cobaltstrike | 0d8f65f5ba478bf060bdc7eba877c9322af8101675787d2e6c2e00eb23a19753

Analysis

max time kernel
91s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
Size

6.0MB
MD5

85194a306081e3a05a5397da58023c60
SHA1

e5679b2e533e0956cb8813c438e41115ca7148f5
SHA256

0d8f65f5ba478bf060bdc7eba877c9322af8101675787d2e6c2e00eb23a19753
SHA512

93908d835c90575aeb83ed760678663a3055a900b314fbb107328a32c099c0d4bb90aa2012b01428d0da1a8188599f1aae5280e29611be69ec6dc5f4e7336cbe
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUA:T+q56utgpPF8u/7A

Score

10^/10

cobaltstrike xmrig 0 backdoor miner persistence trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 32 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b79-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-27.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-33.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b84-49.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b85-67.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b86-71.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-82.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-84.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-65.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b7a-54.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-48.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-30.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-22.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-91.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-99.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-104.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-112.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-118.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-157.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-170.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-167.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-176.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-187.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-203.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-201.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-199.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-197.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-149.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-147.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-144.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-139.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4296-0-0x00007FF7F79D0000-0x00007FF7F7D24000-memory.dmp	xmrig
behavioral2/files/0x000b000000023b79-4.dat	xmrig
behavioral2/memory/2308-8-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b7d-11.dat	xmrig
behavioral2/memory/1864-13-0x00007FF6C0400000-0x00007FF6C0754000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b7f-27.dat	xmrig
behavioral2/files/0x000a000000023b81-33.dat	xmrig
behavioral2/files/0x0031000000023b84-49.dat	xmrig
behavioral2/memory/3948-58-0x00007FF642E40000-0x00007FF643194000-memory.dmp	xmrig
behavioral2/memory/1924-64-0x00007FF6CF350000-0x00007FF6CF6A4000-memory.dmp	xmrig
behavioral2/files/0x0031000000023b85-67.dat	xmrig
behavioral2/files/0x0031000000023b86-71.dat	xmrig
behavioral2/files/0x000a000000023b87-82.dat	xmrig
behavioral2/memory/4296-87-0x00007FF7F79D0000-0x00007FF7F7D24000-memory.dmp	xmrig
behavioral2/memory/2352-86-0x00007FF7974E0000-0x00007FF797834000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b88-84.dat	xmrig
behavioral2/memory/1508-81-0x00007FF615090000-0x00007FF6153E4000-memory.dmp	xmrig
behavioral2/memory/4732-75-0x00007FF785360000-0x00007FF7856B4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b83-65.dat	xmrig
behavioral2/memory/1520-63-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp	xmrig
behavioral2/memory/3428-59-0x00007FF6042F0000-0x00007FF604644000-memory.dmp	xmrig
behavioral2/files/0x000b000000023b7a-54.dat	xmrig
behavioral2/memory/624-50-0x00007FF6056B0000-0x00007FF605A04000-memory.dmp	xmrig
behavioral2/memory/4588-44-0x00007FF7CBB40000-0x00007FF7CBE94000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b82-48.dat	xmrig
behavioral2/memory/4140-35-0x00007FF6E2880000-0x00007FF6E2BD4000-memory.dmp	xmrig
behavioral2/memory/5068-32-0x00007FF6EE6B0000-0x00007FF6EEA04000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b80-30.dat	xmrig
behavioral2/memory/2484-24-0x00007FF69DD80000-0x00007FF69E0D4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b7e-22.dat	xmrig
behavioral2/memory/2308-88-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp	xmrig
behavioral2/memory/2484-89-0x00007FF69DD80000-0x00007FF69E0D4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b89-91.dat	xmrig
behavioral2/memory/5012-96-0x00007FF6A7C20000-0x00007FF6A7F74000-memory.dmp	xmrig
behavioral2/memory/1864-95-0x00007FF6C0400000-0x00007FF6C0754000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b8d-99.dat	xmrig
behavioral2/files/0x000a000000023b8e-104.dat	xmrig
behavioral2/memory/4588-111-0x00007FF7CBB40000-0x00007FF7CBE94000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b8f-112.dat	xmrig
behavioral2/files/0x000a000000023b90-118.dat	xmrig
behavioral2/memory/3428-124-0x00007FF6042F0000-0x00007FF604644000-memory.dmp	xmrig
behavioral2/memory/1088-127-0x00007FF7E74A0000-0x00007FF7E77F4000-memory.dmp	xmrig
behavioral2/memory/3812-142-0x00007FF622D00000-0x00007FF623054000-memory.dmp	xmrig
behavioral2/memory/3328-146-0x00007FF67E890000-0x00007FF67EBE4000-memory.dmp	xmrig
behavioral2/memory/2352-152-0x00007FF7974E0000-0x00007FF797834000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b95-157.dat	xmrig
behavioral2/memory/4352-164-0x00007FF630E70000-0x00007FF6311C4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b97-170.dat	xmrig
behavioral2/memory/2368-169-0x00007FF64A680000-0x00007FF64A9D4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b96-167.dat	xmrig
behavioral2/files/0x000a000000023b98-176.dat	xmrig
behavioral2/files/0x000a000000023b9b-187.dat	xmrig
behavioral2/files/0x000a000000023b9a-203.dat	xmrig
behavioral2/files/0x000a000000023b9d-201.dat	xmrig
behavioral2/files/0x000a000000023b9c-199.dat	xmrig
behavioral2/files/0x000a000000023b99-197.dat	xmrig
behavioral2/memory/3988-196-0x00007FF70CB30000-0x00007FF70CE84000-memory.dmp	xmrig
behavioral2/memory/548-188-0x00007FF6E33B0000-0x00007FF6E3704000-memory.dmp	xmrig
behavioral2/memory/1436-182-0x00007FF640EE0000-0x00007FF641234000-memory.dmp	xmrig
behavioral2/memory/3756-163-0x00007FF7B8990000-0x00007FF7B8CE4000-memory.dmp	xmrig
behavioral2/memory/1508-161-0x00007FF615090000-0x00007FF6153E4000-memory.dmp	xmrig
behavioral2/memory/4732-151-0x00007FF785360000-0x00007FF7856B4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b94-149.dat	xmrig
behavioral2/files/0x000a000000023b93-147.dat	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
2308	dDyqSMl.exe
1864	dABCvQI.exe
2484	TBTkhGu.exe
5068	dBEdkyj.exe
4140	TsDeUeY.exe
4588	IVPMcgZ.exe
3948	MUazWbB.exe
624	qhRqbjM.exe
3428	XVEcXAI.exe
1520	mXDPLLQ.exe
1924	pLInjZq.exe
4732	urPTmbn.exe
1508	IYqqjez.exe
2352	lbxTaPR.exe
5012	rpOSsKO.exe
448	zIVfBuZ.exe
4492	dqOHHqf.exe
2252	wvfbXCS.exe
4224	nQUOJZB.exe
1088	PiqZVaX.exe
3812	HoDBiGe.exe
3328	ItjMHrF.exe
2980	wtswkeI.exe
3756	lpMSXFo.exe
4352	RmOFkCV.exe
2368	htFMIiu.exe
1436	njUABWS.exe
548	ACzXBRb.exe
3988	cHEpVss.exe
4176	NzXTavs.exe
4496	sSzqmLb.exe
1288	acpnUSX.exe
2084	RolJxHl.exe
3720	fyRHxPM.exe
1796	VKhqKOu.exe
3404	RKjFdls.exe
2028	rBWubmd.exe
4364	WSaPBBW.exe
2092	TxEkWYm.exe
4592	yRZnxxB.exe
2160	rizDgXQ.exe
1960	DTAvSpZ.exe
3656	iXABqZR.exe
2544	gLirSZT.exe
3520	dJifUru.exe
2640	nAVEcDV.exe
1856	QajZoSF.exe
1276	TVFyvOj.exe
1704	rnOJDvB.exe
4404	OvAcYtl.exe
1644	GEdsaDR.exe
2824	SoXNHEI.exe
1968	ydfppcd.exe
1676	XKXWMKF.exe
4844	QIIahrE.exe
4928	KkWagkR.exe
2972	SOCsYNt.exe
2772	VmVOVws.exe
1412	CONiCLX.exe
1036	dnhuctv.exe
4992	XDXmhsE.exe
1544	gnhrFkP.exe
4400	EgJJbKQ.exe
2044	IvYeDgb.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4296-0-0x00007FF7F79D0000-0x00007FF7F7D24000-memory.dmp	upx
behavioral2/files/0x000b000000023b79-4.dat	upx
behavioral2/memory/2308-8-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-11.dat	upx
behavioral2/memory/1864-13-0x00007FF6C0400000-0x00007FF6C0754000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-27.dat	upx
behavioral2/files/0x000a000000023b81-33.dat	upx
behavioral2/files/0x0031000000023b84-49.dat	upx
behavioral2/memory/3948-58-0x00007FF642E40000-0x00007FF643194000-memory.dmp	upx
behavioral2/memory/1924-64-0x00007FF6CF350000-0x00007FF6CF6A4000-memory.dmp	upx
behavioral2/files/0x0031000000023b85-67.dat	upx
behavioral2/files/0x0031000000023b86-71.dat	upx
behavioral2/files/0x000a000000023b87-82.dat	upx
behavioral2/memory/4296-87-0x00007FF7F79D0000-0x00007FF7F7D24000-memory.dmp	upx
behavioral2/memory/2352-86-0x00007FF7974E0000-0x00007FF797834000-memory.dmp	upx
behavioral2/files/0x000a000000023b88-84.dat	upx
behavioral2/memory/1508-81-0x00007FF615090000-0x00007FF6153E4000-memory.dmp	upx
behavioral2/memory/4732-75-0x00007FF785360000-0x00007FF7856B4000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-65.dat	upx
behavioral2/memory/1520-63-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp	upx
behavioral2/memory/3428-59-0x00007FF6042F0000-0x00007FF604644000-memory.dmp	upx
behavioral2/files/0x000b000000023b7a-54.dat	upx
behavioral2/memory/624-50-0x00007FF6056B0000-0x00007FF605A04000-memory.dmp	upx
behavioral2/memory/4588-44-0x00007FF7CBB40000-0x00007FF7CBE94000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-48.dat	upx
behavioral2/memory/4140-35-0x00007FF6E2880000-0x00007FF6E2BD4000-memory.dmp	upx
behavioral2/memory/5068-32-0x00007FF6EE6B0000-0x00007FF6EEA04000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-30.dat	upx
behavioral2/memory/2484-24-0x00007FF69DD80000-0x00007FF69E0D4000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-22.dat	upx
behavioral2/memory/2308-88-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp	upx
behavioral2/memory/2484-89-0x00007FF69DD80000-0x00007FF69E0D4000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-91.dat	upx
behavioral2/memory/5012-96-0x00007FF6A7C20000-0x00007FF6A7F74000-memory.dmp	upx
behavioral2/memory/1864-95-0x00007FF6C0400000-0x00007FF6C0754000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-99.dat	upx
behavioral2/files/0x000a000000023b8e-104.dat	upx
behavioral2/memory/4588-111-0x00007FF7CBB40000-0x00007FF7CBE94000-memory.dmp	upx
behavioral2/files/0x000a000000023b8f-112.dat	upx
behavioral2/files/0x000a000000023b90-118.dat	upx
behavioral2/memory/3428-124-0x00007FF6042F0000-0x00007FF604644000-memory.dmp	upx
behavioral2/memory/1088-127-0x00007FF7E74A0000-0x00007FF7E77F4000-memory.dmp	upx
behavioral2/memory/3812-142-0x00007FF622D00000-0x00007FF623054000-memory.dmp	upx
behavioral2/memory/3328-146-0x00007FF67E890000-0x00007FF67EBE4000-memory.dmp	upx
behavioral2/memory/2352-152-0x00007FF7974E0000-0x00007FF797834000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-157.dat	upx
behavioral2/memory/4352-164-0x00007FF630E70000-0x00007FF6311C4000-memory.dmp	upx
behavioral2/files/0x000a000000023b97-170.dat	upx
behavioral2/memory/2368-169-0x00007FF64A680000-0x00007FF64A9D4000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-167.dat	upx
behavioral2/files/0x000a000000023b98-176.dat	upx
behavioral2/files/0x000a000000023b9b-187.dat	upx
behavioral2/files/0x000a000000023b9a-203.dat	upx
behavioral2/files/0x000a000000023b9d-201.dat	upx
behavioral2/files/0x000a000000023b9c-199.dat	upx
behavioral2/files/0x000a000000023b99-197.dat	upx
behavioral2/memory/3988-196-0x00007FF70CB30000-0x00007FF70CE84000-memory.dmp	upx
behavioral2/memory/548-188-0x00007FF6E33B0000-0x00007FF6E3704000-memory.dmp	upx
behavioral2/memory/1436-182-0x00007FF640EE0000-0x00007FF641234000-memory.dmp	upx
behavioral2/memory/3756-163-0x00007FF7B8990000-0x00007FF7B8CE4000-memory.dmp	upx
behavioral2/memory/1508-161-0x00007FF615090000-0x00007FF6153E4000-memory.dmp	upx
behavioral2/memory/4732-151-0x00007FF785360000-0x00007FF7856B4000-memory.dmp	upx
behavioral2/files/0x000a000000023b94-149.dat	upx
behavioral2/files/0x000a000000023b93-147.dat	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\RolJxHl.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZtTFaKI.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LxAbIVd.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jTKMMeM.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uPpeOjC.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hgOtNWw.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lBsyBiK.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UGYvkCN.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZgACFkl.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qtyknnd.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RQgTPah.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bBDVAbf.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mhKlAvw.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nQUOJZB.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fuxvyOD.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JQikjiz.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GlmxTXY.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QFOArTR.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BwrCqEd.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oQmmnqR.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Fnnxmfy.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ruuwyqC.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aZebiYr.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mkvUanV.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eFPSgmL.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FtjfohG.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xqtZjhj.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GiYYTDB.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GyEWBTl.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UwfdKZH.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ncDfNCu.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CagEqSb.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LWGLybB.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mUhowiB.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LbNOUVx.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\shiyfpb.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\inuFagS.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pjrZZWc.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KzWwdOa.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oaSfGDB.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EplDCAL.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NBvVxHg.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mAetGjN.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lSXgfcP.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SVVsdYp.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ESPxNhO.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oehbVyb.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FXIBINQ.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UDUlgBN.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FVIocYl.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lLXrkFe.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XUgsNbT.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dABCvQI.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VmVOVws.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UCdTnDI.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XNIGiYG.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XTyuRuc.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bLWgvYg.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IouOZTh.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lDskZZY.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PvJLkbc.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RDAXOAl.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sqyKASn.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ppKrlIw.exe	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{15E16AEC-F2F0-4E52-B0DF-029D11E58E4B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Zira"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Pablo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Julie - French (France)"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Hedda - German (Germany)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR de-DE Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR ja-JP Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech SW Voice Activation - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "DebugPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033David"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{0CFAE939-931E-4305-8D05-8C76C254EB34}"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "French Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SW"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\c1033.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\AI041040"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\r1041sr.lxa"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SpeechUXPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "MS-1031-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Katja - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Pablo - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "410"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\L1041"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\lsr1031.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\M1040Cosimo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR ja-JP Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\AI041041"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\tn1041.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\VoiceActivation_HW_ja-JP.dat"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{2984A9DB-5689-43AD-877D-14999A15DD46}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\AI041031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\sidubm.table"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{5D99466B-1E23-4F3C-A7BD-1F8128108BB1}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech Recognition Engine - de-DE Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "11.0.2013.1022"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\AI041033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\c1041.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "404"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{179F3D56-1B0B-42B2-A962-59B7EF59FE1B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Julie"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{81218F10-A8AA-44C4-9436-33A42C3852E9}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR en-US Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; message=NativeSupported; computer=NativeSupported"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\MSTTSLocjaJP.dat"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Traditional Chinese Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Mark"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "5248260"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	14556	explorer.exe
Token: SeCreatePagefilePrivilege	14556	explorer.exe
Token: SeShutdownPrivilege	14556	explorer.exe
Token: SeCreatePagefilePrivilege	14556	explorer.exe
Token: SeShutdownPrivilege	14556	explorer.exe
Token: SeCreatePagefilePrivilege	14556	explorer.exe
Token: SeShutdownPrivilege	14556	explorer.exe
Token: SeCreatePagefilePrivilege	14556	explorer.exe
Token: SeShutdownPrivilege	14556	explorer.exe
Token: SeCreatePagefilePrivilege	14556	explorer.exe
Token: SeShutdownPrivilege	14556	explorer.exe
Token: SeCreatePagefilePrivilege	14556	explorer.exe
Token: SeShutdownPrivilege	14556	explorer.exe
Token: SeCreatePagefilePrivilege	14556	explorer.exe
Token: SeShutdownPrivilege	14556	explorer.exe
Token: SeCreatePagefilePrivilege	14556	explorer.exe
Token: SeShutdownPrivilege	14556	explorer.exe
Token: SeCreatePagefilePrivilege	14556	explorer.exe
Token: SeShutdownPrivilege	14556	explorer.exe
Token: SeCreatePagefilePrivilege	14556	explorer.exe
Token: SeShutdownPrivilege	14556	explorer.exe
Token: SeCreatePagefilePrivilege	14556	explorer.exe
Token: SeShutdownPrivilege	14556	explorer.exe
Token: SeCreatePagefilePrivilege	14556	explorer.exe
Token: SeShutdownPrivilege	6896	explorer.exe
Token: SeCreatePagefilePrivilege	6896	explorer.exe
Token: SeShutdownPrivilege	6896	explorer.exe
Token: SeCreatePagefilePrivilege	6896	explorer.exe
Token: SeShutdownPrivilege	6896	explorer.exe
Token: SeCreatePagefilePrivilege	6896	explorer.exe
Token: SeShutdownPrivilege	6896	explorer.exe
Token: SeCreatePagefilePrivilege	6896	explorer.exe
Token: SeShutdownPrivilege	6896	explorer.exe
Token: SeCreatePagefilePrivilege	6896	explorer.exe
Token: SeShutdownPrivilege	6896	explorer.exe
Token: SeCreatePagefilePrivilege	6896	explorer.exe
Token: SeShutdownPrivilege	6896	explorer.exe
Token: SeCreatePagefilePrivilege	6896	explorer.exe
Token: SeShutdownPrivilege	6896	explorer.exe
Token: SeCreatePagefilePrivilege	6896	explorer.exe
Token: SeShutdownPrivilege	6896	explorer.exe
Token: SeCreatePagefilePrivilege	6896	explorer.exe
Token: SeShutdownPrivilege	6896	explorer.exe
Token: SeCreatePagefilePrivilege	6896	explorer.exe
Token: SeShutdownPrivilege	6896	explorer.exe
Token: SeCreatePagefilePrivilege	6896	explorer.exe
Token: SeShutdownPrivilege	6896	explorer.exe
Token: SeCreatePagefilePrivilege	6896	explorer.exe
Token: SeShutdownPrivilege	6896	explorer.exe
Token: SeCreatePagefilePrivilege	6896	explorer.exe
Token: SeShutdownPrivilege	7684	explorer.exe
Token: SeCreatePagefilePrivilege	7684	explorer.exe
Token: SeShutdownPrivilege	7684	explorer.exe
Token: SeCreatePagefilePrivilege	7684	explorer.exe
Token: SeShutdownPrivilege	7684	explorer.exe
Token: SeCreatePagefilePrivilege	7684	explorer.exe
Token: SeShutdownPrivilege	7684	explorer.exe
Token: SeCreatePagefilePrivilege	7684	explorer.exe
Token: SeShutdownPrivilege	7684	explorer.exe
Token: SeCreatePagefilePrivilege	7684	explorer.exe
Token: SeShutdownPrivilege	7684	explorer.exe
Token: SeCreatePagefilePrivilege	7684	explorer.exe
Token: SeShutdownPrivilege	7684	explorer.exe
Token: SeCreatePagefilePrivilege	7684	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3220	sihost.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
14556	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
6896	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7684	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
7576	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5696	StartMenuExperienceHost.exe
7384	StartMenuExperienceHost.exe
8820	StartMenuExperienceHost.exe
9300	StartMenuExperienceHost.exe
9876	SearchApp.exe
6052	StartMenuExperienceHost.exe
5460	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 2308	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4296 wrote to memory of 2308	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4296 wrote to memory of 1864	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4296 wrote to memory of 1864	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4296 wrote to memory of 2484	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4296 wrote to memory of 2484	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4296 wrote to memory of 5068	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4296 wrote to memory of 5068	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4296 wrote to memory of 4140	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4296 wrote to memory of 4140	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4296 wrote to memory of 4588	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4296 wrote to memory of 4588	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4296 wrote to memory of 3948	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4296 wrote to memory of 3948	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4296 wrote to memory of 624	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4296 wrote to memory of 624	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4296 wrote to memory of 1520	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4296 wrote to memory of 1520	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4296 wrote to memory of 3428	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4296 wrote to memory of 3428	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4296 wrote to memory of 1924	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4296 wrote to memory of 1924	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4296 wrote to memory of 4732	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4296 wrote to memory of 4732	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4296 wrote to memory of 1508	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4296 wrote to memory of 1508	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4296 wrote to memory of 2352	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4296 wrote to memory of 2352	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4296 wrote to memory of 5012	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4296 wrote to memory of 5012	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4296 wrote to memory of 448	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4296 wrote to memory of 448	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4296 wrote to memory of 4492	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4296 wrote to memory of 4492	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4296 wrote to memory of 2252	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4296 wrote to memory of 2252	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4296 wrote to memory of 4224	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4296 wrote to memory of 4224	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4296 wrote to memory of 1088	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4296 wrote to memory of 1088	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4296 wrote to memory of 3812	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4296 wrote to memory of 3812	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4296 wrote to memory of 3328	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4296 wrote to memory of 3328	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4296 wrote to memory of 2980	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4296 wrote to memory of 2980	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4296 wrote to memory of 3756	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4296 wrote to memory of 3756	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4296 wrote to memory of 4352	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4296 wrote to memory of 4352	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4296 wrote to memory of 2368	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 4296 wrote to memory of 2368	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 4296 wrote to memory of 1436	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 4296 wrote to memory of 1436	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 4296 wrote to memory of 548	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 4296 wrote to memory of 548	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 4296 wrote to memory of 1288	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 4296 wrote to memory of 1288	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 4296 wrote to memory of 3988	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 4296 wrote to memory of 3988	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 4296 wrote to memory of 4176	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 4296 wrote to memory of 4176	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 4296 wrote to memory of 4496	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 4296 wrote to memory of 4496	4296	2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-27_85194a306081e3a05a5397da58023c60_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\System\dDyqSMl.exe
  C:\Windows\System\dDyqSMl.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\dABCvQI.exe
  C:\Windows\System\dABCvQI.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\TBTkhGu.exe
  C:\Windows\System\TBTkhGu.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\dBEdkyj.exe
  C:\Windows\System\dBEdkyj.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\TsDeUeY.exe
  C:\Windows\System\TsDeUeY.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System\IVPMcgZ.exe
  C:\Windows\System\IVPMcgZ.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System\MUazWbB.exe
  C:\Windows\System\MUazWbB.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\qhRqbjM.exe
  C:\Windows\System\qhRqbjM.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\mXDPLLQ.exe
  C:\Windows\System\mXDPLLQ.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\XVEcXAI.exe
  C:\Windows\System\XVEcXAI.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\pLInjZq.exe
  C:\Windows\System\pLInjZq.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\urPTmbn.exe
  C:\Windows\System\urPTmbn.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\IYqqjez.exe
  C:\Windows\System\IYqqjez.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\lbxTaPR.exe
  C:\Windows\System\lbxTaPR.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\rpOSsKO.exe
  C:\Windows\System\rpOSsKO.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\zIVfBuZ.exe
  C:\Windows\System\zIVfBuZ.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System\dqOHHqf.exe
  C:\Windows\System\dqOHHqf.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\wvfbXCS.exe
  C:\Windows\System\wvfbXCS.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\nQUOJZB.exe
  C:\Windows\System\nQUOJZB.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System\PiqZVaX.exe
  C:\Windows\System\PiqZVaX.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\HoDBiGe.exe
  C:\Windows\System\HoDBiGe.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System\ItjMHrF.exe
  C:\Windows\System\ItjMHrF.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System\wtswkeI.exe
  C:\Windows\System\wtswkeI.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\lpMSXFo.exe
  C:\Windows\System\lpMSXFo.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\System\RmOFkCV.exe
  C:\Windows\System\RmOFkCV.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\htFMIiu.exe
  C:\Windows\System\htFMIiu.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\njUABWS.exe
  C:\Windows\System\njUABWS.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\ACzXBRb.exe
  C:\Windows\System\ACzXBRb.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\acpnUSX.exe
  C:\Windows\System\acpnUSX.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System\cHEpVss.exe
  C:\Windows\System\cHEpVss.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\NzXTavs.exe
  C:\Windows\System\NzXTavs.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\sSzqmLb.exe
  C:\Windows\System\sSzqmLb.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\RolJxHl.exe
  C:\Windows\System\RolJxHl.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\fyRHxPM.exe
  C:\Windows\System\fyRHxPM.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System\VKhqKOu.exe
  C:\Windows\System\VKhqKOu.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\RKjFdls.exe
  C:\Windows\System\RKjFdls.exe
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Windows\System\rBWubmd.exe
  C:\Windows\System\rBWubmd.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\WSaPBBW.exe
  C:\Windows\System\WSaPBBW.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\TxEkWYm.exe
  C:\Windows\System\TxEkWYm.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\yRZnxxB.exe
  C:\Windows\System\yRZnxxB.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\rizDgXQ.exe
  C:\Windows\System\rizDgXQ.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\DTAvSpZ.exe
  C:\Windows\System\DTAvSpZ.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\iXABqZR.exe
  C:\Windows\System\iXABqZR.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System\gLirSZT.exe
  C:\Windows\System\gLirSZT.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\dJifUru.exe
  C:\Windows\System\dJifUru.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System\nAVEcDV.exe
  C:\Windows\System\nAVEcDV.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\QajZoSF.exe
  C:\Windows\System\QajZoSF.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System\TVFyvOj.exe
  C:\Windows\System\TVFyvOj.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System\rnOJDvB.exe
  C:\Windows\System\rnOJDvB.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\OvAcYtl.exe
  C:\Windows\System\OvAcYtl.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\GEdsaDR.exe
  C:\Windows\System\GEdsaDR.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\SoXNHEI.exe
  C:\Windows\System\SoXNHEI.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\ydfppcd.exe
  C:\Windows\System\ydfppcd.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\XKXWMKF.exe
  C:\Windows\System\XKXWMKF.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\QIIahrE.exe
  C:\Windows\System\QIIahrE.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\KkWagkR.exe
  C:\Windows\System\KkWagkR.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\SOCsYNt.exe
  C:\Windows\System\SOCsYNt.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\VmVOVws.exe
  C:\Windows\System\VmVOVws.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\CONiCLX.exe
  C:\Windows\System\CONiCLX.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\dnhuctv.exe
  C:\Windows\System\dnhuctv.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\XDXmhsE.exe
  C:\Windows\System\XDXmhsE.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\gnhrFkP.exe
  C:\Windows\System\gnhrFkP.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System\EgJJbKQ.exe
  C:\Windows\System\EgJJbKQ.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\IvYeDgb.exe
  C:\Windows\System\IvYeDgb.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\ipPmqgW.exe
  C:\Windows\System\ipPmqgW.exe
  2⤵
  PID:1852
- C:\Windows\System\TMlbznD.exe
  C:\Windows\System\TMlbznD.exe
  2⤵
  PID:2708
- C:\Windows\System\RwHeTkp.exe
  C:\Windows\System\RwHeTkp.exe
  2⤵
  PID:1104
- C:\Windows\System\RLRWode.exe
  C:\Windows\System\RLRWode.exe
  2⤵
  PID:1100
- C:\Windows\System\vXhQLng.exe
  C:\Windows\System\vXhQLng.exe
  2⤵
  PID:3628
- C:\Windows\System\EkLMYnU.exe
  C:\Windows\System\EkLMYnU.exe
  2⤵
  PID:2392
- C:\Windows\System\hZYBrmn.exe
  C:\Windows\System\hZYBrmn.exe
  2⤵
  PID:2380
- C:\Windows\System\qRgiOIk.exe
  C:\Windows\System\qRgiOIk.exe
  2⤵
  PID:3440
- C:\Windows\System\BjPugOB.exe
  C:\Windows\System\BjPugOB.exe
  2⤵
  PID:5112
- C:\Windows\System\SExIHtt.exe
  C:\Windows\System\SExIHtt.exe
  2⤵
  PID:2076
- C:\Windows\System\TrIhpmX.exe
  C:\Windows\System\TrIhpmX.exe
  2⤵
  PID:3116
- C:\Windows\System\wgjYDTa.exe
  C:\Windows\System\wgjYDTa.exe
  2⤵
  PID:3776
- C:\Windows\System\UHzWtOT.exe
  C:\Windows\System\UHzWtOT.exe
  2⤵
  PID:4348
- C:\Windows\System\VzwMSwn.exe
  C:\Windows\System\VzwMSwn.exe
  2⤵
  PID:5020
- C:\Windows\System\vOxptSL.exe
  C:\Windows\System\vOxptSL.exe
  2⤵
  PID:4372
- C:\Windows\System\GzyBWxR.exe
  C:\Windows\System\GzyBWxR.exe
  2⤵
  PID:2148
- C:\Windows\System\LayDOgd.exe
  C:\Windows\System\LayDOgd.exe
  2⤵
  PID:1068
- C:\Windows\System\FVIocYl.exe
  C:\Windows\System\FVIocYl.exe
  2⤵
  PID:3424
- C:\Windows\System\hDIWCwe.exe
  C:\Windows\System\hDIWCwe.exe
  2⤵
  PID:536
- C:\Windows\System\egUsyxm.exe
  C:\Windows\System\egUsyxm.exe
  2⤵
  PID:4144
- C:\Windows\System\lrBNCtw.exe
  C:\Windows\System\lrBNCtw.exe
  2⤵
  PID:388
- C:\Windows\System\sGjryEy.exe
  C:\Windows\System\sGjryEy.exe
  2⤵
  PID:5036
- C:\Windows\System\KIiWdHZ.exe
  C:\Windows\System\KIiWdHZ.exe
  2⤵
  PID:4580
- C:\Windows\System\lwRZjIt.exe
  C:\Windows\System\lwRZjIt.exe
  2⤵
  PID:2268
- C:\Windows\System\qVaspZV.exe
  C:\Windows\System\qVaspZV.exe
  2⤵
  PID:2964
- C:\Windows\System\JwIIPOE.exe
  C:\Windows\System\JwIIPOE.exe
  2⤵
  PID:1940
- C:\Windows\System\BzjraTs.exe
  C:\Windows\System\BzjraTs.exe
  2⤵
  PID:860
- C:\Windows\System\nKLrmgd.exe
  C:\Windows\System\nKLrmgd.exe
  2⤵
  PID:4308
- C:\Windows\System\FtjfohG.exe
  C:\Windows\System\FtjfohG.exe
  2⤵
  PID:2492
- C:\Windows\System\CyXudUt.exe
  C:\Windows\System\CyXudUt.exe
  2⤵
  PID:3180
- C:\Windows\System\LilMeBK.exe
  C:\Windows\System\LilMeBK.exe
  2⤵
  PID:3488
- C:\Windows\System\eHsLsHq.exe
  C:\Windows\System\eHsLsHq.exe
  2⤵
  PID:32
- C:\Windows\System\KAKhdqr.exe
  C:\Windows\System\KAKhdqr.exe
  2⤵
  PID:5148
- C:\Windows\System\FYOpqRh.exe
  C:\Windows\System\FYOpqRh.exe
  2⤵
  PID:5180
- C:\Windows\System\DXGRtDz.exe
  C:\Windows\System\DXGRtDz.exe
  2⤵
  PID:5240
- C:\Windows\System\ppBqFmo.exe
  C:\Windows\System\ppBqFmo.exe
  2⤵
  PID:5304
- C:\Windows\System\ZQbjmNs.exe
  C:\Windows\System\ZQbjmNs.exe
  2⤵
  PID:5336
- C:\Windows\System\VPnLNmO.exe
  C:\Windows\System\VPnLNmO.exe
  2⤵
  PID:5364
- C:\Windows\System\JFUsmPH.exe
  C:\Windows\System\JFUsmPH.exe
  2⤵
  PID:5396
- C:\Windows\System\nAyECiQ.exe
  C:\Windows\System\nAyECiQ.exe
  2⤵
  PID:5424
- C:\Windows\System\UCdTnDI.exe
  C:\Windows\System\UCdTnDI.exe
  2⤵
  PID:5452
- C:\Windows\System\Fnnxmfy.exe
  C:\Windows\System\Fnnxmfy.exe
  2⤵
  PID:5480
- C:\Windows\System\mvjqosy.exe
  C:\Windows\System\mvjqosy.exe
  2⤵
  PID:5508
- C:\Windows\System\ncMORtl.exe
  C:\Windows\System\ncMORtl.exe
  2⤵
  PID:5536
- C:\Windows\System\RaAIwDM.exe
  C:\Windows\System\RaAIwDM.exe
  2⤵
  PID:5564
- C:\Windows\System\hIOnGUH.exe
  C:\Windows\System\hIOnGUH.exe
  2⤵
  PID:5588
- C:\Windows\System\skaIWcD.exe
  C:\Windows\System\skaIWcD.exe
  2⤵
  PID:5616
- C:\Windows\System\NwpPXmv.exe
  C:\Windows\System\NwpPXmv.exe
  2⤵
  PID:5644
- C:\Windows\System\YIxcewU.exe
  C:\Windows\System\YIxcewU.exe
  2⤵
  PID:5680
- C:\Windows\System\czvpzae.exe
  C:\Windows\System\czvpzae.exe
  2⤵
  PID:5712
- C:\Windows\System\JlNcBpI.exe
  C:\Windows\System\JlNcBpI.exe
  2⤵
  PID:5740
- C:\Windows\System\kTuTglX.exe
  C:\Windows\System\kTuTglX.exe
  2⤵
  PID:5768
- C:\Windows\System\fcQERAL.exe
  C:\Windows\System\fcQERAL.exe
  2⤵
  PID:5796
- C:\Windows\System\SlKUwhi.exe
  C:\Windows\System\SlKUwhi.exe
  2⤵
  PID:5824
- C:\Windows\System\sXjWldz.exe
  C:\Windows\System\sXjWldz.exe
  2⤵
  PID:5852
- C:\Windows\System\iIEfLXv.exe
  C:\Windows\System\iIEfLXv.exe
  2⤵
  PID:5880
- C:\Windows\System\NUAoQgA.exe
  C:\Windows\System\NUAoQgA.exe
  2⤵
  PID:5908
- C:\Windows\System\zJTdoSy.exe
  C:\Windows\System\zJTdoSy.exe
  2⤵
  PID:5936
- C:\Windows\System\vOqPSiM.exe
  C:\Windows\System\vOqPSiM.exe
  2⤵
  PID:5964
- C:\Windows\System\OjjIvNo.exe
  C:\Windows\System\OjjIvNo.exe
  2⤵
  PID:5992
- C:\Windows\System\ruuwyqC.exe
  C:\Windows\System\ruuwyqC.exe
  2⤵
  PID:6020
- C:\Windows\System\shiyfpb.exe
  C:\Windows\System\shiyfpb.exe
  2⤵
  PID:6048
- C:\Windows\System\xgjKIir.exe
  C:\Windows\System\xgjKIir.exe
  2⤵
  PID:6076
- C:\Windows\System\NrIJZaa.exe
  C:\Windows\System\NrIJZaa.exe
  2⤵
  PID:6104
- C:\Windows\System\yfUmCQJ.exe
  C:\Windows\System\yfUmCQJ.exe
  2⤵
  PID:6132
- C:\Windows\System\yhzGCha.exe
  C:\Windows\System\yhzGCha.exe
  2⤵
  PID:5140
- C:\Windows\System\Xzxusxs.exe
  C:\Windows\System\Xzxusxs.exe
  2⤵
  PID:5128
- C:\Windows\System\UwHfQET.exe
  C:\Windows\System\UwHfQET.exe
  2⤵
  PID:5232
- C:\Windows\System\JJQrxUz.exe
  C:\Windows\System\JJQrxUz.exe
  2⤵
  PID:5328
- C:\Windows\System\KfsskuV.exe
  C:\Windows\System\KfsskuV.exe
  2⤵
  PID:5260
- C:\Windows\System\ApFDuAT.exe
  C:\Windows\System\ApFDuAT.exe
  2⤵
  PID:5404
- C:\Windows\System\AeCMIfx.exe
  C:\Windows\System\AeCMIfx.exe
  2⤵
  PID:5472
- C:\Windows\System\geLAKCZ.exe
  C:\Windows\System\geLAKCZ.exe
  2⤵
  PID:5524
- C:\Windows\System\XNIGiYG.exe
  C:\Windows\System\XNIGiYG.exe
  2⤵
  PID:5608
- C:\Windows\System\jsypOuX.exe
  C:\Windows\System\jsypOuX.exe
  2⤵
  PID:5668
- C:\Windows\System\EsnVQUU.exe
  C:\Windows\System\EsnVQUU.exe
  2⤵
  PID:5728
- C:\Windows\System\xqtZjhj.exe
  C:\Windows\System\xqtZjhj.exe
  2⤵
  PID:5804
- C:\Windows\System\FKDxbro.exe
  C:\Windows\System\FKDxbro.exe
  2⤵
  PID:5876
- C:\Windows\System\DpgDPCF.exe
  C:\Windows\System\DpgDPCF.exe
  2⤵
  PID:5924
- C:\Windows\System\LgxpqCB.exe
  C:\Windows\System\LgxpqCB.exe
  2⤵
  PID:6000
- C:\Windows\System\AdBdiWy.exe
  C:\Windows\System\AdBdiWy.exe
  2⤵
  PID:6072
- C:\Windows\System\jgsShsJ.exe
  C:\Windows\System\jgsShsJ.exe
  2⤵
  PID:6128
- C:\Windows\System\FztbHBn.exe
  C:\Windows\System\FztbHBn.exe
  2⤵
  PID:5164
- C:\Windows\System\EUDJsdD.exe
  C:\Windows\System\EUDJsdD.exe
  2⤵
  PID:5124
- C:\Windows\System\FMhbdfz.exe
  C:\Windows\System\FMhbdfz.exe
  2⤵
  PID:5432
- C:\Windows\System\nmymCWd.exe
  C:\Windows\System\nmymCWd.exe
  2⤵
  PID:5580
- C:\Windows\System\jHbEENL.exe
  C:\Windows\System\jHbEENL.exe
  2⤵
  PID:5692
- C:\Windows\System\eXwHjrF.exe
  C:\Windows\System\eXwHjrF.exe
  2⤵
  PID:5812
- C:\Windows\System\yrSCTkf.exe
  C:\Windows\System\yrSCTkf.exe
  2⤵
  PID:5960
- C:\Windows\System\uvhulZD.exe
  C:\Windows\System\uvhulZD.exe
  2⤵
  PID:5272
- C:\Windows\System\AHvvxrZ.exe
  C:\Windows\System\AHvvxrZ.exe
  2⤵
  PID:5496
- C:\Windows\System\JhzYAMc.exe
  C:\Windows\System\JhzYAMc.exe
  2⤵
  PID:5888
- C:\Windows\System\iCctzHK.exe
  C:\Windows\System\iCctzHK.exe
  2⤵
  PID:5412
- C:\Windows\System\gzufXCB.exe
  C:\Windows\System\gzufXCB.exe
  2⤵
  PID:6120
- C:\Windows\System\DrbOckG.exe
  C:\Windows\System\DrbOckG.exe
  2⤵
  PID:6168
- C:\Windows\System\JoMdlGY.exe
  C:\Windows\System\JoMdlGY.exe
  2⤵
  PID:6248
- C:\Windows\System\iqbNiET.exe
  C:\Windows\System\iqbNiET.exe
  2⤵
  PID:6320
- C:\Windows\System\xrhFuCq.exe
  C:\Windows\System\xrhFuCq.exe
  2⤵
  PID:6360
- C:\Windows\System\qtFybbA.exe
  C:\Windows\System\qtFybbA.exe
  2⤵
  PID:6388
- C:\Windows\System\nfmbmcy.exe
  C:\Windows\System\nfmbmcy.exe
  2⤵
  PID:6456
- C:\Windows\System\tTiNfjQ.exe
  C:\Windows\System\tTiNfjQ.exe
  2⤵
  PID:6496
- C:\Windows\System\vLXGiQZ.exe
  C:\Windows\System\vLXGiQZ.exe
  2⤵
  PID:6532
- C:\Windows\System\qIbgfaa.exe
  C:\Windows\System\qIbgfaa.exe
  2⤵
  PID:6556
- C:\Windows\System\hvcThNS.exe
  C:\Windows\System\hvcThNS.exe
  2⤵
  PID:6588
- C:\Windows\System\sgvvQET.exe
  C:\Windows\System\sgvvQET.exe
  2⤵
  PID:6616
- C:\Windows\System\kEhFdov.exe
  C:\Windows\System\kEhFdov.exe
  2⤵
  PID:6636
- C:\Windows\System\MUVNQBG.exe
  C:\Windows\System\MUVNQBG.exe
  2⤵
  PID:6672
- C:\Windows\System\ZjXoVvV.exe
  C:\Windows\System\ZjXoVvV.exe
  2⤵
  PID:6692
- C:\Windows\System\jbDcGZi.exe
  C:\Windows\System\jbDcGZi.exe
  2⤵
  PID:6724
- C:\Windows\System\GKDBGrr.exe
  C:\Windows\System\GKDBGrr.exe
  2⤵
  PID:6756
- C:\Windows\System\EQFKMjC.exe
  C:\Windows\System\EQFKMjC.exe
  2⤵
  PID:6792
- C:\Windows\System\wxTSTBn.exe
  C:\Windows\System\wxTSTBn.exe
  2⤵
  PID:6820
- C:\Windows\System\dUJzngW.exe
  C:\Windows\System\dUJzngW.exe
  2⤵
  PID:6848
- C:\Windows\System\vYIodFk.exe
  C:\Windows\System\vYIodFk.exe
  2⤵
  PID:6876
- C:\Windows\System\JPUSjln.exe
  C:\Windows\System\JPUSjln.exe
  2⤵
  PID:6904
- C:\Windows\System\ppkgrrN.exe
  C:\Windows\System\ppkgrrN.exe
  2⤵
  PID:6932
- C:\Windows\System\RVktjsi.exe
  C:\Windows\System\RVktjsi.exe
  2⤵
  PID:6960
- C:\Windows\System\hauDEBC.exe
  C:\Windows\System\hauDEBC.exe
  2⤵
  PID:6988
- C:\Windows\System\TQjdzPJ.exe
  C:\Windows\System\TQjdzPJ.exe
  2⤵
  PID:7016
- C:\Windows\System\ISEVYYO.exe
  C:\Windows\System\ISEVYYO.exe
  2⤵
  PID:7048
- C:\Windows\System\HNKMBwG.exe
  C:\Windows\System\HNKMBwG.exe
  2⤵
  PID:7076
- C:\Windows\System\SpzVOKF.exe
  C:\Windows\System\SpzVOKF.exe
  2⤵
  PID:7100
- C:\Windows\System\VuSnyva.exe
  C:\Windows\System\VuSnyva.exe
  2⤵
  PID:7132
- C:\Windows\System\GAerQJf.exe
  C:\Windows\System\GAerQJf.exe
  2⤵
  PID:7160
- C:\Windows\System\gCICDzg.exe
  C:\Windows\System\gCICDzg.exe
  2⤵
  PID:6244
- C:\Windows\System\iOfFTXu.exe
  C:\Windows\System\iOfFTXu.exe
  2⤵
  PID:6384
- C:\Windows\System\BuQnKLl.exe
  C:\Windows\System\BuQnKLl.exe
  2⤵
  PID:6476
- C:\Windows\System\SFbeNyp.exe
  C:\Windows\System\SFbeNyp.exe
  2⤵
  PID:6440
- C:\Windows\System\SmpFEJa.exe
  C:\Windows\System\SmpFEJa.exe
  2⤵
  PID:6568
- C:\Windows\System\KqYLbtu.exe
  C:\Windows\System\KqYLbtu.exe
  2⤵
  PID:6680
- C:\Windows\System\uXyYLQM.exe
  C:\Windows\System\uXyYLQM.exe
  2⤵
  PID:6740
- C:\Windows\System\eLMYCQG.exe
  C:\Windows\System\eLMYCQG.exe
  2⤵
  PID:6800
- C:\Windows\System\HtGQqWr.exe
  C:\Windows\System\HtGQqWr.exe
  2⤵
  PID:6864
- C:\Windows\System\AwtPCiB.exe
  C:\Windows\System\AwtPCiB.exe
  2⤵
  PID:7004
- C:\Windows\System\rPXFtAF.exe
  C:\Windows\System\rPXFtAF.exe
  2⤵
  PID:7112
- C:\Windows\System\PntfpOh.exe
  C:\Windows\System\PntfpOh.exe
  2⤵
  PID:6272
- C:\Windows\System\irnKlLD.exe
  C:\Windows\System\irnKlLD.exe
  2⤵
  PID:3648
- C:\Windows\System\EZEBlyA.exe
  C:\Windows\System\EZEBlyA.exe
  2⤵
  PID:4444
- C:\Windows\System\fNzqqpP.exe
  C:\Windows\System\fNzqqpP.exe
  2⤵
  PID:6632
- C:\Windows\System\YefNDJb.exe
  C:\Windows\System\YefNDJb.exe
  2⤵
  PID:6780
- C:\Windows\System\HamFfCX.exe
  C:\Windows\System\HamFfCX.exe
  2⤵
  PID:7036
- C:\Windows\System\gHqVlBH.exe
  C:\Windows\System\gHqVlBH.exe
  2⤵
  PID:4152
- C:\Windows\System\inuFagS.exe
  C:\Windows\System\inuFagS.exe
  2⤵
  PID:6152
- C:\Windows\System\scamBWd.exe
  C:\Windows\System\scamBWd.exe
  2⤵
  PID:6428
- C:\Windows\System\ILpInSZ.exe
  C:\Windows\System\ILpInSZ.exe
  2⤵
  PID:6484
- C:\Windows\System\XTyuRuc.exe
  C:\Windows\System\XTyuRuc.exe
  2⤵
  PID:6892
- C:\Windows\System\NXRWTdM.exe
  C:\Windows\System\NXRWTdM.exe
  2⤵
  PID:2628
- C:\Windows\System\JDWjzFu.exe
  C:\Windows\System\JDWjzFu.exe
  2⤵
  PID:6716
- C:\Windows\System\NYszjnS.exe
  C:\Windows\System\NYszjnS.exe
  2⤵
  PID:6928
- C:\Windows\System\ZUCcTkS.exe
  C:\Windows\System\ZUCcTkS.exe
  2⤵
  PID:3380
- C:\Windows\System\onBmswM.exe
  C:\Windows\System\onBmswM.exe
  2⤵
  PID:7192
- C:\Windows\System\ImNNawq.exe
  C:\Windows\System\ImNNawq.exe
  2⤵
  PID:7224
- C:\Windows\System\eHfnvco.exe
  C:\Windows\System\eHfnvco.exe
  2⤵
  PID:7248
- C:\Windows\System\rDpWKPN.exe
  C:\Windows\System\rDpWKPN.exe
  2⤵
  PID:7276
- C:\Windows\System\BTadIJP.exe
  C:\Windows\System\BTadIJP.exe
  2⤵
  PID:7312
- C:\Windows\System\zeTQjxa.exe
  C:\Windows\System\zeTQjxa.exe
  2⤵
  PID:7340
- C:\Windows\System\LASwZTy.exe
  C:\Windows\System\LASwZTy.exe
  2⤵
  PID:7372
- C:\Windows\System\kENjdcG.exe
  C:\Windows\System\kENjdcG.exe
  2⤵
  PID:7400
- C:\Windows\System\rOMWqgA.exe
  C:\Windows\System\rOMWqgA.exe
  2⤵
  PID:7428
- C:\Windows\System\VeyNNzf.exe
  C:\Windows\System\VeyNNzf.exe
  2⤵
  PID:7456
- C:\Windows\System\RHAUoYG.exe
  C:\Windows\System\RHAUoYG.exe
  2⤵
  PID:7480
- C:\Windows\System\BibSZFU.exe
  C:\Windows\System\BibSZFU.exe
  2⤵
  PID:7512
- C:\Windows\System\erDIcKC.exe
  C:\Windows\System\erDIcKC.exe
  2⤵
  PID:7536
- C:\Windows\System\lwwDsSn.exe
  C:\Windows\System\lwwDsSn.exe
  2⤵
  PID:7564
- C:\Windows\System\mniFgzM.exe
  C:\Windows\System\mniFgzM.exe
  2⤵
  PID:7588
- C:\Windows\System\wdohtuB.exe
  C:\Windows\System\wdohtuB.exe
  2⤵
  PID:7616
- C:\Windows\System\DaLvtmj.exe
  C:\Windows\System\DaLvtmj.exe
  2⤵
  PID:7644
- C:\Windows\System\UGYvkCN.exe
  C:\Windows\System\UGYvkCN.exe
  2⤵
  PID:7676
- C:\Windows\System\EFKLqNQ.exe
  C:\Windows\System\EFKLqNQ.exe
  2⤵
  PID:7700
- C:\Windows\System\wJxPffc.exe
  C:\Windows\System\wJxPffc.exe
  2⤵
  PID:7728
- C:\Windows\System\PigFLtf.exe
  C:\Windows\System\PigFLtf.exe
  2⤵
  PID:7756
- C:\Windows\System\mBVaKcM.exe
  C:\Windows\System\mBVaKcM.exe
  2⤵
  PID:7784
- C:\Windows\System\GGtoAOs.exe
  C:\Windows\System\GGtoAOs.exe
  2⤵
  PID:7820
- C:\Windows\System\qbEoPud.exe
  C:\Windows\System\qbEoPud.exe
  2⤵
  PID:7840
- C:\Windows\System\eUMLYPY.exe
  C:\Windows\System\eUMLYPY.exe
  2⤵
  PID:7860
- C:\Windows\System\YOzquuH.exe
  C:\Windows\System\YOzquuH.exe
  2⤵
  PID:7884
- C:\Windows\System\xfmtkiu.exe
  C:\Windows\System\xfmtkiu.exe
  2⤵
  PID:7924
- C:\Windows\System\vZDRTnN.exe
  C:\Windows\System\vZDRTnN.exe
  2⤵
  PID:7952
- C:\Windows\System\KaBKUcD.exe
  C:\Windows\System\KaBKUcD.exe
  2⤵
  PID:8000
- C:\Windows\System\OpjWzKF.exe
  C:\Windows\System\OpjWzKF.exe
  2⤵
  PID:8040
- C:\Windows\System\oWxHACN.exe
  C:\Windows\System\oWxHACN.exe
  2⤵
  PID:8076
- C:\Windows\System\HmetmCE.exe
  C:\Windows\System\HmetmCE.exe
  2⤵
  PID:8104
- C:\Windows\System\NgCtNaN.exe
  C:\Windows\System\NgCtNaN.exe
  2⤵
  PID:8136
- C:\Windows\System\CYmZUpd.exe
  C:\Windows\System\CYmZUpd.exe
  2⤵
  PID:8168
- C:\Windows\System\gYwzPEd.exe
  C:\Windows\System\gYwzPEd.exe
  2⤵
  PID:8188
- C:\Windows\System\OlmnGhz.exe
  C:\Windows\System\OlmnGhz.exe
  2⤵
  PID:7204
- C:\Windows\System\EvInEmj.exe
  C:\Windows\System\EvInEmj.exe
  2⤵
  PID:7256
- C:\Windows\System\RZwlpSb.exe
  C:\Windows\System\RZwlpSb.exe
  2⤵
  PID:4568
- C:\Windows\System\yyXOiTq.exe
  C:\Windows\System\yyXOiTq.exe
  2⤵
  PID:4688
- C:\Windows\System\ARIvAdG.exe
  C:\Windows\System\ARIvAdG.exe
  2⤵
  PID:7320
- C:\Windows\System\EryXlpI.exe
  C:\Windows\System\EryXlpI.exe
  2⤵
  PID:7368
- C:\Windows\System\kfoldNU.exe
  C:\Windows\System\kfoldNU.exe
  2⤵
  PID:7436
- C:\Windows\System\odOJfre.exe
  C:\Windows\System\odOJfre.exe
  2⤵
  PID:7492
- C:\Windows\System\HvqxILd.exe
  C:\Windows\System\HvqxILd.exe
  2⤵
  PID:836
- C:\Windows\System\LcoPOVL.exe
  C:\Windows\System\LcoPOVL.exe
  2⤵
  PID:7584
- C:\Windows\System\PZawhhI.exe
  C:\Windows\System\PZawhhI.exe
  2⤵
  PID:7664
- C:\Windows\System\aZebiYr.exe
  C:\Windows\System\aZebiYr.exe
  2⤵
  PID:7724
- C:\Windows\System\UvKiNfe.exe
  C:\Windows\System\UvKiNfe.exe
  2⤵
  PID:7796
- C:\Windows\System\RosiCgl.exe
  C:\Windows\System\RosiCgl.exe
  2⤵
  PID:7816
- C:\Windows\System\TJOQBCu.exe
  C:\Windows\System\TJOQBCu.exe
  2⤵
  PID:7936
- C:\Windows\System\roPbypX.exe
  C:\Windows\System\roPbypX.exe
  2⤵
  PID:8036
- C:\Windows\System\TnrVyrl.exe
  C:\Windows\System\TnrVyrl.exe
  2⤵
  PID:6828
- C:\Windows\System\IPVVNGw.exe
  C:\Windows\System\IPVVNGw.exe
  2⤵
  PID:8100
- C:\Windows\System\rLMlHzk.exe
  C:\Windows\System\rLMlHzk.exe
  2⤵
  PID:8176
- C:\Windows\System\fuxvyOD.exe
  C:\Windows\System\fuxvyOD.exe
  2⤵
  PID:3052
- C:\Windows\System\VgBVwdk.exe
  C:\Windows\System\VgBVwdk.exe
  2⤵
  PID:7296
- C:\Windows\System\AHZqCOd.exe
  C:\Windows\System\AHZqCOd.exe
  2⤵
  PID:7520
- C:\Windows\System\DWaVEkp.exe
  C:\Windows\System\DWaVEkp.exe
  2⤵
  PID:7548
- C:\Windows\System\IziitFm.exe
  C:\Windows\System\IziitFm.exe
  2⤵
  PID:7636
- C:\Windows\System\bLWgvYg.exe
  C:\Windows\System\bLWgvYg.exe
  2⤵
  PID:7720
- C:\Windows\System\jQvXRji.exe
  C:\Windows\System\jQvXRji.exe
  2⤵
  PID:8012
- C:\Windows\System\dJsAfSP.exe
  C:\Windows\System\dJsAfSP.exe
  2⤵
  PID:8144
- C:\Windows\System\HSQgoDY.exe
  C:\Windows\System\HSQgoDY.exe
  2⤵
  PID:7268
- C:\Windows\System\XKmmlbR.exe
  C:\Windows\System\XKmmlbR.exe
  2⤵
  PID:7608
- C:\Windows\System\HPnDpLL.exe
  C:\Windows\System\HPnDpLL.exe
  2⤵
  PID:7964
- C:\Windows\System\jCUiEnj.exe
  C:\Windows\System\jCUiEnj.exe
  2⤵
  PID:6332
- C:\Windows\System\wFTZQBm.exe
  C:\Windows\System\wFTZQBm.exe
  2⤵
  PID:8096
- C:\Windows\System\aAGXvUv.exe
  C:\Windows\System\aAGXvUv.exe
  2⤵
  PID:7544
- C:\Windows\System\fUzJWSs.exe
  C:\Windows\System\fUzJWSs.exe
  2⤵
  PID:8224
- C:\Windows\System\MRsEXyu.exe
  C:\Windows\System\MRsEXyu.exe
  2⤵
  PID:8248
- C:\Windows\System\GXeZCiO.exe
  C:\Windows\System\GXeZCiO.exe
  2⤵
  PID:8276
- C:\Windows\System\UGYDxmy.exe
  C:\Windows\System\UGYDxmy.exe
  2⤵
  PID:8300
- C:\Windows\System\SIKTpww.exe
  C:\Windows\System\SIKTpww.exe
  2⤵
  PID:8340
- C:\Windows\System\iFeaArG.exe
  C:\Windows\System\iFeaArG.exe
  2⤵
  PID:8364
- C:\Windows\System\HrlbwcC.exe
  C:\Windows\System\HrlbwcC.exe
  2⤵
  PID:8396
- C:\Windows\System\DqOdcjq.exe
  C:\Windows\System\DqOdcjq.exe
  2⤵
  PID:8424
- C:\Windows\System\jWmElfv.exe
  C:\Windows\System\jWmElfv.exe
  2⤵
  PID:8444
- C:\Windows\System\NLCPIdp.exe
  C:\Windows\System\NLCPIdp.exe
  2⤵
  PID:8472
- C:\Windows\System\wMNGYOM.exe
  C:\Windows\System\wMNGYOM.exe
  2⤵
  PID:8504
- C:\Windows\System\QmVQwVI.exe
  C:\Windows\System\QmVQwVI.exe
  2⤵
  PID:8532
- C:\Windows\System\yWbSUSn.exe
  C:\Windows\System\yWbSUSn.exe
  2⤵
  PID:8560
- C:\Windows\System\pjrZZWc.exe
  C:\Windows\System\pjrZZWc.exe
  2⤵
  PID:8588
- C:\Windows\System\uoYuFbv.exe
  C:\Windows\System\uoYuFbv.exe
  2⤵
  PID:8624
- C:\Windows\System\lLXrkFe.exe
  C:\Windows\System\lLXrkFe.exe
  2⤵
  PID:8644
- C:\Windows\System\vIyjiwf.exe
  C:\Windows\System\vIyjiwf.exe
  2⤵
  PID:8672
- C:\Windows\System\WFkYRrk.exe
  C:\Windows\System\WFkYRrk.exe
  2⤵
  PID:8700
- C:\Windows\System\iYlDRFK.exe
  C:\Windows\System\iYlDRFK.exe
  2⤵
  PID:8728
- C:\Windows\System\JOVRtKN.exe
  C:\Windows\System\JOVRtKN.exe
  2⤵
  PID:8756
- C:\Windows\System\YJjJEHQ.exe
  C:\Windows\System\YJjJEHQ.exe
  2⤵
  PID:8784
- C:\Windows\System\JQikjiz.exe
  C:\Windows\System\JQikjiz.exe
  2⤵
  PID:8812
- C:\Windows\System\YlOrnUE.exe
  C:\Windows\System\YlOrnUE.exe
  2⤵
  PID:8840
- C:\Windows\System\IXATTEP.exe
  C:\Windows\System\IXATTEP.exe
  2⤵
  PID:8880
- C:\Windows\System\FdMERaC.exe
  C:\Windows\System\FdMERaC.exe
  2⤵
  PID:8896
- C:\Windows\System\NAyuHtv.exe
  C:\Windows\System\NAyuHtv.exe
  2⤵
  PID:8924
- C:\Windows\System\ZAZbFGc.exe
  C:\Windows\System\ZAZbFGc.exe
  2⤵
  PID:8952
- C:\Windows\System\IouOZTh.exe
  C:\Windows\System\IouOZTh.exe
  2⤵
  PID:8980
- C:\Windows\System\KzWwdOa.exe
  C:\Windows\System\KzWwdOa.exe
  2⤵
  PID:9008
- C:\Windows\System\yGuKwvI.exe
  C:\Windows\System\yGuKwvI.exe
  2⤵
  PID:9036
- C:\Windows\System\AiXTyJb.exe
  C:\Windows\System\AiXTyJb.exe
  2⤵
  PID:9064
- C:\Windows\System\oaSfGDB.exe
  C:\Windows\System\oaSfGDB.exe
  2⤵
  PID:9092
- C:\Windows\System\ZgACFkl.exe
  C:\Windows\System\ZgACFkl.exe
  2⤵
  PID:9128
- C:\Windows\System\PMXmsMj.exe
  C:\Windows\System\PMXmsMj.exe
  2⤵
  PID:9148
- C:\Windows\System\lDskZZY.exe
  C:\Windows\System\lDskZZY.exe
  2⤵
  PID:9176
- C:\Windows\System\GrGgDoZ.exe
  C:\Windows\System\GrGgDoZ.exe
  2⤵
  PID:9204
- C:\Windows\System\bulQNvp.exe
  C:\Windows\System\bulQNvp.exe
  2⤵
  PID:8232
- C:\Windows\System\QafNfPz.exe
  C:\Windows\System\QafNfPz.exe
  2⤵
  PID:7880
- C:\Windows\System\yqTXXZn.exe
  C:\Windows\System\yqTXXZn.exe
  2⤵
  PID:8352
- C:\Windows\System\myXNsZV.exe
  C:\Windows\System\myXNsZV.exe
  2⤵
  PID:8408
- C:\Windows\System\hBRgwee.exe
  C:\Windows\System\hBRgwee.exe
  2⤵
  PID:8468
- C:\Windows\System\vVUIZuD.exe
  C:\Windows\System\vVUIZuD.exe
  2⤵
  PID:8552
- C:\Windows\System\XWcLuUD.exe
  C:\Windows\System\XWcLuUD.exe
  2⤵
  PID:8612
- C:\Windows\System\oNHsNAK.exe
  C:\Windows\System\oNHsNAK.exe
  2⤵
  PID:8668
- C:\Windows\System\uDWPYlw.exe
  C:\Windows\System\uDWPYlw.exe
  2⤵
  PID:8740
- C:\Windows\System\zIeDYWL.exe
  C:\Windows\System\zIeDYWL.exe
  2⤵
  PID:8804
- C:\Windows\System\GiYYTDB.exe
  C:\Windows\System\GiYYTDB.exe
  2⤵
  PID:8876
- C:\Windows\System\vxUnnmO.exe
  C:\Windows\System\vxUnnmO.exe
  2⤵
  PID:8936
- C:\Windows\System\vaGmLWt.exe
  C:\Windows\System\vaGmLWt.exe
  2⤵
  PID:9000
- C:\Windows\System\pPdYMuE.exe
  C:\Windows\System\pPdYMuE.exe
  2⤵
  PID:9060
- C:\Windows\System\zEOiBxE.exe
  C:\Windows\System\zEOiBxE.exe
  2⤵
  PID:9136
- C:\Windows\System\OGoNhBY.exe
  C:\Windows\System\OGoNhBY.exe
  2⤵
  PID:9188
- C:\Windows\System\FCZbvAm.exe
  C:\Windows\System\FCZbvAm.exe
  2⤵
  PID:8268
- C:\Windows\System\PMEOhud.exe
  C:\Windows\System\PMEOhud.exe
  2⤵
  PID:1420
- C:\Windows\System\utugJeV.exe
  C:\Windows\System\utugJeV.exe
  2⤵
  PID:8580
- C:\Windows\System\RrQjpMX.exe
  C:\Windows\System\RrQjpMX.exe
  2⤵
  PID:8720
- C:\Windows\System\OpzFvAv.exe
  C:\Windows\System\OpzFvAv.exe
  2⤵
  PID:8860
- C:\Windows\System\glrNgjW.exe
  C:\Windows\System\glrNgjW.exe
  2⤵
  PID:9028
- C:\Windows\System\uIrCAAT.exe
  C:\Windows\System\uIrCAAT.exe
  2⤵
  PID:9168
- C:\Windows\System\zhWfdWv.exe
  C:\Windows\System\zhWfdWv.exe
  2⤵
  PID:8404
- C:\Windows\System\idBgXbo.exe
  C:\Windows\System\idBgXbo.exe
  2⤵
  PID:8780
- C:\Windows\System\zTVwRhU.exe
  C:\Windows\System\zTVwRhU.exe
  2⤵
  PID:9116
- C:\Windows\System\KjABleP.exe
  C:\Windows\System\KjABleP.exe
  2⤵
  PID:8664
- C:\Windows\System\WRipKPW.exe
  C:\Windows\System\WRipKPW.exe
  2⤵
  PID:8528
- C:\Windows\System\aeKeXWO.exe
  C:\Windows\System\aeKeXWO.exe
  2⤵
  PID:9232
- C:\Windows\System\PvJLkbc.exe
  C:\Windows\System\PvJLkbc.exe
  2⤵
  PID:9260
- C:\Windows\System\xmFUrPz.exe
  C:\Windows\System\xmFUrPz.exe
  2⤵
  PID:9288
- C:\Windows\System\CQQDSGA.exe
  C:\Windows\System\CQQDSGA.exe
  2⤵
  PID:9320
- C:\Windows\System\EplDCAL.exe
  C:\Windows\System\EplDCAL.exe
  2⤵
  PID:9344
- C:\Windows\System\UEIJeqy.exe
  C:\Windows\System\UEIJeqy.exe
  2⤵
  PID:9372
- C:\Windows\System\tlbGZcp.exe
  C:\Windows\System\tlbGZcp.exe
  2⤵
  PID:9400
- C:\Windows\System\WfEmOAP.exe
  C:\Windows\System\WfEmOAP.exe
  2⤵
  PID:9428
- C:\Windows\System\pWMCZyJ.exe
  C:\Windows\System\pWMCZyJ.exe
  2⤵
  PID:9456
- C:\Windows\System\dlsjlBO.exe
  C:\Windows\System\dlsjlBO.exe
  2⤵
  PID:9484
- C:\Windows\System\vpHOnHQ.exe
  C:\Windows\System\vpHOnHQ.exe
  2⤵
  PID:9516
- C:\Windows\System\AJWeNth.exe
  C:\Windows\System\AJWeNth.exe
  2⤵
  PID:9544
- C:\Windows\System\NBvVxHg.exe
  C:\Windows\System\NBvVxHg.exe
  2⤵
  PID:9580
- C:\Windows\System\OcktGRP.exe
  C:\Windows\System\OcktGRP.exe
  2⤵
  PID:9600
- C:\Windows\System\QWnVVlE.exe
  C:\Windows\System\QWnVVlE.exe
  2⤵
  PID:9628
- C:\Windows\System\MVvIUWz.exe
  C:\Windows\System\MVvIUWz.exe
  2⤵
  PID:9656
- C:\Windows\System\QDZXAVk.exe
  C:\Windows\System\QDZXAVk.exe
  2⤵
  PID:9684
- C:\Windows\System\SgfdMar.exe
  C:\Windows\System\SgfdMar.exe
  2⤵
  PID:9712
- C:\Windows\System\jMfDxXw.exe
  C:\Windows\System\jMfDxXw.exe
  2⤵
  PID:9740
- C:\Windows\System\IUOPciM.exe
  C:\Windows\System\IUOPciM.exe
  2⤵
  PID:9776
- C:\Windows\System\MGyhGgW.exe
  C:\Windows\System\MGyhGgW.exe
  2⤵
  PID:9796
- C:\Windows\System\IqLPkYD.exe
  C:\Windows\System\IqLPkYD.exe
  2⤵
  PID:9824
- C:\Windows\System\qhmcvjw.exe
  C:\Windows\System\qhmcvjw.exe
  2⤵
  PID:9852
- C:\Windows\System\yuTfabx.exe
  C:\Windows\System\yuTfabx.exe
  2⤵
  PID:9880
- C:\Windows\System\cRtnAye.exe
  C:\Windows\System\cRtnAye.exe
  2⤵
  PID:9912
- C:\Windows\System\MJJnpdv.exe
  C:\Windows\System\MJJnpdv.exe
  2⤵
  PID:9936
- C:\Windows\System\mKKZhRf.exe
  C:\Windows\System\mKKZhRf.exe
  2⤵
  PID:9964
- C:\Windows\System\QRifdMf.exe
  C:\Windows\System\QRifdMf.exe
  2⤵
  PID:9992
- C:\Windows\System\bhiCqCK.exe
  C:\Windows\System\bhiCqCK.exe
  2⤵
  PID:10024
- C:\Windows\System\HZklnhv.exe
  C:\Windows\System\HZklnhv.exe
  2⤵
  PID:10048
- C:\Windows\System\fTBlODK.exe
  C:\Windows\System\fTBlODK.exe
  2⤵
  PID:10076
- C:\Windows\System\SsFNdzg.exe
  C:\Windows\System\SsFNdzg.exe
  2⤵
  PID:10104
- C:\Windows\System\mSyKKdj.exe
  C:\Windows\System\mSyKKdj.exe
  2⤵
  PID:10132
- C:\Windows\System\EdWTwOI.exe
  C:\Windows\System\EdWTwOI.exe
  2⤵
  PID:10168
- C:\Windows\System\CdIUrpO.exe
  C:\Windows\System\CdIUrpO.exe
  2⤵
  PID:10196
- C:\Windows\System\iYXGKbK.exe
  C:\Windows\System\iYXGKbK.exe
  2⤵
  PID:10216
- C:\Windows\System\csXXaap.exe
  C:\Windows\System\csXXaap.exe
  2⤵
  PID:9224
- C:\Windows\System\hRFTNDW.exe
  C:\Windows\System\hRFTNDW.exe
  2⤵
  PID:9280
- C:\Windows\System\XmcWAED.exe
  C:\Windows\System\XmcWAED.exe
  2⤵
  PID:9340
- C:\Windows\System\pFZyMEl.exe
  C:\Windows\System\pFZyMEl.exe
  2⤵
  PID:9412
- C:\Windows\System\YHrWtVO.exe
  C:\Windows\System\YHrWtVO.exe
  2⤵
  PID:9512
- C:\Windows\System\rYWjywl.exe
  C:\Windows\System\rYWjywl.exe
  2⤵
  PID:4032
- C:\Windows\System\loUFQbn.exe
  C:\Windows\System\loUFQbn.exe
  2⤵
  PID:9620
- C:\Windows\System\HuciDGI.exe
  C:\Windows\System\HuciDGI.exe
  2⤵
  PID:9652
- C:\Windows\System\SqAbzaM.exe
  C:\Windows\System\SqAbzaM.exe
  2⤵
  PID:9724
- C:\Windows\System\mvYHbwU.exe
  C:\Windows\System\mvYHbwU.exe
  2⤵
  PID:9788
- C:\Windows\System\OfpJOiZ.exe
  C:\Windows\System\OfpJOiZ.exe
  2⤵
  PID:9848
- C:\Windows\System\ccEXDAk.exe
  C:\Windows\System\ccEXDAk.exe
  2⤵
  PID:9932
- C:\Windows\System\nFcRAwy.exe
  C:\Windows\System\nFcRAwy.exe
  2⤵
  PID:9984
- C:\Windows\System\OFFXWlO.exe
  C:\Windows\System\OFFXWlO.exe
  2⤵
  PID:10044
- C:\Windows\System\pRpnvHk.exe
  C:\Windows\System\pRpnvHk.exe
  2⤵
  PID:10116
- C:\Windows\System\WIcUWWl.exe
  C:\Windows\System\WIcUWWl.exe
  2⤵
  PID:10176
- C:\Windows\System\tAIIWXN.exe
  C:\Windows\System\tAIIWXN.exe
  2⤵
  PID:10236
- C:\Windows\System\MKnomZl.exe
  C:\Windows\System\MKnomZl.exe
  2⤵
  PID:9336
- C:\Windows\System\sDmRhXa.exe
  C:\Windows\System\sDmRhXa.exe
  2⤵
  PID:9468
- C:\Windows\System\oogIemH.exe
  C:\Windows\System\oogIemH.exe
  2⤵
  PID:9640
- C:\Windows\System\CfelIsF.exe
  C:\Windows\System\CfelIsF.exe
  2⤵
  PID:9784
- C:\Windows\System\WsWljhT.exe
  C:\Windows\System\WsWljhT.exe
  2⤵
  PID:9948
- C:\Windows\System\OefLYNT.exe
  C:\Windows\System\OefLYNT.exe
  2⤵
  PID:10096
- C:\Windows\System\rwWgNCa.exe
  C:\Windows\System\rwWgNCa.exe
  2⤵
  PID:10228
- C:\Windows\System\gSLojfL.exe
  C:\Windows\System\gSLojfL.exe
  2⤵
  PID:9556
- C:\Windows\System\tkMgdyR.exe
  C:\Windows\System\tkMgdyR.exe
  2⤵
  PID:9900
- C:\Windows\System\rbYiwAx.exe
  C:\Windows\System\rbYiwAx.exe
  2⤵
  PID:10204
- C:\Windows\System\IrkutMY.exe
  C:\Windows\System\IrkutMY.exe
  2⤵
  PID:9844
- C:\Windows\System\CJgBPYw.exe
  C:\Windows\System\CJgBPYw.exe
  2⤵
  PID:9476
- C:\Windows\System\WEaKrip.exe
  C:\Windows\System\WEaKrip.exe
  2⤵
  PID:10260
- C:\Windows\System\mimwmrn.exe
  C:\Windows\System\mimwmrn.exe
  2⤵
  PID:10288
- C:\Windows\System\cEXyTJo.exe
  C:\Windows\System\cEXyTJo.exe
  2⤵
  PID:10320
- C:\Windows\System\xsrScmb.exe
  C:\Windows\System\xsrScmb.exe
  2⤵
  PID:10348
- C:\Windows\System\jjMeMwl.exe
  C:\Windows\System\jjMeMwl.exe
  2⤵
  PID:10376
- C:\Windows\System\pPYcGCu.exe
  C:\Windows\System\pPYcGCu.exe
  2⤵
  PID:10412
- C:\Windows\System\mkvUanV.exe
  C:\Windows\System\mkvUanV.exe
  2⤵
  PID:10440
- C:\Windows\System\suDlLtW.exe
  C:\Windows\System\suDlLtW.exe
  2⤵
  PID:10468
- C:\Windows\System\EhaquBV.exe
  C:\Windows\System\EhaquBV.exe
  2⤵
  PID:10496
- C:\Windows\System\TGiSlng.exe
  C:\Windows\System\TGiSlng.exe
  2⤵
  PID:10524
- C:\Windows\System\mHHUjdI.exe
  C:\Windows\System\mHHUjdI.exe
  2⤵
  PID:10552
- C:\Windows\System\CWbTOJQ.exe
  C:\Windows\System\CWbTOJQ.exe
  2⤵
  PID:10580
- C:\Windows\System\hZqWOTW.exe
  C:\Windows\System\hZqWOTW.exe
  2⤵
  PID:10608
- C:\Windows\System\sHpHWUf.exe
  C:\Windows\System\sHpHWUf.exe
  2⤵
  PID:10636
- C:\Windows\System\rYCePNF.exe
  C:\Windows\System\rYCePNF.exe
  2⤵
  PID:10664
- C:\Windows\System\zrnUJBt.exe
  C:\Windows\System\zrnUJBt.exe
  2⤵
  PID:10692
- C:\Windows\System\pJJmVRI.exe
  C:\Windows\System\pJJmVRI.exe
  2⤵
  PID:10720
- C:\Windows\System\tkMVREP.exe
  C:\Windows\System\tkMVREP.exe
  2⤵
  PID:10748
- C:\Windows\System\GBkAAns.exe
  C:\Windows\System\GBkAAns.exe
  2⤵
  PID:10776
- C:\Windows\System\EhSOJuu.exe
  C:\Windows\System\EhSOJuu.exe
  2⤵
  PID:10804
- C:\Windows\System\TpRkZxz.exe
  C:\Windows\System\TpRkZxz.exe
  2⤵
  PID:10832
- C:\Windows\System\UDamQay.exe
  C:\Windows\System\UDamQay.exe
  2⤵
  PID:10860
- C:\Windows\System\uSsJNlj.exe
  C:\Windows\System\uSsJNlj.exe
  2⤵
  PID:10888
- C:\Windows\System\ZlEDTZF.exe
  C:\Windows\System\ZlEDTZF.exe
  2⤵
  PID:10916
- C:\Windows\System\SJILApt.exe
  C:\Windows\System\SJILApt.exe
  2⤵
  PID:10944
- C:\Windows\System\pZCUEjS.exe
  C:\Windows\System\pZCUEjS.exe
  2⤵
  PID:10972
- C:\Windows\System\jhGACbQ.exe
  C:\Windows\System\jhGACbQ.exe
  2⤵
  PID:11000
- C:\Windows\System\qtyknnd.exe
  C:\Windows\System\qtyknnd.exe
  2⤵
  PID:11028
- C:\Windows\System\tpAhYxS.exe
  C:\Windows\System\tpAhYxS.exe
  2⤵
  PID:11056
- C:\Windows\System\eGgAfdo.exe
  C:\Windows\System\eGgAfdo.exe
  2⤵
  PID:11084
- C:\Windows\System\qOSMAiv.exe
  C:\Windows\System\qOSMAiv.exe
  2⤵
  PID:11112
- C:\Windows\System\JNmfBxF.exe
  C:\Windows\System\JNmfBxF.exe
  2⤵
  PID:11140
- C:\Windows\System\pddoRkv.exe
  C:\Windows\System\pddoRkv.exe
  2⤵
  PID:11168
- C:\Windows\System\zfOtwpF.exe
  C:\Windows\System\zfOtwpF.exe
  2⤵
  PID:11196
- C:\Windows\System\RDAXOAl.exe
  C:\Windows\System\RDAXOAl.exe
  2⤵
  PID:11228
- C:\Windows\System\hBBngGi.exe
  C:\Windows\System\hBBngGi.exe
  2⤵
  PID:11256
- C:\Windows\System\iCoSWFO.exe
  C:\Windows\System\iCoSWFO.exe
  2⤵
  PID:10284
- C:\Windows\System\nAmcrYl.exe
  C:\Windows\System\nAmcrYl.exe
  2⤵
  PID:10360
- C:\Windows\System\mAetGjN.exe
  C:\Windows\System\mAetGjN.exe
  2⤵
  PID:10424
- C:\Windows\System\USQiSmq.exe
  C:\Windows\System\USQiSmq.exe
  2⤵
  PID:10488
- C:\Windows\System\GyEWBTl.exe
  C:\Windows\System\GyEWBTl.exe
  2⤵
  PID:10548
- C:\Windows\System\Xajdecz.exe
  C:\Windows\System\Xajdecz.exe
  2⤵
  PID:10620
- C:\Windows\System\RRRkRFA.exe
  C:\Windows\System\RRRkRFA.exe
  2⤵
  PID:10684
- C:\Windows\System\lSXgfcP.exe
  C:\Windows\System\lSXgfcP.exe
  2⤵
  PID:10732
- C:\Windows\System\tDntZZh.exe
  C:\Windows\System\tDntZZh.exe
  2⤵
  PID:10772
- C:\Windows\System\wjNVNxX.exe
  C:\Windows\System\wjNVNxX.exe
  2⤵
  PID:10844
- C:\Windows\System\KrRpeJm.exe
  C:\Windows\System\KrRpeJm.exe
  2⤵
  PID:10884
- C:\Windows\System\IJJBBKK.exe
  C:\Windows\System\IJJBBKK.exe
  2⤵
  PID:10956
- C:\Windows\System\mGiqNhq.exe
  C:\Windows\System\mGiqNhq.exe
  2⤵
  PID:11012
- C:\Windows\System\TcHtsDs.exe
  C:\Windows\System\TcHtsDs.exe
  2⤵
  PID:11076
- C:\Windows\System\WMPPVDN.exe
  C:\Windows\System\WMPPVDN.exe
  2⤵
  PID:11136
- C:\Windows\System\dwjsZXC.exe
  C:\Windows\System\dwjsZXC.exe
  2⤵
  PID:11208
- C:\Windows\System\SVVsdYp.exe
  C:\Windows\System\SVVsdYp.exe
  2⤵
  PID:10280
- C:\Windows\System\hPvGHBV.exe
  C:\Windows\System\hPvGHBV.exe
  2⤵
  PID:10404
- C:\Windows\System\AOKDmbr.exe
  C:\Windows\System\AOKDmbr.exe
  2⤵
  PID:10544
- C:\Windows\System\sqyKASn.exe
  C:\Windows\System\sqyKASn.exe
  2⤵
  PID:10688
- C:\Windows\System\LRyVScq.exe
  C:\Windows\System\LRyVScq.exe
  2⤵
  PID:10824
- C:\Windows\System\jleZWYW.exe
  C:\Windows\System\jleZWYW.exe
  2⤵
  PID:10940
- C:\Windows\System\GlmxTXY.exe
  C:\Windows\System\GlmxTXY.exe
  2⤵
  PID:11104
- C:\Windows\System\FaVgXAE.exe
  C:\Windows\System\FaVgXAE.exe
  2⤵
  PID:10252
- C:\Windows\System\zyhNkaK.exe
  C:\Windows\System\zyhNkaK.exe
  2⤵
  PID:10464
- C:\Windows\System\jZFqETK.exe
  C:\Windows\System\jZFqETK.exe
  2⤵
  PID:10768
- C:\Windows\System\qqrMSgL.exe
  C:\Windows\System\qqrMSgL.exe
  2⤵
  PID:11052
- C:\Windows\System\vEzROpa.exe
  C:\Windows\System\vEzROpa.exe
  2⤵
  PID:1636
- C:\Windows\System\UwfdKZH.exe
  C:\Windows\System\UwfdKZH.exe
  2⤵
  PID:2036
- C:\Windows\System\wLJKRmQ.exe
  C:\Windows\System\wLJKRmQ.exe
  2⤵
  PID:10996
- C:\Windows\System\tGHNOGa.exe
  C:\Windows\System\tGHNOGa.exe
  2⤵
  PID:10760
- C:\Windows\System\ByRVfQG.exe
  C:\Windows\System\ByRVfQG.exe
  2⤵
  PID:10344
- C:\Windows\System\rovIcUs.exe
  C:\Windows\System\rovIcUs.exe
  2⤵
  PID:11292
- C:\Windows\System\VWyeNbg.exe
  C:\Windows\System\VWyeNbg.exe
  2⤵
  PID:11324
- C:\Windows\System\IGVcGZr.exe
  C:\Windows\System\IGVcGZr.exe
  2⤵
  PID:11368
- C:\Windows\System\ZXNOtCI.exe
  C:\Windows\System\ZXNOtCI.exe
  2⤵
  PID:11388
- C:\Windows\System\ikgFxSS.exe
  C:\Windows\System\ikgFxSS.exe
  2⤵
  PID:11408
- C:\Windows\System\ZtTFaKI.exe
  C:\Windows\System\ZtTFaKI.exe
  2⤵
  PID:11440
- C:\Windows\System\wgdKJKV.exe
  C:\Windows\System\wgdKJKV.exe
  2⤵
  PID:11472
- C:\Windows\System\bWPlhfB.exe
  C:\Windows\System\bWPlhfB.exe
  2⤵
  PID:11504
- C:\Windows\System\tHztBvJ.exe
  C:\Windows\System\tHztBvJ.exe
  2⤵
  PID:11544
- C:\Windows\System\EOQCEIV.exe
  C:\Windows\System\EOQCEIV.exe
  2⤵
  PID:11580
- C:\Windows\System\YwaPOfb.exe
  C:\Windows\System\YwaPOfb.exe
  2⤵
  PID:11612
- C:\Windows\System\CHPzhre.exe
  C:\Windows\System\CHPzhre.exe
  2⤵
  PID:11628
- C:\Windows\System\aGgbzlT.exe
  C:\Windows\System\aGgbzlT.exe
  2⤵
  PID:11680
- C:\Windows\System\QFOArTR.exe
  C:\Windows\System\QFOArTR.exe
  2⤵
  PID:11700
- C:\Windows\System\uoRtlNL.exe
  C:\Windows\System\uoRtlNL.exe
  2⤵
  PID:11728
- C:\Windows\System\zjdCJIA.exe
  C:\Windows\System\zjdCJIA.exe
  2⤵
  PID:11744
- C:\Windows\System\owmjYtM.exe
  C:\Windows\System\owmjYtM.exe
  2⤵
  PID:11768
- C:\Windows\System\clDiqSz.exe
  C:\Windows\System\clDiqSz.exe
  2⤵
  PID:11820
- C:\Windows\System\iunomFV.exe
  C:\Windows\System\iunomFV.exe
  2⤵
  PID:11848
- C:\Windows\System\DGSakjN.exe
  C:\Windows\System\DGSakjN.exe
  2⤵
  PID:11868
- C:\Windows\System\ncDfNCu.exe
  C:\Windows\System\ncDfNCu.exe
  2⤵
  PID:11896
- C:\Windows\System\gUEpqHm.exe
  C:\Windows\System\gUEpqHm.exe
  2⤵
  PID:11944
- C:\Windows\System\aLDpwyW.exe
  C:\Windows\System\aLDpwyW.exe
  2⤵
  PID:11964
- C:\Windows\System\BwrCqEd.exe
  C:\Windows\System\BwrCqEd.exe
  2⤵
  PID:11992
- C:\Windows\System\EpboZkl.exe
  C:\Windows\System\EpboZkl.exe
  2⤵
  PID:12020
- C:\Windows\System\fETSKAk.exe
  C:\Windows\System\fETSKAk.exe
  2⤵
  PID:12048
- C:\Windows\System\XJxBJQB.exe
  C:\Windows\System\XJxBJQB.exe
  2⤵
  PID:12076
- C:\Windows\System\AIJfsnz.exe
  C:\Windows\System\AIJfsnz.exe
  2⤵
  PID:12104
- C:\Windows\System\YYsJLwY.exe
  C:\Windows\System\YYsJLwY.exe
  2⤵
  PID:12132
- C:\Windows\System\uSqQwbY.exe
  C:\Windows\System\uSqQwbY.exe
  2⤵
  PID:12160
- C:\Windows\System\glWsowe.exe
  C:\Windows\System\glWsowe.exe
  2⤵
  PID:12188
- C:\Windows\System\xAsKDuu.exe
  C:\Windows\System\xAsKDuu.exe
  2⤵
  PID:12216
- C:\Windows\System\BCdAqLB.exe
  C:\Windows\System\BCdAqLB.exe
  2⤵
  PID:12244
- C:\Windows\System\GRbSOgV.exe
  C:\Windows\System\GRbSOgV.exe
  2⤵
  PID:12272
- C:\Windows\System\YcJSnUp.exe
  C:\Windows\System\YcJSnUp.exe
  2⤵
  PID:11284
- C:\Windows\System\ZdXIFnR.exe
  C:\Windows\System\ZdXIFnR.exe
  2⤵
  PID:11336
- C:\Windows\System\rrWtsyX.exe
  C:\Windows\System\rrWtsyX.exe
  2⤵
  PID:11400
- C:\Windows\System\fInubcU.exe
  C:\Windows\System\fInubcU.exe
  2⤵
  PID:11464
- C:\Windows\System\yLOmcsy.exe
  C:\Windows\System\yLOmcsy.exe
  2⤵
  PID:4616
- C:\Windows\System\oCZnwfM.exe
  C:\Windows\System\oCZnwfM.exe
  2⤵
  PID:11552
- C:\Windows\System\xnJZdcm.exe
  C:\Windows\System\xnJZdcm.exe
  2⤵
  PID:11588
- C:\Windows\System\ReONKJg.exe
  C:\Windows\System\ReONKJg.exe
  2⤵
  PID:11344
- C:\Windows\System\ZPMkwMQ.exe
  C:\Windows\System\ZPMkwMQ.exe
  2⤵
  PID:11648
- C:\Windows\System\ahECYFE.exe
  C:\Windows\System\ahECYFE.exe
  2⤵
  PID:2032
- C:\Windows\System\ZFXMqGP.exe
  C:\Windows\System\ZFXMqGP.exe
  2⤵
  PID:11752
- C:\Windows\System\TfKBbJp.exe
  C:\Windows\System\TfKBbJp.exe
  2⤵
  PID:11480
- C:\Windows\System\ESPxNhO.exe
  C:\Windows\System\ESPxNhO.exe
  2⤵
  PID:11864
- C:\Windows\System\LTHEKnx.exe
  C:\Windows\System\LTHEKnx.exe
  2⤵
  PID:11916
- C:\Windows\System\lllCshK.exe
  C:\Windows\System\lllCshK.exe
  2⤵
  PID:11960
- C:\Windows\System\NhPLiDH.exe
  C:\Windows\System\NhPLiDH.exe
  2⤵
  PID:12032
- C:\Windows\System\dUTPhjT.exe
  C:\Windows\System\dUTPhjT.exe
  2⤵
  PID:12072
- C:\Windows\System\WZgdHTs.exe
  C:\Windows\System\WZgdHTs.exe
  2⤵
  PID:12144
- C:\Windows\System\wxBNXbk.exe
  C:\Windows\System\wxBNXbk.exe
  2⤵
  PID:12208
- C:\Windows\System\BBbkcSN.exe
  C:\Windows\System\BBbkcSN.exe
  2⤵
  PID:12268
- C:\Windows\System\oJvVlEz.exe
  C:\Windows\System\oJvVlEz.exe
  2⤵
  PID:11380
- C:\Windows\System\JgnkdCP.exe
  C:\Windows\System\JgnkdCP.exe
  2⤵
  PID:4012
- C:\Windows\System\rhVsvkL.exe
  C:\Windows\System\rhVsvkL.exe
  2⤵
  PID:11572
- C:\Windows\System\mmOiJSN.exe
  C:\Windows\System\mmOiJSN.exe
  2⤵
  PID:11608
- C:\Windows\System\VdJvLjO.exe
  C:\Windows\System\VdJvLjO.exe
  2⤵
  PID:11776
- C:\Windows\System\BTMHMYI.exe
  C:\Windows\System\BTMHMYI.exe
  2⤵
  PID:11908
- C:\Windows\System\FyILnpX.exe
  C:\Windows\System\FyILnpX.exe
  2⤵
  PID:12016
- C:\Windows\System\DwOyTPA.exe
  C:\Windows\System\DwOyTPA.exe
  2⤵
  PID:12172
- C:\Windows\System\hoGnvHi.exe
  C:\Windows\System\hoGnvHi.exe
  2⤵
  PID:2304
- C:\Windows\System\sDUozWX.exe
  C:\Windows\System\sDUozWX.exe
  2⤵
  PID:11596
- C:\Windows\System\pNLsQSs.exe
  C:\Windows\System\pNLsQSs.exe
  2⤵
  PID:11840
- C:\Windows\System\IEvbFid.exe
  C:\Windows\System\IEvbFid.exe
  2⤵
  PID:12124
- C:\Windows\System\KUhWlNl.exe
  C:\Windows\System\KUhWlNl.exe
  2⤵
  PID:11496
- C:\Windows\System\bcxEudW.exe
  C:\Windows\System\bcxEudW.exe
  2⤵
  PID:12068
- C:\Windows\System\YCDfhvB.exe
  C:\Windows\System\YCDfhvB.exe
  2⤵
  PID:11448
- C:\Windows\System\fYLxTbZ.exe
  C:\Windows\System\fYLxTbZ.exe
  2⤵
  PID:12308
- C:\Windows\System\ETefVLA.exe
  C:\Windows\System\ETefVLA.exe
  2⤵
  PID:12340
- C:\Windows\System\XBzPtql.exe
  C:\Windows\System\XBzPtql.exe
  2⤵
  PID:12368
- C:\Windows\System\eKqhoKB.exe
  C:\Windows\System\eKqhoKB.exe
  2⤵
  PID:12396
- C:\Windows\System\TknTggY.exe
  C:\Windows\System\TknTggY.exe
  2⤵
  PID:12424
- C:\Windows\System\NsYxIsp.exe
  C:\Windows\System\NsYxIsp.exe
  2⤵
  PID:12452
- C:\Windows\System\vQdnwwP.exe
  C:\Windows\System\vQdnwwP.exe
  2⤵
  PID:12480
- C:\Windows\System\bgjXySk.exe
  C:\Windows\System\bgjXySk.exe
  2⤵
  PID:12508
- C:\Windows\System\kKfFFNI.exe
  C:\Windows\System\kKfFFNI.exe
  2⤵
  PID:12536
- C:\Windows\System\aaHhYHf.exe
  C:\Windows\System\aaHhYHf.exe
  2⤵
  PID:12564
- C:\Windows\System\tTJWjex.exe
  C:\Windows\System\tTJWjex.exe
  2⤵
  PID:12592
- C:\Windows\System\ukpDCLM.exe
  C:\Windows\System\ukpDCLM.exe
  2⤵
  PID:12620
- C:\Windows\System\btgrxzZ.exe
  C:\Windows\System\btgrxzZ.exe
  2⤵
  PID:12648
- C:\Windows\System\geldDlj.exe
  C:\Windows\System\geldDlj.exe
  2⤵
  PID:12676
- C:\Windows\System\qgdetnF.exe
  C:\Windows\System\qgdetnF.exe
  2⤵
  PID:12704
- C:\Windows\System\PdfmyoE.exe
  C:\Windows\System\PdfmyoE.exe
  2⤵
  PID:12732
- C:\Windows\System\RQgTPah.exe
  C:\Windows\System\RQgTPah.exe
  2⤵
  PID:12760
- C:\Windows\System\nsPhLFT.exe
  C:\Windows\System\nsPhLFT.exe
  2⤵
  PID:12788
- C:\Windows\System\ShTErOv.exe
  C:\Windows\System\ShTErOv.exe
  2⤵
  PID:12828
- C:\Windows\System\winHNhM.exe
  C:\Windows\System\winHNhM.exe
  2⤵
  PID:12844
- C:\Windows\System\sUmfOQG.exe
  C:\Windows\System\sUmfOQG.exe
  2⤵
  PID:12872
- C:\Windows\System\ppKrlIw.exe
  C:\Windows\System\ppKrlIw.exe
  2⤵
  PID:12900
- C:\Windows\System\tUdTGgh.exe
  C:\Windows\System\tUdTGgh.exe
  2⤵
  PID:12928
- C:\Windows\System\nqTBego.exe
  C:\Windows\System\nqTBego.exe
  2⤵
  PID:12956
- C:\Windows\System\hdUkELe.exe
  C:\Windows\System\hdUkELe.exe
  2⤵
  PID:12984
- C:\Windows\System\NeIUfuJ.exe
  C:\Windows\System\NeIUfuJ.exe
  2⤵
  PID:13012
- C:\Windows\System\DiiIwLE.exe
  C:\Windows\System\DiiIwLE.exe
  2⤵
  PID:13040
- C:\Windows\System\poVStTF.exe
  C:\Windows\System\poVStTF.exe
  2⤵
  PID:13068
- C:\Windows\System\xRlnftv.exe
  C:\Windows\System\xRlnftv.exe
  2⤵
  PID:13096
- C:\Windows\System\qViIgcB.exe
  C:\Windows\System\qViIgcB.exe
  2⤵
  PID:13124
- C:\Windows\System\LxAbIVd.exe
  C:\Windows\System\LxAbIVd.exe
  2⤵
  PID:13156
- C:\Windows\System\oehbVyb.exe
  C:\Windows\System\oehbVyb.exe
  2⤵
  PID:13184
- C:\Windows\System\ckedXrA.exe
  C:\Windows\System\ckedXrA.exe
  2⤵
  PID:13212
- C:\Windows\System\zowCZDa.exe
  C:\Windows\System\zowCZDa.exe
  2⤵
  PID:13240
- C:\Windows\System\FMfDnCW.exe
  C:\Windows\System\FMfDnCW.exe
  2⤵
  PID:13268
- C:\Windows\System\zkWCpqQ.exe
  C:\Windows\System\zkWCpqQ.exe
  2⤵
  PID:13296
- C:\Windows\System\tPbMUKe.exe
  C:\Windows\System\tPbMUKe.exe
  2⤵
  PID:12320
- C:\Windows\System\VUCBNOi.exe
  C:\Windows\System\VUCBNOi.exe
  2⤵
  PID:12388
- C:\Windows\System\BWhNbwp.exe
  C:\Windows\System\BWhNbwp.exe
  2⤵
  PID:12448
- C:\Windows\System\kHxiHDI.exe
  C:\Windows\System\kHxiHDI.exe
  2⤵
  PID:12520
- C:\Windows\System\cGIjnuW.exe
  C:\Windows\System\cGIjnuW.exe
  2⤵
  PID:12584
- C:\Windows\System\twHcqQC.exe
  C:\Windows\System\twHcqQC.exe
  2⤵
  PID:12644
- C:\Windows\System\BxGswoj.exe
  C:\Windows\System\BxGswoj.exe
  2⤵
  PID:12716
- C:\Windows\System\aqntasP.exe
  C:\Windows\System\aqntasP.exe
  2⤵
  PID:12780
- C:\Windows\System\IbwbdSm.exe
  C:\Windows\System\IbwbdSm.exe
  2⤵
  PID:12840
- C:\Windows\System\jTKMMeM.exe
  C:\Windows\System\jTKMMeM.exe
  2⤵
  PID:12912
- C:\Windows\System\GlpuGum.exe
  C:\Windows\System\GlpuGum.exe
  2⤵
  PID:12968
- C:\Windows\System\XUgsNbT.exe
  C:\Windows\System\XUgsNbT.exe
  2⤵
  PID:13032
- C:\Windows\System\MKueYid.exe
  C:\Windows\System\MKueYid.exe
  2⤵
  PID:13092
- C:\Windows\System\dLTtpmB.exe
  C:\Windows\System\dLTtpmB.exe
  2⤵
  PID:13168
- C:\Windows\System\EwyfooR.exe
  C:\Windows\System\EwyfooR.exe
  2⤵
  PID:13232
- C:\Windows\System\fcqtwEZ.exe
  C:\Windows\System\fcqtwEZ.exe
  2⤵
  PID:13292
- C:\Windows\System\smzNTyW.exe
  C:\Windows\System\smzNTyW.exe
  2⤵
  PID:12416
- C:\Windows\System\SVOgTRd.exe
  C:\Windows\System\SVOgTRd.exe
  2⤵
  PID:12560
- C:\Windows\System\tAEzWiK.exe
  C:\Windows\System\tAEzWiK.exe
  2⤵
  PID:12700
- C:\Windows\System\KvhhkRO.exe
  C:\Windows\System\KvhhkRO.exe
  2⤵
  PID:12868
- C:\Windows\System\YmNvMLF.exe
  C:\Windows\System\YmNvMLF.exe
  2⤵
  PID:13008
- C:\Windows\System\gUOpwNE.exe
  C:\Windows\System\gUOpwNE.exe
  2⤵
  PID:13152
- C:\Windows\System\XmTHolS.exe
  C:\Windows\System\XmTHolS.exe
  2⤵
  PID:12304
- C:\Windows\System\TWGCqAI.exe
  C:\Windows\System\TWGCqAI.exe
  2⤵
  PID:12672
- C:\Windows\System\CpdFmlk.exe
  C:\Windows\System\CpdFmlk.exe
  2⤵
  PID:12952
- C:\Windows\System\hLzlfIr.exe
  C:\Windows\System\hLzlfIr.exe
  2⤵
  PID:13288
- C:\Windows\System\tqnAybo.exe
  C:\Windows\System\tqnAybo.exe
  2⤵
  PID:13120
- C:\Windows\System\IGFpCyG.exe
  C:\Windows\System\IGFpCyG.exe
  2⤵
  PID:13320
- C:\Windows\System\vXcaGXl.exe
  C:\Windows\System\vXcaGXl.exe
  2⤵
  PID:13348
- C:\Windows\System\UVAEXlF.exe
  C:\Windows\System\UVAEXlF.exe
  2⤵
  PID:13376
- C:\Windows\System\CagEqSb.exe
  C:\Windows\System\CagEqSb.exe
  2⤵
  PID:13404
- C:\Windows\System\QuvvFbk.exe
  C:\Windows\System\QuvvFbk.exe
  2⤵
  PID:13432
- C:\Windows\System\xUqtEdm.exe
  C:\Windows\System\xUqtEdm.exe
  2⤵
  PID:13460
- C:\Windows\System\whVAcbz.exe
  C:\Windows\System\whVAcbz.exe
  2⤵
  PID:13488
- C:\Windows\System\AtttqUU.exe
  C:\Windows\System\AtttqUU.exe
  2⤵
  PID:13516
- C:\Windows\System\PyLHaMr.exe
  C:\Windows\System\PyLHaMr.exe
  2⤵
  PID:13544
- C:\Windows\System\iQNMBST.exe
  C:\Windows\System\iQNMBST.exe
  2⤵
  PID:13572
- C:\Windows\System\NbVdHKe.exe
  C:\Windows\System\NbVdHKe.exe
  2⤵
  PID:13600
- C:\Windows\System\aisVByf.exe
  C:\Windows\System\aisVByf.exe
  2⤵
  PID:13628
- C:\Windows\System\ZdDlcwR.exe
  C:\Windows\System\ZdDlcwR.exe
  2⤵
  PID:13656
- C:\Windows\System\ezZfWgq.exe
  C:\Windows\System\ezZfWgq.exe
  2⤵
  PID:13684
- C:\Windows\System\eshgril.exe
  C:\Windows\System\eshgril.exe
  2⤵
  PID:13712
- C:\Windows\System\GyrXhSZ.exe
  C:\Windows\System\GyrXhSZ.exe
  2⤵
  PID:13740
- C:\Windows\System\qBmBgKl.exe
  C:\Windows\System\qBmBgKl.exe
  2⤵
  PID:13768
- C:\Windows\System\nNefnMl.exe
  C:\Windows\System\nNefnMl.exe
  2⤵
  PID:13796
- C:\Windows\System\gMUkUeO.exe
  C:\Windows\System\gMUkUeO.exe
  2⤵
  PID:13824
- C:\Windows\System\jxjxodc.exe
  C:\Windows\System\jxjxodc.exe
  2⤵
  PID:13852
- C:\Windows\System\JEOZAxQ.exe
  C:\Windows\System\JEOZAxQ.exe
  2⤵
  PID:13880
- C:\Windows\System\AIdcXUa.exe
  C:\Windows\System\AIdcXUa.exe
  2⤵
  PID:13908
- C:\Windows\System\oBljtzj.exe
  C:\Windows\System\oBljtzj.exe
  2⤵
  PID:13936
- C:\Windows\System\nRUqbjj.exe
  C:\Windows\System\nRUqbjj.exe
  2⤵
  PID:13964
- C:\Windows\System\NmWZeEC.exe
  C:\Windows\System\NmWZeEC.exe
  2⤵
  PID:13992
- C:\Windows\System\yBYyKut.exe
  C:\Windows\System\yBYyKut.exe
  2⤵
  PID:14020
- C:\Windows\System\SxuIqQz.exe
  C:\Windows\System\SxuIqQz.exe
  2⤵
  PID:14048
- C:\Windows\System\dfhjWNQ.exe
  C:\Windows\System\dfhjWNQ.exe
  2⤵
  PID:14076
- C:\Windows\System\ndDzQdk.exe
  C:\Windows\System\ndDzQdk.exe
  2⤵
  PID:14108
- C:\Windows\System\GfHwcOn.exe
  C:\Windows\System\GfHwcOn.exe
  2⤵
  PID:14136
- C:\Windows\System\SrVUsOZ.exe
  C:\Windows\System\SrVUsOZ.exe
  2⤵
  PID:14164
- C:\Windows\System\eNfIlXd.exe
  C:\Windows\System\eNfIlXd.exe
  2⤵
  PID:14192
- C:\Windows\System\sffZeCJ.exe
  C:\Windows\System\sffZeCJ.exe
  2⤵
  PID:14220
- C:\Windows\System\DcaZuMR.exe
  C:\Windows\System\DcaZuMR.exe
  2⤵
  PID:14248
- C:\Windows\System\ePqrDsR.exe
  C:\Windows\System\ePqrDsR.exe
  2⤵
  PID:14276
- C:\Windows\System\WwSOGSr.exe
  C:\Windows\System\WwSOGSr.exe
  2⤵
  PID:14304
- C:\Windows\System\BSkVMbx.exe
  C:\Windows\System\BSkVMbx.exe
  2⤵
  PID:14332
- C:\Windows\System\xHEEbPf.exe
  C:\Windows\System\xHEEbPf.exe
  2⤵
  PID:13368
- C:\Windows\System\TperxGg.exe
  C:\Windows\System\TperxGg.exe
  2⤵
  PID:13428
- C:\Windows\System\JYUWlVO.exe
  C:\Windows\System\JYUWlVO.exe
  2⤵
  PID:13500
- C:\Windows\System\pEaUCtS.exe
  C:\Windows\System\pEaUCtS.exe
  2⤵
  PID:13564
- C:\Windows\System\KrnXJWL.exe
  C:\Windows\System\KrnXJWL.exe
  2⤵
  PID:13624
- C:\Windows\System\OnzlUXs.exe
  C:\Windows\System\OnzlUXs.exe
  2⤵
  PID:13696
- C:\Windows\System\GlqXjyG.exe
  C:\Windows\System\GlqXjyG.exe
  2⤵
  PID:13760
- C:\Windows\System\vfDhTCH.exe
  C:\Windows\System\vfDhTCH.exe
  2⤵
  PID:13820
- C:\Windows\System\aeFLmWw.exe
  C:\Windows\System\aeFLmWw.exe
  2⤵
  PID:13892
- C:\Windows\System\aHWcxzY.exe
  C:\Windows\System\aHWcxzY.exe
  2⤵
  PID:13948
- C:\Windows\System\mGssjgJ.exe
  C:\Windows\System\mGssjgJ.exe
  2⤵
  PID:14012
- C:\Windows\System\eJcLwoZ.exe
  C:\Windows\System\eJcLwoZ.exe
  2⤵
  PID:14072
- C:\Windows\System\FXIBINQ.exe
  C:\Windows\System\FXIBINQ.exe
  2⤵
  PID:14148
- C:\Windows\System\lAYYCcd.exe
  C:\Windows\System\lAYYCcd.exe
  2⤵
  PID:14212
- C:\Windows\System\zwEeXbc.exe
  C:\Windows\System\zwEeXbc.exe
  2⤵
  PID:14272
- C:\Windows\System\xoavRgK.exe
  C:\Windows\System\xoavRgK.exe
  2⤵
  PID:13332
- C:\Windows\System\mdocjSh.exe
  C:\Windows\System\mdocjSh.exe
  2⤵
  PID:13480
- C:\Windows\System\MJojOZQ.exe
  C:\Windows\System\MJojOZQ.exe
  2⤵
  PID:13620
- C:\Windows\System\FdCgOHs.exe
  C:\Windows\System\FdCgOHs.exe
  2⤵
  PID:13848
- C:\Windows\System\dCeLzSH.exe
  C:\Windows\System\dCeLzSH.exe
  2⤵
  PID:13932
- C:\Windows\System\ZgiCUWG.exe
  C:\Windows\System\ZgiCUWG.exe
  2⤵
  PID:14176
- C:\Windows\System\LWGLybB.exe
  C:\Windows\System\LWGLybB.exe
  2⤵
  PID:14324
- C:\Windows\System\MoJBaBD.exe
  C:\Windows\System\MoJBaBD.exe
  2⤵
  PID:13424
- C:\Windows\System\bBDVAbf.exe
  C:\Windows\System\bBDVAbf.exe
  2⤵
  PID:13752
- C:\Windows\System\DdLJNpO.exe
  C:\Windows\System\DdLJNpO.exe
  2⤵
  PID:14300
- C:\Windows\System\arIJpOy.exe
  C:\Windows\System\arIJpOy.exe
  2⤵
  PID:376
- C:\Windows\System\RVgOJUu.exe
  C:\Windows\System\RVgOJUu.exe
  2⤵
  PID:4832
- C:\Windows\System\YtQTpgV.exe
  C:\Windows\System\YtQTpgV.exe
  2⤵
  PID:14352
- C:\Windows\System\IoQmdqG.exe
  C:\Windows\System\IoQmdqG.exe
  2⤵
  PID:14376
- C:\Windows\System\PahgJIN.exe
  C:\Windows\System\PahgJIN.exe
  2⤵
  PID:14416
- C:\Windows\System\cucMoWz.exe
  C:\Windows\System\cucMoWz.exe
  2⤵
  PID:14432
- C:\Windows\System\raffWvs.exe
  C:\Windows\System\raffWvs.exe
  2⤵
  PID:14456
- C:\Windows\System\uPpeOjC.exe
  C:\Windows\System\uPpeOjC.exe
  2⤵
  PID:14484
- C:\Windows\System\UDUlgBN.exe
  C:\Windows\System\UDUlgBN.exe
  2⤵
  PID:14516
- C:\Windows\System\rjXlvyy.exe
  C:\Windows\System\rjXlvyy.exe
  2⤵
  PID:14540
- C:\Windows\System\qOqeXyU.exe
  C:\Windows\System\qOqeXyU.exe
  2⤵
  PID:14576
- C:\Windows\System\dzyMpRm.exe
  C:\Windows\System\dzyMpRm.exe
  2⤵
  PID:14612
- C:\Windows\System\TazVYGT.exe
  C:\Windows\System\TazVYGT.exe
  2⤵
  PID:14628
- C:\Windows\System\XTwIVOg.exe
  C:\Windows\System\XTwIVOg.exe
  2⤵
  PID:14656
- C:\Windows\System\xDWxIoi.exe
  C:\Windows\System\xDWxIoi.exe
  2⤵
  PID:14688
- C:\Windows\System\oQmmnqR.exe
  C:\Windows\System\oQmmnqR.exe
  2⤵
  PID:14712
- C:\Windows\System\SNuwKHA.exe
  C:\Windows\System\SNuwKHA.exe
  2⤵
  PID:14740
- C:\Windows\System\HFrSobF.exe
  C:\Windows\System\HFrSobF.exe
  2⤵
  PID:14760
- C:\Windows\System\AcuEMVY.exe
  C:\Windows\System\AcuEMVY.exe
  2⤵
  PID:14836
- C:\Windows\System\SbOFLYc.exe
  C:\Windows\System\SbOFLYc.exe
  2⤵
  PID:14860
- C:\Windows\System\UawMRmz.exe
  C:\Windows\System\UawMRmz.exe
  2⤵
  PID:14888
- C:\Windows\System\zksaOku.exe
  C:\Windows\System\zksaOku.exe
  2⤵
  PID:14916
- C:\Windows\System\ciXwvYj.exe
  C:\Windows\System\ciXwvYj.exe
  2⤵
  PID:14952
- C:\Windows\System\fNQpoxU.exe
  C:\Windows\System\fNQpoxU.exe
  2⤵
  PID:14980
- C:\Windows\System\kFehIsi.exe
  C:\Windows\System\kFehIsi.exe
  2⤵
  PID:15020
- C:\Windows\System\SytGXdS.exe
  C:\Windows\System\SytGXdS.exe
  2⤵
  PID:15048
- C:\Windows\System\mUhowiB.exe
  C:\Windows\System\mUhowiB.exe
  2⤵
  PID:15076
- C:\Windows\System\gWSCwMU.exe
  C:\Windows\System\gWSCwMU.exe
  2⤵
  PID:15104
- C:\Windows\System\Gzknzfq.exe
  C:\Windows\System\Gzknzfq.exe
  2⤵
  PID:15132
- C:\Windows\System\bSYpEDq.exe
  C:\Windows\System\bSYpEDq.exe
  2⤵
  PID:15160
- C:\Windows\System\hgOtNWw.exe
  C:\Windows\System\hgOtNWw.exe
  2⤵
  PID:15188
- C:\Windows\System\nEltTod.exe
  C:\Windows\System\nEltTod.exe
  2⤵
  PID:15216
- C:\Windows\System\QJfRqXS.exe
  C:\Windows\System\QJfRqXS.exe
  2⤵
  PID:15244
- C:\Windows\System\riZjubG.exe
  C:\Windows\System\riZjubG.exe
  2⤵
  PID:15272
- C:\Windows\System\jESLtvV.exe
  C:\Windows\System\jESLtvV.exe
  2⤵
  PID:15312
- C:\Windows\System\aUJnIsy.exe
  C:\Windows\System\aUJnIsy.exe
  2⤵
  PID:15328
- C:\Windows\System\ItLbpdp.exe
  C:\Windows\System\ItLbpdp.exe
  2⤵
  PID:15356
- C:\Windows\System\FMwQnmn.exe
  C:\Windows\System\FMwQnmn.exe
  2⤵
  PID:14128
- C:\Windows\System\FRcdmGP.exe
  C:\Windows\System\FRcdmGP.exe
  2⤵
  PID:1444
- C:\Windows\System\YtpSfFi.exe
  C:\Windows\System\YtpSfFi.exe
  2⤵
  PID:14396
- C:\Windows\System\pjAjFCC.exe
  C:\Windows\System\pjAjFCC.exe
  2⤵
  PID:14504
- C:\Windows\System\iLiFWRU.exe
  C:\Windows\System\iLiFWRU.exe
  2⤵
  PID:3652
- C:\Windows\System\avrFdvW.exe
  C:\Windows\System\avrFdvW.exe
  2⤵
  PID:14572
- C:\Windows\System\NMBkOVw.exe
  C:\Windows\System\NMBkOVw.exe
  2⤵
  PID:3156
- C:\Windows\System\ZiLjfDU.exe
  C:\Windows\System\ZiLjfDU.exe
  2⤵
  PID:14564
- C:\Windows\System\FIOWnUY.exe
  C:\Windows\System\FIOWnUY.exe
  2⤵
  PID:4136
- C:\Windows\System\qMmknTA.exe
  C:\Windows\System\qMmknTA.exe
  2⤵
  PID:14700
- C:\Windows\System\rJaaMGY.exe
  C:\Windows\System\rJaaMGY.exe
  2⤵
  PID:14748
- C:\Windows\System\nfptaGI.exe
  C:\Windows\System\nfptaGI.exe
  2⤵
  PID:14204
- C:\Windows\System\UnZEAVL.exe
  C:\Windows\System\UnZEAVL.exe
  2⤵
  PID:3412
- C:\Windows\System\whIdgpV.exe
  C:\Windows\System\whIdgpV.exe
  2⤵
  PID:3792
- C:\Windows\System\SNDZryY.exe
  C:\Windows\System\SNDZryY.exe
  2⤵
  PID:3464
- C:\Windows\System\EXNXkQH.exe
  C:\Windows\System\EXNXkQH.exe
  2⤵
  PID:4148
- C:\Windows\System\IqXMILK.exe
  C:\Windows\System\IqXMILK.exe
  2⤵
  PID:14848
- C:\Windows\System\gxgTdeQ.exe
  C:\Windows\System\gxgTdeQ.exe
  2⤵
  PID:2892
- C:\Windows\System\meJTfPD.exe
  C:\Windows\System\meJTfPD.exe
  2⤵
  PID:14940
- C:\Windows\System\DCAghwL.exe
  C:\Windows\System\DCAghwL.exe
  2⤵
  PID:3584
- C:\Windows\System\zqeHimD.exe
  C:\Windows\System\zqeHimD.exe
  2⤵
  PID:15004

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:3220
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:14556

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5696

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6896

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7384

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7684

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:8820

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7576

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:9300

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9876

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:2984

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6052

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5460

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3648

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7376

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4320

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8504

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9344

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9484

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10320

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8584

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8432

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:15176

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:15116

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4068

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9956

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:428

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13236

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5524

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5428

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1628

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8004

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5380

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7324

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5168

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7180

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11396

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12348

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8268

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9324

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8452

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8988

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8500

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8608

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11680

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YCLWQ4BV\microsoft.windows[1].xml

Filesize
97B

MD5
781c2d6d1f6f2f8ae243c569925a6c44

SHA1
6d5d26acc2002f5a507bd517051095a97501931b

SHA256
70687e419879f006d0c50c08657c66b1187b94ea216cfe0a2e6be8bd2de77bc8

SHA512
3599fa8f2ffe140a8f68ec735810d24a5b367a9a551d620baa6dc611ca755dce1a662bf22b90f842d499d2c9530fb8acd634d1654d5e2c1b319574cbf35eadf7

Download Submit
C:\Windows\System\ACzXBRb.exe

Filesize
6.0MB

MD5
84161715c3a63951a326f48604fa7c22

SHA1
11bc584298860fb43e92626d09fbdfa43afec57c

SHA256
f0fbd23289457ad1a8a89c534e60a770b272440eb210a66032621b45ba096dd1

SHA512
4ff1ca1bf010699998fad7a0927ac56960297efae6b3df0e37538588fa81cd2109e509798a8af6b6343c9e8bfc91142375b8d5af07b366c90eb5009cf5f07f4c

Download Submit
C:\Windows\System\HoDBiGe.exe

Filesize
6.0MB

MD5
f8c0ed438a85f84807c7a9b93465ef53

SHA1
3d98c8e3f5397c6ee3c530c98d3164222e90110a

SHA256
6cef7a8ea8783faf00fa5716d3b90f74af9fb401421717888213050cb392cefe

SHA512
f9f9281e34cd6934e4f3e2414764eef930330fb4c21dcaf091676611b06c89e33db4aa922bd8a297cf642b762f116e63e7425bd5f891070c4e5ea412cb6324a4

Download Submit
C:\Windows\System\IVPMcgZ.exe

Filesize
6.0MB

MD5
15308f2106bb31a93a556b13b8bedfc0

SHA1
6219cd9858e7391a29a8bee66768485d16db1754

SHA256
723c5d35fb6318e6e91804bf687ae203d90ed2984efa77d698f2485c71e317c9

SHA512
4a70fd742e9919d5c5d64870d4a4e4b5f2753a48ff1ac161c19d7448a015e3a6eb8d2765ec30fd28463af32bd7783e5c3dc17e1037885daefa224ef3eca34320

Download Submit
C:\Windows\System\IYqqjez.exe

Filesize
6.0MB

MD5
08c8013ea4edbe36448edcfd4c77c9ca

SHA1
5647c51588ab2092451ec37102401766ca9df077

SHA256
b4b05bc3794646ce0e955f1236631c2888803d4897223d55fa9bcbcfab515076

SHA512
d041e3dfd7f346bb483b47857007c98855527b1c522a7d1ffd2e490213b78113e526fca70a6b71c0e57fe3e560f27e5e4d756056b13d301d406d2c0f17d41757

Download Submit
C:\Windows\System\ItjMHrF.exe

Filesize
6.0MB

MD5
da71c4a69f07662a6a71d830019f6100

SHA1
7dccb3961deb9f59e500d16cb0256cde958e7730

SHA256
8f156e6a363720771dfc9a108e4a8f75d6b58195fcb39f75213e25efeb49145e

SHA512
2c243bde60858f461d3349ff7b1db50aba019a938b3cf092916c3685fc0e80249406b85534fe596571e1773d27b8ab59effd9d26678d767eaae42a81eafd31b1

Download Submit
C:\Windows\System\MUazWbB.exe

Filesize
6.0MB

MD5
4cb63554edd1ae1672421778a95e41d5

SHA1
5d943b365b96dfce751231cf8649451187d9f40a

SHA256
7129935fe76bccef24ce7f0bd6b2ef4432d1814e40265efd9a76b034a83a9a4b

SHA512
45501a1f8824ee4cff97c8e7c870cfed4fd3e99668b2eab404f83562e080b1443f40acd89a03df113e03b617eb3414ce70c092fd2958784cd1cbfe294a3776ad

Download Submit
C:\Windows\System\NzXTavs.exe

Filesize
6.0MB

MD5
99f053f89f42ac29ea5534a9413386ac

SHA1
59841abbe41c9438ce64f824b59589ec60efa7ed

SHA256
45b14e32b98c46ba65cd2264dc5bb6fe203bec6107f106a6175769b591f78e6c

SHA512
dcf2e35b4ac694220a0f863ed1d52bc014eb350f9e30e385fa2f80f77771a391a2bdf75649fd866cf495eb92f480e25e881a4e88b1e1aa265aa56e4e3734671b

Download Submit
C:\Windows\System\PiqZVaX.exe

Filesize
6.0MB

MD5
0a95117856afe0b32e1598cceb187c8d

SHA1
3acc84fba7d11c0c38981b8613412f6e6b084ff3

SHA256
fbb39005733f9db1d0082de0e37f49e06226fe415d6a4fc6ce1838ca4a1a58bb

SHA512
71d5882148a6982c7a7f30858c06ac727840daa0104fcdb8f38dfe6fb2c55e6735f0ad69e327b2d9e32f5c04f8796e992ecf0ffb14b7daaa1cc3d9c1f8ad72de

Download Submit
C:\Windows\System\RmOFkCV.exe

Filesize
6.0MB

MD5
3c8ee9344e996b27ea44148b03209a1f

SHA1
b8968a8185ff16bef923ed2809cd0697e306c94e

SHA256
33af87a23d9b099ce30cc1bf15dc0c99a21871ddf9a074f9fc1aad1b161ebdc4

SHA512
2ffbe54ce03179dff9d259cff721aa318cc898bebd8b800d2ff75cd6f3a274f7fe8f4401ef76f5dc1cbb6e6c7ec63956b0f225189ace54daee2168ed5068348c

Download Submit
C:\Windows\System\TBTkhGu.exe

Filesize
6.0MB

MD5
5e0e35e4fac17e66db3fe1b325340d2f

SHA1
d3477aeba3d28e96a6a6e9f157f0c55e1983ecc8

SHA256
f858537654a599fab7930f581fcc4799907c4fcf16e385f119dc924154e55157

SHA512
747bceffeb1864c204702948d53b7d54ac071d16548ccb466f0c9fe690935770411d40c03a167df3742760fbd7360b2c8d498022816ae4a1a37e8da1857b80cd

Download Submit
C:\Windows\System\TsDeUeY.exe

Filesize
6.0MB

MD5
0b699b88136d64a9f86cbb45144c2a4c

SHA1
2353f9eb1448b717b5621948ac36cb5a58c93329

SHA256
e66f7b31f2700196693e057e22f15e438b1cc8f34c7d63c74c81171e80ff24eb

SHA512
f75812a97a734fd5c4246ea8ab565d309875ba9c74404e8e97e8be1fe0803438f0fc3428a12f58e8a7fadd3ed90ff64735a2786e648acd3b298f401b7ed3441e

Download Submit
C:\Windows\System\XVEcXAI.exe

Filesize
6.0MB

MD5
900f91a857e7f3d0ed8aa49249e4258d

SHA1
dbef86564163686cd62abd117bb471b5b5bb153e

SHA256
e3ed234b135729647d3f4d44403c493322230c62645d851b9c248bc4be6e55c8

SHA512
d40527e558ba123a23418914e6c627b0d65cd60d9df4bc89e9ea0b127eda53fcb7cbacff5b9aba62bb53d56ddd8af233772f15f41bca3939348adf7a005fe98b

Download Submit
C:\Windows\System\acpnUSX.exe

Filesize
6.0MB

MD5
256d886ac53b581fe084905b2df668d1

SHA1
d9a64184f2574e9c268487682a9bf2c9e2600480

SHA256
0b3f4d1f884e1c8ccf4cf4f0a4042a68138b51aa96e37b5225f8eae070f281f0

SHA512
beea035f9d75718ec0e02d2f5a22393ecf23af664c8fb6cbd13fa69b32518a57338fd7531a891f66be8e04f71d58105946cba973287d124d3646b626da89be06

Download Submit
C:\Windows\System\cHEpVss.exe

Filesize
6.0MB

MD5
a29ebac4fa6140a1dd6be19005549b6a

SHA1
dff9061bee70d3f05e6ef9ee4c3e864ac87f326b

SHA256
f19a5da995be2e5d88625a51cf2634637a65c59c4712a9489e199ca4dbb4c9ce

SHA512
7f832a6d4209b997981dfb92b49ccf94c7d03deecb89e59d314e2416e3c578c4743c44cb39c8cef8637789415d373aaf098d328fc88f2cb1b2745dafaef6bb01

Download Submit
C:\Windows\System\dABCvQI.exe

Filesize
6.0MB

MD5
5230b89603d8130c278a7f4f1c56ea86

SHA1
1eae14b3e5e6171b978260e27e6f5744c935392b

SHA256
0e1764a3d7f4c1c4a80eeeb055cb43de6c4e244e39a68bd4331544e9e6c2b823

SHA512
cdadd13a1ed63369d8fca80dcf1aaace69ab44fdae72cc94ccc0047073c5332ce8110fcbdf22eb9d9c336b88b050b3662bb4c7c2740ed59f5011d70bcd9ddefe

Download Submit
C:\Windows\System\dBEdkyj.exe

Filesize
6.0MB

MD5
6e5fd0159fe64603f9ebc041c8c6d7fa

SHA1
692ad4b285a39636b3e06f06c4bf8d0d30d27dff

SHA256
7c728c30b620b52aefe50744db86ab26c8848788ad811ac6114508ab0b91040f

SHA512
f210ed75229f15c597dae996acb65e3db782b7f3edd6eff3bbdb243dfa736a01eb6a3300a09a2aeef9a249a780961097d6402b4bf2056bd48acf056e526417da

Download Submit
C:\Windows\System\dDyqSMl.exe

Filesize
6.0MB

MD5
baed5dbeef6509cf2346c521ee4c2b57

SHA1
887eb0c025726418457fbc60ccc21a7ba68849f1

SHA256
097f74ded4b2ed193dca8e2ade6e17cf3011a87a27955963d6bfd01c18ec6170

SHA512
a363addfa9e2d01dc5cf1a277176057373ba357c18c7495af08fb0b0e679289fb9ee0d9ca4993432c874f40fbab88ecf79e5b8e08d46f6cc215882494d8bd037

Download Submit
C:\Windows\System\dqOHHqf.exe

Filesize
6.0MB

MD5
1958af4439100c39f6777fc3e412276f

SHA1
1959c8904b79697ca2987c518dc4c9255bc07b9f

SHA256
e87df28d0f7747636fbaa4bff6d781f5fbddbd259600558717ca4d8cd0d6e96b

SHA512
3f7ee17c6df8cfa22300cbc3007a7f1324da6e7c22cb2f796db74cbc2d57d30c96e0e84596e9b40b85e62b24c68a76293e5e73608e1afe83a6ddc5788c76fddd

Download Submit
C:\Windows\System\htFMIiu.exe

Filesize
6.0MB

MD5
6e5b7d269e8a81d9e05c27b9a3615120

SHA1
0fa927031b14ed165b3dfaba581466881cf381f5

SHA256
a4f6dab967d9f73eaab61afe55bf25dadb0ce73c957fd50068008c74a4dbabce

SHA512
d924bb3257c72d8655c1ef3efb6abf1aa871cb2ff23630f3e8e3c9c836f19b605ec24e45be71e767074216498d2527e1d01718f7d68d8abe77a8209b07eafc97

Download Submit
C:\Windows\System\lbxTaPR.exe

Filesize
6.0MB

MD5
c337473fee0964c0bb33e8c2981e9c14

SHA1
7ce23e8dab19743e13b0b273b6b1f97de144a289

SHA256
ac81c025fbd1616b00737b6d31346969b69502a5c06d3cbf86d3b85fa153ab56

SHA512
3124331b1bd4fa0d3e621bbe26b4164af628832f8e69d95f0800ee613198bd6265e43b40cf8d981f049cecf51252477c94f24fa0d3c19182d8401568139e316b

Download Submit
C:\Windows\System\lpMSXFo.exe

Filesize
6.0MB

MD5
d8120105099aa9d99fea731785564240

SHA1
6f951fd4e4075e623a15c14a80fd51bfecb776af

SHA256
a932c11f05699d0e02636bb99c300f529a47aae51e7080c8e8485387a4bdf0a3

SHA512
14fbd691bacc7e22003f6e597b1a0a6a91807a69cf4e0daec2a822ab23b7bb21b360098af9b912d8b97ad608bf25f0a7b9ed80da60558ac739419ce79903d6bb

Download Submit
C:\Windows\System\mXDPLLQ.exe

Filesize
6.0MB

MD5
215d1b391b0ea8410884ee3366b05501

SHA1
5bb4bc13e00458420f799ebe9bd8d4188efe7f0b

SHA256
0a08ee9c4b2cf772c0521d5df52432846080d2d3f227ec4a0b599932267eaa4e

SHA512
77298ad6255649765a6dcccaccbf00a6d9d62bc5ed0d4215efa9ddee7b268770bdb735e84df4d33908c028e9b3c037a240bacb5e5aa3c214fbfd91a84475ac09

Download Submit
C:\Windows\System\nQUOJZB.exe

Filesize
6.0MB

MD5
cb36d5935a88766d4302c791093032fe

SHA1
0c348cbcfa9b491796835ade8f9cc96bb3340072

SHA256
775e69a817b13c60a1bc3f4e00a7dab860d32c5dfd0c5321e926c4f7d16edabd

SHA512
79af89290746940973d066923e3335b7eff8a4a00b23a14d8b99bafac32455b7c4fdf46067a1fa3df916e18d259276d55fbd8116ace63e15452efe7230f9921e

Download Submit
C:\Windows\System\njUABWS.exe

Filesize
6.0MB

MD5
f6508d2987d06e8a2b35db02efd00938

SHA1
5f18992f1e89be67939473b27034ecaba8004d07

SHA256
a6107f1ca07b9fc317bb9eef4f50a1db1f31157ed1c7ee21898997e5d8854cd0

SHA512
714fc1dff427874e132b033a3c57549398a5aca2621151ebd1f101b133407bb45ba587a0944741d11482c6a68a1810a5806c6c822b5830106ce775ee96075df5

Download Submit
C:\Windows\System\pLInjZq.exe

Filesize
6.0MB

MD5
d327c70da3afd4c3bd7d0a47d043e43d

SHA1
39643e00da4cd149eb564fd60cbe4872202302a3

SHA256
532979bf4f74e11ed1f95acf2b62b9635c34c3f1a819b97fcf9eb03bfc6312fa

SHA512
d8b3d91b35f9937c026999953541cecff55d32aff53f6c5bacdf3b843eff79e1ec2631673d88ad49dfa488d928e7168a5c78b2fb389342bfce857caa54860b2a

Download Submit
C:\Windows\System\qhRqbjM.exe

Filesize
6.0MB

MD5
83515ccf689b45b6cb401f11b3a16967

SHA1
b87eeeb1fb5ee7ccc08ba5c99f062407e259decf

SHA256
42d764680347c1082a548d4788bade747110c455b3993a4c5050eb8a36b47fd0

SHA512
a16355945047e73d6fa392c2d8d22d19edd1d85f08ee17469d10021ee8db7f633004335172213185abe8b260a2333953c261d941cb48cb03f5ddc193b9abe86e

Download Submit
C:\Windows\System\rpOSsKO.exe

Filesize
6.0MB

MD5
7cec66cdaf15ba794ce6f24c9659bade

SHA1
dbd14dae49314bf7c7395f98439a285cb67b9ea0

SHA256
5ef79fed095581df556f21db48cca840c3235a6ce7a4594f2f9e493f8515a87c

SHA512
da3dac359a806e7f513daa1638762ecdf9a016cdf1a3fa153753f352ac4f355cb9ceb17464f99fcf7763f41acb69202ae602511315a7c292a472bb3d7072a2ac

Download Submit
C:\Windows\System\sSzqmLb.exe

Filesize
6.0MB

MD5
a1061c7a5e119cfd3ea707cbfee1af19

SHA1
2fe1d59f738233735e1c262004a9f14058dce315

SHA256
a6efd3ef575b40601aa7afa38237a8d9c439d8c1f3fb8d93b2b9811c4d49610a

SHA512
5f084af30c7661a2efe7064cb62622f8701910b68c4d2f11f39e7a299e4cc3845b9d374dd8b4729fd50e50e1e5e7a63018c907b72eb722b968679f5d7ade5f10

Download Submit
C:\Windows\System\urPTmbn.exe

Filesize
6.0MB

MD5
e4377645ccaa84bec5b6b3420c959d44

SHA1
0fee0edc605ffb0e0cb3d7ef07af3d6cd1123865

SHA256
87f3c660834aa23e726b2d555cfb88901e62e47e1feff003da08e65035df29cf

SHA512
ff8f4acf0d384114f09340ca5b3ca1995a973f349da257893a52d66eda091af3c511ba2ee2ed49a9299b78a224734943a89a73c469d201fea591f8515698e12a

Download Submit
C:\Windows\System\wtswkeI.exe

Filesize
6.0MB

MD5
57ede0a9c812805dd1802268aef464ee

SHA1
ab08817e3666e45a640efc7665a7f2317be71c2a

SHA256
f28781599d467edd169a9997cd37ba2d606df113ae82ce1595dbbf322d50b3b0

SHA512
d7c8a651fb582a59283ab77f0153cc316063fad50eb9c75e849195208f8680355e19ae3485468de1f69bda6780ef175f74acb5fdcfa38f649d9f37d675f13495

Download Submit
C:\Windows\System\wvfbXCS.exe

Filesize
6.0MB

MD5
93941673e1b48473174b144733ffdff0

SHA1
574b9ca4db86659eb23360af15e5c242451af41f

SHA256
696c72b42ea86b989e0bbfd4442d2e066bb2b1611c6278760b7dcf84916c3d98

SHA512
01975c3caecc634cf5680694e6fa11ae857180f83d922b00ba6ca7140ce567345b5bd1c7190ed8e022c7edb4ebd139242a10ff79f37f628dfcfc9c1ba93a512b

Download Submit
C:\Windows\System\zIVfBuZ.exe

Filesize
6.0MB

MD5
4a3ceb143ff804c376fdf3dd7fe8d9db

SHA1
363d7069a060ddacad51f76063e0829e57ba36c0

SHA256
39839593c7ac5cff007f96bff8d778d3066e4c6316e492bae0cb247cc92c62e7

SHA512
5f9bd095911d1a3ab39721a3f8318f7f30ce22781fafe42f93b322aba795cdf057f481d89338a65d2d4ebefc76af5c69c307248b14b036d092e7c16876c266f4

Download Submit
memory/448-109-0x00007FF6FE930000-0x00007FF6FEC84000-memory.dmp

Filesize
3.3MB

Download
memory/448-2135-0x00007FF6FE930000-0x00007FF6FEC84000-memory.dmp

Filesize
3.3MB

Download
memory/548-742-0x00007FF6E33B0000-0x00007FF6E3704000-memory.dmp

Filesize
3.3MB

Download
memory/548-188-0x00007FF6E33B0000-0x00007FF6E3704000-memory.dmp

Filesize
3.3MB

Download
memory/548-2224-0x00007FF6E33B0000-0x00007FF6E3704000-memory.dmp

Filesize
3.3MB

Download
memory/624-117-0x00007FF6056B0000-0x00007FF605A04000-memory.dmp

Filesize
3.3MB

Download
memory/624-1583-0x00007FF6056B0000-0x00007FF605A04000-memory.dmp

Filesize
3.3MB

Download
memory/624-50-0x00007FF6056B0000-0x00007FF605A04000-memory.dmp

Filesize
3.3MB

Download
memory/1088-385-0x00007FF7E74A0000-0x00007FF7E77F4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-2156-0x00007FF7E74A0000-0x00007FF7E77F4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-127-0x00007FF7E74A0000-0x00007FF7E77F4000-memory.dmp

Filesize
3.3MB

Download
memory/1436-182-0x00007FF640EE0000-0x00007FF641234000-memory.dmp

Filesize
3.3MB

Download
memory/1436-2220-0x00007FF640EE0000-0x00007FF641234000-memory.dmp

Filesize
3.3MB

Download
memory/1436-687-0x00007FF640EE0000-0x00007FF641234000-memory.dmp

Filesize
3.3MB

Download
memory/1508-1606-0x00007FF615090000-0x00007FF6153E4000-memory.dmp

Filesize
3.3MB

Download
memory/1508-81-0x00007FF615090000-0x00007FF6153E4000-memory.dmp

Filesize
3.3MB

Download
memory/1508-161-0x00007FF615090000-0x00007FF6153E4000-memory.dmp

Filesize
3.3MB

Download
memory/1520-134-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp

Filesize
3.3MB

Download
memory/1520-63-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp

Filesize
3.3MB

Download
memory/1520-1595-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp

Filesize
3.3MB

Download
memory/1864-13-0x00007FF6C0400000-0x00007FF6C0754000-memory.dmp

Filesize
3.3MB

Download
memory/1864-95-0x00007FF6C0400000-0x00007FF6C0754000-memory.dmp

Filesize
3.3MB

Download
memory/1864-1550-0x00007FF6C0400000-0x00007FF6C0754000-memory.dmp

Filesize
3.3MB

Download
memory/1924-1594-0x00007FF6CF350000-0x00007FF6CF6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1924-135-0x00007FF6CF350000-0x00007FF6CF6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1924-64-0x00007FF6CF350000-0x00007FF6CF6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2252-2148-0x00007FF6EF780000-0x00007FF6EFAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2252-121-0x00007FF6EF780000-0x00007FF6EFAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2308-88-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp

Filesize
3.3MB

Download
memory/2308-8-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp

Filesize
3.3MB

Download
memory/2308-1504-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp

Filesize
3.3MB

Download
memory/2352-1605-0x00007FF7974E0000-0x00007FF797834000-memory.dmp

Filesize
3.3MB

Download
memory/2352-86-0x00007FF7974E0000-0x00007FF797834000-memory.dmp

Filesize
3.3MB

Download
memory/2352-152-0x00007FF7974E0000-0x00007FF797834000-memory.dmp

Filesize
3.3MB

Download
memory/2368-169-0x00007FF64A680000-0x00007FF64A9D4000-memory.dmp

Filesize
3.3MB

Download
memory/2368-686-0x00007FF64A680000-0x00007FF64A9D4000-memory.dmp

Filesize
3.3MB

Download
memory/2368-2187-0x00007FF64A680000-0x00007FF64A9D4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-24-0x00007FF69DD80000-0x00007FF69E0D4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-1558-0x00007FF69DD80000-0x00007FF69E0D4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-89-0x00007FF69DD80000-0x00007FF69E0D4000-memory.dmp

Filesize
3.3MB

Download
memory/2980-2166-0x00007FF7DEFB0000-0x00007FF7DF304000-memory.dmp

Filesize
3.3MB

Download
memory/2980-143-0x00007FF7DEFB0000-0x00007FF7DF304000-memory.dmp

Filesize
3.3MB

Download
memory/2980-497-0x00007FF7DEFB0000-0x00007FF7DF304000-memory.dmp

Filesize
3.3MB

Download
memory/3328-561-0x00007FF67E890000-0x00007FF67EBE4000-memory.dmp

Filesize
3.3MB

Download
memory/3328-146-0x00007FF67E890000-0x00007FF67EBE4000-memory.dmp

Filesize
3.3MB

Download
memory/3328-2167-0x00007FF67E890000-0x00007FF67EBE4000-memory.dmp

Filesize
3.3MB

Download
memory/3428-59-0x00007FF6042F0000-0x00007FF604644000-memory.dmp

Filesize
3.3MB

Download
memory/3428-124-0x00007FF6042F0000-0x00007FF604644000-memory.dmp

Filesize
3.3MB

Download
memory/3428-1588-0x00007FF6042F0000-0x00007FF604644000-memory.dmp

Filesize
3.3MB

Download
memory/3756-163-0x00007FF7B8990000-0x00007FF7B8CE4000-memory.dmp

Filesize
3.3MB

Download
memory/3756-2186-0x00007FF7B8990000-0x00007FF7B8CE4000-memory.dmp

Filesize
3.3MB

Download
memory/3756-563-0x00007FF7B8990000-0x00007FF7B8CE4000-memory.dmp

Filesize
3.3MB

Download
memory/3812-142-0x00007FF622D00000-0x00007FF623054000-memory.dmp

Filesize
3.3MB

Download
memory/3812-2161-0x00007FF622D00000-0x00007FF623054000-memory.dmp

Filesize
3.3MB

Download
memory/3812-435-0x00007FF622D00000-0x00007FF623054000-memory.dmp

Filesize
3.3MB

Download
memory/3948-58-0x00007FF642E40000-0x00007FF643194000-memory.dmp

Filesize
3.3MB

Download
memory/3948-122-0x00007FF642E40000-0x00007FF643194000-memory.dmp

Filesize
3.3MB

Download
memory/3948-1582-0x00007FF642E40000-0x00007FF643194000-memory.dmp

Filesize
3.3MB

Download
memory/3988-196-0x00007FF70CB30000-0x00007FF70CE84000-memory.dmp

Filesize
3.3MB

Download
memory/3988-2221-0x00007FF70CB30000-0x00007FF70CE84000-memory.dmp

Filesize
3.3MB

Download
memory/4140-35-0x00007FF6E2880000-0x00007FF6E2BD4000-memory.dmp

Filesize
3.3MB

Download
memory/4140-1565-0x00007FF6E2880000-0x00007FF6E2BD4000-memory.dmp

Filesize
3.3MB

Download
memory/4224-384-0x00007FF7B6BA0000-0x00007FF7B6EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4224-2151-0x00007FF7B6BA0000-0x00007FF7B6EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4224-125-0x00007FF7B6BA0000-0x00007FF7B6EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4296-87-0x00007FF7F79D0000-0x00007FF7F7D24000-memory.dmp

Filesize
3.3MB

Download
memory/4296-1-0x00000224DF310000-0x00000224DF320000-memory.dmp

Filesize
64KB

Download
memory/4296-0-0x00007FF7F79D0000-0x00007FF7F7D24000-memory.dmp

Filesize
3.3MB

Download
memory/4352-164-0x00007FF630E70000-0x00007FF6311C4000-memory.dmp

Filesize
3.3MB

Download
memory/4352-620-0x00007FF630E70000-0x00007FF6311C4000-memory.dmp

Filesize
3.3MB

Download
memory/4352-2185-0x00007FF630E70000-0x00007FF6311C4000-memory.dmp

Filesize
3.3MB

Download
memory/4492-116-0x00007FF7053A0000-0x00007FF7056F4000-memory.dmp

Filesize
3.3MB

Download
memory/4492-2139-0x00007FF7053A0000-0x00007FF7056F4000-memory.dmp

Filesize
3.3MB

Download
memory/4588-44-0x00007FF7CBB40000-0x00007FF7CBE94000-memory.dmp

Filesize
3.3MB

Download
memory/4588-111-0x00007FF7CBB40000-0x00007FF7CBE94000-memory.dmp

Filesize
3.3MB

Download
memory/4588-1578-0x00007FF7CBB40000-0x00007FF7CBE94000-memory.dmp

Filesize
3.3MB

Download
memory/4732-1609-0x00007FF785360000-0x00007FF7856B4000-memory.dmp

Filesize
3.3MB

Download
memory/4732-75-0x00007FF785360000-0x00007FF7856B4000-memory.dmp

Filesize
3.3MB

Download
memory/4732-151-0x00007FF785360000-0x00007FF7856B4000-memory.dmp

Filesize
3.3MB

Download
memory/5012-96-0x00007FF6A7C20000-0x00007FF6A7F74000-memory.dmp

Filesize
3.3MB

Download
memory/5012-2130-0x00007FF6A7C20000-0x00007FF6A7F74000-memory.dmp

Filesize
3.3MB

Download
memory/5068-32-0x00007FF6EE6B0000-0x00007FF6EEA04000-memory.dmp

Filesize
3.3MB

Download
memory/5068-1563-0x00007FF6EE6B0000-0x00007FF6EEA04000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads