cobaltstrike | e7532a3355d3d1d39197d60e07b29a8a3e3b4914153f71426d6ad7fd7a956833

Analysis

max time kernel
78s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2025 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

6.0MB
MD5

5f9d310a2d495f1e8efecf7f57c7ed1d
SHA1

b390ebd63af7c35283dbd7288c8cf240135e2c5b
SHA256

e7532a3355d3d1d39197d60e07b29a8a3e3b4914153f71426d6ad7fd7a956833
SHA512

e96010d4f610c9f2d3f5aed5d91186d4d7d2eec8d6ec80e822dc7d9e04d7f41aba1605d925b0ff8980f04b26886044cae28ec8942dd1d44797365c2511a6c79b
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lU/:T+q56utgpPF8u/7/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner persistence trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 32 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c87-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-14.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8f-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c91-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-67.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c88-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8e-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-138.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-143.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-157.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-163.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-155.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-146.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-176.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-172.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-196.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-199.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-197.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-192.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2624-0-0x00007FF6C7220000-0x00007FF6C7574000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c87-5.dat	xmrig
behavioral2/memory/2840-6-0x00007FF7DB790000-0x00007FF7DBAE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c8b-14.dat	xmrig
behavioral2/files/0x0007000000023c8f-30.dat	xmrig
behavioral2/files/0x0007000000023c8c-31.dat	xmrig
behavioral2/memory/348-37-0x00007FF617920000-0x00007FF617C74000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c91-40.dat	xmrig
behavioral2/memory/684-42-0x00007FF6DB030000-0x00007FF6DB384000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c93-52.dat	xmrig
behavioral2/files/0x0007000000023c92-51.dat	xmrig
behavioral2/files/0x0007000000023c95-67.dat	xmrig
behavioral2/files/0x0008000000023c88-79.dat	xmrig
behavioral2/files/0x0007000000023c99-93.dat	xmrig
behavioral2/memory/4612-102-0x00007FF7C8990000-0x00007FF7C8CE4000-memory.dmp	xmrig
behavioral2/memory/1120-104-0x00007FF757230000-0x00007FF757584000-memory.dmp	xmrig
behavioral2/memory/2016-103-0x00007FF7D9010000-0x00007FF7D9364000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c98-98.dat	xmrig
behavioral2/memory/1280-97-0x00007FF60CE00000-0x00007FF60D154000-memory.dmp	xmrig
behavioral2/memory/3608-94-0x00007FF6558D0000-0x00007FF655C24000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c97-91.dat	xmrig
behavioral2/files/0x0007000000023c96-89.dat	xmrig
behavioral2/memory/3928-87-0x00007FF7A0940000-0x00007FF7A0C94000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c94-82.dat	xmrig
behavioral2/memory/4100-68-0x00007FF66C680000-0x00007FF66C9D4000-memory.dmp	xmrig
behavioral2/memory/1104-63-0x00007FF7DE1B0000-0x00007FF7DE504000-memory.dmp	xmrig
behavioral2/memory/4908-61-0x00007FF7BCB10000-0x00007FF7BCE64000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c8e-50.dat	xmrig
behavioral2/files/0x0007000000023c90-49.dat	xmrig
behavioral2/memory/976-46-0x00007FF6A2BB0000-0x00007FF6A2F04000-memory.dmp	xmrig
behavioral2/memory/60-38-0x00007FF61D100000-0x00007FF61D454000-memory.dmp	xmrig
behavioral2/memory/4172-34-0x00007FF6B8450000-0x00007FF6B87A4000-memory.dmp	xmrig
behavioral2/memory/3384-27-0x00007FF755E10000-0x00007FF756164000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c8d-26.dat	xmrig
behavioral2/memory/4492-18-0x00007FF72B090000-0x00007FF72B3E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9a-107.dat	xmrig
behavioral2/memory/3884-108-0x00007FF67C3F0000-0x00007FF67C744000-memory.dmp	xmrig
behavioral2/memory/4492-115-0x00007FF72B090000-0x00007FF72B3E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9d-118.dat	xmrig
behavioral2/files/0x0007000000023ca0-138.dat	xmrig
behavioral2/files/0x0007000000023c9e-143.dat	xmrig
behavioral2/files/0x0007000000023ca2-157.dat	xmrig
behavioral2/memory/532-159-0x00007FF73D300000-0x00007FF73D654000-memory.dmp	xmrig
behavioral2/memory/1104-165-0x00007FF7DE1B0000-0x00007FF7DE504000-memory.dmp	xmrig
behavioral2/memory/4512-166-0x00007FF7D5E90000-0x00007FF7D61E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca3-163.dat	xmrig
behavioral2/memory/1424-160-0x00007FF69A9F0000-0x00007FF69AD44000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca1-155.dat	xmrig
behavioral2/memory/4376-154-0x00007FF707290000-0x00007FF7075E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9f-146.dat	xmrig
behavioral2/memory/1428-145-0x00007FF623490000-0x00007FF6237E4000-memory.dmp	xmrig
behavioral2/memory/3144-141-0x00007FF736B70000-0x00007FF736EC4000-memory.dmp	xmrig
behavioral2/memory/684-140-0x00007FF6DB030000-0x00007FF6DB384000-memory.dmp	xmrig
behavioral2/memory/348-139-0x00007FF617920000-0x00007FF617C74000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9c-133.dat	xmrig
behavioral2/memory/3384-131-0x00007FF755E10000-0x00007FF756164000-memory.dmp	xmrig
behavioral2/memory/4720-128-0x00007FF713E70000-0x00007FF7141C4000-memory.dmp	xmrig
behavioral2/memory/1216-126-0x00007FF7F34D0000-0x00007FF7F3824000-memory.dmp	xmrig
behavioral2/memory/4172-120-0x00007FF6B8450000-0x00007FF6B87A4000-memory.dmp	xmrig
behavioral2/memory/2840-119-0x00007FF7DB790000-0x00007FF7DBAE4000-memory.dmp	xmrig
behavioral2/memory/2624-112-0x00007FF6C7220000-0x00007FF6C7574000-memory.dmp	xmrig
behavioral2/memory/4908-169-0x00007FF7BCB10000-0x00007FF7BCE64000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca4-176.dat	xmrig
behavioral2/memory/4100-173-0x00007FF66C680000-0x00007FF66C9D4000-memory.dmp	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
2840	nZpjTdq.exe
4492	ZzIYYCI.exe
60	lwACowH.exe
3384	vEylmrF.exe
4172	NnNmuOF.exe
684	NgAGvoX.exe
348	iCVlEbf.exe
976	slcbecG.exe
4908	aWhuoDc.exe
1104	jiAnGLX.exe
4100	CYzmyxd.exe
3928	OiSGhZv.exe
3608	PhJMQIE.exe
2016	xvsGBTa.exe
1280	ylUSTNF.exe
1120	zLmujIg.exe
4612	hXCmbQm.exe
3884	zfGPpTM.exe
1216	LZlIbpx.exe
4720	QalYDiv.exe
3144	jcMmhVH.exe
4376	mbHFQiv.exe
1428	vDKvhfS.exe
532	HYEtxEV.exe
4512	NwouCUZ.exe
1424	fsDcvrj.exe
1776	MbuCHdj.exe
1828	lchrUDb.exe
4008	xyRKRaP.exe
912	JsvEsLM.exe
4140	eXcZQyc.exe
4804	MMzChlp.exe
4032	ncnAXiy.exe
4696	KKWGJOP.exe
2304	nkNvywv.exe
1668	BlyvgWJ.exe
2124	fzNbJxH.exe
5080	cgcaBDP.exe
380	cAPWvfK.exe
2316	WglAozf.exe
1220	AFobWHl.exe
3680	NnQNCKu.exe
1448	vaszJna.exe
4356	jYeLSso.exe
4336	wyrbJZa.exe
3252	EiHDujN.exe
1564	ZsdaaJg.exe
624	akBFfyk.exe
4604	mtgFyYu.exe
2932	rNgOnTE.exe
552	fpQcxcc.exe
4116	quYLDnq.exe
2744	afhArgT.exe
2344	xpqHRgG.exe
4800	NnyeJGL.exe
4052	dWUyxUe.exe
2792	QLXrQqX.exe
2352	NHbWZJu.exe
4880	YaVxGgd.exe
4136	OCpIupl.exe
3380	WxWcnlp.exe
3676	wGMWCbh.exe
2264	xIwGNtS.exe
3812	PUIWIjz.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2624-0-0x00007FF6C7220000-0x00007FF6C7574000-memory.dmp	upx
behavioral2/files/0x0008000000023c87-5.dat	upx
behavioral2/memory/2840-6-0x00007FF7DB790000-0x00007FF7DBAE4000-memory.dmp	upx
behavioral2/files/0x0007000000023c8b-14.dat	upx
behavioral2/files/0x0007000000023c8f-30.dat	upx
behavioral2/files/0x0007000000023c8c-31.dat	upx
behavioral2/memory/348-37-0x00007FF617920000-0x00007FF617C74000-memory.dmp	upx
behavioral2/files/0x0007000000023c91-40.dat	upx
behavioral2/memory/684-42-0x00007FF6DB030000-0x00007FF6DB384000-memory.dmp	upx
behavioral2/files/0x0007000000023c93-52.dat	upx
behavioral2/files/0x0007000000023c92-51.dat	upx
behavioral2/files/0x0007000000023c95-67.dat	upx
behavioral2/files/0x0008000000023c88-79.dat	upx
behavioral2/files/0x0007000000023c99-93.dat	upx
behavioral2/memory/4612-102-0x00007FF7C8990000-0x00007FF7C8CE4000-memory.dmp	upx
behavioral2/memory/1120-104-0x00007FF757230000-0x00007FF757584000-memory.dmp	upx
behavioral2/memory/2016-103-0x00007FF7D9010000-0x00007FF7D9364000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-98.dat	upx
behavioral2/memory/1280-97-0x00007FF60CE00000-0x00007FF60D154000-memory.dmp	upx
behavioral2/memory/3608-94-0x00007FF6558D0000-0x00007FF655C24000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-91.dat	upx
behavioral2/files/0x0007000000023c96-89.dat	upx
behavioral2/memory/3928-87-0x00007FF7A0940000-0x00007FF7A0C94000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-82.dat	upx
behavioral2/memory/4100-68-0x00007FF66C680000-0x00007FF66C9D4000-memory.dmp	upx
behavioral2/memory/1104-63-0x00007FF7DE1B0000-0x00007FF7DE504000-memory.dmp	upx
behavioral2/memory/4908-61-0x00007FF7BCB10000-0x00007FF7BCE64000-memory.dmp	upx
behavioral2/files/0x0007000000023c8e-50.dat	upx
behavioral2/files/0x0007000000023c90-49.dat	upx
behavioral2/memory/976-46-0x00007FF6A2BB0000-0x00007FF6A2F04000-memory.dmp	upx
behavioral2/memory/60-38-0x00007FF61D100000-0x00007FF61D454000-memory.dmp	upx
behavioral2/memory/4172-34-0x00007FF6B8450000-0x00007FF6B87A4000-memory.dmp	upx
behavioral2/memory/3384-27-0x00007FF755E10000-0x00007FF756164000-memory.dmp	upx
behavioral2/files/0x0007000000023c8d-26.dat	upx
behavioral2/memory/4492-18-0x00007FF72B090000-0x00007FF72B3E4000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-107.dat	upx
behavioral2/memory/3884-108-0x00007FF67C3F0000-0x00007FF67C744000-memory.dmp	upx
behavioral2/memory/4492-115-0x00007FF72B090000-0x00007FF72B3E4000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-118.dat	upx
behavioral2/files/0x0007000000023ca0-138.dat	upx
behavioral2/files/0x0007000000023c9e-143.dat	upx
behavioral2/files/0x0007000000023ca2-157.dat	upx
behavioral2/memory/532-159-0x00007FF73D300000-0x00007FF73D654000-memory.dmp	upx
behavioral2/memory/1104-165-0x00007FF7DE1B0000-0x00007FF7DE504000-memory.dmp	upx
behavioral2/memory/4512-166-0x00007FF7D5E90000-0x00007FF7D61E4000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-163.dat	upx
behavioral2/memory/1424-160-0x00007FF69A9F0000-0x00007FF69AD44000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-155.dat	upx
behavioral2/memory/4376-154-0x00007FF707290000-0x00007FF7075E4000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-146.dat	upx
behavioral2/memory/1428-145-0x00007FF623490000-0x00007FF6237E4000-memory.dmp	upx
behavioral2/memory/3144-141-0x00007FF736B70000-0x00007FF736EC4000-memory.dmp	upx
behavioral2/memory/684-140-0x00007FF6DB030000-0x00007FF6DB384000-memory.dmp	upx
behavioral2/memory/348-139-0x00007FF617920000-0x00007FF617C74000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-133.dat	upx
behavioral2/memory/3384-131-0x00007FF755E10000-0x00007FF756164000-memory.dmp	upx
behavioral2/memory/4720-128-0x00007FF713E70000-0x00007FF7141C4000-memory.dmp	upx
behavioral2/memory/1216-126-0x00007FF7F34D0000-0x00007FF7F3824000-memory.dmp	upx
behavioral2/memory/4172-120-0x00007FF6B8450000-0x00007FF6B87A4000-memory.dmp	upx
behavioral2/memory/2840-119-0x00007FF7DB790000-0x00007FF7DBAE4000-memory.dmp	upx
behavioral2/memory/2624-112-0x00007FF6C7220000-0x00007FF6C7574000-memory.dmp	upx
behavioral2/memory/4908-169-0x00007FF7BCB10000-0x00007FF7BCE64000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-176.dat	upx
behavioral2/memory/4100-173-0x00007FF66C680000-0x00007FF66C9D4000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\QkdtAFa.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\udYzLES.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jYeLSso.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kDzNiFs.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UvgAaSi.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YroYAHy.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OqlkfEo.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CgFbBIg.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uhDGvvV.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WANvpaG.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IcWGNSN.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iVfTkoy.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YSnqZTr.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HRYSIda.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dtQMKAR.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UxCSvbY.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iGcRmkV.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MvLcGNr.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pejkFFJ.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tYWrKLI.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tpxgDfX.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HjXENAB.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YBuBqTC.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dGGuLic.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iEUIrai.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LjhTbvh.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NJNwxNL.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HqSLewj.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MqsrnVZ.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SIPQsyk.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WErVcLp.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DkxiNYg.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fnLtaJh.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WyTnMPb.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tQDoSph.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nGrPhfn.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pAcXpIn.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ncrtMRH.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FNriTqi.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oUaSXJF.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BXRHIEH.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ItJehyf.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pcjgIYI.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yGqPpop.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NwoPVOW.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Pqibkds.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eWZZKXT.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tKFSMNm.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sLfYhYg.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jLaenPl.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WsvEgwO.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rljlFzr.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fzHgkam.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KRduuYJ.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ImrbdUz.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NujeTtt.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rlZYKqw.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HiKoome.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LGDrRqA.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DHNQbVu.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kxFuFtg.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XRcPYlG.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hsowDOw.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IdMzqep.exe	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\tn1031.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "L1036"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_it-IT.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "411"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech Recognition Engine - de-DE Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\VoiceActivation_de-DE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech Recognition Engine - fr-FR Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Haruka"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{15E16AEC-F2F0-4E52-B0DF-029D11E58E4B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Julie - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Ichiro"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "40C"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Hedda - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Hedda"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Helena"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_es-ES.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_HW_it-IT.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\VoiceActivation_ja-JP.dat"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech Recognition Engine - en-US Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR es-ES Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\AI043082"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "5218064"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\AI041033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "436;41c;401;801;c01;1001;1401;1801;1c01;2001;2401;2801;2c01;3001;3401;3801;3c01;4001;42b;42c;82c;42d;423;402;455;403;c04;1004;1404;41a;405;406;465;413;813;809;c09;1009;1409;1809;1c09;2009;2409;2809;2c09;3009;3409;425;438;429;40b;80c;c0c;100c;140c;180c;456;437;807;c07;1007;1407;408;447;40d;439;40e;40f;421;410;810;44b;457;412;812;440;426;427;827;42f;43e;83e;44e;450;414;814;415;416;816;446;418;419;44f;c1a;81a;41b;424;80a;100a;140a;180a;1c0a;200a;240a;280a;2c0a;300a;340a;380a;3c0a;400a;440a;480a;4c0a;500a;430;441;41d;81d;45a;449;444;44a;41e;41f;422;420;820;443;843;42a;540a"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech Recognition Engine - ja-JP Embedded DNN v11.1"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{6BE28B7B-4F34-4FD2-A505-CAFFA4D49229}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Hortense - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Ayumi - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\sidubm.table"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "11.0.2013.1022"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_fr-FR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Ichiro - Japanese (Japan)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "16000"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{31350404-77AC-4471-B33A-9020A2EDA1D1}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech HW Voice Activation - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR fr-FR Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR it-IT Lts Lexicon"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\MSTTSLocdeDE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Hedda"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "C0A"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR ja-JP Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Stefan"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "5248260"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	15088	explorer.exe
Token: SeCreatePagefilePrivilege	15088	explorer.exe
Token: SeShutdownPrivilege	15088	explorer.exe
Token: SeCreatePagefilePrivilege	15088	explorer.exe
Token: SeShutdownPrivilege	15088	explorer.exe
Token: SeCreatePagefilePrivilege	15088	explorer.exe
Token: SeShutdownPrivilege	15088	explorer.exe
Token: SeCreatePagefilePrivilege	15088	explorer.exe
Token: SeShutdownPrivilege	15088	explorer.exe
Token: SeCreatePagefilePrivilege	15088	explorer.exe
Token: SeShutdownPrivilege	15088	explorer.exe
Token: SeCreatePagefilePrivilege	15088	explorer.exe
Token: SeShutdownPrivilege	15088	explorer.exe
Token: SeCreatePagefilePrivilege	15088	explorer.exe
Token: SeShutdownPrivilege	15088	explorer.exe
Token: SeCreatePagefilePrivilege	15088	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeCreatePagefilePrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeCreatePagefilePrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeCreatePagefilePrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeCreatePagefilePrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeCreatePagefilePrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeCreatePagefilePrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeCreatePagefilePrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeCreatePagefilePrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeCreatePagefilePrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeCreatePagefilePrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeCreatePagefilePrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeCreatePagefilePrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeCreatePagefilePrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeCreatePagefilePrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	2980	explorer.exe
Token: SeCreatePagefilePrivilege	2980	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe
Token: SeShutdownPrivilege	4476	explorer.exe
Token: SeCreatePagefilePrivilege	4476	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1060	sihost.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
15088	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
4476	explorer.exe
7652	explorer.exe
7652	explorer.exe
7652	explorer.exe
7652	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
14684	StartMenuExperienceHost.exe
5860	StartMenuExperienceHost.exe
5404	SearchApp.exe
7456	StartMenuExperienceHost.exe
7872	SearchApp.exe
8832	StartMenuExperienceHost.exe
5852	SearchApp.exe
5280	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2840	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2624 wrote to memory of 2840	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2624 wrote to memory of 4492	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2624 wrote to memory of 4492	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2624 wrote to memory of 3384	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2624 wrote to memory of 3384	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2624 wrote to memory of 60	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2624 wrote to memory of 60	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2624 wrote to memory of 4172	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2624 wrote to memory of 4172	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2624 wrote to memory of 684	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2624 wrote to memory of 684	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2624 wrote to memory of 348	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2624 wrote to memory of 348	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2624 wrote to memory of 976	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2624 wrote to memory of 976	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2624 wrote to memory of 4908	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2624 wrote to memory of 4908	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2624 wrote to memory of 1104	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2624 wrote to memory of 1104	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2624 wrote to memory of 3608	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2624 wrote to memory of 3608	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2624 wrote to memory of 4100	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2624 wrote to memory of 4100	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2624 wrote to memory of 3928	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2624 wrote to memory of 3928	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2624 wrote to memory of 2016	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2624 wrote to memory of 2016	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2624 wrote to memory of 1280	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2624 wrote to memory of 1280	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2624 wrote to memory of 1120	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2624 wrote to memory of 1120	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2624 wrote to memory of 4612	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2624 wrote to memory of 4612	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2624 wrote to memory of 3884	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2624 wrote to memory of 3884	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2624 wrote to memory of 1216	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2624 wrote to memory of 1216	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2624 wrote to memory of 4720	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2624 wrote to memory of 4720	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2624 wrote to memory of 3144	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2624 wrote to memory of 3144	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2624 wrote to memory of 4376	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2624 wrote to memory of 4376	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2624 wrote to memory of 1428	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2624 wrote to memory of 1428	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2624 wrote to memory of 532	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2624 wrote to memory of 532	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2624 wrote to memory of 4512	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2624 wrote to memory of 4512	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2624 wrote to memory of 1424	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2624 wrote to memory of 1424	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2624 wrote to memory of 1828	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2624 wrote to memory of 1828	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2624 wrote to memory of 1776	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 2624 wrote to memory of 1776	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 2624 wrote to memory of 4008	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 2624 wrote to memory of 4008	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 2624 wrote to memory of 912	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 2624 wrote to memory of 912	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 2624 wrote to memory of 4140	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 2624 wrote to memory of 4140	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 2624 wrote to memory of 4804	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 2624 wrote to memory of 4804	2624	2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-29_5f9d310a2d495f1e8efecf7f57c7ed1d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\System\nZpjTdq.exe
  C:\Windows\System\nZpjTdq.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\ZzIYYCI.exe
  C:\Windows\System\ZzIYYCI.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\vEylmrF.exe
  C:\Windows\System\vEylmrF.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System\lwACowH.exe
  C:\Windows\System\lwACowH.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\NnNmuOF.exe
  C:\Windows\System\NnNmuOF.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\NgAGvoX.exe
  C:\Windows\System\NgAGvoX.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System\iCVlEbf.exe
  C:\Windows\System\iCVlEbf.exe
  2⤵
  - Executes dropped EXE
  PID:348
- C:\Windows\System\slcbecG.exe
  C:\Windows\System\slcbecG.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System\aWhuoDc.exe
  C:\Windows\System\aWhuoDc.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\jiAnGLX.exe
  C:\Windows\System\jiAnGLX.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System\PhJMQIE.exe
  C:\Windows\System\PhJMQIE.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\CYzmyxd.exe
  C:\Windows\System\CYzmyxd.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\OiSGhZv.exe
  C:\Windows\System\OiSGhZv.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\xvsGBTa.exe
  C:\Windows\System\xvsGBTa.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\ylUSTNF.exe
  C:\Windows\System\ylUSTNF.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System\zLmujIg.exe
  C:\Windows\System\zLmujIg.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System\hXCmbQm.exe
  C:\Windows\System\hXCmbQm.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\zfGPpTM.exe
  C:\Windows\System\zfGPpTM.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System\LZlIbpx.exe
  C:\Windows\System\LZlIbpx.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\QalYDiv.exe
  C:\Windows\System\QalYDiv.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\jcMmhVH.exe
  C:\Windows\System\jcMmhVH.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\mbHFQiv.exe
  C:\Windows\System\mbHFQiv.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\vDKvhfS.exe
  C:\Windows\System\vDKvhfS.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System\HYEtxEV.exe
  C:\Windows\System\HYEtxEV.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\NwouCUZ.exe
  C:\Windows\System\NwouCUZ.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\fsDcvrj.exe
  C:\Windows\System\fsDcvrj.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System\lchrUDb.exe
  C:\Windows\System\lchrUDb.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\MbuCHdj.exe
  C:\Windows\System\MbuCHdj.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System\xyRKRaP.exe
  C:\Windows\System\xyRKRaP.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System\JsvEsLM.exe
  C:\Windows\System\JsvEsLM.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\System\eXcZQyc.exe
  C:\Windows\System\eXcZQyc.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System\MMzChlp.exe
  C:\Windows\System\MMzChlp.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\ncnAXiy.exe
  C:\Windows\System\ncnAXiy.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System\KKWGJOP.exe
  C:\Windows\System\KKWGJOP.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\nkNvywv.exe
  C:\Windows\System\nkNvywv.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System\BlyvgWJ.exe
  C:\Windows\System\BlyvgWJ.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\fzNbJxH.exe
  C:\Windows\System\fzNbJxH.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System\cgcaBDP.exe
  C:\Windows\System\cgcaBDP.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\cAPWvfK.exe
  C:\Windows\System\cAPWvfK.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\WglAozf.exe
  C:\Windows\System\WglAozf.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\AFobWHl.exe
  C:\Windows\System\AFobWHl.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\NnQNCKu.exe
  C:\Windows\System\NnQNCKu.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\vaszJna.exe
  C:\Windows\System\vaszJna.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\jYeLSso.exe
  C:\Windows\System\jYeLSso.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System\wyrbJZa.exe
  C:\Windows\System\wyrbJZa.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\EiHDujN.exe
  C:\Windows\System\EiHDujN.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System\ZsdaaJg.exe
  C:\Windows\System\ZsdaaJg.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\akBFfyk.exe
  C:\Windows\System\akBFfyk.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\mtgFyYu.exe
  C:\Windows\System\mtgFyYu.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\rNgOnTE.exe
  C:\Windows\System\rNgOnTE.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\fpQcxcc.exe
  C:\Windows\System\fpQcxcc.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\quYLDnq.exe
  C:\Windows\System\quYLDnq.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System\afhArgT.exe
  C:\Windows\System\afhArgT.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\xpqHRgG.exe
  C:\Windows\System\xpqHRgG.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\NnyeJGL.exe
  C:\Windows\System\NnyeJGL.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System\dWUyxUe.exe
  C:\Windows\System\dWUyxUe.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System\QLXrQqX.exe
  C:\Windows\System\QLXrQqX.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\NHbWZJu.exe
  C:\Windows\System\NHbWZJu.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\YaVxGgd.exe
  C:\Windows\System\YaVxGgd.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\OCpIupl.exe
  C:\Windows\System\OCpIupl.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System\WxWcnlp.exe
  C:\Windows\System\WxWcnlp.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System\wGMWCbh.exe
  C:\Windows\System\wGMWCbh.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\xIwGNtS.exe
  C:\Windows\System\xIwGNtS.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\PUIWIjz.exe
  C:\Windows\System\PUIWIjz.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System\JwupWzW.exe
  C:\Windows\System\JwupWzW.exe
  2⤵
  PID:1792
- C:\Windows\System\tYWrKLI.exe
  C:\Windows\System\tYWrKLI.exe
  2⤵
  PID:3764
- C:\Windows\System\Kiwjpzq.exe
  C:\Windows\System\Kiwjpzq.exe
  2⤵
  PID:2424
- C:\Windows\System\AzRjESz.exe
  C:\Windows\System\AzRjESz.exe
  2⤵
  PID:1152
- C:\Windows\System\HRYSIda.exe
  C:\Windows\System\HRYSIda.exe
  2⤵
  PID:4984
- C:\Windows\System\NIBTxIj.exe
  C:\Windows\System\NIBTxIj.exe
  2⤵
  PID:2644
- C:\Windows\System\YZryzZg.exe
  C:\Windows\System\YZryzZg.exe
  2⤵
  PID:3832
- C:\Windows\System\ishGQqG.exe
  C:\Windows\System\ishGQqG.exe
  2⤵
  PID:1588
- C:\Windows\System\eedmlqY.exe
  C:\Windows\System\eedmlqY.exe
  2⤵
  PID:2020
- C:\Windows\System\bVBLHkO.exe
  C:\Windows\System\bVBLHkO.exe
  2⤵
  PID:4684
- C:\Windows\System\oNAcAaP.exe
  C:\Windows\System\oNAcAaP.exe
  2⤵
  PID:4092
- C:\Windows\System\xCIsgwu.exe
  C:\Windows\System\xCIsgwu.exe
  2⤵
  PID:4272
- C:\Windows\System\VBduehl.exe
  C:\Windows\System\VBduehl.exe
  2⤵
  PID:3836
- C:\Windows\System\SCHNnEx.exe
  C:\Windows\System\SCHNnEx.exe
  2⤵
  PID:3152
- C:\Windows\System\tKELWGM.exe
  C:\Windows\System\tKELWGM.exe
  2⤵
  PID:4960
- C:\Windows\System\BRiPILT.exe
  C:\Windows\System\BRiPILT.exe
  2⤵
  PID:3520
- C:\Windows\System\bkriOGs.exe
  C:\Windows\System\bkriOGs.exe
  2⤵
  PID:1556
- C:\Windows\System\TgJtUvO.exe
  C:\Windows\System\TgJtUvO.exe
  2⤵
  PID:4592
- C:\Windows\System\sFSooNb.exe
  C:\Windows\System\sFSooNb.exe
  2⤵
  PID:2948
- C:\Windows\System\wUtYEBC.exe
  C:\Windows\System\wUtYEBC.exe
  2⤵
  PID:2324
- C:\Windows\System\oVPhfZB.exe
  C:\Windows\System\oVPhfZB.exe
  2⤵
  PID:4780
- C:\Windows\System\hsowDOw.exe
  C:\Windows\System\hsowDOw.exe
  2⤵
  PID:4640
- C:\Windows\System\GIqmZht.exe
  C:\Windows\System\GIqmZht.exe
  2⤵
  PID:4588
- C:\Windows\System\BXRHIEH.exe
  C:\Windows\System\BXRHIEH.exe
  2⤵
  PID:3964
- C:\Windows\System\SJqtQFD.exe
  C:\Windows\System\SJqtQFD.exe
  2⤵
  PID:3940
- C:\Windows\System\Icmlyfl.exe
  C:\Windows\System\Icmlyfl.exe
  2⤵
  PID:3936
- C:\Windows\System\EkOfhgZ.exe
  C:\Windows\System\EkOfhgZ.exe
  2⤵
  PID:5104
- C:\Windows\System\PLlfBZi.exe
  C:\Windows\System\PLlfBZi.exe
  2⤵
  PID:3112
- C:\Windows\System\YEpifQW.exe
  C:\Windows\System\YEpifQW.exe
  2⤵
  PID:3616
- C:\Windows\System\zigMDsB.exe
  C:\Windows\System\zigMDsB.exe
  2⤵
  PID:4548
- C:\Windows\System\IdMzqep.exe
  C:\Windows\System\IdMzqep.exe
  2⤵
  PID:864
- C:\Windows\System\RdfHBkZ.exe
  C:\Windows\System\RdfHBkZ.exe
  2⤵
  PID:3212
- C:\Windows\System\asAbpOH.exe
  C:\Windows\System\asAbpOH.exe
  2⤵
  PID:4320
- C:\Windows\System\bhJemKR.exe
  C:\Windows\System\bhJemKR.exe
  2⤵
  PID:1784
- C:\Windows\System\AwoHoHP.exe
  C:\Windows\System\AwoHoHP.exe
  2⤵
  PID:3860
- C:\Windows\System\tQDoSph.exe
  C:\Windows\System\tQDoSph.exe
  2⤵
  PID:4632
- C:\Windows\System\NZmXpcd.exe
  C:\Windows\System\NZmXpcd.exe
  2⤵
  PID:4980
- C:\Windows\System\JUloVsA.exe
  C:\Windows\System\JUloVsA.exe
  2⤵
  PID:3824
- C:\Windows\System\mxDSOwC.exe
  C:\Windows\System\mxDSOwC.exe
  2⤵
  PID:1388
- C:\Windows\System\aEaUdzA.exe
  C:\Windows\System\aEaUdzA.exe
  2⤵
  PID:1268
- C:\Windows\System\knqXzBE.exe
  C:\Windows\System\knqXzBE.exe
  2⤵
  PID:4340
- C:\Windows\System\uZwdwrF.exe
  C:\Windows\System\uZwdwrF.exe
  2⤵
  PID:3736
- C:\Windows\System\kBeSFWl.exe
  C:\Windows\System\kBeSFWl.exe
  2⤵
  PID:3008
- C:\Windows\System\VUNFImj.exe
  C:\Windows\System\VUNFImj.exe
  2⤵
  PID:2528
- C:\Windows\System\OyvxOjp.exe
  C:\Windows\System\OyvxOjp.exe
  2⤵
  PID:3200
- C:\Windows\System\IogAwfC.exe
  C:\Windows\System\IogAwfC.exe
  2⤵
  PID:1908
- C:\Windows\System\tpxgDfX.exe
  C:\Windows\System\tpxgDfX.exe
  2⤵
  PID:4876
- C:\Windows\System\ElniRhv.exe
  C:\Windows\System\ElniRhv.exe
  2⤵
  PID:752
- C:\Windows\System\lJRxYnV.exe
  C:\Windows\System\lJRxYnV.exe
  2⤵
  PID:2112
- C:\Windows\System\cXcalVf.exe
  C:\Windows\System\cXcalVf.exe
  2⤵
  PID:5136
- C:\Windows\System\nmHuKSg.exe
  C:\Windows\System\nmHuKSg.exe
  2⤵
  PID:5164
- C:\Windows\System\swQbKId.exe
  C:\Windows\System\swQbKId.exe
  2⤵
  PID:5192
- C:\Windows\System\TXXOKkd.exe
  C:\Windows\System\TXXOKkd.exe
  2⤵
  PID:5220
- C:\Windows\System\CqcqWFo.exe
  C:\Windows\System\CqcqWFo.exe
  2⤵
  PID:5248
- C:\Windows\System\TyMUKzh.exe
  C:\Windows\System\TyMUKzh.exe
  2⤵
  PID:5280
- C:\Windows\System\NujeTtt.exe
  C:\Windows\System\NujeTtt.exe
  2⤵
  PID:5308
- C:\Windows\System\kDzNiFs.exe
  C:\Windows\System\kDzNiFs.exe
  2⤵
  PID:5332
- C:\Windows\System\Kqlyttg.exe
  C:\Windows\System\Kqlyttg.exe
  2⤵
  PID:5364
- C:\Windows\System\LSVpcmf.exe
  C:\Windows\System\LSVpcmf.exe
  2⤵
  PID:5396
- C:\Windows\System\BtegVsP.exe
  C:\Windows\System\BtegVsP.exe
  2⤵
  PID:5424
- C:\Windows\System\bIflYyy.exe
  C:\Windows\System\bIflYyy.exe
  2⤵
  PID:5452
- C:\Windows\System\tFbKWPN.exe
  C:\Windows\System\tFbKWPN.exe
  2⤵
  PID:5480
- C:\Windows\System\BOpRKjo.exe
  C:\Windows\System\BOpRKjo.exe
  2⤵
  PID:5508
- C:\Windows\System\hvWipKb.exe
  C:\Windows\System\hvWipKb.exe
  2⤵
  PID:5536
- C:\Windows\System\xvadGvo.exe
  C:\Windows\System\xvadGvo.exe
  2⤵
  PID:5564
- C:\Windows\System\RwNQXGD.exe
  C:\Windows\System\RwNQXGD.exe
  2⤵
  PID:5592
- C:\Windows\System\iPIBjnA.exe
  C:\Windows\System\iPIBjnA.exe
  2⤵
  PID:5620
- C:\Windows\System\JyxxrWM.exe
  C:\Windows\System\JyxxrWM.exe
  2⤵
  PID:5644
- C:\Windows\System\WWAyoEH.exe
  C:\Windows\System\WWAyoEH.exe
  2⤵
  PID:5676
- C:\Windows\System\sQhhcbp.exe
  C:\Windows\System\sQhhcbp.exe
  2⤵
  PID:5708
- C:\Windows\System\VUxxYhH.exe
  C:\Windows\System\VUxxYhH.exe
  2⤵
  PID:5732
- C:\Windows\System\ElzXoYi.exe
  C:\Windows\System\ElzXoYi.exe
  2⤵
  PID:5764
- C:\Windows\System\dtQMKAR.exe
  C:\Windows\System\dtQMKAR.exe
  2⤵
  PID:5788
- C:\Windows\System\IZYSXkC.exe
  C:\Windows\System\IZYSXkC.exe
  2⤵
  PID:5816
- C:\Windows\System\XHUbuJS.exe
  C:\Windows\System\XHUbuJS.exe
  2⤵
  PID:5844
- C:\Windows\System\rlZYKqw.exe
  C:\Windows\System\rlZYKqw.exe
  2⤵
  PID:5876
- C:\Windows\System\NyZumiu.exe
  C:\Windows\System\NyZumiu.exe
  2⤵
  PID:5904
- C:\Windows\System\WWakWTd.exe
  C:\Windows\System\WWakWTd.exe
  2⤵
  PID:5920
- C:\Windows\System\unbyxxl.exe
  C:\Windows\System\unbyxxl.exe
  2⤵
  PID:5956
- C:\Windows\System\zpTQrNR.exe
  C:\Windows\System\zpTQrNR.exe
  2⤵
  PID:5988
- C:\Windows\System\rMFajZz.exe
  C:\Windows\System\rMFajZz.exe
  2⤵
  PID:6020
- C:\Windows\System\DzyHdXr.exe
  C:\Windows\System\DzyHdXr.exe
  2⤵
  PID:6052
- C:\Windows\System\mkVotao.exe
  C:\Windows\System\mkVotao.exe
  2⤵
  PID:6080
- C:\Windows\System\syABanT.exe
  C:\Windows\System\syABanT.exe
  2⤵
  PID:6108
- C:\Windows\System\iMcvDJT.exe
  C:\Windows\System\iMcvDJT.exe
  2⤵
  PID:6136
- C:\Windows\System\HqSLewj.exe
  C:\Windows\System\HqSLewj.exe
  2⤵
  PID:5152
- C:\Windows\System\PFiiLtL.exe
  C:\Windows\System\PFiiLtL.exe
  2⤵
  PID:932
- C:\Windows\System\TfVMxkh.exe
  C:\Windows\System\TfVMxkh.exe
  2⤵
  PID:5300
- C:\Windows\System\dPjNCHj.exe
  C:\Windows\System\dPjNCHj.exe
  2⤵
  PID:5376
- C:\Windows\System\KJzNvDf.exe
  C:\Windows\System\KJzNvDf.exe
  2⤵
  PID:5448
- C:\Windows\System\frtTIyP.exe
  C:\Windows\System\frtTIyP.exe
  2⤵
  PID:5496
- C:\Windows\System\qkgVVvO.exe
  C:\Windows\System\qkgVVvO.exe
  2⤵
  PID:5552
- C:\Windows\System\glfJoyZ.exe
  C:\Windows\System\glfJoyZ.exe
  2⤵
  PID:5632
- C:\Windows\System\gMliXws.exe
  C:\Windows\System\gMliXws.exe
  2⤵
  PID:5696
- C:\Windows\System\JIRnFpT.exe
  C:\Windows\System\JIRnFpT.exe
  2⤵
  PID:5772
- C:\Windows\System\XXEbcjd.exe
  C:\Windows\System\XXEbcjd.exe
  2⤵
  PID:5832
- C:\Windows\System\YvAfvbJ.exe
  C:\Windows\System\YvAfvbJ.exe
  2⤵
  PID:5884
- C:\Windows\System\KFxliCi.exe
  C:\Windows\System\KFxliCi.exe
  2⤵
  PID:5940
- C:\Windows\System\emsCxlu.exe
  C:\Windows\System\emsCxlu.exe
  2⤵
  PID:6000
- C:\Windows\System\kTbKsyb.exe
  C:\Windows\System\kTbKsyb.exe
  2⤵
  PID:6076
- C:\Windows\System\gFZiynu.exe
  C:\Windows\System\gFZiynu.exe
  2⤵
  PID:6124
- C:\Windows\System\JMZzaYr.exe
  C:\Windows\System\JMZzaYr.exe
  2⤵
  PID:5276
- C:\Windows\System\mKnLPXM.exe
  C:\Windows\System\mKnLPXM.exe
  2⤵
  PID:5420
- C:\Windows\System\nGdTVra.exe
  C:\Windows\System\nGdTVra.exe
  2⤵
  PID:5580
- C:\Windows\System\iBDHsGk.exe
  C:\Windows\System\iBDHsGk.exe
  2⤵
  PID:5760
- C:\Windows\System\HxZPJgE.exe
  C:\Windows\System\HxZPJgE.exe
  2⤵
  PID:5900
- C:\Windows\System\HiWlxMX.exe
  C:\Windows\System\HiWlxMX.exe
  2⤵
  PID:6032
- C:\Windows\System\WVEfSqE.exe
  C:\Windows\System\WVEfSqE.exe
  2⤵
  PID:5188
- C:\Windows\System\EYUexKI.exe
  C:\Windows\System\EYUexKI.exe
  2⤵
  PID:5544
- C:\Windows\System\AhMyvSF.exe
  C:\Windows\System\AhMyvSF.exe
  2⤵
  PID:5800
- C:\Windows\System\QqwvoUx.exe
  C:\Windows\System\QqwvoUx.exe
  2⤵
  PID:5228
- C:\Windows\System\zEjuhTC.exe
  C:\Windows\System\zEjuhTC.exe
  2⤵
  PID:5144
- C:\Windows\System\yBKWfcF.exe
  C:\Windows\System\yBKWfcF.exe
  2⤵
  PID:6152
- C:\Windows\System\TLetOre.exe
  C:\Windows\System\TLetOre.exe
  2⤵
  PID:6180
- C:\Windows\System\HiCXNZf.exe
  C:\Windows\System\HiCXNZf.exe
  2⤵
  PID:6208
- C:\Windows\System\gubhPTS.exe
  C:\Windows\System\gubhPTS.exe
  2⤵
  PID:6236
- C:\Windows\System\tJuEsAH.exe
  C:\Windows\System\tJuEsAH.exe
  2⤵
  PID:6264
- C:\Windows\System\pbdKrEk.exe
  C:\Windows\System\pbdKrEk.exe
  2⤵
  PID:6292
- C:\Windows\System\nJiuUvu.exe
  C:\Windows\System\nJiuUvu.exe
  2⤵
  PID:6320
- C:\Windows\System\xPTZDIx.exe
  C:\Windows\System\xPTZDIx.exe
  2⤵
  PID:6340
- C:\Windows\System\HiKoome.exe
  C:\Windows\System\HiKoome.exe
  2⤵
  PID:6368
- C:\Windows\System\tKFSMNm.exe
  C:\Windows\System\tKFSMNm.exe
  2⤵
  PID:6404
- C:\Windows\System\HjXENAB.exe
  C:\Windows\System\HjXENAB.exe
  2⤵
  PID:6424
- C:\Windows\System\CMDINhW.exe
  C:\Windows\System\CMDINhW.exe
  2⤵
  PID:6464
- C:\Windows\System\eClmIaT.exe
  C:\Windows\System\eClmIaT.exe
  2⤵
  PID:6492
- C:\Windows\System\JBhGKCq.exe
  C:\Windows\System\JBhGKCq.exe
  2⤵
  PID:6520
- C:\Windows\System\nZpWkKq.exe
  C:\Windows\System\nZpWkKq.exe
  2⤵
  PID:6548
- C:\Windows\System\LBCdilD.exe
  C:\Windows\System\LBCdilD.exe
  2⤵
  PID:6576
- C:\Windows\System\YPmVrdH.exe
  C:\Windows\System\YPmVrdH.exe
  2⤵
  PID:6604
- C:\Windows\System\OVaJioG.exe
  C:\Windows\System\OVaJioG.exe
  2⤵
  PID:6632
- C:\Windows\System\qHtavIR.exe
  C:\Windows\System\qHtavIR.exe
  2⤵
  PID:6660
- C:\Windows\System\FZpYgVK.exe
  C:\Windows\System\FZpYgVK.exe
  2⤵
  PID:6688
- C:\Windows\System\FNmkzXE.exe
  C:\Windows\System\FNmkzXE.exe
  2⤵
  PID:6720
- C:\Windows\System\xhFloTd.exe
  C:\Windows\System\xhFloTd.exe
  2⤵
  PID:6748
- C:\Windows\System\gHTcECk.exe
  C:\Windows\System\gHTcECk.exe
  2⤵
  PID:6776
- C:\Windows\System\TYmEreR.exe
  C:\Windows\System\TYmEreR.exe
  2⤵
  PID:6804
- C:\Windows\System\PBjHbYs.exe
  C:\Windows\System\PBjHbYs.exe
  2⤵
  PID:6832
- C:\Windows\System\qNYBxVs.exe
  C:\Windows\System\qNYBxVs.exe
  2⤵
  PID:6860
- C:\Windows\System\JXmRKks.exe
  C:\Windows\System\JXmRKks.exe
  2⤵
  PID:6888
- C:\Windows\System\XQCNJFj.exe
  C:\Windows\System\XQCNJFj.exe
  2⤵
  PID:6916
- C:\Windows\System\GBTJRaX.exe
  C:\Windows\System\GBTJRaX.exe
  2⤵
  PID:6948
- C:\Windows\System\BSoVNQP.exe
  C:\Windows\System\BSoVNQP.exe
  2⤵
  PID:6976
- C:\Windows\System\SIySsXr.exe
  C:\Windows\System\SIySsXr.exe
  2⤵
  PID:6992
- C:\Windows\System\ibdsYnc.exe
  C:\Windows\System\ibdsYnc.exe
  2⤵
  PID:7028
- C:\Windows\System\mlukAHM.exe
  C:\Windows\System\mlukAHM.exe
  2⤵
  PID:7056
- C:\Windows\System\YAMfkHQ.exe
  C:\Windows\System\YAMfkHQ.exe
  2⤵
  PID:7088
- C:\Windows\System\JkGWPyF.exe
  C:\Windows\System\JkGWPyF.exe
  2⤵
  PID:7116
- C:\Windows\System\dszfNfR.exe
  C:\Windows\System\dszfNfR.exe
  2⤵
  PID:7144
- C:\Windows\System\YqiZVux.exe
  C:\Windows\System\YqiZVux.exe
  2⤵
  PID:6148
- C:\Windows\System\sLfYhYg.exe
  C:\Windows\System\sLfYhYg.exe
  2⤵
  PID:6216
- C:\Windows\System\XyiopQO.exe
  C:\Windows\System\XyiopQO.exe
  2⤵
  PID:6288
- C:\Windows\System\uCCRlYq.exe
  C:\Windows\System\uCCRlYq.exe
  2⤵
  PID:6348
- C:\Windows\System\TFsykvp.exe
  C:\Windows\System\TFsykvp.exe
  2⤵
  PID:6416
- C:\Windows\System\xxSovvl.exe
  C:\Windows\System\xxSovvl.exe
  2⤵
  PID:6488
- C:\Windows\System\jTSRugE.exe
  C:\Windows\System\jTSRugE.exe
  2⤵
  PID:6544
- C:\Windows\System\bNTpVmg.exe
  C:\Windows\System\bNTpVmg.exe
  2⤵
  PID:6592
- C:\Windows\System\tXmYDFE.exe
  C:\Windows\System\tXmYDFE.exe
  2⤵
  PID:6668
- C:\Windows\System\nltFoeU.exe
  C:\Windows\System\nltFoeU.exe
  2⤵
  PID:6704
- C:\Windows\System\guNEpuq.exe
  C:\Windows\System\guNEpuq.exe
  2⤵
  PID:6764
- C:\Windows\System\FEThGTw.exe
  C:\Windows\System\FEThGTw.exe
  2⤵
  PID:6856
- C:\Windows\System\UvgAaSi.exe
  C:\Windows\System\UvgAaSi.exe
  2⤵
  PID:6884
- C:\Windows\System\lczgRyz.exe
  C:\Windows\System\lczgRyz.exe
  2⤵
  PID:6936
- C:\Windows\System\heyUgwt.exe
  C:\Windows\System\heyUgwt.exe
  2⤵
  PID:7040
- C:\Windows\System\NeTqjuG.exe
  C:\Windows\System\NeTqjuG.exe
  2⤵
  PID:7104
- C:\Windows\System\sKiEbne.exe
  C:\Windows\System\sKiEbne.exe
  2⤵
  PID:6196
- C:\Windows\System\LBxnMyn.exe
  C:\Windows\System\LBxnMyn.exe
  2⤵
  PID:6460
- C:\Windows\System\MHCQscI.exe
  C:\Windows\System\MHCQscI.exe
  2⤵
  PID:6564
- C:\Windows\System\UjGiXob.exe
  C:\Windows\System\UjGiXob.exe
  2⤵
  PID:6792
- C:\Windows\System\DqgJWBm.exe
  C:\Windows\System\DqgJWBm.exe
  2⤵
  PID:7016
- C:\Windows\System\RLZxVdL.exe
  C:\Windows\System\RLZxVdL.exe
  2⤵
  PID:2140
- C:\Windows\System\uhDGvvV.exe
  C:\Windows\System\uhDGvvV.exe
  2⤵
  PID:7172
- C:\Windows\System\SKPaZZu.exe
  C:\Windows\System\SKPaZZu.exe
  2⤵
  PID:7216
- C:\Windows\System\DMXaTIX.exe
  C:\Windows\System\DMXaTIX.exe
  2⤵
  PID:7256
- C:\Windows\System\pvgxLuu.exe
  C:\Windows\System\pvgxLuu.exe
  2⤵
  PID:7284
- C:\Windows\System\lIPXWKQ.exe
  C:\Windows\System\lIPXWKQ.exe
  2⤵
  PID:7312
- C:\Windows\System\yeYWkdA.exe
  C:\Windows\System\yeYWkdA.exe
  2⤵
  PID:7340
- C:\Windows\System\KKDxqne.exe
  C:\Windows\System\KKDxqne.exe
  2⤵
  PID:7384
- C:\Windows\System\KBRPVmR.exe
  C:\Windows\System\KBRPVmR.exe
  2⤵
  PID:7412
- C:\Windows\System\UDsDXHK.exe
  C:\Windows\System\UDsDXHK.exe
  2⤵
  PID:7448
- C:\Windows\System\DsOAcUR.exe
  C:\Windows\System\DsOAcUR.exe
  2⤵
  PID:7488
- C:\Windows\System\MWjdAJw.exe
  C:\Windows\System\MWjdAJw.exe
  2⤵
  PID:7508
- C:\Windows\System\XlKwdFy.exe
  C:\Windows\System\XlKwdFy.exe
  2⤵
  PID:7548
- C:\Windows\System\qInvSQk.exe
  C:\Windows\System\qInvSQk.exe
  2⤵
  PID:7580
- C:\Windows\System\CbpHCmA.exe
  C:\Windows\System\CbpHCmA.exe
  2⤵
  PID:7608
- C:\Windows\System\teFEDKW.exe
  C:\Windows\System\teFEDKW.exe
  2⤵
  PID:7636
- C:\Windows\System\clrNlBY.exe
  C:\Windows\System\clrNlBY.exe
  2⤵
  PID:7660
- C:\Windows\System\TnmbJpa.exe
  C:\Windows\System\TnmbJpa.exe
  2⤵
  PID:7700
- C:\Windows\System\mzUuxkz.exe
  C:\Windows\System\mzUuxkz.exe
  2⤵
  PID:7724
- C:\Windows\System\txJmbbY.exe
  C:\Windows\System\txJmbbY.exe
  2⤵
  PID:7752
- C:\Windows\System\LdTcfLR.exe
  C:\Windows\System\LdTcfLR.exe
  2⤵
  PID:7772
- C:\Windows\System\wTUzCYz.exe
  C:\Windows\System\wTUzCYz.exe
  2⤵
  PID:7808
- C:\Windows\System\tBMzIBu.exe
  C:\Windows\System\tBMzIBu.exe
  2⤵
  PID:7836
- C:\Windows\System\mTtXdOZ.exe
  C:\Windows\System\mTtXdOZ.exe
  2⤵
  PID:7860
- C:\Windows\System\bBgtrOt.exe
  C:\Windows\System\bBgtrOt.exe
  2⤵
  PID:7892
- C:\Windows\System\jwweVoW.exe
  C:\Windows\System\jwweVoW.exe
  2⤵
  PID:7916
- C:\Windows\System\gcJAVNP.exe
  C:\Windows\System\gcJAVNP.exe
  2⤵
  PID:7948
- C:\Windows\System\hCGmFmA.exe
  C:\Windows\System\hCGmFmA.exe
  2⤵
  PID:7980
- C:\Windows\System\cxJhMaa.exe
  C:\Windows\System\cxJhMaa.exe
  2⤵
  PID:8016
- C:\Windows\System\KyJgyna.exe
  C:\Windows\System\KyJgyna.exe
  2⤵
  PID:8036
- C:\Windows\System\OijYNEU.exe
  C:\Windows\System\OijYNEU.exe
  2⤵
  PID:8072
- C:\Windows\System\bZWvtWF.exe
  C:\Windows\System\bZWvtWF.exe
  2⤵
  PID:8100
- C:\Windows\System\siyOOGj.exe
  C:\Windows\System\siyOOGj.exe
  2⤵
  PID:8124
- C:\Windows\System\VxKiaaS.exe
  C:\Windows\System\VxKiaaS.exe
  2⤵
  PID:8148
- C:\Windows\System\WLfLAaA.exe
  C:\Windows\System\WLfLAaA.exe
  2⤵
  PID:8188
- C:\Windows\System\TlHGyLs.exe
  C:\Windows\System\TlHGyLs.exe
  2⤵
  PID:7228
- C:\Windows\System\mNafpTe.exe
  C:\Windows\System\mNafpTe.exe
  2⤵
  PID:7244
- C:\Windows\System\ItJehyf.exe
  C:\Windows\System\ItJehyf.exe
  2⤵
  PID:7304
- C:\Windows\System\WANvpaG.exe
  C:\Windows\System\WANvpaG.exe
  2⤵
  PID:7408
- C:\Windows\System\XRKPVbD.exe
  C:\Windows\System\XRKPVbD.exe
  2⤵
  PID:7496
- C:\Windows\System\RXsDvXR.exe
  C:\Windows\System\RXsDvXR.exe
  2⤵
  PID:7592
- C:\Windows\System\YroYAHy.exe
  C:\Windows\System\YroYAHy.exe
  2⤵
  PID:7632
- C:\Windows\System\WeCbIpw.exe
  C:\Windows\System\WeCbIpw.exe
  2⤵
  PID:7716
- C:\Windows\System\DdyBfmK.exe
  C:\Windows\System\DdyBfmK.exe
  2⤵
  PID:7792
- C:\Windows\System\PRbeiHu.exe
  C:\Windows\System\PRbeiHu.exe
  2⤵
  PID:7436
- C:\Windows\System\yTlCPsr.exe
  C:\Windows\System\yTlCPsr.exe
  2⤵
  PID:7828
- C:\Windows\System\qTMRbga.exe
  C:\Windows\System\qTMRbga.exe
  2⤵
  PID:7884
- C:\Windows\System\ATRQYaT.exe
  C:\Windows\System\ATRQYaT.exe
  2⤵
  PID:7972
- C:\Windows\System\YGePFHK.exe
  C:\Windows\System\YGePFHK.exe
  2⤵
  PID:8024
- C:\Windows\System\MqsrnVZ.exe
  C:\Windows\System\MqsrnVZ.exe
  2⤵
  PID:8092
- C:\Windows\System\OGxFpkP.exe
  C:\Windows\System\OGxFpkP.exe
  2⤵
  PID:8156
- C:\Windows\System\CgjFFAz.exe
  C:\Windows\System\CgjFFAz.exe
  2⤵
  PID:2596
- C:\Windows\System\ZbZFdCy.exe
  C:\Windows\System\ZbZFdCy.exe
  2⤵
  PID:7332
- C:\Windows\System\WAQmOVw.exe
  C:\Windows\System\WAQmOVw.exe
  2⤵
  PID:7536
- C:\Windows\System\onQnmGz.exe
  C:\Windows\System\onQnmGz.exe
  2⤵
  PID:7764
- C:\Windows\System\DmDCeYo.exe
  C:\Windows\System\DmDCeYo.exe
  2⤵
  PID:7528
- C:\Windows\System\oZOVqXQ.exe
  C:\Windows\System\oZOVqXQ.exe
  2⤵
  PID:7932
- C:\Windows\System\cUSSyOP.exe
  C:\Windows\System\cUSSyOP.exe
  2⤵
  PID:8084
- C:\Windows\System\GGjLGvT.exe
  C:\Windows\System\GGjLGvT.exe
  2⤵
  PID:7336
- C:\Windows\System\oetlWCe.exe
  C:\Windows\System\oetlWCe.exe
  2⤵
  PID:7800
- C:\Windows\System\QiJwXFF.exe
  C:\Windows\System\QiJwXFF.exe
  2⤵
  PID:7924
- C:\Windows\System\VUqXqHJ.exe
  C:\Windows\System\VUqXqHJ.exe
  2⤵
  PID:7204
- C:\Windows\System\tRsHdUf.exe
  C:\Windows\System\tRsHdUf.exe
  2⤵
  PID:8068
- C:\Windows\System\rQRDFOB.exe
  C:\Windows\System\rQRDFOB.exe
  2⤵
  PID:7880
- C:\Windows\System\fsFLDOF.exe
  C:\Windows\System\fsFLDOF.exe
  2⤵
  PID:8220
- C:\Windows\System\WGNnTCj.exe
  C:\Windows\System\WGNnTCj.exe
  2⤵
  PID:8248
- C:\Windows\System\cTJfNRe.exe
  C:\Windows\System\cTJfNRe.exe
  2⤵
  PID:8280
- C:\Windows\System\WerJoPN.exe
  C:\Windows\System\WerJoPN.exe
  2⤵
  PID:8304
- C:\Windows\System\edcmzQA.exe
  C:\Windows\System\edcmzQA.exe
  2⤵
  PID:8332
- C:\Windows\System\ZBxgVro.exe
  C:\Windows\System\ZBxgVro.exe
  2⤵
  PID:8360
- C:\Windows\System\iZPoKEa.exe
  C:\Windows\System\iZPoKEa.exe
  2⤵
  PID:8388
- C:\Windows\System\MTjMeka.exe
  C:\Windows\System\MTjMeka.exe
  2⤵
  PID:8416
- C:\Windows\System\OqlkfEo.exe
  C:\Windows\System\OqlkfEo.exe
  2⤵
  PID:8444
- C:\Windows\System\iDLGoKQ.exe
  C:\Windows\System\iDLGoKQ.exe
  2⤵
  PID:8472
- C:\Windows\System\dqAghHC.exe
  C:\Windows\System\dqAghHC.exe
  2⤵
  PID:8504
- C:\Windows\System\ngGxqpx.exe
  C:\Windows\System\ngGxqpx.exe
  2⤵
  PID:8536
- C:\Windows\System\ADuusNp.exe
  C:\Windows\System\ADuusNp.exe
  2⤵
  PID:8564
- C:\Windows\System\YDUAZwr.exe
  C:\Windows\System\YDUAZwr.exe
  2⤵
  PID:8592
- C:\Windows\System\INANAIK.exe
  C:\Windows\System\INANAIK.exe
  2⤵
  PID:8620
- C:\Windows\System\FycULbQ.exe
  C:\Windows\System\FycULbQ.exe
  2⤵
  PID:8648
- C:\Windows\System\bmGHJBR.exe
  C:\Windows\System\bmGHJBR.exe
  2⤵
  PID:8676
- C:\Windows\System\wdnQnPu.exe
  C:\Windows\System\wdnQnPu.exe
  2⤵
  PID:8704
- C:\Windows\System\puUFSJt.exe
  C:\Windows\System\puUFSJt.exe
  2⤵
  PID:8732
- C:\Windows\System\hXjZwYg.exe
  C:\Windows\System\hXjZwYg.exe
  2⤵
  PID:8760
- C:\Windows\System\RFBShyi.exe
  C:\Windows\System\RFBShyi.exe
  2⤵
  PID:8788
- C:\Windows\System\fhoqBlN.exe
  C:\Windows\System\fhoqBlN.exe
  2⤵
  PID:8816
- C:\Windows\System\sLzdCUZ.exe
  C:\Windows\System\sLzdCUZ.exe
  2⤵
  PID:8844
- C:\Windows\System\eipyWMb.exe
  C:\Windows\System\eipyWMb.exe
  2⤵
  PID:8872
- C:\Windows\System\hPscQoT.exe
  C:\Windows\System\hPscQoT.exe
  2⤵
  PID:8912
- C:\Windows\System\pvwpXNi.exe
  C:\Windows\System\pvwpXNi.exe
  2⤵
  PID:8928
- C:\Windows\System\KvEJaMl.exe
  C:\Windows\System\KvEJaMl.exe
  2⤵
  PID:8956
- C:\Windows\System\plLWpOM.exe
  C:\Windows\System\plLWpOM.exe
  2⤵
  PID:8984
- C:\Windows\System\POozJTU.exe
  C:\Windows\System\POozJTU.exe
  2⤵
  PID:9016
- C:\Windows\System\iZyuMVy.exe
  C:\Windows\System\iZyuMVy.exe
  2⤵
  PID:9044
- C:\Windows\System\yFejavK.exe
  C:\Windows\System\yFejavK.exe
  2⤵
  PID:9072
- C:\Windows\System\mZUBIej.exe
  C:\Windows\System\mZUBIej.exe
  2⤵
  PID:9100
- C:\Windows\System\LhindQh.exe
  C:\Windows\System\LhindQh.exe
  2⤵
  PID:9128
- C:\Windows\System\tdkObpQ.exe
  C:\Windows\System\tdkObpQ.exe
  2⤵
  PID:9156
- C:\Windows\System\POXuwWr.exe
  C:\Windows\System\POXuwWr.exe
  2⤵
  PID:9184
- C:\Windows\System\xhEryYk.exe
  C:\Windows\System\xhEryYk.exe
  2⤵
  PID:9212
- C:\Windows\System\GdnOydn.exe
  C:\Windows\System\GdnOydn.exe
  2⤵
  PID:8244
- C:\Windows\System\pnLUSAQ.exe
  C:\Windows\System\pnLUSAQ.exe
  2⤵
  PID:8300
- C:\Windows\System\qqnlsgj.exe
  C:\Windows\System\qqnlsgj.exe
  2⤵
  PID:8372
- C:\Windows\System\vyCTzlf.exe
  C:\Windows\System\vyCTzlf.exe
  2⤵
  PID:8440
- C:\Windows\System\vdNyEYN.exe
  C:\Windows\System\vdNyEYN.exe
  2⤵
  PID:8500
- C:\Windows\System\ogIxEwO.exe
  C:\Windows\System\ogIxEwO.exe
  2⤵
  PID:8560
- C:\Windows\System\lpoXwhW.exe
  C:\Windows\System\lpoXwhW.exe
  2⤵
  PID:8644
- C:\Windows\System\jPoIXHj.exe
  C:\Windows\System\jPoIXHj.exe
  2⤵
  PID:8728
- C:\Windows\System\xnngTbK.exe
  C:\Windows\System\xnngTbK.exe
  2⤵
  PID:8800
- C:\Windows\System\rsIKXzh.exe
  C:\Windows\System\rsIKXzh.exe
  2⤵
  PID:8864
- C:\Windows\System\eKBMcdv.exe
  C:\Windows\System\eKBMcdv.exe
  2⤵
  PID:8924
- C:\Windows\System\ApJwEOs.exe
  C:\Windows\System\ApJwEOs.exe
  2⤵
  PID:8996
- C:\Windows\System\AqMILvP.exe
  C:\Windows\System\AqMILvP.exe
  2⤵
  PID:9064
- C:\Windows\System\ZbskLTB.exe
  C:\Windows\System\ZbskLTB.exe
  2⤵
  PID:9120
- C:\Windows\System\wfvSykB.exe
  C:\Windows\System\wfvSykB.exe
  2⤵
  PID:9180
- C:\Windows\System\UyaKlqd.exe
  C:\Windows\System\UyaKlqd.exe
  2⤵
  PID:8268
- C:\Windows\System\aVEbHEN.exe
  C:\Windows\System\aVEbHEN.exe
  2⤵
  PID:2592
- C:\Windows\System\XHjFzWK.exe
  C:\Windows\System\XHjFzWK.exe
  2⤵
  PID:8524
- C:\Windows\System\fYmIEae.exe
  C:\Windows\System\fYmIEae.exe
  2⤵
  PID:8616
- C:\Windows\System\IOiamXj.exe
  C:\Windows\System\IOiamXj.exe
  2⤵
  PID:8716
- C:\Windows\System\wXPyRjs.exe
  C:\Windows\System\wXPyRjs.exe
  2⤵
  PID:8920
- C:\Windows\System\BVHqHxu.exe
  C:\Windows\System\BVHqHxu.exe
  2⤵
  PID:8492
- C:\Windows\System\YBuBqTC.exe
  C:\Windows\System\YBuBqTC.exe
  2⤵
  PID:8232
- C:\Windows\System\JZRZLSO.exe
  C:\Windows\System\JZRZLSO.exe
  2⤵
  PID:416
- C:\Windows\System\smgCmvc.exe
  C:\Windows\System\smgCmvc.exe
  2⤵
  PID:8980
- C:\Windows\System\pFcrYUM.exe
  C:\Windows\System\pFcrYUM.exe
  2⤵
  PID:8468
- C:\Windows\System\wmDMggY.exe
  C:\Windows\System\wmDMggY.exe
  2⤵
  PID:6772
- C:\Windows\System\tOtLstq.exe
  C:\Windows\System\tOtLstq.exe
  2⤵
  PID:6436
- C:\Windows\System\yqAfgbz.exe
  C:\Windows\System\yqAfgbz.exe
  2⤵
  PID:8412
- C:\Windows\System\WGNPOFU.exe
  C:\Windows\System\WGNPOFU.exe
  2⤵
  PID:6364
- C:\Windows\System\VIXhpos.exe
  C:\Windows\System\VIXhpos.exe
  2⤵
  PID:9244
- C:\Windows\System\zyZcvOj.exe
  C:\Windows\System\zyZcvOj.exe
  2⤵
  PID:9272
- C:\Windows\System\VjADgFg.exe
  C:\Windows\System\VjADgFg.exe
  2⤵
  PID:9304
- C:\Windows\System\TmjOgmX.exe
  C:\Windows\System\TmjOgmX.exe
  2⤵
  PID:9332
- C:\Windows\System\vfwOmzL.exe
  C:\Windows\System\vfwOmzL.exe
  2⤵
  PID:9360
- C:\Windows\System\CAbdyjT.exe
  C:\Windows\System\CAbdyjT.exe
  2⤵
  PID:9388
- C:\Windows\System\SwowTne.exe
  C:\Windows\System\SwowTne.exe
  2⤵
  PID:9416
- C:\Windows\System\ghYNLxK.exe
  C:\Windows\System\ghYNLxK.exe
  2⤵
  PID:9444
- C:\Windows\System\pliRvAs.exe
  C:\Windows\System\pliRvAs.exe
  2⤵
  PID:9472
- C:\Windows\System\PVHUQaa.exe
  C:\Windows\System\PVHUQaa.exe
  2⤵
  PID:9500
- C:\Windows\System\bEqhbqy.exe
  C:\Windows\System\bEqhbqy.exe
  2⤵
  PID:9528
- C:\Windows\System\FONeFqN.exe
  C:\Windows\System\FONeFqN.exe
  2⤵
  PID:9556
- C:\Windows\System\nKFxcTc.exe
  C:\Windows\System\nKFxcTc.exe
  2⤵
  PID:9584
- C:\Windows\System\UmGPDfE.exe
  C:\Windows\System\UmGPDfE.exe
  2⤵
  PID:9612
- C:\Windows\System\bczAftx.exe
  C:\Windows\System\bczAftx.exe
  2⤵
  PID:9640
- C:\Windows\System\idWpoie.exe
  C:\Windows\System\idWpoie.exe
  2⤵
  PID:9668
- C:\Windows\System\TZIlfQt.exe
  C:\Windows\System\TZIlfQt.exe
  2⤵
  PID:9696
- C:\Windows\System\xmTrAYc.exe
  C:\Windows\System\xmTrAYc.exe
  2⤵
  PID:9728
- C:\Windows\System\UxCSvbY.exe
  C:\Windows\System\UxCSvbY.exe
  2⤵
  PID:9756
- C:\Windows\System\VkLlYjg.exe
  C:\Windows\System\VkLlYjg.exe
  2⤵
  PID:9772
- C:\Windows\System\wHQFhYn.exe
  C:\Windows\System\wHQFhYn.exe
  2⤵
  PID:9812
- C:\Windows\System\xSkeNJY.exe
  C:\Windows\System\xSkeNJY.exe
  2⤵
  PID:9840
- C:\Windows\System\jLaenPl.exe
  C:\Windows\System\jLaenPl.exe
  2⤵
  PID:9868
- C:\Windows\System\rRnDuya.exe
  C:\Windows\System\rRnDuya.exe
  2⤵
  PID:9900
- C:\Windows\System\mPnQdAY.exe
  C:\Windows\System\mPnQdAY.exe
  2⤵
  PID:9928
- C:\Windows\System\yKGWgqw.exe
  C:\Windows\System\yKGWgqw.exe
  2⤵
  PID:10004
- C:\Windows\System\zjbBWiQ.exe
  C:\Windows\System\zjbBWiQ.exe
  2⤵
  PID:10028
- C:\Windows\System\FMSorFI.exe
  C:\Windows\System\FMSorFI.exe
  2⤵
  PID:10056
- C:\Windows\System\rTrlVhg.exe
  C:\Windows\System\rTrlVhg.exe
  2⤵
  PID:10084
- C:\Windows\System\fRjnQsH.exe
  C:\Windows\System\fRjnQsH.exe
  2⤵
  PID:10112
- C:\Windows\System\qWfPXJS.exe
  C:\Windows\System\qWfPXJS.exe
  2⤵
  PID:10140
- C:\Windows\System\asLhshx.exe
  C:\Windows\System\asLhshx.exe
  2⤵
  PID:10176
- C:\Windows\System\oNrzBUY.exe
  C:\Windows\System\oNrzBUY.exe
  2⤵
  PID:10200
- C:\Windows\System\zqvbkxM.exe
  C:\Windows\System\zqvbkxM.exe
  2⤵
  PID:10228
- C:\Windows\System\YKNePwO.exe
  C:\Windows\System\YKNePwO.exe
  2⤵
  PID:9256
- C:\Windows\System\BkVnzsr.exe
  C:\Windows\System\BkVnzsr.exe
  2⤵
  PID:9324
- C:\Windows\System\zfqzNvR.exe
  C:\Windows\System\zfqzNvR.exe
  2⤵
  PID:9384
- C:\Windows\System\FrKtyRN.exe
  C:\Windows\System\FrKtyRN.exe
  2⤵
  PID:9456
- C:\Windows\System\qstAQMd.exe
  C:\Windows\System\qstAQMd.exe
  2⤵
  PID:9520
- C:\Windows\System\xvOBXlS.exe
  C:\Windows\System\xvOBXlS.exe
  2⤵
  PID:9580
- C:\Windows\System\ajadADk.exe
  C:\Windows\System\ajadADk.exe
  2⤵
  PID:9688
- C:\Windows\System\nGrPhfn.exe
  C:\Windows\System\nGrPhfn.exe
  2⤵
  PID:9724
- C:\Windows\System\SIPQsyk.exe
  C:\Windows\System\SIPQsyk.exe
  2⤵
  PID:9768
- C:\Windows\System\yhvrzcJ.exe
  C:\Windows\System\yhvrzcJ.exe
  2⤵
  PID:9832
- C:\Windows\System\vHayIhH.exe
  C:\Windows\System\vHayIhH.exe
  2⤵
  PID:9912
- C:\Windows\System\ujthEli.exe
  C:\Windows\System\ujthEli.exe
  2⤵
  PID:10048
- C:\Windows\System\REgRCzA.exe
  C:\Windows\System\REgRCzA.exe
  2⤵
  PID:10160
- C:\Windows\System\vmBAlGR.exe
  C:\Windows\System\vmBAlGR.exe
  2⤵
  PID:9316
- C:\Windows\System\pothAPA.exe
  C:\Windows\System\pothAPA.exe
  2⤵
  PID:8612
- C:\Windows\System\bbOKRdq.exe
  C:\Windows\System\bbOKRdq.exe
  2⤵
  PID:9864
- C:\Windows\System\FzvpBsy.exe
  C:\Windows\System\FzvpBsy.exe
  2⤵
  PID:10132
- C:\Windows\System\WFqeBGH.exe
  C:\Windows\System\WFqeBGH.exe
  2⤵
  PID:9608
- C:\Windows\System\rEqgxuk.exe
  C:\Windows\System\rEqgxuk.exe
  2⤵
  PID:10168
- C:\Windows\System\NGNandE.exe
  C:\Windows\System\NGNandE.exe
  2⤵
  PID:10252
- C:\Windows\System\FguJcog.exe
  C:\Windows\System\FguJcog.exe
  2⤵
  PID:10300
- C:\Windows\System\dPmuiUb.exe
  C:\Windows\System\dPmuiUb.exe
  2⤵
  PID:10324
- C:\Windows\System\ihlUTwG.exe
  C:\Windows\System\ihlUTwG.exe
  2⤵
  PID:10352
- C:\Windows\System\ihOFkuB.exe
  C:\Windows\System\ihOFkuB.exe
  2⤵
  PID:10388
- C:\Windows\System\yrDNqoN.exe
  C:\Windows\System\yrDNqoN.exe
  2⤵
  PID:10420
- C:\Windows\System\LyrkTHU.exe
  C:\Windows\System\LyrkTHU.exe
  2⤵
  PID:10448
- C:\Windows\System\fRErPVn.exe
  C:\Windows\System\fRErPVn.exe
  2⤵
  PID:10476
- C:\Windows\System\eNRkAKd.exe
  C:\Windows\System\eNRkAKd.exe
  2⤵
  PID:10516
- C:\Windows\System\WOwWDdQ.exe
  C:\Windows\System\WOwWDdQ.exe
  2⤵
  PID:10532
- C:\Windows\System\nDbikIB.exe
  C:\Windows\System\nDbikIB.exe
  2⤵
  PID:10560
- C:\Windows\System\oCZwmNf.exe
  C:\Windows\System\oCZwmNf.exe
  2⤵
  PID:10588
- C:\Windows\System\LchVFhx.exe
  C:\Windows\System\LchVFhx.exe
  2⤵
  PID:10616
- C:\Windows\System\rlWayUC.exe
  C:\Windows\System\rlWayUC.exe
  2⤵
  PID:10644
- C:\Windows\System\gQxmIWD.exe
  C:\Windows\System\gQxmIWD.exe
  2⤵
  PID:10672
- C:\Windows\System\wLGPpiY.exe
  C:\Windows\System\wLGPpiY.exe
  2⤵
  PID:10700
- C:\Windows\System\ChPbjkN.exe
  C:\Windows\System\ChPbjkN.exe
  2⤵
  PID:10728
- C:\Windows\System\DFMUuJj.exe
  C:\Windows\System\DFMUuJj.exe
  2⤵
  PID:10756
- C:\Windows\System\fFyWZcg.exe
  C:\Windows\System\fFyWZcg.exe
  2⤵
  PID:10784
- C:\Windows\System\oLQzinn.exe
  C:\Windows\System\oLQzinn.exe
  2⤵
  PID:10812
- C:\Windows\System\EERqsvK.exe
  C:\Windows\System\EERqsvK.exe
  2⤵
  PID:10840
- C:\Windows\System\dGGuLic.exe
  C:\Windows\System\dGGuLic.exe
  2⤵
  PID:10868
- C:\Windows\System\AdeRNdv.exe
  C:\Windows\System\AdeRNdv.exe
  2⤵
  PID:10896
- C:\Windows\System\ucghPli.exe
  C:\Windows\System\ucghPli.exe
  2⤵
  PID:10924
- C:\Windows\System\tvQyEZN.exe
  C:\Windows\System\tvQyEZN.exe
  2⤵
  PID:10952
- C:\Windows\System\kSJccZm.exe
  C:\Windows\System\kSJccZm.exe
  2⤵
  PID:10980
- C:\Windows\System\MLCwjgO.exe
  C:\Windows\System\MLCwjgO.exe
  2⤵
  PID:11008
- C:\Windows\System\DVPupFr.exe
  C:\Windows\System\DVPupFr.exe
  2⤵
  PID:11036
- C:\Windows\System\yMUdXVn.exe
  C:\Windows\System\yMUdXVn.exe
  2⤵
  PID:11068
- C:\Windows\System\nFfLWyo.exe
  C:\Windows\System\nFfLWyo.exe
  2⤵
  PID:11092
- C:\Windows\System\GGlGATG.exe
  C:\Windows\System\GGlGATG.exe
  2⤵
  PID:11120
- C:\Windows\System\MxrxgMF.exe
  C:\Windows\System\MxrxgMF.exe
  2⤵
  PID:11148
- C:\Windows\System\fiKfEQa.exe
  C:\Windows\System\fiKfEQa.exe
  2⤵
  PID:11192
- C:\Windows\System\KxaXIWj.exe
  C:\Windows\System\KxaXIWj.exe
  2⤵
  PID:11208
- C:\Windows\System\CAqAVXC.exe
  C:\Windows\System\CAqAVXC.exe
  2⤵
  PID:11236
- C:\Windows\System\Qzajobd.exe
  C:\Windows\System\Qzajobd.exe
  2⤵
  PID:10076
- C:\Windows\System\MVaZmZH.exe
  C:\Windows\System\MVaZmZH.exe
  2⤵
  PID:10320
- C:\Windows\System\zgupUXu.exe
  C:\Windows\System\zgupUXu.exe
  2⤵
  PID:10400
- C:\Windows\System\ngiEmzr.exe
  C:\Windows\System\ngiEmzr.exe
  2⤵
  PID:10468
- C:\Windows\System\grFruEy.exe
  C:\Windows\System\grFruEy.exe
  2⤵
  PID:9632
- C:\Windows\System\bVsOkYs.exe
  C:\Windows\System\bVsOkYs.exe
  2⤵
  PID:9496
- C:\Windows\System\mGuOwGk.exe
  C:\Windows\System\mGuOwGk.exe
  2⤵
  PID:10572
- C:\Windows\System\LITYvMe.exe
  C:\Windows\System\LITYvMe.exe
  2⤵
  PID:10636
- C:\Windows\System\ytqsOXm.exe
  C:\Windows\System\ytqsOXm.exe
  2⤵
  PID:10696
- C:\Windows\System\KZbixur.exe
  C:\Windows\System\KZbixur.exe
  2⤵
  PID:10768
- C:\Windows\System\BeBrFGq.exe
  C:\Windows\System\BeBrFGq.exe
  2⤵
  PID:10860
- C:\Windows\System\jabzZes.exe
  C:\Windows\System\jabzZes.exe
  2⤵
  PID:10892
- C:\Windows\System\FSbXCKV.exe
  C:\Windows\System\FSbXCKV.exe
  2⤵
  PID:10964
- C:\Windows\System\CgFbBIg.exe
  C:\Windows\System\CgFbBIg.exe
  2⤵
  PID:11020
- C:\Windows\System\xKFNSRI.exe
  C:\Windows\System\xKFNSRI.exe
  2⤵
  PID:11084
- C:\Windows\System\qQBksSp.exe
  C:\Windows\System\qQBksSp.exe
  2⤵
  PID:11144
- C:\Windows\System\DOQctMh.exe
  C:\Windows\System\DOQctMh.exe
  2⤵
  PID:11220
- C:\Windows\System\IUUBHcP.exe
  C:\Windows\System\IUUBHcP.exe
  2⤵
  PID:10308
- C:\Windows\System\ZGHZXbD.exe
  C:\Windows\System\ZGHZXbD.exe
  2⤵
  PID:10444
- C:\Windows\System\NTxlfnD.exe
  C:\Windows\System\NTxlfnD.exe
  2⤵
  PID:9512
- C:\Windows\System\AjqveqO.exe
  C:\Windows\System\AjqveqO.exe
  2⤵
  PID:10664
- C:\Windows\System\PddCdKq.exe
  C:\Windows\System\PddCdKq.exe
  2⤵
  PID:10808
- C:\Windows\System\aQNgRQM.exe
  C:\Windows\System\aQNgRQM.exe
  2⤵
  PID:10948
- C:\Windows\System\VPscuMx.exe
  C:\Windows\System\VPscuMx.exe
  2⤵
  PID:11112
- C:\Windows\System\gaWhCvs.exe
  C:\Windows\System\gaWhCvs.exe
  2⤵
  PID:11168
- C:\Windows\System\OWkBSUY.exe
  C:\Windows\System\OWkBSUY.exe
  2⤵
  PID:10408
- C:\Windows\System\zauMEmp.exe
  C:\Windows\System\zauMEmp.exe
  2⤵
  PID:10880
- C:\Windows\System\oQcPbXh.exe
  C:\Windows\System\oQcPbXh.exe
  2⤵
  PID:10380
- C:\Windows\System\ENfPZaq.exe
  C:\Windows\System\ENfPZaq.exe
  2⤵
  PID:11276
- C:\Windows\System\XGTkBFL.exe
  C:\Windows\System\XGTkBFL.exe
  2⤵
  PID:11336
- C:\Windows\System\rYicJkT.exe
  C:\Windows\System\rYicJkT.exe
  2⤵
  PID:11372
- C:\Windows\System\WErVcLp.exe
  C:\Windows\System\WErVcLp.exe
  2⤵
  PID:11408
- C:\Windows\System\pcjgIYI.exe
  C:\Windows\System\pcjgIYI.exe
  2⤵
  PID:11448
- C:\Windows\System\ormHHJQ.exe
  C:\Windows\System\ormHHJQ.exe
  2⤵
  PID:11476
- C:\Windows\System\XQpBiWg.exe
  C:\Windows\System\XQpBiWg.exe
  2⤵
  PID:11504
- C:\Windows\System\MoBLrZe.exe
  C:\Windows\System\MoBLrZe.exe
  2⤵
  PID:11532
- C:\Windows\System\alrCLmP.exe
  C:\Windows\System\alrCLmP.exe
  2⤵
  PID:11560
- C:\Windows\System\pzkCAOF.exe
  C:\Windows\System\pzkCAOF.exe
  2⤵
  PID:11588
- C:\Windows\System\iBKltKt.exe
  C:\Windows\System\iBKltKt.exe
  2⤵
  PID:11616
- C:\Windows\System\NDPQVvG.exe
  C:\Windows\System\NDPQVvG.exe
  2⤵
  PID:11644
- C:\Windows\System\GveoAsY.exe
  C:\Windows\System\GveoAsY.exe
  2⤵
  PID:11676
- C:\Windows\System\lZGumwm.exe
  C:\Windows\System\lZGumwm.exe
  2⤵
  PID:11692
- C:\Windows\System\nrtmwUN.exe
  C:\Windows\System\nrtmwUN.exe
  2⤵
  PID:11724
- C:\Windows\System\jqKPgJM.exe
  C:\Windows\System\jqKPgJM.exe
  2⤵
  PID:11756
- C:\Windows\System\KYGjvYd.exe
  C:\Windows\System\KYGjvYd.exe
  2⤵
  PID:11788
- C:\Windows\System\gmCKNEa.exe
  C:\Windows\System\gmCKNEa.exe
  2⤵
  PID:11808
- C:\Windows\System\RXFrrIh.exe
  C:\Windows\System\RXFrrIh.exe
  2⤵
  PID:11860
- C:\Windows\System\ODuTVLp.exe
  C:\Windows\System\ODuTVLp.exe
  2⤵
  PID:11884
- C:\Windows\System\yGqPpop.exe
  C:\Windows\System\yGqPpop.exe
  2⤵
  PID:11920
- C:\Windows\System\lpdveAW.exe
  C:\Windows\System\lpdveAW.exe
  2⤵
  PID:11944
- C:\Windows\System\BYhngks.exe
  C:\Windows\System\BYhngks.exe
  2⤵
  PID:11964
- C:\Windows\System\dVuyGvg.exe
  C:\Windows\System\dVuyGvg.exe
  2⤵
  PID:11996
- C:\Windows\System\pAcXpIn.exe
  C:\Windows\System\pAcXpIn.exe
  2⤵
  PID:12032
- C:\Windows\System\tLhSBtP.exe
  C:\Windows\System\tLhSBtP.exe
  2⤵
  PID:12056
- C:\Windows\System\mtVLsGy.exe
  C:\Windows\System\mtVLsGy.exe
  2⤵
  PID:12120
- C:\Windows\System\jfUrpGC.exe
  C:\Windows\System\jfUrpGC.exe
  2⤵
  PID:12140
- C:\Windows\System\ZsiMcZy.exe
  C:\Windows\System\ZsiMcZy.exe
  2⤵
  PID:12168
- C:\Windows\System\bsytEPv.exe
  C:\Windows\System\bsytEPv.exe
  2⤵
  PID:12192
- C:\Windows\System\IFkZpPq.exe
  C:\Windows\System\IFkZpPq.exe
  2⤵
  PID:12208
- C:\Windows\System\BFPYBSN.exe
  C:\Windows\System\BFPYBSN.exe
  2⤵
  PID:12240
- C:\Windows\System\BSPQhAC.exe
  C:\Windows\System\BSPQhAC.exe
  2⤵
  PID:12264
- C:\Windows\System\veIBQBd.exe
  C:\Windows\System\veIBQBd.exe
  2⤵
  PID:11268
- C:\Windows\System\GVzYFog.exe
  C:\Windows\System\GVzYFog.exe
  2⤵
  PID:11324
- C:\Windows\System\iGcRmkV.exe
  C:\Windows\System\iGcRmkV.exe
  2⤵
  PID:11420
- C:\Windows\System\ZSYgbIw.exe
  C:\Windows\System\ZSYgbIw.exe
  2⤵
  PID:11544
- C:\Windows\System\KzVvGpG.exe
  C:\Windows\System\KzVvGpG.exe
  2⤵
  PID:11688
- C:\Windows\System\hxYKXTu.exe
  C:\Windows\System\hxYKXTu.exe
  2⤵
  PID:11712
- C:\Windows\System\bDKlmwE.exe
  C:\Windows\System\bDKlmwE.exe
  2⤵
  PID:11828
- C:\Windows\System\qtUbmab.exe
  C:\Windows\System\qtUbmab.exe
  2⤵
  PID:11820
- C:\Windows\System\aWFnYTP.exe
  C:\Windows\System\aWFnYTP.exe
  2⤵
  PID:5024
- C:\Windows\System\fAWAHAw.exe
  C:\Windows\System\fAWAHAw.exe
  2⤵
  PID:676
- C:\Windows\System\hrChhPO.exe
  C:\Windows\System\hrChhPO.exe
  2⤵
  PID:2828
- C:\Windows\System\UsVfktt.exe
  C:\Windows\System\UsVfktt.exe
  2⤵
  PID:5048
- C:\Windows\System\avlhBzi.exe
  C:\Windows\System\avlhBzi.exe
  2⤵
  PID:12008
- C:\Windows\System\xGuFvOs.exe
  C:\Windows\System\xGuFvOs.exe
  2⤵
  PID:11880
- C:\Windows\System\ckAscGS.exe
  C:\Windows\System\ckAscGS.exe
  2⤵
  PID:12088
- C:\Windows\System\TTWTUpi.exe
  C:\Windows\System\TTWTUpi.exe
  2⤵
  PID:828
- C:\Windows\System\CNYzBIB.exe
  C:\Windows\System\CNYzBIB.exe
  2⤵
  PID:12248
- C:\Windows\System\ptwJrmE.exe
  C:\Windows\System\ptwJrmE.exe
  2⤵
  PID:12236
- C:\Windows\System\TnhmwjY.exe
  C:\Windows\System\TnhmwjY.exe
  2⤵
  PID:11400
- C:\Windows\System\CxFwvuf.exe
  C:\Windows\System\CxFwvuf.exe
  2⤵
  PID:11516
- C:\Windows\System\OMGWCJn.exe
  C:\Windows\System\OMGWCJn.exe
  2⤵
  PID:11664
- C:\Windows\System\mVGYCOs.exe
  C:\Windows\System\mVGYCOs.exe
  2⤵
  PID:12160
- C:\Windows\System\WsvEgwO.exe
  C:\Windows\System\WsvEgwO.exe
  2⤵
  PID:11856
- C:\Windows\System\awrrHzV.exe
  C:\Windows\System\awrrHzV.exe
  2⤵
  PID:11988
- C:\Windows\System\SYYBztA.exe
  C:\Windows\System\SYYBztA.exe
  2⤵
  PID:12100
- C:\Windows\System\AjIfeMk.exe
  C:\Windows\System\AjIfeMk.exe
  2⤵
  PID:3820
- C:\Windows\System\obtqdOA.exe
  C:\Windows\System\obtqdOA.exe
  2⤵
  PID:11368
- C:\Windows\System\SjreFqm.exe
  C:\Windows\System\SjreFqm.exe
  2⤵
  PID:3224
- C:\Windows\System\CbnzPAM.exe
  C:\Windows\System\CbnzPAM.exe
  2⤵
  PID:12180
- C:\Windows\System\XIUFkaF.exe
  C:\Windows\System\XIUFkaF.exe
  2⤵
  PID:464
- C:\Windows\System\xbmdWTZ.exe
  C:\Windows\System\xbmdWTZ.exe
  2⤵
  PID:12188
- C:\Windows\System\psuqkGr.exe
  C:\Windows\System\psuqkGr.exe
  2⤵
  PID:11312
- C:\Windows\System\VXRnvXc.exe
  C:\Windows\System\VXRnvXc.exe
  2⤵
  PID:12228
- C:\Windows\System\BtsuIRy.exe
  C:\Windows\System\BtsuIRy.exe
  2⤵
  PID:32
- C:\Windows\System\sLZvQiG.exe
  C:\Windows\System\sLZvQiG.exe
  2⤵
  PID:11980
- C:\Windows\System\kgNBCSo.exe
  C:\Windows\System\kgNBCSo.exe
  2⤵
  PID:12296
- C:\Windows\System\ncrtMRH.exe
  C:\Windows\System\ncrtMRH.exe
  2⤵
  PID:12324
- C:\Windows\System\GiXXzCY.exe
  C:\Windows\System\GiXXzCY.exe
  2⤵
  PID:12352
- C:\Windows\System\MZTiDdm.exe
  C:\Windows\System\MZTiDdm.exe
  2⤵
  PID:12380
- C:\Windows\System\iEUIrai.exe
  C:\Windows\System\iEUIrai.exe
  2⤵
  PID:12408
- C:\Windows\System\rljlFzr.exe
  C:\Windows\System\rljlFzr.exe
  2⤵
  PID:12436
- C:\Windows\System\TGVqmQy.exe
  C:\Windows\System\TGVqmQy.exe
  2⤵
  PID:12464
- C:\Windows\System\PZcxILW.exe
  C:\Windows\System\PZcxILW.exe
  2⤵
  PID:12492
- C:\Windows\System\DxvZylO.exe
  C:\Windows\System\DxvZylO.exe
  2⤵
  PID:12520
- C:\Windows\System\LfxalTD.exe
  C:\Windows\System\LfxalTD.exe
  2⤵
  PID:12548
- C:\Windows\System\mOXeTnF.exe
  C:\Windows\System\mOXeTnF.exe
  2⤵
  PID:12576
- C:\Windows\System\akDAFPv.exe
  C:\Windows\System\akDAFPv.exe
  2⤵
  PID:12608
- C:\Windows\System\scgizEl.exe
  C:\Windows\System\scgizEl.exe
  2⤵
  PID:12636
- C:\Windows\System\ZDNmHRD.exe
  C:\Windows\System\ZDNmHRD.exe
  2⤵
  PID:12676
- C:\Windows\System\fQtUwDl.exe
  C:\Windows\System\fQtUwDl.exe
  2⤵
  PID:12692
- C:\Windows\System\KQPjcCC.exe
  C:\Windows\System\KQPjcCC.exe
  2⤵
  PID:12720
- C:\Windows\System\OpjDdMs.exe
  C:\Windows\System\OpjDdMs.exe
  2⤵
  PID:12748
- C:\Windows\System\LkKYjxe.exe
  C:\Windows\System\LkKYjxe.exe
  2⤵
  PID:12776
- C:\Windows\System\ITUmJUi.exe
  C:\Windows\System\ITUmJUi.exe
  2⤵
  PID:12804
- C:\Windows\System\yJFEfUa.exe
  C:\Windows\System\yJFEfUa.exe
  2⤵
  PID:12832
- C:\Windows\System\ibKJFXE.exe
  C:\Windows\System\ibKJFXE.exe
  2⤵
  PID:12860
- C:\Windows\System\ILCUzTc.exe
  C:\Windows\System\ILCUzTc.exe
  2⤵
  PID:12888
- C:\Windows\System\ASXZmPB.exe
  C:\Windows\System\ASXZmPB.exe
  2⤵
  PID:12916
- C:\Windows\System\KFQNGlN.exe
  C:\Windows\System\KFQNGlN.exe
  2⤵
  PID:12944
- C:\Windows\System\LQhoTOD.exe
  C:\Windows\System\LQhoTOD.exe
  2⤵
  PID:12972
- C:\Windows\System\dSvdLoV.exe
  C:\Windows\System\dSvdLoV.exe
  2⤵
  PID:13000
- C:\Windows\System\QOQQNvF.exe
  C:\Windows\System\QOQQNvF.exe
  2⤵
  PID:13028
- C:\Windows\System\nspDyKl.exe
  C:\Windows\System\nspDyKl.exe
  2⤵
  PID:13056
- C:\Windows\System\DkxiNYg.exe
  C:\Windows\System\DkxiNYg.exe
  2⤵
  PID:13084
- C:\Windows\System\VDyIhEr.exe
  C:\Windows\System\VDyIhEr.exe
  2⤵
  PID:13112
- C:\Windows\System\bTlHTvV.exe
  C:\Windows\System\bTlHTvV.exe
  2⤵
  PID:13140
- C:\Windows\System\uWLEaBU.exe
  C:\Windows\System\uWLEaBU.exe
  2⤵
  PID:13168
- C:\Windows\System\FeuGbrI.exe
  C:\Windows\System\FeuGbrI.exe
  2⤵
  PID:13196
- C:\Windows\System\dSwhRtM.exe
  C:\Windows\System\dSwhRtM.exe
  2⤵
  PID:13224
- C:\Windows\System\OueQjof.exe
  C:\Windows\System\OueQjof.exe
  2⤵
  PID:13252
- C:\Windows\System\aXOLbzT.exe
  C:\Windows\System\aXOLbzT.exe
  2⤵
  PID:13280
- C:\Windows\System\wlCepNk.exe
  C:\Windows\System\wlCepNk.exe
  2⤵
  PID:13308
- C:\Windows\System\zOitafY.exe
  C:\Windows\System\zOitafY.exe
  2⤵
  PID:12344
- C:\Windows\System\svJxxFp.exe
  C:\Windows\System\svJxxFp.exe
  2⤵
  PID:12400
- C:\Windows\System\DYaqprm.exe
  C:\Windows\System\DYaqprm.exe
  2⤵
  PID:12476
- C:\Windows\System\wYXeuVT.exe
  C:\Windows\System\wYXeuVT.exe
  2⤵
  PID:12540
- C:\Windows\System\KidOQId.exe
  C:\Windows\System\KidOQId.exe
  2⤵
  PID:12620
- C:\Windows\System\HvChvoE.exe
  C:\Windows\System\HvChvoE.exe
  2⤵
  PID:12684
- C:\Windows\System\QaAfgge.exe
  C:\Windows\System\QaAfgge.exe
  2⤵
  PID:12744
- C:\Windows\System\WiSZGcK.exe
  C:\Windows\System\WiSZGcK.exe
  2⤵
  PID:12816
- C:\Windows\System\BPjjePs.exe
  C:\Windows\System\BPjjePs.exe
  2⤵
  PID:12872
- C:\Windows\System\ibogSDa.exe
  C:\Windows\System\ibogSDa.exe
  2⤵
  PID:12936
- C:\Windows\System\uAEEOIP.exe
  C:\Windows\System\uAEEOIP.exe
  2⤵
  PID:12996
- C:\Windows\System\PbCdJnj.exe
  C:\Windows\System\PbCdJnj.exe
  2⤵
  PID:13068
- C:\Windows\System\sqDqFWm.exe
  C:\Windows\System\sqDqFWm.exe
  2⤵
  PID:13132
- C:\Windows\System\rrNrpTe.exe
  C:\Windows\System\rrNrpTe.exe
  2⤵
  PID:13192
- C:\Windows\System\BSgQeTX.exe
  C:\Windows\System\BSgQeTX.exe
  2⤵
  PID:13248
- C:\Windows\System\VMGObEE.exe
  C:\Windows\System\VMGObEE.exe
  2⤵
  PID:12308
- C:\Windows\System\YeTNKqz.exe
  C:\Windows\System\YeTNKqz.exe
  2⤵
  PID:12448
- C:\Windows\System\OXVJJpz.exe
  C:\Windows\System\OXVJJpz.exe
  2⤵
  PID:12588
- C:\Windows\System\IADcTpf.exe
  C:\Windows\System\IADcTpf.exe
  2⤵
  PID:9972
- C:\Windows\System\btITxOu.exe
  C:\Windows\System\btITxOu.exe
  2⤵
  PID:9992
- C:\Windows\System\eyocKLF.exe
  C:\Windows\System\eyocKLF.exe
  2⤵
  PID:9952
- C:\Windows\System\mPufcZX.exe
  C:\Windows\System\mPufcZX.exe
  2⤵
  PID:12844
- C:\Windows\System\YeMBmRO.exe
  C:\Windows\System\YeMBmRO.exe
  2⤵
  PID:12984
- C:\Windows\System\LGDrRqA.exe
  C:\Windows\System\LGDrRqA.exe
  2⤵
  PID:13124
- C:\Windows\System\BnPHeXm.exe
  C:\Windows\System\BnPHeXm.exe
  2⤵
  PID:13276
- C:\Windows\System\YEnPqGA.exe
  C:\Windows\System\YEnPqGA.exe
  2⤵
  PID:12532
- C:\Windows\System\DHNQbVu.exe
  C:\Windows\System\DHNQbVu.exe
  2⤵
  PID:10020
- C:\Windows\System\dgXXkON.exe
  C:\Windows\System\dgXXkON.exe
  2⤵
  PID:12900
- C:\Windows\System\CaBCoVV.exe
  C:\Windows\System\CaBCoVV.exe
  2⤵
  PID:12596
- C:\Windows\System\ojJlpBK.exe
  C:\Windows\System\ojJlpBK.exe
  2⤵
  PID:9984
- C:\Windows\System\WHobESH.exe
  C:\Windows\System\WHobESH.exe
  2⤵
  PID:13180
- C:\Windows\System\HWmVNnF.exe
  C:\Windows\System\HWmVNnF.exe
  2⤵
  PID:12460
- C:\Windows\System\IwiFiDK.exe
  C:\Windows\System\IwiFiDK.exe
  2⤵
  PID:13340
- C:\Windows\System\FxebhJK.exe
  C:\Windows\System\FxebhJK.exe
  2⤵
  PID:13380
- C:\Windows\System\WtTxduK.exe
  C:\Windows\System\WtTxduK.exe
  2⤵
  PID:13400
- C:\Windows\System\aKbLRgG.exe
  C:\Windows\System\aKbLRgG.exe
  2⤵
  PID:13456
- C:\Windows\System\dwllaCj.exe
  C:\Windows\System\dwllaCj.exe
  2⤵
  PID:13488
- C:\Windows\System\Ewlsugo.exe
  C:\Windows\System\Ewlsugo.exe
  2⤵
  PID:13524
- C:\Windows\System\SGcPfuc.exe
  C:\Windows\System\SGcPfuc.exe
  2⤵
  PID:13544
- C:\Windows\System\zXfEabB.exe
  C:\Windows\System\zXfEabB.exe
  2⤵
  PID:13560
- C:\Windows\System\ZwnDqhL.exe
  C:\Windows\System\ZwnDqhL.exe
  2⤵
  PID:13592
- C:\Windows\System\CfKhSGa.exe
  C:\Windows\System\CfKhSGa.exe
  2⤵
  PID:13640
- C:\Windows\System\DSLaOlX.exe
  C:\Windows\System\DSLaOlX.exe
  2⤵
  PID:13660
- C:\Windows\System\xkrdiac.exe
  C:\Windows\System\xkrdiac.exe
  2⤵
  PID:13688
- C:\Windows\System\xhdzbKR.exe
  C:\Windows\System\xhdzbKR.exe
  2⤵
  PID:13724
- C:\Windows\System\edvmXmN.exe
  C:\Windows\System\edvmXmN.exe
  2⤵
  PID:13752
- C:\Windows\System\NwoPVOW.exe
  C:\Windows\System\NwoPVOW.exe
  2⤵
  PID:13780
- C:\Windows\System\HHayciZ.exe
  C:\Windows\System\HHayciZ.exe
  2⤵
  PID:13808
- C:\Windows\System\xkzGaTS.exe
  C:\Windows\System\xkzGaTS.exe
  2⤵
  PID:13836
- C:\Windows\System\SJinfrp.exe
  C:\Windows\System\SJinfrp.exe
  2⤵
  PID:13864
- C:\Windows\System\SeVCxLs.exe
  C:\Windows\System\SeVCxLs.exe
  2⤵
  PID:13896
- C:\Windows\System\fbjgHyO.exe
  C:\Windows\System\fbjgHyO.exe
  2⤵
  PID:13920
- C:\Windows\System\UqBrStU.exe
  C:\Windows\System\UqBrStU.exe
  2⤵
  PID:13948
- C:\Windows\System\yuPZWAt.exe
  C:\Windows\System\yuPZWAt.exe
  2⤵
  PID:13976
- C:\Windows\System\HHvzUFD.exe
  C:\Windows\System\HHvzUFD.exe
  2⤵
  PID:14008
- C:\Windows\System\pdhnLoU.exe
  C:\Windows\System\pdhnLoU.exe
  2⤵
  PID:14036
- C:\Windows\System\fnLtaJh.exe
  C:\Windows\System\fnLtaJh.exe
  2⤵
  PID:14064
- C:\Windows\System\IcWGNSN.exe
  C:\Windows\System\IcWGNSN.exe
  2⤵
  PID:14092
- C:\Windows\System\rsvvITy.exe
  C:\Windows\System\rsvvITy.exe
  2⤵
  PID:14120
- C:\Windows\System\oCcJMYy.exe
  C:\Windows\System\oCcJMYy.exe
  2⤵
  PID:14148
- C:\Windows\System\dIKJiei.exe
  C:\Windows\System\dIKJiei.exe
  2⤵
  PID:14180
- C:\Windows\System\xELTeUp.exe
  C:\Windows\System\xELTeUp.exe
  2⤵
  PID:14208
- C:\Windows\System\sPtOUfX.exe
  C:\Windows\System\sPtOUfX.exe
  2⤵
  PID:14236
- C:\Windows\System\vPFlHoU.exe
  C:\Windows\System\vPFlHoU.exe
  2⤵
  PID:14264
- C:\Windows\System\fzHgkam.exe
  C:\Windows\System\fzHgkam.exe
  2⤵
  PID:14292
- C:\Windows\System\GhkJSnN.exe
  C:\Windows\System\GhkJSnN.exe
  2⤵
  PID:14320
- C:\Windows\System\yrPqsOu.exe
  C:\Windows\System\yrPqsOu.exe
  2⤵
  PID:13332
- C:\Windows\System\aQmnhYu.exe
  C:\Windows\System\aQmnhYu.exe
  2⤵
  PID:13396
- C:\Windows\System\PcCqByX.exe
  C:\Windows\System\PcCqByX.exe
  2⤵
  PID:512
- C:\Windows\System\gbFxGEJ.exe
  C:\Windows\System\gbFxGEJ.exe
  2⤵
  PID:13508
- C:\Windows\System\GsleUgM.exe
  C:\Windows\System\GsleUgM.exe
  2⤵
  PID:13584
- C:\Windows\System\NTYDKPi.exe
  C:\Windows\System\NTYDKPi.exe
  2⤵
  PID:13648
- C:\Windows\System\uIJNPMA.exe
  C:\Windows\System\uIJNPMA.exe
  2⤵
  PID:2356
- C:\Windows\System\HLOjUoB.exe
  C:\Windows\System\HLOjUoB.exe
  2⤵
  PID:13748
- C:\Windows\System\JwUMDdZ.exe
  C:\Windows\System\JwUMDdZ.exe
  2⤵
  PID:13848
- C:\Windows\System\Pqibkds.exe
  C:\Windows\System\Pqibkds.exe
  2⤵
  PID:13884
- C:\Windows\System\nrQxKbR.exe
  C:\Windows\System\nrQxKbR.exe
  2⤵
  PID:1076
- C:\Windows\System\ixvrRKb.exe
  C:\Windows\System\ixvrRKb.exe
  2⤵
  PID:13988
- C:\Windows\System\cgVeoAG.exe
  C:\Windows\System\cgVeoAG.exe
  2⤵
  PID:14028
- C:\Windows\System\wWqNpdP.exe
  C:\Windows\System\wWqNpdP.exe
  2⤵
  PID:14076
- C:\Windows\System\kxFuFtg.exe
  C:\Windows\System\kxFuFtg.exe
  2⤵
  PID:14140
- C:\Windows\System\FNriTqi.exe
  C:\Windows\System\FNriTqi.exe
  2⤵
  PID:14172
- C:\Windows\System\AjjAsfm.exe
  C:\Windows\System\AjjAsfm.exe
  2⤵
  PID:5068
- C:\Windows\System\ybkPZVD.exe
  C:\Windows\System\ybkPZVD.exe
  2⤵
  PID:14276
- C:\Windows\System\vXjczex.exe
  C:\Windows\System\vXjczex.exe
  2⤵
  PID:13108
- C:\Windows\System\sdYWdSn.exe
  C:\Windows\System\sdYWdSn.exe
  2⤵
  PID:1604
- C:\Windows\System\KRduuYJ.exe
  C:\Windows\System\KRduuYJ.exe
  2⤵
  PID:13604
- C:\Windows\System\WmNAlSl.exe
  C:\Windows\System\WmNAlSl.exe
  2⤵
  PID:13716
- C:\Windows\System\UvgURJK.exe
  C:\Windows\System\UvgURJK.exe
  2⤵
  PID:13832
- C:\Windows\System\LqgMfzD.exe
  C:\Windows\System\LqgMfzD.exe
  2⤵
  PID:13944
- C:\Windows\System\iWupVJf.exe
  C:\Windows\System\iWupVJf.exe
  2⤵
  PID:4796
- C:\Windows\System\hMofnJI.exe
  C:\Windows\System\hMofnJI.exe
  2⤵
  PID:2260
- C:\Windows\System\avOWLaL.exe
  C:\Windows\System\avOWLaL.exe
  2⤵
  PID:14220
- C:\Windows\System\poGdHVB.exe
  C:\Windows\System\poGdHVB.exe
  2⤵
  PID:4292
- C:\Windows\System\Lhhkyym.exe
  C:\Windows\System\Lhhkyym.exe
  2⤵
  PID:13556
- C:\Windows\System\tleqygz.exe
  C:\Windows\System\tleqygz.exe
  2⤵
  PID:4520
- C:\Windows\System\jrhbVFM.exe
  C:\Windows\System\jrhbVFM.exe
  2⤵
  PID:1984
- C:\Windows\System\LKQrXne.exe
  C:\Windows\System\LKQrXne.exe
  2⤵
  PID:1720
- C:\Windows\System\tLXYFCd.exe
  C:\Windows\System\tLXYFCd.exe
  2⤵
  PID:14316
- C:\Windows\System\AETyEdg.exe
  C:\Windows\System\AETyEdg.exe
  2⤵
  PID:856
- C:\Windows\System\QzETbKv.exe
  C:\Windows\System\QzETbKv.exe
  2⤵
  PID:4572
- C:\Windows\System\AjbADTg.exe
  C:\Windows\System\AjbADTg.exe
  2⤵
  PID:14132
- C:\Windows\System\uIojCnW.exe
  C:\Windows\System\uIojCnW.exe
  2⤵
  PID:13500
- C:\Windows\System\jzjeHmZ.exe
  C:\Windows\System\jzjeHmZ.exe
  2⤵
  PID:14020
- C:\Windows\System\DWpJKDM.exe
  C:\Windows\System\DWpJKDM.exe
  2⤵
  PID:2588
- C:\Windows\System\NkERcZG.exe
  C:\Windows\System\NkERcZG.exe
  2⤵
  PID:628
- C:\Windows\System\MvLcGNr.exe
  C:\Windows\System\MvLcGNr.exe
  2⤵
  PID:2944
- C:\Windows\System\SDXzvVn.exe
  C:\Windows\System\SDXzvVn.exe
  2⤵
  PID:3500
- C:\Windows\System\kYFquHQ.exe
  C:\Windows\System\kYFquHQ.exe
  2⤵
  PID:14356
- C:\Windows\System\aLBrdyG.exe
  C:\Windows\System\aLBrdyG.exe
  2⤵
  PID:14384
- C:\Windows\System\ysTiImr.exe
  C:\Windows\System\ysTiImr.exe
  2⤵
  PID:14412
- C:\Windows\System\IGTOyxp.exe
  C:\Windows\System\IGTOyxp.exe
  2⤵
  PID:14440
- C:\Windows\System\ptPKWZh.exe
  C:\Windows\System\ptPKWZh.exe
  2⤵
  PID:14468
- C:\Windows\System\uTTEjUP.exe
  C:\Windows\System\uTTEjUP.exe
  2⤵
  PID:14496
- C:\Windows\System\LILezqC.exe
  C:\Windows\System\LILezqC.exe
  2⤵
  PID:14524
- C:\Windows\System\prxiALi.exe
  C:\Windows\System\prxiALi.exe
  2⤵
  PID:14552
- C:\Windows\System\stIljjK.exe
  C:\Windows\System\stIljjK.exe
  2⤵
  PID:14580
- C:\Windows\System\bbTmTYM.exe
  C:\Windows\System\bbTmTYM.exe
  2⤵
  PID:14608
- C:\Windows\System\qGARHmb.exe
  C:\Windows\System\qGARHmb.exe
  2⤵
  PID:14636
- C:\Windows\System\gQCDcgB.exe
  C:\Windows\System\gQCDcgB.exe
  2⤵
  PID:14664
- C:\Windows\System\XYwqDQy.exe
  C:\Windows\System\XYwqDQy.exe
  2⤵
  PID:14692
- C:\Windows\System\pejkFFJ.exe
  C:\Windows\System\pejkFFJ.exe
  2⤵
  PID:14724
- C:\Windows\System\MYphtYg.exe
  C:\Windows\System\MYphtYg.exe
  2⤵
  PID:14752
- C:\Windows\System\pWVRFjm.exe
  C:\Windows\System\pWVRFjm.exe
  2⤵
  PID:14780
- C:\Windows\System\pUxQOuk.exe
  C:\Windows\System\pUxQOuk.exe
  2⤵
  PID:14808
- C:\Windows\System\rZcbjaa.exe
  C:\Windows\System\rZcbjaa.exe
  2⤵
  PID:14836
- C:\Windows\System\wLsSuao.exe
  C:\Windows\System\wLsSuao.exe
  2⤵
  PID:14864
- C:\Windows\System\LjhTbvh.exe
  C:\Windows\System\LjhTbvh.exe
  2⤵
  PID:14892
- C:\Windows\System\SNkriNo.exe
  C:\Windows\System\SNkriNo.exe
  2⤵
  PID:14984
- C:\Windows\System\wbHVMNU.exe
  C:\Windows\System\wbHVMNU.exe
  2⤵
  PID:15160
- C:\Windows\System\ULaYuNb.exe
  C:\Windows\System\ULaYuNb.exe
  2⤵
  PID:15216
- C:\Windows\System\tWbJfto.exe
  C:\Windows\System\tWbJfto.exe
  2⤵
  PID:15300
- C:\Windows\System\fooJSNp.exe
  C:\Windows\System\fooJSNp.exe
  2⤵
  PID:15324
- C:\Windows\System\rUgtkYZ.exe
  C:\Windows\System\rUgtkYZ.exe
  2⤵
  PID:15344
- C:\Windows\System\dWcxfRX.exe
  C:\Windows\System\dWcxfRX.exe
  2⤵
  PID:14404
- C:\Windows\System\AWeIhdK.exe
  C:\Windows\System\AWeIhdK.exe
  2⤵
  PID:14436
- C:\Windows\System\JtWWtMY.exe
  C:\Windows\System\JtWWtMY.exe
  2⤵
  PID:14536

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:1060
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:15088

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:14684

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5860

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5404

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4476

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7456

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7872

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:7652

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5852

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:7044

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5280

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3960

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9228

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10184

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5932

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6864

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6356

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7296

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6316

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7736

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12416

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1544

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13288

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9976

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13892

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9876

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9404

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14568

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7440

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10044

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4016

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6124

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12936

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11576

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7964

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8568

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5104

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:15324

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8412

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8424

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12480

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11472

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12852

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YCLWQ4BV\microsoft.windows[1].xml

Filesize
97B

MD5
781c2d6d1f6f2f8ae243c569925a6c44

SHA1
6d5d26acc2002f5a507bd517051095a97501931b

SHA256
70687e419879f006d0c50c08657c66b1187b94ea216cfe0a2e6be8bd2de77bc8

SHA512
3599fa8f2ffe140a8f68ec735810d24a5b367a9a551d620baa6dc611ca755dce1a662bf22b90f842d499d2c9530fb8acd634d1654d5e2c1b319574cbf35eadf7

Download Submit
C:\Windows\System\CYzmyxd.exe

Filesize
6.0MB

MD5
0a899c288ad436a274656e128945b897

SHA1
d731cd08d1959c4f956dc2b130ed96bde118c76a

SHA256
d8853e29225f77c179597601aad2f34f3dca6bcf8f79492d8c0b4b97c29d9fba

SHA512
aa99791fb5c7eb9938152d5a1abe477eab2a93b5cf87005c7b86df3efccff7623bee79705c59107b6a84e978a85b1329b32cd713095403cdccb98d053490b73e

Download Submit
C:\Windows\System\HYEtxEV.exe

Filesize
6.0MB

MD5
54f45b61827161e2225cd1033e099ab1

SHA1
c86066424a9c9bd4b66f540de400562425d1a774

SHA256
9315b905a3560ed76815f28acb9863d47e1143e0c169e6813a531f44746cbf70

SHA512
099f1757b570f9660c0130ddd5a0e74984e8c852151fe5eea00244277377401755e9d022a1d63eb28eb1562fc5ff65ca014e15d2ad46fde8865e46ccfc91670d

Download Submit
C:\Windows\System\JsvEsLM.exe

Filesize
6.0MB

MD5
1e45345532b6efb77b1d4a0befded6d8

SHA1
e6856ced54b901cead43b3dea24cbf74aa71fdd8

SHA256
cb2738e0bc1502234ddda3833c325457993ca9a13973d9e06e8116387470bafc

SHA512
442c808e9a4e199908f52f32a8adc6a501734bc6f601d08dce0caebde8ead881e139013adcad7074ba2c14d92ff165ce296e85319bcd4c7a0d14a29ba22dc73b

Download Submit
C:\Windows\System\LZlIbpx.exe

Filesize
6.0MB

MD5
122cd4ad3da2f9b762baee31ae30ab9b

SHA1
e634de79bf5b31ae541add501f177a863092e453

SHA256
4725d6e0c6c3bafb1f2d121a5793604093472e0749dad0ac05aa5a5ec1591f3f

SHA512
9c9238fff4ec8771f1ad556738195867da26aa11e1617dff51241395b9ee5322942660d5ebd3052470cf67446aefe9a3f0a941531b66ff6dff9b3d6b92329c65

Download Submit
C:\Windows\System\MMzChlp.exe

Filesize
6.0MB

MD5
d43353d8b0ad5078ff24c6b86c39077c

SHA1
30ceea28a531377409c15e61ee12772b24425d86

SHA256
292c49add5e795994131547e7e1f6299636b46cc3b90c0b285bae3dc7455f0ae

SHA512
62d9725bffd3b13c5d3b4970c94d19ecb816604921ea40b5239461ac159da9a7fc4e5be966531712d28b4f6562998e4320216cb9c262e8af25cb2738786aaf96

Download Submit
C:\Windows\System\MbuCHdj.exe

Filesize
6.0MB

MD5
5939630b1d5bd34fb1fc44252983cb54

SHA1
c73e9cfec1547a9212d0e289e6e57c3e76c18948

SHA256
ce32d8b3a3e256e1cc9d1e7498fbaf24730e1535eed30e1ca34c8b6ba4faf5b8

SHA512
3ec6de60f8db7947b3378e4a47ea972335f99b3f6b3345be910500de58d69c9b3690ad394c29faf26f642a144eafe92fb7d3dd4f3dd3a4a97a6e1596b4b1395a

Download Submit
C:\Windows\System\NgAGvoX.exe

Filesize
6.0MB

MD5
5e497f7fc31ee24abc2ed2c2cb0ad6d7

SHA1
eed95a47a56a2c55fdcec8cb34f7ba00d925eeb2

SHA256
4965c665e000e580a6a70375c3956d74ae7850c34c8dd81a012d972f6705cb01

SHA512
7223a0ff7e7e8bdd1a8208e65ae1ed4c5934b570774089abd2d5faf8755e6042bd9c372c25a41767a9d677703ba9e3f020bb1bcf1a023e93d14eb2bf3baf7119

Download Submit
C:\Windows\System\NnNmuOF.exe

Filesize
6.0MB

MD5
bf690e6ae77168e3c36822b9539ca083

SHA1
9c45f53621886923594c5a0b45e41c56d284973c

SHA256
ca87964b2c9a24b7a01f0828ae984a6a5552ba00dfd40e3beeada60fa055c856

SHA512
cb2caebf0590cca4eea4373d39a97b943c4deb83ec0ed6b914fd7958cf18ac082b98c6e49dbaaf413c4c83b42730c6d4ec757006d175b66214d99d16ae1f0f59

Download Submit
C:\Windows\System\NwouCUZ.exe

Filesize
6.0MB

MD5
632ee396744e055684933fae437e56ac

SHA1
9b640e7d135b12b527354be4d57f3f3c6d335108

SHA256
faa4c6a8c15c5da1cc921ee00a237ecd9c3c425b047dbf474c11613aa003d7e3

SHA512
0b5586466b711210407b5bdebd5c0b71ee6ac905a87b821388d4500092a7e8d9978f8bdbe3b5162604ffa5fa187fc9904fa1872098843eb264edd420b57432ef

Download Submit
C:\Windows\System\OiSGhZv.exe

Filesize
6.0MB

MD5
fd66db80117244e4b26f936cd65b94c7

SHA1
51d1a709d11436f5638e51fd36cfd7b35bc3bee2

SHA256
7014e712048a91454af2b5ce7adc5c5ab7f7f9f6264544a71522bfa36c1a8df7

SHA512
1e7ce19d8c9563ff13fbce8f50b0ee39de4f2d1afe91c48032e91a53d95a8c3b276da42af29a7dce88a2f049f79d1a60151b36e5ec2f658f9093d3d9c5c20e19

Download Submit
C:\Windows\System\PhJMQIE.exe

Filesize
6.0MB

MD5
04c1d562a046d99a87b6c08d84e9d8dd

SHA1
e471df25b77729695c57fcc72adaac0fb98d2e79

SHA256
b4610d18df828eb5be23bb8041f857b4a9c9741ad8ab794dc6eb735a3a75b2ec

SHA512
b50cabea2fee3cc7e1fcd52c90453af2c22b904c67f262fb74f75f57467e649369c66f1b76aa93f0b7065e5d075fce6d3c228305debd31257b9f2b3251ef4a0f

Download Submit
C:\Windows\System\QalYDiv.exe

Filesize
6.0MB

MD5
39f495ee09c8419bf1f2ed2ec8479aa1

SHA1
524b8188261f24f6ddb4b5ec8a6e2032f7e7d638

SHA256
f07efa97bf3565821b7d58c691d2598556d3c585436275d0e9c1e4ed4b6163be

SHA512
2af7bd630397fe29c9c5125a2da90f064e16cd8100e3de2b7591ebf22ceb59f910bdef84e65be7bfe7fa69307cf990aed638bdcfbea135354331814ba1d36a1d

Download Submit
C:\Windows\System\ZzIYYCI.exe

Filesize
6.0MB

MD5
14ea16cd9c6d6ac5402ce36ffbac047e

SHA1
ec05aeb527ffc4cfb0dae34a8176b43173d5d08e

SHA256
3a83d87ad22d7eb1b7cc43eb0b2426c7093ae54bf9fd1216e4d12a163fdf161d

SHA512
22a5a416370ab31c19afa5feca9aaa24ffd3f420418bc19b8ac3ae412214a1d56e0cf637d23019163d40dcd2bc815984657a2930ecdd5d3563bae188783c0e60

Download Submit
C:\Windows\System\aWhuoDc.exe

Filesize
6.0MB

MD5
2c11ee80b78324e87ba72ff0418bc7c6

SHA1
45b6a1e28b95c22ece689889041ef6305001e456

SHA256
355e3620ba7db14d8468683be5c8688d88d2bb52e26d22c6dd4e2280a3c37f2e

SHA512
c3b8fe1176c6f515cd8174c1c14194c028574a69e1a0de7f1c0b79970e1c995eadc253d3f348a4eec003a0c54c8910709803e3829fa58365744ce914490ee87b

Download Submit
C:\Windows\System\eXcZQyc.exe

Filesize
6.0MB

MD5
8de1f4605052de6485a4ff4fad5a4a9f

SHA1
ac0a74eb67ef1fa3d3d8ec322e63c68d8fc1b1f3

SHA256
520b3736c8e21ece8dbd64a3c2efd1b4e24162969cb4ade19436e802f43fc812

SHA512
d7c694512f30d620e649b134dac050aa3564a866bab7d489ce71d384df0c31b8e6106ceb46876b2239fb22d91a119d45f266bf8e40ca5c4afb6bbf69ed43eea3

Download Submit
C:\Windows\System\fsDcvrj.exe

Filesize
6.0MB

MD5
028d06201467807190f09a30082edcba

SHA1
157b2a383657bc600514098675900f8b217c0007

SHA256
1eb7405c1527866d209d6a500c8d9e3be4f7c27a9f17638b2ca736da56c04a47

SHA512
b3515bec8e2ecfb03701e09eba4d0b05eb0efe8a882fe827bcf2950626a70270904cdbcc924fbb83b8d7c1f4a2008f1122f448d1362e6a066b354da1d888ec78

Download Submit
C:\Windows\System\hXCmbQm.exe

Filesize
6.0MB

MD5
1e4eeae090a99b9c4dc735d19b5af44d

SHA1
e9085eb846c770b80f126d7137dca7b217ae2795

SHA256
92963d3b10d4f868f4b2ce3334d612975230f32584f96319caf8a230e70f51f1

SHA512
db78dda3f110a87d7678d058703810d2d9416601e739144c486aa4829969edc27a2765fb46362eb8729b000c640f330be4c3ab883217992fbec8475b2774eed4

Download Submit
C:\Windows\System\iCVlEbf.exe

Filesize
6.0MB

MD5
48cccfb8c69cb44530340edcd916767b

SHA1
4d2d273db0acf5e7b52fbe5a7719792f30683adc

SHA256
03df24b5ab649fc61320a44f3d1c68d83ddb57abc3ed19752426d1e0bfeaf9ec

SHA512
7edef59a9af2e7c3e35b807bc7de62d680ab8db0ab5bd1cdc58f404a0cb62415dc093385e23c2e17f259f1de9546033a94c06e3138d5bb4191384b47ade9b57f

Download Submit
C:\Windows\System\jcMmhVH.exe

Filesize
6.0MB

MD5
46a95a5562fb710e1caf7d2caca37980

SHA1
f00988d478fd19d4683ce9453b6a1f73a6c373ac

SHA256
8b39eda1e92824c04a5344bc6a00833a7af6acc79c2b41e36a6bd57a35ae6517

SHA512
f8779fccf315f4ad9f60155a93e8ab122791821a63612e0036e1f9f0b1cb88ee51ea8a2781500189166f01ea1752b3c83cac826f50e8c7328835f56c372a0204

Download Submit
C:\Windows\System\jiAnGLX.exe

Filesize
6.0MB

MD5
8e70b63fd308436bca1e53f079349096

SHA1
48a7062155519fe1a47f0f25ef5a763aab734030

SHA256
10ee128874af801d71391035f74567d8e36272ef66b042c94844d83ff6b352c9

SHA512
c4f7a8a102f5ff5bb022f34429006656cdc1ae22571c575c91b2d284372c620caca339416b68046947c295d0d93972eb6896e1034e15134adbd9e22fff96da01

Download Submit
C:\Windows\System\lchrUDb.exe

Filesize
6.0MB

MD5
2b5b7f7ab84a9f5a86d8230ad17d54f6

SHA1
52e59d47f898576ddc3e06cb61e752a29ebd5a6d

SHA256
6f3cf84e815c173c1ce106475004a37e7009f1539018d7f879f74e5c1339c7ac

SHA512
6602dec555816f176bbeddd14ea70c7f71bf21cb8c1677aaf1a348e50e659fc39593e2bb37aeb610e3e81944bc9d832789270d5f8a8fb25e75036e0d9e6acad0

Download Submit
C:\Windows\System\lwACowH.exe

Filesize
6.0MB

MD5
b6a606706b5d7db3cc7c5896296f29c3

SHA1
079303480606dcd68df088670f2a90b99ca6e999

SHA256
1a551a90e36dbcd5d5260a51aa33969c1d9d13ec7db74e8ed615da284eaf8e64

SHA512
165d16e3357296a4607191e14212b986fb87390615652321e9404bbd7b3d22178121515509ecff57ad8c40ad27f98116db455b85bbae06e679df1ff27cee3df4

Download Submit
C:\Windows\System\mbHFQiv.exe

Filesize
6.0MB

MD5
57021d02f3cebd38ca296c5151998a43

SHA1
42b4f903f60346eed3e757d758403ba81934f021

SHA256
f15283e8a3305ce98efad3dd197554f6f2e804dd8f319b31e94524f847f0839c

SHA512
153f487483f47650f10ec5ed8db4870867295538c5f12e3b87638ead3a0d5a7a11a9aa13d738eadada3e19386169fe85da7da783bf9cad0befe352977535ed8b

Download Submit
C:\Windows\System\nZpjTdq.exe

Filesize
6.0MB

MD5
d32be44265ebf91ce02fcdce140e1f32

SHA1
f45e0e8a8a19103bdf1e7ea1a1d7ae5a981eacd8

SHA256
65d9afe0ec76fa32ead338aa85f0fa1f4eccdbedc35ec71aa91dd71ab41319ec

SHA512
2433638b1d8e700b971f4a0d03bd120f5d4b8af75c832611cf41ab3f949c2e78b4194e048c0a2b3db3d2cafa049cca2a688b7030c9175a2fca6f26bcd6a0e91a

Download Submit
C:\Windows\System\slcbecG.exe

Filesize
6.0MB

MD5
4daa0e49fa65afc93ddc0539b8fcd7d4

SHA1
5388417108c282dd350c659f5e20bec505b5f235

SHA256
cfdb25c67b31f8308e81848ee1d42507ae171ae61a09d2cb6bacee3f7550cd78

SHA512
d847d5315094115654ed6556bdf937b67c8f47627bf971c311d935fda3f5e441c714cc9842fe5c215cd3915337c237fd65a08c95855894bfd6a982c9e637f19c

Download Submit
C:\Windows\System\vDKvhfS.exe

Filesize
6.0MB

MD5
40cdc30cb277f62e72ad106a6a9b4d67

SHA1
9fa7c514b5b2042f948dcc9d7dbe15a9c2ad369d

SHA256
6a4429afb1b8e4bb3ac6884546cd46b71a579c351358c858ee3795a07d6d644c

SHA512
88aa345be05cae2588639e6af67af1e9656f6703f349a8c9df2c763eb082e61c7a4a2ca752c485001317275ff65b3eb0e2934dbff21a8bd4510d189eb751db95

Download Submit
C:\Windows\System\vEylmrF.exe

Filesize
6.0MB

MD5
eabf72e06c869d2e09eb03cddd372576

SHA1
8c92f3aec8b2cb3243a90a18b3df06df8be11773

SHA256
b6753365da04594e99d7b6d39ddc900d6f814fc350e3e327982a255d97cd9fd1

SHA512
c2766bf8ee57302bd44e1970e3fc6c5b8c967d8432b2198cf47e3c65aac0cbf3cec8055b05d097b7f204d29b764f12ec8806b48ebc84985af4efd8856d31f9be

Download Submit
C:\Windows\System\xvsGBTa.exe

Filesize
6.0MB

MD5
c3cb00bdb30372a4314372f0807c9ce4

SHA1
c05f0e6ab614e57503359309de5c30b887059c14

SHA256
eaa02010a94cabeb7949838ae950cd5b3ef1c39e96120ce65b18299af5b66043

SHA512
a034be92c62e3035df137bc07cb57a4b90ec9b6decbc04a71700310130dae49b44858f5a76a76bed4f262f796379043f94b7581725baad0cf7b1f9e9296c4169

Download Submit
C:\Windows\System\xyRKRaP.exe

Filesize
6.0MB

MD5
e0bf3b94caa6845b8424ccb7ca879c63

SHA1
81822465958f69320a0b3f57163774264205e60b

SHA256
30c08581199d0e0e5138e007c4a88f10438de1887f0200e7a3dd012af1461c0e

SHA512
330584069212d8987c96359b0a02e822981da4838306cfc40804fa2c234807bbf2ae3bc2cbe00b7a10db04b1e04acdd39bfd4e79494bdd11fab1b1364bac0710

Download Submit
C:\Windows\System\ylUSTNF.exe

Filesize
6.0MB

MD5
29ffa43676147dbbf6268698166cb270

SHA1
3b35a6f2c44f2111b43149a50fe9a9613c617c7d

SHA256
0300f711d328661e852a4891658ed22ff40ffbe9a65287f918d6c08aaa59d6c0

SHA512
b43ce5599a104d1002833fda285f4e014ab60bb8c6a8cb1ffdc4a673938e36bd76f3378991ffb28eb7e9048252b5f24c79630653c339e2735e514860486a3c21

Download Submit
C:\Windows\System\zLmujIg.exe

Filesize
6.0MB

MD5
262e34f8a5f6cff8e7d54a78d371f75e

SHA1
d739837ee4e46fe3fbe255fd18e56cc20c896ed9

SHA256
90f2fd66da6475cdbfca4aa13c8af83ba4bd1cc402e6c38b0450649d57422fff

SHA512
e0ea6beb45615051cda0d333055e31a7bc5a11dfe131e463ad30ddecc55a01d7532a9706be9b8389da3da0f8ddca8ad893573be683283703115a7b535802a4e8

Download Submit
C:\Windows\System\zfGPpTM.exe

Filesize
6.0MB

MD5
5d8641069f3ef1986f27dc83e4681908

SHA1
afa836b7aac83a8e57ced3e869c11dbda681f84e

SHA256
7ed38cb8de3c49c6082b9989cf2f3184764411f46852902c65dad0017c4514fc

SHA512
6d30f98fcdbc84360b611efdeeff70e55748d14861b29ceae1b87ebebd6ecefeb83132858977ba92e64b76a1e8f27ded415d08ed43189103593ca291113c5222

Download Submit
memory/60-1604-0x00007FF61D100000-0x00007FF61D454000-memory.dmp

Filesize
3.3MB

Download
memory/60-38-0x00007FF61D100000-0x00007FF61D454000-memory.dmp

Filesize
3.3MB

Download
memory/348-139-0x00007FF617920000-0x00007FF617C74000-memory.dmp

Filesize
3.3MB

Download
memory/348-37-0x00007FF617920000-0x00007FF617C74000-memory.dmp

Filesize
3.3MB

Download
memory/348-1610-0x00007FF617920000-0x00007FF617C74000-memory.dmp

Filesize
3.3MB

Download
memory/532-159-0x00007FF73D300000-0x00007FF73D654000-memory.dmp

Filesize
3.3MB

Download
memory/684-1615-0x00007FF6DB030000-0x00007FF6DB384000-memory.dmp

Filesize
3.3MB

Download
memory/684-42-0x00007FF6DB030000-0x00007FF6DB384000-memory.dmp

Filesize
3.3MB

Download
memory/684-140-0x00007FF6DB030000-0x00007FF6DB384000-memory.dmp

Filesize
3.3MB

Download
memory/976-1614-0x00007FF6A2BB0000-0x00007FF6A2F04000-memory.dmp

Filesize
3.3MB

Download
memory/976-46-0x00007FF6A2BB0000-0x00007FF6A2F04000-memory.dmp

Filesize
3.3MB

Download
memory/1104-165-0x00007FF7DE1B0000-0x00007FF7DE504000-memory.dmp

Filesize
3.3MB

Download
memory/1104-1626-0x00007FF7DE1B0000-0x00007FF7DE504000-memory.dmp

Filesize
3.3MB

Download
memory/1104-63-0x00007FF7DE1B0000-0x00007FF7DE504000-memory.dmp

Filesize
3.3MB

Download
memory/1120-1648-0x00007FF757230000-0x00007FF757584000-memory.dmp

Filesize
3.3MB

Download
memory/1120-104-0x00007FF757230000-0x00007FF757584000-memory.dmp

Filesize
3.3MB

Download
memory/1216-126-0x00007FF7F34D0000-0x00007FF7F3824000-memory.dmp

Filesize
3.3MB

Download
memory/1216-234-0x00007FF7F34D0000-0x00007FF7F3824000-memory.dmp

Filesize
3.3MB

Download
memory/1280-97-0x00007FF60CE00000-0x00007FF60D154000-memory.dmp

Filesize
3.3MB

Download
memory/1280-1645-0x00007FF60CE00000-0x00007FF60D154000-memory.dmp

Filesize
3.3MB

Download
memory/1424-2324-0x00007FF69A9F0000-0x00007FF69AD44000-memory.dmp

Filesize
3.3MB

Download
memory/1424-470-0x00007FF69A9F0000-0x00007FF69AD44000-memory.dmp

Filesize
3.3MB

Download
memory/1424-160-0x00007FF69A9F0000-0x00007FF69AD44000-memory.dmp

Filesize
3.3MB

Download
memory/1428-145-0x00007FF623490000-0x00007FF6237E4000-memory.dmp

Filesize
3.3MB

Download
memory/1428-405-0x00007FF623490000-0x00007FF6237E4000-memory.dmp

Filesize
3.3MB

Download
memory/1428-2315-0x00007FF623490000-0x00007FF6237E4000-memory.dmp

Filesize
3.3MB

Download
memory/1776-2406-0x00007FF6AD870000-0x00007FF6ADBC4000-memory.dmp

Filesize
3.3MB

Download
memory/1776-178-0x00007FF6AD870000-0x00007FF6ADBC4000-memory.dmp

Filesize
3.3MB

Download
memory/1776-600-0x00007FF6AD870000-0x00007FF6ADBC4000-memory.dmp

Filesize
3.3MB

Download
memory/1828-191-0x00007FF7BE5C0000-0x00007FF7BE914000-memory.dmp

Filesize
3.3MB

Download
memory/1828-2405-0x00007FF7BE5C0000-0x00007FF7BE914000-memory.dmp

Filesize
3.3MB

Download
memory/2016-103-0x00007FF7D9010000-0x00007FF7D9364000-memory.dmp

Filesize
3.3MB

Download
memory/2016-1642-0x00007FF7D9010000-0x00007FF7D9364000-memory.dmp

Filesize
3.3MB

Download
memory/2624-0-0x00007FF6C7220000-0x00007FF6C7574000-memory.dmp

Filesize
3.3MB

Download
memory/2624-112-0x00007FF6C7220000-0x00007FF6C7574000-memory.dmp

Filesize
3.3MB

Download
memory/2624-1-0x0000020847D20000-0x0000020847D30000-memory.dmp

Filesize
64KB

Download
memory/2840-119-0x00007FF7DB790000-0x00007FF7DBAE4000-memory.dmp

Filesize
3.3MB

Download
memory/2840-1586-0x00007FF7DB790000-0x00007FF7DBAE4000-memory.dmp

Filesize
3.3MB

Download
memory/2840-6-0x00007FF7DB790000-0x00007FF7DBAE4000-memory.dmp

Filesize
3.3MB

Download
memory/3144-404-0x00007FF736B70000-0x00007FF736EC4000-memory.dmp

Filesize
3.3MB

Download
memory/3144-141-0x00007FF736B70000-0x00007FF736EC4000-memory.dmp

Filesize
3.3MB

Download
memory/3384-1605-0x00007FF755E10000-0x00007FF756164000-memory.dmp

Filesize
3.3MB

Download
memory/3384-131-0x00007FF755E10000-0x00007FF756164000-memory.dmp

Filesize
3.3MB

Download
memory/3384-27-0x00007FF755E10000-0x00007FF756164000-memory.dmp

Filesize
3.3MB

Download
memory/3608-94-0x00007FF6558D0000-0x00007FF655C24000-memory.dmp

Filesize
3.3MB

Download
memory/3608-1638-0x00007FF6558D0000-0x00007FF655C24000-memory.dmp

Filesize
3.3MB

Download
memory/3884-108-0x00007FF67C3F0000-0x00007FF67C744000-memory.dmp

Filesize
3.3MB

Download
memory/3884-233-0x00007FF67C3F0000-0x00007FF67C744000-memory.dmp

Filesize
3.3MB

Download
memory/3928-1646-0x00007FF7A0940000-0x00007FF7A0C94000-memory.dmp

Filesize
3.3MB

Download
memory/3928-187-0x00007FF7A0940000-0x00007FF7A0C94000-memory.dmp

Filesize
3.3MB

Download
memory/3928-87-0x00007FF7A0940000-0x00007FF7A0C94000-memory.dmp

Filesize
3.3MB

Download
memory/4008-665-0x00007FF6E6990000-0x00007FF6E6CE4000-memory.dmp

Filesize
3.3MB

Download
memory/4008-180-0x00007FF6E6990000-0x00007FF6E6CE4000-memory.dmp

Filesize
3.3MB

Download
memory/4008-2407-0x00007FF6E6990000-0x00007FF6E6CE4000-memory.dmp

Filesize
3.3MB

Download
memory/4100-1635-0x00007FF66C680000-0x00007FF66C9D4000-memory.dmp

Filesize
3.3MB

Download
memory/4100-173-0x00007FF66C680000-0x00007FF66C9D4000-memory.dmp

Filesize
3.3MB

Download
memory/4100-68-0x00007FF66C680000-0x00007FF66C9D4000-memory.dmp

Filesize
3.3MB

Download
memory/4172-120-0x00007FF6B8450000-0x00007FF6B87A4000-memory.dmp

Filesize
3.3MB

Download
memory/4172-1613-0x00007FF6B8450000-0x00007FF6B87A4000-memory.dmp

Filesize
3.3MB

Download
memory/4172-34-0x00007FF6B8450000-0x00007FF6B87A4000-memory.dmp

Filesize
3.3MB

Download
memory/4376-154-0x00007FF707290000-0x00007FF7075E4000-memory.dmp

Filesize
3.3MB

Download
memory/4492-1594-0x00007FF72B090000-0x00007FF72B3E4000-memory.dmp

Filesize
3.3MB

Download
memory/4492-115-0x00007FF72B090000-0x00007FF72B3E4000-memory.dmp

Filesize
3.3MB

Download
memory/4492-18-0x00007FF72B090000-0x00007FF72B3E4000-memory.dmp

Filesize
3.3MB

Download
memory/4512-166-0x00007FF7D5E90000-0x00007FF7D61E4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-102-0x00007FF7C8990000-0x00007FF7C8CE4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-1650-0x00007FF7C8990000-0x00007FF7C8CE4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-190-0x00007FF7C8990000-0x00007FF7C8CE4000-memory.dmp

Filesize
3.3MB

Download
memory/4720-128-0x00007FF713E70000-0x00007FF7141C4000-memory.dmp

Filesize
3.3MB

Download
memory/4720-403-0x00007FF713E70000-0x00007FF7141C4000-memory.dmp

Filesize
3.3MB

Download
memory/4908-1624-0x00007FF7BCB10000-0x00007FF7BCE64000-memory.dmp

Filesize
3.3MB

Download
memory/4908-61-0x00007FF7BCB10000-0x00007FF7BCE64000-memory.dmp

Filesize
3.3MB

Download
memory/4908-169-0x00007FF7BCB10000-0x00007FF7BCE64000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads