cobaltstrike | 15b8b6ce94775ea2d0981f6989eb4d20506c4ccbea80a4f3a2463e5ebe7aefbb

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
Size

6.0MB
MD5

28169b1a2846a64bff5221b375c33d31
SHA1

b50c1e93932d2de97dfd3f86ba66d4ddb7ceffa1
SHA256

15b8b6ce94775ea2d0981f6989eb4d20506c4ccbea80a4f3a2463e5ebe7aefbb
SHA512

f9facf0970c5bd943239a7f96f48b9edb8906d835fa4d9c38f33908355fa2fe9f4530ddcb4d49c2552dfcadaf45d37e8c048f88e8b7d730c7dba3aafd8d4ed27
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUJ:T+q56utgpPF8u/7J

Score

10^/10

cobaltstrike xmrig 0 backdoor defense_evasion miner privilege_escalation trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 32 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c97-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-19.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-86.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c98-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-160.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-158.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-156.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-153.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-151.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-149.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-147.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-37.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-171.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-168.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-191.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-194.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-196.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3120-0-0x00007FF7B2100000-0x00007FF7B2454000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c97-4.dat	xmrig
behavioral2/memory/3316-14-0x00007FF600FF0000-0x00007FF601344000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9d-19.dat	xmrig
behavioral2/files/0x0007000000023c9c-24.dat	xmrig
behavioral2/files/0x0007000000023ca0-44.dat	xmrig
behavioral2/files/0x0007000000023ca2-48.dat	xmrig
behavioral2/files/0x0007000000023ca1-50.dat	xmrig
behavioral2/memory/4316-63-0x00007FF6DDAD0000-0x00007FF6DDE24000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca4-67.dat	xmrig
behavioral2/files/0x0007000000023ca5-71.dat	xmrig
behavioral2/files/0x0007000000023ca7-82.dat	xmrig
behavioral2/files/0x0007000000023ca8-86.dat	xmrig
behavioral2/files/0x0008000000023c98-98.dat	xmrig
behavioral2/files/0x0007000000023cac-117.dat	xmrig
behavioral2/memory/1364-136-0x00007FF736080000-0x00007FF7363D4000-memory.dmp	xmrig
behavioral2/memory/4968-142-0x00007FF7CD730000-0x00007FF7CDA84000-memory.dmp	xmrig
behavioral2/memory/1488-155-0x00007FF763540000-0x00007FF763894000-memory.dmp	xmrig
behavioral2/memory/4488-164-0x00007FF6698B0000-0x00007FF669C04000-memory.dmp	xmrig
behavioral2/memory/1288-163-0x00007FF7CD8A0000-0x00007FF7CDBF4000-memory.dmp	xmrig
behavioral2/memory/392-162-0x00007FF783800000-0x00007FF783B54000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb3-160.dat	xmrig
behavioral2/files/0x0007000000023cb2-158.dat	xmrig
behavioral2/files/0x0007000000023cb1-156.dat	xmrig
behavioral2/files/0x0007000000023cb0-153.dat	xmrig
behavioral2/files/0x0007000000023caf-151.dat	xmrig
behavioral2/files/0x0007000000023cae-149.dat	xmrig
behavioral2/files/0x0007000000023cad-147.dat	xmrig
behavioral2/memory/4960-146-0x00007FF66B4F0000-0x00007FF66B844000-memory.dmp	xmrig
behavioral2/memory/2132-145-0x00007FF6D9960000-0x00007FF6D9CB4000-memory.dmp	xmrig
behavioral2/memory/3844-144-0x00007FF70A010000-0x00007FF70A364000-memory.dmp	xmrig
behavioral2/memory/2672-143-0x00007FF6FE740000-0x00007FF6FEA94000-memory.dmp	xmrig
behavioral2/memory/3908-141-0x00007FF674570000-0x00007FF6748C4000-memory.dmp	xmrig
behavioral2/memory/4272-140-0x00007FF6D35F0000-0x00007FF6D3944000-memory.dmp	xmrig
behavioral2/memory/4824-133-0x00007FF6F44B0000-0x00007FF6F4804000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cab-124.dat	xmrig
behavioral2/files/0x0007000000023caa-118.dat	xmrig
behavioral2/memory/2808-115-0x00007FF6A5A40000-0x00007FF6A5D94000-memory.dmp	xmrig
behavioral2/memory/1900-114-0x00007FF71D010000-0x00007FF71D364000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca9-96.dat	xmrig
behavioral2/memory/1084-93-0x00007FF6FB940000-0x00007FF6FBC94000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca6-80.dat	xmrig
behavioral2/files/0x0007000000023ca3-65.dat	xmrig
behavioral2/memory/820-64-0x00007FF607A00000-0x00007FF607D54000-memory.dmp	xmrig
behavioral2/memory/1772-61-0x00007FF676430000-0x00007FF676784000-memory.dmp	xmrig
behavioral2/memory/1768-55-0x00007FF737F80000-0x00007FF7382D4000-memory.dmp	xmrig
behavioral2/memory/1136-49-0x00007FF7070F0000-0x00007FF707444000-memory.dmp	xmrig
behavioral2/memory/1852-54-0x00007FF63A0D0000-0x00007FF63A424000-memory.dmp	xmrig
behavioral2/memory/2592-40-0x00007FF7FBE70000-0x00007FF7FC1C4000-memory.dmp	xmrig
behavioral2/memory/3388-38-0x00007FF73CC30000-0x00007FF73CF84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9f-37.dat	xmrig
behavioral2/files/0x0007000000023c9e-32.dat	xmrig
behavioral2/memory/4032-26-0x00007FF601340000-0x00007FF601694000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9b-17.dat	xmrig
behavioral2/memory/396-7-0x00007FF74C550000-0x00007FF74C8A4000-memory.dmp	xmrig
behavioral2/memory/3120-165-0x00007FF7B2100000-0x00007FF7B2454000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb5-171.dat	xmrig
behavioral2/files/0x0007000000023cb4-168.dat	xmrig
behavioral2/memory/4032-185-0x00007FF601340000-0x00007FF601694000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb6-191.dat	xmrig
behavioral2/files/0x0007000000023cb7-194.dat	xmrig
behavioral2/files/0x0007000000023cb8-196.dat	xmrig
behavioral2/memory/2592-188-0x00007FF7FBE70000-0x00007FF7FC1C4000-memory.dmp	xmrig
behavioral2/memory/3388-187-0x00007FF73CC30000-0x00007FF73CF84000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
396	zGIbcbW.exe
3316	WjDPOai.exe
4032	tYzjkZK.exe
3388	SWuGRCw.exe
1136	sOOWBlD.exe
1852	eZdJHvA.exe
2592	KeVzXFc.exe
1768	qjAuvZn.exe
1772	MsDsnkk.exe
4316	ZnehlUN.exe
820	xKLfkzV.exe
1084	gTezVEd.exe
392	lnnARcB.exe
1900	SaDWAAJ.exe
2808	meulpGb.exe
4824	LKKfhHd.exe
1364	aVpgjBb.exe
4272	sucSZFl.exe
3908	xgePTMO.exe
1288	cHonKZm.exe
4968	eAXqqIb.exe
2672	SyTxDTj.exe
3844	GtBcnDW.exe
2132	pSqTnPX.exe
4488	YaBlKux.exe
4960	GcBdAdt.exe
1488	nUEaLWG.exe
2180	UBSBcAo.exe
1616	yyKRFSQ.exe
2116	Qexlxdh.exe
1096	UtRwVoG.exe
1504	cnVgGoB.exe
1172	nVJhFIe.exe
4792	hxreyIS.exe
5000	sDvPUdx.exe
4396	GHaDiPt.exe
4300	ucdWgcj.exe
1476	dtlChqz.exe
4948	NgULPXQ.exe
1596	KKtNRpy.exe
4872	smDMdXJ.exe
4804	uDcLvRw.exe
1144	jgjCikt.exe
4536	BRgeBEG.exe
4036	ruYwgRB.exe
1672	prCIwaZ.exe
3632	dpRnuYj.exe
5104	jVDgojn.exe
1216	ASzcqTq.exe
4376	zkaRpUQ.exe
4372	OjgnszA.exe
4224	ejRpYWw.exe
4452	kbTwvTy.exe
3252	bjWGVNz.exe
984	jLgTNog.exe
1956	yhVrIVw.exe
664	ACICcla.exe
3404	WcrxIch.exe
2480	sCEZwOj.exe
4068	YVLljtp.exe
2508	xANFIYu.exe
932	VGcWNGL.exe
3808	DhEumGz.exe
2016	oXQqCRb.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3120-0-0x00007FF7B2100000-0x00007FF7B2454000-memory.dmp	upx
behavioral2/files/0x0008000000023c97-4.dat	upx
behavioral2/memory/3316-14-0x00007FF600FF0000-0x00007FF601344000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-19.dat	upx
behavioral2/files/0x0007000000023c9c-24.dat	upx
behavioral2/files/0x0007000000023ca0-44.dat	upx
behavioral2/files/0x0007000000023ca2-48.dat	upx
behavioral2/files/0x0007000000023ca1-50.dat	upx
behavioral2/memory/4316-63-0x00007FF6DDAD0000-0x00007FF6DDE24000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-67.dat	upx
behavioral2/files/0x0007000000023ca5-71.dat	upx
behavioral2/files/0x0007000000023ca7-82.dat	upx
behavioral2/files/0x0007000000023ca8-86.dat	upx
behavioral2/files/0x0008000000023c98-98.dat	upx
behavioral2/files/0x0007000000023cac-117.dat	upx
behavioral2/memory/1364-136-0x00007FF736080000-0x00007FF7363D4000-memory.dmp	upx
behavioral2/memory/4968-142-0x00007FF7CD730000-0x00007FF7CDA84000-memory.dmp	upx
behavioral2/memory/1488-155-0x00007FF763540000-0x00007FF763894000-memory.dmp	upx
behavioral2/memory/4488-164-0x00007FF6698B0000-0x00007FF669C04000-memory.dmp	upx
behavioral2/memory/1288-163-0x00007FF7CD8A0000-0x00007FF7CDBF4000-memory.dmp	upx
behavioral2/memory/392-162-0x00007FF783800000-0x00007FF783B54000-memory.dmp	upx
behavioral2/files/0x0007000000023cb3-160.dat	upx
behavioral2/files/0x0007000000023cb2-158.dat	upx
behavioral2/files/0x0007000000023cb1-156.dat	upx
behavioral2/files/0x0007000000023cb0-153.dat	upx
behavioral2/files/0x0007000000023caf-151.dat	upx
behavioral2/files/0x0007000000023cae-149.dat	upx
behavioral2/files/0x0007000000023cad-147.dat	upx
behavioral2/memory/4960-146-0x00007FF66B4F0000-0x00007FF66B844000-memory.dmp	upx
behavioral2/memory/2132-145-0x00007FF6D9960000-0x00007FF6D9CB4000-memory.dmp	upx
behavioral2/memory/3844-144-0x00007FF70A010000-0x00007FF70A364000-memory.dmp	upx
behavioral2/memory/2672-143-0x00007FF6FE740000-0x00007FF6FEA94000-memory.dmp	upx
behavioral2/memory/3908-141-0x00007FF674570000-0x00007FF6748C4000-memory.dmp	upx
behavioral2/memory/4272-140-0x00007FF6D35F0000-0x00007FF6D3944000-memory.dmp	upx
behavioral2/memory/4824-133-0x00007FF6F44B0000-0x00007FF6F4804000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-124.dat	upx
behavioral2/files/0x0007000000023caa-118.dat	upx
behavioral2/memory/2808-115-0x00007FF6A5A40000-0x00007FF6A5D94000-memory.dmp	upx
behavioral2/memory/1900-114-0x00007FF71D010000-0x00007FF71D364000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-96.dat	upx
behavioral2/memory/1084-93-0x00007FF6FB940000-0x00007FF6FBC94000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-80.dat	upx
behavioral2/files/0x0007000000023ca3-65.dat	upx
behavioral2/memory/820-64-0x00007FF607A00000-0x00007FF607D54000-memory.dmp	upx
behavioral2/memory/1772-61-0x00007FF676430000-0x00007FF676784000-memory.dmp	upx
behavioral2/memory/1768-55-0x00007FF737F80000-0x00007FF7382D4000-memory.dmp	upx
behavioral2/memory/1136-49-0x00007FF7070F0000-0x00007FF707444000-memory.dmp	upx
behavioral2/memory/1852-54-0x00007FF63A0D0000-0x00007FF63A424000-memory.dmp	upx
behavioral2/memory/2592-40-0x00007FF7FBE70000-0x00007FF7FC1C4000-memory.dmp	upx
behavioral2/memory/3388-38-0x00007FF73CC30000-0x00007FF73CF84000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-37.dat	upx
behavioral2/files/0x0007000000023c9e-32.dat	upx
behavioral2/memory/4032-26-0x00007FF601340000-0x00007FF601694000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-17.dat	upx
behavioral2/memory/396-7-0x00007FF74C550000-0x00007FF74C8A4000-memory.dmp	upx
behavioral2/memory/3120-165-0x00007FF7B2100000-0x00007FF7B2454000-memory.dmp	upx
behavioral2/files/0x0007000000023cb5-171.dat	upx
behavioral2/files/0x0007000000023cb4-168.dat	upx
behavioral2/memory/4032-185-0x00007FF601340000-0x00007FF601694000-memory.dmp	upx
behavioral2/files/0x0007000000023cb6-191.dat	upx
behavioral2/files/0x0007000000023cb7-194.dat	upx
behavioral2/files/0x0007000000023cb8-196.dat	upx
behavioral2/memory/2592-188-0x00007FF7FBE70000-0x00007FF7FC1C4000-memory.dmp	upx
behavioral2/memory/3388-187-0x00007FF73CC30000-0x00007FF73CF84000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\UvOFfMj.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dtlChqz.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oXQqCRb.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CgTAkUS.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pWghQFg.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OUCMcFJ.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eBerCdG.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\buJOcYF.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sOOWBlD.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KKtNRpy.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jVDgojn.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jquCGKd.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Dvdfndc.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HypgzMt.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\slfNiXE.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ACICcla.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QzGCsvk.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xoehwUg.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GtBcnDW.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JonsVdM.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FSTnBjj.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YnRhKpN.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HjADMnY.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IpoKKqx.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QBjtkvH.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vmkOldI.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\khsYGVn.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZvOevqH.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GYgirNa.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xeCxxXs.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TzqnlRf.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EhFudjI.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lnrpfbJ.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WDCbLSr.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yZliWKt.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LhzyANm.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QUQIpbu.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jhFZFup.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kEkxzfU.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aqQgfFh.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oxVzZoL.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VsUShWs.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KJzfaSD.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\smDMdXJ.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MPstmzE.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HHIXiTZ.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EeljSny.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SWuGRCw.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vMeCpoH.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Sirestz.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eDCKsnl.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\buglkTL.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ekhqCwl.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FyQFnCo.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YaBlKux.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HIhKgCv.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GfIbDrM.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IjIpril.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bbYRZVP.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xUkTIOC.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ASzcqTq.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\monlWTJ.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pHXNOBW.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zNtSIsz.exe	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
12060	rUNAsHi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 396	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3120 wrote to memory of 396	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3120 wrote to memory of 3316	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3120 wrote to memory of 3316	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3120 wrote to memory of 4032	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3120 wrote to memory of 4032	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3120 wrote to memory of 3388	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3120 wrote to memory of 3388	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3120 wrote to memory of 1136	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3120 wrote to memory of 1136	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3120 wrote to memory of 1852	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3120 wrote to memory of 1852	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3120 wrote to memory of 2592	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3120 wrote to memory of 2592	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3120 wrote to memory of 1768	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3120 wrote to memory of 1768	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3120 wrote to memory of 1772	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3120 wrote to memory of 1772	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3120 wrote to memory of 4316	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3120 wrote to memory of 4316	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3120 wrote to memory of 820	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3120 wrote to memory of 820	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3120 wrote to memory of 1084	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3120 wrote to memory of 1084	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3120 wrote to memory of 392	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3120 wrote to memory of 392	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3120 wrote to memory of 1900	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3120 wrote to memory of 1900	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3120 wrote to memory of 2808	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3120 wrote to memory of 2808	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3120 wrote to memory of 1364	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3120 wrote to memory of 1364	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3120 wrote to memory of 4824	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3120 wrote to memory of 4824	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3120 wrote to memory of 4272	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3120 wrote to memory of 4272	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3120 wrote to memory of 3908	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3120 wrote to memory of 3908	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3120 wrote to memory of 1288	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3120 wrote to memory of 1288	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3120 wrote to memory of 4968	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3120 wrote to memory of 4968	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3120 wrote to memory of 2672	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3120 wrote to memory of 2672	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3120 wrote to memory of 3844	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3120 wrote to memory of 3844	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3120 wrote to memory of 2132	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3120 wrote to memory of 2132	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3120 wrote to memory of 4488	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3120 wrote to memory of 4488	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3120 wrote to memory of 4960	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3120 wrote to memory of 4960	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3120 wrote to memory of 1488	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 3120 wrote to memory of 1488	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 3120 wrote to memory of 2180	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 3120 wrote to memory of 2180	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 3120 wrote to memory of 1616	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 3120 wrote to memory of 1616	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 3120 wrote to memory of 2116	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 3120 wrote to memory of 2116	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 3120 wrote to memory of 1096	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 3120 wrote to memory of 1096	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 3120 wrote to memory of 1504	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 3120 wrote to memory of 1504	3120	2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-23_28169b1a2846a64bff5221b375c33d31_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\System\zGIbcbW.exe
  C:\Windows\System\zGIbcbW.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\WjDPOai.exe
  C:\Windows\System\WjDPOai.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System\tYzjkZK.exe
  C:\Windows\System\tYzjkZK.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System\SWuGRCw.exe
  C:\Windows\System\SWuGRCw.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\sOOWBlD.exe
  C:\Windows\System\sOOWBlD.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System\eZdJHvA.exe
  C:\Windows\System\eZdJHvA.exe
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\System\KeVzXFc.exe
  C:\Windows\System\KeVzXFc.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\qjAuvZn.exe
  C:\Windows\System\qjAuvZn.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System\MsDsnkk.exe
  C:\Windows\System\MsDsnkk.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System\ZnehlUN.exe
  C:\Windows\System\ZnehlUN.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System\xKLfkzV.exe
  C:\Windows\System\xKLfkzV.exe
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Windows\System\gTezVEd.exe
  C:\Windows\System\gTezVEd.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System\lnnARcB.exe
  C:\Windows\System\lnnARcB.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System\SaDWAAJ.exe
  C:\Windows\System\SaDWAAJ.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\meulpGb.exe
  C:\Windows\System\meulpGb.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\aVpgjBb.exe
  C:\Windows\System\aVpgjBb.exe
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\System\LKKfhHd.exe
  C:\Windows\System\LKKfhHd.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System\sucSZFl.exe
  C:\Windows\System\sucSZFl.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System\xgePTMO.exe
  C:\Windows\System\xgePTMO.exe
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\System\cHonKZm.exe
  C:\Windows\System\cHonKZm.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System\eAXqqIb.exe
  C:\Windows\System\eAXqqIb.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\SyTxDTj.exe
  C:\Windows\System\SyTxDTj.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\GtBcnDW.exe
  C:\Windows\System\GtBcnDW.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System\pSqTnPX.exe
  C:\Windows\System\pSqTnPX.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\YaBlKux.exe
  C:\Windows\System\YaBlKux.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\GcBdAdt.exe
  C:\Windows\System\GcBdAdt.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System\nUEaLWG.exe
  C:\Windows\System\nUEaLWG.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\UBSBcAo.exe
  C:\Windows\System\UBSBcAo.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\yyKRFSQ.exe
  C:\Windows\System\yyKRFSQ.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\Qexlxdh.exe
  C:\Windows\System\Qexlxdh.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\UtRwVoG.exe
  C:\Windows\System\UtRwVoG.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System\cnVgGoB.exe
  C:\Windows\System\cnVgGoB.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\nVJhFIe.exe
  C:\Windows\System\nVJhFIe.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\hxreyIS.exe
  C:\Windows\System\hxreyIS.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\sDvPUdx.exe
  C:\Windows\System\sDvPUdx.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\GHaDiPt.exe
  C:\Windows\System\GHaDiPt.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\ucdWgcj.exe
  C:\Windows\System\ucdWgcj.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\dtlChqz.exe
  C:\Windows\System\dtlChqz.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\NgULPXQ.exe
  C:\Windows\System\NgULPXQ.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\KKtNRpy.exe
  C:\Windows\System\KKtNRpy.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System\smDMdXJ.exe
  C:\Windows\System\smDMdXJ.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\uDcLvRw.exe
  C:\Windows\System\uDcLvRw.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\jgjCikt.exe
  C:\Windows\System\jgjCikt.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System\BRgeBEG.exe
  C:\Windows\System\BRgeBEG.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System\ruYwgRB.exe
  C:\Windows\System\ruYwgRB.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\prCIwaZ.exe
  C:\Windows\System\prCIwaZ.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\dpRnuYj.exe
  C:\Windows\System\dpRnuYj.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System\jVDgojn.exe
  C:\Windows\System\jVDgojn.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\ASzcqTq.exe
  C:\Windows\System\ASzcqTq.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\zkaRpUQ.exe
  C:\Windows\System\zkaRpUQ.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\OjgnszA.exe
  C:\Windows\System\OjgnszA.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\ejRpYWw.exe
  C:\Windows\System\ejRpYWw.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System\kbTwvTy.exe
  C:\Windows\System\kbTwvTy.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\bjWGVNz.exe
  C:\Windows\System\bjWGVNz.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System\jLgTNog.exe
  C:\Windows\System\jLgTNog.exe
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\System\yhVrIVw.exe
  C:\Windows\System\yhVrIVw.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\ACICcla.exe
  C:\Windows\System\ACICcla.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System\WcrxIch.exe
  C:\Windows\System\WcrxIch.exe
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Windows\System\sCEZwOj.exe
  C:\Windows\System\sCEZwOj.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\YVLljtp.exe
  C:\Windows\System\YVLljtp.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\xANFIYu.exe
  C:\Windows\System\xANFIYu.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\VGcWNGL.exe
  C:\Windows\System\VGcWNGL.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\System\DhEumGz.exe
  C:\Windows\System\DhEumGz.exe
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Windows\System\oXQqCRb.exe
  C:\Windows\System\oXQqCRb.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\GUgbbRW.exe
  C:\Windows\System\GUgbbRW.exe
  2⤵
  PID:3440
- C:\Windows\System\JosyPlA.exe
  C:\Windows\System\JosyPlA.exe
  2⤵
  PID:2264
- C:\Windows\System\JiyHcaW.exe
  C:\Windows\System\JiyHcaW.exe
  2⤵
  PID:4768
- C:\Windows\System\YJosNHt.exe
  C:\Windows\System\YJosNHt.exe
  2⤵
  PID:3260
- C:\Windows\System\DmTbOvd.exe
  C:\Windows\System\DmTbOvd.exe
  2⤵
  PID:1940
- C:\Windows\System\wcughhq.exe
  C:\Windows\System\wcughhq.exe
  2⤵
  PID:1484
- C:\Windows\System\jgyDZtj.exe
  C:\Windows\System\jgyDZtj.exe
  2⤵
  PID:336
- C:\Windows\System\SnMYgHh.exe
  C:\Windows\System\SnMYgHh.exe
  2⤵
  PID:232
- C:\Windows\System\cldjKHH.exe
  C:\Windows\System\cldjKHH.exe
  2⤵
  PID:3156
- C:\Windows\System\xxyAafd.exe
  C:\Windows\System\xxyAafd.exe
  2⤵
  PID:3396
- C:\Windows\System\dieRgKC.exe
  C:\Windows\System\dieRgKC.exe
  2⤵
  PID:3636
- C:\Windows\System\AuCyBIt.exe
  C:\Windows\System\AuCyBIt.exe
  2⤵
  PID:2908
- C:\Windows\System\kNNeUSn.exe
  C:\Windows\System\kNNeUSn.exe
  2⤵
  PID:1036
- C:\Windows\System\hwmjSaG.exe
  C:\Windows\System\hwmjSaG.exe
  2⤵
  PID:4008
- C:\Windows\System\LKwEuBU.exe
  C:\Windows\System\LKwEuBU.exe
  2⤵
  PID:4856
- C:\Windows\System\laaWyOX.exe
  C:\Windows\System\laaWyOX.exe
  2⤵
  PID:2560
- C:\Windows\System\mkzgeqh.exe
  C:\Windows\System\mkzgeqh.exe
  2⤵
  PID:1716
- C:\Windows\System\doBcPGK.exe
  C:\Windows\System\doBcPGK.exe
  2⤵
  PID:2252
- C:\Windows\System\uhcTrxr.exe
  C:\Windows\System\uhcTrxr.exe
  2⤵
  PID:4508
- C:\Windows\System\MtaiKxh.exe
  C:\Windows\System\MtaiKxh.exe
  2⤵
  PID:3004
- C:\Windows\System\rgPNizv.exe
  C:\Windows\System\rgPNizv.exe
  2⤵
  PID:3492
- C:\Windows\System\omJKXeV.exe
  C:\Windows\System\omJKXeV.exe
  2⤵
  PID:3372
- C:\Windows\System\YxEEoqW.exe
  C:\Windows\System\YxEEoqW.exe
  2⤵
  PID:4844
- C:\Windows\System\gPngtDw.exe
  C:\Windows\System\gPngtDw.exe
  2⤵
  PID:212
- C:\Windows\System\agbXWXO.exe
  C:\Windows\System\agbXWXO.exe
  2⤵
  PID:3932
- C:\Windows\System\JsrUqHF.exe
  C:\Windows\System\JsrUqHF.exe
  2⤵
  PID:2280
- C:\Windows\System\LyIntEz.exe
  C:\Windows\System\LyIntEz.exe
  2⤵
  PID:2172
- C:\Windows\System\QyqXMTi.exe
  C:\Windows\System\QyqXMTi.exe
  2⤵
  PID:4072
- C:\Windows\System\jhFZFup.exe
  C:\Windows\System\jhFZFup.exe
  2⤵
  PID:2876
- C:\Windows\System\PJGyqig.exe
  C:\Windows\System\PJGyqig.exe
  2⤵
  PID:5064
- C:\Windows\System\oNJMZdE.exe
  C:\Windows\System\oNJMZdE.exe
  2⤵
  PID:1736
- C:\Windows\System\ALKfJOr.exe
  C:\Windows\System\ALKfJOr.exe
  2⤵
  PID:3000
- C:\Windows\System\kyjtPmR.exe
  C:\Windows\System\kyjtPmR.exe
  2⤵
  PID:4176
- C:\Windows\System\LPrwHAw.exe
  C:\Windows\System\LPrwHAw.exe
  2⤵
  PID:3868
- C:\Windows\System\TlxdAYl.exe
  C:\Windows\System\TlxdAYl.exe
  2⤵
  PID:2760
- C:\Windows\System\aiLXJAM.exe
  C:\Windows\System\aiLXJAM.exe
  2⤵
  PID:3036
- C:\Windows\System\SOfFSCP.exe
  C:\Windows\System\SOfFSCP.exe
  2⤵
  PID:2056
- C:\Windows\System\tEYLWIw.exe
  C:\Windows\System\tEYLWIw.exe
  2⤵
  PID:2536
- C:\Windows\System\OQkAmGw.exe
  C:\Windows\System\OQkAmGw.exe
  2⤵
  PID:1536
- C:\Windows\System\xOYeiIP.exe
  C:\Windows\System\xOYeiIP.exe
  2⤵
  PID:4524
- C:\Windows\System\gESDmQC.exe
  C:\Windows\System\gESDmQC.exe
  2⤵
  PID:3164
- C:\Windows\System\OstXCzt.exe
  C:\Windows\System\OstXCzt.exe
  2⤵
  PID:116
- C:\Windows\System\YfPgwOA.exe
  C:\Windows\System\YfPgwOA.exe
  2⤵
  PID:3428
- C:\Windows\System\wWtCiyL.exe
  C:\Windows\System\wWtCiyL.exe
  2⤵
  PID:3424
- C:\Windows\System\dkqZHgr.exe
  C:\Windows\System\dkqZHgr.exe
  2⤵
  PID:2320
- C:\Windows\System\YqMNHzL.exe
  C:\Windows\System\YqMNHzL.exe
  2⤵
  PID:752
- C:\Windows\System\DAlvZVH.exe
  C:\Windows\System\DAlvZVH.exe
  2⤵
  PID:3536
- C:\Windows\System\KcaGYzh.exe
  C:\Windows\System\KcaGYzh.exe
  2⤵
  PID:764
- C:\Windows\System\JcLXyme.exe
  C:\Windows\System\JcLXyme.exe
  2⤵
  PID:1188
- C:\Windows\System\jquCGKd.exe
  C:\Windows\System\jquCGKd.exe
  2⤵
  PID:1156
- C:\Windows\System\httLDxq.exe
  C:\Windows\System\httLDxq.exe
  2⤵
  PID:772
- C:\Windows\System\HUKpHCe.exe
  C:\Windows\System\HUKpHCe.exe
  2⤵
  PID:4772
- C:\Windows\System\ZuEQBds.exe
  C:\Windows\System\ZuEQBds.exe
  2⤵
  PID:5136
- C:\Windows\System\qinttRp.exe
  C:\Windows\System\qinttRp.exe
  2⤵
  PID:5168
- C:\Windows\System\IkzfDlV.exe
  C:\Windows\System\IkzfDlV.exe
  2⤵
  PID:5196
- C:\Windows\System\jGYGJWJ.exe
  C:\Windows\System\jGYGJWJ.exe
  2⤵
  PID:5224
- C:\Windows\System\RlmXwYI.exe
  C:\Windows\System\RlmXwYI.exe
  2⤵
  PID:5244
- C:\Windows\System\NLyUANK.exe
  C:\Windows\System\NLyUANK.exe
  2⤵
  PID:5264
- C:\Windows\System\kHlPjvm.exe
  C:\Windows\System\kHlPjvm.exe
  2⤵
  PID:5312
- C:\Windows\System\PILrbxz.exe
  C:\Windows\System\PILrbxz.exe
  2⤵
  PID:5332
- C:\Windows\System\kgvlzaL.exe
  C:\Windows\System\kgvlzaL.exe
  2⤵
  PID:5372
- C:\Windows\System\gnpOYRP.exe
  C:\Windows\System\gnpOYRP.exe
  2⤵
  PID:5400
- C:\Windows\System\dBisEcg.exe
  C:\Windows\System\dBisEcg.exe
  2⤵
  PID:5428
- C:\Windows\System\drCZWyg.exe
  C:\Windows\System\drCZWyg.exe
  2⤵
  PID:5448
- C:\Windows\System\kEkxzfU.exe
  C:\Windows\System\kEkxzfU.exe
  2⤵
  PID:5464
- C:\Windows\System\RuqbCnS.exe
  C:\Windows\System\RuqbCnS.exe
  2⤵
  PID:5504
- C:\Windows\System\WgIhbKj.exe
  C:\Windows\System\WgIhbKj.exe
  2⤵
  PID:5552
- C:\Windows\System\euWOqFH.exe
  C:\Windows\System\euWOqFH.exe
  2⤵
  PID:5584
- C:\Windows\System\IyByxMf.exe
  C:\Windows\System\IyByxMf.exe
  2⤵
  PID:5616
- C:\Windows\System\xrfzRsG.exe
  C:\Windows\System\xrfzRsG.exe
  2⤵
  PID:5632
- C:\Windows\System\vCnooyo.exe
  C:\Windows\System\vCnooyo.exe
  2⤵
  PID:5652
- C:\Windows\System\EXqopYK.exe
  C:\Windows\System\EXqopYK.exe
  2⤵
  PID:5676
- C:\Windows\System\sUoVbft.exe
  C:\Windows\System\sUoVbft.exe
  2⤵
  PID:5760
- C:\Windows\System\eQJlWAs.exe
  C:\Windows\System\eQJlWAs.exe
  2⤵
  PID:5792
- C:\Windows\System\nbvMHrv.exe
  C:\Windows\System\nbvMHrv.exe
  2⤵
  PID:5820
- C:\Windows\System\SkbNzIz.exe
  C:\Windows\System\SkbNzIz.exe
  2⤵
  PID:5844
- C:\Windows\System\kzONGzh.exe
  C:\Windows\System\kzONGzh.exe
  2⤵
  PID:5860
- C:\Windows\System\aINlmFx.exe
  C:\Windows\System\aINlmFx.exe
  2⤵
  PID:5904
- C:\Windows\System\HIhKgCv.exe
  C:\Windows\System\HIhKgCv.exe
  2⤵
  PID:5928
- C:\Windows\System\xbqBgaH.exe
  C:\Windows\System\xbqBgaH.exe
  2⤵
  PID:5960
- C:\Windows\System\QhFcABg.exe
  C:\Windows\System\QhFcABg.exe
  2⤵
  PID:5992
- C:\Windows\System\Dvdfndc.exe
  C:\Windows\System\Dvdfndc.exe
  2⤵
  PID:6048
- C:\Windows\System\vmkOldI.exe
  C:\Windows\System\vmkOldI.exe
  2⤵
  PID:6068
- C:\Windows\System\fVwUAWy.exe
  C:\Windows\System\fVwUAWy.exe
  2⤵
  PID:6104
- C:\Windows\System\NRZNpEL.exe
  C:\Windows\System\NRZNpEL.exe
  2⤵
  PID:6140
- C:\Windows\System\ZtYqRui.exe
  C:\Windows\System\ZtYqRui.exe
  2⤵
  PID:5156
- C:\Windows\System\tAQvXJx.exe
  C:\Windows\System\tAQvXJx.exe
  2⤵
  PID:5212
- C:\Windows\System\YNJGqyI.exe
  C:\Windows\System\YNJGqyI.exe
  2⤵
  PID:5320
- C:\Windows\System\elhcSVp.exe
  C:\Windows\System\elhcSVp.exe
  2⤵
  PID:5380
- C:\Windows\System\FFbtoXk.exe
  C:\Windows\System\FFbtoXk.exe
  2⤵
  PID:5440
- C:\Windows\System\YtrZisA.exe
  C:\Windows\System\YtrZisA.exe
  2⤵
  PID:5500
- C:\Windows\System\jGeRpph.exe
  C:\Windows\System\jGeRpph.exe
  2⤵
  PID:5600
- C:\Windows\System\BYrPkIy.exe
  C:\Windows\System\BYrPkIy.exe
  2⤵
  PID:5688
- C:\Windows\System\yDsiJfY.exe
  C:\Windows\System\yDsiJfY.exe
  2⤵
  PID:5836
- C:\Windows\System\EsEQVTD.exe
  C:\Windows\System\EsEQVTD.exe
  2⤵
  PID:5952
- C:\Windows\System\pBBoKCp.exe
  C:\Windows\System\pBBoKCp.exe
  2⤵
  PID:6056
- C:\Windows\System\cqReJQS.exe
  C:\Windows\System\cqReJQS.exe
  2⤵
  PID:6116
- C:\Windows\System\ZRJcKTK.exe
  C:\Windows\System\ZRJcKTK.exe
  2⤵
  PID:5188
- C:\Windows\System\LMuujZe.exe
  C:\Windows\System\LMuujZe.exe
  2⤵
  PID:5388
- C:\Windows\System\gHzTteK.exe
  C:\Windows\System\gHzTteK.exe
  2⤵
  PID:6004
- C:\Windows\System\fFSJbWw.exe
  C:\Windows\System\fFSJbWw.exe
  2⤵
  PID:6136
- C:\Windows\System\QZDUNvv.exe
  C:\Windows\System\QZDUNvv.exe
  2⤵
  PID:5948
- C:\Windows\System\SqlMSOO.exe
  C:\Windows\System\SqlMSOO.exe
  2⤵
  PID:5924
- C:\Windows\System\lPVMpOl.exe
  C:\Windows\System\lPVMpOl.exe
  2⤵
  PID:6176
- C:\Windows\System\MQshrut.exe
  C:\Windows\System\MQshrut.exe
  2⤵
  PID:6196
- C:\Windows\System\MltNTbe.exe
  C:\Windows\System\MltNTbe.exe
  2⤵
  PID:6236
- C:\Windows\System\uzVkMrb.exe
  C:\Windows\System\uzVkMrb.exe
  2⤵
  PID:6268
- C:\Windows\System\WRpFYZy.exe
  C:\Windows\System\WRpFYZy.exe
  2⤵
  PID:6296
- C:\Windows\System\HTebEiN.exe
  C:\Windows\System\HTebEiN.exe
  2⤵
  PID:6316
- C:\Windows\System\ljPuzwn.exe
  C:\Windows\System\ljPuzwn.exe
  2⤵
  PID:6340
- C:\Windows\System\RCgDmxl.exe
  C:\Windows\System\RCgDmxl.exe
  2⤵
  PID:6372
- C:\Windows\System\LseGMew.exe
  C:\Windows\System\LseGMew.exe
  2⤵
  PID:6400
- C:\Windows\System\MkjNzeb.exe
  C:\Windows\System\MkjNzeb.exe
  2⤵
  PID:6444
- C:\Windows\System\DpAEnbu.exe
  C:\Windows\System\DpAEnbu.exe
  2⤵
  PID:6476
- C:\Windows\System\VOZcFOn.exe
  C:\Windows\System\VOZcFOn.exe
  2⤵
  PID:6508
- C:\Windows\System\MAylQIW.exe
  C:\Windows\System\MAylQIW.exe
  2⤵
  PID:6548
- C:\Windows\System\HJrFNCm.exe
  C:\Windows\System\HJrFNCm.exe
  2⤵
  PID:6584
- C:\Windows\System\sBYjhtM.exe
  C:\Windows\System\sBYjhtM.exe
  2⤵
  PID:6608
- C:\Windows\System\FQTCZTB.exe
  C:\Windows\System\FQTCZTB.exe
  2⤵
  PID:6640
- C:\Windows\System\aAivmmF.exe
  C:\Windows\System\aAivmmF.exe
  2⤵
  PID:6672
- C:\Windows\System\lsooQch.exe
  C:\Windows\System\lsooQch.exe
  2⤵
  PID:6700
- C:\Windows\System\Kqnifoj.exe
  C:\Windows\System\Kqnifoj.exe
  2⤵
  PID:6728
- C:\Windows\System\yZliWKt.exe
  C:\Windows\System\yZliWKt.exe
  2⤵
  PID:6756
- C:\Windows\System\SlCdJuo.exe
  C:\Windows\System\SlCdJuo.exe
  2⤵
  PID:6780
- C:\Windows\System\xEMpSFo.exe
  C:\Windows\System\xEMpSFo.exe
  2⤵
  PID:6808
- C:\Windows\System\eeXWrcU.exe
  C:\Windows\System\eeXWrcU.exe
  2⤵
  PID:6840
- C:\Windows\System\OfnGjOe.exe
  C:\Windows\System\OfnGjOe.exe
  2⤵
  PID:6864
- C:\Windows\System\uGmzROw.exe
  C:\Windows\System\uGmzROw.exe
  2⤵
  PID:6892
- C:\Windows\System\yjwExmg.exe
  C:\Windows\System\yjwExmg.exe
  2⤵
  PID:6924
- C:\Windows\System\mczmNUo.exe
  C:\Windows\System\mczmNUo.exe
  2⤵
  PID:6956
- C:\Windows\System\pbEAyJv.exe
  C:\Windows\System\pbEAyJv.exe
  2⤵
  PID:6984
- C:\Windows\System\GbxQMLE.exe
  C:\Windows\System\GbxQMLE.exe
  2⤵
  PID:7012
- C:\Windows\System\uwSjzUt.exe
  C:\Windows\System\uwSjzUt.exe
  2⤵
  PID:7036
- C:\Windows\System\JvYFKLM.exe
  C:\Windows\System\JvYFKLM.exe
  2⤵
  PID:7060
- C:\Windows\System\rGQgkob.exe
  C:\Windows\System\rGQgkob.exe
  2⤵
  PID:7096
- C:\Windows\System\uROVMDQ.exe
  C:\Windows\System\uROVMDQ.exe
  2⤵
  PID:7128
- C:\Windows\System\HCfrOHp.exe
  C:\Windows\System\HCfrOHp.exe
  2⤵
  PID:7156
- C:\Windows\System\QXiUBcc.exe
  C:\Windows\System\QXiUBcc.exe
  2⤵
  PID:6168
- C:\Windows\System\WRyJZKE.exe
  C:\Windows\System\WRyJZKE.exe
  2⤵
  PID:6220
- C:\Windows\System\khsYGVn.exe
  C:\Windows\System\khsYGVn.exe
  2⤵
  PID:6324
- C:\Windows\System\ZvOevqH.exe
  C:\Windows\System\ZvOevqH.exe
  2⤵
  PID:6436
- C:\Windows\System\LrXiHAm.exe
  C:\Windows\System\LrXiHAm.exe
  2⤵
  PID:6500
- C:\Windows\System\zZLQnPc.exe
  C:\Windows\System\zZLQnPc.exe
  2⤵
  PID:6576
- C:\Windows\System\WhzOtoT.exe
  C:\Windows\System\WhzOtoT.exe
  2⤵
  PID:6624
- C:\Windows\System\JRfdoVB.exe
  C:\Windows\System\JRfdoVB.exe
  2⤵
  PID:6688
- C:\Windows\System\DOmorDh.exe
  C:\Windows\System\DOmorDh.exe
  2⤵
  PID:6772
- C:\Windows\System\qQGtqfa.exe
  C:\Windows\System\qQGtqfa.exe
  2⤵
  PID:6816
- C:\Windows\System\monlWTJ.exe
  C:\Windows\System\monlWTJ.exe
  2⤵
  PID:6880
- C:\Windows\System\cmVTPMA.exe
  C:\Windows\System\cmVTPMA.exe
  2⤵
  PID:6964
- C:\Windows\System\pejHQyN.exe
  C:\Windows\System\pejHQyN.exe
  2⤵
  PID:7028
- C:\Windows\System\RNcaSRh.exe
  C:\Windows\System\RNcaSRh.exe
  2⤵
  PID:7104
- C:\Windows\System\NHyyGSl.exe
  C:\Windows\System\NHyyGSl.exe
  2⤵
  PID:7144
- C:\Windows\System\GZiNnLn.exe
  C:\Windows\System\GZiNnLn.exe
  2⤵
  PID:6336
- C:\Windows\System\rzabVlk.exe
  C:\Windows\System\rzabVlk.exe
  2⤵
  PID:6488
- C:\Windows\System\uFMBaaK.exe
  C:\Windows\System\uFMBaaK.exe
  2⤵
  PID:6696
- C:\Windows\System\BkNvzkv.exe
  C:\Windows\System\BkNvzkv.exe
  2⤵
  PID:6800
- C:\Windows\System\VpOPxBT.exe
  C:\Windows\System\VpOPxBT.exe
  2⤵
  PID:6920
- C:\Windows\System\vMeCpoH.exe
  C:\Windows\System\vMeCpoH.exe
  2⤵
  PID:6524
- C:\Windows\System\byUkWhp.exe
  C:\Windows\System\byUkWhp.exe
  2⤵
  PID:6904
- C:\Windows\System\orSGndA.exe
  C:\Windows\System\orSGndA.exe
  2⤵
  PID:6396
- C:\Windows\System\OQXepXR.exe
  C:\Windows\System\OQXepXR.exe
  2⤵
  PID:628
- C:\Windows\System\VfdulNI.exe
  C:\Windows\System\VfdulNI.exe
  2⤵
  PID:7192
- C:\Windows\System\AnVgFRK.exe
  C:\Windows\System\AnVgFRK.exe
  2⤵
  PID:7216
- C:\Windows\System\KmUSFZd.exe
  C:\Windows\System\KmUSFZd.exe
  2⤵
  PID:7244
- C:\Windows\System\llgmnNQ.exe
  C:\Windows\System\llgmnNQ.exe
  2⤵
  PID:7272
- C:\Windows\System\RJKMUXM.exe
  C:\Windows\System\RJKMUXM.exe
  2⤵
  PID:7300
- C:\Windows\System\VUSkumi.exe
  C:\Windows\System\VUSkumi.exe
  2⤵
  PID:7340
- C:\Windows\System\TIYFEjK.exe
  C:\Windows\System\TIYFEjK.exe
  2⤵
  PID:7356
- C:\Windows\System\iELfSge.exe
  C:\Windows\System\iELfSge.exe
  2⤵
  PID:7384
- C:\Windows\System\STLBMfY.exe
  C:\Windows\System\STLBMfY.exe
  2⤵
  PID:7412
- C:\Windows\System\evBOQai.exe
  C:\Windows\System\evBOQai.exe
  2⤵
  PID:7440
- C:\Windows\System\bQaMUBr.exe
  C:\Windows\System\bQaMUBr.exe
  2⤵
  PID:7468
- C:\Windows\System\LSozJnz.exe
  C:\Windows\System\LSozJnz.exe
  2⤵
  PID:7504
- C:\Windows\System\pQePUmx.exe
  C:\Windows\System\pQePUmx.exe
  2⤵
  PID:7524
- C:\Windows\System\tCAHTjF.exe
  C:\Windows\System\tCAHTjF.exe
  2⤵
  PID:7552
- C:\Windows\System\MEZgiwe.exe
  C:\Windows\System\MEZgiwe.exe
  2⤵
  PID:7580
- C:\Windows\System\LvLXlif.exe
  C:\Windows\System\LvLXlif.exe
  2⤵
  PID:7608
- C:\Windows\System\ZRZgOSQ.exe
  C:\Windows\System\ZRZgOSQ.exe
  2⤵
  PID:7636
- C:\Windows\System\qpSKemQ.exe
  C:\Windows\System\qpSKemQ.exe
  2⤵
  PID:7664
- C:\Windows\System\AujFRpg.exe
  C:\Windows\System\AujFRpg.exe
  2⤵
  PID:7692
- C:\Windows\System\zpIsxNw.exe
  C:\Windows\System\zpIsxNw.exe
  2⤵
  PID:7720
- C:\Windows\System\uVytTde.exe
  C:\Windows\System\uVytTde.exe
  2⤵
  PID:7748
- C:\Windows\System\pHXNOBW.exe
  C:\Windows\System\pHXNOBW.exe
  2⤵
  PID:7776
- C:\Windows\System\tvdSiQy.exe
  C:\Windows\System\tvdSiQy.exe
  2⤵
  PID:7812
- C:\Windows\System\sVpFGZY.exe
  C:\Windows\System\sVpFGZY.exe
  2⤵
  PID:7832
- C:\Windows\System\kyzlGSx.exe
  C:\Windows\System\kyzlGSx.exe
  2⤵
  PID:7864
- C:\Windows\System\tjHbroN.exe
  C:\Windows\System\tjHbroN.exe
  2⤵
  PID:7892
- C:\Windows\System\QRujzQK.exe
  C:\Windows\System\QRujzQK.exe
  2⤵
  PID:7920
- C:\Windows\System\HUuYvwx.exe
  C:\Windows\System\HUuYvwx.exe
  2⤵
  PID:7948
- C:\Windows\System\TQZuLoU.exe
  C:\Windows\System\TQZuLoU.exe
  2⤵
  PID:7976
- C:\Windows\System\bYJTLAP.exe
  C:\Windows\System\bYJTLAP.exe
  2⤵
  PID:8004
- C:\Windows\System\VzlWMEo.exe
  C:\Windows\System\VzlWMEo.exe
  2⤵
  PID:8036
- C:\Windows\System\GYgirNa.exe
  C:\Windows\System\GYgirNa.exe
  2⤵
  PID:8068
- C:\Windows\System\NzaHkbT.exe
  C:\Windows\System\NzaHkbT.exe
  2⤵
  PID:8096
- C:\Windows\System\RbVtkCv.exe
  C:\Windows\System\RbVtkCv.exe
  2⤵
  PID:8120
- C:\Windows\System\GGQOwim.exe
  C:\Windows\System\GGQOwim.exe
  2⤵
  PID:8144
- C:\Windows\System\VKFKNGg.exe
  C:\Windows\System\VKFKNGg.exe
  2⤵
  PID:8172
- C:\Windows\System\tDRzcrk.exe
  C:\Windows\System\tDRzcrk.exe
  2⤵
  PID:7184
- C:\Windows\System\KocANnA.exe
  C:\Windows\System\KocANnA.exe
  2⤵
  PID:7256
- C:\Windows\System\aqQgfFh.exe
  C:\Windows\System\aqQgfFh.exe
  2⤵
  PID:7324
- C:\Windows\System\xeCxxXs.exe
  C:\Windows\System\xeCxxXs.exe
  2⤵
  PID:7380
- C:\Windows\System\rkBkbzP.exe
  C:\Windows\System\rkBkbzP.exe
  2⤵
  PID:7452
- C:\Windows\System\mkzPGJd.exe
  C:\Windows\System\mkzPGJd.exe
  2⤵
  PID:7520
- C:\Windows\System\QNhfWDF.exe
  C:\Windows\System\QNhfWDF.exe
  2⤵
  PID:6872
- C:\Windows\System\vWzdTgF.exe
  C:\Windows\System\vWzdTgF.exe
  2⤵
  PID:7632
- C:\Windows\System\zZeaNgV.exe
  C:\Windows\System\zZeaNgV.exe
  2⤵
  PID:7716
- C:\Windows\System\tpQZTNs.exe
  C:\Windows\System\tpQZTNs.exe
  2⤵
  PID:7768
- C:\Windows\System\JonsVdM.exe
  C:\Windows\System\JonsVdM.exe
  2⤵
  PID:7860
- C:\Windows\System\NbytdSH.exe
  C:\Windows\System\NbytdSH.exe
  2⤵
  PID:7904
- C:\Windows\System\LmBnysu.exe
  C:\Windows\System\LmBnysu.exe
  2⤵
  PID:7968
- C:\Windows\System\mLDLXoj.exe
  C:\Windows\System\mLDLXoj.exe
  2⤵
  PID:8028
- C:\Windows\System\zOejKdi.exe
  C:\Windows\System\zOejKdi.exe
  2⤵
  PID:8104
- C:\Windows\System\QQgfIng.exe
  C:\Windows\System\QQgfIng.exe
  2⤵
  PID:8164
- C:\Windows\System\QCreRDN.exe
  C:\Windows\System\QCreRDN.exe
  2⤵
  PID:7240
- C:\Windows\System\RKIRfKY.exe
  C:\Windows\System\RKIRfKY.exe
  2⤵
  PID:7436
- C:\Windows\System\zqYLFKy.exe
  C:\Windows\System\zqYLFKy.exe
  2⤵
  PID:7564
- C:\Windows\System\RbsuyaX.exe
  C:\Windows\System\RbsuyaX.exe
  2⤵
  PID:7628
- C:\Windows\System\hlezZLT.exe
  C:\Windows\System\hlezZLT.exe
  2⤵
  PID:7796
- C:\Windows\System\FSTnBjj.exe
  C:\Windows\System\FSTnBjj.exe
  2⤵
  PID:7944
- C:\Windows\System\LyBZmQy.exe
  C:\Windows\System\LyBZmQy.exe
  2⤵
  PID:8084
- C:\Windows\System\pOMgSJs.exe
  C:\Windows\System\pOMgSJs.exe
  2⤵
  PID:7312
- C:\Windows\System\MPstmzE.exe
  C:\Windows\System\MPstmzE.exe
  2⤵
  PID:4552
- C:\Windows\System\hOXfNQt.exe
  C:\Windows\System\hOXfNQt.exe
  2⤵
  PID:7932
- C:\Windows\System\zCperbK.exe
  C:\Windows\System\zCperbK.exe
  2⤵
  PID:7492
- C:\Windows\System\URZOGzL.exe
  C:\Windows\System\URZOGzL.exe
  2⤵
  PID:7212
- C:\Windows\System\ySPlWRf.exe
  C:\Windows\System\ySPlWRf.exe
  2⤵
  PID:8200
- C:\Windows\System\mXSwGUH.exe
  C:\Windows\System\mXSwGUH.exe
  2⤵
  PID:8228
- C:\Windows\System\zNtSIsz.exe
  C:\Windows\System\zNtSIsz.exe
  2⤵
  PID:8256
- C:\Windows\System\QBQRqiY.exe
  C:\Windows\System\QBQRqiY.exe
  2⤵
  PID:8284
- C:\Windows\System\eAZnYDI.exe
  C:\Windows\System\eAZnYDI.exe
  2⤵
  PID:8312
- C:\Windows\System\knTTQHg.exe
  C:\Windows\System\knTTQHg.exe
  2⤵
  PID:8344
- C:\Windows\System\NqNOOyQ.exe
  C:\Windows\System\NqNOOyQ.exe
  2⤵
  PID:8372
- C:\Windows\System\YxqpmQS.exe
  C:\Windows\System\YxqpmQS.exe
  2⤵
  PID:8400
- C:\Windows\System\uBnWgxS.exe
  C:\Windows\System\uBnWgxS.exe
  2⤵
  PID:8428
- C:\Windows\System\TLgFjYd.exe
  C:\Windows\System\TLgFjYd.exe
  2⤵
  PID:8464
- C:\Windows\System\LhzyANm.exe
  C:\Windows\System\LhzyANm.exe
  2⤵
  PID:8504
- C:\Windows\System\IGhhYyR.exe
  C:\Windows\System\IGhhYyR.exe
  2⤵
  PID:8572
- C:\Windows\System\duRLnkK.exe
  C:\Windows\System\duRLnkK.exe
  2⤵
  PID:8624
- C:\Windows\System\xVQKadr.exe
  C:\Windows\System\xVQKadr.exe
  2⤵
  PID:8684
- C:\Windows\System\TFunsQZ.exe
  C:\Windows\System\TFunsQZ.exe
  2⤵
  PID:8704
- C:\Windows\System\UQPRkbp.exe
  C:\Windows\System\UQPRkbp.exe
  2⤵
  PID:8748
- C:\Windows\System\UNECkUl.exe
  C:\Windows\System\UNECkUl.exe
  2⤵
  PID:8776
- C:\Windows\System\xgBmKYO.exe
  C:\Windows\System\xgBmKYO.exe
  2⤵
  PID:8808
- C:\Windows\System\ffckvgx.exe
  C:\Windows\System\ffckvgx.exe
  2⤵
  PID:8832
- C:\Windows\System\wZQtYLv.exe
  C:\Windows\System\wZQtYLv.exe
  2⤵
  PID:8860
- C:\Windows\System\vRjnWnW.exe
  C:\Windows\System\vRjnWnW.exe
  2⤵
  PID:8896
- C:\Windows\System\QlPPrUS.exe
  C:\Windows\System\QlPPrUS.exe
  2⤵
  PID:8916
- C:\Windows\System\Sirestz.exe
  C:\Windows\System\Sirestz.exe
  2⤵
  PID:8944
- C:\Windows\System\jsnWlGN.exe
  C:\Windows\System\jsnWlGN.exe
  2⤵
  PID:8972
- C:\Windows\System\fzsRLLv.exe
  C:\Windows\System\fzsRLLv.exe
  2⤵
  PID:9008
- C:\Windows\System\lqbWIwQ.exe
  C:\Windows\System\lqbWIwQ.exe
  2⤵
  PID:9028
- C:\Windows\System\lTWQHiz.exe
  C:\Windows\System\lTWQHiz.exe
  2⤵
  PID:9064
- C:\Windows\System\GFXoXNG.exe
  C:\Windows\System\GFXoXNG.exe
  2⤵
  PID:9084
- C:\Windows\System\TEHhxpi.exe
  C:\Windows\System\TEHhxpi.exe
  2⤵
  PID:9116
- C:\Windows\System\CgTAkUS.exe
  C:\Windows\System\CgTAkUS.exe
  2⤵
  PID:9144
- C:\Windows\System\iMdmpFl.exe
  C:\Windows\System\iMdmpFl.exe
  2⤵
  PID:9172
- C:\Windows\System\NUYTaBv.exe
  C:\Windows\System\NUYTaBv.exe
  2⤵
  PID:9200
- C:\Windows\System\gWbRpEx.exe
  C:\Windows\System\gWbRpEx.exe
  2⤵
  PID:8220
- C:\Windows\System\hXRExyg.exe
  C:\Windows\System\hXRExyg.exe
  2⤵
  PID:8280
- C:\Windows\System\srzapuX.exe
  C:\Windows\System\srzapuX.exe
  2⤵
  PID:8352
- C:\Windows\System\JIBJJeK.exe
  C:\Windows\System\JIBJJeK.exe
  2⤵
  PID:8420
- C:\Windows\System\PVuRPDv.exe
  C:\Windows\System\PVuRPDv.exe
  2⤵
  PID:8496
- C:\Windows\System\TtZroyj.exe
  C:\Windows\System\TtZroyj.exe
  2⤵
  PID:8608
- C:\Windows\System\bdYwUyL.exe
  C:\Windows\System\bdYwUyL.exe
  2⤵
  PID:8740
- C:\Windows\System\yxBfxVg.exe
  C:\Windows\System\yxBfxVg.exe
  2⤵
  PID:8816
- C:\Windows\System\TQiONwH.exe
  C:\Windows\System\TQiONwH.exe
  2⤵
  PID:8856
- C:\Windows\System\jbjHDmL.exe
  C:\Windows\System\jbjHDmL.exe
  2⤵
  PID:8908
- C:\Windows\System\wjWJnCN.exe
  C:\Windows\System\wjWJnCN.exe
  2⤵
  PID:8984
- C:\Windows\System\uXSKmFT.exe
  C:\Windows\System\uXSKmFT.exe
  2⤵
  PID:9048
- C:\Windows\System\ylVyjtr.exe
  C:\Windows\System\ylVyjtr.exe
  2⤵
  PID:9112
- C:\Windows\System\eDCKsnl.exe
  C:\Windows\System\eDCKsnl.exe
  2⤵
  PID:9184
- C:\Windows\System\czFUAVQ.exe
  C:\Windows\System\czFUAVQ.exe
  2⤵
  PID:8268
- C:\Windows\System\grEcmTU.exe
  C:\Windows\System\grEcmTU.exe
  2⤵
  PID:8412
- C:\Windows\System\RrbQsTQ.exe
  C:\Windows\System\RrbQsTQ.exe
  2⤵
  PID:8676
- C:\Windows\System\TiRKqIV.exe
  C:\Windows\System\TiRKqIV.exe
  2⤵
  PID:8852
- C:\Windows\System\HypgzMt.exe
  C:\Windows\System\HypgzMt.exe
  2⤵
  PID:9040
- C:\Windows\System\xfIUQIR.exe
  C:\Windows\System\xfIUQIR.exe
  2⤵
  PID:9140
- C:\Windows\System\GByKuAk.exe
  C:\Windows\System\GByKuAk.exe
  2⤵
  PID:8384
- C:\Windows\System\DAYLNvd.exe
  C:\Windows\System\DAYLNvd.exe
  2⤵
  PID:8936
- C:\Windows\System\WyVeHwq.exe
  C:\Windows\System\WyVeHwq.exe
  2⤵
  PID:9212
- C:\Windows\System\GYKWVKh.exe
  C:\Windows\System\GYKWVKh.exe
  2⤵
  PID:9096
- C:\Windows\System\FkNIYzb.exe
  C:\Windows\System\FkNIYzb.exe
  2⤵
  PID:9232
- C:\Windows\System\GfIbDrM.exe
  C:\Windows\System\GfIbDrM.exe
  2⤵
  PID:9252
- C:\Windows\System\PdSmqpQ.exe
  C:\Windows\System\PdSmqpQ.exe
  2⤵
  PID:9288
- C:\Windows\System\HHIXiTZ.exe
  C:\Windows\System\HHIXiTZ.exe
  2⤵
  PID:9308
- C:\Windows\System\QFuMcOW.exe
  C:\Windows\System\QFuMcOW.exe
  2⤵
  PID:9340
- C:\Windows\System\GNLWALu.exe
  C:\Windows\System\GNLWALu.exe
  2⤵
  PID:9372
- C:\Windows\System\QxjvSzJ.exe
  C:\Windows\System\QxjvSzJ.exe
  2⤵
  PID:9400
- C:\Windows\System\VkgOQDK.exe
  C:\Windows\System\VkgOQDK.exe
  2⤵
  PID:9420
- C:\Windows\System\AiPSTQN.exe
  C:\Windows\System\AiPSTQN.exe
  2⤵
  PID:9456
- C:\Windows\System\izJtTBb.exe
  C:\Windows\System\izJtTBb.exe
  2⤵
  PID:9476
- C:\Windows\System\UVigvYr.exe
  C:\Windows\System\UVigvYr.exe
  2⤵
  PID:9504
- C:\Windows\System\ZqCGIyB.exe
  C:\Windows\System\ZqCGIyB.exe
  2⤵
  PID:9532
- C:\Windows\System\OdFjWrN.exe
  C:\Windows\System\OdFjWrN.exe
  2⤵
  PID:9560
- C:\Windows\System\dSgfPQd.exe
  C:\Windows\System\dSgfPQd.exe
  2⤵
  PID:9588
- C:\Windows\System\dhEucQm.exe
  C:\Windows\System\dhEucQm.exe
  2⤵
  PID:9624
- C:\Windows\System\YSpWXrn.exe
  C:\Windows\System\YSpWXrn.exe
  2⤵
  PID:9644
- C:\Windows\System\nxylXBk.exe
  C:\Windows\System\nxylXBk.exe
  2⤵
  PID:9672
- C:\Windows\System\wZwKFkV.exe
  C:\Windows\System\wZwKFkV.exe
  2⤵
  PID:9700
- C:\Windows\System\bgRkGCj.exe
  C:\Windows\System\bgRkGCj.exe
  2⤵
  PID:9728
- C:\Windows\System\qvzIjwz.exe
  C:\Windows\System\qvzIjwz.exe
  2⤵
  PID:9760
- C:\Windows\System\AIAfWvU.exe
  C:\Windows\System\AIAfWvU.exe
  2⤵
  PID:9792
- C:\Windows\System\sOMlGAM.exe
  C:\Windows\System\sOMlGAM.exe
  2⤵
  PID:9820
- C:\Windows\System\rewIxrP.exe
  C:\Windows\System\rewIxrP.exe
  2⤵
  PID:9840
- C:\Windows\System\hwgeItl.exe
  C:\Windows\System\hwgeItl.exe
  2⤵
  PID:9868
- C:\Windows\System\ByIZeRv.exe
  C:\Windows\System\ByIZeRv.exe
  2⤵
  PID:9896
- C:\Windows\System\oPjIZxk.exe
  C:\Windows\System\oPjIZxk.exe
  2⤵
  PID:9924
- C:\Windows\System\BPdinPD.exe
  C:\Windows\System\BPdinPD.exe
  2⤵
  PID:9964
- C:\Windows\System\qmRvOAy.exe
  C:\Windows\System\qmRvOAy.exe
  2⤵
  PID:9980
- C:\Windows\System\KHgYJwo.exe
  C:\Windows\System\KHgYJwo.exe
  2⤵
  PID:10012
- C:\Windows\System\WpvVZos.exe
  C:\Windows\System\WpvVZos.exe
  2⤵
  PID:10048
- C:\Windows\System\ESvkuQM.exe
  C:\Windows\System\ESvkuQM.exe
  2⤵
  PID:10076
- C:\Windows\System\MGuWSgb.exe
  C:\Windows\System\MGuWSgb.exe
  2⤵
  PID:10104
- C:\Windows\System\HsgMsOJ.exe
  C:\Windows\System\HsgMsOJ.exe
  2⤵
  PID:10132
- C:\Windows\System\CZdiAPs.exe
  C:\Windows\System\CZdiAPs.exe
  2⤵
  PID:10160
- C:\Windows\System\hATtABm.exe
  C:\Windows\System\hATtABm.exe
  2⤵
  PID:10196
- C:\Windows\System\CHexThs.exe
  C:\Windows\System\CHexThs.exe
  2⤵
  PID:10216
- C:\Windows\System\zjJUoei.exe
  C:\Windows\System\zjJUoei.exe
  2⤵
  PID:9220
- C:\Windows\System\pqdNyPf.exe
  C:\Windows\System\pqdNyPf.exe
  2⤵
  PID:9296
- C:\Windows\System\fGPJaxe.exe
  C:\Windows\System\fGPJaxe.exe
  2⤵
  PID:9356
- C:\Windows\System\IjIpril.exe
  C:\Windows\System\IjIpril.exe
  2⤵
  PID:9440
- C:\Windows\System\IyPkdlk.exe
  C:\Windows\System\IyPkdlk.exe
  2⤵
  PID:9524
- C:\Windows\System\DQPwIVF.exe
  C:\Windows\System\DQPwIVF.exe
  2⤵
  PID:9636
- C:\Windows\System\KbyXuGy.exe
  C:\Windows\System\KbyXuGy.exe
  2⤵
  PID:9684
- C:\Windows\System\uLwzJit.exe
  C:\Windows\System\uLwzJit.exe
  2⤵
  PID:9776
- C:\Windows\System\ZKgqbcj.exe
  C:\Windows\System\ZKgqbcj.exe
  2⤵
  PID:9836
- C:\Windows\System\EZHizdF.exe
  C:\Windows\System\EZHizdF.exe
  2⤵
  PID:9892
- C:\Windows\System\aoOLFVN.exe
  C:\Windows\System\aoOLFVN.exe
  2⤵
  PID:9936
- C:\Windows\System\ujMkbPL.exe
  C:\Windows\System\ujMkbPL.exe
  2⤵
  PID:9992
- C:\Windows\System\daxSJAr.exe
  C:\Windows\System\daxSJAr.exe
  2⤵
  PID:5560
- C:\Windows\System\KWktyCY.exe
  C:\Windows\System\KWktyCY.exe
  2⤵
  PID:5732
- C:\Windows\System\bUbrZVA.exe
  C:\Windows\System\bUbrZVA.exe
  2⤵
  PID:10096
- C:\Windows\System\rAUMIwG.exe
  C:\Windows\System\rAUMIwG.exe
  2⤵
  PID:10144
- C:\Windows\System\JgxCTOi.exe
  C:\Windows\System\JgxCTOi.exe
  2⤵
  PID:10204
- C:\Windows\System\TYsbDWY.exe
  C:\Windows\System\TYsbDWY.exe
  2⤵
  PID:9272
- C:\Windows\System\VHtiTbV.exe
  C:\Windows\System\VHtiTbV.exe
  2⤵
  PID:9500
- C:\Windows\System\TzqnlRf.exe
  C:\Windows\System\TzqnlRf.exe
  2⤵
  PID:9656
- C:\Windows\System\UwnGlVt.exe
  C:\Windows\System\UwnGlVt.exe
  2⤵
  PID:9800
- C:\Windows\System\RCGSJyP.exe
  C:\Windows\System\RCGSJyP.exe
  2⤵
  PID:9972
- C:\Windows\System\fFAgBEv.exe
  C:\Windows\System\fFAgBEv.exe
  2⤵
  PID:5712
- C:\Windows\System\EaPbQcR.exe
  C:\Windows\System\EaPbQcR.exe
  2⤵
  PID:10068
- C:\Windows\System\oSCFkfl.exe
  C:\Windows\System\oSCFkfl.exe
  2⤵
  PID:10184
- C:\Windows\System\pWghQFg.exe
  C:\Windows\System\pWghQFg.exe
  2⤵
  PID:9408
- C:\Windows\System\XisvFFL.exe
  C:\Windows\System\XisvFFL.exe
  2⤵
  PID:9860
- C:\Windows\System\vLZOOqJ.exe
  C:\Windows\System\vLZOOqJ.exe
  2⤵
  PID:2244
- C:\Windows\System\NsyLDxD.exe
  C:\Windows\System\NsyLDxD.exe
  2⤵
  PID:9712
- C:\Windows\System\YdTUlFq.exe
  C:\Windows\System\YdTUlFq.exe
  2⤵
  PID:9468
- C:\Windows\System\rsKukWk.exe
  C:\Windows\System\rsKukWk.exe
  2⤵
  PID:10256
- C:\Windows\System\NBaTuwj.exe
  C:\Windows\System\NBaTuwj.exe
  2⤵
  PID:10276
- C:\Windows\System\HxtXUxX.exe
  C:\Windows\System\HxtXUxX.exe
  2⤵
  PID:10304
- C:\Windows\System\PrzdtQW.exe
  C:\Windows\System\PrzdtQW.exe
  2⤵
  PID:10332
- C:\Windows\System\SlOiBWc.exe
  C:\Windows\System\SlOiBWc.exe
  2⤵
  PID:10360
- C:\Windows\System\hCOlDIg.exe
  C:\Windows\System\hCOlDIg.exe
  2⤵
  PID:10388
- C:\Windows\System\POSUvmU.exe
  C:\Windows\System\POSUvmU.exe
  2⤵
  PID:10416
- C:\Windows\System\aUSIWZs.exe
  C:\Windows\System\aUSIWZs.exe
  2⤵
  PID:10444
- C:\Windows\System\zZnvXsl.exe
  C:\Windows\System\zZnvXsl.exe
  2⤵
  PID:10472
- C:\Windows\System\LgWMVFy.exe
  C:\Windows\System\LgWMVFy.exe
  2⤵
  PID:10504
- C:\Windows\System\yNUShhl.exe
  C:\Windows\System\yNUShhl.exe
  2⤵
  PID:10528
- C:\Windows\System\BHZZcmf.exe
  C:\Windows\System\BHZZcmf.exe
  2⤵
  PID:10564
- C:\Windows\System\CJOjgMA.exe
  C:\Windows\System\CJOjgMA.exe
  2⤵
  PID:10584
- C:\Windows\System\oxVzZoL.exe
  C:\Windows\System\oxVzZoL.exe
  2⤵
  PID:10612
- C:\Windows\System\VIeWZQF.exe
  C:\Windows\System\VIeWZQF.exe
  2⤵
  PID:10640
- C:\Windows\System\vbDAWfo.exe
  C:\Windows\System\vbDAWfo.exe
  2⤵
  PID:10668
- C:\Windows\System\FmSmIrf.exe
  C:\Windows\System\FmSmIrf.exe
  2⤵
  PID:10704
- C:\Windows\System\VgMFVFq.exe
  C:\Windows\System\VgMFVFq.exe
  2⤵
  PID:10724
- C:\Windows\System\VAPvfLd.exe
  C:\Windows\System\VAPvfLd.exe
  2⤵
  PID:10752
- C:\Windows\System\mPAnvzW.exe
  C:\Windows\System\mPAnvzW.exe
  2⤵
  PID:10780
- C:\Windows\System\wJJuRdW.exe
  C:\Windows\System\wJJuRdW.exe
  2⤵
  PID:10808
- C:\Windows\System\pTQrarD.exe
  C:\Windows\System\pTQrarD.exe
  2⤵
  PID:10844
- C:\Windows\System\GIPCjkU.exe
  C:\Windows\System\GIPCjkU.exe
  2⤵
  PID:10864
- C:\Windows\System\JwPznJV.exe
  C:\Windows\System\JwPznJV.exe
  2⤵
  PID:10892
- C:\Windows\System\OVadLao.exe
  C:\Windows\System\OVadLao.exe
  2⤵
  PID:10928
- C:\Windows\System\UERnPbw.exe
  C:\Windows\System\UERnPbw.exe
  2⤵
  PID:10956
- C:\Windows\System\NzStizQ.exe
  C:\Windows\System\NzStizQ.exe
  2⤵
  PID:10976
- C:\Windows\System\rgPjRUw.exe
  C:\Windows\System\rgPjRUw.exe
  2⤵
  PID:11008
- C:\Windows\System\PexfbOZ.exe
  C:\Windows\System\PexfbOZ.exe
  2⤵
  PID:11036
- C:\Windows\System\hPguLXZ.exe
  C:\Windows\System\hPguLXZ.exe
  2⤵
  PID:11064
- C:\Windows\System\wuOzYgP.exe
  C:\Windows\System\wuOzYgP.exe
  2⤵
  PID:11092
- C:\Windows\System\MRdoDtL.exe
  C:\Windows\System\MRdoDtL.exe
  2⤵
  PID:11120
- C:\Windows\System\pULyOEH.exe
  C:\Windows\System\pULyOEH.exe
  2⤵
  PID:11148
- C:\Windows\System\QaTRyHJ.exe
  C:\Windows\System\QaTRyHJ.exe
  2⤵
  PID:11176
- C:\Windows\System\RVwiooU.exe
  C:\Windows\System\RVwiooU.exe
  2⤵
  PID:11204
- C:\Windows\System\PfzKyUW.exe
  C:\Windows\System\PfzKyUW.exe
  2⤵
  PID:11232
- C:\Windows\System\RMUVWfu.exe
  C:\Windows\System\RMUVWfu.exe
  2⤵
  PID:11260
- C:\Windows\System\mANqhny.exe
  C:\Windows\System\mANqhny.exe
  2⤵
  PID:10296
- C:\Windows\System\mTsWFkD.exe
  C:\Windows\System\mTsWFkD.exe
  2⤵
  PID:10356
- C:\Windows\System\qpMqcKK.exe
  C:\Windows\System\qpMqcKK.exe
  2⤵
  PID:10428
- C:\Windows\System\zilLRnH.exe
  C:\Windows\System\zilLRnH.exe
  2⤵
  PID:10492
- C:\Windows\System\QzGCsvk.exe
  C:\Windows\System\QzGCsvk.exe
  2⤵
  PID:10552
- C:\Windows\System\JFxqoiS.exe
  C:\Windows\System\JFxqoiS.exe
  2⤵
  PID:10624
- C:\Windows\System\gzMNcSg.exe
  C:\Windows\System\gzMNcSg.exe
  2⤵
  PID:10688
- C:\Windows\System\lTrfxvP.exe
  C:\Windows\System\lTrfxvP.exe
  2⤵
  PID:3020
- C:\Windows\System\qYHMldf.exe
  C:\Windows\System\qYHMldf.exe
  2⤵
  PID:10804
- C:\Windows\System\TUvTVaH.exe
  C:\Windows\System\TUvTVaH.exe
  2⤵
  PID:10968
- C:\Windows\System\tKccRYW.exe
  C:\Windows\System\tKccRYW.exe
  2⤵
  PID:11032
- C:\Windows\System\hXZsQAM.exe
  C:\Windows\System\hXZsQAM.exe
  2⤵
  PID:11084
- C:\Windows\System\YljXmuk.exe
  C:\Windows\System\YljXmuk.exe
  2⤵
  PID:11168
- C:\Windows\System\KRsyVAU.exe
  C:\Windows\System\KRsyVAU.exe
  2⤵
  PID:11244
- C:\Windows\System\nTWDOay.exe
  C:\Windows\System\nTWDOay.exe
  2⤵
  PID:10352
- C:\Windows\System\inftwcq.exe
  C:\Windows\System\inftwcq.exe
  2⤵
  PID:10484
- C:\Windows\System\EhFudjI.exe
  C:\Windows\System\EhFudjI.exe
  2⤵
  PID:5528
- C:\Windows\System\DelquOT.exe
  C:\Windows\System\DelquOT.exe
  2⤵
  PID:10800
- C:\Windows\System\xfdQrPE.exe
  C:\Windows\System\xfdQrPE.exe
  2⤵
  PID:1776
- C:\Windows\System\iuPsswm.exe
  C:\Windows\System\iuPsswm.exe
  2⤵
  PID:11000
- C:\Windows\System\XanMfve.exe
  C:\Windows\System\XanMfve.exe
  2⤵
  PID:11144
- C:\Windows\System\oilXoRE.exe
  C:\Windows\System\oilXoRE.exe
  2⤵
  PID:10324
- C:\Windows\System\KaBOwQd.exe
  C:\Windows\System\KaBOwQd.exe
  2⤵
  PID:4936
- C:\Windows\System\YnRhKpN.exe
  C:\Windows\System\YnRhKpN.exe
  2⤵
  PID:552
- C:\Windows\System\QBjtkvH.exe
  C:\Windows\System\QBjtkvH.exe
  2⤵
  PID:10264
- C:\Windows\System\HUpMQCj.exe
  C:\Windows\System\HUpMQCj.exe
  2⤵
  PID:4924
- C:\Windows\System\ufcKtqD.exe
  C:\Windows\System\ufcKtqD.exe
  2⤵
  PID:10912
- C:\Windows\System\uNmXqke.exe
  C:\Windows\System\uNmXqke.exe
  2⤵
  PID:11112
- C:\Windows\System\xoehwUg.exe
  C:\Windows\System\xoehwUg.exe
  2⤵
  PID:11288
- C:\Windows\System\tUvVMNf.exe
  C:\Windows\System\tUvVMNf.exe
  2⤵
  PID:11316
- C:\Windows\System\mXPvvwc.exe
  C:\Windows\System\mXPvvwc.exe
  2⤵
  PID:11344
- C:\Windows\System\pWYbubm.exe
  C:\Windows\System\pWYbubm.exe
  2⤵
  PID:11372
- C:\Windows\System\ZHBsEKz.exe
  C:\Windows\System\ZHBsEKz.exe
  2⤵
  PID:11404
- C:\Windows\System\fXycGOj.exe
  C:\Windows\System\fXycGOj.exe
  2⤵
  PID:11428
- C:\Windows\System\gCNtlcB.exe
  C:\Windows\System\gCNtlcB.exe
  2⤵
  PID:11464
- C:\Windows\System\dPMNdOl.exe
  C:\Windows\System\dPMNdOl.exe
  2⤵
  PID:11488
- C:\Windows\System\dqogOyP.exe
  C:\Windows\System\dqogOyP.exe
  2⤵
  PID:11516
- C:\Windows\System\QUQIpbu.exe
  C:\Windows\System\QUQIpbu.exe
  2⤵
  PID:11544
- C:\Windows\System\VTnoRpw.exe
  C:\Windows\System\VTnoRpw.exe
  2⤵
  PID:11580
- C:\Windows\System\bsGKTkS.exe
  C:\Windows\System\bsGKTkS.exe
  2⤵
  PID:11600
- C:\Windows\System\DnofswY.exe
  C:\Windows\System\DnofswY.exe
  2⤵
  PID:11628
- C:\Windows\System\cpkgOGk.exe
  C:\Windows\System\cpkgOGk.exe
  2⤵
  PID:11656
- C:\Windows\System\XtcMLJo.exe
  C:\Windows\System\XtcMLJo.exe
  2⤵
  PID:11684
- C:\Windows\System\bTrngVI.exe
  C:\Windows\System\bTrngVI.exe
  2⤵
  PID:11712
- C:\Windows\System\xeWnKcQ.exe
  C:\Windows\System\xeWnKcQ.exe
  2⤵
  PID:11740
- C:\Windows\System\erPmdTL.exe
  C:\Windows\System\erPmdTL.exe
  2⤵
  PID:11768
- C:\Windows\System\UlwZRHz.exe
  C:\Windows\System\UlwZRHz.exe
  2⤵
  PID:11796
- C:\Windows\System\TrBKkZd.exe
  C:\Windows\System\TrBKkZd.exe
  2⤵
  PID:11824
- C:\Windows\System\UUpcwuz.exe
  C:\Windows\System\UUpcwuz.exe
  2⤵
  PID:11852
- C:\Windows\System\QCglHCm.exe
  C:\Windows\System\QCglHCm.exe
  2⤵
  PID:11880
- C:\Windows\System\vkgpRPP.exe
  C:\Windows\System\vkgpRPP.exe
  2⤵
  PID:11908
- C:\Windows\System\mWvHVXO.exe
  C:\Windows\System\mWvHVXO.exe
  2⤵
  PID:11944
- C:\Windows\System\dmKobZH.exe
  C:\Windows\System\dmKobZH.exe
  2⤵
  PID:11964
- C:\Windows\System\zzIFROa.exe
  C:\Windows\System\zzIFROa.exe
  2⤵
  PID:11992
- C:\Windows\System\chEIVVe.exe
  C:\Windows\System\chEIVVe.exe
  2⤵
  PID:12020
- C:\Windows\System\rUNAsHi.exe
  C:\Windows\System\rUNAsHi.exe
  2⤵
  - Access Token Manipulation: Create Process with Token
  PID:12060
- C:\Windows\System\QKKVNaY.exe
  C:\Windows\System\QKKVNaY.exe
  2⤵
  PID:12080
- C:\Windows\System\GpqBfAh.exe
  C:\Windows\System\GpqBfAh.exe
  2⤵
  PID:12108
- C:\Windows\System\nqPDtxH.exe
  C:\Windows\System\nqPDtxH.exe
  2⤵
  PID:12136
- C:\Windows\System\nGbKJdq.exe
  C:\Windows\System\nGbKJdq.exe
  2⤵
  PID:12164
- C:\Windows\System\uBTmYoL.exe
  C:\Windows\System\uBTmYoL.exe
  2⤵
  PID:12192
- C:\Windows\System\numBZCM.exe
  C:\Windows\System\numBZCM.exe
  2⤵
  PID:12220
- C:\Windows\System\UupuWdf.exe
  C:\Windows\System\UupuWdf.exe
  2⤵
  PID:12248
- C:\Windows\System\JnaGlwD.exe
  C:\Windows\System\JnaGlwD.exe
  2⤵
  PID:12276
- C:\Windows\System\fMeOYVE.exe
  C:\Windows\System\fMeOYVE.exe
  2⤵
  PID:11300
- C:\Windows\System\Ncwtjhh.exe
  C:\Windows\System\Ncwtjhh.exe
  2⤵
  PID:11364
- C:\Windows\System\qXatOav.exe
  C:\Windows\System\qXatOav.exe
  2⤵
  PID:11420
- C:\Windows\System\vQgbdQu.exe
  C:\Windows\System\vQgbdQu.exe
  2⤵
  PID:11528
- C:\Windows\System\TAtPGAn.exe
  C:\Windows\System\TAtPGAn.exe
  2⤵
  PID:112
- C:\Windows\System\ZLPnCsi.exe
  C:\Windows\System\ZLPnCsi.exe
  2⤵
  PID:11592
- C:\Windows\System\PINbOPm.exe
  C:\Windows\System\PINbOPm.exe
  2⤵
  PID:11652
- C:\Windows\System\dsKswjV.exe
  C:\Windows\System\dsKswjV.exe
  2⤵
  PID:11680
- C:\Windows\System\UfHEhZm.exe
  C:\Windows\System\UfHEhZm.exe
  2⤵
  PID:11732
- C:\Windows\System\LiqOcgH.exe
  C:\Windows\System\LiqOcgH.exe
  2⤵
  PID:11792
- C:\Windows\System\VzqBXlH.exe
  C:\Windows\System\VzqBXlH.exe
  2⤵
  PID:3516
- C:\Windows\System\yNGhZdX.exe
  C:\Windows\System\yNGhZdX.exe
  2⤵
  PID:11892
- C:\Windows\System\vYVVezr.exe
  C:\Windows\System\vYVVezr.exe
  2⤵
  PID:11956
- C:\Windows\System\OFodPXX.exe
  C:\Windows\System\OFodPXX.exe
  2⤵
  PID:12032
- C:\Windows\System\dVAzzWy.exe
  C:\Windows\System\dVAzzWy.exe
  2⤵
  PID:12104
- C:\Windows\System\tojWxHH.exe
  C:\Windows\System\tojWxHH.exe
  2⤵
  PID:12156
- C:\Windows\System\VpYJauo.exe
  C:\Windows\System\VpYJauo.exe
  2⤵
  PID:12216
- C:\Windows\System\QIVXZdV.exe
  C:\Windows\System\QIVXZdV.exe
  2⤵
  PID:11272
- C:\Windows\System\BMuYQKm.exe
  C:\Windows\System\BMuYQKm.exe
  2⤵
  PID:11412
- C:\Windows\System\TiqkdUY.exe
  C:\Windows\System\TiqkdUY.exe
  2⤵
  PID:11556
- C:\Windows\System\cHSusEP.exe
  C:\Windows\System\cHSusEP.exe
  2⤵
  PID:2492
- C:\Windows\System\QhdqltV.exe
  C:\Windows\System\QhdqltV.exe
  2⤵
  PID:11780
- C:\Windows\System\WxNQVXs.exe
  C:\Windows\System\WxNQVXs.exe
  2⤵
  PID:11864
- C:\Windows\System\DEhVOXi.exe
  C:\Windows\System\DEhVOXi.exe
  2⤵
  PID:12072
- C:\Windows\System\DCVUTgn.exe
  C:\Windows\System\DCVUTgn.exe
  2⤵
  PID:12204
- C:\Windows\System\mFyCVuL.exe
  C:\Windows\System\mFyCVuL.exe
  2⤵
  PID:11392
- C:\Windows\System\eObXNGl.exe
  C:\Windows\System\eObXNGl.exe
  2⤵
  PID:4324
- C:\Windows\System\ccTLaie.exe
  C:\Windows\System\ccTLaie.exe
  2⤵
  PID:12016
- C:\Windows\System\eYUpRyW.exe
  C:\Windows\System\eYUpRyW.exe
  2⤵
  PID:11356
- C:\Windows\System\zmxPCCA.exe
  C:\Windows\System\zmxPCCA.exe
  2⤵
  PID:12148
- C:\Windows\System\dtLVCul.exe
  C:\Windows\System\dtLVCul.exe
  2⤵
  PID:11952
- C:\Windows\System\xzUaSsN.exe
  C:\Windows\System\xzUaSsN.exe
  2⤵
  PID:12316
- C:\Windows\System\nCHmtcB.exe
  C:\Windows\System\nCHmtcB.exe
  2⤵
  PID:12344
- C:\Windows\System\QhBeABO.exe
  C:\Windows\System\QhBeABO.exe
  2⤵
  PID:12372
- C:\Windows\System\ShzTPNG.exe
  C:\Windows\System\ShzTPNG.exe
  2⤵
  PID:12400
- C:\Windows\System\DkpGrzH.exe
  C:\Windows\System\DkpGrzH.exe
  2⤵
  PID:12428
- C:\Windows\System\VsUShWs.exe
  C:\Windows\System\VsUShWs.exe
  2⤵
  PID:12456
- C:\Windows\System\hZIiuBm.exe
  C:\Windows\System\hZIiuBm.exe
  2⤵
  PID:12484
- C:\Windows\System\YBMWzgf.exe
  C:\Windows\System\YBMWzgf.exe
  2⤵
  PID:12512
- C:\Windows\System\qdfGGxB.exe
  C:\Windows\System\qdfGGxB.exe
  2⤵
  PID:12540
- C:\Windows\System\NDbjkio.exe
  C:\Windows\System\NDbjkio.exe
  2⤵
  PID:12568
- C:\Windows\System\EeljSny.exe
  C:\Windows\System\EeljSny.exe
  2⤵
  PID:12596
- C:\Windows\System\EgDCKpo.exe
  C:\Windows\System\EgDCKpo.exe
  2⤵
  PID:12624
- C:\Windows\System\XmJYxrA.exe
  C:\Windows\System\XmJYxrA.exe
  2⤵
  PID:12652
- C:\Windows\System\KJzfaSD.exe
  C:\Windows\System\KJzfaSD.exe
  2⤵
  PID:12680
- C:\Windows\System\uMedEUQ.exe
  C:\Windows\System\uMedEUQ.exe
  2⤵
  PID:12708
- C:\Windows\System\svAbIYa.exe
  C:\Windows\System\svAbIYa.exe
  2⤵
  PID:12736
- C:\Windows\System\yXyoqQw.exe
  C:\Windows\System\yXyoqQw.exe
  2⤵
  PID:12764
- C:\Windows\System\OUCMcFJ.exe
  C:\Windows\System\OUCMcFJ.exe
  2⤵
  PID:12792
- C:\Windows\System\slfNiXE.exe
  C:\Windows\System\slfNiXE.exe
  2⤵
  PID:12820
- C:\Windows\System\OmwnNAZ.exe
  C:\Windows\System\OmwnNAZ.exe
  2⤵
  PID:12848
- C:\Windows\System\VlcskkL.exe
  C:\Windows\System\VlcskkL.exe
  2⤵
  PID:12876
- C:\Windows\System\eBerCdG.exe
  C:\Windows\System\eBerCdG.exe
  2⤵
  PID:12904
- C:\Windows\System\pFZtgii.exe
  C:\Windows\System\pFZtgii.exe
  2⤵
  PID:12932
- C:\Windows\System\bxAJnef.exe
  C:\Windows\System\bxAJnef.exe
  2⤵
  PID:12960
- C:\Windows\System\gxjnXHb.exe
  C:\Windows\System\gxjnXHb.exe
  2⤵
  PID:12988
- C:\Windows\System\TchcVRR.exe
  C:\Windows\System\TchcVRR.exe
  2⤵
  PID:13016
- C:\Windows\System\GcAgZvb.exe
  C:\Windows\System\GcAgZvb.exe
  2⤵
  PID:13044
- C:\Windows\System\XMUYucP.exe
  C:\Windows\System\XMUYucP.exe
  2⤵
  PID:13076
- C:\Windows\System\wfUqxlr.exe
  C:\Windows\System\wfUqxlr.exe
  2⤵
  PID:13104
- C:\Windows\System\uYgEJLB.exe
  C:\Windows\System\uYgEJLB.exe
  2⤵
  PID:13132
- C:\Windows\System\AxVqndy.exe
  C:\Windows\System\AxVqndy.exe
  2⤵
  PID:13160
- C:\Windows\System\EorForO.exe
  C:\Windows\System\EorForO.exe
  2⤵
  PID:13188
- C:\Windows\System\lnrpfbJ.exe
  C:\Windows\System\lnrpfbJ.exe
  2⤵
  PID:13228
- C:\Windows\System\LHmmsAp.exe
  C:\Windows\System\LHmmsAp.exe
  2⤵
  PID:13244
- C:\Windows\System\RORBhls.exe
  C:\Windows\System\RORBhls.exe
  2⤵
  PID:13272
- C:\Windows\System\MijSzJk.exe
  C:\Windows\System\MijSzJk.exe
  2⤵
  PID:13300
- C:\Windows\System\iczfKPX.exe
  C:\Windows\System\iczfKPX.exe
  2⤵
  PID:12328
- C:\Windows\System\khaGPXi.exe
  C:\Windows\System\khaGPXi.exe
  2⤵
  PID:12392
- C:\Windows\System\wDdraLN.exe
  C:\Windows\System\wDdraLN.exe
  2⤵
  PID:12452
- C:\Windows\System\KMvNdIW.exe
  C:\Windows\System\KMvNdIW.exe
  2⤵
  PID:12532
- C:\Windows\System\vlWvGqI.exe
  C:\Windows\System\vlWvGqI.exe
  2⤵
  PID:11876
- C:\Windows\System\WcqICNX.exe
  C:\Windows\System\WcqICNX.exe
  2⤵
  PID:12644
- C:\Windows\System\kSILeXj.exe
  C:\Windows\System\kSILeXj.exe
  2⤵
  PID:12704
- C:\Windows\System\LVWTkQJ.exe
  C:\Windows\System\LVWTkQJ.exe
  2⤵
  PID:12776
- C:\Windows\System\CKcWCak.exe
  C:\Windows\System\CKcWCak.exe
  2⤵
  PID:12832
- C:\Windows\System\XelgSmu.exe
  C:\Windows\System\XelgSmu.exe
  2⤵
  PID:12896
- C:\Windows\System\awHvCmN.exe
  C:\Windows\System\awHvCmN.exe
  2⤵
  PID:12956
- C:\Windows\System\HaDCxXL.exe
  C:\Windows\System\HaDCxXL.exe
  2⤵
  PID:13028
- C:\Windows\System\pShRtmk.exe
  C:\Windows\System\pShRtmk.exe
  2⤵
  PID:13096
- C:\Windows\System\pxivhSR.exe
  C:\Windows\System\pxivhSR.exe
  2⤵
  PID:13156
- C:\Windows\System\PfPaYPb.exe
  C:\Windows\System\PfPaYPb.exe
  2⤵
  PID:13212
- C:\Windows\System\buJOcYF.exe
  C:\Windows\System\buJOcYF.exe
  2⤵
  PID:13292
- C:\Windows\System\EdiTSxg.exe
  C:\Windows\System\EdiTSxg.exe
  2⤵
  PID:12384
- C:\Windows\System\OgzaFQw.exe
  C:\Windows\System\OgzaFQw.exe
  2⤵
  PID:12508
- C:\Windows\System\GWRAWdd.exe
  C:\Windows\System\GWRAWdd.exe
  2⤵
  PID:12672
- C:\Windows\System\pSaEjeK.exe
  C:\Windows\System\pSaEjeK.exe
  2⤵
  PID:12816
- C:\Windows\System\TmyOwnv.exe
  C:\Windows\System\TmyOwnv.exe
  2⤵
  PID:12952
- C:\Windows\System\hFEDXey.exe
  C:\Windows\System\hFEDXey.exe
  2⤵
  PID:13124
- C:\Windows\System\yeZWZMk.exe
  C:\Windows\System\yeZWZMk.exe
  2⤵
  PID:13268
- C:\Windows\System\TqZhMkv.exe
  C:\Windows\System\TqZhMkv.exe
  2⤵
  PID:12504
- C:\Windows\System\dzbmDld.exe
  C:\Windows\System\dzbmDld.exe
  2⤵
  PID:12888
- C:\Windows\System\pAVSmjk.exe
  C:\Windows\System\pAVSmjk.exe
  2⤵
  PID:13224
- C:\Windows\System\buglkTL.exe
  C:\Windows\System\buglkTL.exe
  2⤵
  PID:13012
- C:\Windows\System\GzMqqUf.exe
  C:\Windows\System\GzMqqUf.exe
  2⤵
  PID:13184
- C:\Windows\System\KVlSuiN.exe
  C:\Windows\System\KVlSuiN.exe
  2⤵
  PID:13332
- C:\Windows\System\lgKUAnF.exe
  C:\Windows\System\lgKUAnF.exe
  2⤵
  PID:13360
- C:\Windows\System\qXhmWKR.exe
  C:\Windows\System\qXhmWKR.exe
  2⤵
  PID:13388
- C:\Windows\System\aciXgdr.exe
  C:\Windows\System\aciXgdr.exe
  2⤵
  PID:13416
- C:\Windows\System\gPTUvCn.exe
  C:\Windows\System\gPTUvCn.exe
  2⤵
  PID:13456
- C:\Windows\System\KgXxEsZ.exe
  C:\Windows\System\KgXxEsZ.exe
  2⤵
  PID:13476
- C:\Windows\System\mdPwcwM.exe
  C:\Windows\System\mdPwcwM.exe
  2⤵
  PID:13500
- C:\Windows\System\GuaznYL.exe
  C:\Windows\System\GuaznYL.exe
  2⤵
  PID:13528
- C:\Windows\System\OyfocWL.exe
  C:\Windows\System\OyfocWL.exe
  2⤵
  PID:13556
- C:\Windows\System\mibreUO.exe
  C:\Windows\System\mibreUO.exe
  2⤵
  PID:13584
- C:\Windows\System\RPgxSKg.exe
  C:\Windows\System\RPgxSKg.exe
  2⤵
  PID:13612
- C:\Windows\System\uQExlAg.exe
  C:\Windows\System\uQExlAg.exe
  2⤵
  PID:13640
- C:\Windows\System\HAzAzji.exe
  C:\Windows\System\HAzAzji.exe
  2⤵
  PID:13668
- C:\Windows\System\loqdejW.exe
  C:\Windows\System\loqdejW.exe
  2⤵
  PID:13696
- C:\Windows\System\uoCccdz.exe
  C:\Windows\System\uoCccdz.exe
  2⤵
  PID:13724
- C:\Windows\System\bbYRZVP.exe
  C:\Windows\System\bbYRZVP.exe
  2⤵
  PID:13752
- C:\Windows\System\qfVwcxn.exe
  C:\Windows\System\qfVwcxn.exe
  2⤵
  PID:13780
- C:\Windows\System\kLOAFVi.exe
  C:\Windows\System\kLOAFVi.exe
  2⤵
  PID:13808
- C:\Windows\System\xUkTIOC.exe
  C:\Windows\System\xUkTIOC.exe
  2⤵
  PID:13836
- C:\Windows\System\GgWXRPw.exe
  C:\Windows\System\GgWXRPw.exe
  2⤵
  PID:13868
- C:\Windows\System\kjqVsJi.exe
  C:\Windows\System\kjqVsJi.exe
  2⤵
  PID:13892
- C:\Windows\System\AgUoNMt.exe
  C:\Windows\System\AgUoNMt.exe
  2⤵
  PID:13920
- C:\Windows\System\ZNXloCR.exe
  C:\Windows\System\ZNXloCR.exe
  2⤵
  PID:13952
- C:\Windows\System\ekhqCwl.exe
  C:\Windows\System\ekhqCwl.exe
  2⤵
  PID:13980
- C:\Windows\System\bwMzOld.exe
  C:\Windows\System\bwMzOld.exe
  2⤵
  PID:14016
- C:\Windows\System\NpzLeaJ.exe
  C:\Windows\System\NpzLeaJ.exe
  2⤵
  PID:14036
- C:\Windows\System\isgtnxF.exe
  C:\Windows\System\isgtnxF.exe
  2⤵
  PID:14064
- C:\Windows\System\dlSzORX.exe
  C:\Windows\System\dlSzORX.exe
  2⤵
  PID:14092
- C:\Windows\System\xvRtzDj.exe
  C:\Windows\System\xvRtzDj.exe
  2⤵
  PID:14120
- C:\Windows\System\PRvQtub.exe
  C:\Windows\System\PRvQtub.exe
  2⤵
  PID:14148
- C:\Windows\System\QCTYulX.exe
  C:\Windows\System\QCTYulX.exe
  2⤵
  PID:14176
- C:\Windows\System\HlCoqxA.exe
  C:\Windows\System\HlCoqxA.exe
  2⤵
  PID:14204
- C:\Windows\System\rzuKwtm.exe
  C:\Windows\System\rzuKwtm.exe
  2⤵
  PID:14232
- C:\Windows\System\KAnGRbU.exe
  C:\Windows\System\KAnGRbU.exe
  2⤵
  PID:14260
- C:\Windows\System\ildjuMM.exe
  C:\Windows\System\ildjuMM.exe
  2⤵
  PID:14288
- C:\Windows\System\ehdFACJ.exe
  C:\Windows\System\ehdFACJ.exe
  2⤵
  PID:14316
- C:\Windows\System\guvCBpX.exe
  C:\Windows\System\guvCBpX.exe
  2⤵
  PID:13328
- C:\Windows\System\JiSKHZJ.exe
  C:\Windows\System\JiSKHZJ.exe
  2⤵
  PID:13400
- C:\Windows\System\CPLGney.exe
  C:\Windows\System\CPLGney.exe
  2⤵
  PID:13468
- C:\Windows\System\LiNutSo.exe
  C:\Windows\System\LiNutSo.exe
  2⤵
  PID:13524
- C:\Windows\System\pCZAboO.exe
  C:\Windows\System\pCZAboO.exe
  2⤵
  PID:13596
- C:\Windows\System\GNyEktK.exe
  C:\Windows\System\GNyEktK.exe
  2⤵
  PID:13660
- C:\Windows\System\FyQFnCo.exe
  C:\Windows\System\FyQFnCo.exe
  2⤵
  PID:13720
- C:\Windows\System\mXEAAjb.exe
  C:\Windows\System\mXEAAjb.exe
  2⤵
  PID:13776
- C:\Windows\System\yNlKVXj.exe
  C:\Windows\System\yNlKVXj.exe
  2⤵
  PID:13848
- C:\Windows\System\QufUtEE.exe
  C:\Windows\System\QufUtEE.exe
  2⤵
  PID:13912
- C:\Windows\System\lNTWHyt.exe
  C:\Windows\System\lNTWHyt.exe
  2⤵
  PID:13976
- C:\Windows\System\MhlGsdX.exe
  C:\Windows\System\MhlGsdX.exe
  2⤵
  PID:14048
- C:\Windows\System\qBeBomR.exe
  C:\Windows\System\qBeBomR.exe
  2⤵
  PID:14112
- C:\Windows\System\jzxgcWM.exe
  C:\Windows\System\jzxgcWM.exe
  2⤵
  PID:14172
- C:\Windows\System\iznDlfN.exe
  C:\Windows\System\iznDlfN.exe
  2⤵
  PID:14244
- C:\Windows\System\lYypPtj.exe
  C:\Windows\System\lYypPtj.exe
  2⤵
  PID:14308
- C:\Windows\System\UThKBrG.exe
  C:\Windows\System\UThKBrG.exe
  2⤵
  PID:13380
- C:\Windows\System\RWGMtmV.exe
  C:\Windows\System\RWGMtmV.exe
  2⤵
  PID:13552
- C:\Windows\System\seJlBem.exe
  C:\Windows\System\seJlBem.exe
  2⤵
  PID:13716
- C:\Windows\System\DWGRyDh.exe
  C:\Windows\System\DWGRyDh.exe
  2⤵
  PID:13876
- C:\Windows\System\oBxyvzZ.exe
  C:\Windows\System\oBxyvzZ.exe
  2⤵
  PID:14004
- C:\Windows\System\zzHqZlq.exe
  C:\Windows\System\zzHqZlq.exe
  2⤵
  PID:14160
- C:\Windows\System\XgSoXeA.exe
  C:\Windows\System\XgSoXeA.exe
  2⤵
  PID:14300
- C:\Windows\System\tOlcmdN.exe
  C:\Windows\System\tOlcmdN.exe
  2⤵
  PID:13624
- C:\Windows\System\tUIRZtF.exe
  C:\Windows\System\tUIRZtF.exe
  2⤵
  PID:13964
- C:\Windows\System\oMHpRTa.exe
  C:\Windows\System\oMHpRTa.exe
  2⤵
  PID:14284
- C:\Windows\System\nJvagpl.exe
  C:\Windows\System\nJvagpl.exe
  2⤵
  PID:14104
- C:\Windows\System\HjADMnY.exe
  C:\Windows\System\HjADMnY.exe
  2⤵
  PID:13944
- C:\Windows\System\cEJrtIs.exe
  C:\Windows\System\cEJrtIs.exe
  2⤵
  PID:14364
- C:\Windows\System\tcBZjzv.exe
  C:\Windows\System\tcBZjzv.exe
  2⤵
  PID:14392
- C:\Windows\System\WiYfGCo.exe
  C:\Windows\System\WiYfGCo.exe
  2⤵
  PID:14420
- C:\Windows\System\bzQYUDJ.exe
  C:\Windows\System\bzQYUDJ.exe
  2⤵
  PID:14448
- C:\Windows\System\AtYFEJm.exe
  C:\Windows\System\AtYFEJm.exe
  2⤵
  PID:14476
- C:\Windows\System\hgvGmRu.exe
  C:\Windows\System\hgvGmRu.exe
  2⤵
  PID:14504
- C:\Windows\System\aczCbYM.exe
  C:\Windows\System\aczCbYM.exe
  2⤵
  PID:14532
- C:\Windows\System\npQJzQi.exe
  C:\Windows\System\npQJzQi.exe
  2⤵
  PID:14560
- C:\Windows\System\UkFfpZm.exe
  C:\Windows\System\UkFfpZm.exe
  2⤵
  PID:14588
- C:\Windows\System\PgTKYLC.exe
  C:\Windows\System\PgTKYLC.exe
  2⤵
  PID:14616
- C:\Windows\System\YVVwNPr.exe
  C:\Windows\System\YVVwNPr.exe
  2⤵
  PID:14644
- C:\Windows\System\utDqGBQ.exe
  C:\Windows\System\utDqGBQ.exe
  2⤵
  PID:14680
- C:\Windows\System\qBgkCfW.exe
  C:\Windows\System\qBgkCfW.exe
  2⤵
  PID:14712
- C:\Windows\System\EcrAUup.exe
  C:\Windows\System\EcrAUup.exe
  2⤵
  PID:14728
- C:\Windows\System\MPuGJgw.exe
  C:\Windows\System\MPuGJgw.exe
  2⤵
  PID:14756
- C:\Windows\System\WJpeybe.exe
  C:\Windows\System\WJpeybe.exe
  2⤵
  PID:14784
- C:\Windows\System\wnPxQdP.exe
  C:\Windows\System\wnPxQdP.exe
  2⤵
  PID:14812
- C:\Windows\System\AcDQTiY.exe
  C:\Windows\System\AcDQTiY.exe
  2⤵
  PID:14840
- C:\Windows\System\mAQaxYV.exe
  C:\Windows\System\mAQaxYV.exe
  2⤵
  PID:14868
- C:\Windows\System\bPrZsdi.exe
  C:\Windows\System\bPrZsdi.exe
  2⤵
  PID:14900
- C:\Windows\System\qQzeFHf.exe
  C:\Windows\System\qQzeFHf.exe
  2⤵
  PID:14928
- C:\Windows\System\IpoKKqx.exe
  C:\Windows\System\IpoKKqx.exe
  2⤵
  PID:14956
- C:\Windows\System\EINQCrV.exe
  C:\Windows\System\EINQCrV.exe
  2⤵
  PID:14984
- C:\Windows\System\wpKaCLa.exe
  C:\Windows\System\wpKaCLa.exe
  2⤵
  PID:15012
- C:\Windows\System\OfmhftK.exe
  C:\Windows\System\OfmhftK.exe
  2⤵
  PID:15040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\GcBdAdt.exe

Filesize
6.0MB

MD5
3e5ca1c1f8ee0a22ed6457363ff8a953

SHA1
ec36e11d8dc6ef54324525653f61e23f14446483

SHA256
82d72b916c12c749d6bb6d86fea05c2d23cf9100719a1efd4986886a98a5b1fa

SHA512
05245fe417010a38226d8cc493d1883514d21da8d67eacea20ae40005ba151f1eff2b223b37dc1c26ca07aeb14b1a927056fd8c9cfa6749da398f0cc5763b9bf

Download Submit
C:\Windows\System\GtBcnDW.exe

Filesize
6.0MB

MD5
70da72dcfe74c6db7580876ac04eef8a

SHA1
37a7d2848eb8591e9ccc9bec2ce2443ed493e3ae

SHA256
24a91ceed57304601736207675e9d82b037f89373df3e2126803bebba6c73fe8

SHA512
20d4bfe3f998f5619f5a34821baba1d4d427a7fdd1863103edb2ea6d8d1e25baac49f442c165f3635589e08e7969d26dc65a4f45b66af9eb976766387d3c6e7e

Download Submit
C:\Windows\System\KeVzXFc.exe

Filesize
6.0MB

MD5
5f6c2d01f74554a1964102962c192f6f

SHA1
109f8300836c62d1a64b004c2dbe5975f4076b57

SHA256
0f1affe1bbc96d29ee7b3d967fe96a43f2eb58e6bd98d674f024e82aac3f5b53

SHA512
ed9411dea6ff2840b1636a38fde218f1b399ab18ddf482287d1cb0457d49f301a09ec29e5da79dd9bbf06c3628c03c6f4e820ce669c9cde540b483c625608ac4

Download Submit
C:\Windows\System\LKKfhHd.exe

Filesize
6.0MB

MD5
2b8dc663c2e33b09c2c9caa608aa7c20

SHA1
0e264e09bdec63e35c9c93c3f760ee526c20eaf2

SHA256
cc88231c86689dbfb8dceab36e0165fbca4443fe62bb8f541b1ffea8b999339a

SHA512
cda1aaf9717e27824f74007eed13761ab8c4c71b1d1d9a6b8de8673e5903e6131a8b4859aa5e7166e3847e0f2a05be06180d148c05b2749acfec9514fe7200a6

Download Submit
C:\Windows\System\MsDsnkk.exe

Filesize
6.0MB

MD5
419f92ef818075141d0f3e6b62a94685

SHA1
7f1291910eaa3b80824fea0315c52be2febc38de

SHA256
be2ba361845e516dfe93ecf0532efdc470dfa8f9387a684525cb19cf0892ceea

SHA512
ad6e1d4e34f7b9057b565f56966c6fe69900ffe38663dac8a4b44d85979c991b1012d499b4bd26ef4cf7bc2778098d8e1d27e3550f0af022753da77ea0e2a300

Download Submit
C:\Windows\System\Qexlxdh.exe

Filesize
6.0MB

MD5
b57a757663e0e9ad1e6e51fe7a94b006

SHA1
45b97d3bccde1114e23c22c1fa7035e00367b3b0

SHA256
27faef54b23968ea9626cf945ededad1c79fc39c1e613219ffc0af3583218e75

SHA512
f09cc01e2265b6c8292b3646c540e6f68f6fcaa7721e7373b25ca44c3c321c0a4c08339c1711c3a935729dccf19228b1755241ce5cd3201e195bec78067f84a3

Download Submit
C:\Windows\System\SWuGRCw.exe

Filesize
6.0MB

MD5
173514100ba61ccc4e938c8885cbd8d9

SHA1
70c1cbf4bf9e7791dec5ac182d3db24ffba1c3f9

SHA256
867f3effa88d6ad9244841c6bf566d4809eb4e31d8cb056275ae819bf07f4320

SHA512
d302640652923e125e14675507509f43e34a35acf047607b8c40a5cfbb697a085ed0d4bd2664df32136612a444adf6af95d25766b13e87d045c1ccaf3de26d6f

Download Submit
C:\Windows\System\SaDWAAJ.exe

Filesize
6.0MB

MD5
37370a68b51dde409019c358f111b9b1

SHA1
231e243f2f35c1fdd355a5eb1e0e20b94625640e

SHA256
2a97fbde771a645ff6e6b9bd09b2b0737ee36c317967730f4dc24856669a6a52

SHA512
af881dd4908759bcee9df51f19d1cde4d3ea508fe59452df2aa6aee6a9a0e7bc31b9f2fca592b2377bddb7ce9f03d16a55b4c855c4ab60521326d431f23d0747

Download Submit
C:\Windows\System\SyTxDTj.exe

Filesize
6.0MB

MD5
c7f3eec9e021d238e7b6e67876615913

SHA1
884ecf9d796c79ec075a47a124dd14d2619bc579

SHA256
ba6f2605cf98283d51d0bb53cce4f19cbbb64052f66f5f5c2e952fdd1716fd88

SHA512
8bba73668b7f3000b8af9fd9df62a8643e1f1db496716d34f7cb84ef73a77acfcf421cdf71bd139365b8d0614c5ac0e4f1fba7e948a10064718c1779708a1e3b

Download Submit
C:\Windows\System\UBSBcAo.exe

Filesize
6.0MB

MD5
83ddf30b5403cded17b121bd37ae8e76

SHA1
97e9796e31d549802e59f594fdda49794b276b08

SHA256
a04a416dfb97692e85ae471699e0dc54ab38f75da350eef8e416149f8be58ef5

SHA512
71ac44e9084f5fe03bdde5a50f227315ccf4790f55b8236f5480c61cf1c1a90e71d3de49a7da1f680097c8e509fdff686d4af2d7a2f4fc2aadf493d1a3c4f8af

Download Submit
C:\Windows\System\UtRwVoG.exe

Filesize
6.0MB

MD5
01735fb929178571257e721c2e55d8a7

SHA1
8177d94b29f4e880d893b2375ddbd49ffc0b8bca

SHA256
ced63f9004db7b3910464cbdabd229fc7eea83ac1764ab5c84f90ada6769a7d8

SHA512
4fae11316feb519c3537df623698963331c0b839fa1d2a70d274f94212258284dc7f07b3e890aff5afe38010c3b7b6d4fde12288eb7594f31fdcb6a637ac0f28

Download Submit
C:\Windows\System\WjDPOai.exe

Filesize
6.0MB

MD5
14a2b2dfe885353aa3160a0f2fc11c8f

SHA1
d21f03dd319ff21e0c1120e0f3bb59b9152d93bd

SHA256
ff609eb2262117146b349f22363edb403d886948fc7871bff3fd93f73b445ed4

SHA512
62649b95732a36ecac436241251c304b30edd8078454b2c4ee875a850b03b3972bcba2be14b6e5ed563a0bbe1ba0d98586e1bf3e5b543ae9305e5a68a8e2b0ff

Download Submit
C:\Windows\System\YaBlKux.exe

Filesize
6.0MB

MD5
08590400dffdf37d63cfcaa3185b194b

SHA1
3df9d5446f248955b0ec6fabd959e2483ad7e7eb

SHA256
922b34d8745a2f12318fa099b77d66450e4aa71abab99f75781a09e3278782ed

SHA512
8c2191a4d207a2266121f6453f4fff46985bb0d403e9bc87f7c5fd195fe5ad5e2561efc933f2f01f1706ed857726410baf87585facc9ac950aee97ba4e485ce3

Download Submit
C:\Windows\System\ZnehlUN.exe

Filesize
6.0MB

MD5
0f8ba9a50609778ca52f80e926586c6b

SHA1
bc28eb053e84a4c734b5e26a1e2acce66315e726

SHA256
b9ed21f2effa980b91f904c3095c8c2bdfff1ba99ee2095257766bdf38079974

SHA512
029ecb2621bcd60c49064f2c4a5cc519f9fbcbbeee97057b1164685c863d0b02032b93abb07ce13fa3c6c09855ae22fa8de6ea7f976cd2fc298dd6c04664c441

Download Submit
C:\Windows\System\aVpgjBb.exe

Filesize
6.0MB

MD5
c172d4614a9dbfff207ab9024bf86936

SHA1
38002eb42f9cddd2423ea23a5060f3aeb73bf467

SHA256
2547b61a5190a7045f6113a372886178fe7744e42a340776571a92fb089b35aa

SHA512
b1322cdc6666ba4d7068365e4413d73d96999ef56a0f701a0257c03d88b2a16f1e91d525604ec688cc22285416510e956d39df5c87bc1af9f608b4081e12f29d

Download Submit
C:\Windows\System\cHonKZm.exe

Filesize
6.0MB

MD5
0020d886c77d08850fafd29b20c76cfd

SHA1
00ed3f45041978eb9689d8f851906ec19e587b4b

SHA256
ef53b73d740f5858fd9fab3db01c42ecbe711f2222cc5437646b163557613ce1

SHA512
0a397139cb17d2757e29bfcd7ef054dac97ad4aa5e4ee706595f17e344f2554b44c584ad2856115e2cf36e439baf22e147d4f1c95c0b9105525dd103af224ddb

Download Submit
C:\Windows\System\cnVgGoB.exe

Filesize
6.0MB

MD5
f0fb60d4b0ae48db27264f1dfe25cc50

SHA1
f9ead94a91bcb47eb2afb9a50e7965d2ade6dc61

SHA256
b636ee028c2a053ec1048d5825c5d669a87a49d70e186c3a44f13f3d7a721cd6

SHA512
1713a37b798f346c93f6a8230576e50687796e512ff48f34dd120563523692466917754695b8ffb617fa6378d7147ca1ac4a2a6f75d9660e7f5f3e76131ea221

Download Submit
C:\Windows\System\eAXqqIb.exe

Filesize
6.0MB

MD5
6935986371685c9c22a03d6d31e446f8

SHA1
dd051422cde8ef6ed01d6d3cd403fcd1053b25e1

SHA256
1764ecf63b677f0911164ff3835ad2d12ab78a3c0c3614ad7acce151b45b5b3a

SHA512
332f248ae9c4a6633c7e301201589e51af04e099b93ed9e48edd4c061a589f86e3fcf467db0f46493f34e47747c81e5f4b576e7d9dc3b65aa2d38ca82263c8b7

Download Submit
C:\Windows\System\eZdJHvA.exe

Filesize
6.0MB

MD5
2e4a37d463ad5dfccdfae850fcbb79d2

SHA1
da1da1ed8c13abc8d6156aa9ce909c188ec7e65f

SHA256
d3e1b72a34387003443ed1ad9d02a50229c528f879720761ba8dfbcccde94cc7

SHA512
08dd87db3b55cce0ff89a272abf0b7ab050231873b8af75246993197f56efdadead562904a46c2972f90f417a5eec8013d0fe347bf27e8fafd83c1b0e838782e

Download Submit
C:\Windows\System\gTezVEd.exe

Filesize
6.0MB

MD5
05d8284b5c4feb8b962ad3c46cdb8fe2

SHA1
ff2675cf527b9e1cd73cb7f3344c48349aac0ec4

SHA256
5460f955caf40b7ca73e757c7f175a07f22ba11079fce977c2183b6e1529869f

SHA512
73952e38b5c5a17288db2db42627de7cf7cb967a3a2f9f40e0afbd44a2a49bb6641320df24534d7bf3c33b280789e20b307f53d4e5b4551a28ee96bae1512fa7

Download Submit
C:\Windows\System\lnnARcB.exe

Filesize
6.0MB

MD5
7fc70a12e64f65dc3a8961f4d4ed1292

SHA1
eb3d875fb79185bdac569f2b83767955b1179048

SHA256
f2e1027e0afb79a578c7a2fd75f8d27643e79454103c4900ff6a58a37862ad21

SHA512
0cfb6c278b121e7bf8eaeed723a7cc6b92d9b2034606cbb78cc3802d2b025f183d9b7549525daaa70a6624b1a40403e431c9e97356d410ec5992464900e8e260

Download Submit
C:\Windows\System\meulpGb.exe

Filesize
6.0MB

MD5
ba2fc97e4c9550f8c3e51467a19d2467

SHA1
de0cd2af0bdc624b417bd72825fae247e2d0e694

SHA256
e26f91febc77bc71dd8a7f0ebf44be27a48438742a59e62103fafbda570731fb

SHA512
8e5ffd8f04f794b494254034492b5b9acfd9dbc871919c38dfa2f53983ef2146941b3989cfee5eb265e2075b7e27c4b88e520545c3d7052db2934e9f46774279

Download Submit
C:\Windows\System\nUEaLWG.exe

Filesize
6.0MB

MD5
89376155df8f100ec61273108103ce76

SHA1
2635d3d0988c6f18cca0025efb68618f3d89b840

SHA256
d333372ea451cca94a5964d2431e94ca398df216608f41c84af7d072f4dea719

SHA512
bfb8390b78746d5af0c972d6bbac0ed1b1af236274e320da6f929ea355d704ff4cce7232a130438b9a8bc61394c536a0a5d570568a96859b6bdb1f7107028ff1

Download Submit
C:\Windows\System\pSqTnPX.exe

Filesize
6.0MB

MD5
2ca5ed73d371e0a560efcaf0d2b19da9

SHA1
815ee90e75ca17fe746bd812f128408df4d372d4

SHA256
12c2a90eb4d46279c7e31ae86a986478849565eb6770516e5daf270d3947cb34

SHA512
864f55ddde11fe9a6a61aeb80d82b62459734ddc8edd8579354182562a679c7f63ddb14b3737d824abb6dd9afb3b49879960124e82be03e41ac5dafa24d7f34c

Download Submit
C:\Windows\System\qjAuvZn.exe

Filesize
6.0MB

MD5
6c598cd9ac2866b39e266ea5803cb4f1

SHA1
079e077350a3cca2585708e6e24fd4e454df8d32

SHA256
57d61d2cfb89c6d6f441a36ab5f72f1758e270f901960ee5283891790a36efea

SHA512
6669a8f3e0ffa1577c12e5735aa4945f20739c0e2618bf1487801edf4becd545fcb8f224a38ff4e3a84da915ccb8e7b3a480e37509ecc643322ab3dd79de0f1b

Download Submit
C:\Windows\System\sOOWBlD.exe

Filesize
6.0MB

MD5
416d121933451343bd2dc5fc45a60f86

SHA1
7a57fa5422017f35f1e0ebaf05a130bdee05563c

SHA256
d1671a3f82b44fd87b2bb858d3b6c0f6c4da125abc64daf48f1844d9c8ae95eb

SHA512
1772607d2f6043e8bf4908ba0a7d668e2c6e9f7bd4b024efae5db332fcdafb0ac19318ced6c9267a28121250cd7a005ffe7bf2f882b281502b7537420a708887

Download Submit
C:\Windows\System\sucSZFl.exe

Filesize
6.0MB

MD5
b24b13987dd6a1ad129204ec5ab350ac

SHA1
c40eb52e7a8a7357e5abb0b3bec290464a07f4a7

SHA256
a8d16480501123e3efa315eeb8d8e1198da4d18fb5f0d43fb4ce2666a44fb1a3

SHA512
f609e60eac23bf590870642ea06fd2fe6226059462f33f027da9a83dd23ac45206548c3bd57499b5b21ff355a3b81319a4a8454930d0cdd2b0a1a85a048b741c

Download Submit
C:\Windows\System\tYzjkZK.exe

Filesize
6.0MB

MD5
5e4a0844f2044800a4b65a865e28e274

SHA1
fffef28af4ebfce5f59651a7992bff754b3963b7

SHA256
352746bef00fa2eb512eae93630cc66b361a12b33507aab39ced8acf62f43f11

SHA512
3b81f3be96e9f630b111f018a9c2e2896a1812a0761b11db0f5929a460b3a169d15d699150a162aba5c9118c2ca2c640705e7ec718d3d5ebe11f28fafa30093f

Download Submit
C:\Windows\System\xKLfkzV.exe

Filesize
6.0MB

MD5
20981618b16c050df4022718b7e046e0

SHA1
f0a00e0c5f1d15c14e1293fcd613934eddc600b5

SHA256
3b50cd370949c63a93a42d54d50a878ea6c124ff6ef1a0ac9743625c9db29cb4

SHA512
356f97fbcdffc97474f40083c2d3646e11c6ab199ddf33821c1a3b27f959460a484bd97ab02dca6ab6a8f442dcef76e64eb85f5d71a36352d91bca8f6e1a088c

Download Submit
C:\Windows\System\xgePTMO.exe

Filesize
6.0MB

MD5
0bf312470741eb79346ea13fbdb28703

SHA1
72a95ac6b3b11fc1ea5521c97268bbea916332e8

SHA256
e60b0f24ad1dfd0c0ec980bfe93a97ac5f663006ebec06a5d762bba773412c3b

SHA512
22018986e61d9cb0f9b98e328b39c73e4013f03a4c0852f66a69a7f5ddd7c3d71668aacb23dac3283136f6505ba6630e9271d12756feeb12fe0e857ed9e1b9e3

Download Submit
C:\Windows\System\yyKRFSQ.exe

Filesize
6.0MB

MD5
b65930006f1a5ce9454fa44e9acc64f9

SHA1
ba3760938884d64e14b9c8ed061430771cdd84b8

SHA256
927ff1beb134f503948631816983dc37dce567e3ce0e9ef043762b30af671181

SHA512
d17bdce919579afb5d5b701c95109d4eb90e3af8baec3096a2c21b1df358460c588030ee8de6ae0c59fbcb877dafd49894cabd7f3aaab151dcc993c058b4ccd2

Download Submit
C:\Windows\System\zGIbcbW.exe

Filesize
6.0MB

MD5
308b06f1ad6f42d61ab3396777e6ecf7

SHA1
fc2f3852af3f2d86a80999ba9c7c5cb716c2ef36

SHA256
86e86e89d7b10f3e84767dfa0f71d3d11866bfa6a9136538f627de607511ac6d

SHA512
aad290417ba7c4690e64f5629a3364333dd3024e5a9590181149c734c1117b7ac07fe9aca329704edfa4cf5e8a2f1dd574c977f7cddc5f2de76b9fc0a14ffe62

Download Submit
memory/392-2281-0x00007FF783800000-0x00007FF783B54000-memory.dmp

Filesize
3.3MB

Download
memory/392-162-0x00007FF783800000-0x00007FF783B54000-memory.dmp

Filesize
3.3MB

Download
memory/396-172-0x00007FF74C550000-0x00007FF74C8A4000-memory.dmp

Filesize
3.3MB

Download
memory/396-7-0x00007FF74C550000-0x00007FF74C8A4000-memory.dmp

Filesize
3.3MB

Download
memory/820-2277-0x00007FF607A00000-0x00007FF607D54000-memory.dmp

Filesize
3.3MB

Download
memory/820-64-0x00007FF607A00000-0x00007FF607D54000-memory.dmp

Filesize
3.3MB

Download
memory/820-462-0x00007FF607A00000-0x00007FF607D54000-memory.dmp

Filesize
3.3MB

Download
memory/1084-2279-0x00007FF6FB940000-0x00007FF6FBC94000-memory.dmp

Filesize
3.3MB

Download
memory/1084-464-0x00007FF6FB940000-0x00007FF6FBC94000-memory.dmp

Filesize
3.3MB

Download
memory/1084-93-0x00007FF6FB940000-0x00007FF6FBC94000-memory.dmp

Filesize
3.3MB

Download
memory/1136-49-0x00007FF7070F0000-0x00007FF707444000-memory.dmp

Filesize
3.3MB

Download
memory/1136-2272-0x00007FF7070F0000-0x00007FF707444000-memory.dmp

Filesize
3.3MB

Download
memory/1288-2286-0x00007FF7CD8A0000-0x00007FF7CDBF4000-memory.dmp

Filesize
3.3MB

Download
memory/1288-163-0x00007FF7CD8A0000-0x00007FF7CDBF4000-memory.dmp

Filesize
3.3MB

Download
memory/1364-136-0x00007FF736080000-0x00007FF7363D4000-memory.dmp

Filesize
3.3MB

Download
memory/1364-2283-0x00007FF736080000-0x00007FF7363D4000-memory.dmp

Filesize
3.3MB

Download
memory/1488-541-0x00007FF763540000-0x00007FF763894000-memory.dmp

Filesize
3.3MB

Download
memory/1488-155-0x00007FF763540000-0x00007FF763894000-memory.dmp

Filesize
3.3MB

Download
memory/1488-2294-0x00007FF763540000-0x00007FF763894000-memory.dmp

Filesize
3.3MB

Download
memory/1616-181-0x00007FF7AF9C0000-0x00007FF7AFD14000-memory.dmp

Filesize
3.3MB

Download
memory/1616-2296-0x00007FF7AF9C0000-0x00007FF7AFD14000-memory.dmp

Filesize
3.3MB

Download
memory/1768-55-0x00007FF737F80000-0x00007FF7382D4000-memory.dmp

Filesize
3.3MB

Download
memory/1768-2275-0x00007FF737F80000-0x00007FF7382D4000-memory.dmp

Filesize
3.3MB

Download
memory/1772-2276-0x00007FF676430000-0x00007FF676784000-memory.dmp

Filesize
3.3MB

Download
memory/1772-61-0x00007FF676430000-0x00007FF676784000-memory.dmp

Filesize
3.3MB

Download
memory/1772-269-0x00007FF676430000-0x00007FF676784000-memory.dmp

Filesize
3.3MB

Download
memory/1852-54-0x00007FF63A0D0000-0x00007FF63A424000-memory.dmp

Filesize
3.3MB

Download
memory/1900-114-0x00007FF71D010000-0x00007FF71D364000-memory.dmp

Filesize
3.3MB

Download
memory/1900-2280-0x00007FF71D010000-0x00007FF71D364000-memory.dmp

Filesize
3.3MB

Download
memory/2132-2290-0x00007FF6D9960000-0x00007FF6D9CB4000-memory.dmp

Filesize
3.3MB

Download
memory/2132-539-0x00007FF6D9960000-0x00007FF6D9CB4000-memory.dmp

Filesize
3.3MB

Download
memory/2132-145-0x00007FF6D9960000-0x00007FF6D9CB4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-180-0x00007FF600BD0000-0x00007FF600F24000-memory.dmp

Filesize
3.3MB

Download
memory/2180-2295-0x00007FF600BD0000-0x00007FF600F24000-memory.dmp

Filesize
3.3MB

Download
memory/2180-732-0x00007FF600BD0000-0x00007FF600F24000-memory.dmp

Filesize
3.3MB

Download
memory/2592-40-0x00007FF7FBE70000-0x00007FF7FC1C4000-memory.dmp

Filesize
3.3MB

Download
memory/2592-188-0x00007FF7FBE70000-0x00007FF7FC1C4000-memory.dmp

Filesize
3.3MB

Download
memory/2592-2274-0x00007FF7FBE70000-0x00007FF7FC1C4000-memory.dmp

Filesize
3.3MB

Download
memory/2672-143-0x00007FF6FE740000-0x00007FF6FEA94000-memory.dmp

Filesize
3.3MB

Download
memory/2672-534-0x00007FF6FE740000-0x00007FF6FEA94000-memory.dmp

Filesize
3.3MB

Download
memory/2672-2289-0x00007FF6FE740000-0x00007FF6FEA94000-memory.dmp

Filesize
3.3MB

Download
memory/2808-2282-0x00007FF6A5A40000-0x00007FF6A5D94000-memory.dmp

Filesize
3.3MB

Download
memory/2808-115-0x00007FF6A5A40000-0x00007FF6A5D94000-memory.dmp

Filesize
3.3MB

Download
memory/3120-165-0x00007FF7B2100000-0x00007FF7B2454000-memory.dmp

Filesize
3.3MB

Download
memory/3120-1-0x000001FF2AC40000-0x000001FF2AC50000-memory.dmp

Filesize
64KB

Download
memory/3120-0-0x00007FF7B2100000-0x00007FF7B2454000-memory.dmp

Filesize
3.3MB

Download
memory/3316-184-0x00007FF600FF0000-0x00007FF601344000-memory.dmp

Filesize
3.3MB

Download
memory/3316-14-0x00007FF600FF0000-0x00007FF601344000-memory.dmp

Filesize
3.3MB

Download
memory/3388-2271-0x00007FF73CC30000-0x00007FF73CF84000-memory.dmp

Filesize
3.3MB

Download
memory/3388-38-0x00007FF73CC30000-0x00007FF73CF84000-memory.dmp

Filesize
3.3MB

Download
memory/3388-187-0x00007FF73CC30000-0x00007FF73CF84000-memory.dmp

Filesize
3.3MB

Download
memory/3844-538-0x00007FF70A010000-0x00007FF70A364000-memory.dmp

Filesize
3.3MB

Download
memory/3844-2291-0x00007FF70A010000-0x00007FF70A364000-memory.dmp

Filesize
3.3MB

Download
memory/3844-144-0x00007FF70A010000-0x00007FF70A364000-memory.dmp

Filesize
3.3MB

Download
memory/3908-2285-0x00007FF674570000-0x00007FF6748C4000-memory.dmp

Filesize
3.3MB

Download
memory/3908-141-0x00007FF674570000-0x00007FF6748C4000-memory.dmp

Filesize
3.3MB

Download
memory/4032-26-0x00007FF601340000-0x00007FF601694000-memory.dmp

Filesize
3.3MB

Download
memory/4032-185-0x00007FF601340000-0x00007FF601694000-memory.dmp

Filesize
3.3MB

Download
memory/4032-2269-0x00007FF601340000-0x00007FF601694000-memory.dmp

Filesize
3.3MB

Download
memory/4272-140-0x00007FF6D35F0000-0x00007FF6D3944000-memory.dmp

Filesize
3.3MB

Download
memory/4272-2287-0x00007FF6D35F0000-0x00007FF6D3944000-memory.dmp

Filesize
3.3MB

Download
memory/4316-63-0x00007FF6DDAD0000-0x00007FF6DDE24000-memory.dmp

Filesize
3.3MB

Download
memory/4316-331-0x00007FF6DDAD0000-0x00007FF6DDE24000-memory.dmp

Filesize
3.3MB

Download
memory/4316-2278-0x00007FF6DDAD0000-0x00007FF6DDE24000-memory.dmp

Filesize
3.3MB

Download
memory/4488-164-0x00007FF6698B0000-0x00007FF669C04000-memory.dmp

Filesize
3.3MB

Download
memory/4488-2293-0x00007FF6698B0000-0x00007FF669C04000-memory.dmp

Filesize
3.3MB

Download
memory/4824-133-0x00007FF6F44B0000-0x00007FF6F4804000-memory.dmp

Filesize
3.3MB

Download
memory/4824-2284-0x00007FF6F44B0000-0x00007FF6F4804000-memory.dmp

Filesize
3.3MB

Download
memory/4960-146-0x00007FF66B4F0000-0x00007FF66B844000-memory.dmp

Filesize
3.3MB

Download
memory/4960-540-0x00007FF66B4F0000-0x00007FF66B844000-memory.dmp

Filesize
3.3MB

Download
memory/4960-2292-0x00007FF66B4F0000-0x00007FF66B844000-memory.dmp

Filesize
3.3MB

Download
memory/4968-531-0x00007FF7CD730000-0x00007FF7CDA84000-memory.dmp

Filesize
3.3MB

Download
memory/4968-2288-0x00007FF7CD730000-0x00007FF7CDA84000-memory.dmp

Filesize
3.3MB

Download
memory/4968-142-0x00007FF7CD730000-0x00007FF7CDA84000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads