cobaltstrike | 110b535501a888b8f76a16bb6fca0d4470d3d610bdc9b8972c2f60b5c4df2719

Analysis

max time kernel
84s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2025, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
Size

6.0MB
MD5

5e08c240f61bf21310b6ec5b503c4711
SHA1

23effe95fb665f8c3067c01569489366307e2ead
SHA256

110b535501a888b8f76a16bb6fca0d4470d3d610bdc9b8972c2f60b5c4df2719
SHA512

87a18115bc07b9bfee978cefae7e13ec91d40f28e5796e5afcadaaacdb6e83cfb7344f2d80133543d209d1383ed7e4fa58414fdf8de557c16d442de08d172ca2
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lU2:T+q56utgpPF8u/72

Score

10^/10

cobaltstrike xmrig 0 backdoor miner persistence trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 33 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b10-4.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b75-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b77-21.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-39.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-64.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-61.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-59.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b78-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-37.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b76-24.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-70.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b73-79.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-83.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-108.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-116.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-126.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-136.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-134.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-124.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-109.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-178.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-192.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-194.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-205.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-202.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-187.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-185.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-155.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-153.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-151.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-97.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4256-0-0x00007FF688420000-0x00007FF688774000-memory.dmp	xmrig
behavioral2/files/0x000c000000023b10-4.dat	xmrig
behavioral2/memory/3656-7-0x00007FF7A8FD0000-0x00007FF7A9324000-memory.dmp	xmrig
behavioral2/files/0x000b000000023b75-11.dat	xmrig
behavioral2/memory/4652-13-0x00007FF618440000-0x00007FF618794000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b77-21.dat	xmrig
behavioral2/files/0x000a000000023b7b-39.dat	xmrig
behavioral2/files/0x000a000000023b7a-50.dat	xmrig
behavioral2/memory/3216-58-0x00007FF786B30000-0x00007FF786E84000-memory.dmp	xmrig
behavioral2/memory/1600-63-0x00007FF758F20000-0x00007FF759274000-memory.dmp	xmrig
behavioral2/memory/3704-67-0x00007FF6DAFC0000-0x00007FF6DB314000-memory.dmp	xmrig
behavioral2/memory/3352-68-0x00007FF7A7EE0000-0x00007FF7A8234000-memory.dmp	xmrig
behavioral2/memory/5048-66-0x00007FF687BD0000-0x00007FF687F24000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b7e-64.dat	xmrig
behavioral2/files/0x000a000000023b7d-61.dat	xmrig
behavioral2/files/0x000a000000023b7c-59.dat	xmrig
behavioral2/memory/1928-56-0x00007FF73E1D0000-0x00007FF73E524000-memory.dmp	xmrig
behavioral2/memory/3948-45-0x00007FF68E6F0000-0x00007FF68EA44000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b78-41.dat	xmrig
behavioral2/files/0x000a000000023b79-37.dat	xmrig
behavioral2/memory/2500-34-0x00007FF630C00000-0x00007FF630F54000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b76-24.dat	xmrig
behavioral2/memory/4576-20-0x00007FF725C00000-0x00007FF725F54000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b7f-70.dat	xmrig
behavioral2/memory/720-72-0x00007FF783520000-0x00007FF783874000-memory.dmp	xmrig
behavioral2/memory/3136-78-0x00007FF6CA6C0000-0x00007FF6CAA14000-memory.dmp	xmrig
behavioral2/files/0x000b000000023b73-79.dat	xmrig
behavioral2/files/0x000a000000023b80-83.dat	xmrig
behavioral2/memory/3152-84-0x00007FF6FEAF0000-0x00007FF6FEE44000-memory.dmp	xmrig
behavioral2/memory/4256-89-0x00007FF688420000-0x00007FF688774000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b81-95.dat	xmrig
behavioral2/memory/4652-103-0x00007FF618440000-0x00007FF618794000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b84-108.dat	xmrig
behavioral2/files/0x000a000000023b85-116.dat	xmrig
behavioral2/files/0x000a000000023b87-126.dat	xmrig
behavioral2/files/0x000a000000023b89-136.dat	xmrig
behavioral2/files/0x000a000000023b88-134.dat	xmrig
behavioral2/files/0x000a000000023b86-124.dat	xmrig
behavioral2/files/0x000a000000023b83-109.dat	xmrig
behavioral2/memory/4576-105-0x00007FF725C00000-0x00007FF725F54000-memory.dmp	xmrig
behavioral2/memory/4240-101-0x00007FF7FB230000-0x00007FF7FB584000-memory.dmp	xmrig
behavioral2/memory/3656-99-0x00007FF7A8FD0000-0x00007FF7A9324000-memory.dmp	xmrig
behavioral2/memory/2412-148-0x00007FF73C690000-0x00007FF73C9E4000-memory.dmp	xmrig
behavioral2/memory/628-157-0x00007FF62E010000-0x00007FF62E364000-memory.dmp	xmrig
behavioral2/memory/1652-159-0x00007FF6F5E70000-0x00007FF6F61C4000-memory.dmp	xmrig
behavioral2/memory/1716-165-0x00007FF6FFC70000-0x00007FF6FFFC4000-memory.dmp	xmrig
behavioral2/memory/3644-164-0x00007FF715BB0000-0x00007FF715F04000-memory.dmp	xmrig
behavioral2/memory/1928-163-0x00007FF73E1D0000-0x00007FF73E524000-memory.dmp	xmrig
behavioral2/memory/3948-162-0x00007FF68E6F0000-0x00007FF68EA44000-memory.dmp	xmrig
behavioral2/memory/2500-161-0x00007FF630C00000-0x00007FF630F54000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b8f-178.dat	xmrig
behavioral2/files/0x000a000000023b90-192.dat	xmrig
behavioral2/files/0x000a000000023b91-194.dat	xmrig
behavioral2/files/0x000a000000023b93-205.dat	xmrig
behavioral2/files/0x000a000000023b92-202.dat	xmrig
behavioral2/memory/2360-191-0x00007FF6E2300000-0x00007FF6E2654000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b8e-187.dat	xmrig
behavioral2/files/0x000a000000023b8d-185.dat	xmrig
behavioral2/memory/2348-184-0x00007FF782E40000-0x00007FF783194000-memory.dmp	xmrig
behavioral2/memory/2612-183-0x00007FF7B0530000-0x00007FF7B0884000-memory.dmp	xmrig
behavioral2/memory/1600-180-0x00007FF758F20000-0x00007FF759274000-memory.dmp	xmrig
behavioral2/memory/3216-179-0x00007FF786B30000-0x00007FF786E84000-memory.dmp	xmrig
behavioral2/memory/3992-160-0x00007FF771BF0000-0x00007FF771F44000-memory.dmp	xmrig
behavioral2/memory/4460-158-0x00007FF6038B0000-0x00007FF603C04000-memory.dmp	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
3656	lvyRWYa.exe
4652	bDOrzEP.exe
4576	YXfDknq.exe
2500	bPBoVXx.exe
5048	JDYtVCl.exe
3948	XrlEKig.exe
3704	sClAqEI.exe
1928	tadoUKj.exe
3352	nQyAEuj.exe
3216	KIjYmYU.exe
1600	fijAKUX.exe
720	qUYYHOo.exe
3136	LJrUvaA.exe
3152	QeadGRB.exe
2376	SIGTwMG.exe
4240	oENfJDM.exe
2036	NoXfDlL.exe
3644	QzaIXKw.exe
2412	pqeqcUn.exe
4052	NupiCVe.exe
4896	TKYTEeP.exe
628	RBRAQqX.exe
4460	EznDYpL.exe
1652	ONYKAam.exe
1716	QFkDddX.exe
3992	PilcIjz.exe
2612	wfBUYdY.exe
2348	KiHIpHR.exe
2360	SGKzZkH.exe
1060	nGsfEeV.exe
2796	DtpxTWo.exe
4252	hVUAXTz.exe
4704	rFkYPrV.exe
3996	EMjjHph.exe
4936	ZRQCYGk.exe
1700	MYrnWfP.exe
1808	sxQhsPK.exe
536	tazaQDH.exe
3900	uSnfNvy.exe
5068	QdJGrwj.exe
3420	WBonQZv.exe
4844	FVAdtAJ.exe
4876	NHqyVMA.exe
4760	BgUVeZk.exe
4000	ukLImJj.exe
3684	uxgdTXR.exe
3952	zWPMcUL.exe
3028	VjweXAo.exe
1540	tXDmTJk.exe
2216	RhliUML.exe
4780	qauQKdT.exe
1376	xAfigDA.exe
2808	yjZnzFx.exe
2020	eBdiiEt.exe
4320	SOEtEXc.exe
4904	tIvjEaX.exe
2480	skgjTZr.exe
1936	dMoJjgb.exe
744	YuIZOnh.exe
464	DjAyxQZ.exe
3928	dRQFtNO.exe
1536	XlBpFzP.exe
4684	vPxTGXo.exe
4336	NqFSFXs.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4256-0-0x00007FF688420000-0x00007FF688774000-memory.dmp	upx
behavioral2/files/0x000c000000023b10-4.dat	upx
behavioral2/memory/3656-7-0x00007FF7A8FD0000-0x00007FF7A9324000-memory.dmp	upx
behavioral2/files/0x000b000000023b75-11.dat	upx
behavioral2/memory/4652-13-0x00007FF618440000-0x00007FF618794000-memory.dmp	upx
behavioral2/files/0x000a000000023b77-21.dat	upx
behavioral2/files/0x000a000000023b7b-39.dat	upx
behavioral2/files/0x000a000000023b7a-50.dat	upx
behavioral2/memory/3216-58-0x00007FF786B30000-0x00007FF786E84000-memory.dmp	upx
behavioral2/memory/1600-63-0x00007FF758F20000-0x00007FF759274000-memory.dmp	upx
behavioral2/memory/3704-67-0x00007FF6DAFC0000-0x00007FF6DB314000-memory.dmp	upx
behavioral2/memory/3352-68-0x00007FF7A7EE0000-0x00007FF7A8234000-memory.dmp	upx
behavioral2/memory/5048-66-0x00007FF687BD0000-0x00007FF687F24000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-64.dat	upx
behavioral2/files/0x000a000000023b7d-61.dat	upx
behavioral2/files/0x000a000000023b7c-59.dat	upx
behavioral2/memory/1928-56-0x00007FF73E1D0000-0x00007FF73E524000-memory.dmp	upx
behavioral2/memory/3948-45-0x00007FF68E6F0000-0x00007FF68EA44000-memory.dmp	upx
behavioral2/files/0x000a000000023b78-41.dat	upx
behavioral2/files/0x000a000000023b79-37.dat	upx
behavioral2/memory/2500-34-0x00007FF630C00000-0x00007FF630F54000-memory.dmp	upx
behavioral2/files/0x000a000000023b76-24.dat	upx
behavioral2/memory/4576-20-0x00007FF725C00000-0x00007FF725F54000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-70.dat	upx
behavioral2/memory/720-72-0x00007FF783520000-0x00007FF783874000-memory.dmp	upx
behavioral2/memory/3136-78-0x00007FF6CA6C0000-0x00007FF6CAA14000-memory.dmp	upx
behavioral2/files/0x000b000000023b73-79.dat	upx
behavioral2/files/0x000a000000023b80-83.dat	upx
behavioral2/memory/3152-84-0x00007FF6FEAF0000-0x00007FF6FEE44000-memory.dmp	upx
behavioral2/memory/4256-89-0x00007FF688420000-0x00007FF688774000-memory.dmp	upx
behavioral2/files/0x000a000000023b81-95.dat	upx
behavioral2/memory/4652-103-0x00007FF618440000-0x00007FF618794000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-108.dat	upx
behavioral2/files/0x000a000000023b85-116.dat	upx
behavioral2/files/0x000a000000023b87-126.dat	upx
behavioral2/files/0x000a000000023b89-136.dat	upx
behavioral2/files/0x000a000000023b88-134.dat	upx
behavioral2/files/0x000a000000023b86-124.dat	upx
behavioral2/files/0x000a000000023b83-109.dat	upx
behavioral2/memory/4576-105-0x00007FF725C00000-0x00007FF725F54000-memory.dmp	upx
behavioral2/memory/4240-101-0x00007FF7FB230000-0x00007FF7FB584000-memory.dmp	upx
behavioral2/memory/3656-99-0x00007FF7A8FD0000-0x00007FF7A9324000-memory.dmp	upx
behavioral2/memory/2412-148-0x00007FF73C690000-0x00007FF73C9E4000-memory.dmp	upx
behavioral2/memory/628-157-0x00007FF62E010000-0x00007FF62E364000-memory.dmp	upx
behavioral2/memory/1652-159-0x00007FF6F5E70000-0x00007FF6F61C4000-memory.dmp	upx
behavioral2/memory/1716-165-0x00007FF6FFC70000-0x00007FF6FFFC4000-memory.dmp	upx
behavioral2/memory/3644-164-0x00007FF715BB0000-0x00007FF715F04000-memory.dmp	upx
behavioral2/memory/1928-163-0x00007FF73E1D0000-0x00007FF73E524000-memory.dmp	upx
behavioral2/memory/3948-162-0x00007FF68E6F0000-0x00007FF68EA44000-memory.dmp	upx
behavioral2/memory/2500-161-0x00007FF630C00000-0x00007FF630F54000-memory.dmp	upx
behavioral2/files/0x000a000000023b8f-178.dat	upx
behavioral2/files/0x000a000000023b90-192.dat	upx
behavioral2/files/0x000a000000023b91-194.dat	upx
behavioral2/files/0x000a000000023b93-205.dat	upx
behavioral2/files/0x000a000000023b92-202.dat	upx
behavioral2/memory/2360-191-0x00007FF6E2300000-0x00007FF6E2654000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-187.dat	upx
behavioral2/files/0x000a000000023b8d-185.dat	upx
behavioral2/memory/2348-184-0x00007FF782E40000-0x00007FF783194000-memory.dmp	upx
behavioral2/memory/2612-183-0x00007FF7B0530000-0x00007FF7B0884000-memory.dmp	upx
behavioral2/memory/1600-180-0x00007FF758F20000-0x00007FF759274000-memory.dmp	upx
behavioral2/memory/3216-179-0x00007FF786B30000-0x00007FF786E84000-memory.dmp	upx
behavioral2/memory/3992-160-0x00007FF771BF0000-0x00007FF771F44000-memory.dmp	upx
behavioral2/memory/4460-158-0x00007FF6038B0000-0x00007FF603C04000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\mgNQxdX.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\btRRvsk.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EERrkcb.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MKcFHkp.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TAeyhlk.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IcJSelZ.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ySxmlqw.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\enVEvxu.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WQYiwir.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kYsSaYe.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QWkmlyt.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OYRWFVV.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YXfDknq.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gihFYIS.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rQSczKp.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cJkcKbo.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yrDkZzU.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DFNdyvw.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VKbGZlT.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ElfXgDQ.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NAyacQv.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qUMfuXn.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AcSxRqt.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QWWezgJ.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DJZjtmC.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NFfbsnW.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pSvpIrP.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kPTqqPU.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rKWwHzF.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YAlChWV.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rMxhYhf.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DxApaBW.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JDYtVCl.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lJtVGCA.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SpRzuJK.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BcUodTs.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\odotGcD.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iIiCJuN.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LWDTCnW.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Xkiahee.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AeDOlzv.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EMiAJsR.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ewSzXeV.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PAxVzcv.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jzPXTly.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UNbIdLF.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JutbETl.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VAWJzWl.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kzBRIRT.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OoMTpTs.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\miofWNV.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fijAKUX.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xAfigDA.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cUkuPPe.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vrzQozG.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qsAvEgp.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SMBZJFP.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LICltMV.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kABbgAL.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kBpGmoG.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VmixGoK.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YuIZOnh.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ANRYaUY.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QIYrBpk.exe	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1412605595-2147700071-3468511006-1000\{C02780D0-0544-48BF-8B1B-E363032F1713}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1412605595-2147700071-3468511006-1000\{D5C64F61-ED6C-4BCB-A5C6-8FFB9DEDB177}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1412605595-2147700071-3468511006-1000\{7EDD5BDC-7F66-4DF6-9F10-A37C0F684B01}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1412605595-2147700071-3468511006-1000\{A6C7AF58-FF36-443C-AA35-0E17DA0BF5AE}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1412605595-2147700071-3468511006-1000\{C5DE2C1A-5D0F-4B9F-AC5A-9ED64A0F3898}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	15324	explorer.exe
Token: SeCreatePagefilePrivilege	15324	explorer.exe
Token: SeShutdownPrivilege	15324	explorer.exe
Token: SeCreatePagefilePrivilege	15324	explorer.exe
Token: SeShutdownPrivilege	15324	explorer.exe
Token: SeCreatePagefilePrivilege	15324	explorer.exe
Token: SeShutdownPrivilege	15324	explorer.exe
Token: SeCreatePagefilePrivilege	15324	explorer.exe
Token: SeShutdownPrivilege	15324	explorer.exe
Token: SeCreatePagefilePrivilege	15324	explorer.exe
Token: SeShutdownPrivilege	15324	explorer.exe
Token: SeCreatePagefilePrivilege	15324	explorer.exe
Token: SeShutdownPrivilege	15324	explorer.exe
Token: SeCreatePagefilePrivilege	15324	explorer.exe
Token: SeShutdownPrivilege	15324	explorer.exe
Token: SeCreatePagefilePrivilege	15324	explorer.exe
Token: SeShutdownPrivilege	15324	explorer.exe
Token: SeCreatePagefilePrivilege	15324	explorer.exe
Token: SeShutdownPrivilege	15324	explorer.exe
Token: SeCreatePagefilePrivilege	15324	explorer.exe
Token: SeShutdownPrivilege	5368	explorer.exe
Token: SeCreatePagefilePrivilege	5368	explorer.exe
Token: SeShutdownPrivilege	5368	explorer.exe
Token: SeCreatePagefilePrivilege	5368	explorer.exe
Token: SeShutdownPrivilege	5368	explorer.exe
Token: SeCreatePagefilePrivilege	5368	explorer.exe
Token: SeShutdownPrivilege	5368	explorer.exe
Token: SeCreatePagefilePrivilege	5368	explorer.exe
Token: SeShutdownPrivilege	5368	explorer.exe
Token: SeCreatePagefilePrivilege	5368	explorer.exe
Token: SeShutdownPrivilege	5368	explorer.exe
Token: SeCreatePagefilePrivilege	5368	explorer.exe
Token: SeShutdownPrivilege	5368	explorer.exe
Token: SeCreatePagefilePrivilege	5368	explorer.exe
Token: SeShutdownPrivilege	5368	explorer.exe
Token: SeCreatePagefilePrivilege	5368	explorer.exe
Token: SeShutdownPrivilege	5368	explorer.exe
Token: SeCreatePagefilePrivilege	5368	explorer.exe
Token: SeShutdownPrivilege	5368	explorer.exe
Token: SeCreatePagefilePrivilege	5368	explorer.exe
Token: SeShutdownPrivilege	5368	explorer.exe
Token: SeCreatePagefilePrivilege	5368	explorer.exe
Token: SeShutdownPrivilege	7372	explorer.exe
Token: SeCreatePagefilePrivilege	7372	explorer.exe
Token: SeShutdownPrivilege	7372	explorer.exe
Token: SeCreatePagefilePrivilege	7372	explorer.exe
Token: SeShutdownPrivilege	7372	explorer.exe
Token: SeCreatePagefilePrivilege	7372	explorer.exe
Token: SeShutdownPrivilege	7372	explorer.exe
Token: SeCreatePagefilePrivilege	7372	explorer.exe
Token: SeShutdownPrivilege	7372	explorer.exe
Token: SeCreatePagefilePrivilege	7372	explorer.exe
Token: SeShutdownPrivilege	7372	explorer.exe
Token: SeCreatePagefilePrivilege	7372	explorer.exe
Token: SeShutdownPrivilege	7372	explorer.exe
Token: SeCreatePagefilePrivilege	7372	explorer.exe
Token: SeShutdownPrivilege	7372	explorer.exe
Token: SeCreatePagefilePrivilege	7372	explorer.exe
Token: SeShutdownPrivilege	7372	explorer.exe
Token: SeCreatePagefilePrivilege	7372	explorer.exe
Token: SeShutdownPrivilege	7372	explorer.exe
Token: SeCreatePagefilePrivilege	7372	explorer.exe
Token: SeShutdownPrivilege	7372	explorer.exe
Token: SeCreatePagefilePrivilege	7372	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
15168	sihost.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
15324	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
5368	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
7372	explorer.exe
10540	explorer.exe
10540	explorer.exe
10540	explorer.exe
10540	explorer.exe
10540	explorer.exe
10540	explorer.exe
10540	explorer.exe
10540	explorer.exe
10540	explorer.exe
10540	explorer.exe
10540	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5228	StartMenuExperienceHost.exe
6728	StartMenuExperienceHost.exe
7764	StartMenuExperienceHost.exe
7724	SearchApp.exe
756	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 3656	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4256 wrote to memory of 3656	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4256 wrote to memory of 4652	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4256 wrote to memory of 4652	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4256 wrote to memory of 4576	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4256 wrote to memory of 4576	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4256 wrote to memory of 2500	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4256 wrote to memory of 2500	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4256 wrote to memory of 5048	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4256 wrote to memory of 5048	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4256 wrote to memory of 3948	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4256 wrote to memory of 3948	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4256 wrote to memory of 3704	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4256 wrote to memory of 3704	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4256 wrote to memory of 1928	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4256 wrote to memory of 1928	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4256 wrote to memory of 3352	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4256 wrote to memory of 3352	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4256 wrote to memory of 3216	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4256 wrote to memory of 3216	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4256 wrote to memory of 1600	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4256 wrote to memory of 1600	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4256 wrote to memory of 720	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4256 wrote to memory of 720	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4256 wrote to memory of 3136	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4256 wrote to memory of 3136	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4256 wrote to memory of 3152	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4256 wrote to memory of 3152	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4256 wrote to memory of 2376	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4256 wrote to memory of 2376	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4256 wrote to memory of 4240	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4256 wrote to memory of 4240	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4256 wrote to memory of 2036	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4256 wrote to memory of 2036	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4256 wrote to memory of 3644	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4256 wrote to memory of 3644	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4256 wrote to memory of 2412	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4256 wrote to memory of 2412	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4256 wrote to memory of 4052	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4256 wrote to memory of 4052	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4256 wrote to memory of 4896	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4256 wrote to memory of 4896	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4256 wrote to memory of 628	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4256 wrote to memory of 628	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4256 wrote to memory of 4460	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4256 wrote to memory of 4460	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4256 wrote to memory of 1652	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4256 wrote to memory of 1652	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4256 wrote to memory of 1716	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4256 wrote to memory of 1716	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4256 wrote to memory of 3992	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 4256 wrote to memory of 3992	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 4256 wrote to memory of 2612	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 4256 wrote to memory of 2612	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 4256 wrote to memory of 2348	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 4256 wrote to memory of 2348	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 4256 wrote to memory of 2360	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 4256 wrote to memory of 2360	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 4256 wrote to memory of 1060	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 4256 wrote to memory of 1060	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 4256 wrote to memory of 2796	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 4256 wrote to memory of 2796	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 4256 wrote to memory of 4252	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 4256 wrote to memory of 4252	4256	2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe	116

C:\Users\Admin\AppData\Local\Temp\2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-31_5e08c240f61bf21310b6ec5b503c4711_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Windows\System\lvyRWYa.exe
  C:\Windows\System\lvyRWYa.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System\bDOrzEP.exe
  C:\Windows\System\bDOrzEP.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\YXfDknq.exe
  C:\Windows\System\YXfDknq.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\bPBoVXx.exe
  C:\Windows\System\bPBoVXx.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\JDYtVCl.exe
  C:\Windows\System\JDYtVCl.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\XrlEKig.exe
  C:\Windows\System\XrlEKig.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\sClAqEI.exe
  C:\Windows\System\sClAqEI.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System\tadoUKj.exe
  C:\Windows\System\tadoUKj.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\nQyAEuj.exe
  C:\Windows\System\nQyAEuj.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\KIjYmYU.exe
  C:\Windows\System\KIjYmYU.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System\fijAKUX.exe
  C:\Windows\System\fijAKUX.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\qUYYHOo.exe
  C:\Windows\System\qUYYHOo.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System\LJrUvaA.exe
  C:\Windows\System\LJrUvaA.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\QeadGRB.exe
  C:\Windows\System\QeadGRB.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\SIGTwMG.exe
  C:\Windows\System\SIGTwMG.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\oENfJDM.exe
  C:\Windows\System\oENfJDM.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System\NoXfDlL.exe
  C:\Windows\System\NoXfDlL.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\QzaIXKw.exe
  C:\Windows\System\QzaIXKw.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\pqeqcUn.exe
  C:\Windows\System\pqeqcUn.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\NupiCVe.exe
  C:\Windows\System\NupiCVe.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System\TKYTEeP.exe
  C:\Windows\System\TKYTEeP.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\RBRAQqX.exe
  C:\Windows\System\RBRAQqX.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\EznDYpL.exe
  C:\Windows\System\EznDYpL.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\ONYKAam.exe
  C:\Windows\System\ONYKAam.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\QFkDddX.exe
  C:\Windows\System\QFkDddX.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\PilcIjz.exe
  C:\Windows\System\PilcIjz.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\wfBUYdY.exe
  C:\Windows\System\wfBUYdY.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\KiHIpHR.exe
  C:\Windows\System\KiHIpHR.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\SGKzZkH.exe
  C:\Windows\System\SGKzZkH.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\nGsfEeV.exe
  C:\Windows\System\nGsfEeV.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\DtpxTWo.exe
  C:\Windows\System\DtpxTWo.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\hVUAXTz.exe
  C:\Windows\System\hVUAXTz.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System\rFkYPrV.exe
  C:\Windows\System\rFkYPrV.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\EMjjHph.exe
  C:\Windows\System\EMjjHph.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\ZRQCYGk.exe
  C:\Windows\System\ZRQCYGk.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\MYrnWfP.exe
  C:\Windows\System\MYrnWfP.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\sxQhsPK.exe
  C:\Windows\System\sxQhsPK.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System\tazaQDH.exe
  C:\Windows\System\tazaQDH.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\uSnfNvy.exe
  C:\Windows\System\uSnfNvy.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System\QdJGrwj.exe
  C:\Windows\System\QdJGrwj.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\WBonQZv.exe
  C:\Windows\System\WBonQZv.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System\FVAdtAJ.exe
  C:\Windows\System\FVAdtAJ.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\NHqyVMA.exe
  C:\Windows\System\NHqyVMA.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\BgUVeZk.exe
  C:\Windows\System\BgUVeZk.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\ukLImJj.exe
  C:\Windows\System\ukLImJj.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\uxgdTXR.exe
  C:\Windows\System\uxgdTXR.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System\zWPMcUL.exe
  C:\Windows\System\zWPMcUL.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\VjweXAo.exe
  C:\Windows\System\VjweXAo.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\tXDmTJk.exe
  C:\Windows\System\tXDmTJk.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\RhliUML.exe
  C:\Windows\System\RhliUML.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\qauQKdT.exe
  C:\Windows\System\qauQKdT.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\xAfigDA.exe
  C:\Windows\System\xAfigDA.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System\yjZnzFx.exe
  C:\Windows\System\yjZnzFx.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\eBdiiEt.exe
  C:\Windows\System\eBdiiEt.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\SOEtEXc.exe
  C:\Windows\System\SOEtEXc.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\tIvjEaX.exe
  C:\Windows\System\tIvjEaX.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\skgjTZr.exe
  C:\Windows\System\skgjTZr.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\dMoJjgb.exe
  C:\Windows\System\dMoJjgb.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\YuIZOnh.exe
  C:\Windows\System\YuIZOnh.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System\DjAyxQZ.exe
  C:\Windows\System\DjAyxQZ.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\dRQFtNO.exe
  C:\Windows\System\dRQFtNO.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\XlBpFzP.exe
  C:\Windows\System\XlBpFzP.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\vPxTGXo.exe
  C:\Windows\System\vPxTGXo.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\NqFSFXs.exe
  C:\Windows\System\NqFSFXs.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\glPMIMt.exe
  C:\Windows\System\glPMIMt.exe
  2⤵
  PID:3484
- C:\Windows\System\mgNQxdX.exe
  C:\Windows\System\mgNQxdX.exe
  2⤵
  PID:3960
- C:\Windows\System\OFuGsEl.exe
  C:\Windows\System\OFuGsEl.exe
  2⤵
  PID:4340
- C:\Windows\System\nmDbPCj.exe
  C:\Windows\System\nmDbPCj.exe
  2⤵
  PID:4836
- C:\Windows\System\vKoBBCh.exe
  C:\Windows\System\vKoBBCh.exe
  2⤵
  PID:2424
- C:\Windows\System\tyDVYWb.exe
  C:\Windows\System\tyDVYWb.exe
  2⤵
  PID:1872
- C:\Windows\System\xnvCfad.exe
  C:\Windows\System\xnvCfad.exe
  2⤵
  PID:4152
- C:\Windows\System\eHdALsY.exe
  C:\Windows\System\eHdALsY.exe
  2⤵
  PID:1896
- C:\Windows\System\riWFZLs.exe
  C:\Windows\System\riWFZLs.exe
  2⤵
  PID:376
- C:\Windows\System\naoRdWi.exe
  C:\Windows\System\naoRdWi.exe
  2⤵
  PID:400
- C:\Windows\System\SWQkxrL.exe
  C:\Windows\System\SWQkxrL.exe
  2⤵
  PID:3600
- C:\Windows\System\isdHrHA.exe
  C:\Windows\System\isdHrHA.exe
  2⤵
  PID:876
- C:\Windows\System\ahvNpbc.exe
  C:\Windows\System\ahvNpbc.exe
  2⤵
  PID:3868
- C:\Windows\System\qgKTxJW.exe
  C:\Windows\System\qgKTxJW.exe
  2⤵
  PID:1608
- C:\Windows\System\YoNdyRz.exe
  C:\Windows\System\YoNdyRz.exe
  2⤵
  PID:1748
- C:\Windows\System\kJyDJdN.exe
  C:\Windows\System\kJyDJdN.exe
  2⤵
  PID:4952
- C:\Windows\System\WGEFCpQ.exe
  C:\Windows\System\WGEFCpQ.exe
  2⤵
  PID:3532
- C:\Windows\System\wwvIGHc.exe
  C:\Windows\System\wwvIGHc.exe
  2⤵
  PID:1596
- C:\Windows\System\SOECpjd.exe
  C:\Windows\System\SOECpjd.exe
  2⤵
  PID:4352
- C:\Windows\System\JGpKgGw.exe
  C:\Windows\System\JGpKgGw.exe
  2⤵
  PID:3500
- C:\Windows\System\GXcNTNW.exe
  C:\Windows\System\GXcNTNW.exe
  2⤵
  PID:1212
- C:\Windows\System\ewSzXeV.exe
  C:\Windows\System\ewSzXeV.exe
  2⤵
  PID:1488
- C:\Windows\System\ysldAwf.exe
  C:\Windows\System\ysldAwf.exe
  2⤵
  PID:2460
- C:\Windows\System\waKZqIM.exe
  C:\Windows\System\waKZqIM.exe
  2⤵
  PID:3884
- C:\Windows\System\sklHEuT.exe
  C:\Windows\System\sklHEuT.exe
  2⤵
  PID:2732
- C:\Windows\System\PIxOAem.exe
  C:\Windows\System\PIxOAem.exe
  2⤵
  PID:3000
- C:\Windows\System\msRJYZm.exe
  C:\Windows\System\msRJYZm.exe
  2⤵
  PID:4040
- C:\Windows\System\KylKnwo.exe
  C:\Windows\System\KylKnwo.exe
  2⤵
  PID:3008
- C:\Windows\System\vRwSryT.exe
  C:\Windows\System\vRwSryT.exe
  2⤵
  PID:3336
- C:\Windows\System\BcYfiZo.exe
  C:\Windows\System\BcYfiZo.exe
  2⤵
  PID:5132
- C:\Windows\System\kPTqqPU.exe
  C:\Windows\System\kPTqqPU.exe
  2⤵
  PID:5156
- C:\Windows\System\hRppOhP.exe
  C:\Windows\System\hRppOhP.exe
  2⤵
  PID:5188
- C:\Windows\System\uvtKGAG.exe
  C:\Windows\System\uvtKGAG.exe
  2⤵
  PID:5216
- C:\Windows\System\EHnHvQA.exe
  C:\Windows\System\EHnHvQA.exe
  2⤵
  PID:5244
- C:\Windows\System\HYUsqUW.exe
  C:\Windows\System\HYUsqUW.exe
  2⤵
  PID:5272
- C:\Windows\System\cjakFLP.exe
  C:\Windows\System\cjakFLP.exe
  2⤵
  PID:5304
- C:\Windows\System\CzDDAfK.exe
  C:\Windows\System\CzDDAfK.exe
  2⤵
  PID:5332
- C:\Windows\System\btRRvsk.exe
  C:\Windows\System\btRRvsk.exe
  2⤵
  PID:5360
- C:\Windows\System\eVPRFAL.exe
  C:\Windows\System\eVPRFAL.exe
  2⤵
  PID:5384
- C:\Windows\System\qCfiMEH.exe
  C:\Windows\System\qCfiMEH.exe
  2⤵
  PID:5416
- C:\Windows\System\YendXJg.exe
  C:\Windows\System\YendXJg.exe
  2⤵
  PID:5444
- C:\Windows\System\WaREkRb.exe
  C:\Windows\System\WaREkRb.exe
  2⤵
  PID:5476
- C:\Windows\System\rKWwHzF.exe
  C:\Windows\System\rKWwHzF.exe
  2⤵
  PID:5504
- C:\Windows\System\fuzcdlI.exe
  C:\Windows\System\fuzcdlI.exe
  2⤵
  PID:5532
- C:\Windows\System\vxdMiIN.exe
  C:\Windows\System\vxdMiIN.exe
  2⤵
  PID:5560
- C:\Windows\System\auPblSB.exe
  C:\Windows\System\auPblSB.exe
  2⤵
  PID:5588
- C:\Windows\System\kZjpPqe.exe
  C:\Windows\System\kZjpPqe.exe
  2⤵
  PID:5616
- C:\Windows\System\wepnbit.exe
  C:\Windows\System\wepnbit.exe
  2⤵
  PID:5644
- C:\Windows\System\nIoGwtz.exe
  C:\Windows\System\nIoGwtz.exe
  2⤵
  PID:5672
- C:\Windows\System\yrXdhjK.exe
  C:\Windows\System\yrXdhjK.exe
  2⤵
  PID:5700
- C:\Windows\System\BaSPZZg.exe
  C:\Windows\System\BaSPZZg.exe
  2⤵
  PID:5732
- C:\Windows\System\OcvkCob.exe
  C:\Windows\System\OcvkCob.exe
  2⤵
  PID:5760
- C:\Windows\System\ADxqiIQ.exe
  C:\Windows\System\ADxqiIQ.exe
  2⤵
  PID:5788
- C:\Windows\System\HzfPXgL.exe
  C:\Windows\System\HzfPXgL.exe
  2⤵
  PID:5816
- C:\Windows\System\yJUjLtz.exe
  C:\Windows\System\yJUjLtz.exe
  2⤵
  PID:5844
- C:\Windows\System\ctaJcmX.exe
  C:\Windows\System\ctaJcmX.exe
  2⤵
  PID:5872
- C:\Windows\System\qsTsBZT.exe
  C:\Windows\System\qsTsBZT.exe
  2⤵
  PID:5900
- C:\Windows\System\EdbLWyq.exe
  C:\Windows\System\EdbLWyq.exe
  2⤵
  PID:5932
- C:\Windows\System\WBbLSqk.exe
  C:\Windows\System\WBbLSqk.exe
  2⤵
  PID:5952
- C:\Windows\System\RFksLkY.exe
  C:\Windows\System\RFksLkY.exe
  2⤵
  PID:5980
- C:\Windows\System\TWIkhol.exe
  C:\Windows\System\TWIkhol.exe
  2⤵
  PID:6008
- C:\Windows\System\kBkmimu.exe
  C:\Windows\System\kBkmimu.exe
  2⤵
  PID:6032
- C:\Windows\System\XlcanZM.exe
  C:\Windows\System\XlcanZM.exe
  2⤵
  PID:6076
- C:\Windows\System\pZhtwoV.exe
  C:\Windows\System\pZhtwoV.exe
  2⤵
  PID:6104
- C:\Windows\System\OnFkcHv.exe
  C:\Windows\System\OnFkcHv.exe
  2⤵
  PID:6132
- C:\Windows\System\bbTUUyM.exe
  C:\Windows\System\bbTUUyM.exe
  2⤵
  PID:5164
- C:\Windows\System\ZpEUPrS.exe
  C:\Windows\System\ZpEUPrS.exe
  2⤵
  PID:5224
- C:\Windows\System\TRzHLXk.exe
  C:\Windows\System\TRzHLXk.exe
  2⤵
  PID:184
- C:\Windows\System\wuuIAmi.exe
  C:\Windows\System\wuuIAmi.exe
  2⤵
  PID:1772
- C:\Windows\System\rVKWAop.exe
  C:\Windows\System\rVKWAop.exe
  2⤵
  PID:3660
- C:\Windows\System\LgJFXvh.exe
  C:\Windows\System\LgJFXvh.exe
  2⤵
  PID:516
- C:\Windows\System\gaVXlFb.exe
  C:\Windows\System\gaVXlFb.exe
  2⤵
  PID:5284
- C:\Windows\System\fpkrTqB.exe
  C:\Windows\System\fpkrTqB.exe
  2⤵
  PID:5340
- C:\Windows\System\KtwKjAw.exe
  C:\Windows\System\KtwKjAw.exe
  2⤵
  PID:5312
- C:\Windows\System\EvUsMpt.exe
  C:\Windows\System\EvUsMpt.exe
  2⤵
  PID:5456
- C:\Windows\System\eVHqeZQ.exe
  C:\Windows\System\eVHqeZQ.exe
  2⤵
  PID:5528
- C:\Windows\System\MnrJvIG.exe
  C:\Windows\System\MnrJvIG.exe
  2⤵
  PID:5584
- C:\Windows\System\dSDRTCa.exe
  C:\Windows\System\dSDRTCa.exe
  2⤵
  PID:5652
- C:\Windows\System\FjRQCvY.exe
  C:\Windows\System\FjRQCvY.exe
  2⤵
  PID:5728
- C:\Windows\System\mPFWwjy.exe
  C:\Windows\System\mPFWwjy.exe
  2⤵
  PID:5784
- C:\Windows\System\gjtLoWM.exe
  C:\Windows\System\gjtLoWM.exe
  2⤵
  PID:5824
- C:\Windows\System\uimrpQl.exe
  C:\Windows\System\uimrpQl.exe
  2⤵
  PID:5888
- C:\Windows\System\xrOsHJU.exe
  C:\Windows\System\xrOsHJU.exe
  2⤵
  PID:5940
- C:\Windows\System\SqRGwYp.exe
  C:\Windows\System\SqRGwYp.exe
  2⤵
  PID:5948
- C:\Windows\System\HKLqhnL.exe
  C:\Windows\System\HKLqhnL.exe
  2⤵
  PID:6056
- C:\Windows\System\fJYmJbV.exe
  C:\Windows\System\fJYmJbV.exe
  2⤵
  PID:2624
- C:\Windows\System\AtLviFl.exe
  C:\Windows\System\AtLviFl.exe
  2⤵
  PID:3676
- C:\Windows\System\wgTXVCq.exe
  C:\Windows\System\wgTXVCq.exe
  2⤵
  PID:1968
- C:\Windows\System\ouTJOpK.exe
  C:\Windows\System\ouTJOpK.exe
  2⤵
  PID:5372
- C:\Windows\System\dsRWHlC.exe
  C:\Windows\System\dsRWHlC.exe
  2⤵
  PID:5500
- C:\Windows\System\iOLkcYm.exe
  C:\Windows\System\iOLkcYm.exe
  2⤵
  PID:5668
- C:\Windows\System\vrzQozG.exe
  C:\Windows\System\vrzQozG.exe
  2⤵
  PID:5804
- C:\Windows\System\SSeFZXh.exe
  C:\Windows\System\SSeFZXh.exe
  2⤵
  PID:6040
- C:\Windows\System\kWaMqzn.exe
  C:\Windows\System\kWaMqzn.exe
  2⤵
  PID:6112
- C:\Windows\System\oZHTYVu.exe
  C:\Windows\System\oZHTYVu.exe
  2⤵
  PID:4900
- C:\Windows\System\EStilGQ.exe
  C:\Windows\System\EStilGQ.exe
  2⤵
  PID:5492
- C:\Windows\System\FdIkzft.exe
  C:\Windows\System\FdIkzft.exe
  2⤵
  PID:5756
- C:\Windows\System\qPXDULv.exe
  C:\Windows\System\qPXDULv.exe
  2⤵
  PID:5148
- C:\Windows\System\sJDNDKF.exe
  C:\Windows\System\sJDNDKF.exe
  2⤵
  PID:5612
- C:\Windows\System\nBOmmZe.exe
  C:\Windows\System\nBOmmZe.exe
  2⤵
  PID:5404
- C:\Windows\System\tfFHLuM.exe
  C:\Windows\System\tfFHLuM.exe
  2⤵
  PID:6152
- C:\Windows\System\qoBwgmo.exe
  C:\Windows\System\qoBwgmo.exe
  2⤵
  PID:6180
- C:\Windows\System\eQUNczr.exe
  C:\Windows\System\eQUNczr.exe
  2⤵
  PID:6208
- C:\Windows\System\hyYYYQM.exe
  C:\Windows\System\hyYYYQM.exe
  2⤵
  PID:6232
- C:\Windows\System\SSwDhOw.exe
  C:\Windows\System\SSwDhOw.exe
  2⤵
  PID:6252
- C:\Windows\System\oAZCrvy.exe
  C:\Windows\System\oAZCrvy.exe
  2⤵
  PID:6272
- C:\Windows\System\kudsSpM.exe
  C:\Windows\System\kudsSpM.exe
  2⤵
  PID:6312
- C:\Windows\System\qUMfuXn.exe
  C:\Windows\System\qUMfuXn.exe
  2⤵
  PID:6348
- C:\Windows\System\BQWLyzl.exe
  C:\Windows\System\BQWLyzl.exe
  2⤵
  PID:6376
- C:\Windows\System\jSHhWCh.exe
  C:\Windows\System\jSHhWCh.exe
  2⤵
  PID:6404
- C:\Windows\System\xELKUxE.exe
  C:\Windows\System\xELKUxE.exe
  2⤵
  PID:6436
- C:\Windows\System\dgwbSMM.exe
  C:\Windows\System\dgwbSMM.exe
  2⤵
  PID:6460
- C:\Windows\System\FVyzOkM.exe
  C:\Windows\System\FVyzOkM.exe
  2⤵
  PID:6488
- C:\Windows\System\ZmgEKmC.exe
  C:\Windows\System\ZmgEKmC.exe
  2⤵
  PID:6516
- C:\Windows\System\VEpptNF.exe
  C:\Windows\System\VEpptNF.exe
  2⤵
  PID:6548
- C:\Windows\System\GQEqLXW.exe
  C:\Windows\System\GQEqLXW.exe
  2⤵
  PID:6576
- C:\Windows\System\UNbIdLF.exe
  C:\Windows\System\UNbIdLF.exe
  2⤵
  PID:6604
- C:\Windows\System\AcSxRqt.exe
  C:\Windows\System\AcSxRqt.exe
  2⤵
  PID:6628
- C:\Windows\System\OcCpgYS.exe
  C:\Windows\System\OcCpgYS.exe
  2⤵
  PID:6660
- C:\Windows\System\dwRelhU.exe
  C:\Windows\System\dwRelhU.exe
  2⤵
  PID:6688
- C:\Windows\System\sYXhZzS.exe
  C:\Windows\System\sYXhZzS.exe
  2⤵
  PID:6712
- C:\Windows\System\RwWNGVL.exe
  C:\Windows\System\RwWNGVL.exe
  2⤵
  PID:6740
- C:\Windows\System\VOhPuVs.exe
  C:\Windows\System\VOhPuVs.exe
  2⤵
  PID:6772
- C:\Windows\System\bflSHOi.exe
  C:\Windows\System\bflSHOi.exe
  2⤵
  PID:6800
- C:\Windows\System\wffpRPa.exe
  C:\Windows\System\wffpRPa.exe
  2⤵
  PID:6828
- C:\Windows\System\sFEnReo.exe
  C:\Windows\System\sFEnReo.exe
  2⤵
  PID:6848
- C:\Windows\System\HfQZBLo.exe
  C:\Windows\System\HfQZBLo.exe
  2⤵
  PID:6884
- C:\Windows\System\HoxnbxS.exe
  C:\Windows\System\HoxnbxS.exe
  2⤵
  PID:6900
- C:\Windows\System\lJtVGCA.exe
  C:\Windows\System\lJtVGCA.exe
  2⤵
  PID:6932
- C:\Windows\System\GwUDTze.exe
  C:\Windows\System\GwUDTze.exe
  2⤵
  PID:6964
- C:\Windows\System\PqUMvzT.exe
  C:\Windows\System\PqUMvzT.exe
  2⤵
  PID:6996
- C:\Windows\System\iLHPyBB.exe
  C:\Windows\System\iLHPyBB.exe
  2⤵
  PID:7020
- C:\Windows\System\PRgeAFc.exe
  C:\Windows\System\PRgeAFc.exe
  2⤵
  PID:7056
- C:\Windows\System\OMyEaLj.exe
  C:\Windows\System\OMyEaLj.exe
  2⤵
  PID:7080
- C:\Windows\System\FIxhIME.exe
  C:\Windows\System\FIxhIME.exe
  2⤵
  PID:7112
- C:\Windows\System\ounQwDG.exe
  C:\Windows\System\ounQwDG.exe
  2⤵
  PID:7136
- C:\Windows\System\rnyqAKd.exe
  C:\Windows\System\rnyqAKd.exe
  2⤵
  PID:7164
- C:\Windows\System\LXItSRM.exe
  C:\Windows\System\LXItSRM.exe
  2⤵
  PID:6204
- C:\Windows\System\syXJTLh.exe
  C:\Windows\System\syXJTLh.exe
  2⤵
  PID:6284
- C:\Windows\System\TduJaae.exe
  C:\Windows\System\TduJaae.exe
  2⤵
  PID:6332
- C:\Windows\System\PyKzRpA.exe
  C:\Windows\System\PyKzRpA.exe
  2⤵
  PID:6412
- C:\Windows\System\LkRAKxF.exe
  C:\Windows\System\LkRAKxF.exe
  2⤵
  PID:6468
- C:\Windows\System\iZansHA.exe
  C:\Windows\System\iZansHA.exe
  2⤵
  PID:6528
- C:\Windows\System\qsAvEgp.exe
  C:\Windows\System\qsAvEgp.exe
  2⤵
  PID:6600
- C:\Windows\System\WQYiwir.exe
  C:\Windows\System\WQYiwir.exe
  2⤵
  PID:6668
- C:\Windows\System\PfpUEAv.exe
  C:\Windows\System\PfpUEAv.exe
  2⤵
  PID:6768
- C:\Windows\System\DFCRESs.exe
  C:\Windows\System\DFCRESs.exe
  2⤵
  PID:6896
- C:\Windows\System\DBLqhHO.exe
  C:\Windows\System\DBLqhHO.exe
  2⤵
  PID:6956
- C:\Windows\System\LPJZQuI.exe
  C:\Windows\System\LPJZQuI.exe
  2⤵
  PID:7032
- C:\Windows\System\dnvOYFo.exe
  C:\Windows\System\dnvOYFo.exe
  2⤵
  PID:6220
- C:\Windows\System\SdTySjz.exe
  C:\Windows\System\SdTySjz.exe
  2⤵
  PID:6640
- C:\Windows\System\GvgHUPi.exe
  C:\Windows\System\GvgHUPi.exe
  2⤵
  PID:6676
- C:\Windows\System\YAlChWV.exe
  C:\Windows\System\YAlChWV.exe
  2⤵
  PID:6940
- C:\Windows\System\ZmnMrXT.exe
  C:\Windows\System\ZmnMrXT.exe
  2⤵
  PID:6160
- C:\Windows\System\hpBFkae.exe
  C:\Windows\System\hpBFkae.exe
  2⤵
  PID:7004
- C:\Windows\System\TzbvbUA.exe
  C:\Windows\System\TzbvbUA.exe
  2⤵
  PID:7044
- C:\Windows\System\ctalrzE.exe
  C:\Windows\System\ctalrzE.exe
  2⤵
  PID:7172
- C:\Windows\System\yssmIWl.exe
  C:\Windows\System\yssmIWl.exe
  2⤵
  PID:7208
- C:\Windows\System\AePsDsU.exe
  C:\Windows\System\AePsDsU.exe
  2⤵
  PID:7236
- C:\Windows\System\dNREQWa.exe
  C:\Windows\System\dNREQWa.exe
  2⤵
  PID:7272
- C:\Windows\System\wHAbGUY.exe
  C:\Windows\System\wHAbGUY.exe
  2⤵
  PID:7320
- C:\Windows\System\SMBZJFP.exe
  C:\Windows\System\SMBZJFP.exe
  2⤵
  PID:7348
- C:\Windows\System\fPedRLB.exe
  C:\Windows\System\fPedRLB.exe
  2⤵
  PID:7380
- C:\Windows\System\zPblqQo.exe
  C:\Windows\System\zPblqQo.exe
  2⤵
  PID:7412
- C:\Windows\System\fUWCvyL.exe
  C:\Windows\System\fUWCvyL.exe
  2⤵
  PID:7436
- C:\Windows\System\cWtgrSr.exe
  C:\Windows\System\cWtgrSr.exe
  2⤵
  PID:7472
- C:\Windows\System\iSjhsrp.exe
  C:\Windows\System\iSjhsrp.exe
  2⤵
  PID:7500
- C:\Windows\System\OfFddHK.exe
  C:\Windows\System\OfFddHK.exe
  2⤵
  PID:7528
- C:\Windows\System\UGNOlpD.exe
  C:\Windows\System\UGNOlpD.exe
  2⤵
  PID:7560
- C:\Windows\System\gccqiUD.exe
  C:\Windows\System\gccqiUD.exe
  2⤵
  PID:7584
- C:\Windows\System\jwkvhyn.exe
  C:\Windows\System\jwkvhyn.exe
  2⤵
  PID:7616
- C:\Windows\System\oieTSWN.exe
  C:\Windows\System\oieTSWN.exe
  2⤵
  PID:7644
- C:\Windows\System\qYCVOKW.exe
  C:\Windows\System\qYCVOKW.exe
  2⤵
  PID:7668
- C:\Windows\System\vBrwxvX.exe
  C:\Windows\System\vBrwxvX.exe
  2⤵
  PID:7696
- C:\Windows\System\nyxkjuq.exe
  C:\Windows\System\nyxkjuq.exe
  2⤵
  PID:7728
- C:\Windows\System\FPCaiRj.exe
  C:\Windows\System\FPCaiRj.exe
  2⤵
  PID:7752
- C:\Windows\System\raNYjYE.exe
  C:\Windows\System\raNYjYE.exe
  2⤵
  PID:7780
- C:\Windows\System\jPBYvgS.exe
  C:\Windows\System\jPBYvgS.exe
  2⤵
  PID:7812
- C:\Windows\System\nvbxVwg.exe
  C:\Windows\System\nvbxVwg.exe
  2⤵
  PID:7836
- C:\Windows\System\zPCVigU.exe
  C:\Windows\System\zPCVigU.exe
  2⤵
  PID:7864
- C:\Windows\System\fkJpnxH.exe
  C:\Windows\System\fkJpnxH.exe
  2⤵
  PID:7884
- C:\Windows\System\SpRzuJK.exe
  C:\Windows\System\SpRzuJK.exe
  2⤵
  PID:7912
- C:\Windows\System\GagNrpz.exe
  C:\Windows\System\GagNrpz.exe
  2⤵
  PID:7948
- C:\Windows\System\AFrBCcz.exe
  C:\Windows\System\AFrBCcz.exe
  2⤵
  PID:7968
- C:\Windows\System\uUtLQKk.exe
  C:\Windows\System\uUtLQKk.exe
  2⤵
  PID:7996
- C:\Windows\System\ghkQqjB.exe
  C:\Windows\System\ghkQqjB.exe
  2⤵
  PID:8024
- C:\Windows\System\GseeCUh.exe
  C:\Windows\System\GseeCUh.exe
  2⤵
  PID:8052
- C:\Windows\System\yhTpBtT.exe
  C:\Windows\System\yhTpBtT.exe
  2⤵
  PID:8084
- C:\Windows\System\SzZVRNH.exe
  C:\Windows\System\SzZVRNH.exe
  2⤵
  PID:8116
- C:\Windows\System\BoBViMq.exe
  C:\Windows\System\BoBViMq.exe
  2⤵
  PID:8144
- C:\Windows\System\fwEFGUs.exe
  C:\Windows\System\fwEFGUs.exe
  2⤵
  PID:8172
- C:\Windows\System\nSxTaZB.exe
  C:\Windows\System\nSxTaZB.exe
  2⤵
  PID:4024
- C:\Windows\System\IDVnbss.exe
  C:\Windows\System\IDVnbss.exe
  2⤵
  PID:7244
- C:\Windows\System\vbQhmLJ.exe
  C:\Windows\System\vbQhmLJ.exe
  2⤵
  PID:7308
- C:\Windows\System\zxEDjCm.exe
  C:\Windows\System\zxEDjCm.exe
  2⤵
  PID:7248
- C:\Windows\System\SFxISdg.exe
  C:\Windows\System\SFxISdg.exe
  2⤵
  PID:6612
- C:\Windows\System\vdBGgAI.exe
  C:\Windows\System\vdBGgAI.exe
  2⤵
  PID:7420
- C:\Windows\System\QGjmmQU.exe
  C:\Windows\System\QGjmmQU.exe
  2⤵
  PID:7484
- C:\Windows\System\wECFQUC.exe
  C:\Windows\System\wECFQUC.exe
  2⤵
  PID:7552
- C:\Windows\System\PAxVzcv.exe
  C:\Windows\System\PAxVzcv.exe
  2⤵
  PID:7612
- C:\Windows\System\ksCdzQT.exe
  C:\Windows\System\ksCdzQT.exe
  2⤵
  PID:7680
- C:\Windows\System\TyGeNSZ.exe
  C:\Windows\System\TyGeNSZ.exe
  2⤵
  PID:7744
- C:\Windows\System\eXBuygl.exe
  C:\Windows\System\eXBuygl.exe
  2⤵
  PID:7800
- C:\Windows\System\bNLqNAg.exe
  C:\Windows\System\bNLqNAg.exe
  2⤵
  PID:7872
- C:\Windows\System\BDsobNk.exe
  C:\Windows\System\BDsobNk.exe
  2⤵
  PID:7936
- C:\Windows\System\CdFTstc.exe
  C:\Windows\System\CdFTstc.exe
  2⤵
  PID:7992
- C:\Windows\System\YjMrFdv.exe
  C:\Windows\System\YjMrFdv.exe
  2⤵
  PID:8064
- C:\Windows\System\tJerdWB.exe
  C:\Windows\System\tJerdWB.exe
  2⤵
  PID:8140
- C:\Windows\System\sEXBVyR.exe
  C:\Windows\System\sEXBVyR.exe
  2⤵
  PID:612
- C:\Windows\System\BhbEfgz.exe
  C:\Windows\System\BhbEfgz.exe
  2⤵
  PID:7292
- C:\Windows\System\mCuBGnZ.exe
  C:\Windows\System\mCuBGnZ.exe
  2⤵
  PID:7392
- C:\Windows\System\kESHBNx.exe
  C:\Windows\System\kESHBNx.exe
  2⤵
  PID:7536
- C:\Windows\System\oRvnTku.exe
  C:\Windows\System\oRvnTku.exe
  2⤵
  PID:7632
- C:\Windows\System\KEcbWyr.exe
  C:\Windows\System\KEcbWyr.exe
  2⤵
  PID:7772
- C:\Windows\System\VhQZNTp.exe
  C:\Windows\System\VhQZNTp.exe
  2⤵
  PID:7908
- C:\Windows\System\SVrKTMH.exe
  C:\Windows\System\SVrKTMH.exe
  2⤵
  PID:8168
- C:\Windows\System\xBdJCwn.exe
  C:\Windows\System\xBdJCwn.exe
  2⤵
  PID:7360
- C:\Windows\System\vFcZHhN.exe
  C:\Windows\System\vFcZHhN.exe
  2⤵
  PID:7736
- C:\Windows\System\JfCFUVj.exe
  C:\Windows\System\JfCFUVj.exe
  2⤵
  PID:8124
- C:\Windows\System\YeryYmM.exe
  C:\Windows\System\YeryYmM.exe
  2⤵
  PID:7216
- C:\Windows\System\rVKJxDg.exe
  C:\Windows\System\rVKJxDg.exe
  2⤵
  PID:6836
- C:\Windows\System\JdwxILq.exe
  C:\Windows\System\JdwxILq.exe
  2⤵
  PID:8020
- C:\Windows\System\xnsPRWc.exe
  C:\Windows\System\xnsPRWc.exe
  2⤵
  PID:6796
- C:\Windows\System\UNgCDih.exe
  C:\Windows\System\UNgCDih.exe
  2⤵
  PID:6788
- C:\Windows\System\vQFrcCS.exe
  C:\Windows\System\vQFrcCS.exe
  2⤵
  PID:8212
- C:\Windows\System\cETSCvF.exe
  C:\Windows\System\cETSCvF.exe
  2⤵
  PID:8244
- C:\Windows\System\AObLbQf.exe
  C:\Windows\System\AObLbQf.exe
  2⤵
  PID:8272
- C:\Windows\System\vpZETRp.exe
  C:\Windows\System\vpZETRp.exe
  2⤵
  PID:8300
- C:\Windows\System\PfrPDJf.exe
  C:\Windows\System\PfrPDJf.exe
  2⤵
  PID:8324
- C:\Windows\System\awDZlAR.exe
  C:\Windows\System\awDZlAR.exe
  2⤵
  PID:8360
- C:\Windows\System\azmtLWf.exe
  C:\Windows\System\azmtLWf.exe
  2⤵
  PID:8384
- C:\Windows\System\GGEASeZ.exe
  C:\Windows\System\GGEASeZ.exe
  2⤵
  PID:8408
- C:\Windows\System\qJfifmO.exe
  C:\Windows\System\qJfifmO.exe
  2⤵
  PID:8436
- C:\Windows\System\nSaxRwc.exe
  C:\Windows\System\nSaxRwc.exe
  2⤵
  PID:8464
- C:\Windows\System\UwxdMgQ.exe
  C:\Windows\System\UwxdMgQ.exe
  2⤵
  PID:8500
- C:\Windows\System\nsRgjXH.exe
  C:\Windows\System\nsRgjXH.exe
  2⤵
  PID:8524
- C:\Windows\System\hFWhSgV.exe
  C:\Windows\System\hFWhSgV.exe
  2⤵
  PID:8548
- C:\Windows\System\AEJAlOF.exe
  C:\Windows\System\AEJAlOF.exe
  2⤵
  PID:8576
- C:\Windows\System\sgfuNFm.exe
  C:\Windows\System\sgfuNFm.exe
  2⤵
  PID:8604
- C:\Windows\System\XHgzXKP.exe
  C:\Windows\System\XHgzXKP.exe
  2⤵
  PID:8632
- C:\Windows\System\xWOKWVs.exe
  C:\Windows\System\xWOKWVs.exe
  2⤵
  PID:8660
- C:\Windows\System\KiQQwuw.exe
  C:\Windows\System\KiQQwuw.exe
  2⤵
  PID:8688
- C:\Windows\System\IocERTv.exe
  C:\Windows\System\IocERTv.exe
  2⤵
  PID:8716
- C:\Windows\System\cOlZruN.exe
  C:\Windows\System\cOlZruN.exe
  2⤵
  PID:8744
- C:\Windows\System\vlKkmHa.exe
  C:\Windows\System\vlKkmHa.exe
  2⤵
  PID:8772
- C:\Windows\System\HSWmBPu.exe
  C:\Windows\System\HSWmBPu.exe
  2⤵
  PID:8800
- C:\Windows\System\ubMMwUo.exe
  C:\Windows\System\ubMMwUo.exe
  2⤵
  PID:8828
- C:\Windows\System\pLAYynS.exe
  C:\Windows\System\pLAYynS.exe
  2⤵
  PID:8856
- C:\Windows\System\RPfCMPt.exe
  C:\Windows\System\RPfCMPt.exe
  2⤵
  PID:8884
- C:\Windows\System\RPdLCIP.exe
  C:\Windows\System\RPdLCIP.exe
  2⤵
  PID:8912
- C:\Windows\System\acPDeer.exe
  C:\Windows\System\acPDeer.exe
  2⤵
  PID:8940
- C:\Windows\System\JLHdZuf.exe
  C:\Windows\System\JLHdZuf.exe
  2⤵
  PID:8968
- C:\Windows\System\OQeUdHq.exe
  C:\Windows\System\OQeUdHq.exe
  2⤵
  PID:9000
- C:\Windows\System\uvQAuor.exe
  C:\Windows\System\uvQAuor.exe
  2⤵
  PID:9028
- C:\Windows\System\AdCtNiS.exe
  C:\Windows\System\AdCtNiS.exe
  2⤵
  PID:9056
- C:\Windows\System\hBfmhlM.exe
  C:\Windows\System\hBfmhlM.exe
  2⤵
  PID:9084
- C:\Windows\System\AIvJVLA.exe
  C:\Windows\System\AIvJVLA.exe
  2⤵
  PID:9112
- C:\Windows\System\mHTxiTV.exe
  C:\Windows\System\mHTxiTV.exe
  2⤵
  PID:9140
- C:\Windows\System\JKzpKhm.exe
  C:\Windows\System\JKzpKhm.exe
  2⤵
  PID:9168
- C:\Windows\System\mvfuBDD.exe
  C:\Windows\System\mvfuBDD.exe
  2⤵
  PID:9196
- C:\Windows\System\CqdtgDo.exe
  C:\Windows\System\CqdtgDo.exe
  2⤵
  PID:8208
- C:\Windows\System\jAZZkWo.exe
  C:\Windows\System\jAZZkWo.exe
  2⤵
  PID:8280
- C:\Windows\System\SQXaiRs.exe
  C:\Windows\System\SQXaiRs.exe
  2⤵
  PID:8344
- C:\Windows\System\wwakuck.exe
  C:\Windows\System\wwakuck.exe
  2⤵
  PID:8404
- C:\Windows\System\ohrhcPu.exe
  C:\Windows\System\ohrhcPu.exe
  2⤵
  PID:8476
- C:\Windows\System\pGgecff.exe
  C:\Windows\System\pGgecff.exe
  2⤵
  PID:8540
- C:\Windows\System\GeeVVpe.exe
  C:\Windows\System\GeeVVpe.exe
  2⤵
  PID:8600
- C:\Windows\System\AYIrZLl.exe
  C:\Windows\System\AYIrZLl.exe
  2⤵
  PID:8672
- C:\Windows\System\dOxzVdt.exe
  C:\Windows\System\dOxzVdt.exe
  2⤵
  PID:8736
- C:\Windows\System\JutbETl.exe
  C:\Windows\System\JutbETl.exe
  2⤵
  PID:8792
- C:\Windows\System\ZBHETBF.exe
  C:\Windows\System\ZBHETBF.exe
  2⤵
  PID:8852
- C:\Windows\System\SZPBhSu.exe
  C:\Windows\System\SZPBhSu.exe
  2⤵
  PID:8924
- C:\Windows\System\uoIyxRO.exe
  C:\Windows\System\uoIyxRO.exe
  2⤵
  PID:8992
- C:\Windows\System\qsYbnYr.exe
  C:\Windows\System\qsYbnYr.exe
  2⤵
  PID:9052
- C:\Windows\System\EERrkcb.exe
  C:\Windows\System\EERrkcb.exe
  2⤵
  PID:9124
- C:\Windows\System\FzJpEwf.exe
  C:\Windows\System\FzJpEwf.exe
  2⤵
  PID:9188
- C:\Windows\System\QFMzCBi.exe
  C:\Windows\System\QFMzCBi.exe
  2⤵
  PID:8264
- C:\Windows\System\ANRYaUY.exe
  C:\Windows\System\ANRYaUY.exe
  2⤵
  PID:8432
- C:\Windows\System\LICltMV.exe
  C:\Windows\System\LICltMV.exe
  2⤵
  PID:8652
- C:\Windows\System\gkKPpRp.exe
  C:\Windows\System\gkKPpRp.exe
  2⤵
  PID:7052
- C:\Windows\System\FmjEWEj.exe
  C:\Windows\System\FmjEWEj.exe
  2⤵
  PID:8988
- C:\Windows\System\zaVxviQ.exe
  C:\Windows\System\zaVxviQ.exe
  2⤵
  PID:9040
- C:\Windows\System\kNicMHa.exe
  C:\Windows\System\kNicMHa.exe
  2⤵
  PID:9180
- C:\Windows\System\FStSrKQ.exe
  C:\Windows\System\FStSrKQ.exe
  2⤵
  PID:3192
- C:\Windows\System\IftnDfF.exe
  C:\Windows\System\IftnDfF.exe
  2⤵
  PID:8848
- C:\Windows\System\ASVgLdT.exe
  C:\Windows\System\ASVgLdT.exe
  2⤵
  PID:9164
- C:\Windows\System\JsXeBdU.exe
  C:\Windows\System\JsXeBdU.exe
  2⤵
  PID:8980
- C:\Windows\System\mvySSum.exe
  C:\Windows\System\mvySSum.exe
  2⤵
  PID:8820
- C:\Windows\System\CZfnHij.exe
  C:\Windows\System\CZfnHij.exe
  2⤵
  PID:9244
- C:\Windows\System\UJMlcpQ.exe
  C:\Windows\System\UJMlcpQ.exe
  2⤵
  PID:9272
- C:\Windows\System\zUoEhdJ.exe
  C:\Windows\System\zUoEhdJ.exe
  2⤵
  PID:9300
- C:\Windows\System\fLUQfvO.exe
  C:\Windows\System\fLUQfvO.exe
  2⤵
  PID:9328
- C:\Windows\System\dXGbnDQ.exe
  C:\Windows\System\dXGbnDQ.exe
  2⤵
  PID:9356
- C:\Windows\System\JhRbcHb.exe
  C:\Windows\System\JhRbcHb.exe
  2⤵
  PID:9384
- C:\Windows\System\bVGPIlk.exe
  C:\Windows\System\bVGPIlk.exe
  2⤵
  PID:9412
- C:\Windows\System\QWWezgJ.exe
  C:\Windows\System\QWWezgJ.exe
  2⤵
  PID:9440
- C:\Windows\System\FYiyzkP.exe
  C:\Windows\System\FYiyzkP.exe
  2⤵
  PID:9468
- C:\Windows\System\kWwiAxv.exe
  C:\Windows\System\kWwiAxv.exe
  2⤵
  PID:9496
- C:\Windows\System\XdeOLku.exe
  C:\Windows\System\XdeOLku.exe
  2⤵
  PID:9524
- C:\Windows\System\mNplDJr.exe
  C:\Windows\System\mNplDJr.exe
  2⤵
  PID:9552
- C:\Windows\System\mBgzqmk.exe
  C:\Windows\System\mBgzqmk.exe
  2⤵
  PID:9580
- C:\Windows\System\xDoMsbS.exe
  C:\Windows\System\xDoMsbS.exe
  2⤵
  PID:9608
- C:\Windows\System\KKzlUZu.exe
  C:\Windows\System\KKzlUZu.exe
  2⤵
  PID:9636
- C:\Windows\System\CiQTnDR.exe
  C:\Windows\System\CiQTnDR.exe
  2⤵
  PID:9664
- C:\Windows\System\jWHwnBH.exe
  C:\Windows\System\jWHwnBH.exe
  2⤵
  PID:9692
- C:\Windows\System\YnCuWXf.exe
  C:\Windows\System\YnCuWXf.exe
  2⤵
  PID:9720
- C:\Windows\System\GTMSZKk.exe
  C:\Windows\System\GTMSZKk.exe
  2⤵
  PID:9748
- C:\Windows\System\VAWJzWl.exe
  C:\Windows\System\VAWJzWl.exe
  2⤵
  PID:9776
- C:\Windows\System\ykbOhEu.exe
  C:\Windows\System\ykbOhEu.exe
  2⤵
  PID:9804
- C:\Windows\System\RrodCRF.exe
  C:\Windows\System\RrodCRF.exe
  2⤵
  PID:9832
- C:\Windows\System\DEEhwII.exe
  C:\Windows\System\DEEhwII.exe
  2⤵
  PID:9860
- C:\Windows\System\kzBRIRT.exe
  C:\Windows\System\kzBRIRT.exe
  2⤵
  PID:9888
- C:\Windows\System\fyDtTeZ.exe
  C:\Windows\System\fyDtTeZ.exe
  2⤵
  PID:9920
- C:\Windows\System\kLZcaRj.exe
  C:\Windows\System\kLZcaRj.exe
  2⤵
  PID:9948
- C:\Windows\System\HemHWcK.exe
  C:\Windows\System\HemHWcK.exe
  2⤵
  PID:9976
- C:\Windows\System\XMHubpa.exe
  C:\Windows\System\XMHubpa.exe
  2⤵
  PID:10004
- C:\Windows\System\tHWpWdB.exe
  C:\Windows\System\tHWpWdB.exe
  2⤵
  PID:10036
- C:\Windows\System\PSjwrdn.exe
  C:\Windows\System\PSjwrdn.exe
  2⤵
  PID:10060
- C:\Windows\System\VhizamT.exe
  C:\Windows\System\VhizamT.exe
  2⤵
  PID:10088
- C:\Windows\System\xCUHNNJ.exe
  C:\Windows\System\xCUHNNJ.exe
  2⤵
  PID:10116
- C:\Windows\System\zYtPyLS.exe
  C:\Windows\System\zYtPyLS.exe
  2⤵
  PID:10144
- C:\Windows\System\DJZjtmC.exe
  C:\Windows\System\DJZjtmC.exe
  2⤵
  PID:10172
- C:\Windows\System\xYFhGQD.exe
  C:\Windows\System\xYFhGQD.exe
  2⤵
  PID:10200
- C:\Windows\System\uwLcSCB.exe
  C:\Windows\System\uwLcSCB.exe
  2⤵
  PID:10228
- C:\Windows\System\IhYXQBN.exe
  C:\Windows\System\IhYXQBN.exe
  2⤵
  PID:9256
- C:\Windows\System\FFQVNrG.exe
  C:\Windows\System\FFQVNrG.exe
  2⤵
  PID:9320
- C:\Windows\System\QLaPCfk.exe
  C:\Windows\System\QLaPCfk.exe
  2⤵
  PID:9380
- C:\Windows\System\GxWdZdH.exe
  C:\Windows\System\GxWdZdH.exe
  2⤵
  PID:9452
- C:\Windows\System\haxlbIj.exe
  C:\Windows\System\haxlbIj.exe
  2⤵
  PID:9536
- C:\Windows\System\wkFVbHP.exe
  C:\Windows\System\wkFVbHP.exe
  2⤵
  PID:9572
- C:\Windows\System\QiyvEyg.exe
  C:\Windows\System\QiyvEyg.exe
  2⤵
  PID:9632
- C:\Windows\System\BvHkcYh.exe
  C:\Windows\System\BvHkcYh.exe
  2⤵
  PID:9688
- C:\Windows\System\DGRZPRz.exe
  C:\Windows\System\DGRZPRz.exe
  2⤵
  PID:9772
- C:\Windows\System\gHrfCHe.exe
  C:\Windows\System\gHrfCHe.exe
  2⤵
  PID:9844
- C:\Windows\System\rSXVrKq.exe
  C:\Windows\System\rSXVrKq.exe
  2⤵
  PID:9912
- C:\Windows\System\sCvepDc.exe
  C:\Windows\System\sCvepDc.exe
  2⤵
  PID:9968
- C:\Windows\System\VvCqItu.exe
  C:\Windows\System\VvCqItu.exe
  2⤵
  PID:10028
- C:\Windows\System\ZtAoKvN.exe
  C:\Windows\System\ZtAoKvN.exe
  2⤵
  PID:10080
- C:\Windows\System\vzGAmwe.exe
  C:\Windows\System\vzGAmwe.exe
  2⤵
  PID:10140
- C:\Windows\System\apbTEYt.exe
  C:\Windows\System\apbTEYt.exe
  2⤵
  PID:10212
- C:\Windows\System\xjHHlXf.exe
  C:\Windows\System\xjHHlXf.exe
  2⤵
  PID:9296
- C:\Windows\System\yVoesjF.exe
  C:\Windows\System\yVoesjF.exe
  2⤵
  PID:4348
- C:\Windows\System\FLKGIjI.exe
  C:\Windows\System\FLKGIjI.exe
  2⤵
  PID:9620
- C:\Windows\System\QIYrBpk.exe
  C:\Windows\System\QIYrBpk.exe
  2⤵
  PID:9744
- C:\Windows\System\yvpDnhj.exe
  C:\Windows\System\yvpDnhj.exe
  2⤵
  PID:9884
- C:\Windows\System\JFdMzTR.exe
  C:\Windows\System\JFdMzTR.exe
  2⤵
  PID:10024
- C:\Windows\System\gihFYIS.exe
  C:\Windows\System\gihFYIS.exe
  2⤵
  PID:10168
- C:\Windows\System\pIAHpAn.exe
  C:\Windows\System\pIAHpAn.exe
  2⤵
  PID:9376
- C:\Windows\System\EnbIxTP.exe
  C:\Windows\System\EnbIxTP.exe
  2⤵
  PID:9716
- C:\Windows\System\jzPXTly.exe
  C:\Windows\System\jzPXTly.exe
  2⤵
  PID:10016
- C:\Windows\System\ucidDBT.exe
  C:\Windows\System\ucidDBT.exe
  2⤵
  PID:9492
- C:\Windows\System\VSSldFb.exe
  C:\Windows\System\VSSldFb.exe
  2⤵
  PID:9240
- C:\Windows\System\edCUpHn.exe
  C:\Windows\System\edCUpHn.exe
  2⤵
  PID:9996
- C:\Windows\System\iPLTJaI.exe
  C:\Windows\System\iPLTJaI.exe
  2⤵
  PID:10244
- C:\Windows\System\ovrYjpp.exe
  C:\Windows\System\ovrYjpp.exe
  2⤵
  PID:10272
- C:\Windows\System\fYAZVfp.exe
  C:\Windows\System\fYAZVfp.exe
  2⤵
  PID:10300
- C:\Windows\System\ZxpKbhS.exe
  C:\Windows\System\ZxpKbhS.exe
  2⤵
  PID:10328
- C:\Windows\System\wbxpOwX.exe
  C:\Windows\System\wbxpOwX.exe
  2⤵
  PID:10356
- C:\Windows\System\HucoPHI.exe
  C:\Windows\System\HucoPHI.exe
  2⤵
  PID:10384
- C:\Windows\System\LYgfQKW.exe
  C:\Windows\System\LYgfQKW.exe
  2⤵
  PID:10412
- C:\Windows\System\HLPOJYM.exe
  C:\Windows\System\HLPOJYM.exe
  2⤵
  PID:10440
- C:\Windows\System\HrsuPdj.exe
  C:\Windows\System\HrsuPdj.exe
  2⤵
  PID:10468
- C:\Windows\System\MQutPJB.exe
  C:\Windows\System\MQutPJB.exe
  2⤵
  PID:10496
- C:\Windows\System\hqqTVtH.exe
  C:\Windows\System\hqqTVtH.exe
  2⤵
  PID:10524
- C:\Windows\System\BZSFzHJ.exe
  C:\Windows\System\BZSFzHJ.exe
  2⤵
  PID:10552
- C:\Windows\System\OiBxNaX.exe
  C:\Windows\System\OiBxNaX.exe
  2⤵
  PID:10580
- C:\Windows\System\YPQZNTd.exe
  C:\Windows\System\YPQZNTd.exe
  2⤵
  PID:10608
- C:\Windows\System\UGYdPDc.exe
  C:\Windows\System\UGYdPDc.exe
  2⤵
  PID:10636
- C:\Windows\System\exRLaFp.exe
  C:\Windows\System\exRLaFp.exe
  2⤵
  PID:10664
- C:\Windows\System\oEAnXsf.exe
  C:\Windows\System\oEAnXsf.exe
  2⤵
  PID:10692
- C:\Windows\System\bsMWBwK.exe
  C:\Windows\System\bsMWBwK.exe
  2⤵
  PID:10720
- C:\Windows\System\qKfFMnA.exe
  C:\Windows\System\qKfFMnA.exe
  2⤵
  PID:10748
- C:\Windows\System\etqiFRw.exe
  C:\Windows\System\etqiFRw.exe
  2⤵
  PID:10776
- C:\Windows\System\jbziJeP.exe
  C:\Windows\System\jbziJeP.exe
  2⤵
  PID:10804
- C:\Windows\System\ftuKpiW.exe
  C:\Windows\System\ftuKpiW.exe
  2⤵
  PID:10836
- C:\Windows\System\BcUodTs.exe
  C:\Windows\System\BcUodTs.exe
  2⤵
  PID:10864
- C:\Windows\System\qNEFIqd.exe
  C:\Windows\System\qNEFIqd.exe
  2⤵
  PID:10892
- C:\Windows\System\WkQMimQ.exe
  C:\Windows\System\WkQMimQ.exe
  2⤵
  PID:10920
- C:\Windows\System\XxZqjNO.exe
  C:\Windows\System\XxZqjNO.exe
  2⤵
  PID:10948
- C:\Windows\System\egcXgup.exe
  C:\Windows\System\egcXgup.exe
  2⤵
  PID:10976
- C:\Windows\System\yPqpaKq.exe
  C:\Windows\System\yPqpaKq.exe
  2⤵
  PID:11004
- C:\Windows\System\cYcQbUB.exe
  C:\Windows\System\cYcQbUB.exe
  2⤵
  PID:11032
- C:\Windows\System\tdywtzg.exe
  C:\Windows\System\tdywtzg.exe
  2⤵
  PID:11072
- C:\Windows\System\kABbgAL.exe
  C:\Windows\System\kABbgAL.exe
  2⤵
  PID:11088
- C:\Windows\System\qcRmduY.exe
  C:\Windows\System\qcRmduY.exe
  2⤵
  PID:11116
- C:\Windows\System\iYatstF.exe
  C:\Windows\System\iYatstF.exe
  2⤵
  PID:11144
- C:\Windows\System\rQSczKp.exe
  C:\Windows\System\rQSczKp.exe
  2⤵
  PID:11172
- C:\Windows\System\ytcTpPu.exe
  C:\Windows\System\ytcTpPu.exe
  2⤵
  PID:11200
- C:\Windows\System\zCerszo.exe
  C:\Windows\System\zCerszo.exe
  2⤵
  PID:11228
- C:\Windows\System\MKcFHkp.exe
  C:\Windows\System\MKcFHkp.exe
  2⤵
  PID:11256
- C:\Windows\System\zuPKIwc.exe
  C:\Windows\System\zuPKIwc.exe
  2⤵
  PID:10292
- C:\Windows\System\rMxhYhf.exe
  C:\Windows\System\rMxhYhf.exe
  2⤵
  PID:10340
- C:\Windows\System\BvIWAzb.exe
  C:\Windows\System\BvIWAzb.exe
  2⤵
  PID:3024
- C:\Windows\System\eoxiyCL.exe
  C:\Windows\System\eoxiyCL.exe
  2⤵
  PID:10432
- C:\Windows\System\gIdTrWM.exe
  C:\Windows\System\gIdTrWM.exe
  2⤵
  PID:10492
- C:\Windows\System\ChLSFvU.exe
  C:\Windows\System\ChLSFvU.exe
  2⤵
  PID:10564
- C:\Windows\System\kYsSaYe.exe
  C:\Windows\System\kYsSaYe.exe
  2⤵
  PID:10620
- C:\Windows\System\PDWMOkp.exe
  C:\Windows\System\PDWMOkp.exe
  2⤵
  PID:10684
- C:\Windows\System\FHlvCQu.exe
  C:\Windows\System\FHlvCQu.exe
  2⤵
  PID:10744
- C:\Windows\System\tZGOiXD.exe
  C:\Windows\System\tZGOiXD.exe
  2⤵
  PID:10816
- C:\Windows\System\LCFkcPW.exe
  C:\Windows\System\LCFkcPW.exe
  2⤵
  PID:10884
- C:\Windows\System\KgPQqiD.exe
  C:\Windows\System\KgPQqiD.exe
  2⤵
  PID:10944
- C:\Windows\System\FgvXgwb.exe
  C:\Windows\System\FgvXgwb.exe
  2⤵
  PID:11016
- C:\Windows\System\PrhiCjK.exe
  C:\Windows\System\PrhiCjK.exe
  2⤵
  PID:11080
- C:\Windows\System\BCKQgUp.exe
  C:\Windows\System\BCKQgUp.exe
  2⤵
  PID:11156
- C:\Windows\System\HBXcctV.exe
  C:\Windows\System\HBXcctV.exe
  2⤵
  PID:11220
- C:\Windows\System\YCavUgH.exe
  C:\Windows\System\YCavUgH.exe
  2⤵
  PID:10284
- C:\Windows\System\PmhOAJc.exe
  C:\Windows\System\PmhOAJc.exe
  2⤵
  PID:10396
- C:\Windows\System\HDUPbhm.exe
  C:\Windows\System\HDUPbhm.exe
  2⤵
  PID:10544
- C:\Windows\System\dNXFAMi.exe
  C:\Windows\System\dNXFAMi.exe
  2⤵
  PID:10660
- C:\Windows\System\HcHJZCf.exe
  C:\Windows\System\HcHJZCf.exe
  2⤵
  PID:10800
- C:\Windows\System\SbIwkvU.exe
  C:\Windows\System\SbIwkvU.exe
  2⤵
  PID:10972
- C:\Windows\System\KMEXkum.exe
  C:\Windows\System\KMEXkum.exe
  2⤵
  PID:11136
- C:\Windows\System\anSMyXl.exe
  C:\Windows\System\anSMyXl.exe
  2⤵
  PID:10268
- C:\Windows\System\PUXJzPF.exe
  C:\Windows\System\PUXJzPF.exe
  2⤵
  PID:10832
- C:\Windows\System\WfLCFQC.exe
  C:\Windows\System\WfLCFQC.exe
  2⤵
  PID:10932
- C:\Windows\System\ZdGSFKm.exe
  C:\Windows\System\ZdGSFKm.exe
  2⤵
  PID:10256
- C:\Windows\System\zjCgPnV.exe
  C:\Windows\System\zjCgPnV.exe
  2⤵
  PID:11056
- C:\Windows\System\vnKupxV.exe
  C:\Windows\System\vnKupxV.exe
  2⤵
  PID:10876
- C:\Windows\System\TAeyhlk.exe
  C:\Windows\System\TAeyhlk.exe
  2⤵
  PID:11292
- C:\Windows\System\UNSkfTZ.exe
  C:\Windows\System\UNSkfTZ.exe
  2⤵
  PID:11320
- C:\Windows\System\HYqrhbz.exe
  C:\Windows\System\HYqrhbz.exe
  2⤵
  PID:11348
- C:\Windows\System\cOiToac.exe
  C:\Windows\System\cOiToac.exe
  2⤵
  PID:11376
- C:\Windows\System\VwJHlMB.exe
  C:\Windows\System\VwJHlMB.exe
  2⤵
  PID:11404
- C:\Windows\System\qVlQtek.exe
  C:\Windows\System\qVlQtek.exe
  2⤵
  PID:11432
- C:\Windows\System\odotGcD.exe
  C:\Windows\System\odotGcD.exe
  2⤵
  PID:11460
- C:\Windows\System\IcJSelZ.exe
  C:\Windows\System\IcJSelZ.exe
  2⤵
  PID:11488
- C:\Windows\System\QWkmlyt.exe
  C:\Windows\System\QWkmlyt.exe
  2⤵
  PID:11516
- C:\Windows\System\nwLpHEu.exe
  C:\Windows\System\nwLpHEu.exe
  2⤵
  PID:11544
- C:\Windows\System\nMOiMOS.exe
  C:\Windows\System\nMOiMOS.exe
  2⤵
  PID:11576
- C:\Windows\System\CgeppKr.exe
  C:\Windows\System\CgeppKr.exe
  2⤵
  PID:11600
- C:\Windows\System\wfPuIDP.exe
  C:\Windows\System\wfPuIDP.exe
  2⤵
  PID:11640
- C:\Windows\System\cAlfoMy.exe
  C:\Windows\System\cAlfoMy.exe
  2⤵
  PID:11676
- C:\Windows\System\OYRWFVV.exe
  C:\Windows\System\OYRWFVV.exe
  2⤵
  PID:11692
- C:\Windows\System\imaYVKB.exe
  C:\Windows\System\imaYVKB.exe
  2⤵
  PID:11720
- C:\Windows\System\EEuLjqy.exe
  C:\Windows\System\EEuLjqy.exe
  2⤵
  PID:11756
- C:\Windows\System\FvkJEGO.exe
  C:\Windows\System\FvkJEGO.exe
  2⤵
  PID:11772
- C:\Windows\System\kDPuqwV.exe
  C:\Windows\System\kDPuqwV.exe
  2⤵
  PID:11792
- C:\Windows\System\wCpfJZB.exe
  C:\Windows\System\wCpfJZB.exe
  2⤵
  PID:11848
- C:\Windows\System\djGCadT.exe
  C:\Windows\System\djGCadT.exe
  2⤵
  PID:11864
- C:\Windows\System\cjCWqwU.exe
  C:\Windows\System\cjCWqwU.exe
  2⤵
  PID:11892
- C:\Windows\System\hfHWzTf.exe
  C:\Windows\System\hfHWzTf.exe
  2⤵
  PID:11960
- C:\Windows\System\NuPzHqH.exe
  C:\Windows\System\NuPzHqH.exe
  2⤵
  PID:11988
- C:\Windows\System\BVDcWUG.exe
  C:\Windows\System\BVDcWUG.exe
  2⤵
  PID:12016
- C:\Windows\System\dxEEvfM.exe
  C:\Windows\System\dxEEvfM.exe
  2⤵
  PID:12044
- C:\Windows\System\NqdwkYU.exe
  C:\Windows\System\NqdwkYU.exe
  2⤵
  PID:12072
- C:\Windows\System\OJDnCqw.exe
  C:\Windows\System\OJDnCqw.exe
  2⤵
  PID:12104
- C:\Windows\System\kEEaMDS.exe
  C:\Windows\System\kEEaMDS.exe
  2⤵
  PID:12128
- C:\Windows\System\iIiCJuN.exe
  C:\Windows\System\iIiCJuN.exe
  2⤵
  PID:12156
- C:\Windows\System\QxHtIow.exe
  C:\Windows\System\QxHtIow.exe
  2⤵
  PID:12184
- C:\Windows\System\cJLNzbN.exe
  C:\Windows\System\cJLNzbN.exe
  2⤵
  PID:12220
- C:\Windows\System\Lqaumxu.exe
  C:\Windows\System\Lqaumxu.exe
  2⤵
  PID:12240
- C:\Windows\System\QYzFUpk.exe
  C:\Windows\System\QYzFUpk.exe
  2⤵
  PID:12268
- C:\Windows\System\fLeisIy.exe
  C:\Windows\System\fLeisIy.exe
  2⤵
  PID:11284
- C:\Windows\System\KMkYoiD.exe
  C:\Windows\System\KMkYoiD.exe
  2⤵
  PID:11344
- C:\Windows\System\KcvMbkU.exe
  C:\Windows\System\KcvMbkU.exe
  2⤵
  PID:11416
- C:\Windows\System\CbZUAvK.exe
  C:\Windows\System\CbZUAvK.exe
  2⤵
  PID:11480
- C:\Windows\System\GGUnOOs.exe
  C:\Windows\System\GGUnOOs.exe
  2⤵
  PID:11540
- C:\Windows\System\yLIiHWl.exe
  C:\Windows\System\yLIiHWl.exe
  2⤵
  PID:11596
- C:\Windows\System\PAIJAXW.exe
  C:\Windows\System\PAIJAXW.exe
  2⤵
  PID:11616
- C:\Windows\System\OfvRYDa.exe
  C:\Windows\System\OfvRYDa.exe
  2⤵
  PID:11620
- C:\Windows\System\qrOWkPE.exe
  C:\Windows\System\qrOWkPE.exe
  2⤵
  PID:920
- C:\Windows\System\XUgSvhS.exe
  C:\Windows\System\XUgSvhS.exe
  2⤵
  PID:432
- C:\Windows\System\sBtoKDA.exe
  C:\Windows\System\sBtoKDA.exe
  2⤵
  PID:7120
- C:\Windows\System\mphuWig.exe
  C:\Windows\System\mphuWig.exe
  2⤵
  PID:1796
- C:\Windows\System\lMJvBpj.exe
  C:\Windows\System\lMJvBpj.exe
  2⤵
  PID:2120
- C:\Windows\System\NvUhDYc.exe
  C:\Windows\System\NvUhDYc.exe
  2⤵
  PID:11744
- C:\Windows\System\cUkuPPe.exe
  C:\Windows\System\cUkuPPe.exe
  2⤵
  PID:11780
- C:\Windows\System\LnMNrgU.exe
  C:\Windows\System\LnMNrgU.exe
  2⤵
  PID:11900
- C:\Windows\System\RcojSvM.exe
  C:\Windows\System\RcojSvM.exe
  2⤵
  PID:11732
- C:\Windows\System\jUcNPyU.exe
  C:\Windows\System\jUcNPyU.exe
  2⤵
  PID:11984
- C:\Windows\System\neJoDAp.exe
  C:\Windows\System\neJoDAp.exe
  2⤵
  PID:12056
- C:\Windows\System\HXpsdFB.exe
  C:\Windows\System\HXpsdFB.exe
  2⤵
  PID:12120
- C:\Windows\System\czFckMl.exe
  C:\Windows\System\czFckMl.exe
  2⤵
  PID:12180
- C:\Windows\System\QQkQNKJ.exe
  C:\Windows\System\QQkQNKJ.exe
  2⤵
  PID:12252
- C:\Windows\System\ApVOOEG.exe
  C:\Windows\System\ApVOOEG.exe
  2⤵
  PID:11332
- C:\Windows\System\ezkxuIv.exe
  C:\Windows\System\ezkxuIv.exe
  2⤵
  PID:11472
- C:\Windows\System\hHKBjiG.exe
  C:\Windows\System\hHKBjiG.exe
  2⤵
  PID:11588
- C:\Windows\System\YMZqJTr.exe
  C:\Windows\System\YMZqJTr.exe
  2⤵
  PID:11632
- C:\Windows\System\aeCaBzV.exe
  C:\Windows\System\aeCaBzV.exe
  2⤵
  PID:11924
- C:\Windows\System\VJMYnLg.exe
  C:\Windows\System\VJMYnLg.exe
  2⤵
  PID:11752
- C:\Windows\System\lpwTAHT.exe
  C:\Windows\System\lpwTAHT.exe
  2⤵
  PID:11816
- C:\Windows\System\VNAKMVz.exe
  C:\Windows\System\VNAKMVz.exe
  2⤵
  PID:11824
- C:\Windows\System\YdUgDUF.exe
  C:\Windows\System\YdUgDUF.exe
  2⤵
  PID:12084
- C:\Windows\System\sqPMwsV.exe
  C:\Windows\System\sqPMwsV.exe
  2⤵
  PID:12232
- C:\Windows\System\qEMejnO.exe
  C:\Windows\System\qEMejnO.exe
  2⤵
  PID:11452
- C:\Windows\System\FXGyPva.exe
  C:\Windows\System\FXGyPva.exe
  2⤵
  PID:7128
- C:\Windows\System\OZVNvxo.exe
  C:\Windows\System\OZVNvxo.exe
  2⤵
  PID:11740
- C:\Windows\System\BXYmEFH.exe
  C:\Windows\System\BXYmEFH.exe
  2⤵
  PID:7092
- C:\Windows\System\LWDTCnW.exe
  C:\Windows\System\LWDTCnW.exe
  2⤵
  PID:11396
- C:\Windows\System\JPrfmxP.exe
  C:\Windows\System\JPrfmxP.exe
  2⤵
  PID:2088
- C:\Windows\System\LOAFXaT.exe
  C:\Windows\System\LOAFXaT.exe
  2⤵
  PID:1924
- C:\Windows\System\akDPogN.exe
  C:\Windows\System\akDPogN.exe
  2⤵
  PID:11980
- C:\Windows\System\cJkcKbo.exe
  C:\Windows\System\cJkcKbo.exe
  2⤵
  PID:12308
- C:\Windows\System\kYhqnQo.exe
  C:\Windows\System\kYhqnQo.exe
  2⤵
  PID:12336
- C:\Windows\System\ySxmlqw.exe
  C:\Windows\System\ySxmlqw.exe
  2⤵
  PID:12364
- C:\Windows\System\rGWULAi.exe
  C:\Windows\System\rGWULAi.exe
  2⤵
  PID:12392
- C:\Windows\System\KVdYnqz.exe
  C:\Windows\System\KVdYnqz.exe
  2⤵
  PID:12420
- C:\Windows\System\rBgudLJ.exe
  C:\Windows\System\rBgudLJ.exe
  2⤵
  PID:12448
- C:\Windows\System\VNOBJnU.exe
  C:\Windows\System\VNOBJnU.exe
  2⤵
  PID:12476
- C:\Windows\System\SGCDfOG.exe
  C:\Windows\System\SGCDfOG.exe
  2⤵
  PID:12504
- C:\Windows\System\yWpQFXZ.exe
  C:\Windows\System\yWpQFXZ.exe
  2⤵
  PID:12536
- C:\Windows\System\pWVSbmG.exe
  C:\Windows\System\pWVSbmG.exe
  2⤵
  PID:12564
- C:\Windows\System\eAgnzuf.exe
  C:\Windows\System\eAgnzuf.exe
  2⤵
  PID:12592
- C:\Windows\System\XZJjDoF.exe
  C:\Windows\System\XZJjDoF.exe
  2⤵
  PID:12620
- C:\Windows\System\rcUfTXG.exe
  C:\Windows\System\rcUfTXG.exe
  2⤵
  PID:12648
- C:\Windows\System\NFfbsnW.exe
  C:\Windows\System\NFfbsnW.exe
  2⤵
  PID:12676
- C:\Windows\System\VwjjPLL.exe
  C:\Windows\System\VwjjPLL.exe
  2⤵
  PID:12704
- C:\Windows\System\ilOtvfH.exe
  C:\Windows\System\ilOtvfH.exe
  2⤵
  PID:12732
- C:\Windows\System\qoohAOB.exe
  C:\Windows\System\qoohAOB.exe
  2⤵
  PID:12760
- C:\Windows\System\Xkiahee.exe
  C:\Windows\System\Xkiahee.exe
  2⤵
  PID:12788
- C:\Windows\System\barDDNj.exe
  C:\Windows\System\barDDNj.exe
  2⤵
  PID:12816
- C:\Windows\System\tYUnwXZ.exe
  C:\Windows\System\tYUnwXZ.exe
  2⤵
  PID:12844
- C:\Windows\System\jIHDYSZ.exe
  C:\Windows\System\jIHDYSZ.exe
  2⤵
  PID:12872
- C:\Windows\System\KgKVfZN.exe
  C:\Windows\System\KgKVfZN.exe
  2⤵
  PID:12900
- C:\Windows\System\HCtyJtd.exe
  C:\Windows\System\HCtyJtd.exe
  2⤵
  PID:12928
- C:\Windows\System\QcTDFOJ.exe
  C:\Windows\System\QcTDFOJ.exe
  2⤵
  PID:12956
- C:\Windows\System\enVEvxu.exe
  C:\Windows\System\enVEvxu.exe
  2⤵
  PID:12984
- C:\Windows\System\tCecCRV.exe
  C:\Windows\System\tCecCRV.exe
  2⤵
  PID:13012
- C:\Windows\System\jqNlvXC.exe
  C:\Windows\System\jqNlvXC.exe
  2⤵
  PID:13040
- C:\Windows\System\HeaqFxR.exe
  C:\Windows\System\HeaqFxR.exe
  2⤵
  PID:13084
- C:\Windows\System\EZfFxlb.exe
  C:\Windows\System\EZfFxlb.exe
  2⤵
  PID:13100
- C:\Windows\System\HImgfyv.exe
  C:\Windows\System\HImgfyv.exe
  2⤵
  PID:13128
- C:\Windows\System\ghmdhJg.exe
  C:\Windows\System\ghmdhJg.exe
  2⤵
  PID:13156
- C:\Windows\System\jIQPLxP.exe
  C:\Windows\System\jIQPLxP.exe
  2⤵
  PID:13184
- C:\Windows\System\JDfQRXe.exe
  C:\Windows\System\JDfQRXe.exe
  2⤵
  PID:13212
- C:\Windows\System\FwfpejY.exe
  C:\Windows\System\FwfpejY.exe
  2⤵
  PID:13240
- C:\Windows\System\iLahfeN.exe
  C:\Windows\System\iLahfeN.exe
  2⤵
  PID:13268
- C:\Windows\System\oAKcvHe.exe
  C:\Windows\System\oAKcvHe.exe
  2⤵
  PID:13296
- C:\Windows\System\yrDkZzU.exe
  C:\Windows\System\yrDkZzU.exe
  2⤵
  PID:12320
- C:\Windows\System\HUnaBTP.exe
  C:\Windows\System\HUnaBTP.exe
  2⤵
  PID:12384
- C:\Windows\System\qVIWCIh.exe
  C:\Windows\System\qVIWCIh.exe
  2⤵
  PID:12444
- C:\Windows\System\rNisfMI.exe
  C:\Windows\System\rNisfMI.exe
  2⤵
  PID:12520
- C:\Windows\System\EAObOkK.exe
  C:\Windows\System\EAObOkK.exe
  2⤵
  PID:12588
- C:\Windows\System\uCqEwaZ.exe
  C:\Windows\System\uCqEwaZ.exe
  2⤵
  PID:12660
- C:\Windows\System\ykwULfI.exe
  C:\Windows\System\ykwULfI.exe
  2⤵
  PID:12724
- C:\Windows\System\gjPiBAq.exe
  C:\Windows\System\gjPiBAq.exe
  2⤵
  PID:12784
- C:\Windows\System\huWLAkh.exe
  C:\Windows\System\huWLAkh.exe
  2⤵
  PID:12868
- C:\Windows\System\DFNdyvw.exe
  C:\Windows\System\DFNdyvw.exe
  2⤵
  PID:12920
- C:\Windows\System\JTMlVuW.exe
  C:\Windows\System\JTMlVuW.exe
  2⤵
  PID:12980
- C:\Windows\System\AHraJTA.exe
  C:\Windows\System\AHraJTA.exe
  2⤵
  PID:13052
- C:\Windows\System\AeDOlzv.exe
  C:\Windows\System\AeDOlzv.exe
  2⤵
  PID:13120
- C:\Windows\System\dHYvOkv.exe
  C:\Windows\System\dHYvOkv.exe
  2⤵
  PID:13176
- C:\Windows\System\QTwocBS.exe
  C:\Windows\System\QTwocBS.exe
  2⤵
  PID:13236
- C:\Windows\System\IsCfvyO.exe
  C:\Windows\System\IsCfvyO.exe
  2⤵
  PID:13308
- C:\Windows\System\WlSpWTO.exe
  C:\Windows\System\WlSpWTO.exe
  2⤵
  PID:12432
- C:\Windows\System\kBpGmoG.exe
  C:\Windows\System\kBpGmoG.exe
  2⤵
  PID:12584
- C:\Windows\System\IRUeDdS.exe
  C:\Windows\System\IRUeDdS.exe
  2⤵
  PID:12752
- C:\Windows\System\LdbycZn.exe
  C:\Windows\System\LdbycZn.exe
  2⤵
  PID:12896
- C:\Windows\System\FADWvZv.exe
  C:\Windows\System\FADWvZv.exe
  2⤵
  PID:13036
- C:\Windows\System\VKbGZlT.exe
  C:\Windows\System\VKbGZlT.exe
  2⤵
  PID:13204
- C:\Windows\System\AgrFEaR.exe
  C:\Windows\System\AgrFEaR.exe
  2⤵
  PID:12376
- C:\Windows\System\gdgBIiB.exe
  C:\Windows\System\gdgBIiB.exe
  2⤵
  PID:12716
- C:\Windows\System\UnEydGd.exe
  C:\Windows\System\UnEydGd.exe
  2⤵
  PID:13112
- C:\Windows\System\heYWRUF.exe
  C:\Windows\System\heYWRUF.exe
  2⤵
  PID:12644
- C:\Windows\System\CWkVPzg.exe
  C:\Windows\System\CWkVPzg.exe
  2⤵
  PID:12548
- C:\Windows\System\EiKNdxB.exe
  C:\Windows\System\EiKNdxB.exe
  2⤵
  PID:13328
- C:\Windows\System\angTJLS.exe
  C:\Windows\System\angTJLS.exe
  2⤵
  PID:13356
- C:\Windows\System\OUyArqw.exe
  C:\Windows\System\OUyArqw.exe
  2⤵
  PID:13384
- C:\Windows\System\SDaQdOa.exe
  C:\Windows\System\SDaQdOa.exe
  2⤵
  PID:13412
- C:\Windows\System\CpHlZWt.exe
  C:\Windows\System\CpHlZWt.exe
  2⤵
  PID:13440
- C:\Windows\System\YMYUcun.exe
  C:\Windows\System\YMYUcun.exe
  2⤵
  PID:13468
- C:\Windows\System\OyRamQu.exe
  C:\Windows\System\OyRamQu.exe
  2⤵
  PID:13496
- C:\Windows\System\renLhFg.exe
  C:\Windows\System\renLhFg.exe
  2⤵
  PID:13524
- C:\Windows\System\RzznrOr.exe
  C:\Windows\System\RzznrOr.exe
  2⤵
  PID:13552
- C:\Windows\System\xpXSupF.exe
  C:\Windows\System\xpXSupF.exe
  2⤵
  PID:13584
- C:\Windows\System\CmjwqJW.exe
  C:\Windows\System\CmjwqJW.exe
  2⤵
  PID:13612
- C:\Windows\System\GKtmtjg.exe
  C:\Windows\System\GKtmtjg.exe
  2⤵
  PID:13640
- C:\Windows\System\aatRqlW.exe
  C:\Windows\System\aatRqlW.exe
  2⤵
  PID:13668
- C:\Windows\System\CWNDUqK.exe
  C:\Windows\System\CWNDUqK.exe
  2⤵
  PID:13696
- C:\Windows\System\DhjKUzy.exe
  C:\Windows\System\DhjKUzy.exe
  2⤵
  PID:13724
- C:\Windows\System\UsEtece.exe
  C:\Windows\System\UsEtece.exe
  2⤵
  PID:13752
- C:\Windows\System\pSvpIrP.exe
  C:\Windows\System\pSvpIrP.exe
  2⤵
  PID:13780
- C:\Windows\System\ANgbGmN.exe
  C:\Windows\System\ANgbGmN.exe
  2⤵
  PID:13808
- C:\Windows\System\JblCPNU.exe
  C:\Windows\System\JblCPNU.exe
  2⤵
  PID:13836
- C:\Windows\System\AJVnHfI.exe
  C:\Windows\System\AJVnHfI.exe
  2⤵
  PID:13864
- C:\Windows\System\hHnAqmE.exe
  C:\Windows\System\hHnAqmE.exe
  2⤵
  PID:13892
- C:\Windows\System\ZspBgwv.exe
  C:\Windows\System\ZspBgwv.exe
  2⤵
  PID:13920
- C:\Windows\System\fptgkqL.exe
  C:\Windows\System\fptgkqL.exe
  2⤵
  PID:13948
- C:\Windows\System\cdxDCzk.exe
  C:\Windows\System\cdxDCzk.exe
  2⤵
  PID:13976
- C:\Windows\System\VaTrhnz.exe
  C:\Windows\System\VaTrhnz.exe
  2⤵
  PID:14004
- C:\Windows\System\RXYecAG.exe
  C:\Windows\System\RXYecAG.exe
  2⤵
  PID:14032
- C:\Windows\System\fwqMjue.exe
  C:\Windows\System\fwqMjue.exe
  2⤵
  PID:14064
- C:\Windows\System\PeZBPuV.exe
  C:\Windows\System\PeZBPuV.exe
  2⤵
  PID:14088
- C:\Windows\System\UuUxtRD.exe
  C:\Windows\System\UuUxtRD.exe
  2⤵
  PID:14124
- C:\Windows\System\ZRkatjn.exe
  C:\Windows\System\ZRkatjn.exe
  2⤵
  PID:14152
- C:\Windows\System\qqqwyFK.exe
  C:\Windows\System\qqqwyFK.exe
  2⤵
  PID:14184
- C:\Windows\System\NrdpAhE.exe
  C:\Windows\System\NrdpAhE.exe
  2⤵
  PID:14224
- C:\Windows\System\VLJguzi.exe
  C:\Windows\System\VLJguzi.exe
  2⤵
  PID:14268
- C:\Windows\System\ZepozNL.exe
  C:\Windows\System\ZepozNL.exe
  2⤵
  PID:14308
- C:\Windows\System\rgINnSC.exe
  C:\Windows\System\rgINnSC.exe
  2⤵
  PID:12348
- C:\Windows\System\VnbRkBU.exe
  C:\Windows\System\VnbRkBU.exe
  2⤵
  PID:12556
- C:\Windows\System\PSpIFdD.exe
  C:\Windows\System\PSpIFdD.exe
  2⤵
  PID:13460
- C:\Windows\System\ZuTIVBi.exe
  C:\Windows\System\ZuTIVBi.exe
  2⤵
  PID:13492
- C:\Windows\System\raJZAOv.exe
  C:\Windows\System\raJZAOv.exe
  2⤵
  PID:13564
- C:\Windows\System\TimXmjD.exe
  C:\Windows\System\TimXmjD.exe
  2⤵
  PID:4044
- C:\Windows\System\NRqdTYp.exe
  C:\Windows\System\NRqdTYp.exe
  2⤵
  PID:13632
- C:\Windows\System\KapMtCv.exe
  C:\Windows\System\KapMtCv.exe
  2⤵
  PID:13692
- C:\Windows\System\xgSTnAV.exe
  C:\Windows\System\xgSTnAV.exe
  2⤵
  PID:13764
- C:\Windows\System\PjCCyef.exe
  C:\Windows\System\PjCCyef.exe
  2⤵
  PID:13828
- C:\Windows\System\xuBUXAi.exe
  C:\Windows\System\xuBUXAi.exe
  2⤵
  PID:13888
- C:\Windows\System\AILMpzW.exe
  C:\Windows\System\AILMpzW.exe
  2⤵
  PID:13960
- C:\Windows\System\MYERDPs.exe
  C:\Windows\System\MYERDPs.exe
  2⤵
  PID:14024
- C:\Windows\System\ycTczOV.exe
  C:\Windows\System\ycTczOV.exe
  2⤵
  PID:14076
- C:\Windows\System\wdKRAFT.exe
  C:\Windows\System\wdKRAFT.exe
  2⤵
  PID:14112
- C:\Windows\System\cpqMWST.exe
  C:\Windows\System\cpqMWST.exe
  2⤵
  PID:1156
- C:\Windows\System\GSktEHS.exe
  C:\Windows\System\GSktEHS.exe
  2⤵
  PID:14204
- C:\Windows\System\bJVGYbI.exe
  C:\Windows\System\bJVGYbI.exe
  2⤵
  PID:1228
- C:\Windows\System\ULimFeS.exe
  C:\Windows\System\ULimFeS.exe
  2⤵
  PID:14296
- C:\Windows\System\xOOKofS.exe
  C:\Windows\System\xOOKofS.exe
  2⤵
  PID:14256
- C:\Windows\System\mnZABPi.exe
  C:\Windows\System\mnZABPi.exe
  2⤵
  PID:13408
- C:\Windows\System\dgBRFHW.exe
  C:\Windows\System\dgBRFHW.exe
  2⤵
  PID:13548
- C:\Windows\System\nlaoNqt.exe
  C:\Windows\System\nlaoNqt.exe
  2⤵
  PID:13660
- C:\Windows\System\Ekorpck.exe
  C:\Windows\System\Ekorpck.exe
  2⤵
  PID:13804
- C:\Windows\System\iGNWwJY.exe
  C:\Windows\System\iGNWwJY.exe
  2⤵
  PID:13944
- C:\Windows\System\sgaNyfb.exe
  C:\Windows\System\sgaNyfb.exe
  2⤵
  PID:2752
- C:\Windows\System\nmVozMq.exe
  C:\Windows\System\nmVozMq.exe
  2⤵
  PID:5036
- C:\Windows\System\LTBhJQd.exe
  C:\Windows\System\LTBhJQd.exe
  2⤵
  PID:4084
- C:\Windows\System\OoMTpTs.exe
  C:\Windows\System\OoMTpTs.exe
  2⤵
  PID:14212
- C:\Windows\System\GxSldtY.exe
  C:\Windows\System\GxSldtY.exe
  2⤵
  PID:1388
- C:\Windows\System\DxApaBW.exe
  C:\Windows\System\DxApaBW.exe
  2⤵
  PID:4520
- C:\Windows\System\TAZGbUq.exe
  C:\Windows\System\TAZGbUq.exe
  2⤵
  PID:412
- C:\Windows\System\QUPulfX.exe
  C:\Windows\System\QUPulfX.exe
  2⤵
  PID:1216
- C:\Windows\System\VmixGoK.exe
  C:\Windows\System\VmixGoK.exe
  2⤵
  PID:13720
- C:\Windows\System\VGmiMBz.exe
  C:\Windows\System\VGmiMBz.exe
  2⤵
  PID:1576
- C:\Windows\System\pJKIqBX.exe
  C:\Windows\System\pJKIqBX.exe
  2⤵
  PID:14140
- C:\Windows\System\Ldxcedx.exe
  C:\Windows\System\Ldxcedx.exe
  2⤵
  PID:2976
- C:\Windows\System\EeZrfFY.exe
  C:\Windows\System\EeZrfFY.exe
  2⤵
  PID:4128
- C:\Windows\System\fODmOWk.exe
  C:\Windows\System\fODmOWk.exe
  2⤵
  PID:14260
- C:\Windows\System\vAPAGsU.exe
  C:\Windows\System\vAPAGsU.exe
  2⤵
  PID:212
- C:\Windows\System\ThZcsOF.exe
  C:\Windows\System\ThZcsOF.exe
  2⤵
  PID:4160
- C:\Windows\System\YqZsjsO.exe
  C:\Windows\System\YqZsjsO.exe
  2⤵
  PID:872
- C:\Windows\System\inLzEkS.exe
  C:\Windows\System\inLzEkS.exe
  2⤵
  PID:4020
- C:\Windows\System\UuwpdWM.exe
  C:\Windows\System\UuwpdWM.exe
  2⤵
  PID:4100
- C:\Windows\System\PDnLVvG.exe
  C:\Windows\System\PDnLVvG.exe
  2⤵
  PID:4620
- C:\Windows\System\nXqFGvh.exe
  C:\Windows\System\nXqFGvh.exe
  2⤵
  PID:4696
- C:\Windows\System\adrcNDU.exe
  C:\Windows\System\adrcNDU.exe
  2⤵
  PID:548
- C:\Windows\System\VitqOHU.exe
  C:\Windows\System\VitqOHU.exe
  2⤵
  PID:13380
- C:\Windows\System\euuOisN.exe
  C:\Windows\System\euuOisN.exe
  2⤵
  PID:4168
- C:\Windows\System\TyCtPdO.exe
  C:\Windows\System\TyCtPdO.exe
  2⤵
  PID:3304
- C:\Windows\System\tyHGFni.exe
  C:\Windows\System\tyHGFni.exe
  2⤵
  PID:4852
- C:\Windows\System\tWboMxm.exe
  C:\Windows\System\tWboMxm.exe
  2⤵
  PID:1648
- C:\Windows\System\iDTJQaV.exe
  C:\Windows\System\iDTJQaV.exe
  2⤵
  PID:2004
- C:\Windows\System\MRTpZWZ.exe
  C:\Windows\System\MRTpZWZ.exe
  2⤵
  PID:2568
- C:\Windows\System\hlhhurG.exe
  C:\Windows\System\hlhhurG.exe
  2⤵
  PID:4832
- C:\Windows\System\tnVBDow.exe
  C:\Windows\System\tnVBDow.exe
  2⤵
  PID:14016
- C:\Windows\System\HZioVli.exe
  C:\Windows\System\HZioVli.exe
  2⤵
  PID:552
- C:\Windows\System\QbVYeQe.exe
  C:\Windows\System\QbVYeQe.exe
  2⤵
  PID:1876
- C:\Windows\System\pNIpuij.exe
  C:\Windows\System\pNIpuij.exe
  2⤵
  PID:4424
- C:\Windows\System\XQYmROH.exe
  C:\Windows\System\XQYmROH.exe
  2⤵
  PID:2080
- C:\Windows\System\qTCzyUK.exe
  C:\Windows\System\qTCzyUK.exe
  2⤵
  PID:940
- C:\Windows\System\vsVuuic.exe
  C:\Windows\System\vsVuuic.exe
  2⤵
  PID:3548
- C:\Windows\System\CPJvBhZ.exe
  C:\Windows\System\CPJvBhZ.exe
  2⤵
  PID:2260
- C:\Windows\System\hcsvgZf.exe
  C:\Windows\System\hcsvgZf.exe
  2⤵
  PID:4080
- C:\Windows\System\hISyiYX.exe
  C:\Windows\System\hISyiYX.exe
  2⤵
  PID:3084
- C:\Windows\System\OoPzRIA.exe
  C:\Windows\System\OoPzRIA.exe
  2⤵
  PID:4872
- C:\Windows\System\yXEoyKb.exe
  C:\Windows\System\yXEoyKb.exe
  2⤵
  PID:14356
- C:\Windows\System\rTzPRWm.exe
  C:\Windows\System\rTzPRWm.exe
  2⤵
  PID:14384
- C:\Windows\System\tprvulo.exe
  C:\Windows\System\tprvulo.exe
  2⤵
  PID:14412
- C:\Windows\System\ZOVFZYA.exe
  C:\Windows\System\ZOVFZYA.exe
  2⤵
  PID:14440
- C:\Windows\System\RDxGKHo.exe
  C:\Windows\System\RDxGKHo.exe
  2⤵
  PID:14468
- C:\Windows\System\Appkmaf.exe
  C:\Windows\System\Appkmaf.exe
  2⤵
  PID:14496
- C:\Windows\System\ElfXgDQ.exe
  C:\Windows\System\ElfXgDQ.exe
  2⤵
  PID:14524
- C:\Windows\System\aPwvKsc.exe
  C:\Windows\System\aPwvKsc.exe
  2⤵
  PID:14552
- C:\Windows\System\HJJDAxW.exe
  C:\Windows\System\HJJDAxW.exe
  2⤵
  PID:14580
- C:\Windows\System\wSePmWQ.exe
  C:\Windows\System\wSePmWQ.exe
  2⤵
  PID:14608
- C:\Windows\System\kVnMwXd.exe
  C:\Windows\System\kVnMwXd.exe
  2⤵
  PID:14636
- C:\Windows\System\UJQEPUn.exe
  C:\Windows\System\UJQEPUn.exe
  2⤵
  PID:14664
- C:\Windows\System\yBLDjOv.exe
  C:\Windows\System\yBLDjOv.exe
  2⤵
  PID:14692
- C:\Windows\System\EMFvpuG.exe
  C:\Windows\System\EMFvpuG.exe
  2⤵
  PID:14720
- C:\Windows\System\EMiAJsR.exe
  C:\Windows\System\EMiAJsR.exe
  2⤵
  PID:14748
- C:\Windows\System\NAyacQv.exe
  C:\Windows\System\NAyacQv.exe
  2⤵
  PID:14776
- C:\Windows\System\YqHqRXW.exe
  C:\Windows\System\YqHqRXW.exe
  2⤵
  PID:14804

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:15168
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:15324

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5228

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5368

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6728

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7372

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7764

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7724

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:10540

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:756

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3652

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4280

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3576

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10424

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3772

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11356

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14800

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6824

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8744

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5264

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13068

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9300

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9468

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9884

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9284

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3076

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13488

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14588

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4136

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6196

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4760

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14488

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14196

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7028

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2156

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2976

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8348

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6420

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6844

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8792

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8980

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8016

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10100

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7480

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11188

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5996

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14448

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TL6V2938\microsoft.windows[1].xml

Filesize
97B

MD5
5159d72145959cb18a43ea3fc2eae839

SHA1
f07321b18827ad81e531839dc7bd3c9bf5245a9a

SHA256
2b07a7e7e9edca0814591a799827909028c846ad531ffe4d1d84bcbe67e22104

SHA512
aae7652ff30a260d8c629760745893a42846d8db8f39406ac0b5360fe98aff571d911c87b2db9d929c04085876b5623b8e52cfd2ba758b92732bc978ddf87f53

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133827607041740352.txt

Filesize
75KB

MD5
42dde3b074456388ad212032bc91e94f

SHA1
2190c31fb020febcc50474d7892802f867c5f940

SHA256
5e56274db0c3891d84ff8ce437fcd770761baf2018a52c8ff282e88afe247c44

SHA512
2c2c4a58ab154ebf1e365e10b7f1a4b620b866d276428bcaa84da18472c913128b30f0509e9571ac413dce4882556a719fc0b8d97decf5121989b2ea393e2b64

Download Submit
C:\Windows\System\DtpxTWo.exe

Filesize
6.0MB

MD5
b3469d2edd94f0d5ae67cc0c4444de1c

SHA1
cdd260f31d46ade72557a1bf9d804da381db7b86

SHA256
60c4f0b36fca02ea01a3f26d6a427cb7d471b6d5e6fc3af586b8d2efeb92aa17

SHA512
d80063a846071c6cb3a696c1a51a3665617112ee6f84cf2b2ef7623a02d20e8ca8ee2ecc8f47d41c96de983c97fb8758cd183c7fac4f084fc2754ca1a53c02e6

Download Submit
C:\Windows\System\EznDYpL.exe

Filesize
6.0MB

MD5
fbeaf684bb25192de21cb624bd627f9a

SHA1
edb3a50a91e271cec774e38c7b634230b7899c43

SHA256
9e7b29b3a9a6e2eb428c7afb5ac103c1b2e2d02b3dede866c41521e5db88d112

SHA512
efa9a5964e82c835122b347970dd36a303491cb6df53c6d6986e597bd7e5d44387868c72311b54948801dde6a93846ccb325d5fb203349daa9930cbacf51f76c

Download Submit
C:\Windows\System\JDYtVCl.exe

Filesize
6.0MB

MD5
7bfdd539440dfe82ba7e1dbff5692312

SHA1
1675237235261d430b15e27c1bfba16baf00fab7

SHA256
ce1fd44d4256f3c65b01ea18b79db58f8d2ea2f3be680f0a08ddf8de99318f77

SHA512
5f8a02a2bcb95be51ae021b0f5d398f4da05ccf84b703da4631cc53420bb5a5a52c7e086c006dba0cc219be60b707cb6588db0dbe9f6d8e9d6980b994eef6cd0

Download Submit
C:\Windows\System\KIjYmYU.exe

Filesize
6.0MB

MD5
319f2a87944b7a595d994297f76ef239

SHA1
154bccb019911a0e92f34fc5e212a192bf879879

SHA256
6c44ee9bc3028279b7da20f0b5465b5c1ef8554db41a5596292f2f8e57be2448

SHA512
d30ebf72d6fdeb49416f25062ae58f898126d1068f80e5ecaa1a8b2f0631b3052c482733e7a4dc2d5c2da2b4ce8cdcf2d1ec465a85eebb819a63356e60942c1a

Download Submit
C:\Windows\System\KiHIpHR.exe

Filesize
6.0MB

MD5
f2b457c3a1a8d14488e14eba4ffdf2e2

SHA1
c5e1fd8d94ca5a85ce5014a32ef5a9be03bef7d0

SHA256
16cce00d5fd218e9f50bde884ba907b22364fcc0e7813ff8c34be818193b4ff7

SHA512
874a5fbe7363c387c147ebfbdeb5e9c0d1619c1a859dcacffdc6a217aaa7c544282a6562ae68fc5c177416364e0b441031b75d0d81843335da0babddfdd12028

Download Submit
C:\Windows\System\LJrUvaA.exe

Filesize
6.0MB

MD5
0a7b0182fb5e450706803732a9ebe6f2

SHA1
ca35e191607c7ff315075bcb5d360dd8a3d4e6ae

SHA256
75ea8c537397544a8fc877cf7e0fc0736f5eb77d3fb13a0c1262de28b1dcfe31

SHA512
a32379b7dd44e2186253a22b33250cf9409adf8fc2101f2cbdf8efc64aec4cad2ad0495460552081bb7e10344b77917e105adc7b3ea0f1176fe622f1b309a61e

Download Submit
C:\Windows\System\NoXfDlL.exe

Filesize
6.0MB

MD5
a2b291b943df82c0f5035b6b812d15f5

SHA1
f9c23647137f574ed29723c74b20564b191d1a83

SHA256
6516c5b97ffb5273a604afe9c1a9bca9d19058da6cbecb4dd72b84320f8b0282

SHA512
551e4a95129ce2acdddb26901d5023007387e9b0cfed284bc0e9bb145c02250c8d8b1c217dc3390c0f1de2eda3efa18e3494c8053b76b7dde17988019d4412fd

Download Submit
C:\Windows\System\NupiCVe.exe

Filesize
6.0MB

MD5
ae1dd3c3d31ea2513710dd3b97354752

SHA1
77d55c90655ccedd185c6199d962d4cf947e40a9

SHA256
7832387be5980f97a2df163d919b3dfe4b4769c4d89ef2a03f547ae479c25278

SHA512
435a720861948e6c1d907ff3d1bedab0716c458e4b9f1038db9e4bb0ef49171ae6cc8288ad3ca629583bb24f1d6f300bfa29a548789f7742cf012c2b08c2f3d8

Download Submit
C:\Windows\System\ONYKAam.exe

Filesize
6.0MB

MD5
169ce28f0252c0382fb07c6952056550

SHA1
8c33e19836beb906e69348f1386e065ef94fb3f4

SHA256
72e5cb18602d50f19a45aab50d70be9e5556dd2d6a783b79762dafef9285ba87

SHA512
0318c9d77e66dfe731848a0359a3dedf559ad07fe8b392060a806661a41b3f8b3868eb928b530e3029d62e9f87a0c4eea09f079a869a8079df95c1fc63677999

Download Submit
C:\Windows\System\PilcIjz.exe

Filesize
6.0MB

MD5
0a23dbe2f023f0ef2fa5857630b59750

SHA1
72b424fdef0e76972f9d99cc800b22174889ca04

SHA256
b63f5eef96b625eb06a933c02daf21012fddd596501089bf373ae3b4d9b6b531

SHA512
6abac400804221655d52e580bd8686c56b52c9985c999724a768b112180f778559097d5262dd2dd6eeebcdae01fbc5dfcc13c0d25d8e54f057b72cafcfb40bab

Download Submit
C:\Windows\System\QFkDddX.exe

Filesize
6.0MB

MD5
1196d85f8588034f1e7e82d20996533e

SHA1
523116c40fac1aa809503480f7a374dacf76a940

SHA256
3a27a76ae1ebebe7706cbb643210ba7f5630eafeb85ff01085dee21eedc21f6b

SHA512
25b408f1bc561f0a9a9faace8c95b8605ccffdbbbf85d06587759664fb38ca826d1ebd427fbc28d3f5f05986a6cdb3e1b894f20c87e40e7a51b35998b225e8ad

Download Submit
C:\Windows\System\QeadGRB.exe

Filesize
6.0MB

MD5
24f504fabb88baf25bfa698d82f618b1

SHA1
adfa4691d118d9f2cefb8ac748bbab3b3eb91381

SHA256
8abdc45dffc03ca089d66517209c3b509e47da38f7f73f26f583c28355fb914d

SHA512
01edb7f920164f2826c0d0827f7031e7b5640ae837a8dbdde6056f6dd179b370267439debd1f7b01e0a80b25c818234d77d26948896e22f68778e9e3e1545609

Download Submit
C:\Windows\System\QzaIXKw.exe

Filesize
6.0MB

MD5
405ff5ff498b27f88c066d537631af12

SHA1
0b389daa949f01075f23bc6ab48a18dfcd63c28a

SHA256
dc7a7bfea538e9d0525df3602fac70969c63256af53ddc19bd1e3882e064a3ae

SHA512
14495e0db50407f58ba37b88e3e7fe91f8babf0e68ef686b5713c7e385abe86cd0ffe38d5c06e069f1350b5c3d87ff88aae53d6caff3a5e0fe6100182ee80d26

Download Submit
C:\Windows\System\RBRAQqX.exe

Filesize
6.0MB

MD5
e0da63cb16810b7aec35e446987895ed

SHA1
187efcacbb5cbc725e69cfde7e59598df868eb8f

SHA256
3b04d05cb627e20de54c27e9a313459595fde3cea35bf7635909dbe0d6f7a995

SHA512
b469a2f890c1b570df0fb2ffdaf54540a30a434b4dbbea218434f83e4c35fcb00f64e3f5b37b2caf3426a75dfad3083289972c3b65000331a870a3764e9d0866

Download Submit
C:\Windows\System\SGKzZkH.exe

Filesize
6.0MB

MD5
dabb25e369560347b700ef7cdbab0c29

SHA1
f22ee6db8d5aed621ebb75e0b2bf63e2f6ea9424

SHA256
b84245534a2d5522cce995e56ffd02a79105d10394fd845b5b79c16e3245654c

SHA512
28e7d68f75f275c0abf44f753169171cb8790f87c7af5dd02e68f74bcf57026398ee71e109db6cd66a7e84d5420166a90b6e5b533767b83ab41359717be7d1a8

Download Submit
C:\Windows\System\SIGTwMG.exe

Filesize
6.0MB

MD5
8271b5a51f0c6831247801725a12e180

SHA1
a4c8bd8d05a70a80d94c4aa326dfabe8235d8caa

SHA256
6c5b1ec59b77cf6edc7a3c3d91ba886e5e368fce9cdf120365c26a433b051ea3

SHA512
223c4e95b004e6102f17c4517199766e0b34b329e333f657d9b335d06a827c8ae6f3fdd5b2fc17d92ad4ae6e4435edd458965df8b25c9f4c46910075143e1e8e

Download Submit
C:\Windows\System\TKYTEeP.exe

Filesize
6.0MB

MD5
03a76c57020413ccb87934460c134973

SHA1
fe7265fc3a2f27232191041c361d6f06de4c3011

SHA256
fa50f8dadc7583ba47ecedeacb21f9120b793a37446804e3706472a03ee9b7c9

SHA512
33b4b4181c3d40aec0f53dac7fcaacd0c4ef9a0ecdc8106eaccad52cb103b72e8e6e0b79b67dec4b13a8c117b15fbcf57c5d3e7dc4f7fdc7d8d0ce49322f8ebb

Download Submit
C:\Windows\System\XrlEKig.exe

Filesize
6.0MB

MD5
4b36574caef4759a8251622407c589a2

SHA1
51d2d727f07f8cea9d30cac17cdc57a81a9ab6df

SHA256
288ad309d06b99c359a783d97dd9f2ffb90600005b401471dd73bfdfa90b20c9

SHA512
999331fde577d386e075f87f6e65f56ccbe9205baab285d6d6e68c8b81ad50a08e899272b479d376d921eb47c89dc055c54f159bf81f59a2fb0995ecd32816b6

Download Submit
C:\Windows\System\YXfDknq.exe

Filesize
6.0MB

MD5
175caf1702debd07677d9e72036ff0a3

SHA1
2479b61dccae821c0324fcc6d760673262de8cb4

SHA256
0ed435df7bd6d9dd275887beb2fd957b6b43fe1272e986b90bffb2d0d137eb02

SHA512
53ec646621389e110b05f0e3842cd508ddd4ffb3095f4ba2c8e5291308631a0d020346cf5d0d5d69be3e81493d80756b42d87f2ff4aa9b7c9a20d01a86e6ff27

Download Submit
C:\Windows\System\bDOrzEP.exe

Filesize
6.0MB

MD5
3c01680bb0a76975ab4b9380b703a474

SHA1
6cc2befe41f5326806588c82df47cf32abe70117

SHA256
5905ebc48a00439020ef371174331d5b81557510a76de76477ca278ca789ec66

SHA512
c712520c981b8c2c8a89f7ea2acd2eb5bf4d28a8f932a4828be523e793158d7fb3168fd0af0b34037dc9096ac143199bbdcb1e02a926ceeb566238ec2860f5ca

Download Submit
C:\Windows\System\bPBoVXx.exe

Filesize
6.0MB

MD5
fe947c15ee49a2a81b540e74633eae54

SHA1
7bbc99189e13b4624c227afa2e1618c4465fc9c6

SHA256
287d574d7d7be7849f422d7469c161a39156895684435ad64ecc0362adfaf746

SHA512
c921754dc63bbec713b543715c08366df3373bde07cfcb530195aac8575bbd7b462b2fe3977b52fe4398ecc4cbec881599ce2bd7eec9612f097ab8cbbd027cd4

Download Submit
C:\Windows\System\fijAKUX.exe

Filesize
6.0MB

MD5
5feef185d00b1ad97ae04b15ccf55930

SHA1
1600c2bf95cebe9e1c3df9be30842b2e5dff6082

SHA256
a87cc2d120e1a3dba5159dc65cca79cfbd4f0c01d12bc4dc6d0a41f791dd2be4

SHA512
f66f907443b42047e75d1d17f55963720199a1f78c31b874fd85fab02288ac2fd6e76ec99dda6e7bac1800f826172db4343d6971e4586c1693a52921f2d71897

Download Submit
C:\Windows\System\hVUAXTz.exe

Filesize
6.0MB

MD5
e6040dd446233de594854e21df703b65

SHA1
15f5aac693d7c427ad554f1b7d5c186616ab036d

SHA256
7d2bf3d9ca3bc8458d7e6337bcccff2517beb574a215caf67f40df5359c7f229

SHA512
ff3965f71effc72eaab6ffe184f1ad25b4499d4584a3e38c8ecf3b968c9b886de3e983ccffafaaab08e9ca7e7ceb11a776dd31b1a36ad1e6e7fbb9ca17af1adf

Download Submit
C:\Windows\System\lvyRWYa.exe

Filesize
6.0MB

MD5
bd5f97cf14610803f24b699e52195966

SHA1
b8c5a4fa97a0638f3244acd6d1d79d7654c60791

SHA256
413235a26a521e15ef3f53f4d6f0f3d26c5151e720e7a7ead1f183f391882a17

SHA512
367b206ad49c6c46f8a521a99823ffbf5dcfc05c54c34f78b33415373fce49bc06aa70f06d34573fcc863736614b93afcaff0c2324c658fb0253844e632d9051

Download Submit
C:\Windows\System\nGsfEeV.exe

Filesize
6.0MB

MD5
c2b721e0b3e42f97412b9b7b5aa28aae

SHA1
f12b4c70586977fd2b8c1d0492cd8fb86d3874e6

SHA256
e58d99d677674d38d31090afcec323322f6a4b9d2f7df4801a9a677f3d71832a

SHA512
0ad1de30e6fff63866c21102d4e4b76e394f7ce47aac755e0b38f22529f840cbee8db576dc05734a2c6d11cf2c353bb033fc3abad9ebc0d57d9581653ad792bf

Download Submit
C:\Windows\System\nQyAEuj.exe

Filesize
6.0MB

MD5
eefcfd4d73823e4fdbd72039de963671

SHA1
854978725bc284be2e3a36d539e2f9f33663fab5

SHA256
ca0ba2fe96d9b71f47d328bc786a36c86df5c65a393302a3c20c6d106cdd6954

SHA512
c0951b1ee84ca583cfe82daa825915ea7a3a4e56eb5b09fb3def1e825edd90cbbb48db22515f18438b28883f7eb109f9330fc4bb97f45f18296021a4d0688c8f

Download Submit
C:\Windows\System\oENfJDM.exe

Filesize
6.0MB

MD5
7223e96b34342c13b792c7968fa49f0e

SHA1
0b555dc3dca0d821129f7a94baefd83a1fadcdfd

SHA256
efe3744f4b512c91cfcdfe65f1c7c4207390c5bddd21253761c95e091f09dce6

SHA512
8d09e88e762e65ceb34c9f01c3d2a62d5ad8c35068698841990ce4da5a4b1800456f390716fa1444fc63186b8376d0fbcb2a7d0d0d99c96bc48d4f55c4af65bb

Download Submit
C:\Windows\System\pqeqcUn.exe

Filesize
6.0MB

MD5
418f3ac934c96fa3addffd851044cb83

SHA1
ae9b10292f9255cee2124558056d78117afaf663

SHA256
fd5bb3433b69ff80b468e8bea63f59d5978246f0179fcd773c9a64301f14e7ae

SHA512
bd83c11efbe9fcec700749ca9abbf0a3e496f1f4b7e2c34fc696abd881d0e6ed143f1c2176f7eee3cf11c5e611dcaf22d87fe3858a9a79d52191fe4a8b491818

Download Submit
C:\Windows\System\qUYYHOo.exe

Filesize
6.0MB

MD5
fcd7297df714c54b60e971cbd2590378

SHA1
c2315bcb69a8c3246077047612890a1ce84d48ff

SHA256
dc5aac1bfea58a6c25105ae3a853c481e2f468c20a47df09f0548d256406cf50

SHA512
35a8ce353ee5917d0c8d4a32a3924a63b3a5f7c9c01318d37f71530b261c509019391705a036dcab78bda57f2d109ce88ae57b2162f6e3a631d002dd1b2e885c

Download Submit
C:\Windows\System\rFkYPrV.exe

Filesize
6.0MB

MD5
ad604776517be37cb4c7cda927dc22d0

SHA1
8c988ed0332c94e067dc42a5fb34fb7890f28b39

SHA256
076b1d772258da788d5bc5fc72552524ac476bbe5f2367e113e2ba44fd8a6245

SHA512
061dd895a5626723781340ea08c1ac44707fe4b754e38aeb12e29398bfd2043d4f4a3f801d1d6cd9a6c36cb63de26e65e88a0581e9ad02b5d7d8f74b58c84413

Download Submit
C:\Windows\System\sClAqEI.exe

Filesize
6.0MB

MD5
91d2b241407f5ed2e315220236bc7bce

SHA1
b3ba4c9a0657112a8289336ae0df7ec617064eba

SHA256
1a9b4a505b7b1ba8591e6d51d21057981bc9814bd74f60893a61a740ab534c27

SHA512
0b506f16179d8e4bfee48c1083d8061575873474a414ddcf0618405b09bbccb349063177bd670bf0f35be47529e06b52b0c7a47f114cf31b9b611732090c828b

Download Submit
C:\Windows\System\tadoUKj.exe

Filesize
6.0MB

MD5
666528124d66ca9e8ca263bd4fb86b3b

SHA1
11aff915ae253d373500dea4107d3c4fd8d5d7e3

SHA256
a7cc36092361c976b6ede0ba98fd7eb1b07e27d3ed23c60ff0710ca4fd870e22

SHA512
b362195ab4e8067c23f4d4ab031fd74cebdfe4cba5899aee253574d52612b15629d50892fe2b8d38dcff73928c47ad00cc816b2a65434d0baa0160fff74ef812

Download Submit
C:\Windows\System\wfBUYdY.exe

Filesize
6.0MB

MD5
345d093d3d88c1f359e07e9ab8d318fc

SHA1
d7218bf96161d14219e5ef5c7bceb6d0d4fbc053

SHA256
f71a07291bacd2b1d811b69553f17c7c4bae843db9d751ae3fe630b173c6bb01

SHA512
96b5411262a5036499e788863ba7a9cde0bf961916506daf16407b6de4c489caa1d8d93331760786d17d795786f9d091f90849cc7a6740f5e52f4acff5e3f3e3

Download Submit
memory/628-157-0x00007FF62E010000-0x00007FF62E364000-memory.dmp

Filesize
3.3MB

Download
memory/628-2088-0x00007FF62E010000-0x00007FF62E364000-memory.dmp

Filesize
3.3MB

Download
memory/720-283-0x00007FF783520000-0x00007FF783874000-memory.dmp

Filesize
3.3MB

Download
memory/720-2060-0x00007FF783520000-0x00007FF783874000-memory.dmp

Filesize
3.3MB

Download
memory/720-72-0x00007FF783520000-0x00007FF783874000-memory.dmp

Filesize
3.3MB

Download
memory/1600-180-0x00007FF758F20000-0x00007FF759274000-memory.dmp

Filesize
3.3MB

Download
memory/1600-63-0x00007FF758F20000-0x00007FF759274000-memory.dmp

Filesize
3.3MB

Download
memory/1600-1623-0x00007FF758F20000-0x00007FF759274000-memory.dmp

Filesize
3.3MB

Download
memory/1652-2148-0x00007FF6F5E70000-0x00007FF6F61C4000-memory.dmp

Filesize
3.3MB

Download
memory/1652-159-0x00007FF6F5E70000-0x00007FF6F61C4000-memory.dmp

Filesize
3.3MB

Download
memory/1716-2146-0x00007FF6FFC70000-0x00007FF6FFFC4000-memory.dmp

Filesize
3.3MB

Download
memory/1716-165-0x00007FF6FFC70000-0x00007FF6FFFC4000-memory.dmp

Filesize
3.3MB

Download
memory/1928-1605-0x00007FF73E1D0000-0x00007FF73E524000-memory.dmp

Filesize
3.3MB

Download
memory/1928-163-0x00007FF73E1D0000-0x00007FF73E524000-memory.dmp

Filesize
3.3MB

Download
memory/1928-56-0x00007FF73E1D0000-0x00007FF73E524000-memory.dmp

Filesize
3.3MB

Download
memory/2036-143-0x00007FF6235C0000-0x00007FF623914000-memory.dmp

Filesize
3.3MB

Download
memory/2036-540-0x00007FF6235C0000-0x00007FF623914000-memory.dmp

Filesize
3.3MB

Download
memory/2036-2081-0x00007FF6235C0000-0x00007FF623914000-memory.dmp

Filesize
3.3MB

Download
memory/2348-184-0x00007FF782E40000-0x00007FF783194000-memory.dmp

Filesize
3.3MB

Download
memory/2348-755-0x00007FF782E40000-0x00007FF783194000-memory.dmp

Filesize
3.3MB

Download
memory/2348-2206-0x00007FF782E40000-0x00007FF783194000-memory.dmp

Filesize
3.3MB

Download
memory/2360-2205-0x00007FF6E2300000-0x00007FF6E2654000-memory.dmp

Filesize
3.3MB

Download
memory/2360-191-0x00007FF6E2300000-0x00007FF6E2654000-memory.dmp

Filesize
3.3MB

Download
memory/2376-93-0x00007FF7168A0000-0x00007FF716BF4000-memory.dmp

Filesize
3.3MB

Download
memory/2376-473-0x00007FF7168A0000-0x00007FF716BF4000-memory.dmp

Filesize
3.3MB

Download
memory/2376-2074-0x00007FF7168A0000-0x00007FF716BF4000-memory.dmp

Filesize
3.3MB

Download
memory/2412-2085-0x00007FF73C690000-0x00007FF73C9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2412-148-0x00007FF73C690000-0x00007FF73C9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2500-161-0x00007FF630C00000-0x00007FF630F54000-memory.dmp

Filesize
3.3MB

Download
memory/2500-34-0x00007FF630C00000-0x00007FF630F54000-memory.dmp

Filesize
3.3MB

Download
memory/2500-1599-0x00007FF630C00000-0x00007FF630F54000-memory.dmp

Filesize
3.3MB

Download
memory/2612-183-0x00007FF7B0530000-0x00007FF7B0884000-memory.dmp

Filesize
3.3MB

Download
memory/2612-754-0x00007FF7B0530000-0x00007FF7B0884000-memory.dmp

Filesize
3.3MB

Download
memory/2612-2202-0x00007FF7B0530000-0x00007FF7B0884000-memory.dmp

Filesize
3.3MB

Download
memory/3136-2064-0x00007FF6CA6C0000-0x00007FF6CAA14000-memory.dmp

Filesize
3.3MB

Download
memory/3136-78-0x00007FF6CA6C0000-0x00007FF6CAA14000-memory.dmp

Filesize
3.3MB

Download
memory/3136-343-0x00007FF6CA6C0000-0x00007FF6CAA14000-memory.dmp

Filesize
3.3MB

Download
memory/3152-2072-0x00007FF6FEAF0000-0x00007FF6FEE44000-memory.dmp

Filesize
3.3MB

Download
memory/3152-404-0x00007FF6FEAF0000-0x00007FF6FEE44000-memory.dmp

Filesize
3.3MB

Download
memory/3152-84-0x00007FF6FEAF0000-0x00007FF6FEE44000-memory.dmp

Filesize
3.3MB

Download
memory/3216-58-0x00007FF786B30000-0x00007FF786E84000-memory.dmp

Filesize
3.3MB

Download
memory/3216-179-0x00007FF786B30000-0x00007FF786E84000-memory.dmp

Filesize
3.3MB

Download
memory/3216-1611-0x00007FF786B30000-0x00007FF786E84000-memory.dmp

Filesize
3.3MB

Download
memory/3352-68-0x00007FF7A7EE0000-0x00007FF7A8234000-memory.dmp

Filesize
3.3MB

Download
memory/3352-1610-0x00007FF7A7EE0000-0x00007FF7A8234000-memory.dmp

Filesize
3.3MB

Download
memory/3644-164-0x00007FF715BB0000-0x00007FF715F04000-memory.dmp

Filesize
3.3MB

Download
memory/3644-2079-0x00007FF715BB0000-0x00007FF715F04000-memory.dmp

Filesize
3.3MB

Download
memory/3656-1589-0x00007FF7A8FD0000-0x00007FF7A9324000-memory.dmp

Filesize
3.3MB

Download
memory/3656-99-0x00007FF7A8FD0000-0x00007FF7A9324000-memory.dmp

Filesize
3.3MB

Download
memory/3656-7-0x00007FF7A8FD0000-0x00007FF7A9324000-memory.dmp

Filesize
3.3MB

Download
memory/3704-1607-0x00007FF6DAFC0000-0x00007FF6DB314000-memory.dmp

Filesize
3.3MB

Download
memory/3704-67-0x00007FF6DAFC0000-0x00007FF6DB314000-memory.dmp

Filesize
3.3MB

Download
memory/3948-1606-0x00007FF68E6F0000-0x00007FF68EA44000-memory.dmp

Filesize
3.3MB

Download
memory/3948-45-0x00007FF68E6F0000-0x00007FF68EA44000-memory.dmp

Filesize
3.3MB

Download
memory/3948-162-0x00007FF68E6F0000-0x00007FF68EA44000-memory.dmp

Filesize
3.3MB

Download
memory/3992-160-0x00007FF771BF0000-0x00007FF771F44000-memory.dmp

Filesize
3.3MB

Download
memory/3992-2149-0x00007FF771BF0000-0x00007FF771F44000-memory.dmp

Filesize
3.3MB

Download
memory/4052-2086-0x00007FF7A80D0000-0x00007FF7A8424000-memory.dmp

Filesize
3.3MB

Download
memory/4052-149-0x00007FF7A80D0000-0x00007FF7A8424000-memory.dmp

Filesize
3.3MB

Download
memory/4240-101-0x00007FF7FB230000-0x00007FF7FB584000-memory.dmp

Filesize
3.3MB

Download
memory/4240-2076-0x00007FF7FB230000-0x00007FF7FB584000-memory.dmp

Filesize
3.3MB

Download
memory/4256-0-0x00007FF688420000-0x00007FF688774000-memory.dmp

Filesize
3.3MB

Download
memory/4256-89-0x00007FF688420000-0x00007FF688774000-memory.dmp

Filesize
3.3MB

Download
memory/4256-1-0x000002A3862B0000-0x000002A3862C0000-memory.dmp

Filesize
64KB

Download
memory/4460-158-0x00007FF6038B0000-0x00007FF603C04000-memory.dmp

Filesize
3.3MB

Download
memory/4460-2084-0x00007FF6038B0000-0x00007FF603C04000-memory.dmp

Filesize
3.3MB

Download
memory/4576-20-0x00007FF725C00000-0x00007FF725F54000-memory.dmp

Filesize
3.3MB

Download
memory/4576-105-0x00007FF725C00000-0x00007FF725F54000-memory.dmp

Filesize
3.3MB

Download
memory/4576-1598-0x00007FF725C00000-0x00007FF725F54000-memory.dmp

Filesize
3.3MB

Download
memory/4652-13-0x00007FF618440000-0x00007FF618794000-memory.dmp

Filesize
3.3MB

Download
memory/4652-103-0x00007FF618440000-0x00007FF618794000-memory.dmp

Filesize
3.3MB

Download
memory/4652-1595-0x00007FF618440000-0x00007FF618794000-memory.dmp

Filesize
3.3MB

Download
memory/4896-2087-0x00007FF65A550000-0x00007FF65A8A4000-memory.dmp

Filesize
3.3MB

Download
memory/4896-150-0x00007FF65A550000-0x00007FF65A8A4000-memory.dmp

Filesize
3.3MB

Download
memory/5048-66-0x00007FF687BD0000-0x00007FF687F24000-memory.dmp

Filesize
3.3MB

Download
memory/5048-1614-0x00007FF687BD0000-0x00007FF687F24000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads