cobaltstrike | 139694a74d60c4ebc25aeee3f2e1fd99a76d1387be7ce6d2a23ab6d76b507f59

Analysis

max time kernel
89s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

c91e2a072bc86484f6a5700577add5ac
SHA1

96c34d93f7adefb4947b8404388eeb58d4120dea
SHA256

139694a74d60c4ebc25aeee3f2e1fd99a76d1387be7ce6d2a23ab6d76b507f59
SHA512

b382ba1b5841a2771700176d443d8506dc77b04c0743b0ac93bad92065b8dd132f3fb962bda36b1685a33a686c3d380583b46d0d254cbad7caf2ca1e51dd7bee
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUZ:j+R56utgpPF8u/7Z

Score

10^/10

cobaltstrike xmrig 0 backdoor miner persistence trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 34 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023b2b-10.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b2a-15.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b2d-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b31-45.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b2f-48.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b32-52.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b33-66.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b34-80.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b37-96.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b38-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b36-90.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b35-85.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b30-57.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b2e-44.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b2c-24.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023b1e-6.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b28-101.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b39-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b3a-112.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b3b-118.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b3d-128.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b3c-129.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b3f-134.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b40-144.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b41-150.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b43-163.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b45-171.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b48-182.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b4a-196.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b46-190.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b49-183.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b47-181.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b44-178.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b42-161.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3676-0-0x00007FF6035D0000-0x00007FF60391D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b2b-10.dat	xmrig
behavioral2/files/0x000b000000023b2a-15.dat	xmrig
behavioral2/memory/4064-16-0x00007FF69C9C0000-0x00007FF69CD0D000-memory.dmp	xmrig
behavioral2/memory/1312-25-0x00007FF6B1830000-0x00007FF6B1B7D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b2d-33.dat	xmrig
behavioral2/files/0x000a000000023b31-45.dat	xmrig
behavioral2/files/0x000a000000023b2f-48.dat	xmrig
behavioral2/files/0x000a000000023b32-52.dat	xmrig
behavioral2/files/0x000a000000023b33-66.dat	xmrig
behavioral2/memory/1628-46-0x00007FF7D9640000-0x00007FF7D998D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b34-80.dat	xmrig
behavioral2/memory/2292-91-0x00007FF63EBB0000-0x00007FF63EEFD000-memory.dmp	xmrig
behavioral2/memory/4352-97-0x00007FF6E26B0000-0x00007FF6E29FD000-memory.dmp	xmrig
behavioral2/files/0x0031000000023b37-96.dat	xmrig
behavioral2/memory/4572-94-0x00007FF6BD910000-0x00007FF6BDC5D000-memory.dmp	xmrig
behavioral2/files/0x0031000000023b38-93.dat	xmrig
behavioral2/files/0x000a000000023b36-90.dat	xmrig
behavioral2/memory/1484-86-0x00007FF78DC30000-0x00007FF78DF7D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b35-85.dat	xmrig
behavioral2/memory/384-81-0x00007FF69C4E0000-0x00007FF69C82D000-memory.dmp	xmrig
behavioral2/memory/3512-67-0x00007FF73F220000-0x00007FF73F56D000-memory.dmp	xmrig
behavioral2/memory/1940-61-0x00007FF6711A0000-0x00007FF6714ED000-memory.dmp	xmrig
behavioral2/memory/1068-58-0x00007FF605CF0000-0x00007FF60603D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b30-57.dat	xmrig
behavioral2/memory/2684-55-0x00007FF74B4A0000-0x00007FF74B7ED000-memory.dmp	xmrig
behavioral2/memory/4336-50-0x00007FF686B60000-0x00007FF686EAD000-memory.dmp	xmrig
behavioral2/memory/1060-34-0x00007FF790430000-0x00007FF79077D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b2e-44.dat	xmrig
behavioral2/files/0x000a000000023b2c-24.dat	xmrig
behavioral2/memory/3584-21-0x00007FF7ED640000-0x00007FF7ED98D000-memory.dmp	xmrig
behavioral2/files/0x000e000000023b1e-6.dat	xmrig
behavioral2/memory/3260-7-0x00007FF7E6940000-0x00007FF7E6C8D000-memory.dmp	xmrig
behavioral2/files/0x000b000000023b28-101.dat	xmrig
behavioral2/memory/1556-103-0x00007FF6D58F0000-0x00007FF6D5C3D000-memory.dmp	xmrig
behavioral2/files/0x0031000000023b39-106.dat	xmrig
behavioral2/memory/1976-109-0x00007FF6E7FF0000-0x00007FF6E833D000-memory.dmp	xmrig
behavioral2/memory/664-115-0x00007FF78FEC0000-0x00007FF79020D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b3a-112.dat	xmrig
behavioral2/files/0x000a000000023b3b-118.dat	xmrig
behavioral2/memory/1156-121-0x00007FF746B30000-0x00007FF746E7D000-memory.dmp	xmrig
behavioral2/files/0x000b000000023b3d-128.dat	xmrig
behavioral2/files/0x000a000000023b3c-129.dat	xmrig
behavioral2/files/0x000b000000023b3f-134.dat	xmrig
behavioral2/memory/3840-138-0x00007FF66E4E0000-0x00007FF66E82D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b40-144.dat	xmrig
behavioral2/files/0x000a000000023b41-150.dat	xmrig
behavioral2/memory/2396-153-0x00007FF7901F0000-0x00007FF79053D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b43-163.dat	xmrig
behavioral2/files/0x000a000000023b45-171.dat	xmrig
behavioral2/files/0x000a000000023b48-182.dat	xmrig
behavioral2/files/0x000a000000023b4a-196.dat	xmrig
behavioral2/memory/3396-199-0x00007FF607910000-0x00007FF607C5D000-memory.dmp	xmrig
behavioral2/memory/3180-189-0x00007FF666A10000-0x00007FF666D5D000-memory.dmp	xmrig
behavioral2/memory/3252-191-0x00007FF7FEC30000-0x00007FF7FEF7D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b46-190.dat	xmrig
behavioral2/files/0x000a000000023b49-183.dat	xmrig
behavioral2/files/0x000a000000023b47-181.dat	xmrig
behavioral2/memory/1324-179-0x00007FF768EF0000-0x00007FF76923D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b44-178.dat	xmrig
behavioral2/memory/1980-175-0x00007FF784A40000-0x00007FF784D8D000-memory.dmp	xmrig
behavioral2/memory/4976-165-0x00007FF62FFF0000-0x00007FF63033D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b42-161.dat	xmrig
behavioral2/memory/2960-145-0x00007FF66BCE0000-0x00007FF66C02D000-memory.dmp	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
3260	TQwpbNk.exe
4064	rbocLcu.exe
3584	EwyXiUG.exe
1312	ybzgReO.exe
1060	pOvtsaV.exe
1628	wcmsoGt.exe
4336	qbpGoju.exe
1068	ZCklPyL.exe
2684	FnyEwNN.exe
1940	wnruLyy.exe
3512	cqsqgKh.exe
384	lHqyAyy.exe
1484	NTOMdpQ.exe
2292	XiAXmvu.exe
4352	QNOiqhk.exe
4572	JgjHCTS.exe
1556	xeAQOeV.exe
1976	AicGxCd.exe
664	eJOVPPs.exe
1156	kVhcuCi.exe
1584	WQNnfmL.exe
3748	luTkBKy.exe
3840	rBBcnbr.exe
2960	fclMRrF.exe
2396	AbTZtRX.exe
1980	MyUdeEb.exe
4976	hVUUBAB.exe
1324	QfYgMbZ.exe
3180	NuQlxrE.exe
4600	zaixoaZ.exe
3396	ugGuIve.exe
184	iQwwtgn.exe
3252	qdxEzfX.exe
4136	CjBxfkD.exe
4440	MnwqSTw.exe
4388	BqyQiyT.exe
3492	YCkuzfH.exe
1116	rxjpVPX.exe
4624	uaKexdk.exe
2500	LcVoZuT.exe
4348	OzELDBr.exe
1392	zQopFmN.exe
3688	VMhvMgU.exe
3952	TEyZSJC.exe
4056	zPYIOFl.exe
976	vFKJXLj.exe
4756	AvYHGjs.exe
4544	aKnkvDY.exe
4592	jqnoRiI.exe
916	NQOfiPc.exe
1784	dAnWNAB.exe
3408	PdUZVxq.exe
372	qoHjjOf.exe
1332	GvjlIpF.exe
3360	KrnyqSf.exe
4948	DlOrIUA.exe
2156	qznCUQs.exe
2336	DaoZsRv.exe
692	DWQmtzZ.exe
4672	CEaZidk.exe
2792	BUGSfII.exe
4364	VTXwKTa.exe
3712	xcgrteO.exe
4184	VOiRmtK.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\eJOVPPs.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XGsbwvo.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BQUuasl.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fFMICyo.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\acIhtca.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iGXwcaE.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RtWikZQ.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HHEHYEw.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ujcXrGO.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CicoVvk.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HAKAivC.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UqoEIip.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AkAqiHS.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GOzTpVo.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wnvybNd.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PsRQMvu.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BroKcZy.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DlwbNTA.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bkqxWME.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\naMVmVF.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vtEZxOn.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Qqljulu.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UmVODqo.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WynEArH.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wUUXlTU.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gDBZfXA.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZShsNno.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CuLcEDk.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VoTWoSn.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TSSEniM.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qygipFG.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uFJBIkl.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zqqdrSk.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rwudhkj.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FHIzAUz.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oPCDQNK.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SrYNGPZ.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DXyVZxf.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iZCGsoh.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iQwwtgn.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZLxKlRb.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xvKpyqP.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sUfPSJC.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tIdaaeB.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KbUqRJP.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\asSmTzB.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HMfhjse.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uXycaDO.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CmJjFpz.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RKOMIic.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JzmKTiE.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mvudoJa.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yPaWTon.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LgtJPxx.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MVZqhGa.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ItdMqcI.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WrjhXio.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yGFxSKY.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GuoNDqP.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZCklPyL.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YJPrJMR.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qFeeEjD.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dWpCLqG.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UpofWWB.exe	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1121399784-3202166597-3503557106-1000\{FE817410-E965-40DB-B27A-17A57A165B41}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1121399784-3202166597-3503557106-1000\{0D067F0C-3469-41DC-9E0E-3D0537D0C0DC}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1121399784-3202166597-3503557106-1000\{3F3EF62B-E189-4A53-A4B9-965C28B01504}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1121399784-3202166597-3503557106-1000\{3C6824C2-0AE2-4674-A265-C69BCD6303C6}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1121399784-3202166597-3503557106-1000\{68D4BA93-66E1-49C5-9DA3-4A92228A69A4}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	17396	explorer.exe
Token: SeCreatePagefilePrivilege	17396	explorer.exe
Token: SeShutdownPrivilege	17396	explorer.exe
Token: SeCreatePagefilePrivilege	17396	explorer.exe
Token: SeShutdownPrivilege	17396	explorer.exe
Token: SeCreatePagefilePrivilege	17396	explorer.exe
Token: SeShutdownPrivilege	17396	explorer.exe
Token: SeCreatePagefilePrivilege	17396	explorer.exe
Token: SeShutdownPrivilege	17396	explorer.exe
Token: SeCreatePagefilePrivilege	17396	explorer.exe
Token: SeShutdownPrivilege	17396	explorer.exe
Token: SeCreatePagefilePrivilege	17396	explorer.exe
Token: SeShutdownPrivilege	17396	explorer.exe
Token: SeCreatePagefilePrivilege	17396	explorer.exe
Token: SeShutdownPrivilege	17396	explorer.exe
Token: SeCreatePagefilePrivilege	17396	explorer.exe
Token: SeShutdownPrivilege	17396	explorer.exe
Token: SeCreatePagefilePrivilege	17396	explorer.exe
Token: SeShutdownPrivilege	17396	explorer.exe
Token: SeCreatePagefilePrivilege	17396	explorer.exe
Token: SeShutdownPrivilege	5324	explorer.exe
Token: SeCreatePagefilePrivilege	5324	explorer.exe
Token: SeShutdownPrivilege	5324	explorer.exe
Token: SeCreatePagefilePrivilege	5324	explorer.exe
Token: SeShutdownPrivilege	5324	explorer.exe
Token: SeCreatePagefilePrivilege	5324	explorer.exe
Token: SeShutdownPrivilege	5324	explorer.exe
Token: SeCreatePagefilePrivilege	5324	explorer.exe
Token: SeShutdownPrivilege	5324	explorer.exe
Token: SeCreatePagefilePrivilege	5324	explorer.exe
Token: SeShutdownPrivilege	5324	explorer.exe
Token: SeCreatePagefilePrivilege	5324	explorer.exe
Token: SeShutdownPrivilege	5324	explorer.exe
Token: SeCreatePagefilePrivilege	5324	explorer.exe
Token: SeShutdownPrivilege	5324	explorer.exe
Token: SeCreatePagefilePrivilege	5324	explorer.exe
Token: SeShutdownPrivilege	5324	explorer.exe
Token: SeCreatePagefilePrivilege	5324	explorer.exe
Token: SeShutdownPrivilege	5324	explorer.exe
Token: SeCreatePagefilePrivilege	5324	explorer.exe
Token: SeShutdownPrivilege	5324	explorer.exe
Token: SeCreatePagefilePrivilege	5324	explorer.exe
Token: SeShutdownPrivilege	5324	explorer.exe
Token: SeCreatePagefilePrivilege	5324	explorer.exe
Token: SeShutdownPrivilege	5324	explorer.exe
Token: SeCreatePagefilePrivilege	5324	explorer.exe
Token: SeShutdownPrivilege	5324	explorer.exe
Token: SeCreatePagefilePrivilege	5324	explorer.exe
Token: SeShutdownPrivilege	6984	explorer.exe
Token: SeCreatePagefilePrivilege	6984	explorer.exe
Token: SeShutdownPrivilege	6984	explorer.exe
Token: SeCreatePagefilePrivilege	6984	explorer.exe
Token: SeShutdownPrivilege	6984	explorer.exe
Token: SeCreatePagefilePrivilege	6984	explorer.exe
Token: SeShutdownPrivilege	6984	explorer.exe
Token: SeCreatePagefilePrivilege	6984	explorer.exe
Token: SeShutdownPrivilege	6984	explorer.exe
Token: SeCreatePagefilePrivilege	6984	explorer.exe
Token: SeShutdownPrivilege	6984	explorer.exe
Token: SeCreatePagefilePrivilege	6984	explorer.exe
Token: SeShutdownPrivilege	6984	explorer.exe
Token: SeCreatePagefilePrivilege	6984	explorer.exe
Token: SeShutdownPrivilege	6984	explorer.exe
Token: SeCreatePagefilePrivilege	6984	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
17236	sihost.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
17396	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
5324	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
6984	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
7816	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5232	StartMenuExperienceHost.exe
5976	StartMenuExperienceHost.exe
7332	StartMenuExperienceHost.exe
9184	StartMenuExperienceHost.exe
9128	SearchApp.exe
3316	StartMenuExperienceHost.exe
2520	SearchApp.exe
4164	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 3260	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3676 wrote to memory of 3260	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3676 wrote to memory of 4064	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3676 wrote to memory of 4064	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3676 wrote to memory of 3584	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3676 wrote to memory of 3584	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3676 wrote to memory of 1312	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3676 wrote to memory of 1312	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3676 wrote to memory of 1060	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3676 wrote to memory of 1060	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3676 wrote to memory of 1628	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3676 wrote to memory of 1628	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3676 wrote to memory of 4336	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3676 wrote to memory of 4336	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3676 wrote to memory of 1068	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3676 wrote to memory of 1068	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3676 wrote to memory of 2684	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3676 wrote to memory of 2684	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3676 wrote to memory of 1940	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3676 wrote to memory of 1940	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3676 wrote to memory of 3512	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3676 wrote to memory of 3512	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3676 wrote to memory of 384	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3676 wrote to memory of 384	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3676 wrote to memory of 1484	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3676 wrote to memory of 1484	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3676 wrote to memory of 2292	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3676 wrote to memory of 2292	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3676 wrote to memory of 4352	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3676 wrote to memory of 4352	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3676 wrote to memory of 4572	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3676 wrote to memory of 4572	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3676 wrote to memory of 1556	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3676 wrote to memory of 1556	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3676 wrote to memory of 1976	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3676 wrote to memory of 1976	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3676 wrote to memory of 664	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3676 wrote to memory of 664	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3676 wrote to memory of 1156	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3676 wrote to memory of 1156	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3676 wrote to memory of 1584	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3676 wrote to memory of 1584	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3676 wrote to memory of 3748	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3676 wrote to memory of 3748	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3676 wrote to memory of 3840	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 3676 wrote to memory of 3840	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 3676 wrote to memory of 2960	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 3676 wrote to memory of 2960	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 3676 wrote to memory of 2396	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 3676 wrote to memory of 2396	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 3676 wrote to memory of 1980	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 3676 wrote to memory of 1980	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 3676 wrote to memory of 4976	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 3676 wrote to memory of 4976	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 3676 wrote to memory of 1324	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 3676 wrote to memory of 1324	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 3676 wrote to memory of 3180	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 3676 wrote to memory of 3180	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 3676 wrote to memory of 3252	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 3676 wrote to memory of 3252	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 3676 wrote to memory of 4600	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	117
PID 3676 wrote to memory of 4600	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	117
PID 3676 wrote to memory of 3396	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	118
PID 3676 wrote to memory of 3396	3676	2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe	118

C:\Users\Admin\AppData\Local\Temp\2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-31_c91e2a072bc86484f6a5700577add5ac_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\System\TQwpbNk.exe
  C:\Windows\System\TQwpbNk.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System\rbocLcu.exe
  C:\Windows\System\rbocLcu.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\EwyXiUG.exe
  C:\Windows\System\EwyXiUG.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System\ybzgReO.exe
  C:\Windows\System\ybzgReO.exe
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\System\pOvtsaV.exe
  C:\Windows\System\pOvtsaV.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\wcmsoGt.exe
  C:\Windows\System\wcmsoGt.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\qbpGoju.exe
  C:\Windows\System\qbpGoju.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\ZCklPyL.exe
  C:\Windows\System\ZCklPyL.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\FnyEwNN.exe
  C:\Windows\System\FnyEwNN.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\wnruLyy.exe
  C:\Windows\System\wnruLyy.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\cqsqgKh.exe
  C:\Windows\System\cqsqgKh.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\lHqyAyy.exe
  C:\Windows\System\lHqyAyy.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\NTOMdpQ.exe
  C:\Windows\System\NTOMdpQ.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\XiAXmvu.exe
  C:\Windows\System\XiAXmvu.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\QNOiqhk.exe
  C:\Windows\System\QNOiqhk.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\JgjHCTS.exe
  C:\Windows\System\JgjHCTS.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\xeAQOeV.exe
  C:\Windows\System\xeAQOeV.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System\AicGxCd.exe
  C:\Windows\System\AicGxCd.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\eJOVPPs.exe
  C:\Windows\System\eJOVPPs.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System\kVhcuCi.exe
  C:\Windows\System\kVhcuCi.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\WQNnfmL.exe
  C:\Windows\System\WQNnfmL.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\luTkBKy.exe
  C:\Windows\System\luTkBKy.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\rBBcnbr.exe
  C:\Windows\System\rBBcnbr.exe
  2⤵
  - Executes dropped EXE
  PID:3840
- C:\Windows\System\fclMRrF.exe
  C:\Windows\System\fclMRrF.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\AbTZtRX.exe
  C:\Windows\System\AbTZtRX.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\MyUdeEb.exe
  C:\Windows\System\MyUdeEb.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\hVUUBAB.exe
  C:\Windows\System\hVUUBAB.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\QfYgMbZ.exe
  C:\Windows\System\QfYgMbZ.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\NuQlxrE.exe
  C:\Windows\System\NuQlxrE.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\qdxEzfX.exe
  C:\Windows\System\qdxEzfX.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System\zaixoaZ.exe
  C:\Windows\System\zaixoaZ.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\ugGuIve.exe
  C:\Windows\System\ugGuIve.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System\iQwwtgn.exe
  C:\Windows\System\iQwwtgn.exe
  2⤵
  - Executes dropped EXE
  PID:184
- C:\Windows\System\CjBxfkD.exe
  C:\Windows\System\CjBxfkD.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System\MnwqSTw.exe
  C:\Windows\System\MnwqSTw.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\BqyQiyT.exe
  C:\Windows\System\BqyQiyT.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\YCkuzfH.exe
  C:\Windows\System\YCkuzfH.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System\rxjpVPX.exe
  C:\Windows\System\rxjpVPX.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\uaKexdk.exe
  C:\Windows\System\uaKexdk.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\LcVoZuT.exe
  C:\Windows\System\LcVoZuT.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\OzELDBr.exe
  C:\Windows\System\OzELDBr.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System\zQopFmN.exe
  C:\Windows\System\zQopFmN.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\VMhvMgU.exe
  C:\Windows\System\VMhvMgU.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\TEyZSJC.exe
  C:\Windows\System\TEyZSJC.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\zPYIOFl.exe
  C:\Windows\System\zPYIOFl.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\vFKJXLj.exe
  C:\Windows\System\vFKJXLj.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System\AvYHGjs.exe
  C:\Windows\System\AvYHGjs.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\aKnkvDY.exe
  C:\Windows\System\aKnkvDY.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\jqnoRiI.exe
  C:\Windows\System\jqnoRiI.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\NQOfiPc.exe
  C:\Windows\System\NQOfiPc.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System\dAnWNAB.exe
  C:\Windows\System\dAnWNAB.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\System\PdUZVxq.exe
  C:\Windows\System\PdUZVxq.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System\qoHjjOf.exe
  C:\Windows\System\qoHjjOf.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System\GvjlIpF.exe
  C:\Windows\System\GvjlIpF.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System\KrnyqSf.exe
  C:\Windows\System\KrnyqSf.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System\DlOrIUA.exe
  C:\Windows\System\DlOrIUA.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\qznCUQs.exe
  C:\Windows\System\qznCUQs.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\DaoZsRv.exe
  C:\Windows\System\DaoZsRv.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\DWQmtzZ.exe
  C:\Windows\System\DWQmtzZ.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System\CEaZidk.exe
  C:\Windows\System\CEaZidk.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\BUGSfII.exe
  C:\Windows\System\BUGSfII.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\VTXwKTa.exe
  C:\Windows\System\VTXwKTa.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\xcgrteO.exe
  C:\Windows\System\xcgrteO.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System\VOiRmtK.exe
  C:\Windows\System\VOiRmtK.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System\ZNHSvgo.exe
  C:\Windows\System\ZNHSvgo.exe
  2⤵
  PID:4492
- C:\Windows\System\NYikedh.exe
  C:\Windows\System\NYikedh.exe
  2⤵
  PID:4732
- C:\Windows\System\YoOAmhL.exe
  C:\Windows\System\YoOAmhL.exe
  2⤵
  PID:4384
- C:\Windows\System\DVoevQQ.exe
  C:\Windows\System\DVoevQQ.exe
  2⤵
  PID:1788
- C:\Windows\System\mHPitSa.exe
  C:\Windows\System\mHPitSa.exe
  2⤵
  PID:3544
- C:\Windows\System\dkDnfxx.exe
  C:\Windows\System\dkDnfxx.exe
  2⤵
  PID:4856
- C:\Windows\System\wOnmiMg.exe
  C:\Windows\System\wOnmiMg.exe
  2⤵
  PID:2424
- C:\Windows\System\cSmTYnv.exe
  C:\Windows\System\cSmTYnv.exe
  2⤵
  PID:4552
- C:\Windows\System\ipESbMh.exe
  C:\Windows\System\ipESbMh.exe
  2⤵
  PID:4160
- C:\Windows\System\MEwjDOK.exe
  C:\Windows\System\MEwjDOK.exe
  2⤵
  PID:3740
- C:\Windows\System\mDYeuXL.exe
  C:\Windows\System\mDYeuXL.exe
  2⤵
  PID:4112
- C:\Windows\System\GVtaPZD.exe
  C:\Windows\System\GVtaPZD.exe
  2⤵
  PID:1168
- C:\Windows\System\aJZrHQg.exe
  C:\Windows\System\aJZrHQg.exe
  2⤵
  PID:3444
- C:\Windows\System\yzWOqpE.exe
  C:\Windows\System\yzWOqpE.exe
  2⤵
  PID:3412
- C:\Windows\System\AIBQsQJ.exe
  C:\Windows\System\AIBQsQJ.exe
  2⤵
  PID:4200
- C:\Windows\System\kPmFluN.exe
  C:\Windows\System\kPmFluN.exe
  2⤵
  PID:1808
- C:\Windows\System\KVlRfvN.exe
  C:\Windows\System\KVlRfvN.exe
  2⤵
  PID:2020
- C:\Windows\System\MpVOgzX.exe
  C:\Windows\System\MpVOgzX.exe
  2⤵
  PID:3524
- C:\Windows\System\eWJUVdW.exe
  C:\Windows\System\eWJUVdW.exe
  2⤵
  PID:4332
- C:\Windows\System\vgiHfAS.exe
  C:\Windows\System\vgiHfAS.exe
  2⤵
  PID:5028
- C:\Windows\System\DrFnDQO.exe
  C:\Windows\System\DrFnDQO.exe
  2⤵
  PID:3236
- C:\Windows\System\xwlrRLi.exe
  C:\Windows\System\xwlrRLi.exe
  2⤵
  PID:1956
- C:\Windows\System\ljuUzjy.exe
  C:\Windows\System\ljuUzjy.exe
  2⤵
  PID:4840
- C:\Windows\System\USSdSnY.exe
  C:\Windows\System\USSdSnY.exe
  2⤵
  PID:436
- C:\Windows\System\yIfQfXD.exe
  C:\Windows\System\yIfQfXD.exe
  2⤵
  PID:3928
- C:\Windows\System\veWDgUX.exe
  C:\Windows\System\veWDgUX.exe
  2⤵
  PID:4472
- C:\Windows\System\OWkEkFa.exe
  C:\Windows\System\OWkEkFa.exe
  2⤵
  PID:3088
- C:\Windows\System\cTaJaqn.exe
  C:\Windows\System\cTaJaqn.exe
  2⤵
  PID:220
- C:\Windows\System\YOSzHRP.exe
  C:\Windows\System\YOSzHRP.exe
  2⤵
  PID:1992
- C:\Windows\System\dBuzlEK.exe
  C:\Windows\System\dBuzlEK.exe
  2⤵
  PID:3240
- C:\Windows\System\mzSzcQS.exe
  C:\Windows\System\mzSzcQS.exe
  2⤵
  PID:5152
- C:\Windows\System\XFIauxa.exe
  C:\Windows\System\XFIauxa.exe
  2⤵
  PID:5184
- C:\Windows\System\NTYvyGB.exe
  C:\Windows\System\NTYvyGB.exe
  2⤵
  PID:5216
- C:\Windows\System\FHxfYJJ.exe
  C:\Windows\System\FHxfYJJ.exe
  2⤵
  PID:5252
- C:\Windows\System\tzflhdE.exe
  C:\Windows\System\tzflhdE.exe
  2⤵
  PID:5280
- C:\Windows\System\XGsbwvo.exe
  C:\Windows\System\XGsbwvo.exe
  2⤵
  PID:5312
- C:\Windows\System\UxBrlFB.exe
  C:\Windows\System\UxBrlFB.exe
  2⤵
  PID:5348
- C:\Windows\System\IzgwZtR.exe
  C:\Windows\System\IzgwZtR.exe
  2⤵
  PID:5380
- C:\Windows\System\TWsIPnK.exe
  C:\Windows\System\TWsIPnK.exe
  2⤵
  PID:5412
- C:\Windows\System\sPcrDYj.exe
  C:\Windows\System\sPcrDYj.exe
  2⤵
  PID:5444
- C:\Windows\System\iqBoNJX.exe
  C:\Windows\System\iqBoNJX.exe
  2⤵
  PID:5472
- C:\Windows\System\fmhSKhq.exe
  C:\Windows\System\fmhSKhq.exe
  2⤵
  PID:5508
- C:\Windows\System\CfNmLTK.exe
  C:\Windows\System\CfNmLTK.exe
  2⤵
  PID:5540
- C:\Windows\System\NGwspiD.exe
  C:\Windows\System\NGwspiD.exe
  2⤵
  PID:5572
- C:\Windows\System\yFJUWAh.exe
  C:\Windows\System\yFJUWAh.exe
  2⤵
  PID:5600
- C:\Windows\System\sSEyvFW.exe
  C:\Windows\System\sSEyvFW.exe
  2⤵
  PID:5632
- C:\Windows\System\QEYmqRK.exe
  C:\Windows\System\QEYmqRK.exe
  2⤵
  PID:5664
- C:\Windows\System\VuhBjQE.exe
  C:\Windows\System\VuhBjQE.exe
  2⤵
  PID:5700
- C:\Windows\System\JTxGwfi.exe
  C:\Windows\System\JTxGwfi.exe
  2⤵
  PID:5732
- C:\Windows\System\ufKNbbF.exe
  C:\Windows\System\ufKNbbF.exe
  2⤵
  PID:5764
- C:\Windows\System\lwQLjaa.exe
  C:\Windows\System\lwQLjaa.exe
  2⤵
  PID:5800
- C:\Windows\System\qyCiLrU.exe
  C:\Windows\System\qyCiLrU.exe
  2⤵
  PID:5832
- C:\Windows\System\CxGPkGb.exe
  C:\Windows\System\CxGPkGb.exe
  2⤵
  PID:5856
- C:\Windows\System\fTiVlpr.exe
  C:\Windows\System\fTiVlpr.exe
  2⤵
  PID:5892
- C:\Windows\System\nuyBKDW.exe
  C:\Windows\System\nuyBKDW.exe
  2⤵
  PID:5936
- C:\Windows\System\KSlODYJ.exe
  C:\Windows\System\KSlODYJ.exe
  2⤵
  PID:5956
- C:\Windows\System\TRmrRIx.exe
  C:\Windows\System\TRmrRIx.exe
  2⤵
  PID:5992
- C:\Windows\System\CPKTqnk.exe
  C:\Windows\System\CPKTqnk.exe
  2⤵
  PID:6024
- C:\Windows\System\ztZqoyb.exe
  C:\Windows\System\ztZqoyb.exe
  2⤵
  PID:6052
- C:\Windows\System\lpvcklW.exe
  C:\Windows\System\lpvcklW.exe
  2⤵
  PID:6080
- C:\Windows\System\SIzywiO.exe
  C:\Windows\System\SIzywiO.exe
  2⤵
  PID:6112
- C:\Windows\System\LLbyxKN.exe
  C:\Windows\System\LLbyxKN.exe
  2⤵
  PID:5132
- C:\Windows\System\NTxNznc.exe
  C:\Windows\System\NTxNznc.exe
  2⤵
  PID:5204
- C:\Windows\System\wMEtRpD.exe
  C:\Windows\System\wMEtRpD.exe
  2⤵
  PID:5268
- C:\Windows\System\MWUWiCg.exe
  C:\Windows\System\MWUWiCg.exe
  2⤵
  PID:5332
- C:\Windows\System\yzUwOQL.exe
  C:\Windows\System\yzUwOQL.exe
  2⤵
  PID:5396
- C:\Windows\System\fHHJMjK.exe
  C:\Windows\System\fHHJMjK.exe
  2⤵
  PID:5460
- C:\Windows\System\JkImfYi.exe
  C:\Windows\System\JkImfYi.exe
  2⤵
  PID:5524
- C:\Windows\System\pfgnzSB.exe
  C:\Windows\System\pfgnzSB.exe
  2⤵
  PID:5584
- C:\Windows\System\OESgoCl.exe
  C:\Windows\System\OESgoCl.exe
  2⤵
  PID:5640
- C:\Windows\System\ECgHjPz.exe
  C:\Windows\System\ECgHjPz.exe
  2⤵
  PID:5712
- C:\Windows\System\bEXbZAi.exe
  C:\Windows\System\bEXbZAi.exe
  2⤵
  PID:5776
- C:\Windows\System\lUfigxJ.exe
  C:\Windows\System\lUfigxJ.exe
  2⤵
  PID:5840
- C:\Windows\System\ATywByM.exe
  C:\Windows\System\ATywByM.exe
  2⤵
  PID:5904
- C:\Windows\System\acIhtca.exe
  C:\Windows\System\acIhtca.exe
  2⤵
  PID:5964
- C:\Windows\System\nrOLODJ.exe
  C:\Windows\System\nrOLODJ.exe
  2⤵
  PID:6036
- C:\Windows\System\XaYRlXz.exe
  C:\Windows\System\XaYRlXz.exe
  2⤵
  PID:6092
- C:\Windows\System\aUTuxhP.exe
  C:\Windows\System\aUTuxhP.exe
  2⤵
  PID:5160
- C:\Windows\System\tMGoexB.exe
  C:\Windows\System\tMGoexB.exe
  2⤵
  PID:5292
- C:\Windows\System\DdBKKyF.exe
  C:\Windows\System\DdBKKyF.exe
  2⤵
  PID:5424
- C:\Windows\System\lQfUkjN.exe
  C:\Windows\System\lQfUkjN.exe
  2⤵
  PID:5496
- C:\Windows\System\qzXeYwD.exe
  C:\Windows\System\qzXeYwD.exe
  2⤵
  PID:5672
- C:\Windows\System\YJPrJMR.exe
  C:\Windows\System\YJPrJMR.exe
  2⤵
  PID:5788
- C:\Windows\System\ujtlnVG.exe
  C:\Windows\System\ujtlnVG.exe
  2⤵
  PID:5884
- C:\Windows\System\jtkPUXa.exe
  C:\Windows\System\jtkPUXa.exe
  2⤵
  PID:6008
- C:\Windows\System\iSeXgLq.exe
  C:\Windows\System\iSeXgLq.exe
  2⤵
  PID:6124
- C:\Windows\System\dWpCLqG.exe
  C:\Windows\System\dWpCLqG.exe
  2⤵
  PID:5480
- C:\Windows\System\hzAOHgN.exe
  C:\Windows\System\hzAOHgN.exe
  2⤵
  PID:5608
- C:\Windows\System\RmhcbpI.exe
  C:\Windows\System\RmhcbpI.exe
  2⤵
  PID:5852
- C:\Windows\System\BVpcTox.exe
  C:\Windows\System\BVpcTox.exe
  2⤵
  PID:5224
- C:\Windows\System\dulURzV.exe
  C:\Windows\System\dulURzV.exe
  2⤵
  PID:5556
- C:\Windows\System\JJqfLke.exe
  C:\Windows\System\JJqfLke.exe
  2⤵
  PID:5304
- C:\Windows\System\bOtdxMt.exe
  C:\Windows\System\bOtdxMt.exe
  2⤵
  PID:5432
- C:\Windows\System\ZNFPTUm.exe
  C:\Windows\System\ZNFPTUm.exe
  2⤵
  PID:5812
- C:\Windows\System\idNiDQS.exe
  C:\Windows\System\idNiDQS.exe
  2⤵
  PID:6180
- C:\Windows\System\OUaGqew.exe
  C:\Windows\System\OUaGqew.exe
  2⤵
  PID:6212
- C:\Windows\System\FmmzzrT.exe
  C:\Windows\System\FmmzzrT.exe
  2⤵
  PID:6256
- C:\Windows\System\nBpwXga.exe
  C:\Windows\System\nBpwXga.exe
  2⤵
  PID:6276
- C:\Windows\System\FxVYeTO.exe
  C:\Windows\System\FxVYeTO.exe
  2⤵
  PID:6312
- C:\Windows\System\FvMfSHI.exe
  C:\Windows\System\FvMfSHI.exe
  2⤵
  PID:6344
- C:\Windows\System\LOFMPEl.exe
  C:\Windows\System\LOFMPEl.exe
  2⤵
  PID:6376
- C:\Windows\System\zKUewJw.exe
  C:\Windows\System\zKUewJw.exe
  2⤵
  PID:6404
- C:\Windows\System\JavYYAp.exe
  C:\Windows\System\JavYYAp.exe
  2⤵
  PID:6440
- C:\Windows\System\scsJvKA.exe
  C:\Windows\System\scsJvKA.exe
  2⤵
  PID:6472
- C:\Windows\System\vNvbmQD.exe
  C:\Windows\System\vNvbmQD.exe
  2⤵
  PID:6516
- C:\Windows\System\mXfqQDF.exe
  C:\Windows\System\mXfqQDF.exe
  2⤵
  PID:6540
- C:\Windows\System\qdRVazH.exe
  C:\Windows\System\qdRVazH.exe
  2⤵
  PID:6572
- C:\Windows\System\VUUUjZV.exe
  C:\Windows\System\VUUUjZV.exe
  2⤵
  PID:6596
- C:\Windows\System\QxKgHcm.exe
  C:\Windows\System\QxKgHcm.exe
  2⤵
  PID:6628
- C:\Windows\System\TzTJxvV.exe
  C:\Windows\System\TzTJxvV.exe
  2⤵
  PID:6668
- C:\Windows\System\mXeSVup.exe
  C:\Windows\System\mXeSVup.exe
  2⤵
  PID:6700
- C:\Windows\System\ztEqwOV.exe
  C:\Windows\System\ztEqwOV.exe
  2⤵
  PID:6732
- C:\Windows\System\MlMtPnw.exe
  C:\Windows\System\MlMtPnw.exe
  2⤵
  PID:6764
- C:\Windows\System\ukCfmlk.exe
  C:\Windows\System\ukCfmlk.exe
  2⤵
  PID:6796
- C:\Windows\System\hnMEpOU.exe
  C:\Windows\System\hnMEpOU.exe
  2⤵
  PID:6824
- C:\Windows\System\evCMRre.exe
  C:\Windows\System\evCMRre.exe
  2⤵
  PID:6860
- C:\Windows\System\qEWXCPo.exe
  C:\Windows\System\qEWXCPo.exe
  2⤵
  PID:6900
- C:\Windows\System\BQUuasl.exe
  C:\Windows\System\BQUuasl.exe
  2⤵
  PID:6924
- C:\Windows\System\KRlBuUK.exe
  C:\Windows\System\KRlBuUK.exe
  2⤵
  PID:6956
- C:\Windows\System\UKxdfJp.exe
  C:\Windows\System\UKxdfJp.exe
  2⤵
  PID:6988
- C:\Windows\System\sPbGJee.exe
  C:\Windows\System\sPbGJee.exe
  2⤵
  PID:7016
- C:\Windows\System\YkVwKGz.exe
  C:\Windows\System\YkVwKGz.exe
  2⤵
  PID:7052
- C:\Windows\System\uSuGdeb.exe
  C:\Windows\System\uSuGdeb.exe
  2⤵
  PID:7080
- C:\Windows\System\VvKdYwV.exe
  C:\Windows\System\VvKdYwV.exe
  2⤵
  PID:7116
- C:\Windows\System\KbUqRJP.exe
  C:\Windows\System\KbUqRJP.exe
  2⤵
  PID:7140
- C:\Windows\System\KPBFWbZ.exe
  C:\Windows\System\KPBFWbZ.exe
  2⤵
  PID:6156
- C:\Windows\System\toZpAyv.exe
  C:\Windows\System\toZpAyv.exe
  2⤵
  PID:4028
- C:\Windows\System\jYGtipq.exe
  C:\Windows\System\jYGtipq.exe
  2⤵
  PID:3796
- C:\Windows\System\EDUmYWJ.exe
  C:\Windows\System\EDUmYWJ.exe
  2⤵
  PID:4236
- C:\Windows\System\WVuoDSa.exe
  C:\Windows\System\WVuoDSa.exe
  2⤵
  PID:4252
- C:\Windows\System\AETerlL.exe
  C:\Windows\System\AETerlL.exe
  2⤵
  PID:2632
- C:\Windows\System\AvBPfTt.exe
  C:\Windows\System\AvBPfTt.exe
  2⤵
  PID:6324
- C:\Windows\System\wGxzGna.exe
  C:\Windows\System\wGxzGna.exe
  2⤵
  PID:6384
- C:\Windows\System\xZzqVaV.exe
  C:\Windows\System\xZzqVaV.exe
  2⤵
  PID:6448
- C:\Windows\System\QHiKUZq.exe
  C:\Windows\System\QHiKUZq.exe
  2⤵
  PID:6492
- C:\Windows\System\xgRYjvG.exe
  C:\Windows\System\xgRYjvG.exe
  2⤵
  PID:6584
- C:\Windows\System\YYFjZlV.exe
  C:\Windows\System\YYFjZlV.exe
  2⤵
  PID:6644
- C:\Windows\System\KtYQEjV.exe
  C:\Windows\System\KtYQEjV.exe
  2⤵
  PID:6712
- C:\Windows\System\CicoVvk.exe
  C:\Windows\System\CicoVvk.exe
  2⤵
  PID:6776
- C:\Windows\System\JiufcLj.exe
  C:\Windows\System\JiufcLj.exe
  2⤵
  PID:6836
- C:\Windows\System\rtjqBLA.exe
  C:\Windows\System\rtjqBLA.exe
  2⤵
  PID:6912
- C:\Windows\System\zNpYHoa.exe
  C:\Windows\System\zNpYHoa.exe
  2⤵
  PID:6972
- C:\Windows\System\LgtJPxx.exe
  C:\Windows\System\LgtJPxx.exe
  2⤵
  PID:7028
- C:\Windows\System\dZoqAGQ.exe
  C:\Windows\System\dZoqAGQ.exe
  2⤵
  PID:7088
- C:\Windows\System\UIUQMGt.exe
  C:\Windows\System\UIUQMGt.exe
  2⤵
  PID:7156
- C:\Windows\System\kQVhxix.exe
  C:\Windows\System\kQVhxix.exe
  2⤵
  PID:3328
- C:\Windows\System\tHaBKMH.exe
  C:\Windows\System\tHaBKMH.exe
  2⤵
  PID:4464
- C:\Windows\System\XGFvWZH.exe
  C:\Windows\System\XGFvWZH.exe
  2⤵
  PID:6288
- C:\Windows\System\HtgqHix.exe
  C:\Windows\System\HtgqHix.exe
  2⤵
  PID:6412
- C:\Windows\System\oBRJLdy.exe
  C:\Windows\System\oBRJLdy.exe
  2⤵
  PID:6528
- C:\Windows\System\CqyJqwO.exe
  C:\Windows\System\CqyJqwO.exe
  2⤵
  PID:6676
- C:\Windows\System\giNaChX.exe
  C:\Windows\System\giNaChX.exe
  2⤵
  PID:6816
- C:\Windows\System\tJtZPAh.exe
  C:\Windows\System\tJtZPAh.exe
  2⤵
  PID:6936
- C:\Windows\System\ibMFHZd.exe
  C:\Windows\System\ibMFHZd.exe
  2⤵
  PID:7060
- C:\Windows\System\gEuQKpX.exe
  C:\Windows\System\gEuQKpX.exe
  2⤵
  PID:6188
- C:\Windows\System\gboWkUt.exe
  C:\Windows\System\gboWkUt.exe
  2⤵
  PID:6228
- C:\Windows\System\wUUXlTU.exe
  C:\Windows\System\wUUXlTU.exe
  2⤵
  PID:6428
- C:\Windows\System\TKqVoeS.exe
  C:\Windows\System\TKqVoeS.exe
  2⤵
  PID:6708
- C:\Windows\System\PgRCeym.exe
  C:\Windows\System\PgRCeym.exe
  2⤵
  PID:6996
- C:\Windows\System\xCACnNd.exe
  C:\Windows\System\xCACnNd.exe
  2⤵
  PID:2128
- C:\Windows\System\hqaQqCR.exe
  C:\Windows\System\hqaQqCR.exe
  2⤵
  PID:6508
- C:\Windows\System\RvJOuPc.exe
  C:\Windows\System\RvJOuPc.exe
  2⤵
  PID:7136
- C:\Windows\System\AFQPXma.exe
  C:\Windows\System\AFQPXma.exe
  2⤵
  PID:6640
- C:\Windows\System\VRfhbtc.exe
  C:\Windows\System\VRfhbtc.exe
  2⤵
  PID:7152
- C:\Windows\System\hKiIPkw.exe
  C:\Windows\System\hKiIPkw.exe
  2⤵
  PID:7188
- C:\Windows\System\GtDJKQa.exe
  C:\Windows\System\GtDJKQa.exe
  2⤵
  PID:7216
- C:\Windows\System\gDBZfXA.exe
  C:\Windows\System\gDBZfXA.exe
  2⤵
  PID:7248
- C:\Windows\System\UQHDUwX.exe
  C:\Windows\System\UQHDUwX.exe
  2⤵
  PID:7280
- C:\Windows\System\BZonWdn.exe
  C:\Windows\System\BZonWdn.exe
  2⤵
  PID:7312
- C:\Windows\System\siRmIPz.exe
  C:\Windows\System\siRmIPz.exe
  2⤵
  PID:7344
- C:\Windows\System\KVZELXm.exe
  C:\Windows\System\KVZELXm.exe
  2⤵
  PID:7380
- C:\Windows\System\GLrCoLy.exe
  C:\Windows\System\GLrCoLy.exe
  2⤵
  PID:7416
- C:\Windows\System\OXnLhse.exe
  C:\Windows\System\OXnLhse.exe
  2⤵
  PID:7444
- C:\Windows\System\ndliXrA.exe
  C:\Windows\System\ndliXrA.exe
  2⤵
  PID:7476
- C:\Windows\System\chTEPhX.exe
  C:\Windows\System\chTEPhX.exe
  2⤵
  PID:7508
- C:\Windows\System\wnvybNd.exe
  C:\Windows\System\wnvybNd.exe
  2⤵
  PID:7540
- C:\Windows\System\oPCDQNK.exe
  C:\Windows\System\oPCDQNK.exe
  2⤵
  PID:7572
- C:\Windows\System\BoCsSXJ.exe
  C:\Windows\System\BoCsSXJ.exe
  2⤵
  PID:7604
- C:\Windows\System\oQZosSt.exe
  C:\Windows\System\oQZosSt.exe
  2⤵
  PID:7636
- C:\Windows\System\UpofWWB.exe
  C:\Windows\System\UpofWWB.exe
  2⤵
  PID:7668
- C:\Windows\System\JRiGtEU.exe
  C:\Windows\System\JRiGtEU.exe
  2⤵
  PID:7700
- C:\Windows\System\fFMICyo.exe
  C:\Windows\System\fFMICyo.exe
  2⤵
  PID:7732
- C:\Windows\System\VBRjMim.exe
  C:\Windows\System\VBRjMim.exe
  2⤵
  PID:7764
- C:\Windows\System\NElzQfP.exe
  C:\Windows\System\NElzQfP.exe
  2⤵
  PID:7796
- C:\Windows\System\WuqysPv.exe
  C:\Windows\System\WuqysPv.exe
  2⤵
  PID:7828
- C:\Windows\System\kuQpyms.exe
  C:\Windows\System\kuQpyms.exe
  2⤵
  PID:7860
- C:\Windows\System\IurSLvN.exe
  C:\Windows\System\IurSLvN.exe
  2⤵
  PID:7892
- C:\Windows\System\WJLTAeg.exe
  C:\Windows\System\WJLTAeg.exe
  2⤵
  PID:7924
- C:\Windows\System\NoFBDEt.exe
  C:\Windows\System\NoFBDEt.exe
  2⤵
  PID:7956
- C:\Windows\System\asSmTzB.exe
  C:\Windows\System\asSmTzB.exe
  2⤵
  PID:7988
- C:\Windows\System\jJSydQR.exe
  C:\Windows\System\jJSydQR.exe
  2⤵
  PID:8020
- C:\Windows\System\eEMsrCA.exe
  C:\Windows\System\eEMsrCA.exe
  2⤵
  PID:8052
- C:\Windows\System\BCtRBIN.exe
  C:\Windows\System\BCtRBIN.exe
  2⤵
  PID:8084
- C:\Windows\System\hCIHxVM.exe
  C:\Windows\System\hCIHxVM.exe
  2⤵
  PID:8116
- C:\Windows\System\RIIKWBf.exe
  C:\Windows\System\RIIKWBf.exe
  2⤵
  PID:8148
- C:\Windows\System\ZLxKlRb.exe
  C:\Windows\System\ZLxKlRb.exe
  2⤵
  PID:8180
- C:\Windows\System\KbubGRG.exe
  C:\Windows\System\KbubGRG.exe
  2⤵
  PID:7200
- C:\Windows\System\VeCCtsO.exe
  C:\Windows\System\VeCCtsO.exe
  2⤵
  PID:7264
- C:\Windows\System\SQHCDiA.exe
  C:\Windows\System\SQHCDiA.exe
  2⤵
  PID:7328
- C:\Windows\System\FXTIjqQ.exe
  C:\Windows\System\FXTIjqQ.exe
  2⤵
  PID:7396
- C:\Windows\System\lMtKJsp.exe
  C:\Windows\System\lMtKJsp.exe
  2⤵
  PID:7460
- C:\Windows\System\kWyEQVL.exe
  C:\Windows\System\kWyEQVL.exe
  2⤵
  PID:7520
- C:\Windows\System\VMMaXVA.exe
  C:\Windows\System\VMMaXVA.exe
  2⤵
  PID:7588
- C:\Windows\System\otHHArs.exe
  C:\Windows\System\otHHArs.exe
  2⤵
  PID:7652
- C:\Windows\System\JTSQxoO.exe
  C:\Windows\System\JTSQxoO.exe
  2⤵
  PID:7724
- C:\Windows\System\iDOjdxx.exe
  C:\Windows\System\iDOjdxx.exe
  2⤵
  PID:7792
- C:\Windows\System\CxSEHoe.exe
  C:\Windows\System\CxSEHoe.exe
  2⤵
  PID:7852
- C:\Windows\System\OrXqOfF.exe
  C:\Windows\System\OrXqOfF.exe
  2⤵
  PID:7916
- C:\Windows\System\dNPivXp.exe
  C:\Windows\System\dNPivXp.exe
  2⤵
  PID:7980
- C:\Windows\System\JrDkEwN.exe
  C:\Windows\System\JrDkEwN.exe
  2⤵
  PID:8044
- C:\Windows\System\GUxbIIr.exe
  C:\Windows\System\GUxbIIr.exe
  2⤵
  PID:8112
- C:\Windows\System\ZShsNno.exe
  C:\Windows\System\ZShsNno.exe
  2⤵
  PID:8176
- C:\Windows\System\lActmGC.exe
  C:\Windows\System\lActmGC.exe
  2⤵
  PID:7260
- C:\Windows\System\PsRQMvu.exe
  C:\Windows\System\PsRQMvu.exe
  2⤵
  PID:7376
- C:\Windows\System\sXFCggi.exe
  C:\Windows\System\sXFCggi.exe
  2⤵
  PID:7492
- C:\Windows\System\fAvWynh.exe
  C:\Windows\System\fAvWynh.exe
  2⤵
  PID:7632
- C:\Windows\System\isPshPm.exe
  C:\Windows\System\isPshPm.exe
  2⤵
  PID:7776
- C:\Windows\System\HrOCgnv.exe
  C:\Windows\System\HrOCgnv.exe
  2⤵
  PID:7912
- C:\Windows\System\GdDvMcW.exe
  C:\Windows\System\GdDvMcW.exe
  2⤵
  PID:8032
- C:\Windows\System\cFsALPz.exe
  C:\Windows\System\cFsALPz.exe
  2⤵
  PID:8164
- C:\Windows\System\tkHESqh.exe
  C:\Windows\System\tkHESqh.exe
  2⤵
  PID:7356
- C:\Windows\System\erJtYHW.exe
  C:\Windows\System\erJtYHW.exe
  2⤵
  PID:7696
- C:\Windows\System\azYpoEP.exe
  C:\Windows\System\azYpoEP.exe
  2⤵
  PID:8144
- C:\Windows\System\mqSZysL.exe
  C:\Windows\System\mqSZysL.exe
  2⤵
  PID:7876
- C:\Windows\System\fvNwpEE.exe
  C:\Windows\System\fvNwpEE.exe
  2⤵
  PID:4972
- C:\Windows\System\RSBjHSl.exe
  C:\Windows\System\RSBjHSl.exe
  2⤵
  PID:7524
- C:\Windows\System\LhrZhBV.exe
  C:\Windows\System\LhrZhBV.exe
  2⤵
  PID:8076
- C:\Windows\System\ebzNkyJ.exe
  C:\Windows\System\ebzNkyJ.exe
  2⤵
  PID:8216
- C:\Windows\System\eFLkkYQ.exe
  C:\Windows\System\eFLkkYQ.exe
  2⤵
  PID:8288
- C:\Windows\System\vVDKEmY.exe
  C:\Windows\System\vVDKEmY.exe
  2⤵
  PID:8336
- C:\Windows\System\hZJNmJH.exe
  C:\Windows\System\hZJNmJH.exe
  2⤵
  PID:8404
- C:\Windows\System\SifhigZ.exe
  C:\Windows\System\SifhigZ.exe
  2⤵
  PID:8440
- C:\Windows\System\ApbAemD.exe
  C:\Windows\System\ApbAemD.exe
  2⤵
  PID:8472
- C:\Windows\System\VoTWoSn.exe
  C:\Windows\System\VoTWoSn.exe
  2⤵
  PID:8512
- C:\Windows\System\soRqNxH.exe
  C:\Windows\System\soRqNxH.exe
  2⤵
  PID:8544
- C:\Windows\System\IbPmsrY.exe
  C:\Windows\System\IbPmsrY.exe
  2⤵
  PID:8576
- C:\Windows\System\GAQLFhk.exe
  C:\Windows\System\GAQLFhk.exe
  2⤵
  PID:8608
- C:\Windows\System\QAFUQaH.exe
  C:\Windows\System\QAFUQaH.exe
  2⤵
  PID:8644
- C:\Windows\System\ctBcJLm.exe
  C:\Windows\System\ctBcJLm.exe
  2⤵
  PID:8680
- C:\Windows\System\tziOKwo.exe
  C:\Windows\System\tziOKwo.exe
  2⤵
  PID:8732
- C:\Windows\System\GWylBCJ.exe
  C:\Windows\System\GWylBCJ.exe
  2⤵
  PID:8748
- C:\Windows\System\zqqdrSk.exe
  C:\Windows\System\zqqdrSk.exe
  2⤵
  PID:8780
- C:\Windows\System\PMWYRCg.exe
  C:\Windows\System\PMWYRCg.exe
  2⤵
  PID:8812
- C:\Windows\System\yfkUacj.exe
  C:\Windows\System\yfkUacj.exe
  2⤵
  PID:8844
- C:\Windows\System\PdOZNfi.exe
  C:\Windows\System\PdOZNfi.exe
  2⤵
  PID:8880
- C:\Windows\System\jTNQlDS.exe
  C:\Windows\System\jTNQlDS.exe
  2⤵
  PID:8916
- C:\Windows\System\CSvTOMq.exe
  C:\Windows\System\CSvTOMq.exe
  2⤵
  PID:8948
- C:\Windows\System\hWhsiSX.exe
  C:\Windows\System\hWhsiSX.exe
  2⤵
  PID:8980
- C:\Windows\System\qmMkiDs.exe
  C:\Windows\System\qmMkiDs.exe
  2⤵
  PID:9012
- C:\Windows\System\Akfhcur.exe
  C:\Windows\System\Akfhcur.exe
  2⤵
  PID:9044
- C:\Windows\System\VIwZiAp.exe
  C:\Windows\System\VIwZiAp.exe
  2⤵
  PID:9080
- C:\Windows\System\EbCcoaz.exe
  C:\Windows\System\EbCcoaz.exe
  2⤵
  PID:9112
- C:\Windows\System\foiMfId.exe
  C:\Windows\System\foiMfId.exe
  2⤵
  PID:9144
- C:\Windows\System\naMVmVF.exe
  C:\Windows\System\naMVmVF.exe
  2⤵
  PID:9176
- C:\Windows\System\qGqhcBE.exe
  C:\Windows\System\qGqhcBE.exe
  2⤵
  PID:9208
- C:\Windows\System\XRSHmLX.exe
  C:\Windows\System\XRSHmLX.exe
  2⤵
  PID:8268
- C:\Windows\System\whVBmOh.exe
  C:\Windows\System\whVBmOh.exe
  2⤵
  PID:3220
- C:\Windows\System\HdKWAxU.exe
  C:\Windows\System\HdKWAxU.exe
  2⤵
  PID:4284
- C:\Windows\System\JfxSTgE.exe
  C:\Windows\System\JfxSTgE.exe
  2⤵
  PID:8488
- C:\Windows\System\yEafbFC.exe
  C:\Windows\System\yEafbFC.exe
  2⤵
  PID:8556
- C:\Windows\System\DvmjYDD.exe
  C:\Windows\System\DvmjYDD.exe
  2⤵
  PID:8656
- C:\Windows\System\PIUszlW.exe
  C:\Windows\System\PIUszlW.exe
  2⤵
  PID:8692
- C:\Windows\System\ZWiUJND.exe
  C:\Windows\System\ZWiUJND.exe
  2⤵
  PID:8760
- C:\Windows\System\VldXXhp.exe
  C:\Windows\System\VldXXhp.exe
  2⤵
  PID:8824
- C:\Windows\System\TFPioeF.exe
  C:\Windows\System\TFPioeF.exe
  2⤵
  PID:8876
- C:\Windows\System\FxgnhXE.exe
  C:\Windows\System\FxgnhXE.exe
  2⤵
  PID:8932
- C:\Windows\System\DMYYNBK.exe
  C:\Windows\System\DMYYNBK.exe
  2⤵
  PID:8976
- C:\Windows\System\pZDWABy.exe
  C:\Windows\System\pZDWABy.exe
  2⤵
  PID:9068
- C:\Windows\System\PfpgDBP.exe
  C:\Windows\System\PfpgDBP.exe
  2⤵
  PID:9140
- C:\Windows\System\BeNUFBN.exe
  C:\Windows\System\BeNUFBN.exe
  2⤵
  PID:8200
- C:\Windows\System\WDaYSpD.exe
  C:\Windows\System\WDaYSpD.exe
  2⤵
  PID:2044
- C:\Windows\System\aBaieUM.exe
  C:\Windows\System\aBaieUM.exe
  2⤵
  PID:8468
- C:\Windows\System\rakZpba.exe
  C:\Windows\System\rakZpba.exe
  2⤵
  PID:8600
- C:\Windows\System\xZaLfvX.exe
  C:\Windows\System\xZaLfvX.exe
  2⤵
  PID:8724
- C:\Windows\System\uzMZPZl.exe
  C:\Windows\System\uzMZPZl.exe
  2⤵
  PID:8856
- C:\Windows\System\PjGyGMI.exe
  C:\Windows\System\PjGyGMI.exe
  2⤵
  PID:8896
- C:\Windows\System\PpskXGp.exe
  C:\Windows\System\PpskXGp.exe
  2⤵
  PID:9092
- C:\Windows\System\vtEZxOn.exe
  C:\Windows\System\vtEZxOn.exe
  2⤵
  PID:9204
- C:\Windows\System\HAKAivC.exe
  C:\Windows\System\HAKAivC.exe
  2⤵
  PID:8464
- C:\Windows\System\kdNquGg.exe
  C:\Windows\System\kdNquGg.exe
  2⤵
  PID:8728
- C:\Windows\System\YYkBDMD.exe
  C:\Windows\System\YYkBDMD.exe
  2⤵
  PID:8908
- C:\Windows\System\GyaGfxP.exe
  C:\Windows\System\GyaGfxP.exe
  2⤵
  PID:9172
- C:\Windows\System\fRYmUUb.exe
  C:\Windows\System\fRYmUUb.exe
  2⤵
  PID:8676
- C:\Windows\System\tUeXqMO.exe
  C:\Windows\System\tUeXqMO.exe
  2⤵
  PID:9192
- C:\Windows\System\dLCxcLp.exe
  C:\Windows\System\dLCxcLp.exe
  2⤵
  PID:9104
- C:\Windows\System\qFeeEjD.exe
  C:\Windows\System\qFeeEjD.exe
  2⤵
  PID:9232
- C:\Windows\System\tvtgZos.exe
  C:\Windows\System\tvtgZos.exe
  2⤵
  PID:9264
- C:\Windows\System\DlwbNTA.exe
  C:\Windows\System\DlwbNTA.exe
  2⤵
  PID:9296
- C:\Windows\System\GQlALJi.exe
  C:\Windows\System\GQlALJi.exe
  2⤵
  PID:9328
- C:\Windows\System\BhuHYbQ.exe
  C:\Windows\System\BhuHYbQ.exe
  2⤵
  PID:9364
- C:\Windows\System\kqSqVBB.exe
  C:\Windows\System\kqSqVBB.exe
  2⤵
  PID:9392
- C:\Windows\System\tGerzOe.exe
  C:\Windows\System\tGerzOe.exe
  2⤵
  PID:9424
- C:\Windows\System\vuQceIf.exe
  C:\Windows\System\vuQceIf.exe
  2⤵
  PID:9452
- C:\Windows\System\xZVEICv.exe
  C:\Windows\System\xZVEICv.exe
  2⤵
  PID:9488
- C:\Windows\System\mvudoJa.exe
  C:\Windows\System\mvudoJa.exe
  2⤵
  PID:9520
- C:\Windows\System\PULLNkt.exe
  C:\Windows\System\PULLNkt.exe
  2⤵
  PID:9552
- C:\Windows\System\NzkUEAv.exe
  C:\Windows\System\NzkUEAv.exe
  2⤵
  PID:9584
- C:\Windows\System\yRRFajY.exe
  C:\Windows\System\yRRFajY.exe
  2⤵
  PID:9616
- C:\Windows\System\KpdgXHa.exe
  C:\Windows\System\KpdgXHa.exe
  2⤵
  PID:9648
- C:\Windows\System\TjyrMGa.exe
  C:\Windows\System\TjyrMGa.exe
  2⤵
  PID:9680
- C:\Windows\System\aAZBdTg.exe
  C:\Windows\System\aAZBdTg.exe
  2⤵
  PID:9712
- C:\Windows\System\qbDwAzG.exe
  C:\Windows\System\qbDwAzG.exe
  2⤵
  PID:9744
- C:\Windows\System\RJtZKXd.exe
  C:\Windows\System\RJtZKXd.exe
  2⤵
  PID:9776
- C:\Windows\System\IqCWrMo.exe
  C:\Windows\System\IqCWrMo.exe
  2⤵
  PID:9812
- C:\Windows\System\URwRIBD.exe
  C:\Windows\System\URwRIBD.exe
  2⤵
  PID:9844
- C:\Windows\System\RbSqBtK.exe
  C:\Windows\System\RbSqBtK.exe
  2⤵
  PID:9876
- C:\Windows\System\MSDXvzd.exe
  C:\Windows\System\MSDXvzd.exe
  2⤵
  PID:9908
- C:\Windows\System\hiKvxMu.exe
  C:\Windows\System\hiKvxMu.exe
  2⤵
  PID:9940
- C:\Windows\System\wACfmde.exe
  C:\Windows\System\wACfmde.exe
  2⤵
  PID:9972
- C:\Windows\System\EBZmziU.exe
  C:\Windows\System\EBZmziU.exe
  2⤵
  PID:10004
- C:\Windows\System\ozXQHIK.exe
  C:\Windows\System\ozXQHIK.exe
  2⤵
  PID:10036
- C:\Windows\System\sRtGKxu.exe
  C:\Windows\System\sRtGKxu.exe
  2⤵
  PID:10068
- C:\Windows\System\rmAIUJN.exe
  C:\Windows\System\rmAIUJN.exe
  2⤵
  PID:10100
- C:\Windows\System\ksyyTWo.exe
  C:\Windows\System\ksyyTWo.exe
  2⤵
  PID:10132
- C:\Windows\System\GBxvKic.exe
  C:\Windows\System\GBxvKic.exe
  2⤵
  PID:10164
- C:\Windows\System\kTTZOVS.exe
  C:\Windows\System\kTTZOVS.exe
  2⤵
  PID:10196
- C:\Windows\System\hGsTPdg.exe
  C:\Windows\System\hGsTPdg.exe
  2⤵
  PID:10228
- C:\Windows\System\tYItZyS.exe
  C:\Windows\System\tYItZyS.exe
  2⤵
  PID:9248
- C:\Windows\System\uFwaukD.exe
  C:\Windows\System\uFwaukD.exe
  2⤵
  PID:9312
- C:\Windows\System\vGgSaxN.exe
  C:\Windows\System\vGgSaxN.exe
  2⤵
  PID:9344
- C:\Windows\System\fIGWheu.exe
  C:\Windows\System\fIGWheu.exe
  2⤵
  PID:9384
- C:\Windows\System\UqoEIip.exe
  C:\Windows\System\UqoEIip.exe
  2⤵
  PID:9416
- C:\Windows\System\wQamRho.exe
  C:\Windows\System\wQamRho.exe
  2⤵
  PID:9504
- C:\Windows\System\dVedsMt.exe
  C:\Windows\System\dVedsMt.exe
  2⤵
  PID:9160
- C:\Windows\System\ftISqqD.exe
  C:\Windows\System\ftISqqD.exe
  2⤵
  PID:9628
- C:\Windows\System\ZXrHxRe.exe
  C:\Windows\System\ZXrHxRe.exe
  2⤵
  PID:9708
- C:\Windows\System\BobEbja.exe
  C:\Windows\System\BobEbja.exe
  2⤵
  PID:9772
- C:\Windows\System\IqnzZOw.exe
  C:\Windows\System\IqnzZOw.exe
  2⤵
  PID:9836
- C:\Windows\System\CKLpCGp.exe
  C:\Windows\System\CKLpCGp.exe
  2⤵
  PID:9936
- C:\Windows\System\krmHnqz.exe
  C:\Windows\System\krmHnqz.exe
  2⤵
  PID:9988
- C:\Windows\System\BroKcZy.exe
  C:\Windows\System\BroKcZy.exe
  2⤵
  PID:10060
- C:\Windows\System\WpxeHlA.exe
  C:\Windows\System\WpxeHlA.exe
  2⤵
  PID:10128
- C:\Windows\System\NWYlqfb.exe
  C:\Windows\System\NWYlqfb.exe
  2⤵
  PID:10180
- C:\Windows\System\OyCXloM.exe
  C:\Windows\System\OyCXloM.exe
  2⤵
  PID:2228
- C:\Windows\System\PWPuIBE.exe
  C:\Windows\System\PWPuIBE.exe
  2⤵
  PID:9372
- C:\Windows\System\tVlioai.exe
  C:\Windows\System\tVlioai.exe
  2⤵
  PID:9536
- C:\Windows\System\JATqOqK.exe
  C:\Windows\System\JATqOqK.exe
  2⤵
  PID:9608
- C:\Windows\System\wJcFYTY.exe
  C:\Windows\System\wJcFYTY.exe
  2⤵
  PID:9640
- C:\Windows\System\xRPPwql.exe
  C:\Windows\System\xRPPwql.exe
  2⤵
  PID:9808
- C:\Windows\System\sMZxLMV.exe
  C:\Windows\System\sMZxLMV.exe
  2⤵
  PID:10000
- C:\Windows\System\sSEelnK.exe
  C:\Windows\System\sSEelnK.exe
  2⤵
  PID:10052
- C:\Windows\System\dZVrdBv.exe
  C:\Windows\System\dZVrdBv.exe
  2⤵
  PID:10112
- C:\Windows\System\bhuQSUW.exe
  C:\Windows\System\bhuQSUW.exe
  2⤵
  PID:9288
- C:\Windows\System\dkndpGp.exe
  C:\Windows\System\dkndpGp.exe
  2⤵
  PID:9664
- C:\Windows\System\ntDYkgB.exe
  C:\Windows\System\ntDYkgB.exe
  2⤵
  PID:9804
- C:\Windows\System\trtaaky.exe
  C:\Windows\System\trtaaky.exe
  2⤵
  PID:8228
- C:\Windows\System\rwudhkj.exe
  C:\Windows\System\rwudhkj.exe
  2⤵
  PID:10192
- C:\Windows\System\ykyPIkF.exe
  C:\Windows\System\ykyPIkF.exe
  2⤵
  PID:9280
- C:\Windows\System\QpCNDUX.exe
  C:\Windows\System\QpCNDUX.exe
  2⤵
  PID:9740
- C:\Windows\System\SUOxKaT.exe
  C:\Windows\System\SUOxKaT.exe
  2⤵
  PID:9568
- C:\Windows\System\CvACJyp.exe
  C:\Windows\System\CvACJyp.exe
  2⤵
  PID:8628
- C:\Windows\System\vXXKdkP.exe
  C:\Windows\System\vXXKdkP.exe
  2⤵
  PID:10276
- C:\Windows\System\naoLMcV.exe
  C:\Windows\System\naoLMcV.exe
  2⤵
  PID:10292
- C:\Windows\System\kKGgPvp.exe
  C:\Windows\System\kKGgPvp.exe
  2⤵
  PID:10324
- C:\Windows\System\tjBQBqY.exe
  C:\Windows\System\tjBQBqY.exe
  2⤵
  PID:10356
- C:\Windows\System\ICPuRUj.exe
  C:\Windows\System\ICPuRUj.exe
  2⤵
  PID:10388
- C:\Windows\System\CmJjFpz.exe
  C:\Windows\System\CmJjFpz.exe
  2⤵
  PID:10420
- C:\Windows\System\HKSsHdN.exe
  C:\Windows\System\HKSsHdN.exe
  2⤵
  PID:10452
- C:\Windows\System\RersZUh.exe
  C:\Windows\System\RersZUh.exe
  2⤵
  PID:10484
- C:\Windows\System\QfcEuID.exe
  C:\Windows\System\QfcEuID.exe
  2⤵
  PID:10516
- C:\Windows\System\eUvJuqc.exe
  C:\Windows\System\eUvJuqc.exe
  2⤵
  PID:10548
- C:\Windows\System\dMjwlso.exe
  C:\Windows\System\dMjwlso.exe
  2⤵
  PID:10580
- C:\Windows\System\rRlWTtf.exe
  C:\Windows\System\rRlWTtf.exe
  2⤵
  PID:10612
- C:\Windows\System\vUfmSsZ.exe
  C:\Windows\System\vUfmSsZ.exe
  2⤵
  PID:10644
- C:\Windows\System\UCnIChW.exe
  C:\Windows\System\UCnIChW.exe
  2⤵
  PID:10676
- C:\Windows\System\hnLxLfi.exe
  C:\Windows\System\hnLxLfi.exe
  2⤵
  PID:10708
- C:\Windows\System\XtwUprM.exe
  C:\Windows\System\XtwUprM.exe
  2⤵
  PID:10748
- C:\Windows\System\XPVxdga.exe
  C:\Windows\System\XPVxdga.exe
  2⤵
  PID:10780
- C:\Windows\System\LFoDffW.exe
  C:\Windows\System\LFoDffW.exe
  2⤵
  PID:10796
- C:\Windows\System\pvfqAZN.exe
  C:\Windows\System\pvfqAZN.exe
  2⤵
  PID:10824
- C:\Windows\System\cjMfyZY.exe
  C:\Windows\System\cjMfyZY.exe
  2⤵
  PID:10864
- C:\Windows\System\KWOcPDJ.exe
  C:\Windows\System\KWOcPDJ.exe
  2⤵
  PID:10892
- C:\Windows\System\FOqVEBB.exe
  C:\Windows\System\FOqVEBB.exe
  2⤵
  PID:10924
- C:\Windows\System\eVfpJTL.exe
  C:\Windows\System\eVfpJTL.exe
  2⤵
  PID:10956
- C:\Windows\System\OliffnW.exe
  C:\Windows\System\OliffnW.exe
  2⤵
  PID:10992
- C:\Windows\System\PIlHChu.exe
  C:\Windows\System\PIlHChu.exe
  2⤵
  PID:11028
- C:\Windows\System\BzVlAun.exe
  C:\Windows\System\BzVlAun.exe
  2⤵
  PID:11068
- C:\Windows\System\mrtpfUk.exe
  C:\Windows\System\mrtpfUk.exe
  2⤵
  PID:11100
- C:\Windows\System\RtWikZQ.exe
  C:\Windows\System\RtWikZQ.exe
  2⤵
  PID:11132
- C:\Windows\System\UjzVrCR.exe
  C:\Windows\System\UjzVrCR.exe
  2⤵
  PID:11164
- C:\Windows\System\xPthRyd.exe
  C:\Windows\System\xPthRyd.exe
  2⤵
  PID:11196
- C:\Windows\System\FfrbDKu.exe
  C:\Windows\System\FfrbDKu.exe
  2⤵
  PID:11228
- C:\Windows\System\jPswQey.exe
  C:\Windows\System\jPswQey.exe
  2⤵
  PID:11260
- C:\Windows\System\jprUbjp.exe
  C:\Windows\System\jprUbjp.exe
  2⤵
  PID:10268
- C:\Windows\System\wdOCIkX.exe
  C:\Windows\System\wdOCIkX.exe
  2⤵
  PID:10336
- C:\Windows\System\cjbaWbd.exe
  C:\Windows\System\cjbaWbd.exe
  2⤵
  PID:10400
- C:\Windows\System\qUDRNqR.exe
  C:\Windows\System\qUDRNqR.exe
  2⤵
  PID:10464
- C:\Windows\System\BHQRwOw.exe
  C:\Windows\System\BHQRwOw.exe
  2⤵
  PID:10528
- C:\Windows\System\yGFxSKY.exe
  C:\Windows\System\yGFxSKY.exe
  2⤵
  PID:10576
- C:\Windows\System\EuJQKXr.exe
  C:\Windows\System\EuJQKXr.exe
  2⤵
  PID:10640
- C:\Windows\System\uTyhYLe.exe
  C:\Windows\System\uTyhYLe.exe
  2⤵
  PID:10688
- C:\Windows\System\OZhZQbN.exe
  C:\Windows\System\OZhZQbN.exe
  2⤵
  PID:10816
- C:\Windows\System\SslYDAq.exe
  C:\Windows\System\SslYDAq.exe
  2⤵
  PID:10808
- C:\Windows\System\UHMtCaE.exe
  C:\Windows\System\UHMtCaE.exe
  2⤵
  PID:10916
- C:\Windows\System\hIAjVeY.exe
  C:\Windows\System\hIAjVeY.exe
  2⤵
  PID:10936
- C:\Windows\System\pDJgdsn.exe
  C:\Windows\System\pDJgdsn.exe
  2⤵
  PID:11048
- C:\Windows\System\ZoABWhw.exe
  C:\Windows\System\ZoABWhw.exe
  2⤵
  PID:11084
- C:\Windows\System\kyJvElP.exe
  C:\Windows\System\kyJvElP.exe
  2⤵
  PID:11160
- C:\Windows\System\KsXexkV.exe
  C:\Windows\System\KsXexkV.exe
  2⤵
  PID:11240
- C:\Windows\System\bgFJmBx.exe
  C:\Windows\System\bgFJmBx.exe
  2⤵
  PID:10288
- C:\Windows\System\FOcRXnD.exe
  C:\Windows\System\FOcRXnD.exe
  2⤵
  PID:10416
- C:\Windows\System\mMLjJQS.exe
  C:\Windows\System\mMLjJQS.exe
  2⤵
  PID:10560
- C:\Windows\System\DtaoBQf.exe
  C:\Windows\System\DtaoBQf.exe
  2⤵
  PID:10668
- C:\Windows\System\NGyKXSK.exe
  C:\Windows\System\NGyKXSK.exe
  2⤵
  PID:10776
- C:\Windows\System\EgQUYFy.exe
  C:\Windows\System\EgQUYFy.exe
  2⤵
  PID:10904
- C:\Windows\System\cXscnBQ.exe
  C:\Windows\System\cXscnBQ.exe
  2⤵
  PID:11064
- C:\Windows\System\pooCZYa.exe
  C:\Windows\System\pooCZYa.exe
  2⤵
  PID:11156
- C:\Windows\System\RKOMIic.exe
  C:\Windows\System\RKOMIic.exe
  2⤵
  PID:10272
- C:\Windows\System\PizAAqW.exe
  C:\Windows\System\PizAAqW.exe
  2⤵
  PID:10512
- C:\Windows\System\jvAqLEO.exe
  C:\Windows\System\jvAqLEO.exe
  2⤵
  PID:10772
- C:\Windows\System\GlrvTZh.exe
  C:\Windows\System\GlrvTZh.exe
  2⤵
  PID:11004
- C:\Windows\System\pENtUzZ.exe
  C:\Windows\System\pENtUzZ.exe
  2⤵
  PID:10252
- C:\Windows\System\uRJdgle.exe
  C:\Windows\System\uRJdgle.exe
  2⤵
  PID:10764
- C:\Windows\System\dXLmwDD.exe
  C:\Windows\System\dXLmwDD.exe
  2⤵
  PID:10212
- C:\Windows\System\EwlhgLu.exe
  C:\Windows\System\EwlhgLu.exe
  2⤵
  PID:11220
- C:\Windows\System\avxgfUY.exe
  C:\Windows\System\avxgfUY.exe
  2⤵
  PID:11280
- C:\Windows\System\QtBTICv.exe
  C:\Windows\System\QtBTICv.exe
  2⤵
  PID:11312
- C:\Windows\System\CpDnDNg.exe
  C:\Windows\System\CpDnDNg.exe
  2⤵
  PID:11344
- C:\Windows\System\RmQlLHk.exe
  C:\Windows\System\RmQlLHk.exe
  2⤵
  PID:11376
- C:\Windows\System\UyymvxA.exe
  C:\Windows\System\UyymvxA.exe
  2⤵
  PID:11416
- C:\Windows\System\VICelDu.exe
  C:\Windows\System\VICelDu.exe
  2⤵
  PID:11432
- C:\Windows\System\LUYymfM.exe
  C:\Windows\System\LUYymfM.exe
  2⤵
  PID:11460
- C:\Windows\System\URVoeSA.exe
  C:\Windows\System\URVoeSA.exe
  2⤵
  PID:11496
- C:\Windows\System\YucgfFK.exe
  C:\Windows\System\YucgfFK.exe
  2⤵
  PID:11540
- C:\Windows\System\dPdLXGU.exe
  C:\Windows\System\dPdLXGU.exe
  2⤵
  PID:11560
- C:\Windows\System\MVZqhGa.exe
  C:\Windows\System\MVZqhGa.exe
  2⤵
  PID:11608
- C:\Windows\System\vkyvhsi.exe
  C:\Windows\System\vkyvhsi.exe
  2⤵
  PID:11640
- C:\Windows\System\xhKvcxj.exe
  C:\Windows\System\xhKvcxj.exe
  2⤵
  PID:11672
- C:\Windows\System\WjMqRrL.exe
  C:\Windows\System\WjMqRrL.exe
  2⤵
  PID:11704
- C:\Windows\System\KnJkaGh.exe
  C:\Windows\System\KnJkaGh.exe
  2⤵
  PID:11736
- C:\Windows\System\WnEdwsP.exe
  C:\Windows\System\WnEdwsP.exe
  2⤵
  PID:11768
- C:\Windows\System\pXtYDxf.exe
  C:\Windows\System\pXtYDxf.exe
  2⤵
  PID:11800
- C:\Windows\System\YenzhXt.exe
  C:\Windows\System\YenzhXt.exe
  2⤵
  PID:11836
- C:\Windows\System\dRnRkKf.exe
  C:\Windows\System\dRnRkKf.exe
  2⤵
  PID:11868
- C:\Windows\System\EDdRqkd.exe
  C:\Windows\System\EDdRqkd.exe
  2⤵
  PID:11900
- C:\Windows\System\wqJKxks.exe
  C:\Windows\System\wqJKxks.exe
  2⤵
  PID:11932
- C:\Windows\System\cKCXsZp.exe
  C:\Windows\System\cKCXsZp.exe
  2⤵
  PID:11964
- C:\Windows\System\NUkOBvK.exe
  C:\Windows\System\NUkOBvK.exe
  2⤵
  PID:11996
- C:\Windows\System\WUfIeoe.exe
  C:\Windows\System\WUfIeoe.exe
  2⤵
  PID:12028
- C:\Windows\System\ExRPYJo.exe
  C:\Windows\System\ExRPYJo.exe
  2⤵
  PID:12060
- C:\Windows\System\oRdssuI.exe
  C:\Windows\System\oRdssuI.exe
  2⤵
  PID:12092
- C:\Windows\System\LMhhgmR.exe
  C:\Windows\System\LMhhgmR.exe
  2⤵
  PID:12124
- C:\Windows\System\ITooSMf.exe
  C:\Windows\System\ITooSMf.exe
  2⤵
  PID:12156
- C:\Windows\System\uYMisKg.exe
  C:\Windows\System\uYMisKg.exe
  2⤵
  PID:12188
- C:\Windows\System\FPLngYI.exe
  C:\Windows\System\FPLngYI.exe
  2⤵
  PID:12220
- C:\Windows\System\FHIzAUz.exe
  C:\Windows\System\FHIzAUz.exe
  2⤵
  PID:12252
- C:\Windows\System\WnqQoqh.exe
  C:\Windows\System\WnqQoqh.exe
  2⤵
  PID:12284
- C:\Windows\System\RqpSprH.exe
  C:\Windows\System\RqpSprH.exe
  2⤵
  PID:11308
- C:\Windows\System\OSITKej.exe
  C:\Windows\System\OSITKej.exe
  2⤵
  PID:11340
- C:\Windows\System\QaxsIxQ.exe
  C:\Windows\System\QaxsIxQ.exe
  2⤵
  PID:11372
- C:\Windows\System\IOYjlnR.exe
  C:\Windows\System\IOYjlnR.exe
  2⤵
  PID:11440
- C:\Windows\System\WOwCPCT.exe
  C:\Windows\System\WOwCPCT.exe
  2⤵
  PID:11508
- C:\Windows\System\wSCkXaU.exe
  C:\Windows\System\wSCkXaU.exe
  2⤵
  PID:11572
- C:\Windows\System\hekWrsY.exe
  C:\Windows\System\hekWrsY.exe
  2⤵
  PID:11660
- C:\Windows\System\ILDYTGt.exe
  C:\Windows\System\ILDYTGt.exe
  2⤵
  PID:11752
- C:\Windows\System\wmnEEIA.exe
  C:\Windows\System\wmnEEIA.exe
  2⤵
  PID:11792
- C:\Windows\System\XjiSIWj.exe
  C:\Windows\System\XjiSIWj.exe
  2⤵
  PID:11864
- C:\Windows\System\uqTIXCH.exe
  C:\Windows\System\uqTIXCH.exe
  2⤵
  PID:11928
- C:\Windows\System\lEZYXvk.exe
  C:\Windows\System\lEZYXvk.exe
  2⤵
  PID:12008
- C:\Windows\System\hQvnnqJ.exe
  C:\Windows\System\hQvnnqJ.exe
  2⤵
  PID:12084
- C:\Windows\System\EUbFTEr.exe
  C:\Windows\System\EUbFTEr.exe
  2⤵
  PID:12148
- C:\Windows\System\LXOhBJD.exe
  C:\Windows\System\LXOhBJD.exe
  2⤵
  PID:12212
- C:\Windows\System\GclvKZa.exe
  C:\Windows\System\GclvKZa.exe
  2⤵
  PID:12276
- C:\Windows\System\xZNYhMD.exe
  C:\Windows\System\xZNYhMD.exe
  2⤵
  PID:11328
- C:\Windows\System\PJAFaXI.exe
  C:\Windows\System\PJAFaXI.exe
  2⤵
  PID:11524
- C:\Windows\System\DmhlYAr.exe
  C:\Windows\System\DmhlYAr.exe
  2⤵
  PID:11628
- C:\Windows\System\gkdAIHD.exe
  C:\Windows\System\gkdAIHD.exe
  2⤵
  PID:11728
- C:\Windows\System\zNaBhzX.exe
  C:\Windows\System\zNaBhzX.exe
  2⤵
  PID:11892
- C:\Windows\System\jSoJcAn.exe
  C:\Windows\System\jSoJcAn.exe
  2⤵
  PID:11960
- C:\Windows\System\URtWVRN.exe
  C:\Windows\System\URtWVRN.exe
  2⤵
  PID:12116
- C:\Windows\System\PTLFYnu.exe
  C:\Windows\System\PTLFYnu.exe
  2⤵
  PID:12268
- C:\Windows\System\QmMiouy.exe
  C:\Windows\System\QmMiouy.exe
  2⤵
  PID:11400
- C:\Windows\System\VoCCHjc.exe
  C:\Windows\System\VoCCHjc.exe
  2⤵
  PID:11684
- C:\Windows\System\cSTlYAp.exe
  C:\Windows\System\cSTlYAp.exe
  2⤵
  PID:12012
- C:\Windows\System\kMZxaHw.exe
  C:\Windows\System\kMZxaHw.exe
  2⤵
  PID:12264
- C:\Windows\System\OFVpxQY.exe
  C:\Windows\System\OFVpxQY.exe
  2⤵
  PID:11488
- C:\Windows\System\XgFlRbM.exe
  C:\Windows\System\XgFlRbM.exe
  2⤵
  PID:11848
- C:\Windows\System\QrfAoKU.exe
  C:\Windows\System\QrfAoKU.exe
  2⤵
  PID:11824
- C:\Windows\System\SaEWuXX.exe
  C:\Windows\System\SaEWuXX.exe
  2⤵
  PID:12316
- C:\Windows\System\kOkxpyf.exe
  C:\Windows\System\kOkxpyf.exe
  2⤵
  PID:12336
- C:\Windows\System\CoHtsTC.exe
  C:\Windows\System\CoHtsTC.exe
  2⤵
  PID:12364
- C:\Windows\System\XEzTMDR.exe
  C:\Windows\System\XEzTMDR.exe
  2⤵
  PID:12412
- C:\Windows\System\MArlChX.exe
  C:\Windows\System\MArlChX.exe
  2⤵
  PID:12444
- C:\Windows\System\KPTNAIB.exe
  C:\Windows\System\KPTNAIB.exe
  2⤵
  PID:12492
- C:\Windows\System\fVIAWCT.exe
  C:\Windows\System\fVIAWCT.exe
  2⤵
  PID:12508
- C:\Windows\System\kipxwHv.exe
  C:\Windows\System\kipxwHv.exe
  2⤵
  PID:12540
- C:\Windows\System\VxlelrM.exe
  C:\Windows\System\VxlelrM.exe
  2⤵
  PID:12572
- C:\Windows\System\SrYNGPZ.exe
  C:\Windows\System\SrYNGPZ.exe
  2⤵
  PID:12608
- C:\Windows\System\diofbEl.exe
  C:\Windows\System\diofbEl.exe
  2⤵
  PID:12644
- C:\Windows\System\xyAhmoT.exe
  C:\Windows\System\xyAhmoT.exe
  2⤵
  PID:12676
- C:\Windows\System\iVejjYD.exe
  C:\Windows\System\iVejjYD.exe
  2⤵
  PID:12712
- C:\Windows\System\HETZpUZ.exe
  C:\Windows\System\HETZpUZ.exe
  2⤵
  PID:12744
- C:\Windows\System\PfWbxDR.exe
  C:\Windows\System\PfWbxDR.exe
  2⤵
  PID:12760
- C:\Windows\System\XsBlrjl.exe
  C:\Windows\System\XsBlrjl.exe
  2⤵
  PID:12788
- C:\Windows\System\WhPPata.exe
  C:\Windows\System\WhPPata.exe
  2⤵
  PID:12824
- C:\Windows\System\aygHjPZ.exe
  C:\Windows\System\aygHjPZ.exe
  2⤵
  PID:12856
- C:\Windows\System\Gobsyvw.exe
  C:\Windows\System\Gobsyvw.exe
  2⤵
  PID:12888
- C:\Windows\System\IaUZqHu.exe
  C:\Windows\System\IaUZqHu.exe
  2⤵
  PID:12920
- C:\Windows\System\LJyEnvl.exe
  C:\Windows\System\LJyEnvl.exe
  2⤵
  PID:12968
- C:\Windows\System\rTmBNgP.exe
  C:\Windows\System\rTmBNgP.exe
  2⤵
  PID:13000
- C:\Windows\System\bQncYWX.exe
  C:\Windows\System\bQncYWX.exe
  2⤵
  PID:13032
- C:\Windows\System\aBCNpWN.exe
  C:\Windows\System\aBCNpWN.exe
  2⤵
  PID:13056
- C:\Windows\System\zPlCYEX.exe
  C:\Windows\System\zPlCYEX.exe
  2⤵
  PID:13096
- C:\Windows\System\hRufPet.exe
  C:\Windows\System\hRufPet.exe
  2⤵
  PID:13128
- C:\Windows\System\YfXdvkq.exe
  C:\Windows\System\YfXdvkq.exe
  2⤵
  PID:13160
- C:\Windows\System\gMQcLAh.exe
  C:\Windows\System\gMQcLAh.exe
  2⤵
  PID:13192
- C:\Windows\System\mgNGSUk.exe
  C:\Windows\System\mgNGSUk.exe
  2⤵
  PID:13224
- C:\Windows\System\JJYAzxc.exe
  C:\Windows\System\JJYAzxc.exe
  2⤵
  PID:13256
- C:\Windows\System\UtYkADh.exe
  C:\Windows\System\UtYkADh.exe
  2⤵
  PID:13288
- C:\Windows\System\DvWQsRT.exe
  C:\Windows\System\DvWQsRT.exe
  2⤵
  PID:12292
- C:\Windows\System\xrDuYak.exe
  C:\Windows\System\xrDuYak.exe
  2⤵
  PID:12344
- C:\Windows\System\zDsDceT.exe
  C:\Windows\System\zDsDceT.exe
  2⤵
  PID:12404
- C:\Windows\System\BDkZrVo.exe
  C:\Windows\System\BDkZrVo.exe
  2⤵
  PID:12456
- C:\Windows\System\HzYJQfU.exe
  C:\Windows\System\HzYJQfU.exe
  2⤵
  PID:12500
- C:\Windows\System\gDWiWFT.exe
  C:\Windows\System\gDWiWFT.exe
  2⤵
  PID:12536
- C:\Windows\System\EReFBtG.exe
  C:\Windows\System\EReFBtG.exe
  2⤵
  PID:12624
- C:\Windows\System\JtjmEPC.exe
  C:\Windows\System\JtjmEPC.exe
  2⤵
  PID:12640
- C:\Windows\System\OzWGCsR.exe
  C:\Windows\System\OzWGCsR.exe
  2⤵
  PID:12688
- C:\Windows\System\bkqxWME.exe
  C:\Windows\System\bkqxWME.exe
  2⤵
  PID:12740
- C:\Windows\System\kHieRaN.exe
  C:\Windows\System\kHieRaN.exe
  2⤵
  PID:12796
- C:\Windows\System\GuoNDqP.exe
  C:\Windows\System\GuoNDqP.exe
  2⤵
  PID:12876
- C:\Windows\System\jghSEOE.exe
  C:\Windows\System\jghSEOE.exe
  2⤵
  PID:5040
- C:\Windows\System\DXyVZxf.exe
  C:\Windows\System\DXyVZxf.exe
  2⤵
  PID:12988
- C:\Windows\System\CPbobWn.exe
  C:\Windows\System\CPbobWn.exe
  2⤵
  PID:13064
- C:\Windows\System\DXDglAF.exe
  C:\Windows\System\DXDglAF.exe
  2⤵
  PID:13144
- C:\Windows\System\nkxdmcz.exe
  C:\Windows\System\nkxdmcz.exe
  2⤵
  PID:13188
- C:\Windows\System\CccOBJD.exe
  C:\Windows\System\CccOBJD.exe
  2⤵
  PID:13240
- C:\Windows\System\pNsKqAG.exe
  C:\Windows\System\pNsKqAG.exe
  2⤵
  PID:4132
- C:\Windows\System\BBZXFOZ.exe
  C:\Windows\System\BBZXFOZ.exe
  2⤵
  PID:12360
- C:\Windows\System\Iagugam.exe
  C:\Windows\System\Iagugam.exe
  2⤵
  PID:12520
- C:\Windows\System\AORcfWy.exe
  C:\Windows\System\AORcfWy.exe
  2⤵
  PID:11700
- C:\Windows\System\uYImXKc.exe
  C:\Windows\System\uYImXKc.exe
  2⤵
  PID:12736
- C:\Windows\System\teVuBrO.exe
  C:\Windows\System\teVuBrO.exe
  2⤵
  PID:1252
- C:\Windows\System\gEhZyjW.exe
  C:\Windows\System\gEhZyjW.exe
  2⤵
  PID:3580
- C:\Windows\System\vSZOaIv.exe
  C:\Windows\System\vSZOaIv.exe
  2⤵
  PID:13084
- C:\Windows\System\SlaAtkO.exe
  C:\Windows\System\SlaAtkO.exe
  2⤵
  PID:13116
- C:\Windows\System\MGrJynS.exe
  C:\Windows\System\MGrJynS.exe
  2⤵
  PID:13140
- C:\Windows\System\knbsvpq.exe
  C:\Windows\System\knbsvpq.exe
  2⤵
  PID:13204
- C:\Windows\System\pniSSJO.exe
  C:\Windows\System\pniSSJO.exe
  2⤵
  PID:5108
- C:\Windows\System\HHEHYEw.exe
  C:\Windows\System\HHEHYEw.exe
  2⤵
  PID:3980
- C:\Windows\System\PCVswOc.exe
  C:\Windows\System\PCVswOc.exe
  2⤵
  PID:12708
- C:\Windows\System\kcJMQNh.exe
  C:\Windows\System\kcJMQNh.exe
  2⤵
  PID:12872
- C:\Windows\System\mFCkbus.exe
  C:\Windows\System\mFCkbus.exe
  2⤵
  PID:12980
- C:\Windows\System\GMmPdEY.exe
  C:\Windows\System\GMmPdEY.exe
  2⤵
  PID:3516
- C:\Windows\System\iwRYOOd.exe
  C:\Windows\System\iwRYOOd.exe
  2⤵
  PID:13028
- C:\Windows\System\TRsiDmI.exe
  C:\Windows\System\TRsiDmI.exe
  2⤵
  PID:13252
- C:\Windows\System\yIzhGog.exe
  C:\Windows\System\yIzhGog.exe
  2⤵
  PID:12380
- C:\Windows\System\RYuwveG.exe
  C:\Windows\System\RYuwveG.exe
  2⤵
  PID:12704
- C:\Windows\System\cZNClti.exe
  C:\Windows\System\cZNClti.exe
  2⤵
  PID:3044
- C:\Windows\System\vVkyRie.exe
  C:\Windows\System\vVkyRie.exe
  2⤵
  PID:12308
- C:\Windows\System\PGzpDSb.exe
  C:\Windows\System\PGzpDSb.exe
  2⤵
  PID:1316
- C:\Windows\System\MmtZSdJ.exe
  C:\Windows\System\MmtZSdJ.exe
  2⤵
  PID:12848
- C:\Windows\System\apyxeSq.exe
  C:\Windows\System\apyxeSq.exe
  2⤵
  PID:13336
- C:\Windows\System\iZCGsoh.exe
  C:\Windows\System\iZCGsoh.exe
  2⤵
  PID:13360
- C:\Windows\System\sZjImEj.exe
  C:\Windows\System\sZjImEj.exe
  2⤵
  PID:13388
- C:\Windows\System\TOatVtw.exe
  C:\Windows\System\TOatVtw.exe
  2⤵
  PID:13436
- C:\Windows\System\XFHshnW.exe
  C:\Windows\System\XFHshnW.exe
  2⤵
  PID:13472
- C:\Windows\System\uyzDjnU.exe
  C:\Windows\System\uyzDjnU.exe
  2⤵
  PID:13504
- C:\Windows\System\vPMnTwh.exe
  C:\Windows\System\vPMnTwh.exe
  2⤵
  PID:13544
- C:\Windows\System\SDoJQFi.exe
  C:\Windows\System\SDoJQFi.exe
  2⤵
  PID:13572
- C:\Windows\System\AFermcv.exe
  C:\Windows\System\AFermcv.exe
  2⤵
  PID:13608
- C:\Windows\System\SaRksRQ.exe
  C:\Windows\System\SaRksRQ.exe
  2⤵
  PID:13640
- C:\Windows\System\BekyBym.exe
  C:\Windows\System\BekyBym.exe
  2⤵
  PID:13668
- C:\Windows\System\KpsvJXT.exe
  C:\Windows\System\KpsvJXT.exe
  2⤵
  PID:13688
- C:\Windows\System\hyftCPc.exe
  C:\Windows\System\hyftCPc.exe
  2⤵
  PID:13716
- C:\Windows\System\ruKZHQs.exe
  C:\Windows\System\ruKZHQs.exe
  2⤵
  PID:13748
- C:\Windows\System\mzetFXr.exe
  C:\Windows\System\mzetFXr.exe
  2⤵
  PID:13796
- C:\Windows\System\gXujfns.exe
  C:\Windows\System\gXujfns.exe
  2⤵
  PID:13832
- C:\Windows\System\JGzTAhE.exe
  C:\Windows\System\JGzTAhE.exe
  2⤵
  PID:13860
- C:\Windows\System\vHQTSnr.exe
  C:\Windows\System\vHQTSnr.exe
  2⤵
  PID:13876
- C:\Windows\System\nsLHyNj.exe
  C:\Windows\System\nsLHyNj.exe
  2⤵
  PID:13892
- C:\Windows\System\xvKpyqP.exe
  C:\Windows\System\xvKpyqP.exe
  2⤵
  PID:13924
- C:\Windows\System\lqexVmw.exe
  C:\Windows\System\lqexVmw.exe
  2⤵
  PID:13980
- C:\Windows\System\OkjyXJM.exe
  C:\Windows\System\OkjyXJM.exe
  2⤵
  PID:14004
- C:\Windows\System\OEttPfX.exe
  C:\Windows\System\OEttPfX.exe
  2⤵
  PID:14024
- C:\Windows\System\wCrcRHV.exe
  C:\Windows\System\wCrcRHV.exe
  2⤵
  PID:14080
- C:\Windows\System\llmtjop.exe
  C:\Windows\System\llmtjop.exe
  2⤵
  PID:14104
- C:\Windows\System\gLTSBuq.exe
  C:\Windows\System\gLTSBuq.exe
  2⤵
  PID:14148
- C:\Windows\System\gDTIZQv.exe
  C:\Windows\System\gDTIZQv.exe
  2⤵
  PID:14172
- C:\Windows\System\vwSmTit.exe
  C:\Windows\System\vwSmTit.exe
  2⤵
  PID:14212
- C:\Windows\System\iqJUboS.exe
  C:\Windows\System\iqJUboS.exe
  2⤵
  PID:14236
- C:\Windows\System\RkGYcSq.exe
  C:\Windows\System\RkGYcSq.exe
  2⤵
  PID:14276
- C:\Windows\System\sxwXEoY.exe
  C:\Windows\System\sxwXEoY.exe
  2⤵
  PID:14308
- C:\Windows\System\YelsDVw.exe
  C:\Windows\System\YelsDVw.exe
  2⤵
  PID:3548
- C:\Windows\System\JuhNGwM.exe
  C:\Windows\System\JuhNGwM.exe
  2⤵
  PID:13320
- C:\Windows\System\nQonLoY.exe
  C:\Windows\System\nQonLoY.exe
  2⤵
  PID:13424
- C:\Windows\System\VoKVhsv.exe
  C:\Windows\System\VoKVhsv.exe
  2⤵
  PID:13452
- C:\Windows\System\Qqljulu.exe
  C:\Windows\System\Qqljulu.exe
  2⤵
  PID:13520
- C:\Windows\System\QtnPREc.exe
  C:\Windows\System\QtnPREc.exe
  2⤵
  PID:13584
- C:\Windows\System\sOfuixG.exe
  C:\Windows\System\sOfuixG.exe
  2⤵
  PID:13712
- C:\Windows\System\wRSfMfs.exe
  C:\Windows\System\wRSfMfs.exe
  2⤵
  PID:13736
- C:\Windows\System\VrwcLdo.exe
  C:\Windows\System\VrwcLdo.exe
  2⤵
  PID:13840
- C:\Windows\System\sVJDznq.exe
  C:\Windows\System\sVJDznq.exe
  2⤵
  PID:4124
- C:\Windows\System\fRTHpYa.exe
  C:\Windows\System\fRTHpYa.exe
  2⤵
  PID:13948
- C:\Windows\System\UKkIcCe.exe
  C:\Windows\System\UKkIcCe.exe
  2⤵
  PID:13916
- C:\Windows\System\XQDMdAW.exe
  C:\Windows\System\XQDMdAW.exe
  2⤵
  PID:14044
- C:\Windows\System\igxvfiE.exe
  C:\Windows\System\igxvfiE.exe
  2⤵
  PID:14116
- C:\Windows\System\yPaWTon.exe
  C:\Windows\System\yPaWTon.exe
  2⤵
  PID:14180
- C:\Windows\System\QeBIuID.exe
  C:\Windows\System\QeBIuID.exe
  2⤵
  PID:14260
- C:\Windows\System\vDheExT.exe
  C:\Windows\System\vDheExT.exe
  2⤵
  PID:14292
- C:\Windows\System\DOXePxY.exe
  C:\Windows\System\DOXePxY.exe
  2⤵
  PID:13316
- C:\Windows\System\nHjPbDp.exe
  C:\Windows\System\nHjPbDp.exe
  2⤵
  PID:13428
- C:\Windows\System\mQQrHcy.exe
  C:\Windows\System\mQQrHcy.exe
  2⤵
  PID:13592
- C:\Windows\System\tZFqKzX.exe
  C:\Windows\System\tZFqKzX.exe
  2⤵
  PID:13744
- C:\Windows\System\XydfLuD.exe
  C:\Windows\System\XydfLuD.exe
  2⤵
  PID:13824
- C:\Windows\System\dpdKzti.exe
  C:\Windows\System\dpdKzti.exe
  2⤵
  PID:13868
- C:\Windows\System\kENgUHB.exe
  C:\Windows\System\kENgUHB.exe
  2⤵
  PID:14072
- C:\Windows\System\mkBjarH.exe
  C:\Windows\System\mkBjarH.exe
  2⤵
  PID:14128
- C:\Windows\System\DwEJAcs.exe
  C:\Windows\System\DwEJAcs.exe
  2⤵
  PID:14200
- C:\Windows\System\akBFmpW.exe
  C:\Windows\System\akBFmpW.exe
  2⤵
  PID:13324
- C:\Windows\System\XXOBPzj.exe
  C:\Windows\System\XXOBPzj.exe
  2⤵
  PID:13448
- C:\Windows\System\MyHOaTg.exe
  C:\Windows\System\MyHOaTg.exe
  2⤵
  PID:13664
- C:\Windows\System\cTPMwVb.exe
  C:\Windows\System\cTPMwVb.exe
  2⤵
  PID:13852
- C:\Windows\System\GUxctLV.exe
  C:\Windows\System\GUxctLV.exe
  2⤵
  PID:14096
- C:\Windows\System\yXcaNDH.exe
  C:\Windows\System\yXcaNDH.exe
  2⤵
  PID:14328
- C:\Windows\System\NJFYaRz.exe
  C:\Windows\System\NJFYaRz.exe
  2⤵
  PID:13616
- C:\Windows\System\wSxFwxW.exe
  C:\Windows\System\wSxFwxW.exe
  2⤵
  PID:14016
- C:\Windows\System\yepADLp.exe
  C:\Windows\System\yepADLp.exe
  2⤵
  PID:14248
- C:\Windows\System\iQQovFw.exe
  C:\Windows\System\iQQovFw.exe
  2⤵
  PID:13684
- C:\Windows\System\HaMSwuu.exe
  C:\Windows\System\HaMSwuu.exe
  2⤵
  PID:14340
- C:\Windows\System\yadNjXV.exe
  C:\Windows\System\yadNjXV.exe
  2⤵
  PID:14356
- C:\Windows\System\FwMrrCw.exe
  C:\Windows\System\FwMrrCw.exe
  2⤵
  PID:14372
- C:\Windows\System\iGXwcaE.exe
  C:\Windows\System\iGXwcaE.exe
  2⤵
  PID:14388
- C:\Windows\System\RnMrPUd.exe
  C:\Windows\System\RnMrPUd.exe
  2⤵
  PID:14408
- C:\Windows\System\sUfPSJC.exe
  C:\Windows\System\sUfPSJC.exe
  2⤵
  PID:14444
- C:\Windows\System\PsCCYYQ.exe
  C:\Windows\System\PsCCYYQ.exe
  2⤵
  PID:14488
- C:\Windows\System\ZqVENvG.exe
  C:\Windows\System\ZqVENvG.exe
  2⤵
  PID:14532
- C:\Windows\System\wLxenFy.exe
  C:\Windows\System\wLxenFy.exe
  2⤵
  PID:14592
- C:\Windows\System\NeoJtZX.exe
  C:\Windows\System\NeoJtZX.exe
  2⤵
  PID:14624
- C:\Windows\System\ekdnxcj.exe
  C:\Windows\System\ekdnxcj.exe
  2⤵
  PID:14648
- C:\Windows\System\twVPaUA.exe
  C:\Windows\System\twVPaUA.exe
  2⤵
  PID:14692
- C:\Windows\System\zkTzEqB.exe
  C:\Windows\System\zkTzEqB.exe
  2⤵
  PID:14716
- C:\Windows\System\PpBvJRN.exe
  C:\Windows\System\PpBvJRN.exe
  2⤵
  PID:14768
- C:\Windows\System\aMPtnTf.exe
  C:\Windows\System\aMPtnTf.exe
  2⤵
  PID:14792
- C:\Windows\System\zGdkIyo.exe
  C:\Windows\System\zGdkIyo.exe
  2⤵
  PID:14824
- C:\Windows\System\etdSkqT.exe
  C:\Windows\System\etdSkqT.exe
  2⤵
  PID:14876
- C:\Windows\System\WpcOTeZ.exe
  C:\Windows\System\WpcOTeZ.exe
  2⤵
  PID:14904
- C:\Windows\System\iuqferx.exe
  C:\Windows\System\iuqferx.exe
  2⤵
  PID:14936
- C:\Windows\System\cViCJwX.exe
  C:\Windows\System\cViCJwX.exe
  2⤵
  PID:14964
- C:\Windows\System\UbuFKQC.exe
  C:\Windows\System\UbuFKQC.exe
  2⤵
  PID:15000
- C:\Windows\System\eoCLSxf.exe
  C:\Windows\System\eoCLSxf.exe
  2⤵
  PID:15036
- C:\Windows\System\JeqGjKf.exe
  C:\Windows\System\JeqGjKf.exe
  2⤵
  PID:15080
- C:\Windows\System\XlFBpsB.exe
  C:\Windows\System\XlFBpsB.exe
  2⤵
  PID:15112
- C:\Windows\System\MdFEDad.exe
  C:\Windows\System\MdFEDad.exe
  2⤵
  PID:15128
- C:\Windows\System\mdLVQON.exe
  C:\Windows\System\mdLVQON.exe
  2⤵
  PID:15148
- C:\Windows\System\VmMvaCD.exe
  C:\Windows\System\VmMvaCD.exe
  2⤵
  PID:15204
- C:\Windows\System\WCXvqPo.exe
  C:\Windows\System\WCXvqPo.exe
  2⤵
  PID:15240
- C:\Windows\System\qbzJLYG.exe
  C:\Windows\System\qbzJLYG.exe
  2⤵
  PID:15264
- C:\Windows\System\qbrzgBp.exe
  C:\Windows\System\qbrzgBp.exe
  2⤵
  PID:15288
- C:\Windows\System\vLaQnmx.exe
  C:\Windows\System\vLaQnmx.exe
  2⤵
  PID:15320
- C:\Windows\System\SovRivS.exe
  C:\Windows\System\SovRivS.exe
  2⤵
  PID:4704
- C:\Windows\System\MaerlXR.exe
  C:\Windows\System\MaerlXR.exe
  2⤵
  PID:8264
- C:\Windows\System\dlXexBu.exe
  C:\Windows\System\dlXexBu.exe
  2⤵
  PID:14424
- C:\Windows\System\apHcCZW.exe
  C:\Windows\System\apHcCZW.exe
  2⤵
  PID:14484
- C:\Windows\System\bjKxCEa.exe
  C:\Windows\System\bjKxCEa.exe
  2⤵
  PID:14568
- C:\Windows\System\QxgFCiI.exe
  C:\Windows\System\QxgFCiI.exe
  2⤵
  PID:14544
- C:\Windows\System\ZOPIEDj.exe
  C:\Windows\System\ZOPIEDj.exe
  2⤵
  PID:14676
- C:\Windows\System\WKOjbvp.exe
  C:\Windows\System\WKOjbvp.exe
  2⤵
  PID:14756
- C:\Windows\System\CpAUKrN.exe
  C:\Windows\System\CpAUKrN.exe
  2⤵
  PID:14764
- C:\Windows\System\BVhYFdH.exe
  C:\Windows\System\BVhYFdH.exe
  2⤵
  PID:14804
- C:\Windows\System\TSSEniM.exe
  C:\Windows\System\TSSEniM.exe
  2⤵
  PID:14836
- C:\Windows\System\CnOpaDk.exe
  C:\Windows\System\CnOpaDk.exe
  2⤵
  PID:14924
- C:\Windows\System\OzbVqbg.exe
  C:\Windows\System\OzbVqbg.exe
  2⤵
  PID:15016
- C:\Windows\System\wngnQAD.exe
  C:\Windows\System\wngnQAD.exe
  2⤵
  PID:15124
- C:\Windows\System\oZQZAmd.exe
  C:\Windows\System\oZQZAmd.exe
  2⤵
  PID:15168
- C:\Windows\System\laqhMNi.exe
  C:\Windows\System\laqhMNi.exe
  2⤵
  PID:15256
- C:\Windows\System\uzSoNnR.exe
  C:\Windows\System\uzSoNnR.exe
  2⤵
  PID:15312
- C:\Windows\System\NgEPjAv.exe
  C:\Windows\System\NgEPjAv.exe
  2⤵
  PID:15348
- C:\Windows\System\JBkCgen.exe
  C:\Windows\System\JBkCgen.exe
  2⤵
  PID:14436
- C:\Windows\System\wvXRVFj.exe
  C:\Windows\System\wvXRVFj.exe
  2⤵
  PID:14516
- C:\Windows\System\afHCnGP.exe
  C:\Windows\System\afHCnGP.exe
  2⤵
  PID:14704
- C:\Windows\System\mPQAciF.exe
  C:\Windows\System\mPQAciF.exe
  2⤵
  PID:14852
- C:\Windows\System\gFdkcUU.exe
  C:\Windows\System\gFdkcUU.exe
  2⤵
  PID:14928
- C:\Windows\System\damDHRF.exe
  C:\Windows\System\damDHRF.exe
  2⤵
  PID:14068
- C:\Windows\System\rVWBpfs.exe
  C:\Windows\System\rVWBpfs.exe
  2⤵
  PID:15248
- C:\Windows\System\NVTVoad.exe
  C:\Windows\System\NVTVoad.exe
  2⤵
  PID:15332
- C:\Windows\System\TAtdVVn.exe
  C:\Windows\System\TAtdVVn.exe
  2⤵
  PID:14524
- C:\Windows\System\ecsNgXY.exe
  C:\Windows\System\ecsNgXY.exe
  2⤵
  PID:14864
- C:\Windows\System\yZuhCTD.exe
  C:\Windows\System\yZuhCTD.exe
  2⤵
  PID:15012
- C:\Windows\System\aCGzMQw.exe
  C:\Windows\System\aCGzMQw.exe
  2⤵
  PID:15160
- C:\Windows\System\XTrGlIf.exe
  C:\Windows\System\XTrGlIf.exe
  2⤵
  PID:14560
- C:\Windows\System\Vvsdrow.exe
  C:\Windows\System\Vvsdrow.exe
  2⤵
  PID:13888
- C:\Windows\System\edJvYXQ.exe
  C:\Windows\System\edJvYXQ.exe
  2⤵
  PID:15232
- C:\Windows\System\BWvWKJN.exe
  C:\Windows\System\BWvWKJN.exe
  2⤵
  PID:15048
- C:\Windows\System\RBLCTUt.exe
  C:\Windows\System\RBLCTUt.exe
  2⤵
  PID:15380
- C:\Windows\System\CrfFazw.exe
  C:\Windows\System\CrfFazw.exe
  2⤵
  PID:15408
- C:\Windows\System\lmUjHKM.exe
  C:\Windows\System\lmUjHKM.exe
  2⤵
  PID:15444
- C:\Windows\System\MBgoKTK.exe
  C:\Windows\System\MBgoKTK.exe
  2⤵
  PID:15476
- C:\Windows\System\aztBgIh.exe
  C:\Windows\System\aztBgIh.exe
  2⤵
  PID:15508
- C:\Windows\System\zRzNpTy.exe
  C:\Windows\System\zRzNpTy.exe
  2⤵
  PID:15540
- C:\Windows\System\KMHVdMn.exe
  C:\Windows\System\KMHVdMn.exe
  2⤵
  PID:15572
- C:\Windows\System\qygipFG.exe
  C:\Windows\System\qygipFG.exe
  2⤵
  PID:15604
- C:\Windows\System\dUpWtvc.exe
  C:\Windows\System\dUpWtvc.exe
  2⤵
  PID:15636
- C:\Windows\System\KCdbiDq.exe
  C:\Windows\System\KCdbiDq.exe
  2⤵
  PID:15668
- C:\Windows\System\xtjuVUd.exe
  C:\Windows\System\xtjuVUd.exe
  2⤵
  PID:15700
- C:\Windows\System\dzAuSlo.exe
  C:\Windows\System\dzAuSlo.exe
  2⤵
  PID:15732
- C:\Windows\System\flCQGjQ.exe
  C:\Windows\System\flCQGjQ.exe
  2⤵
  PID:15764
- C:\Windows\System\sEXvIUF.exe
  C:\Windows\System\sEXvIUF.exe
  2⤵
  PID:15796
- C:\Windows\System\CbTErkr.exe
  C:\Windows\System\CbTErkr.exe
  2⤵
  PID:15828
- C:\Windows\System\whTqtVb.exe
  C:\Windows\System\whTqtVb.exe
  2⤵
  PID:15844
- C:\Windows\System\PEqmTuM.exe
  C:\Windows\System\PEqmTuM.exe
  2⤵
  PID:15892
- C:\Windows\System\HMfhjse.exe
  C:\Windows\System\HMfhjse.exe
  2⤵
  PID:15912
- C:\Windows\System\yjoIaHe.exe
  C:\Windows\System\yjoIaHe.exe
  2⤵
  PID:15952
- C:\Windows\System\LTVplRk.exe
  C:\Windows\System\LTVplRk.exe
  2⤵
  PID:15988
- C:\Windows\System\VzIfYxM.exe
  C:\Windows\System\VzIfYxM.exe
  2⤵
  PID:16020
- C:\Windows\System\tIdaaeB.exe
  C:\Windows\System\tIdaaeB.exe
  2⤵
  PID:16052
- C:\Windows\System\xaaDtkF.exe
  C:\Windows\System\xaaDtkF.exe
  2⤵
  PID:16084
- C:\Windows\System\RedADxU.exe
  C:\Windows\System\RedADxU.exe
  2⤵
  PID:16120
- C:\Windows\System\kDQuZZR.exe
  C:\Windows\System\kDQuZZR.exe
  2⤵
  PID:16152
- C:\Windows\System\msoELmM.exe
  C:\Windows\System\msoELmM.exe
  2⤵
  PID:16184
- C:\Windows\System\ItdMqcI.exe
  C:\Windows\System\ItdMqcI.exe
  2⤵
  PID:16216
- C:\Windows\System\AMmSfgV.exe
  C:\Windows\System\AMmSfgV.exe
  2⤵
  PID:16248
- C:\Windows\System\sEgXdha.exe
  C:\Windows\System\sEgXdha.exe
  2⤵
  PID:16280
- C:\Windows\System\uFJBIkl.exe
  C:\Windows\System\uFJBIkl.exe
  2⤵
  PID:16312
- C:\Windows\System\KqgoVHf.exe
  C:\Windows\System\KqgoVHf.exe
  2⤵
  PID:16344
- C:\Windows\System\EqgtrLI.exe
  C:\Windows\System\EqgtrLI.exe
  2⤵
  PID:16364
- C:\Windows\System\dsjUfWq.exe
  C:\Windows\System\dsjUfWq.exe
  2⤵
  PID:15372
- C:\Windows\System\CAIhEIK.exe
  C:\Windows\System\CAIhEIK.exe
  2⤵
  PID:15436
- C:\Windows\System\TddxzIr.exe
  C:\Windows\System\TddxzIr.exe
  2⤵
  PID:15504
- C:\Windows\System\RUIjyAO.exe
  C:\Windows\System\RUIjyAO.exe
  2⤵
  PID:15584
- C:\Windows\System\fITLcps.exe
  C:\Windows\System\fITLcps.exe
  2⤵
  PID:15628
- C:\Windows\System\syZHXTj.exe
  C:\Windows\System\syZHXTj.exe
  2⤵
  PID:15716
- C:\Windows\System\wbojpYS.exe
  C:\Windows\System\wbojpYS.exe
  2⤵
  PID:15756
- C:\Windows\System\vSlVogB.exe
  C:\Windows\System\vSlVogB.exe
  2⤵
  PID:900
- C:\Windows\System\GivUzbG.exe
  C:\Windows\System\GivUzbG.exe
  2⤵
  PID:15856
- C:\Windows\System\GYENNFp.exe
  C:\Windows\System\GYENNFp.exe
  2⤵
  PID:14976
- C:\Windows\System\NwLeCMd.exe
  C:\Windows\System\NwLeCMd.exe
  2⤵
  PID:15984
- C:\Windows\System\zKzYsjN.exe
  C:\Windows\System\zKzYsjN.exe
  2⤵
  PID:16048
- C:\Windows\System\SiLpfRQ.exe
  C:\Windows\System\SiLpfRQ.exe
  2⤵
  PID:16100
- C:\Windows\System\zrOrjUh.exe
  C:\Windows\System\zrOrjUh.exe
  2⤵
  PID:16168
- C:\Windows\System\YdAslnN.exe
  C:\Windows\System\YdAslnN.exe
  2⤵
  PID:16232
- C:\Windows\System\WXVxAwf.exe
  C:\Windows\System\WXVxAwf.exe
  2⤵
  PID:16296
- C:\Windows\System\vCRMqKt.exe
  C:\Windows\System\vCRMqKt.exe
  2⤵
  PID:16380
- C:\Windows\System\oZLySPI.exe
  C:\Windows\System\oZLySPI.exe
  2⤵
  PID:15400
- C:\Windows\System\VnnhORJ.exe
  C:\Windows\System\VnnhORJ.exe
  2⤵
  PID:15532
- C:\Windows\System\ocTwjGE.exe
  C:\Windows\System\ocTwjGE.exe
  2⤵
  PID:15712
- C:\Windows\System\PTkYgLT.exe
  C:\Windows\System\PTkYgLT.exe
  2⤵
  PID:1228
- C:\Windows\System\inHdEez.exe
  C:\Windows\System\inHdEez.exe
  2⤵
  PID:15900
- C:\Windows\System\jFukFfs.exe
  C:\Windows\System\jFukFfs.exe
  2⤵
  PID:16036
- C:\Windows\System\bYkeeor.exe
  C:\Windows\System\bYkeeor.exe
  2⤵
  PID:16096
- C:\Windows\System\JzmKTiE.exe
  C:\Windows\System\JzmKTiE.exe
  2⤵
  PID:16260
- C:\Windows\System\MJheOOU.exe
  C:\Windows\System\MJheOOU.exe
  2⤵
  PID:15428
- C:\Windows\System\QUzFyOG.exe
  C:\Windows\System\QUzFyOG.exe
  2⤵
  PID:16116
- C:\Windows\System\hpHqvda.exe
  C:\Windows\System\hpHqvda.exe
  2⤵
  PID:15616
- C:\Windows\System\IMPwGpF.exe
  C:\Windows\System\IMPwGpF.exe
  2⤵
  PID:4892
- C:\Windows\System\kdrJRcV.exe
  C:\Windows\System\kdrJRcV.exe
  2⤵
  PID:16076
- C:\Windows\System\eRGXHRm.exe
  C:\Windows\System\eRGXHRm.exe
  2⤵
  PID:16148
- C:\Windows\System\UmVODqo.exe
  C:\Windows\System\UmVODqo.exe
  2⤵
  PID:860
- C:\Windows\System\eQqWvKQ.exe
  C:\Windows\System\eQqWvKQ.exe
  2⤵
  PID:15684
- C:\Windows\System\UvzYMHM.exe
  C:\Windows\System\UvzYMHM.exe
  2⤵
  PID:5004
- C:\Windows\System\yKUsGBU.exe
  C:\Windows\System\yKUsGBU.exe
  2⤵
  PID:4996
- C:\Windows\System\lykBCrd.exe
  C:\Windows\System\lykBCrd.exe
  2⤵
  PID:16276
- C:\Windows\System\APqJiKZ.exe
  C:\Windows\System\APqJiKZ.exe
  2⤵
  PID:2508
- C:\Windows\System\DQUSKWS.exe
  C:\Windows\System\DQUSKWS.exe
  2⤵
  PID:3060
- C:\Windows\System\JpBmTpf.exe
  C:\Windows\System\JpBmTpf.exe
  2⤵
  PID:3828
- C:\Windows\System\dxVkKzN.exe
  C:\Windows\System\dxVkKzN.exe
  2⤵
  PID:1404
- C:\Windows\System\ZJBxKun.exe
  C:\Windows\System\ZJBxKun.exe
  2⤵
  PID:2912
- C:\Windows\System\fJwMCsm.exe
  C:\Windows\System\fJwMCsm.exe
  2⤵
  PID:2488
- C:\Windows\System\zOSqYrh.exe
  C:\Windows\System\zOSqYrh.exe
  2⤵
  PID:460
- C:\Windows\System\yKBhGkF.exe
  C:\Windows\System\yKBhGkF.exe
  2⤵
  PID:4680
- C:\Windows\System\rOkrJEK.exe
  C:\Windows\System\rOkrJEK.exe
  2⤵
  PID:1896
- C:\Windows\System\NzLwDlh.exe
  C:\Windows\System\NzLwDlh.exe
  2⤵
  PID:4852
- C:\Windows\System\ZqJkrOt.exe
  C:\Windows\System\ZqJkrOt.exe
  2⤵
  PID:1652
- C:\Windows\System\vQgPNCn.exe
  C:\Windows\System\vQgPNCn.exe
  2⤵
  PID:16404
- C:\Windows\System\GMcCnba.exe
  C:\Windows\System\GMcCnba.exe
  2⤵
  PID:16444
- C:\Windows\System\WynEArH.exe
  C:\Windows\System\WynEArH.exe
  2⤵
  PID:16468
- C:\Windows\System\SBVQHkK.exe
  C:\Windows\System\SBVQHkK.exe
  2⤵
  PID:16500
- C:\Windows\System\JGMdIcJ.exe
  C:\Windows\System\JGMdIcJ.exe
  2⤵
  PID:16536
- C:\Windows\System\UflohrV.exe
  C:\Windows\System\UflohrV.exe
  2⤵
  PID:16568
- C:\Windows\System\AkAqiHS.exe
  C:\Windows\System\AkAqiHS.exe
  2⤵
  PID:16600
- C:\Windows\System\iOQnPIs.exe
  C:\Windows\System\iOQnPIs.exe
  2⤵
  PID:16632
- C:\Windows\System\MLQeFiA.exe
  C:\Windows\System\MLQeFiA.exe
  2⤵
  PID:16664
- C:\Windows\System\yQCDfYU.exe
  C:\Windows\System\yQCDfYU.exe
  2⤵
  PID:16696
- C:\Windows\System\cfrPWwm.exe
  C:\Windows\System\cfrPWwm.exe
  2⤵
  PID:16728
- C:\Windows\System\AzFThFb.exe
  C:\Windows\System\AzFThFb.exe
  2⤵
  PID:16760
- C:\Windows\System\hCtXBNX.exe
  C:\Windows\System\hCtXBNX.exe
  2⤵
  PID:16792
- C:\Windows\System\HCHtFgb.exe
  C:\Windows\System\HCHtFgb.exe
  2⤵
  PID:16824
- C:\Windows\System\bFIiqgb.exe
  C:\Windows\System\bFIiqgb.exe
  2⤵
  PID:16852
- C:\Windows\System\ZAZPUcy.exe
  C:\Windows\System\ZAZPUcy.exe
  2⤵
  PID:16888
- C:\Windows\System\RHpFYeb.exe
  C:\Windows\System\RHpFYeb.exe
  2⤵
  PID:16920

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:17236
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:17396

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5232

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5324

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5976

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6984

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7332

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9184

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9128

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:1440

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3316

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:6652

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4164

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8144

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13232

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9236

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5244

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13780

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9244

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10580

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:15252

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:15188

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11348

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11632

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5900

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10596

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11428

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2796

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8504

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12688

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5268

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5932

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14600

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:220

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4044

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:15384

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7344

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7572

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6680

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6936

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7728

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8580

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9636

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:17148

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:16976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\P56Q32J4\microsoft.windows[1].xml

Filesize
97B

MD5
75de445e72210c4fc85641c9121a64cf

SHA1
991e559f592b96bd50e72705811f05b453d889aa

SHA256
7fdafd928f21a79d34079338964c9ad86f6cd56a09f60e325d2144a1cf311299

SHA512
f1cc988b855fe4a64d94b0344175a14fc5207b4a6b6cb8666e9c6c0a3531e422f62940616a2029da294c80cf6aa161ae302ccee0a5e53692f6dc05afda22852a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133828277877861883.txt

Filesize
75KB

MD5
85a788703cf18abfb43b6f1ec41d7d08

SHA1
4c965f8435c7e3d9fc43d234b32dbb1f4d35173d

SHA256
148eab8ba3a610d2018e78d75a9f8c70c9ed5465e118166798d6bc1a49ef46be

SHA512
ae717e262e2d126d9876602d0002451c2634f7d34ecf5e3be6c6b84e5ad7b53d00c2d32b6e2c02b465ccb9b7eb2796eb6ffa8994c6966bdfdc4584e4625a5cb0

Download Submit
C:\Windows\System\AbTZtRX.exe

Filesize
5.7MB

MD5
27c56eb4032396ddb8c0fc3c8b5e795e

SHA1
26c30429e57ba702903f7199e5f1b1b3fe7c04d5

SHA256
32b45d441477b6bb06ffe0679dd20ab5e1795af96153cf50511f4040850b8f43

SHA512
6e7cc37bbad6489b6e67934fe19ef9f6b00b8f3f117b2a87fea73d8f8616a942decf839c1327a9efbbf7b13a15a74071f3b3d2228442111b35a797785967ab61

Download Submit
C:\Windows\System\AicGxCd.exe

Filesize
5.7MB

MD5
9dbd67f4cbe1ea27d974256f845cef48

SHA1
096a393aa3b87e9dc38efc99b3d3b54aec999e3b

SHA256
2e17050c665496f6af9cc35c9a17187b763954d965b2280c20b540843cc7d678

SHA512
ff1fc23397ff1218b79e8f5a89af169c018ea71bf78a68ed8832f0752e5241b0da86b5947461bd31684108bbb835148672a78538bc089515b39967c12735f6a3

Download Submit
C:\Windows\System\CjBxfkD.exe

Filesize
5.7MB

MD5
4cd884dc50b3128e21b13da4612cff21

SHA1
f19ffc7c857a67d6ca031758bc9f6a3b06cb0219

SHA256
af6d9d1cc8555df86385eab513f9a0b002134c5b041e76d4251d526e3ab48dae

SHA512
69fffd9b481eda40563df9e28783bdded769ae5ddc2858c1d93b75d9363aad8bbf5ccc0bc69a19339688a6314c5f7ca9cc524dc7cc039424cde21f6abfae48fb

Download Submit
C:\Windows\System\EwyXiUG.exe

Filesize
5.7MB

MD5
0c2e62ba4daf6912c296494ea4b64c8b

SHA1
06109ac92628f0e5c1d482e2ed99f8c7f0525587

SHA256
325804c9ddd83200385bd2399d40400c5bd2628f791242030b94425137276101

SHA512
05dfa7ee6c95748f889bcf5db5917c94999f616fe4801e007bab871584a0b81e87d8d922af73cef85f5026457f6846ae0f954dc82cb73a311253bcc2709aba2a

Download Submit
C:\Windows\System\FnyEwNN.exe

Filesize
5.7MB

MD5
3931247358bb0e295a2196d3c6e21240

SHA1
8788d7827e34d87538456409dcd721451ecb0bde

SHA256
4f74b67456dfe6d80f178c40a71c9b9b48c8f266da56b42bc5681e15fa6b1eb1

SHA512
a97923735f2cdea81ee2f852b012272c166e21a326d76f11d8dac203db04d715fce98f6afee3e6255603117e10c0b318e7fee22d121645d111fe296ba55416c4

Download Submit
C:\Windows\System\JgjHCTS.exe

Filesize
5.7MB

MD5
2bf910f252845e065807b1576bd930f7

SHA1
11b4e4de0fb36ecd57c06b8bed96cc5836fd148b

SHA256
4c4d0f5cac1d90623ad65ec844f998e184e10b92aed3ccf775eeb807cb97ad9f

SHA512
5983a69270e410a0242b55624e6828cf12e94a23d72711cd52071392de659c385b80bb64f92e2444a4931594fee5c9d9d95694ce246f7808fd10137475bbdbaa

Download Submit
C:\Windows\System\MyUdeEb.exe

Filesize
5.7MB

MD5
66d0c5ff4294ee4bac063dd99866b550

SHA1
32b8d56a4599adde4beda315a678f4fc3377d206

SHA256
52e4f2e36cbbf1451c4c522182051d09de0bf677e1ed9712947070489c3f82e6

SHA512
4f39b7663ce04aadf5828591d6a13bf00bd77c1d69f21d388bc31526e08c69495cfc573729e7224ac54365feb45d44f298089096643d11522ae33f5d025f7dc3

Download Submit
C:\Windows\System\NTOMdpQ.exe

Filesize
5.7MB

MD5
79dbe4d2155b342e266006cb3e319f6d

SHA1
a987bca611db516bf19ac7809e67055c72cc40e1

SHA256
63169f13bcb6e803e0a02c4b814041f759b79eb9bd770cace03ee20ce4906480

SHA512
36ff738e1897ae666082dc6cc2bab53ddc7a71213be56e98242be37c192c9e0fe3a55b290979ac94f275c82c718145aa7e912d215e52748fd19d6f55fe1e3cb0

Download Submit
C:\Windows\System\NuQlxrE.exe

Filesize
5.7MB

MD5
dc645181ebacbc7dd0c4141436de508b

SHA1
da5f9167bb6e1a759cf4ae439ce965fe0105fcbb

SHA256
e4c5623d538ff8d6e1ffd9de205e2dc6b9b923e4a811f2836a80304e7014f76f

SHA512
7b1cf575e6ee203551c1c5ef93a237483269d073356eee346aa37316c80b2159d2ec7bf73bce89930e5b0486789a69c9d6d8330b351e81a1d20f66b511a9d05a

Download Submit
C:\Windows\System\QNOiqhk.exe

Filesize
5.7MB

MD5
e09fb14f8b3011cfec6f454f7911c55a

SHA1
52f3226e7d45014dc5ff2881c87db0080bb4dfb5

SHA256
60d5e4f6778a354476183a48a9b26052105f029f5765e5557a491b6292c432a7

SHA512
70948b1cf2b2bebce4f31aac3d467f6273d7bd9caf599f988c133f597664da5713dfbc1e290aa087590cd155bdd0d28581f846448e7fdc42e465dca930492e9f

Download Submit
C:\Windows\System\QfYgMbZ.exe

Filesize
5.7MB

MD5
a7ceca11d43297aa1d770a5d68761531

SHA1
49dd2625f1d65bb8ec2dd946c0b05110d286e640

SHA256
eed2047ba54c1b3e7ad6548afea958e8cf8b2eeace7049e596b13457e207748e

SHA512
574d2733667e1db0218316f6177f7e52528af5839ab6fa589be9a98fd8c388686ec11ddce400ac441bdb57712a8febca630f42bcc8e2fa297d206f9ba17cdddf

Download Submit
C:\Windows\System\TQwpbNk.exe

Filesize
5.7MB

MD5
e1c4c752504505530b157f3cb6373de5

SHA1
37551f1d652f01b0aaff85cf321ddf6790190184

SHA256
9740ddf4bdb14244539b2751d0833b97dd6ad3360df6baffd42cbb76ace9b908

SHA512
faaeafa399194f06fc3acd5ee47a1a926fd3b7b9f74bca1cdbc8c62981050c2bc49a0f97f3ecf0fb2b68aa395dd4181dd90a1fde9df7eb57de4803a4694da321

Download Submit
C:\Windows\System\WQNnfmL.exe

Filesize
5.7MB

MD5
028c2fea6c3d9260808c750d3f34a2ea

SHA1
805fd1b7f001492e2ccc195102865694259473d8

SHA256
e9919057156c0567a54f83aea91a2085d9dc85f2766f467236dd4958183d7f19

SHA512
f0e3c6d4f3a56459096396b0068e8018e720eb60a6b7b943a32f8c27f9ba1436cb80ef8050640a9c8b01cda4bc9a717b66c98fdb2004d20cd8acaef24d2b3ee7

Download Submit
C:\Windows\System\XiAXmvu.exe

Filesize
5.7MB

MD5
8eba1a2043c29931fad03d09c470c861

SHA1
80b8373d4722580dcc141bb554a158371d4ecfa1

SHA256
b164d467ab66eb562a2c96203621446efe1697a31870c4d4121a3aa0613b13fc

SHA512
ad5f4f1cb5ed631ee9ab136e350c2bfd5c37b4748c66b5f380da4a7833ab0c5221fc1ec636c74b3b97463329c926805a16d292b3cfd093df5b7c46d59fabc636

Download Submit
C:\Windows\System\ZCklPyL.exe

Filesize
5.7MB

MD5
53bd3057375cbc94d68624d3674a1ff4

SHA1
d1086f5b7a6d933da29bac1c4f2428cb6c7ae232

SHA256
3f2ea920c86dde0b86d50cbc4cf56ca654d96f03968407e02d9a15e3b8bea788

SHA512
b7081f548c735dfd9938ccf796ecdd9141f73b99201fe2ad5c4fa6e4432feaf9dd9ce01fe3c6c426b54e28ad85fb5ce9a640a6148bd1395cafe95a01f8f79c4f

Download Submit
C:\Windows\System\cqsqgKh.exe

Filesize
5.7MB

MD5
1e61c20e2dea6821ad5465fc49aed886

SHA1
3359a95a912bff5855a230dafa3903bd03c16a64

SHA256
3c55a1ec68259080a3fae27a2036c03a78e3be8a446a4c517f53befbbf8fc8b3

SHA512
c4bf7f73aa9ce2a20a7c39ac4c605376d90134374a84bf29acc50c21cb2d7941d8f36dd122b48b05750ff198cf30c7b119a18692f64deeee0a805b1c81aab62b

Download Submit
C:\Windows\System\eJOVPPs.exe

Filesize
5.7MB

MD5
1859ace54da38c4527e22752fadcd3b3

SHA1
b6e2fe5f6bceaed43ee62a320131598ca7df858a

SHA256
b18ffebd269d206fe6457e745cf6fd3a274b028c315860bdb144da456a4381e0

SHA512
3ef6ee5c2a1730e40b2c9b30e1dbc0adc1442f80bf1328d8bc6abe5f7986bbbb657728832a56955aae17890f44251ebebaae8f9fd18327d50664c420cbe1d6fc

Download Submit
C:\Windows\System\fclMRrF.exe

Filesize
5.7MB

MD5
b4849ac2199abcebfc79566db4617d7a

SHA1
d3a0b6fb4d9d6636e9724e303598f8e20e98865c

SHA256
44cddffbd06bacddfa819d9617304a1266cead0016bd352d36dd6dff7ec812d2

SHA512
a4ef24a83dfc460c41a1086c50561aae33e5deba0633925ffd3cf30b4298ba229b7505b80959ce85ee57258e8f1ef3f013c59e2e1dde47bc226aa3eb86f7df94

Download Submit
C:\Windows\System\hVUUBAB.exe

Filesize
5.7MB

MD5
4a1f2c472496d1fc5755e5f40bb9e12d

SHA1
2e63744b4a07c35753530b70a69aebc18796008a

SHA256
a48faa291c312f30d8067a089a0e998ce5306f465e4f7b6201d5342f33bcced4

SHA512
2b6567a5c242d6e27e200cc3fc18e441c89a7df2459b6284d34b4bd278c14a0fdb8df9027a3accb5b74bc50c875fbd215fa583aee099b2b71e6a6247ca9084ac

Download Submit
C:\Windows\System\iQwwtgn.exe

Filesize
5.7MB

MD5
f6fdfc0929433531f07d3db30406576b

SHA1
eb7c6a27646cad6e028bc83c7fd5b1846dd9f02a

SHA256
34c6becb43c9cbafc6b2f6997b2e17279f4c2a94d4af89f1eb387b663bb89027

SHA512
b2dfaed07aeb8b040694439779b98306bfd661e07859f7956b0c59d2264d352c57edc3543d163835ff801da0a15289020b44e4146cdc64c6507b6e7fcfaf466f

Download Submit
C:\Windows\System\kVhcuCi.exe

Filesize
5.7MB

MD5
ca69cb6c970ae4acd2a79c6470738e6e

SHA1
7faf97cd5d6c484a487ab08d2fd7bd61ad6c451e

SHA256
5cb8ef6bce06030c51267d564311d01c848acaaf8f4283d7a057b8dee3a2b9a6

SHA512
ce3029e09c82a887e1ea5252207d20b065d1c018c6a8a7f9f6f5c6f0f8778f3d37c465468000ac1649d340eedc59eaa8613c4177a88d91f88d6a15964d00fb38

Download Submit
C:\Windows\System\lHqyAyy.exe

Filesize
5.7MB

MD5
291f8fc304afa9aba43ac0bc50ea254d

SHA1
4f603135a6c6fb46e5a5b42e94c4106a25c6dc13

SHA256
519ebe354842529f6a375406bd26a652ad96ee16cc5430d02c41896e1908003a

SHA512
95398a51f91403217fac9118c052b76b9888f78aee794c5461dc2e464c7325d4e40bafa008616c02a6e184a08f59b7dd3967b6599a8bfdd9797814b039a30f73

Download Submit
C:\Windows\System\luTkBKy.exe

Filesize
5.7MB

MD5
2c2e835fe1d31269f79a55def4303e4b

SHA1
9e7e5b3cf9db685ac196c4784e0b876274478b66

SHA256
0577e7de7102ae6a2d282a493c17b52e2c59b6e2e93c2a72d19191dc580db6f9

SHA512
507182e3962301e38e0675a96899355f32fbdf0b969236bcbfb5a5b5116ab2d9e7c832be4d013eb5b2743aa76d142c5fd646e4e82f7f4acd4fcf8938838b8cc5

Download Submit
C:\Windows\System\pOvtsaV.exe

Filesize
5.7MB

MD5
bc4fd5a5de3e6b31f420f0a78545980c

SHA1
abddef40ae264aaab05c0450298ba68e99e52008

SHA256
a67553a5f68de01d384a393e2b77a0f61f0895b2556c2ed8f74d385752d0ca4d

SHA512
ea6024a01969e539dfee1585f39a3876d79a4276e8bc592b74e100d2337987e8f8f263c742981be0655ffe0499b1146ed7476e5be6c0c7e3214a6a019222794f

Download Submit
C:\Windows\System\qbpGoju.exe

Filesize
5.7MB

MD5
c5db68cecc24b2c2acb53b0d1cd7adf7

SHA1
78173efe7798b9449ca94b6e0c27c3e5960c1261

SHA256
1d433575598423933b031fd2da5e357b300d65d40aea9397c02ce8421241347a

SHA512
a97444d98ba6b395c5c67c2d9de16f7ea5ba3fcf78e8e64205222bc35e0568a3b9f278310a1b59c71265b13d2e25653b6e6a1f90c73f522dcca78a598d37c3b7

Download Submit
C:\Windows\System\qdxEzfX.exe

Filesize
5.7MB

MD5
e7e950f86712ab5e3706337ed64a7cec

SHA1
a562da1243ea69680a8c1fb76a7547ce3f6fa8c1

SHA256
b8e1e18c7ef3c75fe5be64af6987254e4f53c111843bda57fcb12a0b2696452b

SHA512
15082833f3214199a204a223d50d4b0bc1fccd95fcbcc00a490c50337886377fe786cefb25d66a0ca534c17b1238843d9f7a89ae642b6ecc4c3dcccdfca0a5ce

Download Submit
C:\Windows\System\rBBcnbr.exe

Filesize
5.7MB

MD5
5894b12f5aa30c531c120ec0c7008c53

SHA1
a9168b8a59e7a29e8d87074d9092abf2af478e4b

SHA256
a9eed1c12e3d3869b0c7de76bd24eb4793748aa0af9405f2f1a265f12c6094b6

SHA512
bbf5c16053d6a41557a37776a88ded352a59a1b12a45f10d63e0684f454ad904959fdc428e46f8c75b4ce4b4fb78c97ce1e4b8e644086683a6e85f09ada59bfc

Download Submit
C:\Windows\System\rbocLcu.exe

Filesize
5.7MB

MD5
e29151f9ce2cdfa4b5a00b3df7a91c0a

SHA1
435eab0aed6ffb2582ab6175de50bcec853913de

SHA256
f1034bfd37badc0a1af68116a1b13c72021d371c10e14ecd6f3bf7c1a727820c

SHA512
a0ade8116aff9dd34eb77d522b3a4fd4a0e2b425f34f3879a1a2b62d6d1ae5896979ba5c8fa17073917b5929e79b438974eefab62048b295cbe2266dfaff8421

Download Submit
C:\Windows\System\ugGuIve.exe

Filesize
5.7MB

MD5
1f113e1b4d58b7cb2c31ce5cb086b616

SHA1
918309dac66bf5d760653fe74a815c8419bcb6bd

SHA256
16bff8fafc5c711b2abd75047557b7c50affcf2d0f91973740dae3f44b0b7bf4

SHA512
3e5367b004197fe1a0df82a431cfb543a2f2bfd701cb0f0fa15b39a4b52d55eab54c4e2b9c624925266c1bcefa705e5f79aa720a7aa422589781f3e9364b8cd5

Download Submit
C:\Windows\System\wcmsoGt.exe

Filesize
5.7MB

MD5
cb2cebe71aee30a2da4a01c23d21fd37

SHA1
e79b6a8768ec53cb72e036c7fe31f6da1146fb13

SHA256
941794bc7decc6fb552e23475e8915503f4cee41277e0ca330e2ff6df392e3cf

SHA512
13cbd6987c216486713b06c47e589a9d7000462dd6693692eea2037dc1263bc8a952748877225febdc1aa7fa2608c2911e4a59132aecbc5e1a6a614efb1dc944

Download Submit
C:\Windows\System\wnruLyy.exe

Filesize
5.7MB

MD5
60036258650910a481f7b29280278ed3

SHA1
3426112dd2e225b739cddd5363b04579bc1b26c4

SHA256
fd4a2b786f9e854bd441b8a58b795ddd2ea3329084fb0a4ede8ad071ce05f23f

SHA512
b2d42a380f2e1adf354c0b96decce53b321e27d52d1a486531ea1fec2870b4fd06ae31c40dc8d13be092c3e57299654b53a68d8855a9a7c4140d2ce18ffd0ee5

Download Submit
C:\Windows\System\xeAQOeV.exe

Filesize
5.7MB

MD5
08c032d74b792ec14aa2b886c4b28210

SHA1
af66ecd64f330a4ec78381b679e8a2b4507e53f0

SHA256
bc917a4c5b6215105ae739501d32ffd23f3f799d7b0cf633e1efdaf5ed729ebd

SHA512
54ca556024967ad24f37816bc83885f01d6c9459fc3974d95dbada270bb74784f622b2c7e0a3a7c6dbfa2c6771ac9aacc89dc74033491d0a0dc54e1252f9281b

Download Submit
C:\Windows\System\ybzgReO.exe

Filesize
5.7MB

MD5
7ac20e10b352c592deae7e27f2bd4a00

SHA1
cbe81757acd3aaf47332386181a4a83a75707c43

SHA256
2224e6f5a2bdbe9bdd0f431c14fceb47a30e008420d160c5130e2cfebbd82fb9

SHA512
dea56a9658b0a51b7a70dc7c7358ab2e545a8b15868e12096ee1f2c97014c2a865c8ac1f45d46693bbf028358879cb8bce64f03b7b83dce2a053b25afee91ad1

Download Submit
C:\Windows\System\zaixoaZ.exe

Filesize
5.7MB

MD5
a9236ea4344333ce1da15f5faadd0743

SHA1
026a75b22efe2e8959cda26b8ef1bb8f5f65fcbd

SHA256
1dff40b5ad7e0d80f25b814530ee9e26fc6164650b790e1b05a4fabdc5fc8818

SHA512
f70284bf53f386fa712c49063ec1f6f3d58db2e4871f731485e1ef4472cec41f33c16202d3f55510c687173194accd657db719ea862fbf614df2234574c310ce

Download Submit
memory/384-81-0x00007FF69C4E0000-0x00007FF69C82D000-memory.dmp

Filesize
3.3MB

Download
memory/664-115-0x00007FF78FEC0000-0x00007FF79020D000-memory.dmp

Filesize
3.3MB

Download
memory/1060-34-0x00007FF790430000-0x00007FF79077D000-memory.dmp

Filesize
3.3MB

Download
memory/1068-58-0x00007FF605CF0000-0x00007FF60603D000-memory.dmp

Filesize
3.3MB

Download
memory/1156-121-0x00007FF746B30000-0x00007FF746E7D000-memory.dmp

Filesize
3.3MB

Download
memory/1312-25-0x00007FF6B1830000-0x00007FF6B1B7D000-memory.dmp

Filesize
3.3MB

Download
memory/1324-179-0x00007FF768EF0000-0x00007FF76923D000-memory.dmp

Filesize
3.3MB

Download
memory/1484-86-0x00007FF78DC30000-0x00007FF78DF7D000-memory.dmp

Filesize
3.3MB

Download
memory/1556-103-0x00007FF6D58F0000-0x00007FF6D5C3D000-memory.dmp

Filesize
3.3MB

Download
memory/1584-130-0x00007FF6F7F10000-0x00007FF6F825D000-memory.dmp

Filesize
3.3MB

Download
memory/1628-46-0x00007FF7D9640000-0x00007FF7D998D000-memory.dmp

Filesize
3.3MB

Download
memory/1940-61-0x00007FF6711A0000-0x00007FF6714ED000-memory.dmp

Filesize
3.3MB

Download
memory/1976-109-0x00007FF6E7FF0000-0x00007FF6E833D000-memory.dmp

Filesize
3.3MB

Download
memory/1980-175-0x00007FF784A40000-0x00007FF784D8D000-memory.dmp

Filesize
3.3MB

Download
memory/2292-91-0x00007FF63EBB0000-0x00007FF63EEFD000-memory.dmp

Filesize
3.3MB

Download
memory/2396-153-0x00007FF7901F0000-0x00007FF79053D000-memory.dmp

Filesize
3.3MB

Download
memory/2684-55-0x00007FF74B4A0000-0x00007FF74B7ED000-memory.dmp

Filesize
3.3MB

Download
memory/2960-145-0x00007FF66BCE0000-0x00007FF66C02D000-memory.dmp

Filesize
3.3MB

Download
memory/3180-189-0x00007FF666A10000-0x00007FF666D5D000-memory.dmp

Filesize
3.3MB

Download
memory/3252-191-0x00007FF7FEC30000-0x00007FF7FEF7D000-memory.dmp

Filesize
3.3MB

Download
memory/3260-7-0x00007FF7E6940000-0x00007FF7E6C8D000-memory.dmp

Filesize
3.3MB

Download
memory/3396-199-0x00007FF607910000-0x00007FF607C5D000-memory.dmp

Filesize
3.3MB

Download
memory/3512-67-0x00007FF73F220000-0x00007FF73F56D000-memory.dmp

Filesize
3.3MB

Download
memory/3584-21-0x00007FF7ED640000-0x00007FF7ED98D000-memory.dmp

Filesize
3.3MB

Download
memory/3676-1-0x00000179BFD20000-0x00000179BFD30000-memory.dmp

Filesize
64KB

Download
memory/3676-0-0x00007FF6035D0000-0x00007FF60391D000-memory.dmp

Filesize
3.3MB

Download
memory/3748-136-0x00007FF7F2400000-0x00007FF7F274D000-memory.dmp

Filesize
3.3MB

Download
memory/3840-138-0x00007FF66E4E0000-0x00007FF66E82D000-memory.dmp

Filesize
3.3MB

Download
memory/4064-16-0x00007FF69C9C0000-0x00007FF69CD0D000-memory.dmp

Filesize
3.3MB

Download
memory/4336-50-0x00007FF686B60000-0x00007FF686EAD000-memory.dmp

Filesize
3.3MB

Download
memory/4352-97-0x00007FF6E26B0000-0x00007FF6E29FD000-memory.dmp

Filesize
3.3MB

Download
memory/4572-94-0x00007FF6BD910000-0x00007FF6BDC5D000-memory.dmp

Filesize
3.3MB

Download
memory/4976-165-0x00007FF62FFF0000-0x00007FF63033D000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads