cobaltstrike | f5de177feac3409b099bdf6b3ef28ec9b359eceb5860bc4764a207b4524286e9

Analysis

max time kernel
70s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
Size

6.0MB
MD5

2988003a1d248ef44b7d1df11976e0e8
SHA1

bd5f70371c7774532b7c61f193409e1a5ac4fb1e
SHA256

f5de177feac3409b099bdf6b3ef28ec9b359eceb5860bc4764a207b4524286e9
SHA512

81832d5594f77d274581209c7a3645a9b95cb4f070d7e111921b1daba48e975e7ad704b256032bd5130941afce0e61f71d2921145e3b4c2ef4e3ec4964fad718
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lU9:T+q56utgpPF8u/79

Score

10^/10

cobaltstrike xmrig 0 backdoor miner persistence trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 33 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b8d-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-28.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-37.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-43.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-51.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8e-53.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-62.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-101.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba0-108.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bb0-126.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bb9-136.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbf-147.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bc4-171.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcb-200.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfd-212.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfb-210.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfc-207.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcc-205.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bca-191.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc9-183.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc6-179.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc0-166.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbe-150.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-129.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba1-124.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9f-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-92.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-85.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-76.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-71.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 13932 created 2860	13932	WerFaultSecure.exe	80

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/716-0-0x00007FF75F110000-0x00007FF75F464000-memory.dmp	xmrig
behavioral2/files/0x000b000000023b8d-5.dat	xmrig
behavioral2/memory/1624-8-0x00007FF6CF9C0000-0x00007FF6CFD14000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b91-12.dat	xmrig
behavioral2/files/0x000a000000023b92-11.dat	xmrig
behavioral2/files/0x000a000000023b93-23.dat	xmrig
behavioral2/files/0x000a000000023b94-28.dat	xmrig
behavioral2/memory/1144-30-0x00007FF73C290000-0x00007FF73C5E4000-memory.dmp	xmrig
behavioral2/memory/4156-26-0x00007FF7BB550000-0x00007FF7BB8A4000-memory.dmp	xmrig
behavioral2/memory/4044-18-0x00007FF7DED40000-0x00007FF7DF094000-memory.dmp	xmrig
behavioral2/memory/3872-16-0x00007FF7A3270000-0x00007FF7A35C4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b97-37.dat	xmrig
behavioral2/files/0x000a000000023b95-43.dat	xmrig
behavioral2/memory/232-48-0x00007FF6F52E0000-0x00007FF6F5634000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b98-51.dat	xmrig
behavioral2/files/0x000b000000023b8e-53.dat	xmrig
behavioral2/files/0x000a000000023b99-62.dat	xmrig
behavioral2/memory/3460-68-0x00007FF7346D0000-0x00007FF734A24000-memory.dmp	xmrig
behavioral2/memory/3108-75-0x00007FF7DC020000-0x00007FF7DC374000-memory.dmp	xmrig
behavioral2/memory/4044-81-0x00007FF7DED40000-0x00007FF7DF094000-memory.dmp	xmrig
behavioral2/memory/4156-88-0x00007FF7BB550000-0x00007FF7BB8A4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b9e-101.dat	xmrig
behavioral2/files/0x000b000000023ba0-108.dat	xmrig
behavioral2/memory/4488-115-0x00007FF7BCCF0000-0x00007FF7BD044000-memory.dmp	xmrig
behavioral2/files/0x000e000000023bb0-126.dat	xmrig
behavioral2/files/0x0008000000023bb9-136.dat	xmrig
behavioral2/files/0x0009000000023bbf-147.dat	xmrig
behavioral2/files/0x000e000000023bc4-171.dat	xmrig
behavioral2/files/0x0008000000023bcb-200.dat	xmrig
behavioral2/files/0x0008000000023bfd-212.dat	xmrig
behavioral2/files/0x0008000000023bfb-210.dat	xmrig
behavioral2/files/0x0008000000023bfc-207.dat	xmrig
behavioral2/files/0x0008000000023bcc-205.dat	xmrig
behavioral2/memory/452-199-0x00007FF7E2F50000-0x00007FF7E32A4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023bca-191.dat	xmrig
behavioral2/memory/2376-190-0x00007FF78DBB0000-0x00007FF78DF04000-memory.dmp	xmrig
behavioral2/memory/2344-187-0x00007FF6B8770000-0x00007FF6B8AC4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023bc9-183.dat	xmrig
behavioral2/memory/2032-182-0x00007FF62DEF0000-0x00007FF62E244000-memory.dmp	xmrig
behavioral2/files/0x0008000000023bc6-179.dat	xmrig
behavioral2/memory/868-178-0x00007FF70D940000-0x00007FF70DC94000-memory.dmp	xmrig
behavioral2/memory/1728-177-0x00007FF751E20000-0x00007FF752174000-memory.dmp	xmrig
behavioral2/memory/4488-174-0x00007FF7BCCF0000-0x00007FF7BD044000-memory.dmp	xmrig
behavioral2/memory/4232-173-0x00007FF7BF840000-0x00007FF7BFB94000-memory.dmp	xmrig
behavioral2/memory/1052-168-0x00007FF7109D0000-0x00007FF710D24000-memory.dmp	xmrig
behavioral2/files/0x0009000000023bc0-166.dat	xmrig
behavioral2/memory/2424-162-0x00007FF754080000-0x00007FF7543D4000-memory.dmp	xmrig
behavioral2/memory/4636-161-0x00007FF78D730000-0x00007FF78DA84000-memory.dmp	xmrig
behavioral2/memory/3628-160-0x00007FF7BDC00000-0x00007FF7BDF54000-memory.dmp	xmrig
behavioral2/memory/2780-152-0x00007FF601630000-0x00007FF601984000-memory.dmp	xmrig
behavioral2/files/0x0009000000023bbe-150.dat	xmrig
behavioral2/memory/2192-149-0x00007FF601770000-0x00007FF601AC4000-memory.dmp	xmrig
behavioral2/memory/2524-148-0x00007FF73B160000-0x00007FF73B4B4000-memory.dmp	xmrig
behavioral2/memory/3108-144-0x00007FF7DC020000-0x00007FF7DC374000-memory.dmp	xmrig
behavioral2/memory/2828-143-0x00007FF6B0C40000-0x00007FF6B0F94000-memory.dmp	xmrig
behavioral2/memory/3460-139-0x00007FF7346D0000-0x00007FF734A24000-memory.dmp	xmrig
behavioral2/memory/2288-133-0x00007FF66CD70000-0x00007FF66D0C4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023ba9-129.dat	xmrig
behavioral2/memory/1168-128-0x00007FF6A06B0000-0x00007FF6A0A04000-memory.dmp	xmrig
behavioral2/memory/2344-127-0x00007FF6B8770000-0x00007FF6B8AC4000-memory.dmp	xmrig
behavioral2/files/0x000b000000023ba1-124.dat	xmrig
behavioral2/memory/1148-123-0x00007FF6F3F20000-0x00007FF6F4274000-memory.dmp	xmrig
behavioral2/memory/868-122-0x00007FF70D940000-0x00007FF70DC94000-memory.dmp	xmrig
behavioral2/memory/232-116-0x00007FF6F52E0000-0x00007FF6F5634000-memory.dmp	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
1624	wTAMnhe.exe
3872	NMtfxey.exe
4044	nDcZCua.exe
4156	PByBvvc.exe
1144	uMREJCi.exe
1668	hfyKSKB.exe
3836	DvWGzJp.exe
232	ZTgcbWP.exe
1148	ylFpIUm.exe
1168	BaPAPYq.exe
3460	lmTsJcb.exe
3108	DrTWDXc.exe
2192	MNybuwB.exe
3628	yMVposg.exe
4636	pCqevHv.exe
4232	qlLuHga.exe
4488	JdiApoc.exe
868	reuDaAv.exe
2344	KtzhMnf.exe
2288	ruOUzdZ.exe
2828	OsSMRec.exe
2524	aVxYcZF.exe
2780	URIwatC.exe
2424	AUmMEDJ.exe
1052	LlsnIwr.exe
1728	wsZGook.exe
2032	gpogchC.exe
2376	WPimKpW.exe
452	xBBFAuF.exe
3632	QIDcnMd.exe
2440	HjzWNlE.exe
372	NmzFqtq.exe
380	zgjoTJF.exe
2688	wylRYDZ.exe
5096	YRXjigH.exe
1260	hbbNITL.exe
2924	epTinQQ.exe
1432	vXTRoJG.exe
2928	utJoeXe.exe
548	QPTdTRu.exe
4360	WvaOeDf.exe
4432	hPHjrXj.exe
3940	QZGLKRh.exe
1156	KXpeqob.exe
3232	tsvOUum.exe
3888	BmDSZRs.exe
1824	QWWfuGH.exe
1060	hWzpubi.exe
2252	lfUvoas.exe
4280	dGCMXec.exe
1532	bXcQTTb.exe
1664	yNHPbUS.exe
2360	pqgHtba.exe
620	tdQSgjd.exe
4900	NxqzyHv.exe
4700	TaxAzPC.exe
4656	sHrEDGC.exe
1216	aYlJSkN.exe
220	twFnXvE.exe
1208	ropaOBY.exe
1604	dzGMgIz.exe
3820	AcBWNKK.exe
3488	hXGinGY.exe
904	akjJTCL.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/716-0-0x00007FF75F110000-0x00007FF75F464000-memory.dmp	upx
behavioral2/files/0x000b000000023b8d-5.dat	upx
behavioral2/memory/1624-8-0x00007FF6CF9C0000-0x00007FF6CFD14000-memory.dmp	upx
behavioral2/files/0x000a000000023b91-12.dat	upx
behavioral2/files/0x000a000000023b92-11.dat	upx
behavioral2/files/0x000a000000023b93-23.dat	upx
behavioral2/files/0x000a000000023b94-28.dat	upx
behavioral2/memory/1144-30-0x00007FF73C290000-0x00007FF73C5E4000-memory.dmp	upx
behavioral2/memory/4156-26-0x00007FF7BB550000-0x00007FF7BB8A4000-memory.dmp	upx
behavioral2/memory/4044-18-0x00007FF7DED40000-0x00007FF7DF094000-memory.dmp	upx
behavioral2/memory/3872-16-0x00007FF7A3270000-0x00007FF7A35C4000-memory.dmp	upx
behavioral2/files/0x000a000000023b97-37.dat	upx
behavioral2/files/0x000a000000023b95-43.dat	upx
behavioral2/memory/232-48-0x00007FF6F52E0000-0x00007FF6F5634000-memory.dmp	upx
behavioral2/files/0x000a000000023b98-51.dat	upx
behavioral2/files/0x000b000000023b8e-53.dat	upx
behavioral2/files/0x000a000000023b99-62.dat	upx
behavioral2/memory/3460-68-0x00007FF7346D0000-0x00007FF734A24000-memory.dmp	upx
behavioral2/memory/3108-75-0x00007FF7DC020000-0x00007FF7DC374000-memory.dmp	upx
behavioral2/memory/4044-81-0x00007FF7DED40000-0x00007FF7DF094000-memory.dmp	upx
behavioral2/memory/4156-88-0x00007FF7BB550000-0x00007FF7BB8A4000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-101.dat	upx
behavioral2/files/0x000b000000023ba0-108.dat	upx
behavioral2/memory/4488-115-0x00007FF7BCCF0000-0x00007FF7BD044000-memory.dmp	upx
behavioral2/files/0x000e000000023bb0-126.dat	upx
behavioral2/files/0x0008000000023bb9-136.dat	upx
behavioral2/files/0x0009000000023bbf-147.dat	upx
behavioral2/files/0x000e000000023bc4-171.dat	upx
behavioral2/files/0x0008000000023bcb-200.dat	upx
behavioral2/files/0x0008000000023bfd-212.dat	upx
behavioral2/files/0x0008000000023bfb-210.dat	upx
behavioral2/files/0x0008000000023bfc-207.dat	upx
behavioral2/files/0x0008000000023bcc-205.dat	upx
behavioral2/memory/452-199-0x00007FF7E2F50000-0x00007FF7E32A4000-memory.dmp	upx
behavioral2/files/0x0008000000023bca-191.dat	upx
behavioral2/memory/2376-190-0x00007FF78DBB0000-0x00007FF78DF04000-memory.dmp	upx
behavioral2/memory/2344-187-0x00007FF6B8770000-0x00007FF6B8AC4000-memory.dmp	upx
behavioral2/files/0x0008000000023bc9-183.dat	upx
behavioral2/memory/2032-182-0x00007FF62DEF0000-0x00007FF62E244000-memory.dmp	upx
behavioral2/files/0x0008000000023bc6-179.dat	upx
behavioral2/memory/868-178-0x00007FF70D940000-0x00007FF70DC94000-memory.dmp	upx
behavioral2/memory/1728-177-0x00007FF751E20000-0x00007FF752174000-memory.dmp	upx
behavioral2/memory/4488-174-0x00007FF7BCCF0000-0x00007FF7BD044000-memory.dmp	upx
behavioral2/memory/4232-173-0x00007FF7BF840000-0x00007FF7BFB94000-memory.dmp	upx
behavioral2/memory/1052-168-0x00007FF7109D0000-0x00007FF710D24000-memory.dmp	upx
behavioral2/files/0x0009000000023bc0-166.dat	upx
behavioral2/memory/2424-162-0x00007FF754080000-0x00007FF7543D4000-memory.dmp	upx
behavioral2/memory/4636-161-0x00007FF78D730000-0x00007FF78DA84000-memory.dmp	upx
behavioral2/memory/3628-160-0x00007FF7BDC00000-0x00007FF7BDF54000-memory.dmp	upx
behavioral2/memory/2780-152-0x00007FF601630000-0x00007FF601984000-memory.dmp	upx
behavioral2/files/0x0009000000023bbe-150.dat	upx
behavioral2/memory/2192-149-0x00007FF601770000-0x00007FF601AC4000-memory.dmp	upx
behavioral2/memory/2524-148-0x00007FF73B160000-0x00007FF73B4B4000-memory.dmp	upx
behavioral2/memory/3108-144-0x00007FF7DC020000-0x00007FF7DC374000-memory.dmp	upx
behavioral2/memory/2828-143-0x00007FF6B0C40000-0x00007FF6B0F94000-memory.dmp	upx
behavioral2/memory/3460-139-0x00007FF7346D0000-0x00007FF734A24000-memory.dmp	upx
behavioral2/memory/2288-133-0x00007FF66CD70000-0x00007FF66D0C4000-memory.dmp	upx
behavioral2/files/0x000a000000023ba9-129.dat	upx
behavioral2/memory/1168-128-0x00007FF6A06B0000-0x00007FF6A0A04000-memory.dmp	upx
behavioral2/memory/2344-127-0x00007FF6B8770000-0x00007FF6B8AC4000-memory.dmp	upx
behavioral2/files/0x000b000000023ba1-124.dat	upx
behavioral2/memory/1148-123-0x00007FF6F3F20000-0x00007FF6F4274000-memory.dmp	upx
behavioral2/memory/868-122-0x00007FF70D940000-0x00007FF70DC94000-memory.dmp	upx
behavioral2/memory/232-116-0x00007FF6F52E0000-0x00007FF6F5634000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\HTsXONV.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\stTAZvX.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NBzdhkk.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UisnbHd.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\epTinQQ.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BugfUSh.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VwEfobX.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dzGMgIz.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JGddaxD.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ojfqXGb.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SQBVgIB.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\akjJTCL.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iuoOmzl.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zxyvSaq.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PtMEqJD.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HRcpSKX.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wiQiakz.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vxBbTcX.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pwdJvFZ.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SKhEdjX.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XOlbpvs.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RSpkpzC.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DIGKjTg.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BAOZlyN.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XppVhPK.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lyjRfbT.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jTDkluA.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KfqdGyd.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VFnOLzT.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TQCDSYd.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jFCpjVM.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hiBrklM.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VqDDORF.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hDRNgqp.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nZlcinV.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bUMenzs.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tqlTzug.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LDCSpNX.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OJTHScG.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JQhBcXG.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sakdaTB.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iraXSBt.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FVtPyUX.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hoxnMHB.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uwMDOeb.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BPGNijn.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uSubNKl.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HSipSQs.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ropaOBY.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eEhloBK.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sTqwnPC.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hsQXZUG.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LDQoeWI.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LmznHok.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hLgvVZB.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xRwIjVo.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pKxGvtO.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hPHjrXj.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bOPvzOh.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CENoYaF.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YljKORp.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LmVynve.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gfFlSpt.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PoqLAne.exe	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SR fr-FR Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SR it-IT Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech SW Voice Activation - Italian (Italy)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Adult"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "11.0.2013.1022"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{57523D96-B7F6-4D2C-8AFC-BCC5F5392E94}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\c1031.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\L1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Mark"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3350944739-639801879-157714471-1000\{ED548096-4905-4692-83EE-DAAA91812302}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech HW Voice Activation - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SR it-IT Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Ichiro"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = 49553b76dbc112bcd96e2ce32f82aa3750d88abb05779f5fac65e84c5363077e	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech SW Voice Activation - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\tn1041.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Julie"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_it-IT.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_HW_it-IT.dat"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Traditional Chinese Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "11.0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SR fr-FR Lts Lexicon"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "411"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Universal Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Ayumi - Japanese (Japan)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech SW Voice Activation - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech HW Voice Activation - Spanish (Spain)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "40A;C0A"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\M1040Elsa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 a 000a e 000b i 000c o 000d u 000e t 000f d 0010 p 0011 b 0012 k 0013 g 0014 ch 0015 jj 0016 f 0017 s 0018 x 0019 m 001a n 001b nj 001c l 001d ll 001e r 001f rr 0020 j 0021 w 0022 th 0023"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\AI041031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Ayumi"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Elsa"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "MS-1031-110-WINMO-DNN"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
15048	WerFaultSecure.exe
15048	WerFaultSecure.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	15168	explorer.exe
Token: SeCreatePagefilePrivilege	15168	explorer.exe
Token: SeShutdownPrivilege	15168	explorer.exe
Token: SeCreatePagefilePrivilege	15168	explorer.exe
Token: SeShutdownPrivilege	15168	explorer.exe
Token: SeCreatePagefilePrivilege	15168	explorer.exe
Token: SeShutdownPrivilege	15168	explorer.exe
Token: SeCreatePagefilePrivilege	15168	explorer.exe
Token: SeShutdownPrivilege	15168	explorer.exe
Token: SeCreatePagefilePrivilege	15168	explorer.exe
Token: SeShutdownPrivilege	15168	explorer.exe
Token: SeCreatePagefilePrivilege	15168	explorer.exe
Token: SeShutdownPrivilege	15168	explorer.exe
Token: SeCreatePagefilePrivilege	15168	explorer.exe
Token: SeShutdownPrivilege	15168	explorer.exe
Token: SeCreatePagefilePrivilege	15168	explorer.exe
Token: SeShutdownPrivilege	15168	explorer.exe
Token: SeCreatePagefilePrivilege	15168	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	3344	explorer.exe
Token: SeCreatePagefilePrivilege	3344	explorer.exe
Token: SeShutdownPrivilege	5448	explorer.exe
Token: SeCreatePagefilePrivilege	5448	explorer.exe
Token: SeShutdownPrivilege	5448	explorer.exe
Token: SeCreatePagefilePrivilege	5448	explorer.exe
Token: SeShutdownPrivilege	5448	explorer.exe
Token: SeCreatePagefilePrivilege	5448	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
15292	sihost.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
15168	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
3344	explorer.exe
5448	explorer.exe
5448	explorer.exe
5448	explorer.exe
5448	explorer.exe
5448	explorer.exe
5448	explorer.exe
5448	explorer.exe
5448	explorer.exe
5448	explorer.exe
5448	explorer.exe
5448	explorer.exe
15268	explorer.exe
15268	explorer.exe
15268	explorer.exe
15268	explorer.exe
15268	explorer.exe
15268	explorer.exe
15268	explorer.exe
15268	explorer.exe
15268	explorer.exe
15268	explorer.exe
15268	explorer.exe
15268	explorer.exe
15268	explorer.exe
15268	explorer.exe
15268	explorer.exe
15268	explorer.exe
15268	explorer.exe
15268	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3516	StartMenuExperienceHost.exe
7180	StartMenuExperienceHost.exe
1584	SearchApp.exe
3556	StartMenuExperienceHost.exe
4240	StartMenuExperienceHost.exe
4940	SearchApp.exe
6512	StartMenuExperienceHost.exe
6548	SearchApp.exe
10044	StartMenuExperienceHost.exe
8240	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 1624	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 716 wrote to memory of 1624	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 716 wrote to memory of 3872	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 716 wrote to memory of 3872	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 716 wrote to memory of 4044	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 716 wrote to memory of 4044	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 716 wrote to memory of 4156	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 716 wrote to memory of 4156	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 716 wrote to memory of 1144	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 716 wrote to memory of 1144	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 716 wrote to memory of 3836	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 716 wrote to memory of 3836	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 716 wrote to memory of 1668	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 716 wrote to memory of 1668	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 716 wrote to memory of 232	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 716 wrote to memory of 232	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 716 wrote to memory of 1148	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 716 wrote to memory of 1148	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 716 wrote to memory of 1168	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 716 wrote to memory of 1168	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 716 wrote to memory of 3460	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 716 wrote to memory of 3460	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 716 wrote to memory of 3108	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 716 wrote to memory of 3108	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 716 wrote to memory of 2192	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 716 wrote to memory of 2192	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 716 wrote to memory of 3628	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 716 wrote to memory of 3628	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 716 wrote to memory of 4636	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 716 wrote to memory of 4636	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 716 wrote to memory of 4232	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 716 wrote to memory of 4232	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 716 wrote to memory of 4488	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 716 wrote to memory of 4488	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 716 wrote to memory of 868	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 716 wrote to memory of 868	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 716 wrote to memory of 2344	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 716 wrote to memory of 2344	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 716 wrote to memory of 2288	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 716 wrote to memory of 2288	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 716 wrote to memory of 2828	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 716 wrote to memory of 2828	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 716 wrote to memory of 2524	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 716 wrote to memory of 2524	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 716 wrote to memory of 2780	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 716 wrote to memory of 2780	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 716 wrote to memory of 2424	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 716 wrote to memory of 2424	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 716 wrote to memory of 1052	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 716 wrote to memory of 1052	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 716 wrote to memory of 1728	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 716 wrote to memory of 1728	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 716 wrote to memory of 2032	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 716 wrote to memory of 2032	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 716 wrote to memory of 2376	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 716 wrote to memory of 2376	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 716 wrote to memory of 452	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 716 wrote to memory of 452	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 716 wrote to memory of 3632	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 716 wrote to memory of 3632	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 716 wrote to memory of 2440	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 716 wrote to memory of 2440	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 716 wrote to memory of 372	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 716 wrote to memory of 372	716	2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:2860
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 2860 -s 2156
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:15048

C:\Users\Admin\AppData\Local\Temp\2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-25_2988003a1d248ef44b7d1df11976e0e8_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:716
- C:\Windows\System\wTAMnhe.exe
  C:\Windows\System\wTAMnhe.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\NMtfxey.exe
  C:\Windows\System\NMtfxey.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\nDcZCua.exe
  C:\Windows\System\nDcZCua.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System\PByBvvc.exe
  C:\Windows\System\PByBvvc.exe
  2⤵
  - Executes dropped EXE
  PID:4156
- C:\Windows\System\uMREJCi.exe
  C:\Windows\System\uMREJCi.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System\DvWGzJp.exe
  C:\Windows\System\DvWGzJp.exe
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\System\hfyKSKB.exe
  C:\Windows\System\hfyKSKB.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\ZTgcbWP.exe
  C:\Windows\System\ZTgcbWP.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System\ylFpIUm.exe
  C:\Windows\System\ylFpIUm.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System\BaPAPYq.exe
  C:\Windows\System\BaPAPYq.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System\lmTsJcb.exe
  C:\Windows\System\lmTsJcb.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\DrTWDXc.exe
  C:\Windows\System\DrTWDXc.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System\MNybuwB.exe
  C:\Windows\System\MNybuwB.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\yMVposg.exe
  C:\Windows\System\yMVposg.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\pCqevHv.exe
  C:\Windows\System\pCqevHv.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\qlLuHga.exe
  C:\Windows\System\qlLuHga.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System\JdiApoc.exe
  C:\Windows\System\JdiApoc.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\reuDaAv.exe
  C:\Windows\System\reuDaAv.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System\KtzhMnf.exe
  C:\Windows\System\KtzhMnf.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\ruOUzdZ.exe
  C:\Windows\System\ruOUzdZ.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\OsSMRec.exe
  C:\Windows\System\OsSMRec.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\aVxYcZF.exe
  C:\Windows\System\aVxYcZF.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\URIwatC.exe
  C:\Windows\System\URIwatC.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\AUmMEDJ.exe
  C:\Windows\System\AUmMEDJ.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\LlsnIwr.exe
  C:\Windows\System\LlsnIwr.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\wsZGook.exe
  C:\Windows\System\wsZGook.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\gpogchC.exe
  C:\Windows\System\gpogchC.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\WPimKpW.exe
  C:\Windows\System\WPimKpW.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\xBBFAuF.exe
  C:\Windows\System\xBBFAuF.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System\QIDcnMd.exe
  C:\Windows\System\QIDcnMd.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System\HjzWNlE.exe
  C:\Windows\System\HjzWNlE.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\NmzFqtq.exe
  C:\Windows\System\NmzFqtq.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System\zgjoTJF.exe
  C:\Windows\System\zgjoTJF.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\wylRYDZ.exe
  C:\Windows\System\wylRYDZ.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\YRXjigH.exe
  C:\Windows\System\YRXjigH.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System\hbbNITL.exe
  C:\Windows\System\hbbNITL.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System\epTinQQ.exe
  C:\Windows\System\epTinQQ.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\vXTRoJG.exe
  C:\Windows\System\vXTRoJG.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\utJoeXe.exe
  C:\Windows\System\utJoeXe.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\QPTdTRu.exe
  C:\Windows\System\QPTdTRu.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\WvaOeDf.exe
  C:\Windows\System\WvaOeDf.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\hPHjrXj.exe
  C:\Windows\System\hPHjrXj.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System\QZGLKRh.exe
  C:\Windows\System\QZGLKRh.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\KXpeqob.exe
  C:\Windows\System\KXpeqob.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\tsvOUum.exe
  C:\Windows\System\tsvOUum.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\BmDSZRs.exe
  C:\Windows\System\BmDSZRs.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\QWWfuGH.exe
  C:\Windows\System\QWWfuGH.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System\hWzpubi.exe
  C:\Windows\System\hWzpubi.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\lfUvoas.exe
  C:\Windows\System\lfUvoas.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\dGCMXec.exe
  C:\Windows\System\dGCMXec.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\bXcQTTb.exe
  C:\Windows\System\bXcQTTb.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\yNHPbUS.exe
  C:\Windows\System\yNHPbUS.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\pqgHtba.exe
  C:\Windows\System\pqgHtba.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\tdQSgjd.exe
  C:\Windows\System\tdQSgjd.exe
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\System\NxqzyHv.exe
  C:\Windows\System\NxqzyHv.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System\TaxAzPC.exe
  C:\Windows\System\TaxAzPC.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System\sHrEDGC.exe
  C:\Windows\System\sHrEDGC.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\aYlJSkN.exe
  C:\Windows\System\aYlJSkN.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\twFnXvE.exe
  C:\Windows\System\twFnXvE.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\ropaOBY.exe
  C:\Windows\System\ropaOBY.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System\dzGMgIz.exe
  C:\Windows\System\dzGMgIz.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System\AcBWNKK.exe
  C:\Windows\System\AcBWNKK.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System\hXGinGY.exe
  C:\Windows\System\hXGinGY.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System\akjJTCL.exe
  C:\Windows\System\akjJTCL.exe
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\System\rPFribu.exe
  C:\Windows\System\rPFribu.exe
  2⤵
  PID:5068
- C:\Windows\System\idiXpvc.exe
  C:\Windows\System\idiXpvc.exe
  2⤵
  PID:4364
- C:\Windows\System\sFgdDlJ.exe
  C:\Windows\System\sFgdDlJ.exe
  2⤵
  PID:2908
- C:\Windows\System\gmzokFc.exe
  C:\Windows\System\gmzokFc.exe
  2⤵
  PID:5148
- C:\Windows\System\ZbejxZh.exe
  C:\Windows\System\ZbejxZh.exe
  2⤵
  PID:5176
- C:\Windows\System\YofDQjn.exe
  C:\Windows\System\YofDQjn.exe
  2⤵
  PID:5204
- C:\Windows\System\nTmcIRP.exe
  C:\Windows\System\nTmcIRP.exe
  2⤵
  PID:5232
- C:\Windows\System\xqWwQdD.exe
  C:\Windows\System\xqWwQdD.exe
  2⤵
  PID:5260
- C:\Windows\System\bLEXjea.exe
  C:\Windows\System\bLEXjea.exe
  2⤵
  PID:5288
- C:\Windows\System\iraXSBt.exe
  C:\Windows\System\iraXSBt.exe
  2⤵
  PID:5316
- C:\Windows\System\SKhEdjX.exe
  C:\Windows\System\SKhEdjX.exe
  2⤵
  PID:5344
- C:\Windows\System\JHRZfKy.exe
  C:\Windows\System\JHRZfKy.exe
  2⤵
  PID:5372
- C:\Windows\System\qZdtPSe.exe
  C:\Windows\System\qZdtPSe.exe
  2⤵
  PID:5404
- C:\Windows\System\mvSAcFY.exe
  C:\Windows\System\mvSAcFY.exe
  2⤵
  PID:5440
- C:\Windows\System\pKSxztO.exe
  C:\Windows\System\pKSxztO.exe
  2⤵
  PID:5468
- C:\Windows\System\DIekAyf.exe
  C:\Windows\System\DIekAyf.exe
  2⤵
  PID:5496
- C:\Windows\System\zUcjshI.exe
  C:\Windows\System\zUcjshI.exe
  2⤵
  PID:5524
- C:\Windows\System\tmRHFpu.exe
  C:\Windows\System\tmRHFpu.exe
  2⤵
  PID:5552
- C:\Windows\System\SIskGHZ.exe
  C:\Windows\System\SIskGHZ.exe
  2⤵
  PID:5580
- C:\Windows\System\okVMFrh.exe
  C:\Windows\System\okVMFrh.exe
  2⤵
  PID:5608
- C:\Windows\System\pCdnjgC.exe
  C:\Windows\System\pCdnjgC.exe
  2⤵
  PID:5636
- C:\Windows\System\MJFIKml.exe
  C:\Windows\System\MJFIKml.exe
  2⤵
  PID:5664
- C:\Windows\System\lNhfSIP.exe
  C:\Windows\System\lNhfSIP.exe
  2⤵
  PID:5692
- C:\Windows\System\sTqwnPC.exe
  C:\Windows\System\sTqwnPC.exe
  2⤵
  PID:5720
- C:\Windows\System\WOoKwpS.exe
  C:\Windows\System\WOoKwpS.exe
  2⤵
  PID:5748
- C:\Windows\System\SBZuLZg.exe
  C:\Windows\System\SBZuLZg.exe
  2⤵
  PID:5776
- C:\Windows\System\GhRWMcY.exe
  C:\Windows\System\GhRWMcY.exe
  2⤵
  PID:5804
- C:\Windows\System\bfNZzgE.exe
  C:\Windows\System\bfNZzgE.exe
  2⤵
  PID:5832
- C:\Windows\System\jNuoAMj.exe
  C:\Windows\System\jNuoAMj.exe
  2⤵
  PID:5860
- C:\Windows\System\rytjpuk.exe
  C:\Windows\System\rytjpuk.exe
  2⤵
  PID:5888
- C:\Windows\System\JeHZBGK.exe
  C:\Windows\System\JeHZBGK.exe
  2⤵
  PID:5916
- C:\Windows\System\ZnLXVyE.exe
  C:\Windows\System\ZnLXVyE.exe
  2⤵
  PID:5944
- C:\Windows\System\QsOtoPN.exe
  C:\Windows\System\QsOtoPN.exe
  2⤵
  PID:5972
- C:\Windows\System\srMEDGb.exe
  C:\Windows\System\srMEDGb.exe
  2⤵
  PID:6000
- C:\Windows\System\gLWGHoz.exe
  C:\Windows\System\gLWGHoz.exe
  2⤵
  PID:6028
- C:\Windows\System\QTCxupO.exe
  C:\Windows\System\QTCxupO.exe
  2⤵
  PID:6056
- C:\Windows\System\TzKaUHR.exe
  C:\Windows\System\TzKaUHR.exe
  2⤵
  PID:6084
- C:\Windows\System\Rndfcoy.exe
  C:\Windows\System\Rndfcoy.exe
  2⤵
  PID:6112
- C:\Windows\System\QCBOVJl.exe
  C:\Windows\System\QCBOVJl.exe
  2⤵
  PID:6140
- C:\Windows\System\CKgswuC.exe
  C:\Windows\System\CKgswuC.exe
  2⤵
  PID:4940
- C:\Windows\System\ZWpsZzH.exe
  C:\Windows\System\ZWpsZzH.exe
  2⤵
  PID:3984
- C:\Windows\System\nOUrXeY.exe
  C:\Windows\System\nOUrXeY.exe
  2⤵
  PID:3316
- C:\Windows\System\SHJoALf.exe
  C:\Windows\System\SHJoALf.exe
  2⤵
  PID:1792
- C:\Windows\System\QpopWZO.exe
  C:\Windows\System\QpopWZO.exe
  2⤵
  PID:2488
- C:\Windows\System\uRFwFGT.exe
  C:\Windows\System\uRFwFGT.exe
  2⤵
  PID:5168
- C:\Windows\System\VuFdyxB.exe
  C:\Windows\System\VuFdyxB.exe
  2⤵
  PID:5244
- C:\Windows\System\GWvstMN.exe
  C:\Windows\System\GWvstMN.exe
  2⤵
  PID:5300
- C:\Windows\System\qAbIhwu.exe
  C:\Windows\System\qAbIhwu.exe
  2⤵
  PID:5360
- C:\Windows\System\IRYEKHb.exe
  C:\Windows\System\IRYEKHb.exe
  2⤵
  PID:5428
- C:\Windows\System\FWMrapf.exe
  C:\Windows\System\FWMrapf.exe
  2⤵
  PID:5488
- C:\Windows\System\CazRJZO.exe
  C:\Windows\System\CazRJZO.exe
  2⤵
  PID:5564
- C:\Windows\System\JGgpAXF.exe
  C:\Windows\System\JGgpAXF.exe
  2⤵
  PID:5624
- C:\Windows\System\lmQOAcz.exe
  C:\Windows\System\lmQOAcz.exe
  2⤵
  PID:5684
- C:\Windows\System\RMmIopV.exe
  C:\Windows\System\RMmIopV.exe
  2⤵
  PID:5760
- C:\Windows\System\yTEuOZe.exe
  C:\Windows\System\yTEuOZe.exe
  2⤵
  PID:5820
- C:\Windows\System\FVtPyUX.exe
  C:\Windows\System\FVtPyUX.exe
  2⤵
  PID:5880
- C:\Windows\System\DqjComC.exe
  C:\Windows\System\DqjComC.exe
  2⤵
  PID:5956
- C:\Windows\System\hYJCmIj.exe
  C:\Windows\System\hYJCmIj.exe
  2⤵
  PID:6016
- C:\Windows\System\gWspoeI.exe
  C:\Windows\System\gWspoeI.exe
  2⤵
  PID:6076
- C:\Windows\System\MZllbqK.exe
  C:\Windows\System\MZllbqK.exe
  2⤵
  PID:2668
- C:\Windows\System\OHCNYMl.exe
  C:\Windows\System\OHCNYMl.exe
  2⤵
  PID:4376
- C:\Windows\System\qbPNTCu.exe
  C:\Windows\System\qbPNTCu.exe
  2⤵
  PID:5160
- C:\Windows\System\iuoOmzl.exe
  C:\Windows\System\iuoOmzl.exe
  2⤵
  PID:5272
- C:\Windows\System\vYQTnmj.exe
  C:\Windows\System\vYQTnmj.exe
  2⤵
  PID:5400
- C:\Windows\System\aaiaSNN.exe
  C:\Windows\System\aaiaSNN.exe
  2⤵
  PID:5540
- C:\Windows\System\hvkIQgj.exe
  C:\Windows\System\hvkIQgj.exe
  2⤵
  PID:5712
- C:\Windows\System\rXWKweZ.exe
  C:\Windows\System\rXWKweZ.exe
  2⤵
  PID:5852
- C:\Windows\System\taciRLt.exe
  C:\Windows\System\taciRLt.exe
  2⤵
  PID:5988
- C:\Windows\System\ispwkrv.exe
  C:\Windows\System\ispwkrv.exe
  2⤵
  PID:6152
- C:\Windows\System\nsDXqyf.exe
  C:\Windows\System\nsDXqyf.exe
  2⤵
  PID:6168
- C:\Windows\System\gOKeIxz.exe
  C:\Windows\System\gOKeIxz.exe
  2⤵
  PID:6196
- C:\Windows\System\lKeRLkv.exe
  C:\Windows\System\lKeRLkv.exe
  2⤵
  PID:6224
- C:\Windows\System\KsfEYwA.exe
  C:\Windows\System\KsfEYwA.exe
  2⤵
  PID:6252
- C:\Windows\System\tBUPYYg.exe
  C:\Windows\System\tBUPYYg.exe
  2⤵
  PID:6280
- C:\Windows\System\QSSCkhO.exe
  C:\Windows\System\QSSCkhO.exe
  2⤵
  PID:6320
- C:\Windows\System\iKYffWC.exe
  C:\Windows\System\iKYffWC.exe
  2⤵
  PID:6348
- C:\Windows\System\VDqNcnv.exe
  C:\Windows\System\VDqNcnv.exe
  2⤵
  PID:6376
- C:\Windows\System\JPrmxLZ.exe
  C:\Windows\System\JPrmxLZ.exe
  2⤵
  PID:6408
- C:\Windows\System\ZtCcMjD.exe
  C:\Windows\System\ZtCcMjD.exe
  2⤵
  PID:6432
- C:\Windows\System\BnmcRPZ.exe
  C:\Windows\System\BnmcRPZ.exe
  2⤵
  PID:6460
- C:\Windows\System\jNZGJiF.exe
  C:\Windows\System\jNZGJiF.exe
  2⤵
  PID:6488
- C:\Windows\System\sbOxCVW.exe
  C:\Windows\System\sbOxCVW.exe
  2⤵
  PID:6516
- C:\Windows\System\rIirzGE.exe
  C:\Windows\System\rIirzGE.exe
  2⤵
  PID:6544
- C:\Windows\System\NEcgcqP.exe
  C:\Windows\System\NEcgcqP.exe
  2⤵
  PID:6572
- C:\Windows\System\hZFnXEZ.exe
  C:\Windows\System\hZFnXEZ.exe
  2⤵
  PID:6600
- C:\Windows\System\ZTNxEwQ.exe
  C:\Windows\System\ZTNxEwQ.exe
  2⤵
  PID:6628
- C:\Windows\System\RPyNbJH.exe
  C:\Windows\System\RPyNbJH.exe
  2⤵
  PID:6652
- C:\Windows\System\JGddaxD.exe
  C:\Windows\System\JGddaxD.exe
  2⤵
  PID:6684
- C:\Windows\System\cGUcVID.exe
  C:\Windows\System\cGUcVID.exe
  2⤵
  PID:6712
- C:\Windows\System\yciklot.exe
  C:\Windows\System\yciklot.exe
  2⤵
  PID:6740
- C:\Windows\System\CJFJXvB.exe
  C:\Windows\System\CJFJXvB.exe
  2⤵
  PID:6768
- C:\Windows\System\SCkxcUv.exe
  C:\Windows\System\SCkxcUv.exe
  2⤵
  PID:6796
- C:\Windows\System\yRGkjxh.exe
  C:\Windows\System\yRGkjxh.exe
  2⤵
  PID:6824
- C:\Windows\System\wKDankJ.exe
  C:\Windows\System\wKDankJ.exe
  2⤵
  PID:6852
- C:\Windows\System\rDnDLDh.exe
  C:\Windows\System\rDnDLDh.exe
  2⤵
  PID:6880
- C:\Windows\System\TttqLli.exe
  C:\Windows\System\TttqLli.exe
  2⤵
  PID:6908
- C:\Windows\System\cZZOHRz.exe
  C:\Windows\System\cZZOHRz.exe
  2⤵
  PID:6936
- C:\Windows\System\dxGEakW.exe
  C:\Windows\System\dxGEakW.exe
  2⤵
  PID:6964
- C:\Windows\System\VFnOLzT.exe
  C:\Windows\System\VFnOLzT.exe
  2⤵
  PID:6992
- C:\Windows\System\HqxdWXa.exe
  C:\Windows\System\HqxdWXa.exe
  2⤵
  PID:7020
- C:\Windows\System\cGaQAYt.exe
  C:\Windows\System\cGaQAYt.exe
  2⤵
  PID:7048
- C:\Windows\System\uKcqgCt.exe
  C:\Windows\System\uKcqgCt.exe
  2⤵
  PID:7076
- C:\Windows\System\RSpkpzC.exe
  C:\Windows\System\RSpkpzC.exe
  2⤵
  PID:7104
- C:\Windows\System\KuPsrWi.exe
  C:\Windows\System\KuPsrWi.exe
  2⤵
  PID:7132
- C:\Windows\System\sMwpyoq.exe
  C:\Windows\System\sMwpyoq.exe
  2⤵
  PID:7160
- C:\Windows\System\uvHMTxR.exe
  C:\Windows\System\uvHMTxR.exe
  2⤵
  PID:2640
- C:\Windows\System\YOWbwgE.exe
  C:\Windows\System\YOWbwgE.exe
  2⤵
  PID:5328
- C:\Windows\System\sxenDff.exe
  C:\Windows\System\sxenDff.exe
  2⤵
  PID:5652
- C:\Windows\System\EGYilck.exe
  C:\Windows\System\EGYilck.exe
  2⤵
  PID:5932
- C:\Windows\System\PEqvQNU.exe
  C:\Windows\System\PEqvQNU.exe
  2⤵
  PID:6184
- C:\Windows\System\nUGExTF.exe
  C:\Windows\System\nUGExTF.exe
  2⤵
  PID:6244
- C:\Windows\System\AORFPsy.exe
  C:\Windows\System\AORFPsy.exe
  2⤵
  PID:6312
- C:\Windows\System\OtvJxQH.exe
  C:\Windows\System\OtvJxQH.exe
  2⤵
  PID:6388
- C:\Windows\System\TXwMHmb.exe
  C:\Windows\System\TXwMHmb.exe
  2⤵
  PID:4524
- C:\Windows\System\JGwXdVt.exe
  C:\Windows\System\JGwXdVt.exe
  2⤵
  PID:6504
- C:\Windows\System\zxyvSaq.exe
  C:\Windows\System\zxyvSaq.exe
  2⤵
  PID:6564
- C:\Windows\System\pXinaor.exe
  C:\Windows\System\pXinaor.exe
  2⤵
  PID:6620
- C:\Windows\System\oStKFPe.exe
  C:\Windows\System\oStKFPe.exe
  2⤵
  PID:6696
- C:\Windows\System\xGJsXIu.exe
  C:\Windows\System\xGJsXIu.exe
  2⤵
  PID:6756
- C:\Windows\System\sUKvUgU.exe
  C:\Windows\System\sUKvUgU.exe
  2⤵
  PID:6816
- C:\Windows\System\ATgEijZ.exe
  C:\Windows\System\ATgEijZ.exe
  2⤵
  PID:6892
- C:\Windows\System\aAbZBXy.exe
  C:\Windows\System\aAbZBXy.exe
  2⤵
  PID:6952
- C:\Windows\System\sElVIzM.exe
  C:\Windows\System\sElVIzM.exe
  2⤵
  PID:7012
- C:\Windows\System\PtMEqJD.exe
  C:\Windows\System\PtMEqJD.exe
  2⤵
  PID:7088
- C:\Windows\System\AHxJXKL.exe
  C:\Windows\System\AHxJXKL.exe
  2⤵
  PID:7148
- C:\Windows\System\nZlcinV.exe
  C:\Windows\System\nZlcinV.exe
  2⤵
  PID:5216
- C:\Windows\System\ReiurtP.exe
  C:\Windows\System\ReiurtP.exe
  2⤵
  PID:6104
- C:\Windows\System\NQvbfhD.exe
  C:\Windows\System\NQvbfhD.exe
  2⤵
  PID:6292
- C:\Windows\System\ADrgzzm.exe
  C:\Windows\System\ADrgzzm.exe
  2⤵
  PID:6428
- C:\Windows\System\tdRTmjB.exe
  C:\Windows\System\tdRTmjB.exe
  2⤵
  PID:6588
- C:\Windows\System\HSJNLCh.exe
  C:\Windows\System\HSJNLCh.exe
  2⤵
  PID:6728
- C:\Windows\System\xIpYTBF.exe
  C:\Windows\System\xIpYTBF.exe
  2⤵
  PID:6868
- C:\Windows\System\gZHaCAW.exe
  C:\Windows\System\gZHaCAW.exe
  2⤵
  PID:7004
- C:\Windows\System\Byrfild.exe
  C:\Windows\System\Byrfild.exe
  2⤵
  PID:7172
- C:\Windows\System\xrnPYqh.exe
  C:\Windows\System\xrnPYqh.exe
  2⤵
  PID:7200
- C:\Windows\System\jHoAWFb.exe
  C:\Windows\System\jHoAWFb.exe
  2⤵
  PID:7228
- C:\Windows\System\QnOdxbL.exe
  C:\Windows\System\QnOdxbL.exe
  2⤵
  PID:7252
- C:\Windows\System\UbwdFtH.exe
  C:\Windows\System\UbwdFtH.exe
  2⤵
  PID:7272
- C:\Windows\System\nGcKSdu.exe
  C:\Windows\System\nGcKSdu.exe
  2⤵
  PID:7300
- C:\Windows\System\CEWBhOE.exe
  C:\Windows\System\CEWBhOE.exe
  2⤵
  PID:7328
- C:\Windows\System\hoxnMHB.exe
  C:\Windows\System\hoxnMHB.exe
  2⤵
  PID:7356
- C:\Windows\System\nbAbDuF.exe
  C:\Windows\System\nbAbDuF.exe
  2⤵
  PID:7384
- C:\Windows\System\UuWqPCC.exe
  C:\Windows\System\UuWqPCC.exe
  2⤵
  PID:7412
- C:\Windows\System\ojhhcOz.exe
  C:\Windows\System\ojhhcOz.exe
  2⤵
  PID:7440
- C:\Windows\System\LdSoyrk.exe
  C:\Windows\System\LdSoyrk.exe
  2⤵
  PID:7468
- C:\Windows\System\gIiUrIu.exe
  C:\Windows\System\gIiUrIu.exe
  2⤵
  PID:7496
- C:\Windows\System\tImtvQP.exe
  C:\Windows\System\tImtvQP.exe
  2⤵
  PID:7524
- C:\Windows\System\oqgAhCQ.exe
  C:\Windows\System\oqgAhCQ.exe
  2⤵
  PID:7552
- C:\Windows\System\iYgMnXX.exe
  C:\Windows\System\iYgMnXX.exe
  2⤵
  PID:7580
- C:\Windows\System\loGJImY.exe
  C:\Windows\System\loGJImY.exe
  2⤵
  PID:7608
- C:\Windows\System\QUsjlWM.exe
  C:\Windows\System\QUsjlWM.exe
  2⤵
  PID:7636
- C:\Windows\System\zphdnFJ.exe
  C:\Windows\System\zphdnFJ.exe
  2⤵
  PID:7664
- C:\Windows\System\tdVGsPn.exe
  C:\Windows\System\tdVGsPn.exe
  2⤵
  PID:7692
- C:\Windows\System\XuNAODG.exe
  C:\Windows\System\XuNAODG.exe
  2⤵
  PID:7720
- C:\Windows\System\iyjGYHn.exe
  C:\Windows\System\iyjGYHn.exe
  2⤵
  PID:7748
- C:\Windows\System\RjUvLJl.exe
  C:\Windows\System\RjUvLJl.exe
  2⤵
  PID:7776
- C:\Windows\System\PKfyaEr.exe
  C:\Windows\System\PKfyaEr.exe
  2⤵
  PID:7804
- C:\Windows\System\BhFprGV.exe
  C:\Windows\System\BhFprGV.exe
  2⤵
  PID:7844
- C:\Windows\System\sbgNKKD.exe
  C:\Windows\System\sbgNKKD.exe
  2⤵
  PID:7872
- C:\Windows\System\BUpnQDU.exe
  C:\Windows\System\BUpnQDU.exe
  2⤵
  PID:7900
- C:\Windows\System\cCoqzgv.exe
  C:\Windows\System\cCoqzgv.exe
  2⤵
  PID:7928
- C:\Windows\System\UnyisIh.exe
  C:\Windows\System\UnyisIh.exe
  2⤵
  PID:7956
- C:\Windows\System\YxSEacn.exe
  C:\Windows\System\YxSEacn.exe
  2⤵
  PID:7984
- C:\Windows\System\wLQRHeB.exe
  C:\Windows\System\wLQRHeB.exe
  2⤵
  PID:8012
- C:\Windows\System\ydgDEwq.exe
  C:\Windows\System\ydgDEwq.exe
  2⤵
  PID:8040
- C:\Windows\System\KMeDCym.exe
  C:\Windows\System\KMeDCym.exe
  2⤵
  PID:8068
- C:\Windows\System\ZdexGOV.exe
  C:\Windows\System\ZdexGOV.exe
  2⤵
  PID:8096
- C:\Windows\System\qrAJhcW.exe
  C:\Windows\System\qrAJhcW.exe
  2⤵
  PID:8124
- C:\Windows\System\GwEqUtT.exe
  C:\Windows\System\GwEqUtT.exe
  2⤵
  PID:8148
- C:\Windows\System\rHQLGdi.exe
  C:\Windows\System\rHQLGdi.exe
  2⤵
  PID:8180
- C:\Windows\System\klCbEUi.exe
  C:\Windows\System\klCbEUi.exe
  2⤵
  PID:5516
- C:\Windows\System\bYhtJuW.exe
  C:\Windows\System\bYhtJuW.exe
  2⤵
  PID:6364
- C:\Windows\System\ipmzYpC.exe
  C:\Windows\System\ipmzYpC.exe
  2⤵
  PID:6672
- C:\Windows\System\BpLsbGF.exe
  C:\Windows\System\BpLsbGF.exe
  2⤵
  PID:7064
- C:\Windows\System\ApsoeCf.exe
  C:\Windows\System\ApsoeCf.exe
  2⤵
  PID:7216
- C:\Windows\System\EAIrALy.exe
  C:\Windows\System\EAIrALy.exe
  2⤵
  PID:7284
- C:\Windows\System\nISpVKe.exe
  C:\Windows\System\nISpVKe.exe
  2⤵
  PID:7340
- C:\Windows\System\aFDCkaT.exe
  C:\Windows\System\aFDCkaT.exe
  2⤵
  PID:7400
- C:\Windows\System\yWIIZMA.exe
  C:\Windows\System\yWIIZMA.exe
  2⤵
  PID:7456
- C:\Windows\System\ALbttGt.exe
  C:\Windows\System\ALbttGt.exe
  2⤵
  PID:7516
- C:\Windows\System\DIGKjTg.exe
  C:\Windows\System\DIGKjTg.exe
  2⤵
  PID:7592
- C:\Windows\System\dqAUUNe.exe
  C:\Windows\System\dqAUUNe.exe
  2⤵
  PID:7652
- C:\Windows\System\gNTeOPJ.exe
  C:\Windows\System\gNTeOPJ.exe
  2⤵
  PID:7712
- C:\Windows\System\BAOZlyN.exe
  C:\Windows\System\BAOZlyN.exe
  2⤵
  PID:7768
- C:\Windows\System\NzQSlYd.exe
  C:\Windows\System\NzQSlYd.exe
  2⤵
  PID:7828
- C:\Windows\System\HdUlAoZ.exe
  C:\Windows\System\HdUlAoZ.exe
  2⤵
  PID:7888
- C:\Windows\System\JrMzkfv.exe
  C:\Windows\System\JrMzkfv.exe
  2⤵
  PID:7944
- C:\Windows\System\hsQXZUG.exe
  C:\Windows\System\hsQXZUG.exe
  2⤵
  PID:8004
- C:\Windows\System\XppVhPK.exe
  C:\Windows\System\XppVhPK.exe
  2⤵
  PID:8060
- C:\Windows\System\rWYzKEl.exe
  C:\Windows\System\rWYzKEl.exe
  2⤵
  PID:8116
- C:\Windows\System\ryYeUoE.exe
  C:\Windows\System\ryYeUoE.exe
  2⤵
  PID:8172
- C:\Windows\System\HRcpSKX.exe
  C:\Windows\System\HRcpSKX.exe
  2⤵
  PID:6236
- C:\Windows\System\palGySJ.exe
  C:\Windows\System\palGySJ.exe
  2⤵
  PID:212
- C:\Windows\System\eQQwjMo.exe
  C:\Windows\System\eQQwjMo.exe
  2⤵
  PID:7264
- C:\Windows\System\YljKORp.exe
  C:\Windows\System\YljKORp.exe
  2⤵
  PID:4648
- C:\Windows\System\YIXJagr.exe
  C:\Windows\System\YIXJagr.exe
  2⤵
  PID:7544
- C:\Windows\System\LfmePfp.exe
  C:\Windows\System\LfmePfp.exe
  2⤵
  PID:4824
- C:\Windows\System\HTsXONV.exe
  C:\Windows\System\HTsXONV.exe
  2⤵
  PID:7792
- C:\Windows\System\UbHcKXu.exe
  C:\Windows\System\UbHcKXu.exe
  2⤵
  PID:7924
- C:\Windows\System\OoMQotg.exe
  C:\Windows\System\OoMQotg.exe
  2⤵
  PID:5060
- C:\Windows\System\aBhGrKW.exe
  C:\Windows\System\aBhGrKW.exe
  2⤵
  PID:8144
- C:\Windows\System\Bzetity.exe
  C:\Windows\System\Bzetity.exe
  2⤵
  PID:2156
- C:\Windows\System\kQonTgO.exe
  C:\Windows\System\kQonTgO.exe
  2⤵
  PID:7316
- C:\Windows\System\lopyEnI.exe
  C:\Windows\System\lopyEnI.exe
  2⤵
  PID:8204
- C:\Windows\System\Hnemuda.exe
  C:\Windows\System\Hnemuda.exe
  2⤵
  PID:8232
- C:\Windows\System\wteFjVE.exe
  C:\Windows\System\wteFjVE.exe
  2⤵
  PID:8260
- C:\Windows\System\HyiDCCz.exe
  C:\Windows\System\HyiDCCz.exe
  2⤵
  PID:8288
- C:\Windows\System\ggCErUx.exe
  C:\Windows\System\ggCErUx.exe
  2⤵
  PID:8316
- C:\Windows\System\SzMuZKm.exe
  C:\Windows\System\SzMuZKm.exe
  2⤵
  PID:8344
- C:\Windows\System\xWjZYtW.exe
  C:\Windows\System\xWjZYtW.exe
  2⤵
  PID:8372
- C:\Windows\System\EgtobBu.exe
  C:\Windows\System\EgtobBu.exe
  2⤵
  PID:8400
- C:\Windows\System\DQnbTKO.exe
  C:\Windows\System\DQnbTKO.exe
  2⤵
  PID:8428
- C:\Windows\System\YINzuVW.exe
  C:\Windows\System\YINzuVW.exe
  2⤵
  PID:8456
- C:\Windows\System\cEeYRpb.exe
  C:\Windows\System\cEeYRpb.exe
  2⤵
  PID:8484
- C:\Windows\System\CERRgLM.exe
  C:\Windows\System\CERRgLM.exe
  2⤵
  PID:8512
- C:\Windows\System\CFgewxm.exe
  C:\Windows\System\CFgewxm.exe
  2⤵
  PID:8540
- C:\Windows\System\xutYQGM.exe
  C:\Windows\System\xutYQGM.exe
  2⤵
  PID:8568
- C:\Windows\System\lyjRfbT.exe
  C:\Windows\System\lyjRfbT.exe
  2⤵
  PID:8596
- C:\Windows\System\QIbMZDV.exe
  C:\Windows\System\QIbMZDV.exe
  2⤵
  PID:8624
- C:\Windows\System\LngyAKR.exe
  C:\Windows\System\LngyAKR.exe
  2⤵
  PID:8652
- C:\Windows\System\sQzOjiq.exe
  C:\Windows\System\sQzOjiq.exe
  2⤵
  PID:8680
- C:\Windows\System\dTcPHWy.exe
  C:\Windows\System\dTcPHWy.exe
  2⤵
  PID:8708
- C:\Windows\System\wiQiakz.exe
  C:\Windows\System\wiQiakz.exe
  2⤵
  PID:8736
- C:\Windows\System\MHEFkHG.exe
  C:\Windows\System\MHEFkHG.exe
  2⤵
  PID:8764
- C:\Windows\System\GVkuQLN.exe
  C:\Windows\System\GVkuQLN.exe
  2⤵
  PID:8792
- C:\Windows\System\PfkBNHb.exe
  C:\Windows\System\PfkBNHb.exe
  2⤵
  PID:8820
- C:\Windows\System\TgXrsFT.exe
  C:\Windows\System\TgXrsFT.exe
  2⤵
  PID:8848
- C:\Windows\System\FjsQtFy.exe
  C:\Windows\System\FjsQtFy.exe
  2⤵
  PID:8876
- C:\Windows\System\qxNnrjT.exe
  C:\Windows\System\qxNnrjT.exe
  2⤵
  PID:8904
- C:\Windows\System\tMlBuaS.exe
  C:\Windows\System\tMlBuaS.exe
  2⤵
  PID:8932
- C:\Windows\System\wqrpcKa.exe
  C:\Windows\System\wqrpcKa.exe
  2⤵
  PID:8960
- C:\Windows\System\vtwJvdD.exe
  C:\Windows\System\vtwJvdD.exe
  2⤵
  PID:8988
- C:\Windows\System\YPXqrTu.exe
  C:\Windows\System\YPXqrTu.exe
  2⤵
  PID:9016
- C:\Windows\System\sNfHcVz.exe
  C:\Windows\System\sNfHcVz.exe
  2⤵
  PID:9044
- C:\Windows\System\VIDZLqo.exe
  C:\Windows\System\VIDZLqo.exe
  2⤵
  PID:9072
- C:\Windows\System\mBLWoBz.exe
  C:\Windows\System\mBLWoBz.exe
  2⤵
  PID:9100
- C:\Windows\System\OvvRalj.exe
  C:\Windows\System\OvvRalj.exe
  2⤵
  PID:9128
- C:\Windows\System\JsNJvPk.exe
  C:\Windows\System\JsNJvPk.exe
  2⤵
  PID:9156
- C:\Windows\System\cYSvACD.exe
  C:\Windows\System\cYSvACD.exe
  2⤵
  PID:9184
- C:\Windows\System\ZrymIgi.exe
  C:\Windows\System\ZrymIgi.exe
  2⤵
  PID:9212
- C:\Windows\System\XimUjNG.exe
  C:\Windows\System\XimUjNG.exe
  2⤵
  PID:7624
- C:\Windows\System\ZXPaztC.exe
  C:\Windows\System\ZXPaztC.exe
  2⤵
  PID:7856
- C:\Windows\System\gvVhMiH.exe
  C:\Windows\System\gvVhMiH.exe
  2⤵
  PID:3124
- C:\Windows\System\kMEWVzW.exe
  C:\Windows\System\kMEWVzW.exe
  2⤵
  PID:7244
- C:\Windows\System\CLAKLAB.exe
  C:\Windows\System\CLAKLAB.exe
  2⤵
  PID:1496
- C:\Windows\System\upipzJM.exe
  C:\Windows\System\upipzJM.exe
  2⤵
  PID:8272
- C:\Windows\System\Sycghbi.exe
  C:\Windows\System\Sycghbi.exe
  2⤵
  PID:8308
- C:\Windows\System\DhkhxCz.exe
  C:\Windows\System\DhkhxCz.exe
  2⤵
  PID:8384
- C:\Windows\System\xWowxGo.exe
  C:\Windows\System\xWowxGo.exe
  2⤵
  PID:5080
- C:\Windows\System\KfKfyck.exe
  C:\Windows\System\KfKfyck.exe
  2⤵
  PID:8440
- C:\Windows\System\HPVGGCH.exe
  C:\Windows\System\HPVGGCH.exe
  2⤵
  PID:8496
- C:\Windows\System\axgdiDj.exe
  C:\Windows\System\axgdiDj.exe
  2⤵
  PID:4544
- C:\Windows\System\LDQoeWI.exe
  C:\Windows\System\LDQoeWI.exe
  2⤵
  PID:8584
- C:\Windows\System\jFCpjVM.exe
  C:\Windows\System\jFCpjVM.exe
  2⤵
  PID:8644
- C:\Windows\System\xQPqGXv.exe
  C:\Windows\System\xQPqGXv.exe
  2⤵
  PID:8700
- C:\Windows\System\sawIMOH.exe
  C:\Windows\System\sawIMOH.exe
  2⤵
  PID:8776
- C:\Windows\System\pBWAFmK.exe
  C:\Windows\System\pBWAFmK.exe
  2⤵
  PID:4356
- C:\Windows\System\MPtWQID.exe
  C:\Windows\System\MPtWQID.exe
  2⤵
  PID:8892
- C:\Windows\System\mSYkfjF.exe
  C:\Windows\System\mSYkfjF.exe
  2⤵
  PID:8952
- C:\Windows\System\uAQiPsX.exe
  C:\Windows\System\uAQiPsX.exe
  2⤵
  PID:9028
- C:\Windows\System\TVIPnRI.exe
  C:\Windows\System\TVIPnRI.exe
  2⤵
  PID:9084
- C:\Windows\System\vntyghP.exe
  C:\Windows\System\vntyghP.exe
  2⤵
  PID:9144
- C:\Windows\System\HeUtFZY.exe
  C:\Windows\System\HeUtFZY.exe
  2⤵
  PID:9204
- C:\Windows\System\upbGdvk.exe
  C:\Windows\System\upbGdvk.exe
  2⤵
  PID:7740
- C:\Windows\System\nlJafqW.exe
  C:\Windows\System\nlJafqW.exe
  2⤵
  PID:2804
- C:\Windows\System\fyyCRMh.exe
  C:\Windows\System\fyyCRMh.exe
  2⤵
  PID:8276
- C:\Windows\System\JivuPRC.exe
  C:\Windows\System\JivuPRC.exe
  2⤵
  PID:8392
- C:\Windows\System\DzEokpP.exe
  C:\Windows\System\DzEokpP.exe
  2⤵
  PID:8472
- C:\Windows\System\lOhDAqE.exe
  C:\Windows\System\lOhDAqE.exe
  2⤵
  PID:8612
- C:\Windows\System\oWzqnsk.exe
  C:\Windows\System\oWzqnsk.exe
  2⤵
  PID:8748
- C:\Windows\System\IhvgvrX.exe
  C:\Windows\System\IhvgvrX.exe
  2⤵
  PID:8868
- C:\Windows\System\SyltYEw.exe
  C:\Windows\System\SyltYEw.exe
  2⤵
  PID:9056
- C:\Windows\System\jkZkFpS.exe
  C:\Windows\System\jkZkFpS.exe
  2⤵
  PID:9176
- C:\Windows\System\XFLQXVh.exe
  C:\Windows\System\XFLQXVh.exe
  2⤵
  PID:4808
- C:\Windows\System\JCNIxcW.exe
  C:\Windows\System\JCNIxcW.exe
  2⤵
  PID:2176
- C:\Windows\System\hUnOdHC.exe
  C:\Windows\System\hUnOdHC.exe
  2⤵
  PID:8528
- C:\Windows\System\gYpwoat.exe
  C:\Windows\System\gYpwoat.exe
  2⤵
  PID:8812
- C:\Windows\System\LmznHok.exe
  C:\Windows\System\LmznHok.exe
  2⤵
  PID:9124
- C:\Windows\System\cyvHcFG.exe
  C:\Windows\System\cyvHcFG.exe
  2⤵
  PID:9244
- C:\Windows\System\CalYAHk.exe
  C:\Windows\System\CalYAHk.exe
  2⤵
  PID:9272
- C:\Windows\System\puRpkXA.exe
  C:\Windows\System\puRpkXA.exe
  2⤵
  PID:9300
- C:\Windows\System\oquIWfx.exe
  C:\Windows\System\oquIWfx.exe
  2⤵
  PID:9328
- C:\Windows\System\LylZWhv.exe
  C:\Windows\System\LylZWhv.exe
  2⤵
  PID:9356
- C:\Windows\System\oiPcBYT.exe
  C:\Windows\System\oiPcBYT.exe
  2⤵
  PID:9384
- C:\Windows\System\bSIPcDF.exe
  C:\Windows\System\bSIPcDF.exe
  2⤵
  PID:9412
- C:\Windows\System\IzuJROu.exe
  C:\Windows\System\IzuJROu.exe
  2⤵
  PID:9440
- C:\Windows\System\XLcErEx.exe
  C:\Windows\System\XLcErEx.exe
  2⤵
  PID:9468
- C:\Windows\System\deoRIKU.exe
  C:\Windows\System\deoRIKU.exe
  2⤵
  PID:9496
- C:\Windows\System\sakdaTB.exe
  C:\Windows\System\sakdaTB.exe
  2⤵
  PID:9524
- C:\Windows\System\cucTdci.exe
  C:\Windows\System\cucTdci.exe
  2⤵
  PID:9552
- C:\Windows\System\sFmQpXn.exe
  C:\Windows\System\sFmQpXn.exe
  2⤵
  PID:9580
- C:\Windows\System\AKHbsBF.exe
  C:\Windows\System\AKHbsBF.exe
  2⤵
  PID:9608
- C:\Windows\System\WOEBMUE.exe
  C:\Windows\System\WOEBMUE.exe
  2⤵
  PID:9636
- C:\Windows\System\PTsyuPL.exe
  C:\Windows\System\PTsyuPL.exe
  2⤵
  PID:9664
- C:\Windows\System\GWTeMiW.exe
  C:\Windows\System\GWTeMiW.exe
  2⤵
  PID:9692
- C:\Windows\System\eLhKjln.exe
  C:\Windows\System\eLhKjln.exe
  2⤵
  PID:9720
- C:\Windows\System\IBuGDJI.exe
  C:\Windows\System\IBuGDJI.exe
  2⤵
  PID:9748
- C:\Windows\System\anIupvQ.exe
  C:\Windows\System\anIupvQ.exe
  2⤵
  PID:9776
- C:\Windows\System\TRXBZPK.exe
  C:\Windows\System\TRXBZPK.exe
  2⤵
  PID:9804
- C:\Windows\System\kqCnBBv.exe
  C:\Windows\System\kqCnBBv.exe
  2⤵
  PID:9832
- C:\Windows\System\zbRxQrZ.exe
  C:\Windows\System\zbRxQrZ.exe
  2⤵
  PID:9860
- C:\Windows\System\ReaCUZG.exe
  C:\Windows\System\ReaCUZG.exe
  2⤵
  PID:9888
- C:\Windows\System\LmVynve.exe
  C:\Windows\System\LmVynve.exe
  2⤵
  PID:9956
- C:\Windows\System\nXaIfgK.exe
  C:\Windows\System\nXaIfgK.exe
  2⤵
  PID:9996
- C:\Windows\System\muKkxUB.exe
  C:\Windows\System\muKkxUB.exe
  2⤵
  PID:10020
- C:\Windows\System\OySMGme.exe
  C:\Windows\System\OySMGme.exe
  2⤵
  PID:10060
- C:\Windows\System\nBxxKWm.exe
  C:\Windows\System\nBxxKWm.exe
  2⤵
  PID:10080
- C:\Windows\System\UvmXHcm.exe
  C:\Windows\System\UvmXHcm.exe
  2⤵
  PID:10116
- C:\Windows\System\WlgHXYW.exe
  C:\Windows\System\WlgHXYW.exe
  2⤵
  PID:10144
- C:\Windows\System\CSFCghX.exe
  C:\Windows\System\CSFCghX.exe
  2⤵
  PID:10172
- C:\Windows\System\PFupyrF.exe
  C:\Windows\System\PFupyrF.exe
  2⤵
  PID:10192
- C:\Windows\System\BugfUSh.exe
  C:\Windows\System\BugfUSh.exe
  2⤵
  PID:10228
- C:\Windows\System\gfFlSpt.exe
  C:\Windows\System\gfFlSpt.exe
  2⤵
  PID:4888
- C:\Windows\System\RVLnfrE.exe
  C:\Windows\System\RVLnfrE.exe
  2⤵
  PID:8668
- C:\Windows\System\GMUDIIr.exe
  C:\Windows\System\GMUDIIr.exe
  2⤵
  PID:9000
- C:\Windows\System\LJfvUHq.exe
  C:\Windows\System\LJfvUHq.exe
  2⤵
  PID:9268
- C:\Windows\System\ARBQKgr.exe
  C:\Windows\System\ARBQKgr.exe
  2⤵
  PID:9292
- C:\Windows\System\tKFiqLl.exe
  C:\Windows\System\tKFiqLl.exe
  2⤵
  PID:9376
- C:\Windows\System\VkVRCfU.exe
  C:\Windows\System\VkVRCfU.exe
  2⤵
  PID:9428
- C:\Windows\System\RkpNtwE.exe
  C:\Windows\System\RkpNtwE.exe
  2⤵
  PID:9484
- C:\Windows\System\YBohySK.exe
  C:\Windows\System\YBohySK.exe
  2⤵
  PID:9544
- C:\Windows\System\rjUerHa.exe
  C:\Windows\System\rjUerHa.exe
  2⤵
  PID:9568
- C:\Windows\System\VqaoQPK.exe
  C:\Windows\System\VqaoQPK.exe
  2⤵
  PID:9648
- C:\Windows\System\beiTFNN.exe
  C:\Windows\System\beiTFNN.exe
  2⤵
  PID:9712
- C:\Windows\System\wAMmWdP.exe
  C:\Windows\System\wAMmWdP.exe
  2⤵
  PID:9764
- C:\Windows\System\HlmhDSo.exe
  C:\Windows\System\HlmhDSo.exe
  2⤵
  PID:4244
- C:\Windows\System\FHJhBYg.exe
  C:\Windows\System\FHJhBYg.exe
  2⤵
  PID:956
- C:\Windows\System\HAruBkR.exe
  C:\Windows\System\HAruBkR.exe
  2⤵
  PID:880
- C:\Windows\System\bUMenzs.exe
  C:\Windows\System\bUMenzs.exe
  2⤵
  PID:1428
- C:\Windows\System\KTQNgtQ.exe
  C:\Windows\System\KTQNgtQ.exe
  2⤵
  PID:552
- C:\Windows\System\Ugcyvmy.exe
  C:\Windows\System\Ugcyvmy.exe
  2⤵
  PID:808
- C:\Windows\System\IRLolXD.exe
  C:\Windows\System\IRLolXD.exe
  2⤵
  PID:3380
- C:\Windows\System\ZKmCxmu.exe
  C:\Windows\System\ZKmCxmu.exe
  2⤵
  PID:3644
- C:\Windows\System\kJlKBla.exe
  C:\Windows\System\kJlKBla.exe
  2⤵
  PID:2280
- C:\Windows\System\kyTZVzg.exe
  C:\Windows\System\kyTZVzg.exe
  2⤵
  PID:4684
- C:\Windows\System\osWzJfe.exe
  C:\Windows\System\osWzJfe.exe
  2⤵
  PID:1716
- C:\Windows\System\sPnZWcI.exe
  C:\Windows\System\sPnZWcI.exe
  2⤵
  PID:9900
- C:\Windows\System\ywMdVXC.exe
  C:\Windows\System\ywMdVXC.exe
  2⤵
  PID:4792
- C:\Windows\System\aUIXHud.exe
  C:\Windows\System\aUIXHud.exe
  2⤵
  PID:9968
- C:\Windows\System\WuWQNhF.exe
  C:\Windows\System\WuWQNhF.exe
  2⤵
  PID:4920
- C:\Windows\System\kJCXxJE.exe
  C:\Windows\System\kJCXxJE.exe
  2⤵
  PID:10016
- C:\Windows\System\MPQqWBv.exe
  C:\Windows\System\MPQqWBv.exe
  2⤵
  PID:10068
- C:\Windows\System\wXdMFMe.exe
  C:\Windows\System\wXdMFMe.exe
  2⤵
  PID:10156
- C:\Windows\System\ggQcDnx.exe
  C:\Windows\System\ggQcDnx.exe
  2⤵
  PID:10216
- C:\Windows\System\vpOOqEm.exe
  C:\Windows\System\vpOOqEm.exe
  2⤵
  PID:4464
- C:\Windows\System\RyEcMJW.exe
  C:\Windows\System\RyEcMJW.exe
  2⤵
  PID:2416
- C:\Windows\System\XNpiJKF.exe
  C:\Windows\System\XNpiJKF.exe
  2⤵
  PID:4456
- C:\Windows\System\ojfqXGb.exe
  C:\Windows\System\ojfqXGb.exe
  2⤵
  PID:9536
- C:\Windows\System\bdgSsKE.exe
  C:\Windows\System\bdgSsKE.exe
  2⤵
  PID:9680
- C:\Windows\System\eehCgec.exe
  C:\Windows\System\eehCgec.exe
  2⤵
  PID:2204
- C:\Windows\System\tnVMpUN.exe
  C:\Windows\System\tnVMpUN.exe
  2⤵
  PID:9656
- C:\Windows\System\nbPTaQf.exe
  C:\Windows\System\nbPTaQf.exe
  2⤵
  PID:5092
- C:\Windows\System\NKAsFoQ.exe
  C:\Windows\System\NKAsFoQ.exe
  2⤵
  PID:1056
- C:\Windows\System\djSdsJm.exe
  C:\Windows\System\djSdsJm.exe
  2⤵
  PID:1420
- C:\Windows\System\yiTLhpg.exe
  C:\Windows\System\yiTLhpg.exe
  2⤵
  PID:5064
- C:\Windows\System\DvnhYSO.exe
  C:\Windows\System\DvnhYSO.exe
  2⤵
  PID:3972
- C:\Windows\System\ILFFlAJ.exe
  C:\Windows\System\ILFFlAJ.exe
  2⤵
  PID:9988
- C:\Windows\System\AtvDnsm.exe
  C:\Windows\System\AtvDnsm.exe
  2⤵
  PID:10108
- C:\Windows\System\jVIuwbY.exe
  C:\Windows\System\jVIuwbY.exe
  2⤵
  PID:9232
- C:\Windows\System\ZZJYjDE.exe
  C:\Windows\System\ZZJYjDE.exe
  2⤵
  PID:460
- C:\Windows\System\LZumAIL.exe
  C:\Windows\System\LZumAIL.exe
  2⤵
  PID:9816
- C:\Windows\System\emzRxsp.exe
  C:\Windows\System\emzRxsp.exe
  2⤵
  PID:9852
- C:\Windows\System\mddiGik.exe
  C:\Windows\System\mddiGik.exe
  2⤵
  PID:924
- C:\Windows\System\hdFEnuV.exe
  C:\Windows\System\hdFEnuV.exe
  2⤵
  PID:10056
- C:\Windows\System\FPtKAwX.exe
  C:\Windows\System\FPtKAwX.exe
  2⤵
  PID:9404
- C:\Windows\System\kasuuYR.exe
  C:\Windows\System\kasuuYR.exe
  2⤵
  PID:4552
- C:\Windows\System\Bzjxroa.exe
  C:\Windows\System\Bzjxroa.exe
  2⤵
  PID:992
- C:\Windows\System\uwMDOeb.exe
  C:\Windows\System\uwMDOeb.exe
  2⤵
  PID:4568
- C:\Windows\System\Rdyfskm.exe
  C:\Windows\System\Rdyfskm.exe
  2⤵
  PID:10252
- C:\Windows\System\QOiPMmb.exe
  C:\Windows\System\QOiPMmb.exe
  2⤵
  PID:10280
- C:\Windows\System\TffOfxu.exe
  C:\Windows\System\TffOfxu.exe
  2⤵
  PID:10316
- C:\Windows\System\ahofdWg.exe
  C:\Windows\System\ahofdWg.exe
  2⤵
  PID:10344
- C:\Windows\System\PxOfeun.exe
  C:\Windows\System\PxOfeun.exe
  2⤵
  PID:10372
- C:\Windows\System\hLgvVZB.exe
  C:\Windows\System\hLgvVZB.exe
  2⤵
  PID:10400
- C:\Windows\System\vXoSMcy.exe
  C:\Windows\System\vXoSMcy.exe
  2⤵
  PID:10428
- C:\Windows\System\xYSufkq.exe
  C:\Windows\System\xYSufkq.exe
  2⤵
  PID:10456
- C:\Windows\System\qnNdhUA.exe
  C:\Windows\System\qnNdhUA.exe
  2⤵
  PID:10484
- C:\Windows\System\GIiIrkT.exe
  C:\Windows\System\GIiIrkT.exe
  2⤵
  PID:10512
- C:\Windows\System\XFhOBUs.exe
  C:\Windows\System\XFhOBUs.exe
  2⤵
  PID:10540
- C:\Windows\System\rTjAfAj.exe
  C:\Windows\System\rTjAfAj.exe
  2⤵
  PID:10568
- C:\Windows\System\zsYelcO.exe
  C:\Windows\System\zsYelcO.exe
  2⤵
  PID:10596
- C:\Windows\System\jTDkluA.exe
  C:\Windows\System\jTDkluA.exe
  2⤵
  PID:10624
- C:\Windows\System\hQsnnjj.exe
  C:\Windows\System\hQsnnjj.exe
  2⤵
  PID:10652
- C:\Windows\System\jrVHRhM.exe
  C:\Windows\System\jrVHRhM.exe
  2⤵
  PID:10680
- C:\Windows\System\OJWGoMv.exe
  C:\Windows\System\OJWGoMv.exe
  2⤵
  PID:10708
- C:\Windows\System\nYmcKtZ.exe
  C:\Windows\System\nYmcKtZ.exe
  2⤵
  PID:10736
- C:\Windows\System\SEGxkFO.exe
  C:\Windows\System\SEGxkFO.exe
  2⤵
  PID:10764
- C:\Windows\System\bOPvzOh.exe
  C:\Windows\System\bOPvzOh.exe
  2⤵
  PID:10792
- C:\Windows\System\SLizRoC.exe
  C:\Windows\System\SLizRoC.exe
  2⤵
  PID:10820
- C:\Windows\System\OqrXHQe.exe
  C:\Windows\System\OqrXHQe.exe
  2⤵
  PID:10848
- C:\Windows\System\BPGNijn.exe
  C:\Windows\System\BPGNijn.exe
  2⤵
  PID:10876
- C:\Windows\System\FjWwRYd.exe
  C:\Windows\System\FjWwRYd.exe
  2⤵
  PID:10904
- C:\Windows\System\iKACRZl.exe
  C:\Windows\System\iKACRZl.exe
  2⤵
  PID:10932
- C:\Windows\System\eoISSxg.exe
  C:\Windows\System\eoISSxg.exe
  2⤵
  PID:10964
- C:\Windows\System\XsGcJIO.exe
  C:\Windows\System\XsGcJIO.exe
  2⤵
  PID:10992
- C:\Windows\System\NdmNvyS.exe
  C:\Windows\System\NdmNvyS.exe
  2⤵
  PID:11020
- C:\Windows\System\heKOlAg.exe
  C:\Windows\System\heKOlAg.exe
  2⤵
  PID:11048
- C:\Windows\System\SnPTwuP.exe
  C:\Windows\System\SnPTwuP.exe
  2⤵
  PID:11080
- C:\Windows\System\AqkiklQ.exe
  C:\Windows\System\AqkiklQ.exe
  2⤵
  PID:11108
- C:\Windows\System\kPRLNtJ.exe
  C:\Windows\System\kPRLNtJ.exe
  2⤵
  PID:11156
- C:\Windows\System\AWdqcsk.exe
  C:\Windows\System\AWdqcsk.exe
  2⤵
  PID:11208
- C:\Windows\System\XMUjbkG.exe
  C:\Windows\System\XMUjbkG.exe
  2⤵
  PID:11236
- C:\Windows\System\tqlTzug.exe
  C:\Windows\System\tqlTzug.exe
  2⤵
  PID:10248
- C:\Windows\System\yYWSGfq.exe
  C:\Windows\System\yYWSGfq.exe
  2⤵
  PID:10308
- C:\Windows\System\GHJTZHL.exe
  C:\Windows\System\GHJTZHL.exe
  2⤵
  PID:10368
- C:\Windows\System\ZCZNaeg.exe
  C:\Windows\System\ZCZNaeg.exe
  2⤵
  PID:10444
- C:\Windows\System\kaTMTUc.exe
  C:\Windows\System\kaTMTUc.exe
  2⤵
  PID:10504
- C:\Windows\System\OySmpPz.exe
  C:\Windows\System\OySmpPz.exe
  2⤵
  PID:10564
- C:\Windows\System\lGLnVdm.exe
  C:\Windows\System\lGLnVdm.exe
  2⤵
  PID:10636
- C:\Windows\System\OLAimSD.exe
  C:\Windows\System\OLAimSD.exe
  2⤵
  PID:10700
- C:\Windows\System\IUQWXtT.exe
  C:\Windows\System\IUQWXtT.exe
  2⤵
  PID:10760
- C:\Windows\System\jzXzrZx.exe
  C:\Windows\System\jzXzrZx.exe
  2⤵
  PID:10860
- C:\Windows\System\cUibvUG.exe
  C:\Windows\System\cUibvUG.exe
  2⤵
  PID:10916
- C:\Windows\System\MAgvMTs.exe
  C:\Windows\System\MAgvMTs.exe
  2⤵
  PID:10976
- C:\Windows\System\iuaRkhv.exe
  C:\Windows\System\iuaRkhv.exe
  2⤵
  PID:11032
- C:\Windows\System\CIbGMYN.exe
  C:\Windows\System\CIbGMYN.exe
  2⤵
  PID:11100
- C:\Windows\System\kRnPKVw.exe
  C:\Windows\System\kRnPKVw.exe
  2⤵
  PID:4556
- C:\Windows\System\koHamfB.exe
  C:\Windows\System\koHamfB.exe
  2⤵
  PID:4680
- C:\Windows\System\JMrXdFU.exe
  C:\Windows\System\JMrXdFU.exe
  2⤵
  PID:10396
- C:\Windows\System\RXrfqcx.exe
  C:\Windows\System\RXrfqcx.exe
  2⤵
  PID:10552
- C:\Windows\System\vNcLxim.exe
  C:\Windows\System\vNcLxim.exe
  2⤵
  PID:10812
- C:\Windows\System\JduXSqU.exe
  C:\Windows\System\JduXSqU.exe
  2⤵
  PID:3084
- C:\Windows\System\ACFBmdX.exe
  C:\Windows\System\ACFBmdX.exe
  2⤵
  PID:10616
- C:\Windows\System\OkjsSoN.exe
  C:\Windows\System\OkjsSoN.exe
  2⤵
  PID:10532
- C:\Windows\System\iIWWGAF.exe
  C:\Windows\System\iIWWGAF.exe
  2⤵
  PID:11284
- C:\Windows\System\bFAbRbT.exe
  C:\Windows\System\bFAbRbT.exe
  2⤵
  PID:11324
- C:\Windows\System\DXdtKQr.exe
  C:\Windows\System\DXdtKQr.exe
  2⤵
  PID:11352
- C:\Windows\System\ZSgIpTQ.exe
  C:\Windows\System\ZSgIpTQ.exe
  2⤵
  PID:11380
- C:\Windows\System\tAgxErF.exe
  C:\Windows\System\tAgxErF.exe
  2⤵
  PID:11408
- C:\Windows\System\WyavyXD.exe
  C:\Windows\System\WyavyXD.exe
  2⤵
  PID:11436
- C:\Windows\System\uSubNKl.exe
  C:\Windows\System\uSubNKl.exe
  2⤵
  PID:11464
- C:\Windows\System\OtZcPzf.exe
  C:\Windows\System\OtZcPzf.exe
  2⤵
  PID:11496
- C:\Windows\System\XiedZJJ.exe
  C:\Windows\System\XiedZJJ.exe
  2⤵
  PID:11524
- C:\Windows\System\fqtkZYf.exe
  C:\Windows\System\fqtkZYf.exe
  2⤵
  PID:11556
- C:\Windows\System\ciLZorh.exe
  C:\Windows\System\ciLZorh.exe
  2⤵
  PID:11584
- C:\Windows\System\EGOTVtz.exe
  C:\Windows\System\EGOTVtz.exe
  2⤵
  PID:11632
- C:\Windows\System\RRrTwzc.exe
  C:\Windows\System\RRrTwzc.exe
  2⤵
  PID:11688
- C:\Windows\System\vNLjsip.exe
  C:\Windows\System\vNLjsip.exe
  2⤵
  PID:11716
- C:\Windows\System\yAOjXah.exe
  C:\Windows\System\yAOjXah.exe
  2⤵
  PID:11748
- C:\Windows\System\eCmStIQ.exe
  C:\Windows\System\eCmStIQ.exe
  2⤵
  PID:11780
- C:\Windows\System\wuKKgsF.exe
  C:\Windows\System\wuKKgsF.exe
  2⤵
  PID:11816
- C:\Windows\System\IAaGGEz.exe
  C:\Windows\System\IAaGGEz.exe
  2⤵
  PID:11840
- C:\Windows\System\xCNiofI.exe
  C:\Windows\System\xCNiofI.exe
  2⤵
  PID:11868
- C:\Windows\System\ZJPGvZm.exe
  C:\Windows\System\ZJPGvZm.exe
  2⤵
  PID:11900
- C:\Windows\System\SQBVgIB.exe
  C:\Windows\System\SQBVgIB.exe
  2⤵
  PID:11928
- C:\Windows\System\YFaFKex.exe
  C:\Windows\System\YFaFKex.exe
  2⤵
  PID:11956
- C:\Windows\System\QCjVAUg.exe
  C:\Windows\System\QCjVAUg.exe
  2⤵
  PID:11984
- C:\Windows\System\mSbDYVV.exe
  C:\Windows\System\mSbDYVV.exe
  2⤵
  PID:12024
- C:\Windows\System\UbsfvhX.exe
  C:\Windows\System\UbsfvhX.exe
  2⤵
  PID:12052
- C:\Windows\System\hiBrklM.exe
  C:\Windows\System\hiBrklM.exe
  2⤵
  PID:12080
- C:\Windows\System\fGoNXDn.exe
  C:\Windows\System\fGoNXDn.exe
  2⤵
  PID:12108
- C:\Windows\System\vxBbTcX.exe
  C:\Windows\System\vxBbTcX.exe
  2⤵
  PID:12136
- C:\Windows\System\KfqdGyd.exe
  C:\Windows\System\KfqdGyd.exe
  2⤵
  PID:12164
- C:\Windows\System\kpgWASL.exe
  C:\Windows\System\kpgWASL.exe
  2⤵
  PID:12192
- C:\Windows\System\RBjEQLs.exe
  C:\Windows\System\RBjEQLs.exe
  2⤵
  PID:12220
- C:\Windows\System\EaLXbWa.exe
  C:\Windows\System\EaLXbWa.exe
  2⤵
  PID:12256
- C:\Windows\System\IGcZkKH.exe
  C:\Windows\System\IGcZkKH.exe
  2⤵
  PID:12284
- C:\Windows\System\nuTInEX.exe
  C:\Windows\System\nuTInEX.exe
  2⤵
  PID:11364
- C:\Windows\System\gffsrSa.exe
  C:\Windows\System\gffsrSa.exe
  2⤵
  PID:712
- C:\Windows\System\UoNhCSf.exe
  C:\Windows\System\UoNhCSf.exe
  2⤵
  PID:11548
- C:\Windows\System\rTXkkNy.exe
  C:\Windows\System\rTXkkNy.exe
  2⤵
  PID:11728
- C:\Windows\System\wrhaEDh.exe
  C:\Windows\System\wrhaEDh.exe
  2⤵
  PID:4596
- C:\Windows\System\upJyMfa.exe
  C:\Windows\System\upJyMfa.exe
  2⤵
  PID:11804
- C:\Windows\System\oaLRwJD.exe
  C:\Windows\System\oaLRwJD.exe
  2⤵
  PID:11824
- C:\Windows\System\YPDCDdm.exe
  C:\Windows\System\YPDCDdm.exe
  2⤵
  PID:11896
- C:\Windows\System\ZZOSPkG.exe
  C:\Windows\System\ZZOSPkG.exe
  2⤵
  PID:11996
- C:\Windows\System\xRwIjVo.exe
  C:\Windows\System\xRwIjVo.exe
  2⤵
  PID:12072
- C:\Windows\System\JrGMlyZ.exe
  C:\Windows\System\JrGMlyZ.exe
  2⤵
  PID:1132
- C:\Windows\System\stTAZvX.exe
  C:\Windows\System\stTAZvX.exe
  2⤵
  PID:12188
- C:\Windows\System\NwybznD.exe
  C:\Windows\System\NwybznD.exe
  2⤵
  PID:12276
- C:\Windows\System\vlpJXkB.exe
  C:\Windows\System\vlpJXkB.exe
  2⤵
  PID:5008
- C:\Windows\System\KYtqyct.exe
  C:\Windows\System\KYtqyct.exe
  2⤵
  PID:11796
- C:\Windows\System\mePPFbU.exe
  C:\Windows\System\mePPFbU.exe
  2⤵
  PID:11860
- C:\Windows\System\xpedrBV.exe
  C:\Windows\System\xpedrBV.exe
  2⤵
  PID:11976
- C:\Windows\System\mgcHhTC.exe
  C:\Windows\System\mgcHhTC.exe
  2⤵
  PID:12156
- C:\Windows\System\xZUszpC.exe
  C:\Windows\System\xZUszpC.exe
  2⤵
  PID:11280
- C:\Windows\System\SsuVJQR.exe
  C:\Windows\System\SsuVJQR.exe
  2⤵
  PID:11344
- C:\Windows\System\oQDoCxq.exe
  C:\Windows\System\oQDoCxq.exe
  2⤵
  PID:11800
- C:\Windows\System\erapomH.exe
  C:\Windows\System\erapomH.exe
  2⤵
  PID:12128
- C:\Windows\System\uBGPtTg.exe
  C:\Windows\System\uBGPtTg.exe
  2⤵
  PID:11092
- C:\Windows\System\PLEpPvj.exe
  C:\Windows\System\PLEpPvj.exe
  2⤵
  PID:4972
- C:\Windows\System\IJJwnJQ.exe
  C:\Windows\System\IJJwnJQ.exe
  2⤵
  PID:3068
- C:\Windows\System\ZqkNDDd.exe
  C:\Windows\System\ZqkNDDd.exe
  2⤵
  PID:12244
- C:\Windows\System\mdnlESr.exe
  C:\Windows\System\mdnlESr.exe
  2⤵
  PID:11708
- C:\Windows\System\jzFCkvz.exe
  C:\Windows\System\jzFCkvz.exe
  2⤵
  PID:12304
- C:\Windows\System\wjtrpdH.exe
  C:\Windows\System\wjtrpdH.exe
  2⤵
  PID:12332
- C:\Windows\System\XmCJIXJ.exe
  C:\Windows\System\XmCJIXJ.exe
  2⤵
  PID:12360
- C:\Windows\System\gMGiMkS.exe
  C:\Windows\System\gMGiMkS.exe
  2⤵
  PID:12388
- C:\Windows\System\HSipSQs.exe
  C:\Windows\System\HSipSQs.exe
  2⤵
  PID:12416
- C:\Windows\System\sNYKDNo.exe
  C:\Windows\System\sNYKDNo.exe
  2⤵
  PID:12444
- C:\Windows\System\UJXtlxV.exe
  C:\Windows\System\UJXtlxV.exe
  2⤵
  PID:12472
- C:\Windows\System\IOXAtdC.exe
  C:\Windows\System\IOXAtdC.exe
  2⤵
  PID:12500
- C:\Windows\System\ppECLFP.exe
  C:\Windows\System\ppECLFP.exe
  2⤵
  PID:12528
- C:\Windows\System\bsUCeva.exe
  C:\Windows\System\bsUCeva.exe
  2⤵
  PID:12556
- C:\Windows\System\eEhloBK.exe
  C:\Windows\System\eEhloBK.exe
  2⤵
  PID:12584
- C:\Windows\System\vHjSAro.exe
  C:\Windows\System\vHjSAro.exe
  2⤵
  PID:12612
- C:\Windows\System\PiGYXaS.exe
  C:\Windows\System\PiGYXaS.exe
  2⤵
  PID:12640
- C:\Windows\System\LDCSpNX.exe
  C:\Windows\System\LDCSpNX.exe
  2⤵
  PID:12668
- C:\Windows\System\TJNBTrl.exe
  C:\Windows\System\TJNBTrl.exe
  2⤵
  PID:12696
- C:\Windows\System\xBLCSwl.exe
  C:\Windows\System\xBLCSwl.exe
  2⤵
  PID:12724
- C:\Windows\System\QJOyMrW.exe
  C:\Windows\System\QJOyMrW.exe
  2⤵
  PID:12752
- C:\Windows\System\NvGzUUI.exe
  C:\Windows\System\NvGzUUI.exe
  2⤵
  PID:12772
- C:\Windows\System\VEkjLlL.exe
  C:\Windows\System\VEkjLlL.exe
  2⤵
  PID:12788
- C:\Windows\System\wxxINDm.exe
  C:\Windows\System\wxxINDm.exe
  2⤵
  PID:12808
- C:\Windows\System\QjfKdkc.exe
  C:\Windows\System\QjfKdkc.exe
  2⤵
  PID:12872
- C:\Windows\System\PoqLAne.exe
  C:\Windows\System\PoqLAne.exe
  2⤵
  PID:12900
- C:\Windows\System\HVWUAoE.exe
  C:\Windows\System\HVWUAoE.exe
  2⤵
  PID:12932
- C:\Windows\System\jociwXI.exe
  C:\Windows\System\jociwXI.exe
  2⤵
  PID:12960
- C:\Windows\System\flEGxls.exe
  C:\Windows\System\flEGxls.exe
  2⤵
  PID:12988
- C:\Windows\System\EfZpQKA.exe
  C:\Windows\System\EfZpQKA.exe
  2⤵
  PID:13016
- C:\Windows\System\eehfDCI.exe
  C:\Windows\System\eehfDCI.exe
  2⤵
  PID:13044
- C:\Windows\System\PiDlTXW.exe
  C:\Windows\System\PiDlTXW.exe
  2⤵
  PID:13072
- C:\Windows\System\wwefXvw.exe
  C:\Windows\System\wwefXvw.exe
  2⤵
  PID:13100
- C:\Windows\System\fwLYdTg.exe
  C:\Windows\System\fwLYdTg.exe
  2⤵
  PID:13128
- C:\Windows\System\ykddZnH.exe
  C:\Windows\System\ykddZnH.exe
  2⤵
  PID:13156
- C:\Windows\System\xfbeIyo.exe
  C:\Windows\System\xfbeIyo.exe
  2⤵
  PID:13184
- C:\Windows\System\uEMZzas.exe
  C:\Windows\System\uEMZzas.exe
  2⤵
  PID:13212
- C:\Windows\System\xfNbqVK.exe
  C:\Windows\System\xfNbqVK.exe
  2⤵
  PID:13244
- C:\Windows\System\lycLfMD.exe
  C:\Windows\System\lycLfMD.exe
  2⤵
  PID:13272
- C:\Windows\System\lWyrZfb.exe
  C:\Windows\System\lWyrZfb.exe
  2⤵
  PID:13300
- C:\Windows\System\dxjEUts.exe
  C:\Windows\System\dxjEUts.exe
  2⤵
  PID:12324
- C:\Windows\System\ysbEPNn.exe
  C:\Windows\System\ysbEPNn.exe
  2⤵
  PID:12384
- C:\Windows\System\SwrNgaj.exe
  C:\Windows\System\SwrNgaj.exe
  2⤵
  PID:12456
- C:\Windows\System\DhIhfuS.exe
  C:\Windows\System\DhIhfuS.exe
  2⤵
  PID:12520
- C:\Windows\System\eFjjnYY.exe
  C:\Windows\System\eFjjnYY.exe
  2⤵
  PID:12580
- C:\Windows\System\lKLWdSy.exe
  C:\Windows\System\lKLWdSy.exe
  2⤵
  PID:12636
- C:\Windows\System\cWuOpCO.exe
  C:\Windows\System\cWuOpCO.exe
  2⤵
  PID:12712
- C:\Windows\System\ayCkSEa.exe
  C:\Windows\System\ayCkSEa.exe
  2⤵
  PID:12736
- C:\Windows\System\amhaoza.exe
  C:\Windows\System\amhaoza.exe
  2⤵
  PID:12896
- C:\Windows\System\DyGojiK.exe
  C:\Windows\System\DyGojiK.exe
  2⤵
  PID:10676
- C:\Windows\System\ehVrOWM.exe
  C:\Windows\System\ehVrOWM.exe
  2⤵
  PID:13012
- C:\Windows\System\zOGWcea.exe
  C:\Windows\System\zOGWcea.exe
  2⤵
  PID:13124
- C:\Windows\System\IAHcrGW.exe
  C:\Windows\System\IAHcrGW.exe
  2⤵
  PID:3724
- C:\Windows\System\QNvoyhg.exe
  C:\Windows\System\QNvoyhg.exe
  2⤵
  PID:13236
- C:\Windows\System\wlHRPwr.exe
  C:\Windows\System\wlHRPwr.exe
  2⤵
  PID:13296
- C:\Windows\System\moqXXZn.exe
  C:\Windows\System\moqXXZn.exe
  2⤵
  PID:4484
- C:\Windows\System\ChwiTOk.exe
  C:\Windows\System\ChwiTOk.exe
  2⤵
  PID:12496
- C:\Windows\System\IYKHzjH.exe
  C:\Windows\System\IYKHzjH.exe
  2⤵
  PID:12624
- C:\Windows\System\NBzdhkk.exe
  C:\Windows\System\NBzdhkk.exe
  2⤵
  PID:12744
- C:\Windows\System\vGIdRxw.exe
  C:\Windows\System\vGIdRxw.exe
  2⤵
  PID:764
- C:\Windows\System\RJJlanp.exe
  C:\Windows\System\RJJlanp.exe
  2⤵
  PID:13068
- C:\Windows\System\cLugQAz.exe
  C:\Windows\System\cLugQAz.exe
  2⤵
  PID:2460
- C:\Windows\System\uDzoWUm.exe
  C:\Windows\System\uDzoWUm.exe
  2⤵
  PID:13148
- C:\Windows\System\THrddxf.exe
  C:\Windows\System\THrddxf.exe
  2⤵
  PID:12352
- C:\Windows\System\OfgrSmD.exe
  C:\Windows\System\OfgrSmD.exe
  2⤵
  PID:12692
- C:\Windows\System\lYOLYRk.exe
  C:\Windows\System\lYOLYRk.exe
  2⤵
  PID:13064
- C:\Windows\System\GBcNpUK.exe
  C:\Windows\System\GBcNpUK.exe
  2⤵
  PID:13260
- C:\Windows\System\SjjaMAS.exe
  C:\Windows\System\SjjaMAS.exe
  2⤵
  PID:13232
- C:\Windows\System\UisnbHd.exe
  C:\Windows\System\UisnbHd.exe
  2⤵
  PID:12576
- C:\Windows\System\ThoLeEN.exe
  C:\Windows\System\ThoLeEN.exe
  2⤵
  PID:13320
- C:\Windows\System\KgLPwiV.exe
  C:\Windows\System\KgLPwiV.exe
  2⤵
  PID:13348
- C:\Windows\System\zlMKheP.exe
  C:\Windows\System\zlMKheP.exe
  2⤵
  PID:13376
- C:\Windows\System\kyNridS.exe
  C:\Windows\System\kyNridS.exe
  2⤵
  PID:13404
- C:\Windows\System\ridmVSu.exe
  C:\Windows\System\ridmVSu.exe
  2⤵
  PID:13432
- C:\Windows\System\nszjTgg.exe
  C:\Windows\System\nszjTgg.exe
  2⤵
  PID:13460
- C:\Windows\System\OJTHScG.exe
  C:\Windows\System\OJTHScG.exe
  2⤵
  PID:13488
- C:\Windows\System\zbLUdaV.exe
  C:\Windows\System\zbLUdaV.exe
  2⤵
  PID:13516
- C:\Windows\System\EISREEs.exe
  C:\Windows\System\EISREEs.exe
  2⤵
  PID:13544
- C:\Windows\System\hAwLXYl.exe
  C:\Windows\System\hAwLXYl.exe
  2⤵
  PID:13572
- C:\Windows\System\mFsSMRJ.exe
  C:\Windows\System\mFsSMRJ.exe
  2⤵
  PID:13600
- C:\Windows\System\jRyJCQB.exe
  C:\Windows\System\jRyJCQB.exe
  2⤵
  PID:13628
- C:\Windows\System\xIVOwVA.exe
  C:\Windows\System\xIVOwVA.exe
  2⤵
  PID:13660
- C:\Windows\System\ilhvhmV.exe
  C:\Windows\System\ilhvhmV.exe
  2⤵
  PID:13688
- C:\Windows\System\FzOSgoF.exe
  C:\Windows\System\FzOSgoF.exe
  2⤵
  PID:13716
- C:\Windows\System\puGGclP.exe
  C:\Windows\System\puGGclP.exe
  2⤵
  PID:13744
- C:\Windows\System\ZviHlWk.exe
  C:\Windows\System\ZviHlWk.exe
  2⤵
  PID:13772
- C:\Windows\System\CCWXYcq.exe
  C:\Windows\System\CCWXYcq.exe
  2⤵
  PID:13800
- C:\Windows\System\YZZMxVc.exe
  C:\Windows\System\YZZMxVc.exe
  2⤵
  PID:13828
- C:\Windows\System\EvwBzZF.exe
  C:\Windows\System\EvwBzZF.exe
  2⤵
  PID:13856
- C:\Windows\System\ERPdmQK.exe
  C:\Windows\System\ERPdmQK.exe
  2⤵
  PID:13884
- C:\Windows\System\TQCDSYd.exe
  C:\Windows\System\TQCDSYd.exe
  2⤵
  PID:13912
- C:\Windows\System\cPcTWiD.exe
  C:\Windows\System\cPcTWiD.exe
  2⤵
  PID:13940
- C:\Windows\System\ZqdRCyr.exe
  C:\Windows\System\ZqdRCyr.exe
  2⤵
  PID:13968
- C:\Windows\System\zLQlHuh.exe
  C:\Windows\System\zLQlHuh.exe
  2⤵
  PID:13996
- C:\Windows\System\ftYRXld.exe
  C:\Windows\System\ftYRXld.exe
  2⤵
  PID:14024
- C:\Windows\System\BOZEkUX.exe
  C:\Windows\System\BOZEkUX.exe
  2⤵
  PID:14052
- C:\Windows\System\EvELQWg.exe
  C:\Windows\System\EvELQWg.exe
  2⤵
  PID:14080
- C:\Windows\System\vGuatpv.exe
  C:\Windows\System\vGuatpv.exe
  2⤵
  PID:14108
- C:\Windows\System\GkAwfxw.exe
  C:\Windows\System\GkAwfxw.exe
  2⤵
  PID:14136
- C:\Windows\System\LsOVzFW.exe
  C:\Windows\System\LsOVzFW.exe
  2⤵
  PID:14164
- C:\Windows\System\cysvzBg.exe
  C:\Windows\System\cysvzBg.exe
  2⤵
  PID:14192
- C:\Windows\System\tkGRhBe.exe
  C:\Windows\System\tkGRhBe.exe
  2⤵
  PID:14220
- C:\Windows\System\PqZegpY.exe
  C:\Windows\System\PqZegpY.exe
  2⤵
  PID:14248
- C:\Windows\System\GLXixyU.exe
  C:\Windows\System\GLXixyU.exe
  2⤵
  PID:14276
- C:\Windows\System\lucbxYH.exe
  C:\Windows\System\lucbxYH.exe
  2⤵
  PID:14304
- C:\Windows\System\xLyFGxb.exe
  C:\Windows\System\xLyFGxb.exe
  2⤵
  PID:14332
- C:\Windows\System\pxIckkD.exe
  C:\Windows\System\pxIckkD.exe
  2⤵
  PID:13368
- C:\Windows\System\JtvYInn.exe
  C:\Windows\System\JtvYInn.exe
  2⤵
  PID:13428
- C:\Windows\System\uHtoYTi.exe
  C:\Windows\System\uHtoYTi.exe
  2⤵
  PID:13484
- C:\Windows\System\pwdJvFZ.exe
  C:\Windows\System\pwdJvFZ.exe
  2⤵
  PID:13556
- C:\Windows\System\VCvxfiU.exe
  C:\Windows\System\VCvxfiU.exe
  2⤵
  PID:13620
- C:\Windows\System\FjAsghF.exe
  C:\Windows\System\FjAsghF.exe
  2⤵
  PID:13684
- C:\Windows\System\AgICpdQ.exe
  C:\Windows\System\AgICpdQ.exe
  2⤵
  PID:13764
- C:\Windows\System\fjgWqrb.exe
  C:\Windows\System\fjgWqrb.exe
  2⤵
  PID:13824
- C:\Windows\System\MOEgALE.exe
  C:\Windows\System\MOEgALE.exe
  2⤵
  PID:13880
- C:\Windows\System\RPabsOd.exe
  C:\Windows\System\RPabsOd.exe
  2⤵
  PID:13952
- C:\Windows\System\BkRJZwJ.exe
  C:\Windows\System\BkRJZwJ.exe
  2⤵
  PID:14016
- C:\Windows\System\eoVShoP.exe
  C:\Windows\System\eoVShoP.exe
  2⤵
  PID:14076
- C:\Windows\System\RhZUxiw.exe
  C:\Windows\System\RhZUxiw.exe
  2⤵
  PID:14148
- C:\Windows\System\wMiRSsN.exe
  C:\Windows\System\wMiRSsN.exe
  2⤵
  PID:14212
- C:\Windows\System\tupWZBf.exe
  C:\Windows\System\tupWZBf.exe
  2⤵
  PID:14272
- C:\Windows\System\tzcqKDc.exe
  C:\Windows\System\tzcqKDc.exe
  2⤵
  PID:14328
- C:\Windows\System\BicqRbH.exe
  C:\Windows\System\BicqRbH.exe
  2⤵
  PID:13540
- C:\Windows\System\ceIpkyd.exe
  C:\Windows\System\ceIpkyd.exe
  2⤵
  PID:14012
- C:\Windows\System\OrpOSJM.exe
  C:\Windows\System\OrpOSJM.exe
  2⤵
  PID:14340
- C:\Windows\System\aQxYbjN.exe
  C:\Windows\System\aQxYbjN.exe
  2⤵
  PID:14360
- C:\Windows\System\NZUYYTi.exe
  C:\Windows\System\NZUYYTi.exe
  2⤵
  PID:14408
- C:\Windows\System\haWWsZO.exe
  C:\Windows\System\haWWsZO.exe
  2⤵
  PID:14448
- C:\Windows\System\TWYxGNe.exe
  C:\Windows\System\TWYxGNe.exe
  2⤵
  PID:14488
- C:\Windows\System\TfoJIDT.exe
  C:\Windows\System\TfoJIDT.exe
  2⤵
  PID:14508
- C:\Windows\System\cldiuob.exe
  C:\Windows\System\cldiuob.exe
  2⤵
  PID:14536
- C:\Windows\System\xObTtMg.exe
  C:\Windows\System\xObTtMg.exe
  2⤵
  PID:14584
- C:\Windows\System\WSBxIZS.exe
  C:\Windows\System\WSBxIZS.exe
  2⤵
  PID:14620
- C:\Windows\System\NJgGooh.exe
  C:\Windows\System\NJgGooh.exe
  2⤵
  PID:14652
- C:\Windows\System\MxVORlr.exe
  C:\Windows\System\MxVORlr.exe
  2⤵
  PID:14684
- C:\Windows\System\XOlbpvs.exe
  C:\Windows\System\XOlbpvs.exe
  2⤵
  PID:14712
- C:\Windows\System\kNWisHS.exe
  C:\Windows\System\kNWisHS.exe
  2⤵
  PID:14740
- C:\Windows\System\oLRhqpE.exe
  C:\Windows\System\oLRhqpE.exe
  2⤵
  PID:14768
- C:\Windows\System\GbFbNWm.exe
  C:\Windows\System\GbFbNWm.exe
  2⤵
  PID:14800
- C:\Windows\System\oCKjoXY.exe
  C:\Windows\System\oCKjoXY.exe
  2⤵
  PID:14828
- C:\Windows\System\xxUoaSr.exe
  C:\Windows\System\xxUoaSr.exe
  2⤵
  PID:14856
- C:\Windows\System\jroQDxw.exe
  C:\Windows\System\jroQDxw.exe
  2⤵
  PID:14884
- C:\Windows\System\YvPUcMm.exe
  C:\Windows\System\YvPUcMm.exe
  2⤵
  PID:14912
- C:\Windows\System\VMODHOi.exe
  C:\Windows\System\VMODHOi.exe
  2⤵
  PID:14940
- C:\Windows\System\ynebCKD.exe
  C:\Windows\System\ynebCKD.exe
  2⤵
  PID:14968
- C:\Windows\System\fzrwnLw.exe
  C:\Windows\System\fzrwnLw.exe
  2⤵
  PID:14996
- C:\Windows\System\rGXPvAB.exe
  C:\Windows\System\rGXPvAB.exe
  2⤵
  PID:15024
- C:\Windows\System\UvMsfMr.exe
  C:\Windows\System\UvMsfMr.exe
  2⤵
  PID:15052

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:15292
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:15168

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 2860 -i 2860 -h 468 -j 428 -s 476 -d 15280
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:13932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3516

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3344

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7180

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5448

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3556

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:15268

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4240

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4940

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4540

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6512

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6548

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:900

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:10044

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8240

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8244

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8184

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7116

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8368

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8564

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2360

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11936

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1832

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4188

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14320

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13292

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10232

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6324

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9424

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9624

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7304

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11136

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:364

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10604

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6096

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13436

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8216

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5960

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9260

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12996

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9244

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9484

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4792

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10216

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10348

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9820

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13120

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10436

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7908

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6232

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14056

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9076

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\1QK7O5FT\microsoft.windows[1].xml

Filesize
97B

MD5
d999f65105ba511b9a85c92595366aa5

SHA1
acd1800ccb77d1ed5bf43fd29c05fbcdd9d14adb

SHA256
626774fae7cf7de253841c4d2244fa2a50cc4a5abf5cb2d2006afd836412ba5a

SHA512
c793a44c17918e30348fe2b836bfbcf0edacb4f76b99f6dc6a67d8047cfbd2079645a853500e9520b202883f8cce2433690406edf47b08cf334272df6c4c60f9

Download Submit
C:\Windows\System\AUmMEDJ.exe

Filesize
6.0MB

MD5
dab2895f583abea22180f52271531494

SHA1
b62bf91b95a4f84082c7bc0690ee8b57fd213a98

SHA256
e2d589e4f33f05e991af13bd4a2733e8e4642939a2f1ffae0e23cc1a3b3fae3f

SHA512
c7724dfa8157914c200a61f1b73cb7ac400fa226495300b85f7b32c1b81ec0ddb8e2d8dbd83c6d94d26d176f3c047fa69ca8512eb99ac7276afcd8e62330a0fb

Download Submit
C:\Windows\System\BaPAPYq.exe

Filesize
6.0MB

MD5
0f38e64d778b569aab154bc36474ccf6

SHA1
5f02cab38e7a0a7b5eec06da5efa509fe5564eba

SHA256
14de51713f94144c842cf326d1ec9b860a40921c2593027ef8583151eaeb338b

SHA512
5dc2a9ce31262c86705f56a2b24f57a82332cf0e22becef582b51da8b14f535a7eccf914e33431a99bca603087299ce5c29c011535c800383e954a255d4016f9

Download Submit
C:\Windows\System\DrTWDXc.exe

Filesize
6.0MB

MD5
f36968b61ac2c47311b7fb16d68f9721

SHA1
0ab04339bdd526dcb3ffae0d7bf52e95aa280846

SHA256
156b4fcc4971af4501b891b18e0b32807b43e6b0c3b179c05e89f0c9bafb18b3

SHA512
a559dc6acfc4412eb951343ab52018ffa0378cec8c475210e5b1f60ddddf672cc4db39e6a099d71fbc08561468fa2d8d7a7d52d14ecf99b09f92a3866cd03b8c

Download Submit
C:\Windows\System\DvWGzJp.exe

Filesize
6.0MB

MD5
c97c6e28287f0099d80dfaa07d6f8e52

SHA1
c453aa291f24d053c29156b8a65ad5d8ab3a7950

SHA256
fcd02f071b94fc26b191fe0529081fb5f9ab6cfc0960975c3cd2f5359a3a2076

SHA512
03053564f14b31578ef02641fab28b74fe9afac9729094cdd8b2d4074cebe0eca7d745bdfc9ffc739f6fdddbf3f44ed2d67a3ab4d00af9552d11f7306b44650a

Download Submit
C:\Windows\System\HjzWNlE.exe

Filesize
6.0MB

MD5
5030b864e60b56d690185b9aaa228611

SHA1
4418ef16133fb47bcd352cf4c7b82a7029516316

SHA256
d4e832d597ebcd957f0f23867cc772a96c29eb265aa52213beedbdf6f669d81c

SHA512
1142647b1b481c0966f7c58a736e06b9f374281b8525ed88f8f0da08232144ece9b376342dcd532b5d377b26698d45733a55572a6ab42e9f9fd163257207ec76

Download Submit
C:\Windows\System\JdiApoc.exe

Filesize
6.0MB

MD5
6dc8c0522f44e45a5c0aaf8edf865671

SHA1
2330d973d09d3bec65b7ef145bced505e2ba8512

SHA256
76d6df8ed7c2fb6c49e63fb4cc80fb5b4b21b877cb26dfda41b2e46b2ba2a0d5

SHA512
b6da37623dd45c600596c406646fbd77512dde923cb52143ec7e8ac736ae811767290d570f3ec3bf1163dcb958a0488c97fd56f2dc98a997eef657ec8c6a962d

Download Submit
C:\Windows\System\KtzhMnf.exe

Filesize
6.0MB

MD5
3c148f5fa1d5cb59d2fccec5437f283e

SHA1
25c9a33dcf38412e9b9748805104d51511de0fa4

SHA256
ac99a8431c9492d4df76d8f02805b03f01746c15e040aa3f34633970604f498e

SHA512
c841ea3b516b522e282703ef0d364dc5da4891bcfadf31847fa94c9eed7d5e05b454b4d1640507b5334843c83508efa4f5a394f70691d4324d83ac8c2a22e0f4

Download Submit
C:\Windows\System\LlsnIwr.exe

Filesize
6.0MB

MD5
a1804a0594ad41295122fee611370238

SHA1
cdb5bb1ca65cf3787380af116fe1438e887a57c1

SHA256
884899c59b4611772741e49306b408c6b4cdb385f28c72d7c2c3c2b143a91e5c

SHA512
cb57488f8f9b4f5c5e1ca40759e2b9432a28bda63f4c63332202f66ea51de2ce2abf07d40c6891371a79427b59c34567be6e3dbf464885a65b21ba7910b70302

Download Submit
C:\Windows\System\MNybuwB.exe

Filesize
6.0MB

MD5
cd70f293bf407d630d78154f9dd16df5

SHA1
17734f7b71da971cead8a1921bd179ff944d13f5

SHA256
1517c244ab51383c3c95673bf7ae9f5c6f6967cb159e95658db84dad5206878f

SHA512
7efd8ff8cd1891cc0171ad97f74aabd25808c828de4057feded51faaf265510ed6ab707710a5cfb4b3ee04441611ef1cfd5660de34657e0acf1c802a051c9657

Download Submit
C:\Windows\System\NMtfxey.exe

Filesize
6.0MB

MD5
3bcf61fc7ae3b9ad243e224518277165

SHA1
97071a32039a9ee5b4a51a010b2fc94d134fb5ad

SHA256
a48b5de9849fbbf9fa8ae9abcdece02019ae8b85333538995eea42b6b8dedd99

SHA512
ffb09cac10bd58c317ce51795d96bd2c7ec92df0d9e843810c8e79a74795e720eab2cd1ee7f0564847cc3894299e55b31dbe8a95b0c2b7a5c9a56668c26e95cb

Download Submit
C:\Windows\System\NmzFqtq.exe

Filesize
6.0MB

MD5
4c0f8b44298df76ca4d394a2c0022b49

SHA1
d3ef2702ac1773a9183633e2d35196238f7d2874

SHA256
00f8afa3af60fb6ad9286abb74901ae3ddf91ffe50acbdac7c77ba9411a20f70

SHA512
dd0329cab8aa0c2d18320b5f21227d63386f8a69b3697fd35f4bf5a7cb1b82d2cebef93a67e34cd6a4c7f3629b45fd06985bccb441761372181bba9f92430237

Download Submit
C:\Windows\System\OsSMRec.exe

Filesize
6.0MB

MD5
4b61c17800f6c670d0366d4e16c738bc

SHA1
cd96b2a8c12121bf9219cf5c7178b3536208e2ab

SHA256
5926cee8d1d7f7990f0a785204b1a6364ee1a693e31c5cce22172a83b2128e65

SHA512
061896b059a222293e14572964938ab3c15bd90f6095da5aabe1103ec3af15a99021c1faa2b4c62407317ebfde042e26e0e97fc7f694ba1133028b432606a359

Download Submit
C:\Windows\System\PByBvvc.exe

Filesize
6.0MB

MD5
8947417322f7f3f4b1e89cfd82901ccb

SHA1
1d278602f3c9e2e5de1bc67675e9edfa8507693e

SHA256
21dfad5b5005e001fa0a6fbbf6a08841b19804d88ab41028b0940b900247fcdf

SHA512
e10e3f67ce126fa9ac2da70b7fee7e0fab8c3df3439f1a5ba861b1fd9544f4461ddc74e1aaa7abb9fe3b71917f115e5d06c7ffb870ff3278ba85615463339aa0

Download Submit
C:\Windows\System\QIDcnMd.exe

Filesize
6.0MB

MD5
18ead8cdb95ea99a7502bda5b61dd4b5

SHA1
8ea3f2a4ef8900e17695f6aa46f2a979fb8ae4b8

SHA256
0cb63ef15106549a3d4d020493e8a9f39f3f0f7c654e3142245e8729392472dc

SHA512
dab00220c7ab6f5f17b9b1bee3ce917c9414a1995869e4dfe49cf9329f3c475b4626cbe67b690ec9a8e980d89aa5c52acb62beb36fa72929cf48b0a640a9083c

Download Submit
C:\Windows\System\URIwatC.exe

Filesize
6.0MB

MD5
b7aa2102c15b48bb49ec39597e2e18b3

SHA1
ff7edf9405ddb98fead2af4c80f119f076729eb2

SHA256
04834046cbe80d1ad9bc81e248cafe6479e0d2f871b0c56559ac5366ca3d60fb

SHA512
ac1f559fa0c0a80f44d05c541dd19ce673c250382dbe207b6312e8b0830964962b2b33ea90eb1f12fa479327c983b36da655e037100b8d23fd115634a878df10

Download Submit
C:\Windows\System\WPimKpW.exe

Filesize
6.0MB

MD5
205cc4ac764e9a32a44de88ddffed3e2

SHA1
c0d5fa0e69deccc108cc0b48c40e4cbec6d3d313

SHA256
95a7388c409a0ecf684c1fc1a76b3eaeb2cd2bb024d55f2df43ab1dd902e9ce9

SHA512
1483bda1e72e9e215e2f8907e00f96aeb8f6be31da3d17c0d5d9cacd1896452f572af7e72861495de21025f83d9846ec21d99e5e03825f4a47eeb9651d3261f5

Download Submit
C:\Windows\System\ZTgcbWP.exe

Filesize
6.0MB

MD5
c5437eb1e02f316fdb94439da56247d9

SHA1
83d8cd3a91029d0312d6a160208497b3664a9815

SHA256
932276e54045458cb9cdf28ccad2a7b42cb2462175e183930a9cd9705148b0ac

SHA512
a98ee20b729c3ab3cdabcc2bf8b23628bb9609d852f0378551d7d796534c8b2332f723a5e21e567826d0743b17cf406a353cd9d50923c997b9f15622d229e14e

Download Submit
C:\Windows\System\aVxYcZF.exe

Filesize
6.0MB

MD5
ecde5e290d4fda4fd4ea97d33e7259b9

SHA1
b12aee50848aaa76cc08cc34ce99f4bedf94eaf6

SHA256
c2cdcfa74dfa4f853651cc4956d5c686653674741ad404b45d524d429051e428

SHA512
d693d2f25db0ba86b241d545e1e6578ecf7a45084333d040007100e6005484bff3dbb1468c3a4be682665a9dccbe77f0a479402debc5a2a50daadb25aa671594

Download Submit
C:\Windows\System\gpogchC.exe

Filesize
6.0MB

MD5
f7b1a119c680d8bd8640858d9fd5e732

SHA1
a9492bca480db9bede9f6484c5732e2e6c60d041

SHA256
75f2a7377bf31204ca74acbb6deb39887eef8fc083a19ebc2e20df4e4406c88c

SHA512
e685f15a25bf4f70330bc18b694abb44765879be5c790afad0b14e947a13c6cc7c1fc46b9dac1c472ce80167f891f80b66535b17766ec9c35384d2b3a67729ac

Download Submit
C:\Windows\System\hfyKSKB.exe

Filesize
6.0MB

MD5
d92ea613cf5880a859bab18282d26384

SHA1
b73d5d3ec6df4772a08e505821c5c17218bcc86a

SHA256
2c94ba5f6dc6d8e181e70169ed7e53dfca81b503f511a449f53ae517a1b8653e

SHA512
dbbbacbe5913c16247e07438dac41f9adbaed2f1efccfe372b3c7b8e33db17621852b44893127b6e8644272dc0c6524851902c161882ee033ba645a4d598c391

Download Submit
C:\Windows\System\lmTsJcb.exe

Filesize
6.0MB

MD5
85c7f8dafa52f922e7f8256a3a9843e2

SHA1
0a528ebc91ab3e9fcc60355fef43c73be3d22258

SHA256
65b26dcf4328144aa2fa28900ec221cabc7e4b6088944bd91af6ed459dea6798

SHA512
2eb8518ffe80869a5691ffbc2939ddd1da39db059b4aba5bb62778695340b3133dcc99bfd652ba8b23496c4659ae83df176b7975c27df051e6f843832648f765

Download Submit
C:\Windows\System\nDcZCua.exe

Filesize
6.0MB

MD5
133c3fd595977b6dd861374cb8739d3b

SHA1
b92bf84151479f8fdbb63feb0dda1f2cedeec20b

SHA256
1703849f11d6cf2a43421355352afd0c6294dc8e00cad6672092cbb1e2964264

SHA512
4d824152be8e0ae00057847967038e1599b44516e9d28503977ad2d83eb7d2bb295c0d708077d325c861a00a38924f9710d8d91b377811d0d55a4b9bc944ad84

Download Submit
C:\Windows\System\pCqevHv.exe

Filesize
6.0MB

MD5
e4ac58ac31957412e37d93180df4cf67

SHA1
94691b13e94d3bf4878bef2f4746e989c17c33a5

SHA256
2e935fc2554f80e1a35e4d625890db96149a03e3916805fa560df47e7e9c8c86

SHA512
bd9cd61f9b4e300f2b1c8034187ea7d1d3afe2862d7317f7f10cd7b5504377090e363694d58af6ccec94b51a9cc92616589860d8fb0555176e8180e6c0bae8f6

Download Submit
C:\Windows\System\qlLuHga.exe

Filesize
6.0MB

MD5
e482a42dea7c6223e4684eb07ee0d2b9

SHA1
152f7a04cf96bc8d8c37eb1be872ba37e4b87347

SHA256
553479d94fe24b5f7afec78e8667baa875e00f8a8cab7b6d35def2119b119466

SHA512
ee29301758d128f271214837ac1d97fa46365a6c78de9bc2ef44250679f68c9bd13b8990c9ad71927eed22632ed29c5be583f55224fd563b56d1f97f4de79731

Download Submit
C:\Windows\System\reuDaAv.exe

Filesize
6.0MB

MD5
39679a904ab24038c6a9eae9ff4d01fa

SHA1
b84395d6726853669ce6a033f773d1f19c235a1b

SHA256
6b3eb755097c4b0def8e5414d63cd09e546912a1d180d3e50bcd6275350bfae8

SHA512
6799f8057e27e8b99adaa6871775fe9251d9beb667e521f3025dd98d32b62aea977c685b7c457fa6beff88a18a52398113447b1838016976b57c242a7bc2614c

Download Submit
C:\Windows\System\ruOUzdZ.exe

Filesize
6.0MB

MD5
cd5dfae25d661a1834b0ebd05c822863

SHA1
a8ebe33a6b4d735f5f9b6083e2af6aea724d246f

SHA256
0e4d471b1a686fb54dfedeeff7a1e39ed35d9955a28fc5e6aaed4dd0e90b45a1

SHA512
e8c9bee84cb86b5b93c2a3adb624771b2ff5cc2bdf68f62f6c9929c483b2a8834e6ebdbde7d34a089b566590082ea3abbe37febe41f087a32a32abecaa921301

Download Submit
C:\Windows\System\uMREJCi.exe

Filesize
6.0MB

MD5
719e09c90d314eafe9cd5131406028d0

SHA1
74fa5f2c88976436325337e95f682a71aefb73c4

SHA256
23b432c4eb98563e1b976bfc1059235b7e3feb874395b66902c8ed8f3158d41a

SHA512
121f6b105a30d31eaf4b461966caa15c4692e48ad6eb32d7e63b7fc1ee8893da0a6259f0e883a86a775a37c8d9b6e58342fa281cfdd9de4b1e1f5badec54ba14

Download Submit
C:\Windows\System\wTAMnhe.exe

Filesize
6.0MB

MD5
42f39498db5a84613e823efd0d342163

SHA1
4446439efb1bb56b5dee0b11d97593740a2ed901

SHA256
9245a350683f7a829f84ab2c52e0b61626b90e225888f3dc646c1a40de9c8321

SHA512
e934fb6258d75093ada5a68973d67a58b4a648f58b0ec2472495e5b7bcdfdf90ddf27566f37da3a43cf5d499df0b8c3902d82e6613d5c097c72b720a910d5772

Download Submit
C:\Windows\System\wsZGook.exe

Filesize
6.0MB

MD5
e847265ed6c2a90f98b9472ba8e6d8f3

SHA1
993a780db8a318ffb8fe81f58d8d3b33038822d6

SHA256
b8647ba011d04b7349fc27e205a0e599624ad5494fb639b06392b2d8e308a214

SHA512
261147c60b0ab574c116ca2c3856c36dfc89248a262abfa9383fc90e0223438c52020bf8a56e8149758ecf0683a9a13c029bb8f81967b3118f87ee9a9a719dff

Download Submit
C:\Windows\System\xBBFAuF.exe

Filesize
6.0MB

MD5
9f3300e61e63e5c30167cfd7b58de370

SHA1
5dda9bce74e5a97d5008cc4fc9cef723f1dad3d8

SHA256
7aeb04f16616fb0e63350995e28aca1285dd82ec66cdfe3102a4cba9278b108e

SHA512
30a3e958a64d507652382932e4b0de1e11cd4ce1f461624930bb02b736ec996d6a78ec4763300bc68a4c9e6eeeb20d6e7b2309410fd8022688a4384c32ece58a

Download Submit
C:\Windows\System\yMVposg.exe

Filesize
6.0MB

MD5
c3b439d26a4dbc9626ab3bb2102fade3

SHA1
af88bd3732983d1bc9b881e162aee43d9855ef0d

SHA256
0d1e84612667bfbc0bac2914ce4bbcbb95bb63478a8c87f8700b17a9e21b6132

SHA512
faa15de4ff3438db93bf7a93622489620bd032eb2f7ee89a70ed78b3ade50f978b5583b8ae16db9bae5dc89940a1951efd1bcb2f598dc9cc0bf851f65d5b9be1

Download Submit
C:\Windows\System\ylFpIUm.exe

Filesize
6.0MB

MD5
068e73c5fa09f54a001f4ab7370bbc44

SHA1
dbb62a6f4be2dcaec9b73f27d06ad47f61663435

SHA256
30fde54335d1865694d17a4d4cc71774807cc392e473ca5e60b69c00a92b0e31

SHA512
1f85aa630aab9756a5ebcee9ce2e16711c8e79c01a8e20b15e3d716f3d6d04f9a0c529c11976266bbeed67ababfb8013504e046c46e1ed49cad4e82cd30f8b79

Download Submit
C:\Windows\System\zgjoTJF.exe

Filesize
6.0MB

MD5
3b68bf6ab947b0495fbfdc91220f32ca

SHA1
3fc677e54eaa21a70e719bcbc075ab5b30dfa4a3

SHA256
c22a9f570aa87a17a3ac63a59142ef75a811d3037f00c6a6a1c0f1230f879bb5

SHA512
8d893c442cb50ac4193c83b3c5389e41ef3ed263ae050624447ac0478e843a37995bb4f682eba530c07dd430c0905c19ab45507a9e1f53c99e18a173b228259f

Download Submit
memory/232-48-0x00007FF6F52E0000-0x00007FF6F5634000-memory.dmp

Filesize
3.3MB

Download
memory/232-2253-0x00007FF6F52E0000-0x00007FF6F5634000-memory.dmp

Filesize
3.3MB

Download
memory/232-116-0x00007FF6F52E0000-0x00007FF6F5634000-memory.dmp

Filesize
3.3MB

Download
memory/452-199-0x00007FF7E2F50000-0x00007FF7E32A4000-memory.dmp

Filesize
3.3MB

Download
memory/452-2270-0x00007FF7E2F50000-0x00007FF7E32A4000-memory.dmp

Filesize
3.3MB

Download
memory/452-1816-0x00007FF7E2F50000-0x00007FF7E32A4000-memory.dmp

Filesize
3.3MB

Download
memory/716-60-0x00007FF75F110000-0x00007FF75F464000-memory.dmp

Filesize
3.3MB

Download
memory/716-1-0x000001F64A620000-0x000001F64A630000-memory.dmp

Filesize
64KB

Download
memory/716-0-0x00007FF75F110000-0x00007FF75F464000-memory.dmp

Filesize
3.3MB

Download
memory/868-122-0x00007FF70D940000-0x00007FF70DC94000-memory.dmp

Filesize
3.3MB

Download
memory/868-2261-0x00007FF70D940000-0x00007FF70DC94000-memory.dmp

Filesize
3.3MB

Download
memory/868-178-0x00007FF70D940000-0x00007FF70DC94000-memory.dmp

Filesize
3.3MB

Download
memory/1052-168-0x00007FF7109D0000-0x00007FF710D24000-memory.dmp

Filesize
3.3MB

Download
memory/1052-2268-0x00007FF7109D0000-0x00007FF710D24000-memory.dmp

Filesize
3.3MB

Download
memory/1052-1542-0x00007FF7109D0000-0x00007FF710D24000-memory.dmp

Filesize
3.3MB

Download
memory/1144-96-0x00007FF73C290000-0x00007FF73C5E4000-memory.dmp

Filesize
3.3MB

Download
memory/1144-2247-0x00007FF73C290000-0x00007FF73C5E4000-memory.dmp

Filesize
3.3MB

Download
memory/1144-30-0x00007FF73C290000-0x00007FF73C5E4000-memory.dmp

Filesize
3.3MB

Download
memory/1148-2252-0x00007FF6F3F20000-0x00007FF6F4274000-memory.dmp

Filesize
3.3MB

Download
memory/1148-52-0x00007FF6F3F20000-0x00007FF6F4274000-memory.dmp

Filesize
3.3MB

Download
memory/1148-123-0x00007FF6F3F20000-0x00007FF6F4274000-memory.dmp

Filesize
3.3MB

Download
memory/1168-128-0x00007FF6A06B0000-0x00007FF6A0A04000-memory.dmp

Filesize
3.3MB

Download
memory/1168-61-0x00007FF6A06B0000-0x00007FF6A0A04000-memory.dmp

Filesize
3.3MB

Download
memory/1168-2251-0x00007FF6A06B0000-0x00007FF6A0A04000-memory.dmp

Filesize
3.3MB

Download
memory/1624-67-0x00007FF6CF9C0000-0x00007FF6CFD14000-memory.dmp

Filesize
3.3MB

Download
memory/1624-8-0x00007FF6CF9C0000-0x00007FF6CFD14000-memory.dmp

Filesize
3.3MB

Download
memory/1668-100-0x00007FF6EE390000-0x00007FF6EE6E4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-38-0x00007FF6EE390000-0x00007FF6EE6E4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-2249-0x00007FF6EE390000-0x00007FF6EE6E4000-memory.dmp

Filesize
3.3MB

Download
memory/1728-1543-0x00007FF751E20000-0x00007FF752174000-memory.dmp

Filesize
3.3MB

Download
memory/1728-2269-0x00007FF751E20000-0x00007FF752174000-memory.dmp

Filesize
3.3MB

Download
memory/1728-177-0x00007FF751E20000-0x00007FF752174000-memory.dmp

Filesize
3.3MB

Download
memory/2032-2271-0x00007FF62DEF0000-0x00007FF62E244000-memory.dmp

Filesize
3.3MB

Download
memory/2032-1677-0x00007FF62DEF0000-0x00007FF62E244000-memory.dmp

Filesize
3.3MB

Download
memory/2032-182-0x00007FF62DEF0000-0x00007FF62E244000-memory.dmp

Filesize
3.3MB

Download
memory/2192-149-0x00007FF601770000-0x00007FF601AC4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-2259-0x00007FF601770000-0x00007FF601AC4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-82-0x00007FF601770000-0x00007FF601AC4000-memory.dmp

Filesize
3.3MB

Download
memory/2288-2267-0x00007FF66CD70000-0x00007FF66D0C4000-memory.dmp

Filesize
3.3MB

Download
memory/2288-133-0x00007FF66CD70000-0x00007FF66D0C4000-memory.dmp

Filesize
3.3MB

Download
memory/2288-1216-0x00007FF66CD70000-0x00007FF66D0C4000-memory.dmp

Filesize
3.3MB

Download
memory/2344-127-0x00007FF6B8770000-0x00007FF6B8AC4000-memory.dmp

Filesize
3.3MB

Download
memory/2344-2262-0x00007FF6B8770000-0x00007FF6B8AC4000-memory.dmp

Filesize
3.3MB

Download
memory/2344-187-0x00007FF6B8770000-0x00007FF6B8AC4000-memory.dmp

Filesize
3.3MB

Download
memory/2376-190-0x00007FF78DBB0000-0x00007FF78DF04000-memory.dmp

Filesize
3.3MB

Download
memory/2376-1744-0x00007FF78DBB0000-0x00007FF78DF04000-memory.dmp

Filesize
3.3MB

Download
memory/2376-2272-0x00007FF78DBB0000-0x00007FF78DF04000-memory.dmp

Filesize
3.3MB

Download
memory/2424-1490-0x00007FF754080000-0x00007FF7543D4000-memory.dmp

Filesize
3.3MB

Download
memory/2424-2263-0x00007FF754080000-0x00007FF7543D4000-memory.dmp

Filesize
3.3MB

Download
memory/2424-162-0x00007FF754080000-0x00007FF7543D4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-148-0x00007FF73B160000-0x00007FF73B4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-2265-0x00007FF73B160000-0x00007FF73B4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-1275-0x00007FF73B160000-0x00007FF73B4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2780-2264-0x00007FF601630000-0x00007FF601984000-memory.dmp

Filesize
3.3MB

Download
memory/2780-152-0x00007FF601630000-0x00007FF601984000-memory.dmp

Filesize
3.3MB

Download
memory/2780-1417-0x00007FF601630000-0x00007FF601984000-memory.dmp

Filesize
3.3MB

Download
memory/2828-2266-0x00007FF6B0C40000-0x00007FF6B0F94000-memory.dmp

Filesize
3.3MB

Download
memory/2828-143-0x00007FF6B0C40000-0x00007FF6B0F94000-memory.dmp

Filesize
3.3MB

Download
memory/2828-1217-0x00007FF6B0C40000-0x00007FF6B0F94000-memory.dmp

Filesize
3.3MB

Download
memory/3108-144-0x00007FF7DC020000-0x00007FF7DC374000-memory.dmp

Filesize
3.3MB

Download
memory/3108-2255-0x00007FF7DC020000-0x00007FF7DC374000-memory.dmp

Filesize
3.3MB

Download
memory/3108-75-0x00007FF7DC020000-0x00007FF7DC374000-memory.dmp

Filesize
3.3MB

Download
memory/3460-2254-0x00007FF7346D0000-0x00007FF734A24000-memory.dmp

Filesize
3.3MB

Download
memory/3460-68-0x00007FF7346D0000-0x00007FF734A24000-memory.dmp

Filesize
3.3MB

Download
memory/3460-139-0x00007FF7346D0000-0x00007FF734A24000-memory.dmp

Filesize
3.3MB

Download
memory/3628-2258-0x00007FF7BDC00000-0x00007FF7BDF54000-memory.dmp

Filesize
3.3MB

Download
memory/3628-91-0x00007FF7BDC00000-0x00007FF7BDF54000-memory.dmp

Filesize
3.3MB

Download
memory/3628-160-0x00007FF7BDC00000-0x00007FF7BDF54000-memory.dmp

Filesize
3.3MB

Download
memory/3836-42-0x00007FF771E00000-0x00007FF772154000-memory.dmp

Filesize
3.3MB

Download
memory/3836-2250-0x00007FF771E00000-0x00007FF772154000-memory.dmp

Filesize
3.3MB

Download
memory/3836-111-0x00007FF771E00000-0x00007FF772154000-memory.dmp

Filesize
3.3MB

Download
memory/3872-2245-0x00007FF7A3270000-0x00007FF7A35C4000-memory.dmp

Filesize
3.3MB

Download
memory/3872-74-0x00007FF7A3270000-0x00007FF7A35C4000-memory.dmp

Filesize
3.3MB

Download
memory/3872-16-0x00007FF7A3270000-0x00007FF7A35C4000-memory.dmp

Filesize
3.3MB

Download
memory/4044-2246-0x00007FF7DED40000-0x00007FF7DF094000-memory.dmp

Filesize
3.3MB

Download
memory/4044-18-0x00007FF7DED40000-0x00007FF7DF094000-memory.dmp

Filesize
3.3MB

Download
memory/4044-81-0x00007FF7DED40000-0x00007FF7DF094000-memory.dmp

Filesize
3.3MB

Download
memory/4156-88-0x00007FF7BB550000-0x00007FF7BB8A4000-memory.dmp

Filesize
3.3MB

Download
memory/4156-26-0x00007FF7BB550000-0x00007FF7BB8A4000-memory.dmp

Filesize
3.3MB

Download
memory/4156-2248-0x00007FF7BB550000-0x00007FF7BB8A4000-memory.dmp

Filesize
3.3MB

Download
memory/4232-173-0x00007FF7BF840000-0x00007FF7BFB94000-memory.dmp

Filesize
3.3MB

Download
memory/4232-105-0x00007FF7BF840000-0x00007FF7BFB94000-memory.dmp

Filesize
3.3MB

Download
memory/4232-2257-0x00007FF7BF840000-0x00007FF7BFB94000-memory.dmp

Filesize
3.3MB

Download
memory/4488-174-0x00007FF7BCCF0000-0x00007FF7BD044000-memory.dmp

Filesize
3.3MB

Download
memory/4488-115-0x00007FF7BCCF0000-0x00007FF7BD044000-memory.dmp

Filesize
3.3MB

Download
memory/4488-2260-0x00007FF7BCCF0000-0x00007FF7BD044000-memory.dmp

Filesize
3.3MB

Download
memory/4636-99-0x00007FF78D730000-0x00007FF78DA84000-memory.dmp

Filesize
3.3MB

Download
memory/4636-2256-0x00007FF78D730000-0x00007FF78DA84000-memory.dmp

Filesize
3.3MB

Download
memory/4636-161-0x00007FF78D730000-0x00007FF78DA84000-memory.dmp

Filesize
3.3MB

Download