cobaltstrike | 7b1d5f7d107c340e1000ac9fa504c5e9723469b7586d2ebe7600101bc667650b

Analysis

max time kernel
89s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
Size

6.0MB
MD5

3592bbfd8aa55377fd38ace643f863e6
SHA1

25a9babc1e6e59781cf70a41dda81ef5e0c86744
SHA256

7b1d5f7d107c340e1000ac9fa504c5e9723469b7586d2ebe7600101bc667650b
SHA512

3dcf99846579db76d36ca7975aa6c2e96e7b44d6afde374de42a3ee78581d081af3b50002caf1f89a85b16fa97f9e75401759064f0ddb289817cec5c3ce56565
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUJ:T+q56utgpPF8u/7J

Score

10^/10

cobaltstrike xmrig 0 backdoor miner persistence trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 32 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b78-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-19.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-26.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b84-34.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-36.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b86-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-53.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-54.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-64.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b79-76.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-66.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b85-43.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-83.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-90.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-97.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-108.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-123.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-128.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-142.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-114.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-155.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-161.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-164.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-168.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-175.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-205.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-207.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-202.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-201.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-190.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4324-0-0x00007FF74D1C0000-0x00007FF74D514000-memory.dmp	xmrig
behavioral2/files/0x000c000000023b78-4.dat	xmrig
behavioral2/memory/2800-6-0x00007FF76B730000-0x00007FF76BA84000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b80-12.dat	xmrig
behavioral2/files/0x000a000000023b81-19.dat	xmrig
behavioral2/memory/1992-23-0x00007FF73BEA0000-0x00007FF73C1F4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b82-26.dat	xmrig
behavioral2/files/0x0031000000023b84-34.dat	xmrig
behavioral2/files/0x000a000000023b83-36.dat	xmrig
behavioral2/files/0x0031000000023b86-41.dat	xmrig
behavioral2/files/0x000a000000023b88-53.dat	xmrig
behavioral2/files/0x000a000000023b89-54.dat	xmrig
behavioral2/files/0x000a000000023b8a-64.dat	xmrig
behavioral2/memory/3492-74-0x00007FF71ED00000-0x00007FF71F054000-memory.dmp	xmrig
behavioral2/memory/2864-78-0x00007FF63D400000-0x00007FF63D754000-memory.dmp	xmrig
behavioral2/files/0x000c000000023b79-76.dat	xmrig
behavioral2/memory/5024-75-0x00007FF739CB0000-0x00007FF73A004000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b87-66.dat	xmrig
behavioral2/memory/3048-65-0x00007FF778940000-0x00007FF778C94000-memory.dmp	xmrig
behavioral2/memory/1128-59-0x00007FF6D5800000-0x00007FF6D5B54000-memory.dmp	xmrig
behavioral2/memory/5004-56-0x00007FF6A4F00000-0x00007FF6A5254000-memory.dmp	xmrig
behavioral2/memory/3976-48-0x00007FF616050000-0x00007FF6163A4000-memory.dmp	xmrig
behavioral2/memory/456-42-0x00007FF62CE50000-0x00007FF62D1A4000-memory.dmp	xmrig
behavioral2/files/0x0031000000023b85-43.dat	xmrig
behavioral2/memory/1068-38-0x00007FF73B120000-0x00007FF73B474000-memory.dmp	xmrig
behavioral2/memory/5096-28-0x00007FF664920000-0x00007FF664C74000-memory.dmp	xmrig
behavioral2/memory/3588-15-0x00007FF6656B0000-0x00007FF665A04000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b8b-83.dat	xmrig
behavioral2/memory/4708-87-0x00007FF798980000-0x00007FF798CD4000-memory.dmp	xmrig
behavioral2/memory/4324-86-0x00007FF74D1C0000-0x00007FF74D514000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b8d-90.dat	xmrig
behavioral2/files/0x000a000000023b8e-97.dat	xmrig
behavioral2/memory/4544-99-0x00007FF6D7630000-0x00007FF6D7984000-memory.dmp	xmrig
behavioral2/memory/1992-104-0x00007FF73BEA0000-0x00007FF73C1F4000-memory.dmp	xmrig
behavioral2/memory/1260-107-0x00007FF7C2960000-0x00007FF7C2CB4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b8f-108.dat	xmrig
behavioral2/files/0x000a000000023b91-119.dat	xmrig
behavioral2/files/0x000a000000023b92-123.dat	xmrig
behavioral2/files/0x000a000000023b93-128.dat	xmrig
behavioral2/memory/212-131-0x00007FF661C30000-0x00007FF661F84000-memory.dmp	xmrig
behavioral2/memory/4828-136-0x00007FF709B10000-0x00007FF709E64000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b94-142.dat	xmrig
behavioral2/memory/1504-137-0x00007FF6657B0000-0x00007FF665B04000-memory.dmp	xmrig
behavioral2/memory/3048-135-0x00007FF778940000-0x00007FF778C94000-memory.dmp	xmrig
behavioral2/memory/5004-134-0x00007FF6A4F00000-0x00007FF6A5254000-memory.dmp	xmrig
behavioral2/memory/3976-133-0x00007FF616050000-0x00007FF6163A4000-memory.dmp	xmrig
behavioral2/memory/456-132-0x00007FF62CE50000-0x00007FF62D1A4000-memory.dmp	xmrig
behavioral2/memory/1876-130-0x00007FF6F4760000-0x00007FF6F4AB4000-memory.dmp	xmrig
behavioral2/memory/2784-126-0x00007FF6D4750000-0x00007FF6D4AA4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b90-114.dat	xmrig
behavioral2/memory/1068-113-0x00007FF73B120000-0x00007FF73B474000-memory.dmp	xmrig
behavioral2/memory/5096-105-0x00007FF664920000-0x00007FF664C74000-memory.dmp	xmrig
behavioral2/memory/3588-98-0x00007FF6656B0000-0x00007FF665A04000-memory.dmp	xmrig
behavioral2/memory/3396-94-0x00007FF703E70000-0x00007FF7041C4000-memory.dmp	xmrig
behavioral2/memory/2800-91-0x00007FF76B730000-0x00007FF76BA84000-memory.dmp	xmrig
behavioral2/memory/3492-148-0x00007FF71ED00000-0x00007FF71F054000-memory.dmp	xmrig
behavioral2/memory/644-152-0x00007FF6D6880000-0x00007FF6D6BD4000-memory.dmp	xmrig
behavioral2/memory/4956-159-0x00007FF62B180000-0x00007FF62B4D4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b95-155.dat	xmrig
behavioral2/files/0x000a000000023b96-161.dat	xmrig
behavioral2/files/0x000a000000023b97-164.dat	xmrig
behavioral2/memory/3448-163-0x00007FF780EF0000-0x00007FF781244000-memory.dmp	xmrig
behavioral2/memory/5024-150-0x00007FF739CB0000-0x00007FF73A004000-memory.dmp	xmrig
behavioral2/memory/1128-145-0x00007FF6D5800000-0x00007FF6D5B54000-memory.dmp	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
2800	zzLgfGd.exe
3588	ntdCrkf.exe
1992	FHZEmis.exe
5096	TGBCfwq.exe
1068	PEWEbId.exe
5004	gavoqyR.exe
456	EDHcWom.exe
3976	IDAopgl.exe
3492	GWDeeae.exe
1128	grNDeua.exe
3048	TYCyItq.exe
5024	UTKYbfQ.exe
2864	SyFRvsq.exe
4708	mqWShjv.exe
3396	LKgxQSC.exe
4544	BFEYZOF.exe
1260	zkjPXgJ.exe
2784	LvozGPx.exe
4828	MMkCSbz.exe
1876	JjBZKYo.exe
1504	WhjfsjO.exe
212	JPylDnb.exe
644	SVtPooj.exe
4956	obOaXrz.exe
3448	zAqoZNu.exe
3488	GJltCrw.exe
5068	wOzSmxs.exe
4780	VAsgtXE.exe
2656	SkPmuTJ.exe
3280	wxDTZtY.exe
3080	TtZEWex.exe
4460	wCEgXot.exe
4392	zQMOMyo.exe
2356	JIGdxVE.exe
1400	TklEJfN.exe
4056	OmdCuHo.exe
4496	XMskkpL.exe
2448	hTWURMz.exe
5112	xUrGQBD.exe
1944	tUfbirP.exe
4304	DXqhTCv.exe
3284	kRMzAjz.exe
4044	GfxdYgj.exe
4352	NUQlyzQ.exe
1564	LqGijWh.exe
4592	gIBrVcE.exe
2776	CaoLflw.exe
1652	QiGSZtU.exe
1820	ynlYSmN.exe
4464	KebZXOZ.exe
4952	JzvfBzD.exe
5088	gMAdLEZ.exe
2068	cZtqbik.exe
3356	dtTUnOD.exe
4296	FuRqWfV.exe
4060	jVHoUQj.exe
4448	PfLyTQG.exe
1780	AuWCEgF.exe
3060	pAsGmNH.exe
712	JWQUSvW.exe
4824	PECaFHK.exe
5052	TryplzS.exe
2436	VUqGSKZ.exe
2332	JCmoAdU.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4324-0-0x00007FF74D1C0000-0x00007FF74D514000-memory.dmp	upx
behavioral2/files/0x000c000000023b78-4.dat	upx
behavioral2/memory/2800-6-0x00007FF76B730000-0x00007FF76BA84000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-12.dat	upx
behavioral2/files/0x000a000000023b81-19.dat	upx
behavioral2/memory/1992-23-0x00007FF73BEA0000-0x00007FF73C1F4000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-26.dat	upx
behavioral2/files/0x0031000000023b84-34.dat	upx
behavioral2/files/0x000a000000023b83-36.dat	upx
behavioral2/files/0x0031000000023b86-41.dat	upx
behavioral2/files/0x000a000000023b88-53.dat	upx
behavioral2/files/0x000a000000023b89-54.dat	upx
behavioral2/files/0x000a000000023b8a-64.dat	upx
behavioral2/memory/3492-74-0x00007FF71ED00000-0x00007FF71F054000-memory.dmp	upx
behavioral2/memory/2864-78-0x00007FF63D400000-0x00007FF63D754000-memory.dmp	upx
behavioral2/files/0x000c000000023b79-76.dat	upx
behavioral2/memory/5024-75-0x00007FF739CB0000-0x00007FF73A004000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-66.dat	upx
behavioral2/memory/3048-65-0x00007FF778940000-0x00007FF778C94000-memory.dmp	upx
behavioral2/memory/1128-59-0x00007FF6D5800000-0x00007FF6D5B54000-memory.dmp	upx
behavioral2/memory/5004-56-0x00007FF6A4F00000-0x00007FF6A5254000-memory.dmp	upx
behavioral2/memory/3976-48-0x00007FF616050000-0x00007FF6163A4000-memory.dmp	upx
behavioral2/memory/456-42-0x00007FF62CE50000-0x00007FF62D1A4000-memory.dmp	upx
behavioral2/files/0x0031000000023b85-43.dat	upx
behavioral2/memory/1068-38-0x00007FF73B120000-0x00007FF73B474000-memory.dmp	upx
behavioral2/memory/5096-28-0x00007FF664920000-0x00007FF664C74000-memory.dmp	upx
behavioral2/memory/3588-15-0x00007FF6656B0000-0x00007FF665A04000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-83.dat	upx
behavioral2/memory/4708-87-0x00007FF798980000-0x00007FF798CD4000-memory.dmp	upx
behavioral2/memory/4324-86-0x00007FF74D1C0000-0x00007FF74D514000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-90.dat	upx
behavioral2/files/0x000a000000023b8e-97.dat	upx
behavioral2/memory/4544-99-0x00007FF6D7630000-0x00007FF6D7984000-memory.dmp	upx
behavioral2/memory/1992-104-0x00007FF73BEA0000-0x00007FF73C1F4000-memory.dmp	upx
behavioral2/memory/1260-107-0x00007FF7C2960000-0x00007FF7C2CB4000-memory.dmp	upx
behavioral2/files/0x000a000000023b8f-108.dat	upx
behavioral2/files/0x000a000000023b91-119.dat	upx
behavioral2/files/0x000a000000023b92-123.dat	upx
behavioral2/files/0x000a000000023b93-128.dat	upx
behavioral2/memory/212-131-0x00007FF661C30000-0x00007FF661F84000-memory.dmp	upx
behavioral2/memory/4828-136-0x00007FF709B10000-0x00007FF709E64000-memory.dmp	upx
behavioral2/files/0x000a000000023b94-142.dat	upx
behavioral2/memory/1504-137-0x00007FF6657B0000-0x00007FF665B04000-memory.dmp	upx
behavioral2/memory/3048-135-0x00007FF778940000-0x00007FF778C94000-memory.dmp	upx
behavioral2/memory/5004-134-0x00007FF6A4F00000-0x00007FF6A5254000-memory.dmp	upx
behavioral2/memory/3976-133-0x00007FF616050000-0x00007FF6163A4000-memory.dmp	upx
behavioral2/memory/456-132-0x00007FF62CE50000-0x00007FF62D1A4000-memory.dmp	upx
behavioral2/memory/1876-130-0x00007FF6F4760000-0x00007FF6F4AB4000-memory.dmp	upx
behavioral2/memory/2784-126-0x00007FF6D4750000-0x00007FF6D4AA4000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-114.dat	upx
behavioral2/memory/1068-113-0x00007FF73B120000-0x00007FF73B474000-memory.dmp	upx
behavioral2/memory/5096-105-0x00007FF664920000-0x00007FF664C74000-memory.dmp	upx
behavioral2/memory/3588-98-0x00007FF6656B0000-0x00007FF665A04000-memory.dmp	upx
behavioral2/memory/3396-94-0x00007FF703E70000-0x00007FF7041C4000-memory.dmp	upx
behavioral2/memory/2800-91-0x00007FF76B730000-0x00007FF76BA84000-memory.dmp	upx
behavioral2/memory/3492-148-0x00007FF71ED00000-0x00007FF71F054000-memory.dmp	upx
behavioral2/memory/644-152-0x00007FF6D6880000-0x00007FF6D6BD4000-memory.dmp	upx
behavioral2/memory/4956-159-0x00007FF62B180000-0x00007FF62B4D4000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-155.dat	upx
behavioral2/files/0x000a000000023b96-161.dat	upx
behavioral2/files/0x000a000000023b97-164.dat	upx
behavioral2/memory/3448-163-0x00007FF780EF0000-0x00007FF781244000-memory.dmp	upx
behavioral2/memory/5024-150-0x00007FF739CB0000-0x00007FF73A004000-memory.dmp	upx
behavioral2/memory/1128-145-0x00007FF6D5800000-0x00007FF6D5B54000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\qUsNSnT.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TTRqcLv.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XhpQjCl.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Pmuksub.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hKBRSPA.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ncIrToJ.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DGZFgsC.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gZzrZDJ.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gavoqyR.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CkoJFEM.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RxpnrqW.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rREmulz.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IDomVBW.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qIHRhRU.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bnGdUzI.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CvnBciY.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gxOFdta.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\imaggeB.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NkjfKSX.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aoGUdQZ.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BNAgRtW.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XOXpOHf.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FfaJdcD.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tVSKPya.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sivqBot.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nADDQzp.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vnEfBGK.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZZNrqZF.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XEpaecG.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OmBtjwt.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bcxqFyL.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vsdoZjj.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fqFQiaT.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WoWIvGr.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WzDDHZk.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WQXgTNQ.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iFCzqBO.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ynlYSmN.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\muQcwjo.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XPcIrTs.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pDLtwtf.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OnQBjRD.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XySvDzn.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fjnFRdJ.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KxlnyLa.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oprVPFs.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ctxZcGY.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PECaFHK.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rsPOpUD.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DigCsaD.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MwbcGZz.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UrBVCAM.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KmuRNsu.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KXItndp.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qHCmLic.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MKGPSXm.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RbCgvYF.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\foLFWmA.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AuWCEgF.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\voGenro.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\keaTgZY.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aXfjEbf.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lmADnPL.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wFDDKQH.exe	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Anywhere;Trailing"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech Recognition Engine - de-DE Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 aa 000a ae 000b ah 000c ao 000d aw 000e ax 000f ay 0010 b 0011 ch 0012 d 0013 dh 0014 eh 0015 er 0016 ey 0017 f 0018 g 0019 h 001a ih 001b iy 001c jh 001d k 001e l 001f m 0020 n 0021 ng 0022 ow 0023 oy 0024 p 0025 r 0026 s 0027 sh 0028 t 0029 th 002a uh 002b uw 002c v 002d w 002e y 002f z 0030 zh 0031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "407"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech Recognition Engine - fr-FR Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR ja-JP Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\tn1041.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\MSTTSLocjaJP.dat"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR fr-FR Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\r1036sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\sidubm.table"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{14E74C62-DC97-43B0-8F2F-581496A65D60}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "411"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "You have selected %1 as the default voice."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Paul"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\MSTTSLocdeDE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{179F3D56-1B0B-42B2-A962-59B7EF59FE1B}"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{0936EDE4-27D4-42CF-91C4-A36329C7DFDC}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\c1033.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Ayumi"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Traditional Chinese Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR de-DE Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech HW Voice Activation - Italian (Italy)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Discrete;Continuous"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Hedda"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Vous avez sélectionné %1 comme voix par défaut."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\L1040"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "French Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "L1031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\tn1040.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{15E16AEC-F2F0-4E52-B0DF-029D11E58E4B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech HW Voice Activation - English (United States)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Spanish Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR en-US Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\sidubm.table"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	14968	explorer.exe
Token: SeCreatePagefilePrivilege	14968	explorer.exe
Token: SeShutdownPrivilege	14968	explorer.exe
Token: SeCreatePagefilePrivilege	14968	explorer.exe
Token: SeShutdownPrivilege	14968	explorer.exe
Token: SeCreatePagefilePrivilege	14968	explorer.exe
Token: SeShutdownPrivilege	14968	explorer.exe
Token: SeCreatePagefilePrivilege	14968	explorer.exe
Token: SeShutdownPrivilege	14968	explorer.exe
Token: SeCreatePagefilePrivilege	14968	explorer.exe
Token: SeShutdownPrivilege	14968	explorer.exe
Token: SeCreatePagefilePrivilege	14968	explorer.exe
Token: SeShutdownPrivilege	14968	explorer.exe
Token: SeCreatePagefilePrivilege	14968	explorer.exe
Token: SeShutdownPrivilege	5252	explorer.exe
Token: SeCreatePagefilePrivilege	5252	explorer.exe
Token: SeShutdownPrivilege	5252	explorer.exe
Token: SeCreatePagefilePrivilege	5252	explorer.exe
Token: SeShutdownPrivilege	5252	explorer.exe
Token: SeCreatePagefilePrivilege	5252	explorer.exe
Token: SeShutdownPrivilege	5252	explorer.exe
Token: SeCreatePagefilePrivilege	5252	explorer.exe
Token: SeShutdownPrivilege	5252	explorer.exe
Token: SeCreatePagefilePrivilege	5252	explorer.exe
Token: SeShutdownPrivilege	5252	explorer.exe
Token: SeCreatePagefilePrivilege	5252	explorer.exe
Token: SeShutdownPrivilege	5252	explorer.exe
Token: SeCreatePagefilePrivilege	5252	explorer.exe
Token: SeShutdownPrivilege	5252	explorer.exe
Token: SeCreatePagefilePrivilege	5252	explorer.exe
Token: SeShutdownPrivilege	5252	explorer.exe
Token: SeCreatePagefilePrivilege	5252	explorer.exe
Token: SeShutdownPrivilege	5252	explorer.exe
Token: SeCreatePagefilePrivilege	5252	explorer.exe
Token: SeShutdownPrivilege	5252	explorer.exe
Token: SeCreatePagefilePrivilege	5252	explorer.exe
Token: SeShutdownPrivilege	5252	explorer.exe
Token: SeCreatePagefilePrivilege	5252	explorer.exe
Token: SeShutdownPrivilege	5252	explorer.exe
Token: SeCreatePagefilePrivilege	5252	explorer.exe
Token: SeShutdownPrivilege	5252	explorer.exe
Token: SeCreatePagefilePrivilege	5252	explorer.exe
Token: SeShutdownPrivilege	5252	explorer.exe
Token: SeCreatePagefilePrivilege	5252	explorer.exe
Token: SeShutdownPrivilege	9752	explorer.exe
Token: SeCreatePagefilePrivilege	9752	explorer.exe
Token: SeShutdownPrivilege	9752	explorer.exe
Token: SeCreatePagefilePrivilege	9752	explorer.exe
Token: SeShutdownPrivilege	9752	explorer.exe
Token: SeCreatePagefilePrivilege	9752	explorer.exe
Token: SeShutdownPrivilege	9752	explorer.exe
Token: SeCreatePagefilePrivilege	9752	explorer.exe
Token: SeShutdownPrivilege	9752	explorer.exe
Token: SeCreatePagefilePrivilege	9752	explorer.exe
Token: SeShutdownPrivilege	9752	explorer.exe
Token: SeCreatePagefilePrivilege	9752	explorer.exe
Token: SeShutdownPrivilege	9752	explorer.exe
Token: SeCreatePagefilePrivilege	9752	explorer.exe
Token: SeShutdownPrivilege	9752	explorer.exe
Token: SeCreatePagefilePrivilege	9752	explorer.exe
Token: SeShutdownPrivilege	9752	explorer.exe
Token: SeCreatePagefilePrivilege	9752	explorer.exe
Token: SeShutdownPrivilege	9752	explorer.exe
Token: SeCreatePagefilePrivilege	9752	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
13748	sihost.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
14968	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
5252	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
9752	explorer.exe
1284	explorer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
5492	StartMenuExperienceHost.exe
6168	StartMenuExperienceHost.exe
6640	SearchApp.exe
2540	StartMenuExperienceHost.exe
4964	SearchApp.exe
5616	StartMenuExperienceHost.exe
4108	SearchApp.exe
10748	StartMenuExperienceHost.exe
7156	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 2800	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4324 wrote to memory of 2800	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4324 wrote to memory of 3588	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4324 wrote to memory of 3588	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4324 wrote to memory of 1992	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4324 wrote to memory of 1992	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4324 wrote to memory of 5096	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4324 wrote to memory of 5096	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4324 wrote to memory of 1068	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4324 wrote to memory of 1068	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4324 wrote to memory of 5004	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4324 wrote to memory of 5004	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4324 wrote to memory of 456	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4324 wrote to memory of 456	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4324 wrote to memory of 3976	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4324 wrote to memory of 3976	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4324 wrote to memory of 3492	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4324 wrote to memory of 3492	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4324 wrote to memory of 1128	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4324 wrote to memory of 1128	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4324 wrote to memory of 3048	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4324 wrote to memory of 3048	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4324 wrote to memory of 5024	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4324 wrote to memory of 5024	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4324 wrote to memory of 2864	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4324 wrote to memory of 2864	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4324 wrote to memory of 4708	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4324 wrote to memory of 4708	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4324 wrote to memory of 3396	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4324 wrote to memory of 3396	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4324 wrote to memory of 4544	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4324 wrote to memory of 4544	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4324 wrote to memory of 1260	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4324 wrote to memory of 1260	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4324 wrote to memory of 2784	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4324 wrote to memory of 2784	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4324 wrote to memory of 4828	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4324 wrote to memory of 4828	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4324 wrote to memory of 1876	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4324 wrote to memory of 1876	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4324 wrote to memory of 1504	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4324 wrote to memory of 1504	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4324 wrote to memory of 212	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4324 wrote to memory of 212	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4324 wrote to memory of 644	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4324 wrote to memory of 644	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4324 wrote to memory of 4956	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4324 wrote to memory of 4956	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4324 wrote to memory of 3448	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4324 wrote to memory of 3448	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4324 wrote to memory of 3488	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 4324 wrote to memory of 3488	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 4324 wrote to memory of 5068	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 4324 wrote to memory of 5068	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 4324 wrote to memory of 4780	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 4324 wrote to memory of 4780	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 4324 wrote to memory of 2656	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 4324 wrote to memory of 2656	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 4324 wrote to memory of 3280	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 4324 wrote to memory of 3280	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 4324 wrote to memory of 3080	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 4324 wrote to memory of 3080	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 4324 wrote to memory of 4460	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 4324 wrote to memory of 4460	4324	2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-27_3592bbfd8aa55377fd38ace643f863e6_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\System\zzLgfGd.exe
  C:\Windows\System\zzLgfGd.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\ntdCrkf.exe
  C:\Windows\System\ntdCrkf.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System\FHZEmis.exe
  C:\Windows\System\FHZEmis.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System\TGBCfwq.exe
  C:\Windows\System\TGBCfwq.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System\PEWEbId.exe
  C:\Windows\System\PEWEbId.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\gavoqyR.exe
  C:\Windows\System\gavoqyR.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\EDHcWom.exe
  C:\Windows\System\EDHcWom.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System\IDAopgl.exe
  C:\Windows\System\IDAopgl.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\GWDeeae.exe
  C:\Windows\System\GWDeeae.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System\grNDeua.exe
  C:\Windows\System\grNDeua.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System\TYCyItq.exe
  C:\Windows\System\TYCyItq.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\UTKYbfQ.exe
  C:\Windows\System\UTKYbfQ.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\SyFRvsq.exe
  C:\Windows\System\SyFRvsq.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\mqWShjv.exe
  C:\Windows\System\mqWShjv.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System\LKgxQSC.exe
  C:\Windows\System\LKgxQSC.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System\BFEYZOF.exe
  C:\Windows\System\BFEYZOF.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\zkjPXgJ.exe
  C:\Windows\System\zkjPXgJ.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System\LvozGPx.exe
  C:\Windows\System\LvozGPx.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\MMkCSbz.exe
  C:\Windows\System\MMkCSbz.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\JjBZKYo.exe
  C:\Windows\System\JjBZKYo.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\WhjfsjO.exe
  C:\Windows\System\WhjfsjO.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\JPylDnb.exe
  C:\Windows\System\JPylDnb.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\SVtPooj.exe
  C:\Windows\System\SVtPooj.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\System\obOaXrz.exe
  C:\Windows\System\obOaXrz.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\zAqoZNu.exe
  C:\Windows\System\zAqoZNu.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\GJltCrw.exe
  C:\Windows\System\GJltCrw.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System\wOzSmxs.exe
  C:\Windows\System\wOzSmxs.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\VAsgtXE.exe
  C:\Windows\System\VAsgtXE.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\SkPmuTJ.exe
  C:\Windows\System\SkPmuTJ.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\wxDTZtY.exe
  C:\Windows\System\wxDTZtY.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System\TtZEWex.exe
  C:\Windows\System\TtZEWex.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System\wCEgXot.exe
  C:\Windows\System\wCEgXot.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\zQMOMyo.exe
  C:\Windows\System\zQMOMyo.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\JIGdxVE.exe
  C:\Windows\System\JIGdxVE.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\TklEJfN.exe
  C:\Windows\System\TklEJfN.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\OmdCuHo.exe
  C:\Windows\System\OmdCuHo.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\XMskkpL.exe
  C:\Windows\System\XMskkpL.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\hTWURMz.exe
  C:\Windows\System\hTWURMz.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\xUrGQBD.exe
  C:\Windows\System\xUrGQBD.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\tUfbirP.exe
  C:\Windows\System\tUfbirP.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\DXqhTCv.exe
  C:\Windows\System\DXqhTCv.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\kRMzAjz.exe
  C:\Windows\System\kRMzAjz.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System\GfxdYgj.exe
  C:\Windows\System\GfxdYgj.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System\NUQlyzQ.exe
  C:\Windows\System\NUQlyzQ.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\LqGijWh.exe
  C:\Windows\System\LqGijWh.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\gIBrVcE.exe
  C:\Windows\System\gIBrVcE.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\CaoLflw.exe
  C:\Windows\System\CaoLflw.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\QiGSZtU.exe
  C:\Windows\System\QiGSZtU.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\ynlYSmN.exe
  C:\Windows\System\ynlYSmN.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\KebZXOZ.exe
  C:\Windows\System\KebZXOZ.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\JzvfBzD.exe
  C:\Windows\System\JzvfBzD.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\gMAdLEZ.exe
  C:\Windows\System\gMAdLEZ.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\cZtqbik.exe
  C:\Windows\System\cZtqbik.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\dtTUnOD.exe
  C:\Windows\System\dtTUnOD.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\FuRqWfV.exe
  C:\Windows\System\FuRqWfV.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System\jVHoUQj.exe
  C:\Windows\System\jVHoUQj.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\PfLyTQG.exe
  C:\Windows\System\PfLyTQG.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System\AuWCEgF.exe
  C:\Windows\System\AuWCEgF.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System\pAsGmNH.exe
  C:\Windows\System\pAsGmNH.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\JWQUSvW.exe
  C:\Windows\System\JWQUSvW.exe
  2⤵
  - Executes dropped EXE
  PID:712
- C:\Windows\System\PECaFHK.exe
  C:\Windows\System\PECaFHK.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System\TryplzS.exe
  C:\Windows\System\TryplzS.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\VUqGSKZ.exe
  C:\Windows\System\VUqGSKZ.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\JCmoAdU.exe
  C:\Windows\System\JCmoAdU.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\jMNwpGL.exe
  C:\Windows\System\jMNwpGL.exe
  2⤵
  PID:2188
- C:\Windows\System\ZJQCPHi.exe
  C:\Windows\System\ZJQCPHi.exe
  2⤵
  PID:2532
- C:\Windows\System\xTKIjga.exe
  C:\Windows\System\xTKIjga.exe
  2⤵
  PID:3064
- C:\Windows\System\gfRpLob.exe
  C:\Windows\System\gfRpLob.exe
  2⤵
  PID:916
- C:\Windows\System\NtOrZKp.exe
  C:\Windows\System\NtOrZKp.exe
  2⤵
  PID:1480
- C:\Windows\System\AZtEvlO.exe
  C:\Windows\System\AZtEvlO.exe
  2⤵
  PID:4776
- C:\Windows\System\wweMkBQ.exe
  C:\Windows\System\wweMkBQ.exe
  2⤵
  PID:4836
- C:\Windows\System\UqNKYRk.exe
  C:\Windows\System\UqNKYRk.exe
  2⤵
  PID:3936
- C:\Windows\System\LtCCstV.exe
  C:\Windows\System\LtCCstV.exe
  2⤵
  PID:4136
- C:\Windows\System\lGdTzev.exe
  C:\Windows\System\lGdTzev.exe
  2⤵
  PID:2324
- C:\Windows\System\zcDmPIX.exe
  C:\Windows\System\zcDmPIX.exe
  2⤵
  PID:1756
- C:\Windows\System\jzdvcqE.exe
  C:\Windows\System\jzdvcqE.exe
  2⤵
  PID:392
- C:\Windows\System\DdkKetJ.exe
  C:\Windows\System\DdkKetJ.exe
  2⤵
  PID:3560
- C:\Windows\System\NvVGhcA.exe
  C:\Windows\System\NvVGhcA.exe
  2⤵
  PID:3040
- C:\Windows\System\xMSPTxN.exe
  C:\Windows\System\xMSPTxN.exe
  2⤵
  PID:5056
- C:\Windows\System\jRSgath.exe
  C:\Windows\System\jRSgath.exe
  2⤵
  PID:1296
- C:\Windows\System\vZVYaYU.exe
  C:\Windows\System\vZVYaYU.exe
  2⤵
  PID:4048
- C:\Windows\System\WygnbAb.exe
  C:\Windows\System\WygnbAb.exe
  2⤵
  PID:224
- C:\Windows\System\eiQshOp.exe
  C:\Windows\System\eiQshOp.exe
  2⤵
  PID:4868
- C:\Windows\System\bwwXotJ.exe
  C:\Windows\System\bwwXotJ.exe
  2⤵
  PID:4632
- C:\Windows\System\qUsNSnT.exe
  C:\Windows\System\qUsNSnT.exe
  2⤵
  PID:2680
- C:\Windows\System\REuOBCd.exe
  C:\Windows\System\REuOBCd.exe
  2⤵
  PID:3276
- C:\Windows\System\XAaaftY.exe
  C:\Windows\System\XAaaftY.exe
  2⤵
  PID:556
- C:\Windows\System\MxQAImg.exe
  C:\Windows\System\MxQAImg.exe
  2⤵
  PID:4932
- C:\Windows\System\VNLvQxU.exe
  C:\Windows\System\VNLvQxU.exe
  2⤵
  PID:3672
- C:\Windows\System\VxvyEKN.exe
  C:\Windows\System\VxvyEKN.exe
  2⤵
  PID:4128
- C:\Windows\System\qaiaTPw.exe
  C:\Windows\System\qaiaTPw.exe
  2⤵
  PID:2336
- C:\Windows\System\gCJNSrL.exe
  C:\Windows\System\gCJNSrL.exe
  2⤵
  PID:3128
- C:\Windows\System\amXzayy.exe
  C:\Windows\System\amXzayy.exe
  2⤵
  PID:1900
- C:\Windows\System\UsLZmrz.exe
  C:\Windows\System\UsLZmrz.exe
  2⤵
  PID:3436
- C:\Windows\System\xjwwFwZ.exe
  C:\Windows\System\xjwwFwZ.exe
  2⤵
  PID:3724
- C:\Windows\System\JQKuLVq.exe
  C:\Windows\System\JQKuLVq.exe
  2⤵
  PID:1088
- C:\Windows\System\BgOOScj.exe
  C:\Windows\System\BgOOScj.exe
  2⤵
  PID:968
- C:\Windows\System\lFWrJmp.exe
  C:\Windows\System\lFWrJmp.exe
  2⤵
  PID:700
- C:\Windows\System\KFfHBHh.exe
  C:\Windows\System\KFfHBHh.exe
  2⤵
  PID:1512
- C:\Windows\System\IMpFkQb.exe
  C:\Windows\System\IMpFkQb.exe
  2⤵
  PID:2508
- C:\Windows\System\NsEDMrP.exe
  C:\Windows\System\NsEDMrP.exe
  2⤵
  PID:4444
- C:\Windows\System\OPRoFkV.exe
  C:\Windows\System\OPRoFkV.exe
  2⤵
  PID:1052
- C:\Windows\System\UfIdvCZ.exe
  C:\Windows\System\UfIdvCZ.exe
  2⤵
  PID:964
- C:\Windows\System\YYUiJiM.exe
  C:\Windows\System\YYUiJiM.exe
  2⤵
  PID:1284
- C:\Windows\System\rLXYtMp.exe
  C:\Windows\System\rLXYtMp.exe
  2⤵
  PID:3216
- C:\Windows\System\avTPSXQ.exe
  C:\Windows\System\avTPSXQ.exe
  2⤵
  PID:5148
- C:\Windows\System\muQcwjo.exe
  C:\Windows\System\muQcwjo.exe
  2⤵
  PID:5244
- C:\Windows\System\elhffCX.exe
  C:\Windows\System\elhffCX.exe
  2⤵
  PID:5276
- C:\Windows\System\qSuwKpN.exe
  C:\Windows\System\qSuwKpN.exe
  2⤵
  PID:5324
- C:\Windows\System\fPOFlkk.exe
  C:\Windows\System\fPOFlkk.exe
  2⤵
  PID:5368
- C:\Windows\System\dgiOkhf.exe
  C:\Windows\System\dgiOkhf.exe
  2⤵
  PID:5420
- C:\Windows\System\PZzRvMI.exe
  C:\Windows\System\PZzRvMI.exe
  2⤵
  PID:5448
- C:\Windows\System\DhwSTOO.exe
  C:\Windows\System\DhwSTOO.exe
  2⤵
  PID:5480
- C:\Windows\System\TirCXhw.exe
  C:\Windows\System\TirCXhw.exe
  2⤵
  PID:5508
- C:\Windows\System\tWUXnUP.exe
  C:\Windows\System\tWUXnUP.exe
  2⤵
  PID:5536
- C:\Windows\System\jxaEbLr.exe
  C:\Windows\System\jxaEbLr.exe
  2⤵
  PID:5564
- C:\Windows\System\BjNXehl.exe
  C:\Windows\System\BjNXehl.exe
  2⤵
  PID:5592
- C:\Windows\System\tVSKPya.exe
  C:\Windows\System\tVSKPya.exe
  2⤵
  PID:5620
- C:\Windows\System\ALIvlAV.exe
  C:\Windows\System\ALIvlAV.exe
  2⤵
  PID:5648
- C:\Windows\System\xsiXXFq.exe
  C:\Windows\System\xsiXXFq.exe
  2⤵
  PID:5668
- C:\Windows\System\shRDKLG.exe
  C:\Windows\System\shRDKLG.exe
  2⤵
  PID:5684
- C:\Windows\System\zxLTIUs.exe
  C:\Windows\System\zxLTIUs.exe
  2⤵
  PID:5736
- C:\Windows\System\TTRqcLv.exe
  C:\Windows\System\TTRqcLv.exe
  2⤵
  PID:5764
- C:\Windows\System\beikPOs.exe
  C:\Windows\System\beikPOs.exe
  2⤵
  PID:5796
- C:\Windows\System\qIHRhRU.exe
  C:\Windows\System\qIHRhRU.exe
  2⤵
  PID:5816
- C:\Windows\System\CkoJFEM.exe
  C:\Windows\System\CkoJFEM.exe
  2⤵
  PID:5852
- C:\Windows\System\MqZywVJ.exe
  C:\Windows\System\MqZywVJ.exe
  2⤵
  PID:5880
- C:\Windows\System\DcuedpR.exe
  C:\Windows\System\DcuedpR.exe
  2⤵
  PID:5908
- C:\Windows\System\dcehhEf.exe
  C:\Windows\System\dcehhEf.exe
  2⤵
  PID:5936
- C:\Windows\System\xjMCyiF.exe
  C:\Windows\System\xjMCyiF.exe
  2⤵
  PID:5964
- C:\Windows\System\CmVgCLc.exe
  C:\Windows\System\CmVgCLc.exe
  2⤵
  PID:5992
- C:\Windows\System\LtBeECH.exe
  C:\Windows\System\LtBeECH.exe
  2⤵
  PID:6020
- C:\Windows\System\DQZJicl.exe
  C:\Windows\System\DQZJicl.exe
  2⤵
  PID:6048
- C:\Windows\System\rNIdduk.exe
  C:\Windows\System\rNIdduk.exe
  2⤵
  PID:6076
- C:\Windows\System\OmBtjwt.exe
  C:\Windows\System\OmBtjwt.exe
  2⤵
  PID:6104
- C:\Windows\System\ZDTXfCv.exe
  C:\Windows\System\ZDTXfCv.exe
  2⤵
  PID:6132
- C:\Windows\System\efsoKXH.exe
  C:\Windows\System\efsoKXH.exe
  2⤵
  PID:5216
- C:\Windows\System\voGenro.exe
  C:\Windows\System\voGenro.exe
  2⤵
  PID:5316
- C:\Windows\System\wBwZRHk.exe
  C:\Windows\System\wBwZRHk.exe
  2⤵
  PID:5432
- C:\Windows\System\UDHXAHi.exe
  C:\Windows\System\UDHXAHi.exe
  2⤵
  PID:640
- C:\Windows\System\siISpfv.exe
  C:\Windows\System\siISpfv.exe
  2⤵
  PID:4644
- C:\Windows\System\rsPOpUD.exe
  C:\Windows\System\rsPOpUD.exe
  2⤵
  PID:5544
- C:\Windows\System\CNkTTWZ.exe
  C:\Windows\System\CNkTTWZ.exe
  2⤵
  PID:5608
- C:\Windows\System\OglSIJF.exe
  C:\Windows\System\OglSIJF.exe
  2⤵
  PID:5676
- C:\Windows\System\BXAiZdJ.exe
  C:\Windows\System\BXAiZdJ.exe
  2⤵
  PID:5664
- C:\Windows\System\tjZyeuc.exe
  C:\Windows\System\tjZyeuc.exe
  2⤵
  PID:5804
- C:\Windows\System\RqjSDVb.exe
  C:\Windows\System\RqjSDVb.exe
  2⤵
  PID:5872
- C:\Windows\System\IZTvPVP.exe
  C:\Windows\System\IZTvPVP.exe
  2⤵
  PID:5924
- C:\Windows\System\zVDdHuY.exe
  C:\Windows\System\zVDdHuY.exe
  2⤵
  PID:6000
- C:\Windows\System\XhpQjCl.exe
  C:\Windows\System\XhpQjCl.exe
  2⤵
  PID:6056
- C:\Windows\System\SkmFABL.exe
  C:\Windows\System\SkmFABL.exe
  2⤵
  PID:6128
- C:\Windows\System\JakRapc.exe
  C:\Windows\System\JakRapc.exe
  2⤵
  PID:5352
- C:\Windows\System\xZnWrbw.exe
  C:\Windows\System\xZnWrbw.exe
  2⤵
  PID:5176
- C:\Windows\System\AfnGeFo.exe
  C:\Windows\System\AfnGeFo.exe
  2⤵
  PID:5600
- C:\Windows\System\YwSqaFg.exe
  C:\Windows\System\YwSqaFg.exe
  2⤵
  PID:5708
- C:\Windows\System\ybxcsIr.exe
  C:\Windows\System\ybxcsIr.exe
  2⤵
  PID:5888
- C:\Windows\System\ECtfxui.exe
  C:\Windows\System\ECtfxui.exe
  2⤵
  PID:6036
- C:\Windows\System\XPcIrTs.exe
  C:\Windows\System\XPcIrTs.exe
  2⤵
  PID:1136
- C:\Windows\System\KmuRNsu.exe
  C:\Windows\System\KmuRNsu.exe
  2⤵
  PID:5524
- C:\Windows\System\XlyDhZT.exe
  C:\Windows\System\XlyDhZT.exe
  2⤵
  PID:5932
- C:\Windows\System\ZFycvvv.exe
  C:\Windows\System\ZFycvvv.exe
  2⤵
  PID:5416
- C:\Windows\System\nsiUzUu.exe
  C:\Windows\System\nsiUzUu.exe
  2⤵
  PID:5456
- C:\Windows\System\JhjMHEk.exe
  C:\Windows\System\JhjMHEk.exe
  2⤵
  PID:6148
- C:\Windows\System\FSRCaLj.exe
  C:\Windows\System\FSRCaLj.exe
  2⤵
  PID:6188
- C:\Windows\System\jGdQGVn.exe
  C:\Windows\System\jGdQGVn.exe
  2⤵
  PID:6216
- C:\Windows\System\CbaehyU.exe
  C:\Windows\System\CbaehyU.exe
  2⤵
  PID:6248
- C:\Windows\System\Cfwwmwg.exe
  C:\Windows\System\Cfwwmwg.exe
  2⤵
  PID:6280
- C:\Windows\System\verFWRt.exe
  C:\Windows\System\verFWRt.exe
  2⤵
  PID:6340
- C:\Windows\System\lkHUjJF.exe
  C:\Windows\System\lkHUjJF.exe
  2⤵
  PID:6400
- C:\Windows\System\skbGQAB.exe
  C:\Windows\System\skbGQAB.exe
  2⤵
  PID:6432
- C:\Windows\System\kaczjLZ.exe
  C:\Windows\System\kaczjLZ.exe
  2⤵
  PID:6460
- C:\Windows\System\LLFuUWE.exe
  C:\Windows\System\LLFuUWE.exe
  2⤵
  PID:6492
- C:\Windows\System\Gorenhl.exe
  C:\Windows\System\Gorenhl.exe
  2⤵
  PID:6520
- C:\Windows\System\cuesJbG.exe
  C:\Windows\System\cuesJbG.exe
  2⤵
  PID:6548
- C:\Windows\System\YJsKifw.exe
  C:\Windows\System\YJsKifw.exe
  2⤵
  PID:6576
- C:\Windows\System\SqJjnzc.exe
  C:\Windows\System\SqJjnzc.exe
  2⤵
  PID:6604
- C:\Windows\System\neFllBI.exe
  C:\Windows\System\neFllBI.exe
  2⤵
  PID:6632
- C:\Windows\System\pRtPSFT.exe
  C:\Windows\System\pRtPSFT.exe
  2⤵
  PID:6660
- C:\Windows\System\mLAuElC.exe
  C:\Windows\System\mLAuElC.exe
  2⤵
  PID:6688
- C:\Windows\System\WKREEoe.exe
  C:\Windows\System\WKREEoe.exe
  2⤵
  PID:6716
- C:\Windows\System\KXiwgkZ.exe
  C:\Windows\System\KXiwgkZ.exe
  2⤵
  PID:6744
- C:\Windows\System\RKdJATH.exe
  C:\Windows\System\RKdJATH.exe
  2⤵
  PID:6772
- C:\Windows\System\LZmxKjX.exe
  C:\Windows\System\LZmxKjX.exe
  2⤵
  PID:6800
- C:\Windows\System\VuKulCY.exe
  C:\Windows\System\VuKulCY.exe
  2⤵
  PID:6824
- C:\Windows\System\TkzFaxl.exe
  C:\Windows\System\TkzFaxl.exe
  2⤵
  PID:6852
- C:\Windows\System\HOqSKPE.exe
  C:\Windows\System\HOqSKPE.exe
  2⤵
  PID:6884
- C:\Windows\System\NUcGlyX.exe
  C:\Windows\System\NUcGlyX.exe
  2⤵
  PID:6944
- C:\Windows\System\cKcRxug.exe
  C:\Windows\System\cKcRxug.exe
  2⤵
  PID:6976
- C:\Windows\System\CpJSvWW.exe
  C:\Windows\System\CpJSvWW.exe
  2⤵
  PID:7008
- C:\Windows\System\cdOePfQ.exe
  C:\Windows\System\cdOePfQ.exe
  2⤵
  PID:7044
- C:\Windows\System\SBncGyT.exe
  C:\Windows\System\SBncGyT.exe
  2⤵
  PID:7100
- C:\Windows\System\GoRKoNi.exe
  C:\Windows\System\GoRKoNi.exe
  2⤵
  PID:7136
- C:\Windows\System\jZvTdwY.exe
  C:\Windows\System\jZvTdwY.exe
  2⤵
  PID:7164
- C:\Windows\System\UbhxLKw.exe
  C:\Windows\System\UbhxLKw.exe
  2⤵
  PID:6208
- C:\Windows\System\XHGrAmB.exe
  C:\Windows\System\XHGrAmB.exe
  2⤵
  PID:6276
- C:\Windows\System\FHUPpOH.exe
  C:\Windows\System\FHUPpOH.exe
  2⤵
  PID:6388
- C:\Windows\System\FdAWFKd.exe
  C:\Windows\System\FdAWFKd.exe
  2⤵
  PID:6360
- C:\Windows\System\cZZnsxc.exe
  C:\Windows\System\cZZnsxc.exe
  2⤵
  PID:6448
- C:\Windows\System\frrLHan.exe
  C:\Windows\System\frrLHan.exe
  2⤵
  PID:6508
- C:\Windows\System\OCygrnx.exe
  C:\Windows\System\OCygrnx.exe
  2⤵
  PID:6600
- C:\Windows\System\IKSCdnB.exe
  C:\Windows\System\IKSCdnB.exe
  2⤵
  PID:6668
- C:\Windows\System\SPBddPk.exe
  C:\Windows\System\SPBddPk.exe
  2⤵
  PID:6740
- C:\Windows\System\ZdArJqV.exe
  C:\Windows\System\ZdArJqV.exe
  2⤵
  PID:6788
- C:\Windows\System\MbtwKOe.exe
  C:\Windows\System\MbtwKOe.exe
  2⤵
  PID:6840
- C:\Windows\System\mkGJuYk.exe
  C:\Windows\System\mkGJuYk.exe
  2⤵
  PID:6896
- C:\Windows\System\AZpktBj.exe
  C:\Windows\System\AZpktBj.exe
  2⤵
  PID:6956
- C:\Windows\System\ynlfrta.exe
  C:\Windows\System\ynlfrta.exe
  2⤵
  PID:7032
- C:\Windows\System\OoKHOAo.exe
  C:\Windows\System\OoKHOAo.exe
  2⤵
  PID:7120
- C:\Windows\System\mAFiSRU.exe
  C:\Windows\System\mAFiSRU.exe
  2⤵
  PID:7064
- C:\Windows\System\dLolQfQ.exe
  C:\Windows\System\dLolQfQ.exe
  2⤵
  PID:5972
- C:\Windows\System\sgLHDcw.exe
  C:\Windows\System\sgLHDcw.exe
  2⤵
  PID:4704
- C:\Windows\System\AGVACbI.exe
  C:\Windows\System\AGVACbI.exe
  2⤵
  PID:6376
- C:\Windows\System\FdbpWlV.exe
  C:\Windows\System\FdbpWlV.exe
  2⤵
  PID:6584
- C:\Windows\System\QOzMilG.exe
  C:\Windows\System\QOzMilG.exe
  2⤵
  PID:6712
- C:\Windows\System\bnGdUzI.exe
  C:\Windows\System\bnGdUzI.exe
  2⤵
  PID:6872
- C:\Windows\System\nhhtMEB.exe
  C:\Windows\System\nhhtMEB.exe
  2⤵
  PID:7028
- C:\Windows\System\PWrzzUt.exe
  C:\Windows\System\PWrzzUt.exe
  2⤵
  PID:7076
- C:\Windows\System\UbcpeFs.exe
  C:\Windows\System\UbcpeFs.exe
  2⤵
  PID:6204
- C:\Windows\System\KQURJws.exe
  C:\Windows\System\KQURJws.exe
  2⤵
  PID:6368
- C:\Windows\System\fNJXvUd.exe
  C:\Windows\System\fNJXvUd.exe
  2⤵
  PID:6760
- C:\Windows\System\KlUeHRd.exe
  C:\Windows\System\KlUeHRd.exe
  2⤵
  PID:7084
- C:\Windows\System\gucEFVD.exe
  C:\Windows\System\gucEFVD.exe
  2⤵
  PID:6256
- C:\Windows\System\dNJrqfd.exe
  C:\Windows\System\dNJrqfd.exe
  2⤵
  PID:2832
- C:\Windows\System\WYfjiFw.exe
  C:\Windows\System\WYfjiFw.exe
  2⤵
  PID:6952
- C:\Windows\System\vdPiGsq.exe
  C:\Windows\System\vdPiGsq.exe
  2⤵
  PID:7180
- C:\Windows\System\dBlIbRL.exe
  C:\Windows\System\dBlIbRL.exe
  2⤵
  PID:7196
- C:\Windows\System\cvYYEGI.exe
  C:\Windows\System\cvYYEGI.exe
  2⤵
  PID:7232
- C:\Windows\System\wwEwOEg.exe
  C:\Windows\System\wwEwOEg.exe
  2⤵
  PID:7264
- C:\Windows\System\CBPRrIu.exe
  C:\Windows\System\CBPRrIu.exe
  2⤵
  PID:7304
- C:\Windows\System\BjYhWCx.exe
  C:\Windows\System\BjYhWCx.exe
  2⤵
  PID:7368
- C:\Windows\System\CyIFmhB.exe
  C:\Windows\System\CyIFmhB.exe
  2⤵
  PID:7452
- C:\Windows\System\XfwDmYN.exe
  C:\Windows\System\XfwDmYN.exe
  2⤵
  PID:7492
- C:\Windows\System\yhHpjQD.exe
  C:\Windows\System\yhHpjQD.exe
  2⤵
  PID:7512
- C:\Windows\System\jmFwTIV.exe
  C:\Windows\System\jmFwTIV.exe
  2⤵
  PID:7552
- C:\Windows\System\RRnURiB.exe
  C:\Windows\System\RRnURiB.exe
  2⤵
  PID:7596
- C:\Windows\System\GdRaOAL.exe
  C:\Windows\System\GdRaOAL.exe
  2⤵
  PID:7648
- C:\Windows\System\igNXwlt.exe
  C:\Windows\System\igNXwlt.exe
  2⤵
  PID:7680
- C:\Windows\System\UtORegh.exe
  C:\Windows\System\UtORegh.exe
  2⤵
  PID:7704
- C:\Windows\System\EHVXdTW.exe
  C:\Windows\System\EHVXdTW.exe
  2⤵
  PID:7736
- C:\Windows\System\mhAUBDL.exe
  C:\Windows\System\mhAUBDL.exe
  2⤵
  PID:7764
- C:\Windows\System\hcfRnmn.exe
  C:\Windows\System\hcfRnmn.exe
  2⤵
  PID:7792
- C:\Windows\System\XBlzDtl.exe
  C:\Windows\System\XBlzDtl.exe
  2⤵
  PID:7828
- C:\Windows\System\IWcMcid.exe
  C:\Windows\System\IWcMcid.exe
  2⤵
  PID:7852
- C:\Windows\System\iTXJBCH.exe
  C:\Windows\System\iTXJBCH.exe
  2⤵
  PID:7884
- C:\Windows\System\sKyXccy.exe
  C:\Windows\System\sKyXccy.exe
  2⤵
  PID:7912
- C:\Windows\System\HfAdtzJ.exe
  C:\Windows\System\HfAdtzJ.exe
  2⤵
  PID:7936
- C:\Windows\System\cioYXIu.exe
  C:\Windows\System\cioYXIu.exe
  2⤵
  PID:7964
- C:\Windows\System\cusLyDK.exe
  C:\Windows\System\cusLyDK.exe
  2⤵
  PID:7996
- C:\Windows\System\NzxRGot.exe
  C:\Windows\System\NzxRGot.exe
  2⤵
  PID:8028
- C:\Windows\System\jpyxIuX.exe
  C:\Windows\System\jpyxIuX.exe
  2⤵
  PID:8048
- C:\Windows\System\AEpsxIK.exe
  C:\Windows\System\AEpsxIK.exe
  2⤵
  PID:8080
- C:\Windows\System\keaTgZY.exe
  C:\Windows\System\keaTgZY.exe
  2⤵
  PID:8104
- C:\Windows\System\rJFbYkD.exe
  C:\Windows\System\rJFbYkD.exe
  2⤵
  PID:8136
- C:\Windows\System\NuwNRwm.exe
  C:\Windows\System\NuwNRwm.exe
  2⤵
  PID:8160
- C:\Windows\System\bcxqFyL.exe
  C:\Windows\System\bcxqFyL.exe
  2⤵
  PID:8188
- C:\Windows\System\RGdufxy.exe
  C:\Windows\System\RGdufxy.exe
  2⤵
  PID:7260
- C:\Windows\System\vuPWCjr.exe
  C:\Windows\System\vuPWCjr.exe
  2⤵
  PID:7360
- C:\Windows\System\RxpnrqW.exe
  C:\Windows\System\RxpnrqW.exe
  2⤵
  PID:7448
- C:\Windows\System\NRUVQya.exe
  C:\Windows\System\NRUVQya.exe
  2⤵
  PID:7532
- C:\Windows\System\ZOzCmpC.exe
  C:\Windows\System\ZOzCmpC.exe
  2⤵
  PID:7604
- C:\Windows\System\sYuGjdk.exe
  C:\Windows\System\sYuGjdk.exe
  2⤵
  PID:7696
- C:\Windows\System\ANjrwmm.exe
  C:\Windows\System\ANjrwmm.exe
  2⤵
  PID:7732
- C:\Windows\System\zNpDnFj.exe
  C:\Windows\System\zNpDnFj.exe
  2⤵
  PID:7688
- C:\Windows\System\cAkDfwb.exe
  C:\Windows\System\cAkDfwb.exe
  2⤵
  PID:7816
- C:\Windows\System\JpoSAlO.exe
  C:\Windows\System\JpoSAlO.exe
  2⤵
  PID:7872
- C:\Windows\System\BtiuaHk.exe
  C:\Windows\System\BtiuaHk.exe
  2⤵
  PID:7932
- C:\Windows\System\IDFYIaR.exe
  C:\Windows\System\IDFYIaR.exe
  2⤵
  PID:8012
- C:\Windows\System\aXfjEbf.exe
  C:\Windows\System\aXfjEbf.exe
  2⤵
  PID:8156
- C:\Windows\System\xtpHtWu.exe
  C:\Windows\System\xtpHtWu.exe
  2⤵
  PID:7400
- C:\Windows\System\MXzjXlt.exe
  C:\Windows\System\MXzjXlt.exe
  2⤵
  PID:7724
- C:\Windows\System\MNqJMmh.exe
  C:\Windows\System\MNqJMmh.exe
  2⤵
  PID:7900
- C:\Windows\System\yqoUyLA.exe
  C:\Windows\System\yqoUyLA.exe
  2⤵
  PID:7988
- C:\Windows\System\dqjaWLc.exe
  C:\Windows\System\dqjaWLc.exe
  2⤵
  PID:7240
- C:\Windows\System\KApnlRV.exe
  C:\Windows\System\KApnlRV.exe
  2⤵
  PID:6908
- C:\Windows\System\lwQCzfV.exe
  C:\Windows\System\lwQCzfV.exe
  2⤵
  PID:6912
- C:\Windows\System\mbTJyvx.exe
  C:\Windows\System\mbTJyvx.exe
  2⤵
  PID:7960
- C:\Windows\System\jmNkjdp.exe
  C:\Windows\System\jmNkjdp.exe
  2⤵
  PID:7020
- C:\Windows\System\HziUKCR.exe
  C:\Windows\System\HziUKCR.exe
  2⤵
  PID:7292
- C:\Windows\System\UvOzuDa.exe
  C:\Windows\System\UvOzuDa.exe
  2⤵
  PID:8212
- C:\Windows\System\BSPocLQ.exe
  C:\Windows\System\BSPocLQ.exe
  2⤵
  PID:8240
- C:\Windows\System\QbulAys.exe
  C:\Windows\System\QbulAys.exe
  2⤵
  PID:8268
- C:\Windows\System\EJjjAkT.exe
  C:\Windows\System\EJjjAkT.exe
  2⤵
  PID:8296
- C:\Windows\System\qXkrhun.exe
  C:\Windows\System\qXkrhun.exe
  2⤵
  PID:8324
- C:\Windows\System\OnwQaix.exe
  C:\Windows\System\OnwQaix.exe
  2⤵
  PID:8352
- C:\Windows\System\cNRQbNQ.exe
  C:\Windows\System\cNRQbNQ.exe
  2⤵
  PID:8388
- C:\Windows\System\cFXdDxI.exe
  C:\Windows\System\cFXdDxI.exe
  2⤵
  PID:8412
- C:\Windows\System\PbSmPMB.exe
  C:\Windows\System\PbSmPMB.exe
  2⤵
  PID:8440
- C:\Windows\System\mxOSuuA.exe
  C:\Windows\System\mxOSuuA.exe
  2⤵
  PID:8468
- C:\Windows\System\sivqBot.exe
  C:\Windows\System\sivqBot.exe
  2⤵
  PID:8496
- C:\Windows\System\YsJAivz.exe
  C:\Windows\System\YsJAivz.exe
  2⤵
  PID:8524
- C:\Windows\System\NznsEDq.exe
  C:\Windows\System\NznsEDq.exe
  2⤵
  PID:8560
- C:\Windows\System\VPjsiYA.exe
  C:\Windows\System\VPjsiYA.exe
  2⤵
  PID:8580
- C:\Windows\System\dgolCih.exe
  C:\Windows\System\dgolCih.exe
  2⤵
  PID:8608
- C:\Windows\System\SXxxIZE.exe
  C:\Windows\System\SXxxIZE.exe
  2⤵
  PID:8636
- C:\Windows\System\lmADnPL.exe
  C:\Windows\System\lmADnPL.exe
  2⤵
  PID:8668
- C:\Windows\System\jpSMNvh.exe
  C:\Windows\System\jpSMNvh.exe
  2⤵
  PID:8696
- C:\Windows\System\quSDGly.exe
  C:\Windows\System\quSDGly.exe
  2⤵
  PID:8720
- C:\Windows\System\DHUFyNt.exe
  C:\Windows\System\DHUFyNt.exe
  2⤵
  PID:8748
- C:\Windows\System\wanxaZt.exe
  C:\Windows\System\wanxaZt.exe
  2⤵
  PID:8776
- C:\Windows\System\ojkjAsT.exe
  C:\Windows\System\ojkjAsT.exe
  2⤵
  PID:8820
- C:\Windows\System\LqRnCQs.exe
  C:\Windows\System\LqRnCQs.exe
  2⤵
  PID:8836
- C:\Windows\System\rBheLyO.exe
  C:\Windows\System\rBheLyO.exe
  2⤵
  PID:8868
- C:\Windows\System\AxViNNa.exe
  C:\Windows\System\AxViNNa.exe
  2⤵
  PID:8904
- C:\Windows\System\TjxUnCe.exe
  C:\Windows\System\TjxUnCe.exe
  2⤵
  PID:8928
- C:\Windows\System\SeMOfNI.exe
  C:\Windows\System\SeMOfNI.exe
  2⤵
  PID:8948
- C:\Windows\System\uULfbQj.exe
  C:\Windows\System\uULfbQj.exe
  2⤵
  PID:9000
- C:\Windows\System\aDztbLs.exe
  C:\Windows\System\aDztbLs.exe
  2⤵
  PID:9020
- C:\Windows\System\SgpUozW.exe
  C:\Windows\System\SgpUozW.exe
  2⤵
  PID:9052
- C:\Windows\System\PWqlTTN.exe
  C:\Windows\System\PWqlTTN.exe
  2⤵
  PID:9080
- C:\Windows\System\kwyKbZV.exe
  C:\Windows\System\kwyKbZV.exe
  2⤵
  PID:9108
- C:\Windows\System\vsdoZjj.exe
  C:\Windows\System\vsdoZjj.exe
  2⤵
  PID:9136
- C:\Windows\System\ZYTwdgQ.exe
  C:\Windows\System\ZYTwdgQ.exe
  2⤵
  PID:9164
- C:\Windows\System\xKaFbSy.exe
  C:\Windows\System\xKaFbSy.exe
  2⤵
  PID:9192
- C:\Windows\System\UucnwKW.exe
  C:\Windows\System\UucnwKW.exe
  2⤵
  PID:7460
- C:\Windows\System\cVwWLPd.exe
  C:\Windows\System\cVwWLPd.exe
  2⤵
  PID:8236
- C:\Windows\System\DigCsaD.exe
  C:\Windows\System\DigCsaD.exe
  2⤵
  PID:8308
- C:\Windows\System\TuXKMuw.exe
  C:\Windows\System\TuXKMuw.exe
  2⤵
  PID:8376
- C:\Windows\System\Bkdcosl.exe
  C:\Windows\System\Bkdcosl.exe
  2⤵
  PID:8436
- C:\Windows\System\WnrGFsY.exe
  C:\Windows\System\WnrGFsY.exe
  2⤵
  PID:8508
- C:\Windows\System\dGmJsWC.exe
  C:\Windows\System\dGmJsWC.exe
  2⤵
  PID:8568
- C:\Windows\System\BObWPEM.exe
  C:\Windows\System\BObWPEM.exe
  2⤵
  PID:7504
- C:\Windows\System\uJhgeCA.exe
  C:\Windows\System\uJhgeCA.exe
  2⤵
  PID:8684
- C:\Windows\System\TmcuHxv.exe
  C:\Windows\System\TmcuHxv.exe
  2⤵
  PID:8744
- C:\Windows\System\wYKWZFW.exe
  C:\Windows\System\wYKWZFW.exe
  2⤵
  PID:8800
- C:\Windows\System\gttFMzq.exe
  C:\Windows\System\gttFMzq.exe
  2⤵
  PID:8880
- C:\Windows\System\iBAvkKB.exe
  C:\Windows\System\iBAvkKB.exe
  2⤵
  PID:8944
- C:\Windows\System\dqyPkjQ.exe
  C:\Windows\System\dqyPkjQ.exe
  2⤵
  PID:2384
- C:\Windows\System\fjnFRdJ.exe
  C:\Windows\System\fjnFRdJ.exe
  2⤵
  PID:2268
- C:\Windows\System\Igtjxtg.exe
  C:\Windows\System\Igtjxtg.exe
  2⤵
  PID:400
- C:\Windows\System\pwwvycM.exe
  C:\Windows\System\pwwvycM.exe
  2⤵
  PID:9044
- C:\Windows\System\LfEgmxB.exe
  C:\Windows\System\LfEgmxB.exe
  2⤵
  PID:9128
- C:\Windows\System\szsizzC.exe
  C:\Windows\System\szsizzC.exe
  2⤵
  PID:9184
- C:\Windows\System\wRexvon.exe
  C:\Windows\System\wRexvon.exe
  2⤵
  PID:8232
- C:\Windows\System\eIMawLp.exe
  C:\Windows\System\eIMawLp.exe
  2⤵
  PID:8404
- C:\Windows\System\JjvQGJK.exe
  C:\Windows\System\JjvQGJK.exe
  2⤵
  PID:8544
- C:\Windows\System\nfMDgbq.exe
  C:\Windows\System\nfMDgbq.exe
  2⤵
  PID:8676
- C:\Windows\System\sAPsQIG.exe
  C:\Windows\System\sAPsQIG.exe
  2⤵
  PID:8848
- C:\Windows\System\nADDQzp.exe
  C:\Windows\System\nADDQzp.exe
  2⤵
  PID:2924
- C:\Windows\System\NfQRMbW.exe
  C:\Windows\System\NfQRMbW.exe
  2⤵
  PID:8996
- C:\Windows\System\mgcwyBJ.exe
  C:\Windows\System\mgcwyBJ.exe
  2⤵
  PID:9100
- C:\Windows\System\iaNSwsk.exe
  C:\Windows\System\iaNSwsk.exe
  2⤵
  PID:8292
- C:\Windows\System\FQgqmNS.exe
  C:\Windows\System\FQgqmNS.exe
  2⤵
  PID:8648
- C:\Windows\System\bCVegOC.exe
  C:\Windows\System\bCVegOC.exe
  2⤵
  PID:840
- C:\Windows\System\wZsWnjg.exe
  C:\Windows\System\wZsWnjg.exe
  2⤵
  PID:9176
- C:\Windows\System\sQFgVrs.exe
  C:\Windows\System\sQFgVrs.exe
  2⤵
  PID:8912
- C:\Windows\System\FJoJSwR.exe
  C:\Windows\System\FJoJSwR.exe
  2⤵
  PID:8796
- C:\Windows\System\yrVYhRG.exe
  C:\Windows\System\yrVYhRG.exe
  2⤵
  PID:9232
- C:\Windows\System\UZAiyCS.exe
  C:\Windows\System\UZAiyCS.exe
  2⤵
  PID:9260
- C:\Windows\System\EoPFalz.exe
  C:\Windows\System\EoPFalz.exe
  2⤵
  PID:9288
- C:\Windows\System\fhSLeUq.exe
  C:\Windows\System\fhSLeUq.exe
  2⤵
  PID:9316
- C:\Windows\System\MPwSZmj.exe
  C:\Windows\System\MPwSZmj.exe
  2⤵
  PID:9344
- C:\Windows\System\qkyZAmg.exe
  C:\Windows\System\qkyZAmg.exe
  2⤵
  PID:9372
- C:\Windows\System\gDDPkyT.exe
  C:\Windows\System\gDDPkyT.exe
  2⤵
  PID:9400
- C:\Windows\System\fdeWEdv.exe
  C:\Windows\System\fdeWEdv.exe
  2⤵
  PID:9428
- C:\Windows\System\JkoLaEF.exe
  C:\Windows\System\JkoLaEF.exe
  2⤵
  PID:9456
- C:\Windows\System\SxhMDNZ.exe
  C:\Windows\System\SxhMDNZ.exe
  2⤵
  PID:9484
- C:\Windows\System\BcmXQFg.exe
  C:\Windows\System\BcmXQFg.exe
  2⤵
  PID:9512
- C:\Windows\System\yveOOtY.exe
  C:\Windows\System\yveOOtY.exe
  2⤵
  PID:9540
- C:\Windows\System\nOHGkQg.exe
  C:\Windows\System\nOHGkQg.exe
  2⤵
  PID:9568
- C:\Windows\System\wumsKyQ.exe
  C:\Windows\System\wumsKyQ.exe
  2⤵
  PID:9596
- C:\Windows\System\NDNPjcj.exe
  C:\Windows\System\NDNPjcj.exe
  2⤵
  PID:9624
- C:\Windows\System\XmJlqBN.exe
  C:\Windows\System\XmJlqBN.exe
  2⤵
  PID:9652
- C:\Windows\System\jJQhIhx.exe
  C:\Windows\System\jJQhIhx.exe
  2⤵
  PID:9680
- C:\Windows\System\pVXBPTp.exe
  C:\Windows\System\pVXBPTp.exe
  2⤵
  PID:9708
- C:\Windows\System\UmjKYEm.exe
  C:\Windows\System\UmjKYEm.exe
  2⤵
  PID:9736
- C:\Windows\System\wYkQurR.exe
  C:\Windows\System\wYkQurR.exe
  2⤵
  PID:9768
- C:\Windows\System\GPylZhU.exe
  C:\Windows\System\GPylZhU.exe
  2⤵
  PID:9804
- C:\Windows\System\Eugvzmx.exe
  C:\Windows\System\Eugvzmx.exe
  2⤵
  PID:9824
- C:\Windows\System\OQFAKnj.exe
  C:\Windows\System\OQFAKnj.exe
  2⤵
  PID:9852
- C:\Windows\System\xZyxaIt.exe
  C:\Windows\System\xZyxaIt.exe
  2⤵
  PID:9880
- C:\Windows\System\Rzzmwti.exe
  C:\Windows\System\Rzzmwti.exe
  2⤵
  PID:9908
- C:\Windows\System\MKGPSXm.exe
  C:\Windows\System\MKGPSXm.exe
  2⤵
  PID:9936
- C:\Windows\System\KNAjpXV.exe
  C:\Windows\System\KNAjpXV.exe
  2⤵
  PID:9964
- C:\Windows\System\DaPEixO.exe
  C:\Windows\System\DaPEixO.exe
  2⤵
  PID:9992
- C:\Windows\System\CqyJXUd.exe
  C:\Windows\System\CqyJXUd.exe
  2⤵
  PID:10020
- C:\Windows\System\akRcEKN.exe
  C:\Windows\System\akRcEKN.exe
  2⤵
  PID:10048
- C:\Windows\System\YFLbZii.exe
  C:\Windows\System\YFLbZii.exe
  2⤵
  PID:10076
- C:\Windows\System\BeXgqKU.exe
  C:\Windows\System\BeXgqKU.exe
  2⤵
  PID:10104
- C:\Windows\System\MALebZA.exe
  C:\Windows\System\MALebZA.exe
  2⤵
  PID:10132
- C:\Windows\System\AOJrARv.exe
  C:\Windows\System\AOJrARv.exe
  2⤵
  PID:10160
- C:\Windows\System\RiuRiEd.exe
  C:\Windows\System\RiuRiEd.exe
  2⤵
  PID:10188
- C:\Windows\System\vJiJbRG.exe
  C:\Windows\System\vJiJbRG.exe
  2⤵
  PID:10216
- C:\Windows\System\UysDFnz.exe
  C:\Windows\System\UysDFnz.exe
  2⤵
  PID:9224
- C:\Windows\System\dkRPLTx.exe
  C:\Windows\System\dkRPLTx.exe
  2⤵
  PID:9284
- C:\Windows\System\ObXMlGO.exe
  C:\Windows\System\ObXMlGO.exe
  2⤵
  PID:9356
- C:\Windows\System\UwYYTtO.exe
  C:\Windows\System\UwYYTtO.exe
  2⤵
  PID:9424
- C:\Windows\System\XtRyhEn.exe
  C:\Windows\System\XtRyhEn.exe
  2⤵
  PID:9496
- C:\Windows\System\mWAKAEk.exe
  C:\Windows\System\mWAKAEk.exe
  2⤵
  PID:9536
- C:\Windows\System\hYmgbmN.exe
  C:\Windows\System\hYmgbmN.exe
  2⤵
  PID:9608
- C:\Windows\System\vhEpAvC.exe
  C:\Windows\System\vhEpAvC.exe
  2⤵
  PID:9672
- C:\Windows\System\WgPxSbf.exe
  C:\Windows\System\WgPxSbf.exe
  2⤵
  PID:9732
- C:\Windows\System\WtrXSbK.exe
  C:\Windows\System\WtrXSbK.exe
  2⤵
  PID:9812
- C:\Windows\System\FjSAJrz.exe
  C:\Windows\System\FjSAJrz.exe
  2⤵
  PID:9872
- C:\Windows\System\ROwPAdz.exe
  C:\Windows\System\ROwPAdz.exe
  2⤵
  PID:9932
- C:\Windows\System\qtIvCNN.exe
  C:\Windows\System\qtIvCNN.exe
  2⤵
  PID:10004
- C:\Windows\System\HbxPSFf.exe
  C:\Windows\System\HbxPSFf.exe
  2⤵
  PID:10096
- C:\Windows\System\jChdEqb.exe
  C:\Windows\System\jChdEqb.exe
  2⤵
  PID:10152
- C:\Windows\System\KKRHvbe.exe
  C:\Windows\System\KKRHvbe.exe
  2⤵
  PID:10212
- C:\Windows\System\IRvEZOY.exe
  C:\Windows\System\IRvEZOY.exe
  2⤵
  PID:9336
- C:\Windows\System\FphWKXR.exe
  C:\Windows\System\FphWKXR.exe
  2⤵
  PID:9524
- C:\Windows\System\cKkXyyO.exe
  C:\Windows\System\cKkXyyO.exe
  2⤵
  PID:9648
- C:\Windows\System\ZOnLyRU.exe
  C:\Windows\System\ZOnLyRU.exe
  2⤵
  PID:9764
- C:\Windows\System\vnEfBGK.exe
  C:\Windows\System\vnEfBGK.exe
  2⤵
  PID:9920
- C:\Windows\System\ayBFoNi.exe
  C:\Windows\System\ayBFoNi.exe
  2⤵
  PID:10072
- C:\Windows\System\SwOUDwU.exe
  C:\Windows\System\SwOUDwU.exe
  2⤵
  PID:10208
- C:\Windows\System\WlBhvOc.exe
  C:\Windows\System\WlBhvOc.exe
  2⤵
  PID:9448
- C:\Windows\System\kqICjKj.exe
  C:\Windows\System\kqICjKj.exe
  2⤵
  PID:9728
- C:\Windows\System\Pmuksub.exe
  C:\Windows\System\Pmuksub.exe
  2⤵
  PID:10032
- C:\Windows\System\qqUsvqW.exe
  C:\Windows\System\qqUsvqW.exe
  2⤵
  PID:9312
- C:\Windows\System\PQeVSLb.exe
  C:\Windows\System\PQeVSLb.exe
  2⤵
  PID:9900
- C:\Windows\System\PKQYqAg.exe
  C:\Windows\System\PKQYqAg.exe
  2⤵
  PID:9836
- C:\Windows\System\YrjZCMy.exe
  C:\Windows\System\YrjZCMy.exe
  2⤵
  PID:10256
- C:\Windows\System\MJLeXZO.exe
  C:\Windows\System\MJLeXZO.exe
  2⤵
  PID:10284
- C:\Windows\System\UMRGCge.exe
  C:\Windows\System\UMRGCge.exe
  2⤵
  PID:10312
- C:\Windows\System\PCJnozf.exe
  C:\Windows\System\PCJnozf.exe
  2⤵
  PID:10340
- C:\Windows\System\DpISFzD.exe
  C:\Windows\System\DpISFzD.exe
  2⤵
  PID:10368
- C:\Windows\System\bELNAim.exe
  C:\Windows\System\bELNAim.exe
  2⤵
  PID:10396
- C:\Windows\System\HZWEhju.exe
  C:\Windows\System\HZWEhju.exe
  2⤵
  PID:10424
- C:\Windows\System\rhyRXyr.exe
  C:\Windows\System\rhyRXyr.exe
  2⤵
  PID:10452
- C:\Windows\System\pDLtwtf.exe
  C:\Windows\System\pDLtwtf.exe
  2⤵
  PID:10480
- C:\Windows\System\eSNdwfa.exe
  C:\Windows\System\eSNdwfa.exe
  2⤵
  PID:10508
- C:\Windows\System\ckaUtcZ.exe
  C:\Windows\System\ckaUtcZ.exe
  2⤵
  PID:10536
- C:\Windows\System\fKOuOfd.exe
  C:\Windows\System\fKOuOfd.exe
  2⤵
  PID:10564
- C:\Windows\System\NkjfKSX.exe
  C:\Windows\System\NkjfKSX.exe
  2⤵
  PID:10592
- C:\Windows\System\WUcLUel.exe
  C:\Windows\System\WUcLUel.exe
  2⤵
  PID:10620
- C:\Windows\System\gbQwSWo.exe
  C:\Windows\System\gbQwSWo.exe
  2⤵
  PID:10652
- C:\Windows\System\jWrkyZU.exe
  C:\Windows\System\jWrkyZU.exe
  2⤵
  PID:10680
- C:\Windows\System\cvuQzQY.exe
  C:\Windows\System\cvuQzQY.exe
  2⤵
  PID:10708
- C:\Windows\System\eIjcQQR.exe
  C:\Windows\System\eIjcQQR.exe
  2⤵
  PID:10740
- C:\Windows\System\oIPsMrh.exe
  C:\Windows\System\oIPsMrh.exe
  2⤵
  PID:10764
- C:\Windows\System\HxyKxoP.exe
  C:\Windows\System\HxyKxoP.exe
  2⤵
  PID:10792
- C:\Windows\System\ekMlBlX.exe
  C:\Windows\System\ekMlBlX.exe
  2⤵
  PID:10820
- C:\Windows\System\wiZYnuP.exe
  C:\Windows\System\wiZYnuP.exe
  2⤵
  PID:10848
- C:\Windows\System\CsyyXcq.exe
  C:\Windows\System\CsyyXcq.exe
  2⤵
  PID:10876
- C:\Windows\System\dwAGzKk.exe
  C:\Windows\System\dwAGzKk.exe
  2⤵
  PID:10904
- C:\Windows\System\kDfoaQg.exe
  C:\Windows\System\kDfoaQg.exe
  2⤵
  PID:10932
- C:\Windows\System\SuAItHk.exe
  C:\Windows\System\SuAItHk.exe
  2⤵
  PID:10960
- C:\Windows\System\hjtAtrd.exe
  C:\Windows\System\hjtAtrd.exe
  2⤵
  PID:10988
- C:\Windows\System\isboCIS.exe
  C:\Windows\System\isboCIS.exe
  2⤵
  PID:11016
- C:\Windows\System\QScroTi.exe
  C:\Windows\System\QScroTi.exe
  2⤵
  PID:11044
- C:\Windows\System\udIaDID.exe
  C:\Windows\System\udIaDID.exe
  2⤵
  PID:11072
- C:\Windows\System\LjEYYhS.exe
  C:\Windows\System\LjEYYhS.exe
  2⤵
  PID:11100
- C:\Windows\System\JqxSWsm.exe
  C:\Windows\System\JqxSWsm.exe
  2⤵
  PID:11128
- C:\Windows\System\UKtoFXd.exe
  C:\Windows\System\UKtoFXd.exe
  2⤵
  PID:11156
- C:\Windows\System\jYvzPuZ.exe
  C:\Windows\System\jYvzPuZ.exe
  2⤵
  PID:11184
- C:\Windows\System\XHDPrFR.exe
  C:\Windows\System\XHDPrFR.exe
  2⤵
  PID:11212
- C:\Windows\System\wJRsuxE.exe
  C:\Windows\System\wJRsuxE.exe
  2⤵
  PID:11240
- C:\Windows\System\iEywSPU.exe
  C:\Windows\System\iEywSPU.exe
  2⤵
  PID:10248
- C:\Windows\System\akOPHHO.exe
  C:\Windows\System\akOPHHO.exe
  2⤵
  PID:10308
- C:\Windows\System\iIonjaH.exe
  C:\Windows\System\iIonjaH.exe
  2⤵
  PID:3776
- C:\Windows\System\KCgyxMb.exe
  C:\Windows\System\KCgyxMb.exe
  2⤵
  PID:4268
- C:\Windows\System\KxmIXpD.exe
  C:\Windows\System\KxmIXpD.exe
  2⤵
  PID:10436
- C:\Windows\System\qiIhltf.exe
  C:\Windows\System\qiIhltf.exe
  2⤵
  PID:10500
- C:\Windows\System\vSNjqXN.exe
  C:\Windows\System\vSNjqXN.exe
  2⤵
  PID:10560
- C:\Windows\System\OGLjkJD.exe
  C:\Windows\System\OGLjkJD.exe
  2⤵
  PID:10632
- C:\Windows\System\qZiwlwn.exe
  C:\Windows\System\qZiwlwn.exe
  2⤵
  PID:10692
- C:\Windows\System\innjvkF.exe
  C:\Windows\System\innjvkF.exe
  2⤵
  PID:10756
- C:\Windows\System\LOOFVOW.exe
  C:\Windows\System\LOOFVOW.exe
  2⤵
  PID:10816
- C:\Windows\System\qBiKVNU.exe
  C:\Windows\System\qBiKVNU.exe
  2⤵
  PID:10896
- C:\Windows\System\qnalWYJ.exe
  C:\Windows\System\qnalWYJ.exe
  2⤵
  PID:10956
- C:\Windows\System\oJFNAAz.exe
  C:\Windows\System\oJFNAAz.exe
  2⤵
  PID:11028
- C:\Windows\System\KfRqSlF.exe
  C:\Windows\System\KfRqSlF.exe
  2⤵
  PID:11092
- C:\Windows\System\CvnBciY.exe
  C:\Windows\System\CvnBciY.exe
  2⤵
  PID:11152
- C:\Windows\System\fqFQiaT.exe
  C:\Windows\System\fqFQiaT.exe
  2⤵
  PID:11224
- C:\Windows\System\wEwvlmr.exe
  C:\Windows\System\wEwvlmr.exe
  2⤵
  PID:10296
- C:\Windows\System\DqoGKvL.exe
  C:\Windows\System\DqoGKvL.exe
  2⤵
  PID:10364
- C:\Windows\System\UKzsAOC.exe
  C:\Windows\System\UKzsAOC.exe
  2⤵
  PID:10528
- C:\Windows\System\YrOyRvx.exe
  C:\Windows\System\YrOyRvx.exe
  2⤵
  PID:10672
- C:\Windows\System\OEMcIoS.exe
  C:\Windows\System\OEMcIoS.exe
  2⤵
  PID:10812
- C:\Windows\System\xbWpANg.exe
  C:\Windows\System\xbWpANg.exe
  2⤵
  PID:11008
- C:\Windows\System\UmPTmhC.exe
  C:\Windows\System\UmPTmhC.exe
  2⤵
  PID:11148
- C:\Windows\System\jxiYwKG.exe
  C:\Windows\System\jxiYwKG.exe
  2⤵
  PID:10640
- C:\Windows\System\HDrWFPS.exe
  C:\Windows\System\HDrWFPS.exe
  2⤵
  PID:10664
- C:\Windows\System\twWVATZ.exe
  C:\Windows\System\twWVATZ.exe
  2⤵
  PID:10952
- C:\Windows\System\QaEfDqK.exe
  C:\Windows\System\QaEfDqK.exe
  2⤵
  PID:1244
- C:\Windows\System\TqJJrBm.exe
  C:\Windows\System\TqJJrBm.exe
  2⤵
  PID:4008
- C:\Windows\System\cMZtcZk.exe
  C:\Windows\System\cMZtcZk.exe
  2⤵
  PID:10888
- C:\Windows\System\kUHTGzj.exe
  C:\Windows\System\kUHTGzj.exe
  2⤵
  PID:1496
- C:\Windows\System\gNeuXul.exe
  C:\Windows\System\gNeuXul.exe
  2⤵
  PID:11284
- C:\Windows\System\kAEvpMy.exe
  C:\Windows\System\kAEvpMy.exe
  2⤵
  PID:11300
- C:\Windows\System\oNishsy.exe
  C:\Windows\System\oNishsy.exe
  2⤵
  PID:11332
- C:\Windows\System\oWnNchR.exe
  C:\Windows\System\oWnNchR.exe
  2⤵
  PID:11368
- C:\Windows\System\FTearnF.exe
  C:\Windows\System\FTearnF.exe
  2⤵
  PID:11404
- C:\Windows\System\eCtUevr.exe
  C:\Windows\System\eCtUevr.exe
  2⤵
  PID:11444
- C:\Windows\System\nfKfwas.exe
  C:\Windows\System\nfKfwas.exe
  2⤵
  PID:11472
- C:\Windows\System\BoLbNkt.exe
  C:\Windows\System\BoLbNkt.exe
  2⤵
  PID:11500
- C:\Windows\System\SqMwwYB.exe
  C:\Windows\System\SqMwwYB.exe
  2⤵
  PID:11528
- C:\Windows\System\gxOFdta.exe
  C:\Windows\System\gxOFdta.exe
  2⤵
  PID:11556
- C:\Windows\System\iSGFihl.exe
  C:\Windows\System\iSGFihl.exe
  2⤵
  PID:11584
- C:\Windows\System\RqsnIjO.exe
  C:\Windows\System\RqsnIjO.exe
  2⤵
  PID:11612
- C:\Windows\System\rREmulz.exe
  C:\Windows\System\rREmulz.exe
  2⤵
  PID:11644
- C:\Windows\System\VuARvDV.exe
  C:\Windows\System\VuARvDV.exe
  2⤵
  PID:11672
- C:\Windows\System\BBkRjIz.exe
  C:\Windows\System\BBkRjIz.exe
  2⤵
  PID:11700
- C:\Windows\System\zIdZMMD.exe
  C:\Windows\System\zIdZMMD.exe
  2⤵
  PID:11728
- C:\Windows\System\akBvPoI.exe
  C:\Windows\System\akBvPoI.exe
  2⤵
  PID:11756
- C:\Windows\System\ZgSLDBJ.exe
  C:\Windows\System\ZgSLDBJ.exe
  2⤵
  PID:11784
- C:\Windows\System\Zodoszx.exe
  C:\Windows\System\Zodoszx.exe
  2⤵
  PID:11812
- C:\Windows\System\iJVPzNj.exe
  C:\Windows\System\iJVPzNj.exe
  2⤵
  PID:11840
- C:\Windows\System\VUgsqQm.exe
  C:\Windows\System\VUgsqQm.exe
  2⤵
  PID:11868
- C:\Windows\System\YJHqiHI.exe
  C:\Windows\System\YJHqiHI.exe
  2⤵
  PID:11896
- C:\Windows\System\KxCYgTL.exe
  C:\Windows\System\KxCYgTL.exe
  2⤵
  PID:11924
- C:\Windows\System\eESdVHe.exe
  C:\Windows\System\eESdVHe.exe
  2⤵
  PID:11952
- C:\Windows\System\KSvneBf.exe
  C:\Windows\System\KSvneBf.exe
  2⤵
  PID:11980
- C:\Windows\System\OnQBjRD.exe
  C:\Windows\System\OnQBjRD.exe
  2⤵
  PID:12008
- C:\Windows\System\GAopqUl.exe
  C:\Windows\System\GAopqUl.exe
  2⤵
  PID:12036
- C:\Windows\System\WzDDHZk.exe
  C:\Windows\System\WzDDHZk.exe
  2⤵
  PID:12064
- C:\Windows\System\PCMVYvo.exe
  C:\Windows\System\PCMVYvo.exe
  2⤵
  PID:12104
- C:\Windows\System\KrGDGeJ.exe
  C:\Windows\System\KrGDGeJ.exe
  2⤵
  PID:12120
- C:\Windows\System\qQioaMt.exe
  C:\Windows\System\qQioaMt.exe
  2⤵
  PID:12148
- C:\Windows\System\WlPaPDd.exe
  C:\Windows\System\WlPaPDd.exe
  2⤵
  PID:12176
- C:\Windows\System\LZWfXCm.exe
  C:\Windows\System\LZWfXCm.exe
  2⤵
  PID:12204
- C:\Windows\System\kKlUigD.exe
  C:\Windows\System\kKlUigD.exe
  2⤵
  PID:12232
- C:\Windows\System\lKxGeqf.exe
  C:\Windows\System\lKxGeqf.exe
  2⤵
  PID:12260
- C:\Windows\System\dLaRpao.exe
  C:\Windows\System\dLaRpao.exe
  2⤵
  PID:1628
- C:\Windows\System\HWtIwsX.exe
  C:\Windows\System\HWtIwsX.exe
  2⤵
  PID:1264
- C:\Windows\System\FbHPnDc.exe
  C:\Windows\System\FbHPnDc.exe
  2⤵
  PID:3464
- C:\Windows\System\Xxkihgw.exe
  C:\Windows\System\Xxkihgw.exe
  2⤵
  PID:11356
- C:\Windows\System\tmgrPRN.exe
  C:\Windows\System\tmgrPRN.exe
  2⤵
  PID:11392
- C:\Windows\System\AsUrzdh.exe
  C:\Windows\System\AsUrzdh.exe
  2⤵
  PID:10784
- C:\Windows\System\bqqwbSn.exe
  C:\Windows\System\bqqwbSn.exe
  2⤵
  PID:11464
- C:\Windows\System\NirEtuY.exe
  C:\Windows\System\NirEtuY.exe
  2⤵
  PID:11524
- C:\Windows\System\wQBrETp.exe
  C:\Windows\System\wQBrETp.exe
  2⤵
  PID:11596
- C:\Windows\System\DLCAyZe.exe
  C:\Windows\System\DLCAyZe.exe
  2⤵
  PID:11668
- C:\Windows\System\jgeIOOV.exe
  C:\Windows\System\jgeIOOV.exe
  2⤵
  PID:11740
- C:\Windows\System\pPnAiSH.exe
  C:\Windows\System\pPnAiSH.exe
  2⤵
  PID:11804
- C:\Windows\System\TtBJSuK.exe
  C:\Windows\System\TtBJSuK.exe
  2⤵
  PID:11864
- C:\Windows\System\vquQPPC.exe
  C:\Windows\System\vquQPPC.exe
  2⤵
  PID:11936
- C:\Windows\System\SReZkGx.exe
  C:\Windows\System\SReZkGx.exe
  2⤵
  PID:12000
- C:\Windows\System\uyocgBO.exe
  C:\Windows\System\uyocgBO.exe
  2⤵
  PID:12056
- C:\Windows\System\nYIgNNK.exe
  C:\Windows\System\nYIgNNK.exe
  2⤵
  PID:12116
- C:\Windows\System\zznZZNt.exe
  C:\Windows\System\zznZZNt.exe
  2⤵
  PID:12188
- C:\Windows\System\UpnUsvh.exe
  C:\Windows\System\UpnUsvh.exe
  2⤵
  PID:12252
- C:\Windows\System\jmdHwUx.exe
  C:\Windows\System\jmdHwUx.exe
  2⤵
  PID:1816
- C:\Windows\System\fwbSqmy.exe
  C:\Windows\System\fwbSqmy.exe
  2⤵
  PID:11352
- C:\Windows\System\LCFteVm.exe
  C:\Windows\System\LCFteVm.exe
  2⤵
  PID:11396
- C:\Windows\System\saTontw.exe
  C:\Windows\System\saTontw.exe
  2⤵
  PID:11656
- C:\Windows\System\LMNAhGf.exe
  C:\Windows\System\LMNAhGf.exe
  2⤵
  PID:11768
- C:\Windows\System\cfMUxXr.exe
  C:\Windows\System\cfMUxXr.exe
  2⤵
  PID:11916
- C:\Windows\System\KViSeZM.exe
  C:\Windows\System\KViSeZM.exe
  2⤵
  PID:12048
- C:\Windows\System\VgXelvE.exe
  C:\Windows\System\VgXelvE.exe
  2⤵
  PID:12216
- C:\Windows\System\FtwgmCl.exe
  C:\Windows\System\FtwgmCl.exe
  2⤵
  PID:11272
- C:\Windows\System\yolEvsa.exe
  C:\Windows\System\yolEvsa.exe
  2⤵
  PID:11552
- C:\Windows\System\doGdnvE.exe
  C:\Windows\System\doGdnvE.exe
  2⤵
  PID:11860
- C:\Windows\System\Cexfnhk.exe
  C:\Windows\System\Cexfnhk.exe
  2⤵
  PID:11632
- C:\Windows\System\QmgpLQt.exe
  C:\Windows\System\QmgpLQt.exe
  2⤵
  PID:11724
- C:\Windows\System\hKBRSPA.exe
  C:\Windows\System\hKBRSPA.exe
  2⤵
  PID:1072
- C:\Windows\System\IDomVBW.exe
  C:\Windows\System\IDomVBW.exe
  2⤵
  PID:11280
- C:\Windows\System\ntenwfR.exe
  C:\Windows\System\ntenwfR.exe
  2⤵
  PID:11204
- C:\Windows\System\ZZNrqZF.exe
  C:\Windows\System\ZZNrqZF.exe
  2⤵
  PID:12316
- C:\Windows\System\pNacZXi.exe
  C:\Windows\System\pNacZXi.exe
  2⤵
  PID:12344
- C:\Windows\System\XaeOTfK.exe
  C:\Windows\System\XaeOTfK.exe
  2⤵
  PID:12372
- C:\Windows\System\PADnSNk.exe
  C:\Windows\System\PADnSNk.exe
  2⤵
  PID:12400
- C:\Windows\System\IHYMQbT.exe
  C:\Windows\System\IHYMQbT.exe
  2⤵
  PID:12428
- C:\Windows\System\obKwBoN.exe
  C:\Windows\System\obKwBoN.exe
  2⤵
  PID:12456
- C:\Windows\System\EPzvhZW.exe
  C:\Windows\System\EPzvhZW.exe
  2⤵
  PID:12488
- C:\Windows\System\OQmSAvc.exe
  C:\Windows\System\OQmSAvc.exe
  2⤵
  PID:12516
- C:\Windows\System\ADWBIps.exe
  C:\Windows\System\ADWBIps.exe
  2⤵
  PID:12544
- C:\Windows\System\wYLyEXO.exe
  C:\Windows\System\wYLyEXO.exe
  2⤵
  PID:12572
- C:\Windows\System\gCpCtTu.exe
  C:\Windows\System\gCpCtTu.exe
  2⤵
  PID:12600
- C:\Windows\System\MCqTGVK.exe
  C:\Windows\System\MCqTGVK.exe
  2⤵
  PID:12628
- C:\Windows\System\EmNWVzd.exe
  C:\Windows\System\EmNWVzd.exe
  2⤵
  PID:12656
- C:\Windows\System\EwpnVBk.exe
  C:\Windows\System\EwpnVBk.exe
  2⤵
  PID:12684
- C:\Windows\System\quEuyCH.exe
  C:\Windows\System\quEuyCH.exe
  2⤵
  PID:12712
- C:\Windows\System\iDsNzch.exe
  C:\Windows\System\iDsNzch.exe
  2⤵
  PID:12740
- C:\Windows\System\XihHtLJ.exe
  C:\Windows\System\XihHtLJ.exe
  2⤵
  PID:12768
- C:\Windows\System\duOydqg.exe
  C:\Windows\System\duOydqg.exe
  2⤵
  PID:12796
- C:\Windows\System\MwbcGZz.exe
  C:\Windows\System\MwbcGZz.exe
  2⤵
  PID:12824
- C:\Windows\System\dhGWJDz.exe
  C:\Windows\System\dhGWJDz.exe
  2⤵
  PID:12852
- C:\Windows\System\BsgKdiV.exe
  C:\Windows\System\BsgKdiV.exe
  2⤵
  PID:12880
- C:\Windows\System\xEoWKFF.exe
  C:\Windows\System\xEoWKFF.exe
  2⤵
  PID:12908
- C:\Windows\System\JUZTJCB.exe
  C:\Windows\System\JUZTJCB.exe
  2⤵
  PID:12936
- C:\Windows\System\vDJXILu.exe
  C:\Windows\System\vDJXILu.exe
  2⤵
  PID:12964
- C:\Windows\System\imaggeB.exe
  C:\Windows\System\imaggeB.exe
  2⤵
  PID:12992
- C:\Windows\System\UGTmtav.exe
  C:\Windows\System\UGTmtav.exe
  2⤵
  PID:13020
- C:\Windows\System\ZoGQVAq.exe
  C:\Windows\System\ZoGQVAq.exe
  2⤵
  PID:13048
- C:\Windows\System\WzFbeVW.exe
  C:\Windows\System\WzFbeVW.exe
  2⤵
  PID:13076
- C:\Windows\System\SDIniXK.exe
  C:\Windows\System\SDIniXK.exe
  2⤵
  PID:13104
- C:\Windows\System\xHJfSyw.exe
  C:\Windows\System\xHJfSyw.exe
  2⤵
  PID:13132
- C:\Windows\System\kLviOLi.exe
  C:\Windows\System\kLviOLi.exe
  2⤵
  PID:13160
- C:\Windows\System\jyBUAsy.exe
  C:\Windows\System\jyBUAsy.exe
  2⤵
  PID:13188
- C:\Windows\System\xfiaUnS.exe
  C:\Windows\System\xfiaUnS.exe
  2⤵
  PID:13216
- C:\Windows\System\qrEMWsD.exe
  C:\Windows\System\qrEMWsD.exe
  2⤵
  PID:13244
- C:\Windows\System\BSLQuzV.exe
  C:\Windows\System\BSLQuzV.exe
  2⤵
  PID:13272
- C:\Windows\System\MafHfYg.exe
  C:\Windows\System\MafHfYg.exe
  2⤵
  PID:13300
- C:\Windows\System\GueBrTk.exe
  C:\Windows\System\GueBrTk.exe
  2⤵
  PID:12328
- C:\Windows\System\nlSBikL.exe
  C:\Windows\System\nlSBikL.exe
  2⤵
  PID:12396
- C:\Windows\System\cUPgXdN.exe
  C:\Windows\System\cUPgXdN.exe
  2⤵
  PID:12468
- C:\Windows\System\WoWIvGr.exe
  C:\Windows\System\WoWIvGr.exe
  2⤵
  PID:12536
- C:\Windows\System\uDamWsz.exe
  C:\Windows\System\uDamWsz.exe
  2⤵
  PID:12596
- C:\Windows\System\UrBVCAM.exe
  C:\Windows\System\UrBVCAM.exe
  2⤵
  PID:12668
- C:\Windows\System\mQxLbnJ.exe
  C:\Windows\System\mQxLbnJ.exe
  2⤵
  PID:12732
- C:\Windows\System\eOExFSK.exe
  C:\Windows\System\eOExFSK.exe
  2⤵
  PID:12792
- C:\Windows\System\zcnaYWD.exe
  C:\Windows\System\zcnaYWD.exe
  2⤵
  PID:12864
- C:\Windows\System\mcoercs.exe
  C:\Windows\System\mcoercs.exe
  2⤵
  PID:12928
- C:\Windows\System\eSxMtlk.exe
  C:\Windows\System\eSxMtlk.exe
  2⤵
  PID:12988
- C:\Windows\System\kjbEvWf.exe
  C:\Windows\System\kjbEvWf.exe
  2⤵
  PID:13060
- C:\Windows\System\sqnqngP.exe
  C:\Windows\System\sqnqngP.exe
  2⤵
  PID:12480
- C:\Windows\System\Muzdtih.exe
  C:\Windows\System\Muzdtih.exe
  2⤵
  PID:13180
- C:\Windows\System\RbCgvYF.exe
  C:\Windows\System\RbCgvYF.exe
  2⤵
  PID:13240
- C:\Windows\System\FymLIxi.exe
  C:\Windows\System\FymLIxi.exe
  2⤵
  PID:11608
- C:\Windows\System\dGKIUDC.exe
  C:\Windows\System\dGKIUDC.exe
  2⤵
  PID:12448
- C:\Windows\System\UobxRIo.exe
  C:\Windows\System\UobxRIo.exe
  2⤵
  PID:12592
- C:\Windows\System\YaGvwsB.exe
  C:\Windows\System\YaGvwsB.exe
  2⤵
  PID:12760
- C:\Windows\System\RPhpjbQ.exe
  C:\Windows\System\RPhpjbQ.exe
  2⤵
  PID:12904
- C:\Windows\System\TkdRAmz.exe
  C:\Windows\System\TkdRAmz.exe
  2⤵
  PID:13044
- C:\Windows\System\AobzpXz.exe
  C:\Windows\System\AobzpXz.exe
  2⤵
  PID:13208
- C:\Windows\System\oIqirXY.exe
  C:\Windows\System\oIqirXY.exe
  2⤵
  PID:12384
- C:\Windows\System\pxQucSj.exe
  C:\Windows\System\pxQucSj.exe
  2⤵
  PID:3584
- C:\Windows\System\ygvuRKY.exe
  C:\Windows\System\ygvuRKY.exe
  2⤵
  PID:13016
- C:\Windows\System\HsBUOqG.exe
  C:\Windows\System\HsBUOqG.exe
  2⤵
  PID:12356
- C:\Windows\System\XOXpOHf.exe
  C:\Windows\System\XOXpOHf.exe
  2⤵
  PID:4428
- C:\Windows\System\WQXgTNQ.exe
  C:\Windows\System\WQXgTNQ.exe
  2⤵
  PID:2876
- C:\Windows\System\oWlKKdW.exe
  C:\Windows\System\oWlKKdW.exe
  2⤵
  PID:12820
- C:\Windows\System\XBeNWEU.exe
  C:\Windows\System\XBeNWEU.exe
  2⤵
  PID:12652
- C:\Windows\System\rKUOnFA.exe
  C:\Windows\System\rKUOnFA.exe
  2⤵
  PID:13328
- C:\Windows\System\iFCzqBO.exe
  C:\Windows\System\iFCzqBO.exe
  2⤵
  PID:13356
- C:\Windows\System\JpOkTXa.exe
  C:\Windows\System\JpOkTXa.exe
  2⤵
  PID:13384
- C:\Windows\System\KmqNldj.exe
  C:\Windows\System\KmqNldj.exe
  2⤵
  PID:13412
- C:\Windows\System\uWzXTFY.exe
  C:\Windows\System\uWzXTFY.exe
  2⤵
  PID:13440
- C:\Windows\System\dfstBzQ.exe
  C:\Windows\System\dfstBzQ.exe
  2⤵
  PID:13472
- C:\Windows\System\UoLtEBq.exe
  C:\Windows\System\UoLtEBq.exe
  2⤵
  PID:13500
- C:\Windows\System\oYgdUFr.exe
  C:\Windows\System\oYgdUFr.exe
  2⤵
  PID:13528
- C:\Windows\System\pMjKHgH.exe
  C:\Windows\System\pMjKHgH.exe
  2⤵
  PID:13556
- C:\Windows\System\MSDnldL.exe
  C:\Windows\System\MSDnldL.exe
  2⤵
  PID:13584
- C:\Windows\System\aFIdktq.exe
  C:\Windows\System\aFIdktq.exe
  2⤵
  PID:13624
- C:\Windows\System\KVGlCNI.exe
  C:\Windows\System\KVGlCNI.exe
  2⤵
  PID:13640
- C:\Windows\System\cyjjWwM.exe
  C:\Windows\System\cyjjWwM.exe
  2⤵
  PID:13668
- C:\Windows\System\ehjpcEw.exe
  C:\Windows\System\ehjpcEw.exe
  2⤵
  PID:13696
- C:\Windows\System\JZqZtHH.exe
  C:\Windows\System\JZqZtHH.exe
  2⤵
  PID:13724
- C:\Windows\System\foLFWmA.exe
  C:\Windows\System\foLFWmA.exe
  2⤵
  PID:13752
- C:\Windows\System\lKnObbo.exe
  C:\Windows\System\lKnObbo.exe
  2⤵
  PID:13780
- C:\Windows\System\ZKCymdX.exe
  C:\Windows\System\ZKCymdX.exe
  2⤵
  PID:13808
- C:\Windows\System\HTLRhSP.exe
  C:\Windows\System\HTLRhSP.exe
  2⤵
  PID:13836
- C:\Windows\System\NUSfXCS.exe
  C:\Windows\System\NUSfXCS.exe
  2⤵
  PID:13864
- C:\Windows\System\YsEcoVa.exe
  C:\Windows\System\YsEcoVa.exe
  2⤵
  PID:13892
- C:\Windows\System\fsFMrrE.exe
  C:\Windows\System\fsFMrrE.exe
  2⤵
  PID:13920
- C:\Windows\System\KObjhFk.exe
  C:\Windows\System\KObjhFk.exe
  2⤵
  PID:13948
- C:\Windows\System\pYqTrse.exe
  C:\Windows\System\pYqTrse.exe
  2⤵
  PID:13976
- C:\Windows\System\dEeFIMz.exe
  C:\Windows\System\dEeFIMz.exe
  2⤵
  PID:14004
- C:\Windows\System\hBOSIuw.exe
  C:\Windows\System\hBOSIuw.exe
  2⤵
  PID:14032
- C:\Windows\System\RcmBPXT.exe
  C:\Windows\System\RcmBPXT.exe
  2⤵
  PID:14060
- C:\Windows\System\JCOrSXp.exe
  C:\Windows\System\JCOrSXp.exe
  2⤵
  PID:14088
- C:\Windows\System\BLvbqfN.exe
  C:\Windows\System\BLvbqfN.exe
  2⤵
  PID:14116
- C:\Windows\System\XJRNWsf.exe
  C:\Windows\System\XJRNWsf.exe
  2⤵
  PID:14144
- C:\Windows\System\MzJoGui.exe
  C:\Windows\System\MzJoGui.exe
  2⤵
  PID:14172
- C:\Windows\System\iAvKFDy.exe
  C:\Windows\System\iAvKFDy.exe
  2⤵
  PID:14208
- C:\Windows\System\wFDDKQH.exe
  C:\Windows\System\wFDDKQH.exe
  2⤵
  PID:14248
- C:\Windows\System\KtWhbZr.exe
  C:\Windows\System\KtWhbZr.exe
  2⤵
  PID:14268
- C:\Windows\System\rNeDTOy.exe
  C:\Windows\System\rNeDTOy.exe
  2⤵
  PID:14296
- C:\Windows\System\KXItndp.exe
  C:\Windows\System\KXItndp.exe
  2⤵
  PID:14328
- C:\Windows\System\iWKchpL.exe
  C:\Windows\System\iWKchpL.exe
  2⤵
  PID:13380
- C:\Windows\System\BttxZki.exe
  C:\Windows\System\BttxZki.exe
  2⤵
  PID:13436
- C:\Windows\System\hIoHqTi.exe
  C:\Windows\System\hIoHqTi.exe
  2⤵
  PID:13512
- C:\Windows\System\DVwjDZo.exe
  C:\Windows\System\DVwjDZo.exe
  2⤵
  PID:13568
- C:\Windows\System\sPccMpe.exe
  C:\Windows\System\sPccMpe.exe
  2⤵
  PID:13636
- C:\Windows\System\OJEsRPD.exe
  C:\Windows\System\OJEsRPD.exe
  2⤵
  PID:13772
- C:\Windows\System\KjXNEYt.exe
  C:\Windows\System\KjXNEYt.exe
  2⤵
  PID:13804
- C:\Windows\System\HzLujSa.exe
  C:\Windows\System\HzLujSa.exe
  2⤵
  PID:13876
- C:\Windows\System\qPYPItH.exe
  C:\Windows\System\qPYPItH.exe
  2⤵
  PID:13932
- C:\Windows\System\ttakuDj.exe
  C:\Windows\System\ttakuDj.exe
  2⤵
  PID:14000
- C:\Windows\System\aoGUdQZ.exe
  C:\Windows\System\aoGUdQZ.exe
  2⤵
  PID:14056
- C:\Windows\System\HcEMwPu.exe
  C:\Windows\System\HcEMwPu.exe
  2⤵
  PID:14136
- C:\Windows\System\JjglIdc.exe
  C:\Windows\System\JjglIdc.exe
  2⤵
  PID:468
- C:\Windows\System\zcCIcNg.exe
  C:\Windows\System\zcCIcNg.exe
  2⤵
  PID:4560
- C:\Windows\System\SUfdFyP.exe
  C:\Windows\System\SUfdFyP.exe
  2⤵
  PID:2496
- C:\Windows\System\oXMGAQh.exe
  C:\Windows\System\oXMGAQh.exe
  2⤵
  PID:13320
- C:\Windows\System\rBDUQEy.exe
  C:\Windows\System\rBDUQEy.exe
  2⤵
  PID:13540
- C:\Windows\System\MOOQuGm.exe
  C:\Windows\System\MOOQuGm.exe
  2⤵
  PID:13664
- C:\Windows\System\RJIiMCM.exe
  C:\Windows\System\RJIiMCM.exe
  2⤵
  PID:13792
- C:\Windows\System\ncIrToJ.exe
  C:\Windows\System\ncIrToJ.exe
  2⤵
  PID:13968
- C:\Windows\System\lrhYgAb.exe
  C:\Windows\System\lrhYgAb.exe
  2⤵
  PID:13988
- C:\Windows\System\ADQwnjc.exe
  C:\Windows\System\ADQwnjc.exe
  2⤵
  PID:4972
- C:\Windows\System\nlZlMqa.exe
  C:\Windows\System\nlZlMqa.exe
  2⤵
  PID:14264
- C:\Windows\System\yfnmdoA.exe
  C:\Windows\System\yfnmdoA.exe
  2⤵
  PID:13408
- C:\Windows\System\HuPHmlz.exe
  C:\Windows\System\HuPHmlz.exe
  2⤵
  PID:13800
- C:\Windows\System\bLLqfhl.exe
  C:\Windows\System\bLLqfhl.exe
  2⤵
  PID:14044
- C:\Windows\System\XhTtFUD.exe
  C:\Windows\System\XhTtFUD.exe
  2⤵
  PID:14280
- C:\Windows\System\EyMAjzs.exe
  C:\Windows\System\EyMAjzs.exe
  2⤵
  PID:13484
- C:\Windows\System\aDBvHUx.exe
  C:\Windows\System\aDBvHUx.exe
  2⤵
  PID:13960
- C:\Windows\System\ioRLxdD.exe
  C:\Windows\System\ioRLxdD.exe
  2⤵
  PID:14352
- C:\Windows\System\MDvhWIX.exe
  C:\Windows\System\MDvhWIX.exe
  2⤵
  PID:14380
- C:\Windows\System\qzTNjrk.exe
  C:\Windows\System\qzTNjrk.exe
  2⤵
  PID:14408
- C:\Windows\System\AEIPnZR.exe
  C:\Windows\System\AEIPnZR.exe
  2⤵
  PID:14436
- C:\Windows\System\mmBBTMe.exe
  C:\Windows\System\mmBBTMe.exe
  2⤵
  PID:14464
- C:\Windows\System\MnhQTef.exe
  C:\Windows\System\MnhQTef.exe
  2⤵
  PID:14492
- C:\Windows\System\eERxWYG.exe
  C:\Windows\System\eERxWYG.exe
  2⤵
  PID:14520
- C:\Windows\System\MDCPDzg.exe
  C:\Windows\System\MDCPDzg.exe
  2⤵
  PID:14548
- C:\Windows\System\UQmCGqE.exe
  C:\Windows\System\UQmCGqE.exe
  2⤵
  PID:14576
- C:\Windows\System\rfXYjtx.exe
  C:\Windows\System\rfXYjtx.exe
  2⤵
  PID:14604
- C:\Windows\System\Nlxjmas.exe
  C:\Windows\System\Nlxjmas.exe
  2⤵
  PID:14632
- C:\Windows\System\KgLvgWM.exe
  C:\Windows\System\KgLvgWM.exe
  2⤵
  PID:14660
- C:\Windows\System\RPDGWmE.exe
  C:\Windows\System\RPDGWmE.exe
  2⤵
  PID:14688
- C:\Windows\System\rvkmoDx.exe
  C:\Windows\System\rvkmoDx.exe
  2⤵
  PID:14720
- C:\Windows\System\gSapIpm.exe
  C:\Windows\System\gSapIpm.exe
  2⤵
  PID:14748
- C:\Windows\System\EVqNJTG.exe
  C:\Windows\System\EVqNJTG.exe
  2⤵
  PID:14776
- C:\Windows\System\xkPqZzm.exe
  C:\Windows\System\xkPqZzm.exe
  2⤵
  PID:14804
- C:\Windows\System\vjmYagS.exe
  C:\Windows\System\vjmYagS.exe
  2⤵
  PID:14832
- C:\Windows\System\RetULmX.exe
  C:\Windows\System\RetULmX.exe
  2⤵
  PID:14860
- C:\Windows\System\vmMgaYj.exe
  C:\Windows\System\vmMgaYj.exe
  2⤵
  PID:14888
- C:\Windows\System\RpEWqdN.exe
  C:\Windows\System\RpEWqdN.exe
  2⤵
  PID:14916
- C:\Windows\System\GZXuoTH.exe
  C:\Windows\System\GZXuoTH.exe
  2⤵
  PID:14944
- C:\Windows\System\kfBpNZL.exe
  C:\Windows\System\kfBpNZL.exe
  2⤵
  PID:14972
- C:\Windows\System\UXZXHrq.exe
  C:\Windows\System\UXZXHrq.exe
  2⤵
  PID:15000
- C:\Windows\System\tyGTlIx.exe
  C:\Windows\System\tyGTlIx.exe
  2⤵
  PID:15028
- C:\Windows\System\gOIJsgp.exe
  C:\Windows\System\gOIJsgp.exe
  2⤵
  PID:15056
- C:\Windows\System\GXBLoXg.exe
  C:\Windows\System\GXBLoXg.exe
  2⤵
  PID:15084
- C:\Windows\System\YMMuFDT.exe
  C:\Windows\System\YMMuFDT.exe
  2⤵
  PID:15112
- C:\Windows\System\WoKEAJk.exe
  C:\Windows\System\WoKEAJk.exe
  2⤵
  PID:15140
- C:\Windows\System\wsSezyD.exe
  C:\Windows\System\wsSezyD.exe
  2⤵
  PID:15168
- C:\Windows\System\wtiCpXH.exe
  C:\Windows\System\wtiCpXH.exe
  2⤵
  PID:15196
- C:\Windows\System\GvCWfeW.exe
  C:\Windows\System\GvCWfeW.exe
  2⤵
  PID:15224
- C:\Windows\System\AtbyQIH.exe
  C:\Windows\System\AtbyQIH.exe
  2⤵
  PID:15252
- C:\Windows\System\KxlnyLa.exe
  C:\Windows\System\KxlnyLa.exe
  2⤵
  PID:15280
- C:\Windows\System\uXIIrma.exe
  C:\Windows\System\uXIIrma.exe
  2⤵
  PID:15308
- C:\Windows\System\FDyzHVU.exe
  C:\Windows\System\FDyzHVU.exe
  2⤵
  PID:15336
- C:\Windows\System\BWwgQRT.exe
  C:\Windows\System\BWwgQRT.exe
  2⤵
  PID:14344
- C:\Windows\System\okSrMlw.exe
  C:\Windows\System\okSrMlw.exe
  2⤵
  PID:14428
- C:\Windows\System\dLLtNTZ.exe
  C:\Windows\System\dLLtNTZ.exe
  2⤵
  PID:14476
- C:\Windows\System\NyiZmVp.exe
  C:\Windows\System\NyiZmVp.exe
  2⤵
  PID:14532
- C:\Windows\System\XySvDzn.exe
  C:\Windows\System\XySvDzn.exe
  2⤵
  PID:14596
- C:\Windows\System\smViCZY.exe
  C:\Windows\System\smViCZY.exe
  2⤵
  PID:14656
- C:\Windows\System\srDuCRA.exe
  C:\Windows\System\srDuCRA.exe
  2⤵
  PID:14712
- C:\Windows\System\OylAeFt.exe
  C:\Windows\System\OylAeFt.exe
  2⤵
  PID:4120
- C:\Windows\System\yTlqvpQ.exe
  C:\Windows\System\yTlqvpQ.exe
  2⤵
  PID:14816
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 14816 -s 248
    3⤵
    PID:15320

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:13748
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:14968

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5492

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5252

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6168

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6640

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:9752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4964

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:1284

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5616

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4108

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:10788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:10748

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8196

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7780

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5520

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12840

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7712

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9784

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9912

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4388

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13764

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3624

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3972

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10144

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6632

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11524

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:15108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6028

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9756

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13208

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:608

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5240

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8320

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9076

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1824

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13260

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6416

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5360

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9524

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6428

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14480

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14736

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YCLWQ4BV\microsoft.windows[1].xml

Filesize
97B

MD5
781c2d6d1f6f2f8ae243c569925a6c44

SHA1
6d5d26acc2002f5a507bd517051095a97501931b

SHA256
70687e419879f006d0c50c08657c66b1187b94ea216cfe0a2e6be8bd2de77bc8

SHA512
3599fa8f2ffe140a8f68ec735810d24a5b367a9a551d620baa6dc611ca755dce1a662bf22b90f842d499d2c9530fb8acd634d1654d5e2c1b319574cbf35eadf7

Download Submit
C:\Windows\System\BFEYZOF.exe

Filesize
6.0MB

MD5
d0d106e01ae478c55cdbfec5dccc5811

SHA1
a4fda7e7d8ec32836e0ce60b0e171924eee8ec62

SHA256
c84ece691d6bda8ea3c7622355d51c5266452b2e3373d17adf0a62615364fcda

SHA512
0b2c573734d058a113381a0b2ca6595dab93c8bdaa5bebcc39a1c6922b7899b58260a17628a362f62379ff0ce56ffcf78d431b2062eae52314e42481b9c88fef

Download Submit
C:\Windows\System\EDHcWom.exe

Filesize
6.0MB

MD5
3256d2627836bb5b3bb7107b2fb3128d

SHA1
0518fb4369b642ce2ac7c066d63acd93e788d325

SHA256
63f0b21ea2a884580876bfa0a371b662f8cc9fc94275ca0131dbf8a24a34fc02

SHA512
8cdca5d419d0d5f4fc4a8c06492f9322a5023f5023379f47ed2395e3cacdb692506c988b1eacd19169236d3687b4bbececb185588d60a745877faf82a42246d1

Download Submit
C:\Windows\System\FHZEmis.exe

Filesize
6.0MB

MD5
e789f03ddc00d2cd6f8662742d05f135

SHA1
e8ec753639cdd44185a78f1accefcb67cbc6b132

SHA256
c48c9f2b90d89465b0b0426cde62a548d75398e5b6124d9c5030dec62cbb9386

SHA512
6aecbacb761b6846d57f50bdd7e375acf18be82e2a62a3412d27dc1b433584e0d5df231854a12ae92cfe7a09166a93127c0fb8a6efe3985c751771f3618a7330

Download Submit
C:\Windows\System\GJltCrw.exe

Filesize
6.0MB

MD5
b02c4ad7f45bd830c2fd180dc3658028

SHA1
758b61afd79ae6c3a3ee4513a6c21e6124e8d623

SHA256
cb919343f1f45ea7351b6ed95291fba97fe15121dad79e3712553a98eabc2cc5

SHA512
fbb388b848f641c997097abc6356aa551bfd7d789ec880dd0cae4c1187c663fc52c5dc796672f26b57e94c1b43d6e10c5be06a697ca1a94cc244e11ea16416a0

Download Submit
C:\Windows\System\GWDeeae.exe

Filesize
6.0MB

MD5
c5a0baee6092e13a5e4527e4acd937eb

SHA1
dbff64277f71a44151c7fe2ba62480f7c2916e46

SHA256
e3398aedf6a63fe0120c25af9d1bcb8b46a4dd4c464971d8ca730ecf3488839f

SHA512
ed7acf2f244c2a1bdffa9a99462f8d8c67e5beb6af11c3d86aa0f1945e724b332a6d443f460a56fc9598dafc718487608281e24b99169f4e5c19cf9f429b02e7

Download Submit
C:\Windows\System\IDAopgl.exe

Filesize
6.0MB

MD5
09ff639365c25583ba825f66b85d453c

SHA1
e858ba43125476322aaf031713dc52acd6e731ff

SHA256
57a4672f9cccce6e3e09427bf0570f6b800093d41ac4a09f85cb368ee368f40d

SHA512
ae63b8aaff483f82a9852adf64dae55c1524e4477e430a10da8bc918d50a1739263e6cb880baca270402a146674d6eda1f306779d1bc966d309fd44252f6853a

Download Submit
C:\Windows\System\JPylDnb.exe

Filesize
6.0MB

MD5
4017afcb797e00d256bd5022858dae7b

SHA1
96d49dbbde2c04ea50c12a33109b3e7e7cdcf9ef

SHA256
c078a60e74e75348473a0c70024e04cd639383447cc4b527ab32b2211cefddae

SHA512
72d4e204b7d2f60064eb1f9dca03af20c8b97fec132a6ef5eb4f37638a098105d3022e10e07112df46a8eaf7a705be72e7c7400c96e4481871f3334ff417b67e

Download Submit
C:\Windows\System\JjBZKYo.exe

Filesize
6.0MB

MD5
a48d6105dd5603746ace12ca74b2c2a8

SHA1
d2984bad35b1a1c693f2d32d89af7599a7bfe494

SHA256
4855591c5714f2679ea22acb7906071566a8a14f6a90cbbea5f63dc8f13ab930

SHA512
96703b1a43e85f0e8fa488a17de3a29b69217204325a980659b77d2ee43ae88741d8a8151a538537ad12e30f950f3f5d3f8a55dd061bf1d150e69212c8981c81

Download Submit
C:\Windows\System\LKgxQSC.exe

Filesize
6.0MB

MD5
98bf78287146143fd5e71be98f0010aa

SHA1
6c7db8906ca6bbe2a2820eab2da1fd9f643c25c1

SHA256
53b1a89069826cc7ca8bca174b90de7601c352527fb784ea34272b914b71af96

SHA512
bb14a6372358c1db54320b0af21d518e29aecbf717d1233f52b5f69f10bbce0343f76e20804d7b514ae7a61807a073c71e4faacd01221702f4c9a4c58ad57aa5

Download Submit
C:\Windows\System\LvozGPx.exe

Filesize
6.0MB

MD5
6dc8178c59d073e7fcb2ea9b2ed3f819

SHA1
009922391a5c7e0aba7e8f85f3fded43f8269f35

SHA256
5022ec14d88bbaff706476859e183da04377774ee9ed3dfcda50f9e8dcc8c946

SHA512
fd5c8c36c20ce72a3c0be53ff7918d7dcffa9ed54c902d6ef7da7e3b7ba4888f0df2510fec3a9322a5250c05e4502b23c9941a85ec8a17eeb4fd91ea5efbab61

Download Submit
C:\Windows\System\MMkCSbz.exe

Filesize
6.0MB

MD5
3a8596714f7a587b41b9de4294c0ea6f

SHA1
fd75c7c45cdb11d063c56b18de6955a530cf049d

SHA256
40e64805fd05ce4fea91f6148a9ff77c2ef8c837d43ae310f25eacd58dd061f3

SHA512
fdc21f872966eaaaa9b63f8ed6924f7d01c92202bb846eec7367ad53e212291ffb442e858bcbe4a328d52eaab6408a77396676b58594f6a830ed840bf5afa777

Download Submit
C:\Windows\System\PEWEbId.exe

Filesize
6.0MB

MD5
aa760012abca1ff5831e743375f17216

SHA1
4328b3c1469381090cdd3192b76cee7e8299078f

SHA256
c3b645c09cbbb9292ac1ae1a953b4c4fd3bb4dbe38f2dddfbfbff157b1b3f0db

SHA512
76040e1bf7788b48386c1f28e17b9f114e454e26c25c76443c71a31efe7ae11f249f16ab781c179c8e3e94ae21651f7e91cb593ae3b71629ebdce25bf65163c5

Download Submit
C:\Windows\System\SVtPooj.exe

Filesize
6.0MB

MD5
d178ec2b6643d250ae18db801a3ef752

SHA1
d82141cdba6d5d78d4a9cf2a938df839cc3bf133

SHA256
3a0d32babaac792107d9ba589b5a786f1480d4491da4afc2618c9b88ee8b608b

SHA512
85d86320e0cad8306afb5e35c6e42a8ae577a68bb4db30ac81c101bc8755689435c14b7a866398e38297e4767c33d7f350a5967d32abf104fcf423ea69e9d9ac

Download Submit
C:\Windows\System\SkPmuTJ.exe

Filesize
6.0MB

MD5
f3944949432143b7167df1d032fec060

SHA1
08220d43c565b6ec20547dfee2cbff5349cb0b8b

SHA256
d839aefa59c59a6bff482099a65ad26308cd29eca885f2995076a6c0dddd8774

SHA512
c52a0f3517764e023304550cb995d80bfb070c59911505cfcbf5e017a841cc358462f1d68609a9e8ac1f4cf7a408d0e4d5df795324bc83f83eea7ffc8424ea85

Download Submit
C:\Windows\System\SyFRvsq.exe

Filesize
6.0MB

MD5
ca388b2d1ef7f3f4ee4c8cb707a64aac

SHA1
7909e68e06b27ee4dd2ac27e2a165b303156406b

SHA256
223975fc0af1b4fb7770de90e611fcaa85e1fc08d31f462f9d471660af3a1503

SHA512
a9dca29b503925cc4aa2364e8aa0c0cb74662d6ea507fe49e93f9078d8dc665b010857f6bdbe6bcf7efc85a734f42d5540080e7a4791a24cddea936afbe09f1d

Download Submit
C:\Windows\System\TGBCfwq.exe

Filesize
6.0MB

MD5
2b16e37e0e6e6eae2ffe0e433a775fea

SHA1
9ff7c7c14b5e81738fabfe9551086905fc224f7d

SHA256
52fda4da7e248ac09574c3b7ffffc3d2d4378ff19bb97e2a28524e755223acbc

SHA512
192dff3a0bc8cc5c7a39106207a5cb8c775f3af5be71ebbff874737e22e6ae2b8721e766469abf0394ffba3934dc430086fd4bd66e9c175c2d529217b37f14a1

Download Submit
C:\Windows\System\TYCyItq.exe

Filesize
6.0MB

MD5
96a09989a1c7e7bbb73c1e4da36ddbb2

SHA1
ee1f979328ca75e95cc216dc7e663da7611d7307

SHA256
9f78548aa2f46a557e417d3b4606b965cfe75e6b091de0128b1649b2de4e8428

SHA512
9c34a25eef08380e3ffea3e68fea00fee74bcc3dc792bdeb0ccdcb6e3774a2c73c3b9bd0195e736e9bcdbf9de8c287c18830ee690ab3532dfba25526f756efdf

Download Submit
C:\Windows\System\TtZEWex.exe

Filesize
6.0MB

MD5
68c548ddff726cade4c5988a3fc0dc89

SHA1
78ce79df804dc2a603049f11fc12fa6c39fa99f1

SHA256
4249ae9a2edf17a6a2a99192e80a49194fafefd259591ed04c406014678b1707

SHA512
f2d84fd14115766f9e31c01f7e147156121a553b18977d73ecc9dfae0b1592a1f77b9bcb223ba04d038775631a8b0967a3310af9b71ed1869d7d77dda52ec8df

Download Submit
C:\Windows\System\UTKYbfQ.exe

Filesize
6.0MB

MD5
fa97a16614a94015e57788ff0d07f63c

SHA1
e65d02465c2398cd31e09cf357dde540a6d98aea

SHA256
5a035198b6a80ad89e43cde0c1ba55c5d3a64a3cd26fff863d6aa03dfa895966

SHA512
545c369b4d60cb873552893712bfd269db86b602b29c69c9b5453c6e347c3c612130cf71493f57379902f96b33f1ac006bd7fbe12304a16ccfd68f0502bcf4a9

Download Submit
C:\Windows\System\VAsgtXE.exe

Filesize
6.0MB

MD5
5bfc258b23feac0a7441e1e3f972f233

SHA1
7fd5d12e790dbc8c7c441f3574482e077cd35aa3

SHA256
48e81c2ee8d46bfa1fbb1ac01dab36b18cb2706701217443f863d9cf55c55efe

SHA512
581d6b76a539bae251e2ba4e779933b263e3b0339499cf3c1f1b07e5be19c820ecf0d1ed01b6e3c45c39a39d21f892391261ec2de1b1b64013dfe89d5d1299a8

Download Submit
C:\Windows\System\WhjfsjO.exe

Filesize
6.0MB

MD5
98398c4dace2a20edc5c2bbb532e0ad6

SHA1
b6414ca8bba7502b137f9ff46dd79b9d9e0c7e50

SHA256
17e828551aa13efc085a5b68fd7316a4f800219df36fcc29f89b72a40228dd85

SHA512
581aab93700e73422fa176a59526d6854840de17ef349782c9e9bbe5ae44db6eee536cbc100327f7e3897945afe513fafa7b5667e1b2ce3e3819a7c16fb08433

Download Submit
C:\Windows\System\gavoqyR.exe

Filesize
6.0MB

MD5
1dfdf3eadb9fe6aae280b1e8fb9fd8d5

SHA1
cfd57407d6c5f8340cbcd13ccec7f0ab6137fc25

SHA256
21df7d1df7cdbba6cb4d6cf1447801d59c7ae69b2d16a36d56af73f442bf7c71

SHA512
8d3b1d8592cb7172557f824787f2118d032c06c0bc97fd2ae24227aab113ed793de40eb7d26525f094dce4b86362a5c95f57b6d3cba214a43faaa0303c7444b8

Download Submit
C:\Windows\System\grNDeua.exe

Filesize
6.0MB

MD5
c9169fbde6437da73b9885a2f7052f7a

SHA1
0bb4f6f182a234181f50dd106d4e1cc0f791762c

SHA256
708665eb2ff0490bd2966d4d1ce924cd1dc30ad25e6f17ff4a1db2f0e32f6d80

SHA512
12e9645eaae78351ded1646eb71863064313f93577e536a91f48ba82d42beb5a997bad6510d14572b7e18ffb66833b7893fff6631375496b8f325be6aad4cb94

Download Submit
C:\Windows\System\mqWShjv.exe

Filesize
6.0MB

MD5
0b92aefca325d659793d604044f0decc

SHA1
06fe480c9bbf096bf3ad521478732c7c3a618f8b

SHA256
dbb53d357e05b4ac867a03cb7625d811d54cf22e587f848b2dfbb66cbf5d55a5

SHA512
858cacac7e3076c75f1fd6969878613214c4324aced4079438727d48895711e59857a5f6a0ad5bc0a91f8a33c0b342644e2a212113bec65b318acd4f04acf092

Download Submit
C:\Windows\System\ntdCrkf.exe

Filesize
6.0MB

MD5
154ac65c6081fda0cb24bbd40f304a63

SHA1
0ae1478d66a34632083fc0bf52eed9d2c61b48c9

SHA256
ca3318e7ce5953135241247ced211c5405ec0f611d38598268190c716e62c068

SHA512
65a18d82b30863307ece7fda81dcd5ba4d6d245d0b5d274bfc912a48586e89dd8c44050742ac17ef374bd6ea66731faf2af7c04f36c6f3f059f5b834815a28fa

Download Submit
C:\Windows\System\obOaXrz.exe

Filesize
6.0MB

MD5
2f4030974c7ebeca8d3944646974869b

SHA1
fa93052b299f062d5c9994b27f3bb6a548c3ec37

SHA256
8ec1bec7c91837cb017afab5571f12e41960865dedb3c90cc831f76d7d3bd6c2

SHA512
441464ff7230bb04f1138f6198ffba1edf6e8a09ab423eb6498daa1e1da87ef53449c55c06f331ee9dc993b18448abe5b90f74c2d3ac326ffca7d0e458e6a363

Download Submit
C:\Windows\System\wCEgXot.exe

Filesize
6.0MB

MD5
07ef13fae35c6168334e96014f079301

SHA1
0d732a12d6379edbf2ac9e15bc9201299acda138

SHA256
a86bc4cc8f4f8600e561736f2cb496dd7d57e01cf5092232a56687d9ea5b09c5

SHA512
695681cac33757e9cee36b2a046530144fb70b954d2304c29de8b9a5ddea6d9c95105fca36cdf7f2af878115e81471938d44ed6165a17eb09be77f5eccae45d3

Download Submit
C:\Windows\System\wOzSmxs.exe

Filesize
6.0MB

MD5
afd597b3a46b5b6a7a04e501829004c9

SHA1
571ee193ff842ba75acc131736079217eb3d5ee0

SHA256
9c44a9ad43ec2b4e8e054b161845a8ba8887a3348c0b3234d34273451f093d1d

SHA512
5ff5de9a21ce0d179ec8389077366a2c3278d5c595ed0b392b9657c7437fd3a8e9aa0ccb40aaae4e7da6fb9d82274a3d5453a6b0d8b9a073eb63a5b960021936

Download Submit
C:\Windows\System\wxDTZtY.exe

Filesize
6.0MB

MD5
7f986e20b8d875070f2816b1f1c5598c

SHA1
4dde08f12d2c939c043297c8e14ae4ca1f1e8d18

SHA256
6d8c8dd8565bcfebc7dfacbad0fc7bf52d9452b11d9d83865483c2b11c195e59

SHA512
2007ec25af100a901ffbd62facc741efccfa21f015a4a83f7a47f6e47be5ea8b42fe50abbb8691268849bb11fdbf1c95e41e0a84ef5eaee0b1f522774934b0ab

Download Submit
C:\Windows\System\zAqoZNu.exe

Filesize
6.0MB

MD5
0b053e50dced5b060a029b1de84cee49

SHA1
fbcf3b2fbf529543776c9e51a591d17044f97624

SHA256
004a6ce6f9b6c25295d69254bd49ba034d86927c7f9055defd95a41ce81856ee

SHA512
4cd3a6155df3985e4f06fd9181bad4464099dc04a804ffb6fc629b26bd13e567c96a77c89f745b3cd6ca824721b765b3ed262ab9dea58d54f9a323e0407e9723

Download Submit
C:\Windows\System\zkjPXgJ.exe

Filesize
6.0MB

MD5
5e3d4c87d19011dd5163d5104f50ddd2

SHA1
f00b71700e67e533c0d0effe2e7da77014409b1b

SHA256
e0218af9108c1df62cbe734fc3d9320d8de6f1b9fe7b331dad171d637779f3bc

SHA512
7fe36ae9f0fd580b5079e63a17b82ba4adbf31cecb67f0ddec5aa255729330933088cec729aa43453c8eb63c9f83393571264167ffd93378234b7bb7e998b66c

Download Submit
C:\Windows\System\zzLgfGd.exe

Filesize
6.0MB

MD5
e05f1cd6980fb241c28cd7a37b6ce94d

SHA1
267fcb62783695971b2c9eb8df627721be5fca5d

SHA256
7d338659627c10ce4737e6ff45fd5d7466a059d92ab004b84c56594d298ed23c

SHA512
d3e87267635d45de7e4282472aada100e64be0271688273da9affb93177b6ada284deaf24f517068dadbc6d46af9068d3ef1b528f1f0fe2c8fbe4def491153fc

Download Submit
memory/212-199-0x00007FF661C30000-0x00007FF661F84000-memory.dmp

Filesize
3.3MB

Download
memory/212-2094-0x00007FF661C30000-0x00007FF661F84000-memory.dmp

Filesize
3.3MB

Download
memory/212-131-0x00007FF661C30000-0x00007FF661F84000-memory.dmp

Filesize
3.3MB

Download
memory/456-1551-0x00007FF62CE50000-0x00007FF62D1A4000-memory.dmp

Filesize
3.3MB

Download
memory/456-132-0x00007FF62CE50000-0x00007FF62D1A4000-memory.dmp

Filesize
3.3MB

Download
memory/456-42-0x00007FF62CE50000-0x00007FF62D1A4000-memory.dmp

Filesize
3.3MB

Download
memory/644-152-0x00007FF6D6880000-0x00007FF6D6BD4000-memory.dmp

Filesize
3.3MB

Download
memory/644-349-0x00007FF6D6880000-0x00007FF6D6BD4000-memory.dmp

Filesize
3.3MB

Download
memory/1068-1541-0x00007FF73B120000-0x00007FF73B474000-memory.dmp

Filesize
3.3MB

Download
memory/1068-113-0x00007FF73B120000-0x00007FF73B474000-memory.dmp

Filesize
3.3MB

Download
memory/1068-38-0x00007FF73B120000-0x00007FF73B474000-memory.dmp

Filesize
3.3MB

Download
memory/1128-1556-0x00007FF6D5800000-0x00007FF6D5B54000-memory.dmp

Filesize
3.3MB

Download
memory/1128-145-0x00007FF6D5800000-0x00007FF6D5B54000-memory.dmp

Filesize
3.3MB

Download
memory/1128-59-0x00007FF6D5800000-0x00007FF6D5B54000-memory.dmp

Filesize
3.3MB

Download
memory/1260-187-0x00007FF7C2960000-0x00007FF7C2CB4000-memory.dmp

Filesize
3.3MB

Download
memory/1260-2076-0x00007FF7C2960000-0x00007FF7C2CB4000-memory.dmp

Filesize
3.3MB

Download
memory/1260-107-0x00007FF7C2960000-0x00007FF7C2CB4000-memory.dmp

Filesize
3.3MB

Download
memory/1504-213-0x00007FF6657B0000-0x00007FF665B04000-memory.dmp

Filesize
3.3MB

Download
memory/1504-137-0x00007FF6657B0000-0x00007FF665B04000-memory.dmp

Filesize
3.3MB

Download
memory/1504-2097-0x00007FF6657B0000-0x00007FF665B04000-memory.dmp

Filesize
3.3MB

Download
memory/1876-189-0x00007FF6F4760000-0x00007FF6F4AB4000-memory.dmp

Filesize
3.3MB

Download
memory/1876-130-0x00007FF6F4760000-0x00007FF6F4AB4000-memory.dmp

Filesize
3.3MB

Download
memory/1876-2093-0x00007FF6F4760000-0x00007FF6F4AB4000-memory.dmp

Filesize
3.3MB

Download
memory/1992-104-0x00007FF73BEA0000-0x00007FF73C1F4000-memory.dmp

Filesize
3.3MB

Download
memory/1992-23-0x00007FF73BEA0000-0x00007FF73C1F4000-memory.dmp

Filesize
3.3MB

Download
memory/1992-1533-0x00007FF73BEA0000-0x00007FF73C1F4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-196-0x00007FF7DE950000-0x00007FF7DECA4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-2358-0x00007FF7DE950000-0x00007FF7DECA4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-732-0x00007FF7DE950000-0x00007FF7DECA4000-memory.dmp

Filesize
3.3MB

Download
memory/2784-2075-0x00007FF6D4750000-0x00007FF6D4AA4000-memory.dmp

Filesize
3.3MB

Download
memory/2784-188-0x00007FF6D4750000-0x00007FF6D4AA4000-memory.dmp

Filesize
3.3MB

Download
memory/2784-126-0x00007FF6D4750000-0x00007FF6D4AA4000-memory.dmp

Filesize
3.3MB

Download
memory/2800-1517-0x00007FF76B730000-0x00007FF76BA84000-memory.dmp

Filesize
3.3MB

Download
memory/2800-91-0x00007FF76B730000-0x00007FF76BA84000-memory.dmp

Filesize
3.3MB

Download
memory/2800-6-0x00007FF76B730000-0x00007FF76BA84000-memory.dmp

Filesize
3.3MB

Download
memory/2864-78-0x00007FF63D400000-0x00007FF63D754000-memory.dmp

Filesize
3.3MB

Download
memory/2864-1567-0x00007FF63D400000-0x00007FF63D754000-memory.dmp

Filesize
3.3MB

Download
memory/3048-65-0x00007FF778940000-0x00007FF778C94000-memory.dmp

Filesize
3.3MB

Download
memory/3048-1562-0x00007FF778940000-0x00007FF778C94000-memory.dmp

Filesize
3.3MB

Download
memory/3048-135-0x00007FF778940000-0x00007FF778C94000-memory.dmp

Filesize
3.3MB

Download
memory/3396-2068-0x00007FF703E70000-0x00007FF7041C4000-memory.dmp

Filesize
3.3MB

Download
memory/3396-94-0x00007FF703E70000-0x00007FF7041C4000-memory.dmp

Filesize
3.3MB

Download
memory/3448-163-0x00007FF780EF0000-0x00007FF781244000-memory.dmp

Filesize
3.3MB

Download
memory/3448-473-0x00007FF780EF0000-0x00007FF781244000-memory.dmp

Filesize
3.3MB

Download
memory/3448-2354-0x00007FF780EF0000-0x00007FF781244000-memory.dmp

Filesize
3.3MB

Download
memory/3488-603-0x00007FF7828E0000-0x00007FF782C34000-memory.dmp

Filesize
3.3MB

Download
memory/3488-2355-0x00007FF7828E0000-0x00007FF782C34000-memory.dmp

Filesize
3.3MB

Download
memory/3488-169-0x00007FF7828E0000-0x00007FF782C34000-memory.dmp

Filesize
3.3MB

Download
memory/3492-1560-0x00007FF71ED00000-0x00007FF71F054000-memory.dmp

Filesize
3.3MB

Download
memory/3492-74-0x00007FF71ED00000-0x00007FF71F054000-memory.dmp

Filesize
3.3MB

Download
memory/3492-148-0x00007FF71ED00000-0x00007FF71F054000-memory.dmp

Filesize
3.3MB

Download
memory/3588-15-0x00007FF6656B0000-0x00007FF665A04000-memory.dmp

Filesize
3.3MB

Download
memory/3588-1527-0x00007FF6656B0000-0x00007FF665A04000-memory.dmp

Filesize
3.3MB

Download
memory/3588-98-0x00007FF6656B0000-0x00007FF665A04000-memory.dmp

Filesize
3.3MB

Download
memory/3976-48-0x00007FF616050000-0x00007FF6163A4000-memory.dmp

Filesize
3.3MB

Download
memory/3976-1561-0x00007FF616050000-0x00007FF6163A4000-memory.dmp

Filesize
3.3MB

Download
memory/3976-133-0x00007FF616050000-0x00007FF6163A4000-memory.dmp

Filesize
3.3MB

Download
memory/4324-86-0x00007FF74D1C0000-0x00007FF74D514000-memory.dmp

Filesize
3.3MB

Download
memory/4324-1-0x000001DDFD6A0000-0x000001DDFD6B0000-memory.dmp

Filesize
64KB

Download
memory/4324-0-0x00007FF74D1C0000-0x00007FF74D514000-memory.dmp

Filesize
3.3MB

Download
memory/4544-176-0x00007FF6D7630000-0x00007FF6D7984000-memory.dmp

Filesize
3.3MB

Download
memory/4544-2072-0x00007FF6D7630000-0x00007FF6D7984000-memory.dmp

Filesize
3.3MB

Download
memory/4544-99-0x00007FF6D7630000-0x00007FF6D7984000-memory.dmp

Filesize
3.3MB

Download
memory/4708-87-0x00007FF798980000-0x00007FF798CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4708-2067-0x00007FF798980000-0x00007FF798CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4780-2357-0x00007FF706180000-0x00007FF7064D4000-memory.dmp

Filesize
3.3MB

Download
memory/4780-192-0x00007FF706180000-0x00007FF7064D4000-memory.dmp

Filesize
3.3MB

Download
memory/4780-731-0x00007FF706180000-0x00007FF7064D4000-memory.dmp

Filesize
3.3MB

Download
memory/4828-136-0x00007FF709B10000-0x00007FF709E64000-memory.dmp

Filesize
3.3MB

Download
memory/4828-2080-0x00007FF709B10000-0x00007FF709E64000-memory.dmp

Filesize
3.3MB

Download
memory/4956-410-0x00007FF62B180000-0x00007FF62B4D4000-memory.dmp

Filesize
3.3MB

Download
memory/4956-159-0x00007FF62B180000-0x00007FF62B4D4000-memory.dmp

Filesize
3.3MB

Download
memory/5004-1559-0x00007FF6A4F00000-0x00007FF6A5254000-memory.dmp

Filesize
3.3MB

Download
memory/5004-134-0x00007FF6A4F00000-0x00007FF6A5254000-memory.dmp

Filesize
3.3MB

Download
memory/5004-56-0x00007FF6A4F00000-0x00007FF6A5254000-memory.dmp

Filesize
3.3MB

Download
memory/5024-1570-0x00007FF739CB0000-0x00007FF73A004000-memory.dmp

Filesize
3.3MB

Download
memory/5024-150-0x00007FF739CB0000-0x00007FF73A004000-memory.dmp

Filesize
3.3MB

Download
memory/5024-75-0x00007FF739CB0000-0x00007FF73A004000-memory.dmp

Filesize
3.3MB

Download
memory/5068-180-0x00007FF7EAB30000-0x00007FF7EAE84000-memory.dmp

Filesize
3.3MB

Download
memory/5068-2356-0x00007FF7EAB30000-0x00007FF7EAE84000-memory.dmp

Filesize
3.3MB

Download
memory/5068-667-0x00007FF7EAB30000-0x00007FF7EAE84000-memory.dmp

Filesize
3.3MB

Download
memory/5096-105-0x00007FF664920000-0x00007FF664C74000-memory.dmp

Filesize
3.3MB

Download
memory/5096-28-0x00007FF664920000-0x00007FF664C74000-memory.dmp

Filesize
3.3MB

Download
memory/5096-1536-0x00007FF664920000-0x00007FF664C74000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads