows\System\gxEpjeg.exe
  2⤵
  PID:8944
- C:\Windows\System\lGeIQsA.exe
  C:\Windows\System\lGeIQsA.exe
  2⤵
  PID:8972
- C:\Windows\System\bYZLaUL.exe
  C:\Windows\System\bYZLaUL.exe
  2⤵
  PID:9000
- C:\Windows\System\qkNvcBI.exe
  C:\Windows\System\qkNvcBI.exe
  2⤵
  PID:9028
- C:\Windows\System\eaPpKFx.exe
  C:\Windows\System\eaPpKFx.exe
  2⤵
  PID:9056
- C:\Windows\System\xHnGaco.exe
  C:\Windows\System\xHnGaco.exe
  2⤵
  PID:9084
- C:\Windows\System\hyBWYhZ.exe
  C:\Windows\System\hyBWYhZ.exe
  2⤵
  PID:9112
- C:\Windows\System\anmEFIM.exe
  C:\Windows\System\anmEFIM.exe
  2⤵
  PID:9140
- C:\Windows\System\ieRBHks.exe
  C:\Windows\System\ieRBHks.exe
  2⤵
  PID:9168
- C:\Windows\System\xrkJKjM.exe
  C:\Windows\System\xrkJKjM.exe
  2⤵
  PID:9196
- C:\Windows\System\mkcghLN.exe
  C:\Windows\System\mkcghLN.exe
  2⤵
  PID:8208
- C:\Windows\System\HWsurPH.exe
  C:\Windows\System\HWsurPH.exe
  2⤵
  PID:8280
- C:\Windows\System\PMXQByQ.exe
  C:\Windows\System\PMXQByQ.exe
  2⤵
  PID:8336
- C:\Windows\System\CjNsmAV.exe
  C:\Windows\System\CjNsmAV.exe
  2⤵
  PID:8400
- C:\Windows\System\vjekdYZ.exe
  C:\Windows\System\vjekdYZ.exe
  2⤵
  PID:8460
- C:\Windows\System\yCnmkxV.exe
  C:\Windows\System\yCnmkxV.exe
  2⤵
  PID:8532
- C:\Windows\System\EKuptGS.exe
  C:\Windows\System\EKuptGS.exe
  2⤵
  PID:8600
- C:\Windows\System\tEPLLKF.exe
  C:\Windows\System\tEPLLKF.exe
  2⤵
  PID:8660
- C:\Windows\System\MRShJqL.exe
  C:\Windows\System\MRShJqL.exe
  2⤵
  PID:8740
- C:\Windows\System\rqqntjd.exe
  C:\Windows\System\rqqntjd.exe
  2⤵
  PID:8800
- C:\Windows\System\xjLyOlW.exe
  C:\Windows\System\xjLyOlW.exe
  2⤵
  PID:8872
- C:\Windows\System\lHmAuFy.exe
  C:\Windows\System\lHmAuFy.exe
  2⤵
  PID:860
- C:\Windows\System\BwUhoYq.exe
  C:\Windows\System\BwUhoYq.exe
  2⤵
  PID:8984
- C:\Windows\System\xzAyUDQ.exe
  C:\Windows\System\xzAyUDQ.exe
  2⤵
  PID:9048
- C:\Windows\System\baJEeAb.exe
  C:\Windows\System\baJEeAb.exe
  2⤵
  PID:9108
- C:\Windows\System\TdrkqLr.exe
  C:\Windows\System\TdrkqLr.exe
  2⤵
  PID:9180
- C:\Windows\System\SSfEahl.exe
  C:\Windows\System\SSfEahl.exe
  2⤵
  PID:8236
- C:\Windows\System\enqjbvC.exe
  C:\Windows\System\enqjbvC.exe
  2⤵
  PID:8376
- C:\Windows\System\NkLjmCZ.exe
  C:\Windows\System\NkLjmCZ.exe
  2⤵
  PID:8516
- C:\Windows\System\hkhGkfS.exe
  C:\Windows\System\hkhGkfS.exe
  2⤵
  PID:8688
- C:\Windows\System\RTQFIuR.exe
  C:\Windows\System\RTQFIuR.exe
  2⤵
  PID:8852
- C:\Windows\System\YwAuJDC.exe
  C:\Windows\System\YwAuJDC.exe
  2⤵
  PID:8968
- C:\Windows\System\KvFPnNw.exe
  C:\Windows\System\KvFPnNw.exe
  2⤵
  PID:9136
- C:\Windows\System\ozlNvgs.exe
  C:\Windows\System\ozlNvgs.exe
  2⤵
  PID:8016
- C:\Windows\System\IuRFhpc.exe
  C:\Windows\System\IuRFhpc.exe
  2⤵
  PID:8656
- C:\Windows\System\QbpnNHI.exe
  C:\Windows\System\QbpnNHI.exe
  2⤵
  PID:9040
- C:\Windows\System\XZcSPnt.exe
  C:\Windows\System\XZcSPnt.exe
  2⤵
  PID:8592
- C:\Windows\System\qxFfgTy.exe
  C:\Windows\System\qxFfgTy.exe
  2⤵
  PID:8488
- C:\Windows\System\LOZrOxu.exe
  C:\Windows\System\LOZrOxu.exe
  2⤵
  PID:9232
- C:\Windows\System\JYnUser.exe
  C:\Windows\System\JYnUser.exe
  2⤵
  PID:9260
- C:\Windows\System\Qdlybyc.exe
  C:\Windows\System\Qdlybyc.exe
  2⤵
  PID:9288
- C:\Windows\System\TMGkZCa.exe
  C:\Windows\System\TMGkZCa.exe
  2⤵
  PID:9316
- C:\Windows\System\OLUMrvA.exe
  C:\Windows\System\OLUMrvA.exe
  2⤵
  PID:9344
- C:\Windows\System\wtEGOuo.exe
  C:\Windows\System\wtEGOuo.exe
  2⤵
  PID:9372
- C:\Windows\System\eBaFmhV.exe
  C:\Windows\System\eBaFmhV.exe
  2⤵
  PID:9400
- C:\Windows\System\CHMktWQ.exe
  C:\Windows\System\CHMktWQ.exe
  2⤵
  PID:9428
- C:\Windows\System\HXUnvmT.exe
  C:\Windows\System\HXUnvmT.exe
  2⤵
  PID:9456
- C:\Windows\System\YzKpcOE.exe
  C:\Windows\System\YzKpcOE.exe
  2⤵
  PID:9484
- C:\Windows\System\yAPpEQn.exe
  C:\Windows\System\yAPpEQn.exe
  2⤵
  PID:9512
- C:\Windows\System\jqfzbJU.exe
  C:\Windows\System\jqfzbJU.exe
  2⤵
  PID:9540
- C:\Windows\System\YwKBPXG.exe
  C:\Windows\System\YwKBPXG.exe
  2⤵
  PID:9572
- C:\Windows\System\nuBqYBe.exe
  C:\Windows\System\nuBqYBe.exe
  2⤵
  PID:9600
- C:\Windows\System\qHAbbyE.exe
  C:\Windows\System\qHAbbyE.exe
  2⤵
  PID:9628
- C:\Windows\System\lujjhsY.exe
  C:\Windows\System\lujjhsY.exe
  2⤵
  PID:9656
- C:\Windows\System\MwoJrCh.exe
  C:\Windows\System\MwoJrCh.exe
  2⤵
  PID:9684
- C:\Windows\System\ziIuqZr.exe
  C:\Windows\System\ziIuqZr.exe
  2⤵
  PID:9712
- C:\Windows\System\NVLJZkC.exe
  C:\Windows\System\NVLJZkC.exe
  2⤵
  PID:9740
- C:\Windows\System\UGzNTwQ.exe
  C:\Windows\System\UGzNTwQ.exe
  2⤵
  PID:9768
- C:\Windows\System\mFxEwUK.exe
  C:\Windows\System\mFxEwUK.exe
  2⤵
  PID:9796
- C:\Windows\System\clESUgI.exe
  C:\Windows\System\clESUgI.exe
  2⤵
  PID:9824
- C:\Windows\System\okuuWyj.exe
  C:\Windows\System\okuuWyj.exe
  2⤵
  PID:9852
- C:\Windows\System\dGqlXxJ.exe
  C:\Windows\System\dGqlXxJ.exe
  2⤵
  PID:9880
- C:\Windows\System\ZatPVmr.exe
  C:\Windows\System\ZatPVmr.exe
  2⤵
  PID:9908
- C:\Windows\System\yCzNFTb.exe
  C:\Windows\System\yCzNFTb.exe
  2⤵
  PID:9936
- C:\Windows\System\trViPod.exe
  C:\Windows\System\trViPod.exe
  2⤵
  PID:9964
- C:\Windows\System\hbQNCyn.exe
  C:\Windows\System\hbQNCyn.exe
  2⤵
  PID:9992
- C:\Windows\System\dGbUXxS.exe
  C:\Windows\System\dGbUXxS.exe
  2⤵
  PID:10020
- C:\Windows\System\ZkaDgUt.exe
  C:\Windows\System\ZkaDgUt.exe
  2⤵
  PID:10048
- C:\Windows\System\kNHmPLz.exe
  C:\Windows\System\kNHmPLz.exe
  2⤵
  PID:10076
- C:\Windows\System\ybSGlqd.exe
  C:\Windows\System\ybSGlqd.exe
  2⤵
  PID:10104
- C:\Windows\System\xfvSfdc.exe
  C:\Windows\System\xfvSfdc.exe
  2⤵
  PID:10132
- C:\Windows\System\GsxrYOc.exe
  C:\Windows\System\GsxrYOc.exe
  2⤵
  PID:10160
- C:\Windows\System\RzPLweo.exe
  C:\Windows\System\RzPLweo.exe
  2⤵
  PID:10188
- C:\Windows\System\IdNExBr.exe
  C:\Windows\System\IdNExBr.exe
  2⤵
  PID:10216
- C:\Windows\System\bfEVpYU.exe
  C:\Windows\System\bfEVpYU.exe
  2⤵
  PID:9224
- C:\Windows\System\HpwYaHx.exe
  C:\Windows\System\HpwYaHx.exe
  2⤵
  PID:9284
- C:\Windows\System\kHMIhhH.exe
  C:\Windows\System\kHMIhhH.exe
  2⤵
  PID:9340
- C:\Windows\System\UQfXVan.exe
  C:\Windows\System\UQfXVan.exe
  2⤵
  PID:9412
- C:\Windows\System\DcJoIeu.exe
  C:\Windows\System\DcJoIeu.exe
  2⤵
  PID:9476
- C:\Windows\System\yxvQQUh.exe
  C:\Windows\System\yxvQQUh.exe
  2⤵
  PID:9536
- C:\Windows\System\BjUCDPP.exe
  C:\Windows\System\BjUCDPP.exe
  2⤵
  PID:9612
- C:\Windows\System\xgKZaQD.exe
  C:\Windows\System\xgKZaQD.exe
  2⤵
  PID:9680
- C:\Windows\System\vbTbqkU.exe
  C:\Windows\System\vbTbqkU.exe
  2⤵
  PID:9760
- C:\Windows\System\ZHbaeke.exe
  C:\Windows\System\ZHbaeke.exe
  2⤵
  PID:9816
- C:\Windows\System\jrNoWIE.exe
  C:\Windows\System\jrNoWIE.exe
  2⤵
  PID:9876
- C:\Windows\System\gAhqdFa.exe
  C:\Windows\System\gAhqdFa.exe
  2⤵
  PID:9948
- C:\Windows\System\KGpcveb.exe
  C:\Windows\System\KGpcveb.exe
  2⤵
  PID:10012
- C:\Windows\System\VRKsjIS.exe
  C:\Windows\System\VRKsjIS.exe
  2⤵
  PID:10072
- C:\Windows\System\pUkEAsa.exe
  C:\Windows\System\pUkEAsa.exe
  2⤵
  PID:10144
- C:\Windows\System\WomNwef.exe
  C:\Windows\System\WomNwef.exe
  2⤵
  PID:9560
- C:\Windows\System\NnoMvpD.exe
  C:\Windows\System\NnoMvpD.exe
  2⤵
  PID:9272
- C:\Windows\System\zeiCacC.exe
  C:\Windows\System\zeiCacC.exe
  2⤵
  PID:9396
- C:\Windows\System\lqRgPVH.exe
  C:\Windows\System\lqRgPVH.exe
  2⤵
  PID:9568
- C:\Windows\System\efJdlTE.exe
  C:\Windows\System\efJdlTE.exe
  2⤵
  PID:9732
- C:\Windows\System\XlrNfXp.exe
  C:\Windows\System\XlrNfXp.exe
  2⤵
  PID:9872
- C:\Windows\System\nEvGnbT.exe
  C:\Windows\System\nEvGnbT.exe
  2⤵
  PID:10040
- C:\Windows\System\orMxFqc.exe
  C:\Windows\System\orMxFqc.exe
  2⤵
  PID:10184
- C:\Windows\System\UdvWtUE.exe
  C:\Windows\System\UdvWtUE.exe
  2⤵
  PID:9392
- C:\Windows\System\iewTctl.exe
  C:\Windows\System\iewTctl.exe
  2⤵
  PID:9792
- C:\Windows\System\aLhWUQW.exe
  C:\Windows\System\aLhWUQW.exe
  2⤵
  PID:10128
- C:\Windows\System\TAGZepe.exe
  C:\Windows\System\TAGZepe.exe
  2⤵
  PID:9708
- C:\Windows\System\WwudyKD.exe
  C:\Windows\System\WwudyKD.exe
  2⤵
  PID:8712
- C:\Windows\System\vQrXavq.exe
  C:\Windows\System\vQrXavq.exe
  2⤵
  PID:10256
- C:\Windows\System\gaampKl.exe
  C:\Windows\System\gaampKl.exe
  2⤵
  PID:10284
- C:\Windows\System\qKbPjCX.exe
  C:\Windows\System\qKbPjCX.exe
  2⤵
  PID:10312
- C:\Windows\System\vOplSgk.exe
  C:\Windows\System\vOplSgk.exe
  2⤵
  PID:10340
- C:\Windows\System\JofEPin.exe
  C:\Windows\System\JofEPin.exe
  2⤵
  PID:10372
- C:\Windows\System\UqlIbeZ.exe
  C:\Windows\System\UqlIbeZ.exe
  2⤵
  PID:10400
- C:\Windows\System\HNHRqaV.exe
  C:\Windows\System\HNHRqaV.exe
  2⤵
  PID:10428
- C:\Windows\System\kqPlmIp.exe
  C:\Windows\System\kqPlmIp.exe
  2⤵
  PID:10456
- C:\Windows\System\BKpRYsz.exe
  C:\Windows\System\BKpRYsz.exe
  2⤵
  PID:10484
- C:\Windows\System\JtINTNH.exe
  C:\Windows\System\JtINTNH.exe
  2⤵
  PID:10512
- C:\Windows\System\LCnebIO.exe
  C:\Windows\System\LCnebIO.exe
  2⤵
  PID:10540
- C:\Windows\System\yfawGdz.exe
  C:\Windows\System\yfawGdz.exe
  2⤵
  PID:10568
- C:\Windows\System\kgAXOIp.exe
  C:\Windows\System\kgAXOIp.exe
  2⤵
  PID:10596
- C:\Windows\System\fIBfkof.exe
  C:\Windows\System\fIBfkof.exe
  2⤵
  PID:10624
- C:\Windows\System\uPYDxWl.exe
  C:\Windows\System\uPYDxWl.exe
  2⤵
  PID:10652
- C:\Windows\System\rrZIcxM.exe
  C:\Windows\System\rrZIcxM.exe
  2⤵
  PID:10680
- C:\Windows\System\lPRAWiL.exe
  C:\Windows\System\lPRAWiL.exe
  2⤵
  PID:10708
- C:\Windows\System\SZhkWYO.exe
  C:\Windows\System\SZhkWYO.exe
  2⤵
  PID:10736
- C:\Windows\System\VbJdudA.exe
  C:\Windows\System\VbJdudA.exe
  2⤵
  PID:10764
- C:\Windows\System\sUAYnnv.exe
  C:\Windows\System\sUAYnnv.exe
  2⤵
  PID:10792
- C:\Windows\System\kSAHkAQ.exe
  C:\Windows\System\kSAHkAQ.exe
  2⤵
  PID:10820
- C:\Windows\System\iCxOoxO.exe
  C:\Windows\System\iCxOoxO.exe
  2⤵
  PID:10848
- C:\Windows\System\jTQOIfC.exe
  C:\Windows\System\jTQOIfC.exe
  2⤵
  PID:10876
- C:\Windows\System\PPDhFRl.exe
  C:\Windows\System\PPDhFRl.exe
  2⤵
  PID:10904
- C:\Windows\System\AYzNnYm.exe
  C:\Windows\System\AYzNnYm.exe
  2⤵
  PID:10932
- C:\Windows\System\rhnDGba.exe
  C:\Windows\System\rhnDGba.exe
  2⤵
  PID:10960
- C:\Windows\System\fSRdqJv.exe
  C:\Windows\System\fSRdqJv.exe
  2⤵
  PID:10988
- C:\Windows\System\BnquAtA.exe
  C:\Windows\System\BnquAtA.exe
  2⤵
  PID:11016
- C:\Windows\System\HRHmzRG.exe
  C:\Windows\System\HRHmzRG.exe
  2⤵
  PID:11044
- C:\Windows\System\qBxtyzn.exe
  C:\Windows\System\qBxtyzn.exe
  2⤵
  PID:11072
- C:\Windows\System\BkQHpNO.exe
  C:\Windows\System\BkQHpNO.exe
  2⤵
  PID:11100
- C:\Windows\System\gjKXLfm.exe
  C:\Windows\System\gjKXLfm.exe
  2⤵
  PID:11132
- C:\Windows\System\oClBHyd.exe
  C:\Windows\System\oClBHyd.exe
  2⤵
  PID:11160
- C:\Windows\System\UzDNWiv.exe
  C:\Windows\System\UzDNWiv.exe
  2⤵
  PID:11192
- C:\Windows\System\KLIHcEz.exe
  C:\Windows\System\KLIHcEz.exe
  2⤵
  PID:11220
- C:\Windows\System\GiWnhXl.exe
  C:\Windows\System\GiWnhXl.exe
  2⤵
  PID:11248
- C:\Windows\System\AMygYIH.exe
  C:\Windows\System\AMygYIH.exe
  2⤵
  PID:10276
- C:\Windows\System\IcnHAzP.exe
  C:\Windows\System\IcnHAzP.exe
  2⤵
  PID:10304
- C:\Windows\System\RMQUFBs.exe
  C:\Windows\System\RMQUFBs.exe
  2⤵
  PID:10420
- C:\Windows\System\jhkMPHF.exe
  C:\Windows\System\jhkMPHF.exe
  2⤵
  PID:10496
- C:\Windows\System\bCMUHUS.exe
  C:\Windows\System\bCMUHUS.exe
  2⤵
  PID:10536
- C:\Windows\System\VuQFNoj.exe
  C:\Windows\System\VuQFNoj.exe
  2⤵
  PID:10588
- C:\Windows\System\SHqsAuE.exe
  C:\Windows\System\SHqsAuE.exe
  2⤵
  PID:10636
- C:\Windows\System\bHlGabk.exe
  C:\Windows\System\bHlGabk.exe
  2⤵
  PID:10692
- C:\Windows\System\SyefnpB.exe
  C:\Windows\System\SyefnpB.exe
  2⤵
  PID:10776
- C:\Windows\System\staOJkW.exe
  C:\Windows\System\staOJkW.exe
  2⤵
  PID:10928
- C:\Windows\System\PCkPuUk.exe
  C:\Windows\System\PCkPuUk.exe
  2⤵
  PID:11012
- C:\Windows\System\RdGBAMq.exe
  C:\Windows\System\RdGBAMq.exe
  2⤵
  PID:11068
- C:\Windows\System\SXGzKti.exe
  C:\Windows\System\SXGzKti.exe
  2⤵
  PID:1700
- C:\Windows\System\oKfZntn.exe
  C:\Windows\System\oKfZntn.exe
  2⤵
  PID:11212
- C:\Windows\System\PaFGQzk.exe
  C:\Windows\System\PaFGQzk.exe
  2⤵
  PID:10296
- C:\Windows\System\jixGCBZ.exe
  C:\Windows\System\jixGCBZ.exe
  2⤵
  PID:10532
- C:\Windows\System\NwfZjed.exe
  C:\Windows\System\NwfZjed.exe
  2⤵
  PID:10508
- C:\Windows\System\xGffVFW.exe
  C:\Windows\System\xGffVFW.exe
  2⤵
  PID:10564
- C:\Windows\System\IzylVVg.exe
  C:\Windows\System\IzylVVg.exe
  2⤵
  PID:10756
- C:\Windows\System\YOPJYjT.exe
  C:\Windows\System\YOPJYjT.exe
  2⤵
  PID:10924
- C:\Windows\System\oDbpvZD.exe
  C:\Windows\System\oDbpvZD.exe
  2⤵
  PID:4656
- C:\Windows\System\KGNtKMx.exe
  C:\Windows\System\KGNtKMx.exe
  2⤵
  PID:4484
- C:\Windows\System\nAQtlej.exe
  C:\Windows\System\nAQtlej.exe
  2⤵
  PID:4056
- C:\Windows\System\LWVqgNS.exe
  C:\Windows\System\LWVqgNS.exe
  2⤵
  PID:11240
- C:\Windows\System\JjAyiZH.exe
  C:\Windows\System\JjAyiZH.exe
  2⤵
  PID:4868
- C:\Windows\System\lAHXGYf.exe
  C:\Windows\System\lAHXGYf.exe
  2⤵
  PID:2748
- C:\Windows\System\tZhHvgg.exe
  C:\Windows\System\tZhHvgg.exe
  2⤵
  PID:1904
- C:\Windows\System\DZGtjdY.exe
  C:\Windows\System\DZGtjdY.exe
  2⤵
  PID:2820
- C:\Windows\System\eQdujSZ.exe
  C:\Windows\System\eQdujSZ.exe
  2⤵
  PID:11028
- C:\Windows\System\intAjQR.exe
  C:\Windows\System\intAjQR.exe
  2⤵
  PID:4780
- C:\Windows\System\hjWWTBL.exe
  C:\Windows\System\hjWWTBL.exe
  2⤵
  PID:10620
- C:\Windows\System\vOIulet.exe
  C:\Windows\System\vOIulet.exe
  2⤵
  PID:10480
- C:\Windows\System\RowGeTy.exe
  C:\Windows\System\RowGeTy.exe
  2⤵
  PID:3108
- C:\Windows\System\OLJQLtp.exe
  C:\Windows\System\OLJQLtp.exe
  2⤵
  PID:1128
- C:\Windows\System\OPoVPEf.exe
  C:\Windows\System\OPoVPEf.exe
  2⤵
  PID:3316
- C:\Windows\System\ABRmhQB.exe
  C:\Windows\System\ABRmhQB.exe
  2⤵
  PID:2232
- C:\Windows\System\SwKPyXe.exe
  C:\Windows\System\SwKPyXe.exe
  2⤵
  PID:4232
- C:\Windows\System\OFSkulg.exe
  C:\Windows\System\OFSkulg.exe
  2⤵
  PID:2300
- C:\Windows\System\VVxZpGR.exe
  C:\Windows\System\VVxZpGR.exe
  2⤵
  PID:3300
- C:\Windows\System\UwJWHeR.exe
  C:\Windows\System\UwJWHeR.exe
  2⤵
  PID:11092
- C:\Windows\System\wNAsYoJ.exe
  C:\Windows\System\wNAsYoJ.exe
  2⤵
  PID:10524
- C:\Windows\System\ZaHqnxX.exe
  C:\Windows\System\ZaHqnxX.exe
  2⤵
  PID:11284
- C:\Windows\System\EZMfRCQ.exe
  C:\Windows\System\EZMfRCQ.exe
  2⤵
  PID:11312
- C:\Windows\System\ChpWyFM.exe
  C:\Windows\System\ChpWyFM.exe
  2⤵
  PID:11340
- C:\Windows\System\pdGSuHT.exe
  C:\Windows\System\pdGSuHT.exe
  2⤵
  PID:11368
- C:\Windows\System\FIHRzwM.exe
  C:\Windows\System\FIHRzwM.exe
  2⤵
  PID:11396
- C:\Windows\System\ylFiLKK.exe
  C:\Windows\System\ylFiLKK.exe
  2⤵
  PID:11424
- C:\Windows\System\LBpjweA.exe
  C:\Windows\System\LBpjweA.exe
  2⤵
  PID:11452
- C:\Windows\System\GsyjHfK.exe
  C:\Windows\System\GsyjHfK.exe
  2⤵
  PID:11484
- C:\Windows\System\NwAocQs.exe
  C:\Windows\System\NwAocQs.exe
  2⤵
  PID:11512
- C:\Windows\System\mdJzKJk.exe
  C:\Windows\System\mdJzKJk.exe
  2⤵
  PID:11540
- C:\Windows\System\ataqisu.exe
  C:\Windows\System\ataqisu.exe
  2⤵
  PID:11580
- C:\Windows\System\fhALdOz.exe
  C:\Windows\System\fhALdOz.exe
  2⤵
  PID:11596
- C:\Windows\System\oqkcwog.exe
  C:\Windows\System\oqkcwog.exe
  2⤵
  PID:11624
- C:\Windows\System\TtGuAgI.exe
  C:\Windows\System\TtGuAgI.exe
  2⤵
  PID:11652
- C:\Windows\System\HloKosH.exe
  C:\Windows\System\HloKosH.exe
  2⤵
  PID:11680
- C:\Windows\System\ugFGvst.exe
  C:\Windows\System\ugFGvst.exe
  2⤵
  PID:11708
- C:\Windows\System\EWqosoQ.exe
  C:\Windows\System\EWqosoQ.exe
  2⤵
  PID:11736
- C:\Windows\System\ClEDENQ.exe
  C:\Windows\System\ClEDENQ.exe
  2⤵
  PID:11764
- C:\Windows\System\LHRNEHw.exe
  C:\Windows\System\LHRNEHw.exe
  2⤵
  PID:11792
- C:\Windows\System\HYTZFTx.exe
  C:\Windows\System\HYTZFTx.exe
  2⤵
  PID:11820
- C:\Windows\System\idunUBA.exe
  C:\Windows\System\idunUBA.exe
  2⤵
  PID:11848
- C:\Windows\System\XZiQLEG.exe
  C:\Windows\System\XZiQLEG.exe
  2⤵
  PID:11884
- C:\Windows\System\LeTpuqE.exe
  C:\Windows\System\LeTpuqE.exe
  2⤵
  PID:11904
- C:\Windows\System\fVqhXbX.exe
  C:\Windows\System\fVqhXbX.exe
  2⤵
  PID:11932
- C:\Windows\System\uoXUaRC.exe
  C:\Windows\System\uoXUaRC.exe
  2⤵
  PID:11960
- C:\Windows\System\wThPXdH.exe
  C:\Windows\System\wThPXdH.exe
  2⤵
  PID:11988
- C:\Windows\System\TXXXcqQ.exe
  C:\Windows\System\TXXXcqQ.exe
  2⤵
  PID:12016
- C:\Windows\System\dQgcAQs.exe
  C:\Windows\System\dQgcAQs.exe
  2⤵
  PID:12044
- C:\Windows\System\rOcibkf.exe
  C:\Windows\System\rOcibkf.exe
  2⤵
  PID:12072
- C:\Windows\System\FhlsIwx.exe
  C:\Windows\System\FhlsIwx.exe
  2⤵
  PID:12100
- C:\Windows\System\dRcPPCC.exe
  C:\Windows\System\dRcPPCC.exe
  2⤵
  PID:12128
- C:\Windows\System\zRzkWxH.exe
  C:\Windows\System\zRzkWxH.exe
  2⤵
  PID:12156
- C:\Windows\System\QrssUPL.exe
  C:\Windows\System\QrssUPL.exe
  2⤵
  PID:12184
- C:\Windows\System\PcaFQMj.exe
  C:\Windows\System\PcaFQMj.exe
  2⤵
  PID:12212
- C:\Windows\System\ufaqOhT.exe
  C:\Windows\System\ufaqOhT.exe
  2⤵
  PID:12244
- C:\Windows\System\JqLVntO.exe
  C:\Windows\System\JqLVntO.exe
  2⤵
  PID:12272
- C:\Windows\System\SupeBzK.exe
  C:\Windows\System\SupeBzK.exe
  2⤵
  PID:11296
- C:\Windows\System\LNxuoFv.exe
  C:\Windows\System\LNxuoFv.exe
  2⤵
  PID:11360
- C:\Windows\System\wmgOJeB.exe
  C:\Windows\System\wmgOJeB.exe
  2⤵
  PID:11420
- C:\Windows\System\yTrsaXz.exe
  C:\Windows\System\yTrsaXz.exe
  2⤵
  PID:11496
- C:\Windows\System\Yuopavr.exe
  C:\Windows\System\Yuopavr.exe
  2⤵
  PID:11560
- C:\Windows\System\iOwlwly.exe
  C:\Windows\System\iOwlwly.exe
  2⤵
  PID:11620
- C:\Windows\System\UGDnjNt.exe
  C:\Windows\System\UGDnjNt.exe
  2⤵
  PID:11692
- C:\Windows\System\FrmRoPP.exe
  C:\Windows\System\FrmRoPP.exe
  2⤵
  PID:11756
- C:\Windows\System\UOIbzxm.exe
  C:\Windows\System\UOIbzxm.exe
  2⤵
  PID:11816
- C:\Windows\System\TyDyhFK.exe
  C:\Windows\System\TyDyhFK.exe
  2⤵
  PID:11892
- C:\Windows\System\GKzyJOS.exe
  C:\Windows\System\GKzyJOS.exe
  2⤵
  PID:11952
- C:\Windows\System\QdLrrvg.exe
  C:\Windows\System\QdLrrvg.exe
  2⤵
  PID:12008
- C:\Windows\System\iWXxcGx.exe
  C:\Windows\System\iWXxcGx.exe
  2⤵
  PID:12068
- C:\Windows\System\TCjVlDd.exe
  C:\Windows\System\TCjVlDd.exe
  2⤵
  PID:12140
- C:\Windows\System\pSUWcqt.exe
  C:\Windows\System\pSUWcqt.exe
  2⤵
  PID:12204
- C:\Windows\System\sYDlhCZ.exe
  C:\Windows\System\sYDlhCZ.exe
  2⤵
  PID:12268
- C:\Windows\System\DuMGZez.exe
  C:\Windows\System\DuMGZez.exe
  2⤵
  PID:1928
- C:\Windows\System\NNsiSGy.exe
  C:\Windows\System\NNsiSGy.exe
  2⤵
  PID:2428
- C:\Windows\System\tRjqdiI.exe
  C:\Windows\System\tRjqdiI.exe
  2⤵
  PID:11608
- C:\Windows\System\Ceglvrl.exe
  C:\Windows\System\Ceglvrl.exe
  2⤵
  PID:11804
- C:\Windows\System\FCyGmeR.exe
  C:\Windows\System\FCyGmeR.exe
  2⤵
  PID:11872
- C:\Windows\System\JcospCT.exe
  C:\Windows\System\JcospCT.exe
  2⤵
  PID:12036
- C:\Windows\System\NBhlUei.exe
  C:\Windows\System\NBhlUei.exe
  2⤵
  PID:12180
- C:\Windows\System\GpswJnH.exe
  C:\Windows\System\GpswJnH.exe
  2⤵
  PID:11352
- C:\Windows\System\GBpiPNf.exe
  C:\Windows\System\GBpiPNf.exe
  2⤵
  PID:4156
- C:\Windows\System\cVJaPgZ.exe
  C:\Windows\System\cVJaPgZ.exe
  2⤵
  PID:11944
- C:\Windows\System\xPUHVwJ.exe
  C:\Windows\System\xPUHVwJ.exe
  2⤵
  PID:11280
- C:\Windows\System\lvvylnQ.exe
  C:\Windows\System\lvvylnQ.exe
  2⤵
  PID:12096
- C:\Windows\System\YNELhVo.exe
  C:\Windows\System\YNELhVo.exe
  2⤵
  PID:11868
- C:\Windows\System\umJfhqJ.exe
  C:\Windows\System\umJfhqJ.exe
  2⤵
  PID:12316
- C:\Windows\System\arrNrYZ.exe
  C:\Windows\System\arrNrYZ.exe
  2⤵
  PID:12344
- C:\Windows\System\wiXoHxt.exe
  C:\Windows\System\wiXoHxt.exe
  2⤵
  PID:12372
- C:\Windows\System\rgRmJUQ.exe
  C:\Windows\System\rgRmJUQ.exe
  2⤵
  PID:12400
- C:\Windows\System\QoIgqFN.exe
  C:\Windows\System\QoIgqFN.exe
  2⤵
  PID:12428
- C:\Windows\System\JBbtGXj.exe
  C:\Windows\System\JBbtGXj.exe
  2⤵
  PID:12456
- C:\Windows\System\CrSIGps.exe
  C:\Windows\System\CrSIGps.exe
  2⤵
  PID:12484
- C:\Windows\System\hXBbDOH.exe
  C:\Windows\System\hXBbDOH.exe
  2⤵
  PID:12524
- C:\Windows\System\TRTjKsc.exe
  C:\Windows\System\TRTjKsc.exe
  2⤵
  PID:12544
- C:\Windows\System\yzvdvhy.exe
  C:\Windows\System\yzvdvhy.exe
  2⤵
  PID:12572
- C:\Windows\System\lkVUpJD.exe
  C:\Windows\System\lkVUpJD.exe
  2⤵
  PID:12604
- C:\Windows\System\TmwEveD.exe
  C:\Windows\System\TmwEveD.exe
  2⤵
  PID:12628
- C:\Windows\System\bxKwJeh.exe
  C:\Windows\System\bxKwJeh.exe
  2⤵
  PID:12656
- C:\Windows\System\VdCyRPc.exe
  C:\Windows\System\VdCyRPc.exe
  2⤵
  PID:12684
- C:\Windows\System\LgkMydN.exe
  C:\Windows\System\LgkMydN.exe
  2⤵
  PID:12712
- C:\Windows\System\LwtqFzK.exe
  C:\Windows\System\LwtqFzK.exe
  2⤵
  PID:12740
- C:\Windows\System\xspmhEc.exe
  C:\Windows\System\xspmhEc.exe
  2⤵
  PID:12768
- C:\Windows\System\nYKVExJ.exe
  C:\Windows\System\nYKVExJ.exe
  2⤵
  PID:12808
- C:\Windows\System\VstQHZC.exe
  C:\Windows\System\VstQHZC.exe
  2⤵
  PID:12828
- C:\Windows\System\GOxZDSU.exe
  C:\Windows\System\GOxZDSU.exe
  2⤵
  PID:12852
- C:\Windows\System\BjjrWzu.exe
  C:\Windows\System\BjjrWzu.exe
  2⤵
  PID:12880
- C:\Windows\System\XIlzcuO.exe
  C:\Windows\System\XIlzcuO.exe
  2⤵
  PID:12912
- C:\Windows\System\zvpzMwu.exe
  C:\Windows\System\zvpzMwu.exe
  2⤵
  PID:12940
- C:\Windows\System\KpyrWiw.exe
  C:\Windows\System\KpyrWiw.exe
  2⤵
  PID:12968
- C:\Windows\System\miKGKlE.exe
  C:\Windows\System\miKGKlE.exe
  2⤵
  PID:12996
- C:\Windows\System\YNjHcYX.exe
  C:\Windows\System\YNjHcYX.exe
  2⤵
  PID:13024
- C:\Windows\System\fcnzGkM.exe
  C:\Windows\System\fcnzGkM.exe
  2⤵
  PID:13052
- C:\Windows\System\RtBOuNx.exe
  C:\Windows\System\RtBOuNx.exe
  2⤵
  PID:13080
- C:\Windows\System\VXaCGJL.exe
  C:\Windows\System\VXaCGJL.exe
  2⤵
  PID:13108
- C:\Windows\System\NCbolKv.exe
  C:\Windows\System\NCbolKv.exe
  2⤵
  PID:13136
- C:\Windows\System\ZdHbwuc.exe
  C:\Windows\System\ZdHbwuc.exe
  2⤵
  PID:13164
- C:\Windows\System\BKHsicg.exe
  C:\Windows\System\BKHsicg.exe
  2⤵
  PID:13192
- C:\Windows\System\WENGLVT.exe
  C:\Windows\System\WENGLVT.exe
  2⤵
  PID:13220
- C:\Windows\System\dBPkuRb.exe
  C:\Windows\System\dBPkuRb.exe
  2⤵
  PID:13248
- C:\Windows\System\wccfgFd.exe
  C:\Windows\System\wccfgFd.exe
  2⤵
  PID:13276
- C:\Windows\System\EUnPrWS.exe
  C:\Windows\System\EUnPrWS.exe
  2⤵
  PID:13304
- C:\Windows\System\ToiIoJN.exe
  C:\Windows\System\ToiIoJN.exe
  2⤵
  PID:12336
- C:\Windows\System\IhgSOmL.exe
  C:\Windows\System\IhgSOmL.exe
  2⤵
  PID:12396
- C:\Windows\System\JVaQUKJ.exe
  C:\Windows\System\JVaQUKJ.exe
  2⤵
  PID:12468
- C:\Windows\System\JTeFetv.exe
  C:\Windows\System\JTeFetv.exe
  2⤵
  PID:12508
- C:\Windows\System\vQSVwej.exe
  C:\Windows\System\vQSVwej.exe
  2⤵
  PID:12584
- C:\Windows\System\ofiXJRM.exe
  C:\Windows\System\ofiXJRM.exe
  2⤵
  PID:12648
- C:\Windows\System\EClMuWG.exe
  C:\Windows\System\EClMuWG.exe
  2⤵
  PID:12732
- C:\Windows\System\FKiGErp.exe
  C:\Windows\System\FKiGErp.exe
  2⤵
  PID:11476
- C:\Windows\System\IcEFDnR.exe
  C:\Windows\System\IcEFDnR.exe
  2⤵
  PID:12848
- C:\Windows\System\zcduqoR.exe
  C:\Windows\System\zcduqoR.exe
  2⤵
  PID:12908
- C:\Windows\System\qDMVDHm.exe
  C:\Windows\System\qDMVDHm.exe
  2⤵
  PID:12964
- C:\Windows\System\zYZFoff.exe
  C:\Windows\System\zYZFoff.exe
  2⤵
  PID:13036
- C:\Windows\System\MVGbsog.exe
  C:\Windows\System\MVGbsog.exe
  2⤵
  PID:13100
- C:\Windows\System\sXflXyL.exe
  C:\Windows\System\sXflXyL.exe
  2⤵
  PID:13176
- C:\Windows\System\ddRogyn.exe
  C:\Windows\System\ddRogyn.exe
  2⤵
  PID:13240
- C:\Windows\System\HYzQhtv.exe
  C:\Windows\System\HYzQhtv.exe
  2⤵
  PID:13300
- C:\Windows\System\ZMokTCq.exe
  C:\Windows\System\ZMokTCq.exe
  2⤵
  PID:12424
- C:\Windows\System\HvbWNOw.exe
  C:\Windows\System\HvbWNOw.exe
  2⤵
  PID:12564
- C:\Windows\System\VMdesyJ.exe
  C:\Windows\System\VMdesyJ.exe
  2⤵
  PID:12704
- C:\Windows\System\JxuyEqi.exe
  C:\Windows\System\JxuyEqi.exe
  2⤵
  PID:12820
- C:\Windows\System\DolyBBy.exe
  C:\Windows\System\DolyBBy.exe
  2⤵
  PID:12992
- C:\Windows\System\eSPOOID.exe
  C:\Windows\System\eSPOOID.exe
  2⤵
  PID:13148
- C:\Windows\System\dwVpeHq.exe
  C:\Windows\System\dwVpeHq.exe
  2⤵
  PID:13296
- C:\Windows\System\IHwNdiF.exe
  C:\Windows\System\IHwNdiF.exe
  2⤵
  PID:12624
- C:\Windows\System\gKwIbgQ.exe
  C:\Windows\System\gKwIbgQ.exe
  2⤵
  PID:12952
- C:\Windows\System\lxwvviW.exe
  C:\Windows\System\lxwvviW.exe
  2⤵
  PID:13288
- C:\Windows\System\nBLOBYU.exe
  C:\Windows\System\nBLOBYU.exe
  2⤵
  PID:12816
- C:\Windows\System\HITGioF.exe
  C:\Windows\System\HITGioF.exe
  2⤵
  PID:3476
- C:\Windows\System\ieqWisg.exe
  C:\Windows\System\ieqWisg.exe
  2⤵
  PID:13268
- C:\Windows\System\TlQHjRl.exe
  C:\Windows\System\TlQHjRl.exe
  2⤵
  PID:13328
- C:\Windows\System\OBhmyMZ.exe
  C:\Windows\System\OBhmyMZ.exe
  2⤵
  PID:13348
- C:\Windows\System\coTWYdd.exe
  C:\Windows\System\coTWYdd.exe
  2⤵
  PID:13376
- C:\Windows\System\MwEBNmM.exe
  C:\Windows\System\MwEBNmM.exe
  2⤵
  PID:13404
- C:\Windows\System\XnsjhUd.exe
  C:\Windows\System\XnsjhUd.exe
  2⤵
  PID:13432
- C:\Windows\System\PqYIoFz.exe
  C:\Windows\System\PqYIoFz.exe
  2⤵
  PID:13460
- C:\Windows\System\eeRwJHl.exe
  C:\Windows\System\eeRwJHl.exe
  2⤵
  PID:13488
- C:\Windows\System\klpianK.exe
  C:\Windows\System\klpianK.exe
  2⤵
  PID:13516
- C:\Windows\System\HajlGlL.exe
  C:\Windows\System\HajlGlL.exe
  2⤵
  PID:13544
- C:\Windows\System\uOjhNks.exe
  C:\Windows\System\uOjhNks.exe
  2⤵
  PID:13572
- C:\Windows\System\qFFYTMp.exe
  C:\Windows\System\qFFYTMp.exe
  2⤵
  PID:13600
- C:\Windows\System\ZmUbpPv.exe
  C:\Windows\System\ZmUbpPv.exe
  2⤵
  PID:13628
- C:\Windows\System\yVQFnQY.exe
  C:\Windows\System\yVQFnQY.exe
  2⤵
  PID:13656
- C:\Windows\System\RJLfkZU.exe
  C:\Windows\System\RJLfkZU.exe
  2⤵
  PID:13684
- C:\Windows\System\HOywdac.exe
  C:\Windows\System\HOywdac.exe
  2⤵
  PID:13712
- C:\Windows\System\TbmeLdW.exe
  C:\Windows\System\TbmeLdW.exe
  2⤵
  PID:13744
- C:\Windows\System\FqhHrCj.exe
  C:\Windows\System\FqhHrCj.exe
  2⤵
  PID:13772
- C:\Windows\System\JbTSDMR.exe
  C:\Windows\System\JbTSDMR.exe
  2⤵
  PID:13800
- C:\Windows\System\mhgCkLZ.exe
  C:\Windows\System\mhgCkLZ.exe
  2⤵
  PID:13828
- C:\Windows\System\JCiALou.exe
  C:\Windows\System\JCiALou.exe
  2⤵
  PID:13856
- C:\Windows\System\ehedwOS.exe
  C:\Windows\System\ehedwOS.exe
  2⤵
  PID:13884
- C:\Windows\System\YxVScYZ.exe
  C:\Windows\System\YxVScYZ.exe
  2⤵
  PID:13912
- C:\Windows\System\Sqnfutv.exe
  C:\Windows\System\Sqnfutv.exe
  2⤵
  PID:13940
- C:\Windows\System\kqPoSDo.exe
  C:\Windows\System\kqPoSDo.exe
  2⤵
  PID:13968
- C:\Windows\System\HpCQsZS.exe
  C:\Windows\System\HpCQsZS.exe
  2⤵
  PID:13996
- C:\Windows\System\sqXWVgG.exe
  C:\Windows\System\sqXWVgG.exe
  2⤵
  PID:14024
- C:\Windows\System\RWOuGCm.exe
  C:\Windows\System\RWOuGCm.exe
  2⤵
  PID:14052
- C:\Windows\System\ytaRFcw.exe
  C:\Windows\System\ytaRFcw.exe
  2⤵
  PID:14080
- C:\Windows\System\FlagcjC.exe
  C:\Windows\System\FlagcjC.exe
  2⤵
  PID:14108
- C:\Windows\System\AaogibC.exe
  C:\Windows\System\AaogibC.exe
  2⤵
  PID:14136
- C:\Windows\System\rqFlXgZ.exe
  C:\Windows\System\rqFlXgZ.exe
  2⤵
  PID:14164
- C:\Windows\System\tzfPDrB.exe
  C:\Windows\System\tzfPDrB.exe
  2⤵
  PID:14192
- C:\Windows\System\Foyhyow.exe
  C:\Windows\System\Foyhyow.exe
  2⤵
  PID:14220
- C:\Windows\System\JFdlziS.exe
  C:\Windows\System\JFdlziS.exe
  2⤵
  PID:14248
- C:\Windows\System\kVhzbht.exe
  C:\Windows\System\kVhzbht.exe
  2⤵
  PID:14276
- C:\Windows\System\xEZLakM.exe
  C:\Windows\System\xEZLakM.exe
  2⤵
  PID:14304
- C:\Windows\System\rbgyAIY.exe
  C:\Windows\System\rbgyAIY.exe
  2⤵
  PID:14332
- C:\Windows\System\MNACpoE.exe
  C:\Windows\System\MNACpoE.exe
  2⤵
  PID:13368
- C:\Windows\System\rEuzelU.exe
  C:\Windows\System\rEuzelU.exe
  2⤵
  PID:13428
- C:\Windows\System\jwUYVQi.exe
  C:\Windows\System\jwUYVQi.exe
  2⤵
  PID:13500
- C:\Windows\System\GsigKZz.exe
  C:\Windows\System\GsigKZz.exe
  2⤵
  PID:13556
- C:\Windows\System\PjRPCWu.exe
  C:\Windows\System\PjRPCWu.exe
  2⤵
  PID:13620
- C:\Windows\System\tohMXtZ.exe
  C:\Windows\System\tohMXtZ.exe
  2⤵
  PID:13680
- C:\Windows\System\anvONrZ.exe
  C:\Windows\System\anvONrZ.exe
  2⤵
  PID:13736
- C:\Windows\System\McgVNzZ.exe
  C:\Windows\System\McgVNzZ.exe
  2⤵
  PID:13796
- C:\Windows\System\sOHJrTE.exe
  C:\Windows\System\sOHJrTE.exe
  2⤵
  PID:13868
- C:\Windows\System\CaJvsfl.exe
  C:\Windows\System\CaJvsfl.exe
  2⤵
  PID:13936
- C:\Windows\System\cWFYoIt.exe
  C:\Windows\System\cWFYoIt.exe
  2⤵
  PID:14036
- C:\Windows\System\sBFeCst.exe
  C:\Windows\System\sBFeCst.exe
  2⤵
  PID:14072
- C:\Windows\System\FqjnMfM.exe
  C:\Windows\System\FqjnMfM.exe
  2⤵
  PID:14132
- C:\Windows\System\PkyBucZ.exe
  C:\Windows\System\PkyBucZ.exe
  2⤵
  PID:14204
- C:\Windows\System\UfOfMoe.exe
  C:\Windows\System\UfOfMoe.exe
  2⤵
  PID:14268
- C:\Windows\System\UHHFbmv.exe
  C:\Windows\System\UHHFbmv.exe
  2⤵
  PID:14328
- C:\Windows\System\oexwUDk.exe
  C:\Windows\System\oexwUDk.exe
  2⤵
  PID:13424
- C:\Windows\System\qUUDNpP.exe
  C:\Windows\System\qUUDNpP.exe
  2⤵
  PID:13584
- C:\Windows\System\gWbFmhW.exe
  C:\Windows\System\gWbFmhW.exe
  2⤵
  PID:3952
- C:\Windows\System\BIXNDnU.exe
  C:\Windows\System\BIXNDnU.exe
  2⤵
  PID:13724
- C:\Windows\System\YanmjcT.exe
  C:\Windows\System\YanmjcT.exe
  2⤵
  PID:13848
- C:\Windows\System\mXbynso.exe
  C:\Windows\System\mXbynso.exe
  2⤵
  PID:13964
- C:\Windows\System\SrIcfzc.exe
  C:\Windows\System\SrIcfzc.exe
  2⤵
  PID:4864
- C:\Windows\System\NZTvDFm.exe
  C:\Windows\System\NZTvDFm.exe
  2⤵
  PID:14100
- C:\Windows\System\TkyDQoE.exe
  C:\Windows\System\TkyDQoE.exe
  2⤵
  PID:2024
- C:\Windows\System\EEHOnlq.exe
  C:\Windows\System\EEHOnlq.exe
  2⤵
  PID:14260
- C:\Windows\System\CgyJNCy.exe
  C:\Windows\System\CgyJNCy.exe
  2⤵
  PID:1164
- C:\Windows\System\KhGWfRi.exe
  C:\Windows\System\KhGWfRi.exe
  2⤵
  PID:13536
- C:\Windows\System\fsmXBHv.exe
  C:\Windows\System\fsmXBHv.exe
  2⤵
  PID:5116
- C:\Windows\System\gelKIGd.exe
  C:\Windows\System\gelKIGd.exe
  2⤵
  PID:4928
- C:\Windows\System\gUWuWee.exe
  C:\Windows\System\gUWuWee.exe
  2⤵
  PID:3596
- C:\Windows\System\bsaAumo.exe
  C:\Windows\System\bsaAumo.exe
  2⤵
  PID:1252
- C:\Windows\System\QeggkkR.exe
  C:\Windows\System\QeggkkR.exe
  2⤵
  PID:14324
- C:\Windows\System\AyWCKWo.exe
  C:\Windows\System\AyWCKWo.exe
  2⤵
  PID:3976
- C:\Windows\System\IarOYjO.exe
  C:\Windows\System\IarOYjO.exe
  2⤵
  PID:4516
- C:\Windows\System\hSoTFAY.exe
  C:\Windows\System\hSoTFAY.exe
  2⤵
  PID:4068
- C:\Windows\System\DnAtjUg.exe
  C:\Windows\System\DnAtjUg.exe
  2⤵
  PID:3188
- C:\Windows\System\Qmqogfp.exe
  C:\Windows\System\Qmqogfp.exe
  2⤵
  PID:1720
- C:\Windows\System\YToFIiw.exe
  C:\Windows\System\YToFIiw.exe
  2⤵
  PID:13792
- C:\Windows\System\vXHACBN.exe
  C:\Windows\System\vXHACBN.exe
  2⤵
  PID:1976
- C:\Windows\System\LObohcs.exe
  C:\Windows\System\LObohcs.exe
  2⤵
  PID:4812
- C:\Windows\System\UliBsKu.exe
  C:\Windows\System\UliBsKu.exe
  2⤵
  PID:4624
- C:\Windows\System\xgntNaq.exe
  C:\Windows\System\xgntNaq.exe
  2⤵
  PID:1828
- C:\Windows\System\MpyexmR.exe
  C:\Windows\System\MpyexmR.exe
  2⤵
  PID:2580
- C:\Windows\System\ZBKNIzr.exe
  C:\Windows\System\ZBKNIzr.exe
  2⤵
  PID:2176
- C:\Windows\System\xDLfdxo.exe
  C:\Windows\System\xDLfdxo.exe
  2⤵
  PID:2304
- C:\Windows\System\ayriwYi.exe
  C:\Windows\System\ayriwYi.exe
  2⤵
  PID:2488
- C:\Windows\System\YhICczY.exe
  C:\Windows\System\YhICczY.exe
  2⤵
  PID:1536
- C:\Windows\System\aAoscjJ.exe
  C:\Windows\System\aAoscjJ.exe
  2⤵
  PID:3984
- C:\Windows\System\AAyJFzR.exe
  C:\Windows\System\AAyJFzR.exe
  2⤵
  PID:2712
- C:\Windows\System\seMPzhV.exe
  C:\Windows\System\seMPzhV.exe
  2⤵
  PID:5012
- C:\Windows\System\aYvUykh.exe
  C:\Windows\System\aYvUykh.exe
  2⤵
  PID:3088
- C:\Windows\System\YMmQRBW.exe
  C:\Windows\System\YMmQRBW.exe
  2⤵
  PID:4480
- C:\Windows\System\VePygsw.exe
  C:\Windows\System\VePygsw.exe
  2⤵
  PID:3064
- C:\Windows\System\QBniaWq.exe
  C:\Windows\System\QBniaWq.exe
  2⤵
  PID:5180
- C:\Windows\System\YamMRsv.exe
  C:\Windows\System\YamMRsv.exe
  2⤵
  PID:5188
- C:\Windows\System\sfEKfGw.exe
  C:\Windows\System\sfEKfGw.exe
  2⤵
  PID:5244
- C:\Windows\System\baxgzme.exe
  C:\Windows\System\baxgzme.exe
  2⤵
  PID:5280
- C:\Windows\System\SZyQwpm.exe
  C:\Windows\System\SZyQwpm.exe
  2⤵
  PID:5216
- C:\Windows\System\WcgudBY.exe
  C:\Windows\System\WcgudBY.exe
  2⤵
  PID:5392
- C:\Windows\System\iFjabvO.exe
  C:\Windows\System\iFjabvO.exe
  2⤵
  PID:5320
- C:\Windows\System\cELbwxC.exe
  C:\Windows\System\cELbwxC.exe
  2⤵
  PID:2868
- C:\Windows\System\gxPoDWr.exe
  C:\Windows\System\gxPoDWr.exe
  2⤵
  PID:5504
- C:\Windows\System\RvHJrGO.exe
  C:\Windows\System\RvHJrGO.exe
  2⤵
  PID:5412
- C:\Windows\System\sxDWSAe.exe
  C:\Windows\System\sxDWSAe.exe
  2⤵
  PID:5564
- C:\Windows\System\iCMWsfd.exe
  C:\Windows\System\iCMWsfd.exe
  2⤵
  PID:5536
- C:\Windows\System\jTSXAuD.exe
  C:\Windows\System\jTSXAuD.exe
  2⤵
  PID:14364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BWcgDEX.exe

Filesize
6.0MB

MD5
ddbc5c5b974839226e8e51a020b41c99

SHA1
99c1727e693d7d78c588eb3b6aa1f40be5c89f97

SHA256
cb4372cb05635e0735931dd0bdf5f3737dedad325a627699f2c7fecc6691e965

SHA512
ec46f2807a9e58ea5e058e3ef69d1fdca90e67f5b80baf888ed9b4e6fd9170cd5bbac0da94a793e80f0481c034c7fb5c4e4a8ec54656ec140133fb98dc065b43

Download Submit
C:\Windows\System\CEFbZYE.exe

Filesize
6.0MB

MD5
12b88f75682840264ef5693f2a0b45a0

SHA1
2e2639fd3517745be88183192cd07fb914a50340

SHA256
868c1017b3e05fcb3bfbfa5713698031b89f3de4900e0620c5fba6886ad0c5f8

SHA512
d0920d61445ad850078d6b9d19a3e5403d998e69600f25368a62cf3b1ac210e9ba21cc5a5ca0ce7bebc8172e81f65f490c049d2c1a154a24d4e4a0eb855b30bb

Download Submit
C:\Windows\System\CwiMhOj.exe

Filesize
6.0MB

MD5
710a0ef1e6c9cbd09d4f43e463f316a7

SHA1
a930089192790eafe6a964316654bda7eae4918c

SHA256
ceae95e1ea0fdfacad1bf82aafcbe2620435c9564d6caf2f976ee4361295240e

SHA512
641cdc7025506a6c997d58d1bfa668a0ae625a55a04290a0483c0faf3b31073725bce4d441eae429a7e8d2cb2336c7d1d40e6739a136559f653992c686927ac4

Download Submit
C:\Windows\System\DGhdObF.exe

Filesize
6.0MB

MD5
03098ef929991aba258d25a5a89cdf13

SHA1
9421cde7e0b0e62d548676207e77190ebd532ec0

SHA256
3d48c0c3b1b3bb5fdfbea01ed1c8b4367d7e15d905b27adc33afdc4691b7f15b

SHA512
3ebe62932c0eb0067008b3b878fde28ffffc2b1b943b053027a989140d7140b258d2f6f8a51d645e010dbbf5d9ac74d276566f66bcdc2b97a3f30e18cf2a8245

Download Submit
C:\Windows\System\HbHnFZf.exe

Filesize
6.0MB

MD5
908c9e4c4dd8593e4650d74ec83956d6

SHA1
c48c65578e9efa2e2cd6936ed7051782977767b4

SHA256
954272002a9e73b496c0079bddac9525d28552609b56b35e0259bbfe9aefbb74

SHA512
59ee5002e2f052631361159138ae49b327852a9e3cca605fb2ef9ca163271f70955786c814ad67d3a03a23f9e6ecf854d16f190c2af24ab88acea3eeafbc5fef

Download Submit
C:\Windows\System\KukdTPN.exe

Filesize
6.0MB

MD5
fd2bfb63614f073e59195caf3a532c65

SHA1
c52ee36d6c3bfa40a9adb8590aaf2bfdef2e6e9f

SHA256
2964640df08fe7256e090b634c6c3a7ebc5513072a2442bf35d99f72c6185ee2

SHA512
8fe52692bbc500d7a143b190aca271db276d6533090dfbed1b63800304c03d01178ab05dad739357f58dc4aa6c285a1efc92d21d8d2a03d3591bbdb792778102

Download Submit
C:\Windows\System\LUERYou.exe

Filesize
6.0MB

MD5
5064076ee415e7604d7307a4397e6f8d

SHA1
566f9d6259dd2e925982aeb4b868b3313aa13651

SHA256
abf956203d3ebc08d217c0491a2a5c555ecb454d2bd6c6b3dfdfb1c1dc9be399

SHA512
51f7558af86740e4e9f4322e52411b337c6f9dddacf663d7dc3ea77ae78f55f956d8614787e81f095e5cfe3fe135e9a25cf82c5f0210103f4550683097ef252c

Download Submit
C:\Windows\System\LWJxcFL.exe

Filesize
6.0MB

MD5
d583a8836a68105196bffbd000c82cfc

SHA1
457c859f7813dc68178391acdc212230b29e3922

SHA256
847c85f70339601e4320b37ed749d75c5d1e3c7a0526b7d40cbd57bb91998988

SHA512
04fa795f68c270942220a4ee92749a76cc7312082d15c98b797123bc1657c0c5443f387f81b5406eba84972ded90ced6c453aa992b1a3bbfb4401f4019b0159b

Download Submit
C:\Windows\System\MjtRoPw.exe

Filesize
6.0MB

MD5
fa4f0c46de5b4fc1ba0b4d2828941a61

SHA1
e8f735c6cd471deb8de06fd6c36c7655fa818b73

SHA256
4102c398129af24597e3262d187b40e5f07129c328d9028f37bf9e6d12d28c74

SHA512
2bb6a4380c271851b7be761855a56405e2c13584e3287e2ec889d35a6b4c45cfa4fea82cdf5839a8ff3176f28931c53d2b8def15af9736a65751a0f2f46ccfc1

Download Submit
C:\Windows\System\NDYFWhl.exe

Filesize
6.0MB

MD5
da3104ca8500b271e2a06c32f2d8e17b

SHA1
a5754924e6705eb8e8f612f995f8adb7325e5873

SHA256
691498f64eff180b6c9628bdb7f94b9c4e13ee1c62f5a15cd3bb767fd051a79e

SHA512
d9de771bbb9ac169b793ed55b6ec827c83fccbfd36b0acd79793b59abb9f2eff7ed62eafdf41c51e3eda61dc8a5cec7f2706666bea12e68703abc43485f66789

Download Submit
C:\Windows\System\NnlpflB.exe

Filesize
6.0MB

MD5
2efc0ef938a74935704f4f1c604bd9bf

SHA1
122277920833d186abbb3710f6fc0478be485d15

SHA256
21398c706d814004fca5699c732afa59ff6d092499ab7607bd91d2a1058b3d61

SHA512
f2edfba0cef90e0c47fe16194b75d08a664b9caccd092e5762b4ba26339824f8f913da3a74f10f85b96221c0dcf0597aaee6938859f19461424671bc7596900d

Download Submit
C:\Windows\System\RgFlzPi.exe

Filesize
6.0MB

MD5
f7775d29a2e10c915b625650b5f06a62

SHA1
82f973ee2c0e46fede42c779df5add498c56fddf

SHA256
e46e97c3ecf3098fe5f77f97dbf920866bbbcb19a4115819b2efaefcdd4eea9e

SHA512
c15979a935236e919064cbda8457774af4f1462bb8229834e0541aaaa3078035edda20c2cffa06471114e00870a683c6535ea3932833a55ab3046c61dd29392a

Download Submit
C:\Windows\System\RsnRtgu.exe

Filesize
6.0MB

MD5
f7386f3007bce5ad922c793030e39034

SHA1
ff50ad5a88bd6bf590b476f1872cb1b3b7bc3bab

SHA256
ca6e3fc1faeff0df7f744d0cf8a82ea0f24fe801a9b18043c17d3d7088566cc1

SHA512
cdf2d2ebbdaba2b913a30161c589ae60b60516d8970a81dcdef83a1d8d23f11b4615bbf8ead1bedd671db5287b669fd3e9c15d2bf0484b254c340b81d006ac0a

Download Submit
C:\Windows\System\WtdlZxp.exe

Filesize
6.0MB

MD5
da79c636deddd54b23dbb9f160f36a26

SHA1
f0e5e935c96874bc3fa9f15a86781c936f5267ba

SHA256
43d9e08c6bec50a7c87bce8954eb3fdad0b8b32b05c998d1175295bc24889ea8

SHA512
ddc217b4af1ac7577c4d97ebe3b2450e160bd6fb6fdc5b25d60b35a51aa79b8b5a727154ba0d4f0716a3c90497c5dc78453acfe5af6574439e83577dd026f3af

Download Submit
C:\Windows\System\YSHCNIA.exe

Filesize
6.0MB

MD5
f530f585e5f3ee84221c58790e0a7a5c

SHA1
16a1e40fc7a95b8f18ebaed6241c9b190accfa4f

SHA256
0f38def22efbb4ec36dcf7254bc4c8f7601e8e023c7bfba59e615ae0d71f3cda

SHA512
ee164f1a832d02450f065e8ec4b6f33d249b3eed946fbbd3c6cf4a77dd31d8b925bda97a448052bcdc2e8f23318be99ab6660a74ad0c39117a5f68571223088e

Download Submit
C:\Windows\System\ZcbyzZQ.exe

Filesize
6.0MB

MD5
c8bf937151ec02296ba0319237dfae50

SHA1
4567720e11aaf4aa71ae7da50f16a3f4e7c186bd

SHA256
1d1c3333ecffaeb42dd93f9658e01471be5e153343cceb215d2d7bd378aa2098

SHA512
7071968264f944a8f42ec84b3bdaf39c1d845de87f78655f0f83098dc6e457821a4b072d1b666f365946ef55b6d90cf9b0313301a41ba2203545c274278c65d7

Download Submit
C:\Windows\System\ZsoOyzu.exe

Filesize
6.0MB

MD5
5e7c745dbdbc7006bcc922a046dbaf03

SHA1
5a336c324b55e6e13d5d9d034c237aaadab3ab8a

SHA256
2c04b614c81625dc442a5333f17160b1e179cdba3e5cd6829cc19a5ca078315e

SHA512
225b6f0972d52719a8b7a9a4009aeab39c44a27c73959bf9d037f03bf7cb3a0dbcb4212b7599c01c0b1eba347101dddd6e48f113abe82863f21d5c7a116d3d56

Download Submit
C:\Windows\System\aRlNdmD.exe

Filesize
6.0MB

MD5
e9122e69d6715cd43891c3428d43e7ce

SHA1
5f23c0c4a9f956be88d3eb1e0c31a1e7ba5be7b1

SHA256
14f095bb1ce30bdc400f9aab169cb1de9d87e29f73d612210f04417f1a0ff3fb

SHA512
2bcba6bf7677a93e693753bf3ce6a7b45b50f32fc8bcd09e9187bbffe27763cabd6aa43a7a21b8a233e3073b2193265d1d3363b62912c3ccacf1d87a5e58a1b9

Download Submit
C:\Windows\System\ddlsbZj.exe

Filesize
6.0MB

MD5
7c786c2e5f4dc8da20439f2e93533140

SHA1
4e763eb1dbb2e664e7a64c839323b6c16353b8a3

SHA256
db24ebe402d0fea62b354f1f2d719ad4248ff1e495135014ae3aa28530366ed3

SHA512
07439ddb48d0991b0f6ce537ae94fc89f5d64062bc000a17bc9c0e74c98df5fa79aae6f617ac9ae803e46652122521b9d4cacc5afd69135f08c2374ae2e40bfd

Download Submit
C:\Windows\System\dhNpbJg.exe

Filesize
6.0MB

MD5
4c88f964bf7f2a93cf79db1dcf24f370

SHA1
37f3df5e83674f0093a09c50304c555a2f9748ef

SHA256
a39db3d5cddc70b28ae1af08971aac87ed3be29553e4d0823239b06327dc3352

SHA512
fd8edc3d5de6e7fd34e80eb282c5a62e2b08f841a8fd20538a6164bd435da12c2b9bf3dffa625ada50ed1f68e27528049b795a0ff82d724873fa1fb2c1330412

Download Submit
C:\Windows\System\hFiApkL.exe

Filesize
6.0MB

MD5
aa1466705a24f3994c94bf925f99187a

SHA1
b20fcb7638a313d2a3a91572419aee84f9a05a56

SHA256
ffee34795c8ba46d7964bb7744403b40b1dada0e461805e14689f21dc9e2b0da

SHA512
dd34204c96c7ed5c9a9415398c5a44984e0251e4124089fe81f42d615180f2a4e9bfa2118f0c70c7d3f1bd742bc9b7849fa9d6e1cf25bb476fda81e1b9298e77

Download Submit
C:\Windows\System\mSNlmBB.exe

Filesize
6.0MB

MD5
9871ffe27abc904a0b68100727f1e3c6

SHA1
9628cbee7417179b47386534a56e9aa0e1ea6bb7

SHA256
2abba3f8c5c7a083fd34976f97dbd222f5e6f943d334963e29c5fa5409a3fb73

SHA512
3b133213b6414e9af791b8b84bd90af65800372b528dfdbe946fcca4c10f7abaac99f755c6afa881939a4b1d43849d669780f177b271e578240f541d8d6ce7fc

Download Submit
C:\Windows\System\oWrvvHf.exe

Filesize
6.0MB

MD5
d0e46fdccf6943937d661d254edeb2c3

SHA1
0348c739c7c94dee45f7564ce912a67df1312b7d

SHA256
b7b31628ca3e09a2ec84ce19d2ff9304f6e263b07069fdd1c4f6235686a80210

SHA512
b04c9b66d54ca02c75ef23b562e9c6c9bc5f4bdeeaeff38fbd3fd85fb8ac1b1bd6d218d442556c9358a309136280aac60f67a5e5dfe69ac5da98cadfcf2e2956

Download Submit
C:\Windows\System\roBremN.exe

Filesize
6.0MB

MD5
0722a8b6ea8e081749b6614446de8a45

SHA1
12a628fd557b9726bcb152d7ab38bad939a4ffe4

SHA256
632d4365082543610476b8f59030d8a130419127f2ae013e90ef77b3da76cf8c

SHA512
94541e910b3d44b1e7d925bb819c858a950cf9f9520b0f864dbad582a5d9ba07f65d1b21203c48eef37e7fa50ef7dbaf3f49400893af02a60bf1c74ddf490ed4

Download Submit
C:\Windows\System\tOAjBBA.exe

Filesize
6.0MB

MD5
459e3e2f66923ea17d8243a97b0a2a4a

SHA1
08e3b87d7b7b81d1eee4a8a9ed796f8471574e9d

SHA256
902ce90557372082a5f39a597b981386f9cda83e18bbe801426bf3687287c7f4

SHA512
993c5bb3fc2334b440d6013aea82f6f703c5403cc7bf4cb58447f996e491023096bbb26054460ae93e8cf9bfc2f25b8d78b1d5a0d65a2cc39df1d18df315c72d

Download Submit
C:\Windows\System\toCpcBm.exe

Filesize
6.0MB

MD5
f25b0a08000c7c2d1be6aaa48415f5a4

SHA1
9d842fb8c3a4a111176d72c9c3dd89b0dce7690c

SHA256
930bf93af6f7d5c9d898633cd718012edd253a5ebde6142c7efbd61561cba852

SHA512
894b444f0e775b6606db07357620e85be9ab9f877dde87d4538890d8fdd0e9bd64de5da62a79cc6709d3e36e2ccbba74e7b19b329decfb580bccc3124f4821f5

Download Submit
C:\Windows\System\uIWhVGK.exe

Filesize
6.0MB

MD5
87baba8331e7590b2b22c3dcc6869d40

SHA1
724b96c83cd9f58dd57b76fa7c7f7afec3567091

SHA256
da53b48e6cb40d56e5807b07da202c80f057b85c9693fa6f151b02a3287aacde

SHA512
982adf42958560ba58f48db139b2ab844ddc86483089fcd57335a2c9cb1e1eae181569cb1ce80f1d03082f2c6d31929ea08c1e83c39977469366eb6008c395ab

Download Submit
C:\Windows\System\vKXemjp.exe

Filesize
6.0MB

MD5
f8beb069de3f26277446259f3f8a0fdc

SHA1
5c4000bb418f616907089b30b02e26581b5d43fa

SHA256
39aeeecb0ea8080ee71f5074f4b60b9d2306efa4a1ee66b6a5ccd5140e447fd5

SHA512
baecb62a4a7eb455d4e3caa95f6fff2b3f9124c8fb9434e30665f3735a91230736d43103bb2e0624f9412a7b223395fdf3a43d0ce65c792626d4aaee71fb152d

Download Submit
C:\Windows\System\vzmEUtI.exe

Filesize
6.0MB

MD5
16ea891e61ce7d3009a2aa66e018352f

SHA1
e2103552b6310425df4c7be2d626ec791922b757

SHA256
5ed43b547b74c083bb19a917f1a33d667d5a8cffb962709f4409773e710f39fa

SHA512
8b469aa944dbb4885d646d6a5737e3db12be0b86c506c1aa863b78503f1afd6d491b984de00905f861f7fa7c444cefffcf1403b9364090753f06fc4e14c437dd

Download Submit
C:\Windows\System\wjebPwE.exe

Filesize
6.0MB

MD5
888d049c53a0800e8475c2da593f7c2c

SHA1
28fac802653a9b1ff61119386f8db36ed97166bd

SHA256
7f74fbf2c9f243296773a9850811b3b2486707d5968e33421cd5ba2b67f6ff9e

SHA512
ded01e32a8ed9102fd2daaa3e9e5c86eb9880885f5b02d75aea9595e5cf19d836e9885b191cb654d17befcdeed2b648d72a58307c7ac5a891d9bb6f75675dd86

Download Submit
C:\Windows\System\wkmkWGs.exe

Filesize
6.0MB

MD5
61b8c0d315da9eb48fc414dbacc96d49

SHA1
92d21dfbfc7577e25b87af95f382260130eb6c93

SHA256
30fbb1e5b5332fbb7bb58305bd8da22929944094835ecd010763a169ab85e435

SHA512
293640050ed5eed11f23c7fb6734d1364aacb78fdf1dd84127b83e7888fcbc7193772c0756ec3dc01fe81987b0b7fb7d84f0e32c3d126ea9bf890ae5451ada7d

Download Submit
C:\Windows\System\yXKoAKL.exe

Filesize
6.0MB

MD5
a900cb091ed68afb7089008bef4cef63

SHA1
27f5969167d325cb97f75e532b0a2f576f450c8f

SHA256
48aa6d74b4e9054c40f1545e894d29273dcf9295613f3343e68f3aff96d49540

SHA512
757e458eaa2f92ae8e728c8761df17577e3f0e4569e1ccf1eb49c210d5cc272b9db861d304d2d84cf74aaaa41768330ad790b1a6871a14bc2617c6555bc7330f

Download Submit
memory/220-1446-0x00007FF7B7430000-0x00007FF7B7784000-memory.dmp

Filesize
3.3MB

Download
memory/220-27-0x00007FF7B7430000-0x00007FF7B7784000-memory.dmp

Filesize
3.3MB

Download
memory/228-1456-0x00007FF7254F0000-0x00007FF725844000-memory.dmp

Filesize
3.3MB

Download
memory/228-55-0x00007FF7254F0000-0x00007FF725844000-memory.dmp

Filesize
3.3MB

Download
memory/372-2178-0x00007FF7E8AF0000-0x00007FF7E8E44000-memory.dmp

Filesize
3.3MB

Download
memory/372-275-0x00007FF7E8AF0000-0x00007FF7E8E44000-memory.dmp

Filesize
3.3MB

Download
memory/372-131-0x00007FF7E8AF0000-0x00007FF7E8E44000-memory.dmp

Filesize
3.3MB

Download
memory/540-1468-0x00007FF674D50000-0x00007FF6750A4000-memory.dmp

Filesize
3.3MB

Download
memory/540-74-0x00007FF674D50000-0x00007FF6750A4000-memory.dmp

Filesize
3.3MB

Download
memory/548-1-0x0000023E3AAF0000-0x0000023E3AB00000-memory.dmp

Filesize
64KB

Download
memory/548-129-0x00007FF7C9CA0000-0x00007FF7C9FF4000-memory.dmp

Filesize
3.3MB

Download
memory/548-0-0x00007FF7C9CA0000-0x00007FF7C9FF4000-memory.dmp

Filesize
3.3MB

Download
memory/904-150-0x00007FF768CF0000-0x00007FF769044000-memory.dmp

Filesize
3.3MB

Download
memory/904-2188-0x00007FF768CF0000-0x00007FF769044000-memory.dmp

Filesize
3.3MB

Download
memory/904-391-0x00007FF768CF0000-0x00007FF769044000-memory.dmp

Filesize
3.3MB

Download
memory/1052-178-0x00007FF798F10000-0x00007FF799264000-memory.dmp

Filesize
3.3MB

Download
memory/1052-1503-0x00007FF798F10000-0x00007FF799264000-memory.dmp

Filesize
3.3MB

Download
memory/1052-105-0x00007FF798F10000-0x00007FF799264000-memory.dmp

Filesize
3.3MB

Download
memory/1068-2339-0x00007FF7B71D0000-0x00007FF7B7524000-memory.dmp

Filesize
3.3MB

Download
memory/1068-183-0x00007FF7B71D0000-0x00007FF7B7524000-memory.dmp

Filesize
3.3MB

Download
memory/1068-703-0x00007FF7B71D0000-0x00007FF7B7524000-memory.dmp

Filesize
3.3MB

Download
memory/1224-8-0x00007FF6A4C90000-0x00007FF6A4FE4000-memory.dmp

Filesize
3.3MB

Download
memory/1224-1429-0x00007FF6A4C90000-0x00007FF6A4FE4000-memory.dmp

Filesize
3.3MB

Download
memory/1508-75-0x00007FF772A60000-0x00007FF772DB4000-memory.dmp

Filesize
3.3MB

Download
memory/1508-1482-0x00007FF772A60000-0x00007FF772DB4000-memory.dmp

Filesize
3.3MB

Download
memory/1748-181-0x00007FF747860000-0x00007FF747BB4000-memory.dmp

Filesize
3.3MB

Download
memory/1832-69-0x00007FF607AF0000-0x00007FF607E44000-memory.dmp

Filesize
3.3MB

Download
memory/1832-1491-0x00007FF607AF0000-0x00007FF607E44000-memory.dmp

Filesize
3.3MB

Download
memory/1832-160-0x00007FF607AF0000-0x00007FF607E44000-memory.dmp

Filesize
3.3MB

Download
memory/2008-149-0x00007FF73A690000-0x00007FF73A9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2008-2181-0x00007FF73A690000-0x00007FF73A9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2156-123-0x00007FF7E8000000-0x00007FF7E8354000-memory.dmp

Filesize
3.3MB

Download
memory/2156-2174-0x00007FF7E8000000-0x00007FF7E8354000-memory.dmp

Filesize
3.3MB

Download
memory/2156-210-0x00007FF7E8000000-0x00007FF7E8354000-memory.dmp

Filesize
3.3MB

Download
memory/2312-184-0x00007FF7410F0000-0x00007FF741444000-memory.dmp

Filesize
3.3MB

Download
memory/2312-117-0x00007FF7410F0000-0x00007FF741444000-memory.dmp

Filesize
3.3MB

Download
memory/2312-2170-0x00007FF7410F0000-0x00007FF741444000-memory.dmp

Filesize
3.3MB

Download
memory/2324-274-0x00007FF74C490000-0x00007FF74C7E4000-memory.dmp

Filesize
3.3MB

Download
memory/2324-2179-0x00007FF74C490000-0x00007FF74C7E4000-memory.dmp

Filesize
3.3MB

Download
memory/2324-130-0x00007FF74C490000-0x00007FF74C7E4000-memory.dmp

Filesize
3.3MB

Download
memory/2408-515-0x00007FF77F180000-0x00007FF77F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/2408-2193-0x00007FF77F180000-0x00007FF77F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/2408-162-0x00007FF77F180000-0x00007FF77F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/3100-151-0x00007FF755FB0000-0x00007FF756304000-memory.dmp

Filesize
3.3MB

Download
memory/3100-63-0x00007FF755FB0000-0x00007FF756304000-memory.dmp

Filesize
3.3MB

Download
memory/3100-1488-0x00007FF755FB0000-0x00007FF756304000-memory.dmp

Filesize
3.3MB

Download
memory/3272-1506-0x00007FF7E8DC0000-0x00007FF7E9114000-memory.dmp

Filesize
3.3MB

Download
memory/3272-106-0x00007FF7E8DC0000-0x00007FF7E9114000-memory.dmp

Filesize
3.3MB

Download
memory/3272-179-0x00007FF7E8DC0000-0x00007FF7E9114000-memory.dmp

Filesize
3.3MB

Download
memory/3304-101-0x00007FF73A4B0000-0x00007FF73A804000-memory.dmp

Filesize
3.3MB

Download
memory/3304-1486-0x00007FF73A4B0000-0x00007FF73A804000-memory.dmp

Filesize
3.3MB

Download
memory/3624-60-0x00007FF72B5F0000-0x00007FF72B944000-memory.dmp

Filesize
3.3MB

Download
memory/3624-1475-0x00007FF72B5F0000-0x00007FF72B944000-memory.dmp

Filesize
3.3MB

Download
memory/3836-50-0x00007FF746B50000-0x00007FF746EA4000-memory.dmp

Filesize
3.3MB

Download
memory/3836-1460-0x00007FF746B50000-0x00007FF746EA4000-memory.dmp

Filesize
3.3MB

Download
memory/4076-182-0x00007FF6A3ED0000-0x00007FF6A4224000-memory.dmp

Filesize
3.3MB

Download
memory/4264-450-0x00007FF7BABE0000-0x00007FF7BAF34000-memory.dmp

Filesize
3.3MB

Download
memory/4264-2187-0x00007FF7BABE0000-0x00007FF7BAF34000-memory.dmp

Filesize
3.3MB

Download
memory/4264-154-0x00007FF7BABE0000-0x00007FF7BAF34000-memory.dmp

Filesize
3.3MB

Download
memory/4356-16-0x00007FF6ACF90000-0x00007FF6AD2E4000-memory.dmp

Filesize
3.3MB

Download
memory/4356-1451-0x00007FF6ACF90000-0x00007FF6AD2E4000-memory.dmp

Filesize
3.3MB

Download
memory/4356-145-0x00007FF6ACF90000-0x00007FF6AD2E4000-memory.dmp

Filesize
3.3MB

Download
memory/4540-146-0x00007FF6AEC60000-0x00007FF6AEFB4000-memory.dmp

Filesize
3.3MB

Download
memory/4540-36-0x00007FF6AEC60000-0x00007FF6AEFB4000-memory.dmp

Filesize
3.3MB

Download
memory/4540-1457-0x00007FF6AEC60000-0x00007FF6AEFB4000-memory.dmp

Filesize
3.3MB

Download
memory/4640-161-0x00007FF6764A0000-0x00007FF6767F4000-memory.dmp

Filesize
3.3MB

Download
memory/4640-97-0x00007FF6764A0000-0x00007FF6767F4000-memory.dmp

Filesize
3.3MB

Download
memory/4640-1505-0x00007FF6764A0000-0x00007FF6767F4000-memory.dmp

Filesize
3.3MB

Download
memory/4916-84-0x00007FF7DD7E0000-0x00007FF7DDB34000-memory.dmp

Filesize
3.3MB

Download
memory/4916-1487-0x00007FF7DD7E0000-0x00007FF7DDB34000-memory.dmp

Filesize
3.3MB

Download
memory/5036-104-0x00007FF788C70000-0x00007FF788FC4000-memory.dmp

Filesize
3.3MB

Download
memory/5036-1498-0x00007FF788C70000-0x00007FF788FC4000-memory.dmp

Filesize
3.3MB

Download
memory/5040-98-0x00007FF6F1310000-0x00007FF6F1664000-memory.dmp

Filesize
3.3MB

Download
memory/5040-170-0x00007FF6F1310000-0x00007FF6F1664000-memory.dmp

Filesize
3.3MB

Download
memory/5040-1507-0x00007FF6F1310000-0x00007FF6F1664000-memory.dmp

Filesize
3.3MB

Download