cobaltstrike | 4e133a9d6cc5fe782b7834889c9d7292cd9e43937ed5de01ed9172b7f288fd74

Analysis

max time kernel
92s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

6.0MB
MD5

3c6b2b44a512f9b393b823a8ee8d021e
SHA1

5b213d9e2a2657f55b8574a7524508495fd5f66b
SHA256

4e133a9d6cc5fe782b7834889c9d7292cd9e43937ed5de01ed9172b7f288fd74
SHA512

04868ce762b7bb33877ad7254e40973e783a9b8fb120d58ec88194fcee0433922c4b3e1916a472763f4dc8eeeb7cbad17c2221f413ee48d6550709bf464628e6
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUw:T+q56utgpPF8u/7w

Score

10^/10

cobaltstrike xmrig 0 backdoor miner persistence trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 33 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b02-4.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b65-16.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b67-19.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6a-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b69-35.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b68-36.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6b-48.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6c-53.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b6d-59.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b6e-64.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b72-84.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b76-104.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b78-114.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-131.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-148.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-158.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-156.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-154.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-151.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-129.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-124.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b77-109.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b75-101.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b74-96.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b73-91.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b71-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b70-74.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b6f-69.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b66-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-184.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b63-187.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-191.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2144-0-0x00007FF79DEF0000-0x00007FF79E244000-memory.dmp	xmrig
behavioral2/files/0x000c000000023b02-4.dat	xmrig
behavioral2/memory/4880-8-0x00007FF62F040000-0x00007FF62F394000-memory.dmp	xmrig
behavioral2/files/0x000b000000023b65-16.dat	xmrig
behavioral2/files/0x000a000000023b67-19.dat	xmrig
behavioral2/files/0x000a000000023b6a-33.dat	xmrig
behavioral2/files/0x000a000000023b69-35.dat	xmrig
behavioral2/files/0x000a000000023b68-36.dat	xmrig
behavioral2/files/0x000a000000023b6b-48.dat	xmrig
behavioral2/files/0x000a000000023b6c-53.dat	xmrig
behavioral2/files/0x0031000000023b6d-59.dat	xmrig
behavioral2/files/0x0031000000023b6e-64.dat	xmrig
behavioral2/files/0x000a000000023b72-84.dat	xmrig
behavioral2/files/0x000a000000023b76-104.dat	xmrig
behavioral2/files/0x000a000000023b78-114.dat	xmrig
behavioral2/files/0x000a000000023b7c-131.dat	xmrig
behavioral2/files/0x000a000000023b81-148.dat	xmrig
behavioral2/memory/2508-163-0x00007FF6F99E0000-0x00007FF6F9D34000-memory.dmp	xmrig
behavioral2/memory/2056-168-0x00007FF7751A0000-0x00007FF7754F4000-memory.dmp	xmrig
behavioral2/memory/3120-175-0x00007FF69FBE0000-0x00007FF69FF34000-memory.dmp	xmrig
behavioral2/memory/2788-180-0x00007FF66E560000-0x00007FF66E8B4000-memory.dmp	xmrig
behavioral2/memory/4276-179-0x00007FF601100000-0x00007FF601454000-memory.dmp	xmrig
behavioral2/memory/4240-178-0x00007FF613640000-0x00007FF613994000-memory.dmp	xmrig
behavioral2/memory/1716-177-0x00007FF6041B0000-0x00007FF604504000-memory.dmp	xmrig
behavioral2/memory/1652-176-0x00007FF6144B0000-0x00007FF614804000-memory.dmp	xmrig
behavioral2/memory/3500-174-0x00007FF6A0CA0000-0x00007FF6A0FF4000-memory.dmp	xmrig
behavioral2/memory/2748-173-0x00007FF7D94C0000-0x00007FF7D9814000-memory.dmp	xmrig
behavioral2/memory/4876-172-0x00007FF6BE8E0000-0x00007FF6BEC34000-memory.dmp	xmrig
behavioral2/memory/3092-171-0x00007FF732270000-0x00007FF7325C4000-memory.dmp	xmrig
behavioral2/memory/444-170-0x00007FF7639F0000-0x00007FF763D44000-memory.dmp	xmrig
behavioral2/memory/2312-169-0x00007FF707030000-0x00007FF707384000-memory.dmp	xmrig
behavioral2/memory/2472-167-0x00007FF729440000-0x00007FF729794000-memory.dmp	xmrig
behavioral2/memory/3936-166-0x00007FF78CD70000-0x00007FF78D0C4000-memory.dmp	xmrig
behavioral2/memory/4656-165-0x00007FF7A8540000-0x00007FF7A8894000-memory.dmp	xmrig
behavioral2/memory/1240-164-0x00007FF64EE10000-0x00007FF64F164000-memory.dmp	xmrig
behavioral2/memory/3968-162-0x00007FF76B0E0000-0x00007FF76B434000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b80-158.dat	xmrig
behavioral2/files/0x000a000000023b7f-156.dat	xmrig
behavioral2/files/0x000a000000023b7e-154.dat	xmrig
behavioral2/memory/396-153-0x00007FF6477C0000-0x00007FF647B14000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b7d-151.dat	xmrig
behavioral2/memory/2364-150-0x00007FF6FC380000-0x00007FF6FC6D4000-memory.dmp	xmrig
behavioral2/memory/764-149-0x00007FF61BDC0000-0x00007FF61C114000-memory.dmp	xmrig
behavioral2/memory/392-143-0x00007FF6D98C0000-0x00007FF6D9C14000-memory.dmp	xmrig
behavioral2/memory/1660-142-0x00007FF76DAE0000-0x00007FF76DE34000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b7b-129.dat	xmrig
behavioral2/files/0x000a000000023b7a-124.dat	xmrig
behavioral2/files/0x000a000000023b79-119.dat	xmrig
behavioral2/files/0x000a000000023b77-109.dat	xmrig
behavioral2/files/0x000a000000023b75-101.dat	xmrig
behavioral2/files/0x000a000000023b74-96.dat	xmrig
behavioral2/files/0x000a000000023b73-91.dat	xmrig
behavioral2/files/0x000a000000023b71-81.dat	xmrig
behavioral2/files/0x000a000000023b70-74.dat	xmrig
behavioral2/files/0x0031000000023b6f-69.dat	xmrig
behavioral2/memory/4988-39-0x00007FF607660000-0x00007FF6079B4000-memory.dmp	xmrig
behavioral2/memory/4256-31-0x00007FF75AEA0000-0x00007FF75B1F4000-memory.dmp	xmrig
behavioral2/memory/1944-24-0x00007FF776110000-0x00007FF776464000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b66-23.dat	xmrig
behavioral2/memory/3440-14-0x00007FF60CC80000-0x00007FF60CFD4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b82-184.dat	xmrig
behavioral2/files/0x000b000000023b63-187.dat	xmrig
behavioral2/files/0x000a000000023b83-191.dat	xmrig
behavioral2/memory/2144-338-0x00007FF79DEF0000-0x00007FF79E244000-memory.dmp	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
4880	WabbrzS.exe
3440	jbNBDga.exe
1944	fxdyMEk.exe
4256	uVfMvXB.exe
4988	NDQnDqT.exe
4240	VaKTRjG.exe
1660	wHQQVJc.exe
4276	pASJgVU.exe
392	cQdaVmF.exe
764	FNciIyr.exe
2364	VNdSqsv.exe
396	xTbpXKz.exe
3968	bYTGpiV.exe
2508	LOevird.exe
1240	CSgTAtd.exe
4656	IHRJOGi.exe
3936	iVtzMRO.exe
2472	ijbhHzd.exe
2056	uMNAxrG.exe
2312	DWQtEFL.exe
444	XGqncWq.exe
3092	SSsYvhC.exe
4876	YLbeiyK.exe
2748	oLWzRHT.exe
3500	ciqdFho.exe
3120	oHtJIta.exe
2788	rOmHwJw.exe
1652	MxLrnxN.exe
1716	wxfRqQj.exe
1648	BocjLwJ.exe
1496	iygNylg.exe
3816	Cfyjheh.exe
2424	IIZSoXR.exe
1804	lcIeqel.exe
3140	TcdFLBH.exe
3700	BKfHMIE.exe
4120	DVPwodu.exe
4660	houOEKT.exe
3068	tmEzDxI.exe
1912	HACbpEm.exe
2188	AbNePeO.exe
2432	ZTiXdJi.exe
2640	XrPXQtT.exe
2876	oIhhmat.exe
3388	BUYerwG.exe
2452	LYImXLo.exe
2568	mWPypNI.exe
2540	ZcpmAxi.exe
1220	zARpuLj.exe
4036	qMUcCen.exe
732	kfoysdx.exe
2336	GWwLzOS.exe
5116	VDgVixl.exe
3436	KdlBnhX.exe
2176	yGqAIoh.exe
2368	rnBfans.exe
2028	XCwSlvj.exe
4080	tvRSKzp.exe
2564	vBuAHRU.exe
4512	nrwkcAC.exe
3932	IAeXrWO.exe
4816	nBDZsUU.exe
2916	FsQilAQ.exe
1940	LXZlNCY.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2144-0-0x00007FF79DEF0000-0x00007FF79E244000-memory.dmp	upx
behavioral2/files/0x000c000000023b02-4.dat	upx
behavioral2/memory/4880-8-0x00007FF62F040000-0x00007FF62F394000-memory.dmp	upx
behavioral2/files/0x000b000000023b65-16.dat	upx
behavioral2/files/0x000a000000023b67-19.dat	upx
behavioral2/files/0x000a000000023b6a-33.dat	upx
behavioral2/files/0x000a000000023b69-35.dat	upx
behavioral2/files/0x000a000000023b68-36.dat	upx
behavioral2/files/0x000a000000023b6b-48.dat	upx
behavioral2/files/0x000a000000023b6c-53.dat	upx
behavioral2/files/0x0031000000023b6d-59.dat	upx
behavioral2/files/0x0031000000023b6e-64.dat	upx
behavioral2/files/0x000a000000023b72-84.dat	upx
behavioral2/files/0x000a000000023b76-104.dat	upx
behavioral2/files/0x000a000000023b78-114.dat	upx
behavioral2/files/0x000a000000023b7c-131.dat	upx
behavioral2/files/0x000a000000023b81-148.dat	upx
behavioral2/memory/2508-163-0x00007FF6F99E0000-0x00007FF6F9D34000-memory.dmp	upx
behavioral2/memory/2056-168-0x00007FF7751A0000-0x00007FF7754F4000-memory.dmp	upx
behavioral2/memory/3120-175-0x00007FF69FBE0000-0x00007FF69FF34000-memory.dmp	upx
behavioral2/memory/2788-180-0x00007FF66E560000-0x00007FF66E8B4000-memory.dmp	upx
behavioral2/memory/4276-179-0x00007FF601100000-0x00007FF601454000-memory.dmp	upx
behavioral2/memory/4240-178-0x00007FF613640000-0x00007FF613994000-memory.dmp	upx
behavioral2/memory/1716-177-0x00007FF6041B0000-0x00007FF604504000-memory.dmp	upx
behavioral2/memory/1652-176-0x00007FF6144B0000-0x00007FF614804000-memory.dmp	upx
behavioral2/memory/3500-174-0x00007FF6A0CA0000-0x00007FF6A0FF4000-memory.dmp	upx
behavioral2/memory/2748-173-0x00007FF7D94C0000-0x00007FF7D9814000-memory.dmp	upx
behavioral2/memory/4876-172-0x00007FF6BE8E0000-0x00007FF6BEC34000-memory.dmp	upx
behavioral2/memory/3092-171-0x00007FF732270000-0x00007FF7325C4000-memory.dmp	upx
behavioral2/memory/444-170-0x00007FF7639F0000-0x00007FF763D44000-memory.dmp	upx
behavioral2/memory/2312-169-0x00007FF707030000-0x00007FF707384000-memory.dmp	upx
behavioral2/memory/2472-167-0x00007FF729440000-0x00007FF729794000-memory.dmp	upx
behavioral2/memory/3936-166-0x00007FF78CD70000-0x00007FF78D0C4000-memory.dmp	upx
behavioral2/memory/4656-165-0x00007FF7A8540000-0x00007FF7A8894000-memory.dmp	upx
behavioral2/memory/1240-164-0x00007FF64EE10000-0x00007FF64F164000-memory.dmp	upx
behavioral2/memory/3968-162-0x00007FF76B0E0000-0x00007FF76B434000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-158.dat	upx
behavioral2/files/0x000a000000023b7f-156.dat	upx
behavioral2/files/0x000a000000023b7e-154.dat	upx
behavioral2/memory/396-153-0x00007FF6477C0000-0x00007FF647B14000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-151.dat	upx
behavioral2/memory/2364-150-0x00007FF6FC380000-0x00007FF6FC6D4000-memory.dmp	upx
behavioral2/memory/764-149-0x00007FF61BDC0000-0x00007FF61C114000-memory.dmp	upx
behavioral2/memory/392-143-0x00007FF6D98C0000-0x00007FF6D9C14000-memory.dmp	upx
behavioral2/memory/1660-142-0x00007FF76DAE0000-0x00007FF76DE34000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-129.dat	upx
behavioral2/files/0x000a000000023b7a-124.dat	upx
behavioral2/files/0x000a000000023b79-119.dat	upx
behavioral2/files/0x000a000000023b77-109.dat	upx
behavioral2/files/0x000a000000023b75-101.dat	upx
behavioral2/files/0x000a000000023b74-96.dat	upx
behavioral2/files/0x000a000000023b73-91.dat	upx
behavioral2/files/0x000a000000023b71-81.dat	upx
behavioral2/files/0x000a000000023b70-74.dat	upx
behavioral2/files/0x0031000000023b6f-69.dat	upx
behavioral2/memory/4988-39-0x00007FF607660000-0x00007FF6079B4000-memory.dmp	upx
behavioral2/memory/4256-31-0x00007FF75AEA0000-0x00007FF75B1F4000-memory.dmp	upx
behavioral2/memory/1944-24-0x00007FF776110000-0x00007FF776464000-memory.dmp	upx
behavioral2/files/0x000a000000023b66-23.dat	upx
behavioral2/memory/3440-14-0x00007FF60CC80000-0x00007FF60CFD4000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-184.dat	upx
behavioral2/files/0x000b000000023b63-187.dat	upx
behavioral2/files/0x000a000000023b83-191.dat	upx
behavioral2/memory/2144-338-0x00007FF79DEF0000-0x00007FF79E244000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\YwVgYsd.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Qowobtl.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZeihjmV.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mFuTdMx.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\irCepHi.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\piniCCz.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sNbpXrZ.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DvUGsGi.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xHZUVmM.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ixqEVnj.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lPdYCZy.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vbXklUH.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oLwWYkZ.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AzncWPW.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wkRdRiR.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tkgnBGX.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mwQdsGh.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tAOKhyq.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hmfTpKh.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\scQQrwz.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GIzppoN.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wzlkzwN.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FzNzJMS.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VfVRcJo.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\itBuJVD.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gNWQOCA.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\byqLARA.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qLQgUUt.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xfqepmV.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fKagbOU.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jrWStvT.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vfarRAC.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jpWpRmr.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\doyoYYj.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VUeDiaU.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YXkNdeA.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NxRHjtU.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PPNhTCh.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ApypmFa.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SQnjdmP.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JbDDkfQ.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fbDXoPy.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qWKUdVZ.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HeiSTFT.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NwHwett.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qIqoqqw.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OrGtilS.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QWlLsjo.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cVpweJx.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BosALVx.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qsKZWVK.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XNDMzdt.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vDADPcc.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tvRSKzp.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vBuAHRU.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TRfAIlz.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iRoIiFm.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kCtScUl.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rEVQWkO.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rnBfans.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RKxhOJO.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WfzsMJG.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fSnIQTS.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RmNapPx.exe	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-805940606-1861219160-370298170-1000\{737522EA-11A7-447C-AB26-5FF47DB91931}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8349"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8382"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-805940606-1861219160-370298170-1000\{ADEFB16F-170F-4D7D-B18D-0818BB9E3EA9}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8382"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-805940606-1861219160-370298170-1000\{778EBFBE-D543-434A-97A8-CCB26E979F21}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8382"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	14936	explorer.exe
Token: SeCreatePagefilePrivilege	14936	explorer.exe
Token: SeShutdownPrivilege	14936	explorer.exe
Token: SeCreatePagefilePrivilege	14936	explorer.exe
Token: SeShutdownPrivilege	14936	explorer.exe
Token: SeCreatePagefilePrivilege	14936	explorer.exe
Token: SeShutdownPrivilege	14936	explorer.exe
Token: SeCreatePagefilePrivilege	14936	explorer.exe
Token: SeShutdownPrivilege	14936	explorer.exe
Token: SeCreatePagefilePrivilege	14936	explorer.exe
Token: SeShutdownPrivilege	14936	explorer.exe
Token: SeCreatePagefilePrivilege	14936	explorer.exe
Token: SeShutdownPrivilege	14936	explorer.exe
Token: SeCreatePagefilePrivilege	14936	explorer.exe
Token: SeShutdownPrivilege	14936	explorer.exe
Token: SeCreatePagefilePrivilege	14936	explorer.exe
Token: SeShutdownPrivilege	14936	explorer.exe
Token: SeCreatePagefilePrivilege	14936	explorer.exe
Token: SeShutdownPrivilege	14936	explorer.exe
Token: SeCreatePagefilePrivilege	14936	explorer.exe
Token: SeShutdownPrivilege	14936	explorer.exe
Token: SeCreatePagefilePrivilege	14936	explorer.exe
Token: SeShutdownPrivilege	6032	explorer.exe
Token: SeCreatePagefilePrivilege	6032	explorer.exe
Token: SeShutdownPrivilege	6032	explorer.exe
Token: SeCreatePagefilePrivilege	6032	explorer.exe
Token: SeShutdownPrivilege	6032	explorer.exe
Token: SeCreatePagefilePrivilege	6032	explorer.exe
Token: SeShutdownPrivilege	6032	explorer.exe
Token: SeCreatePagefilePrivilege	6032	explorer.exe
Token: SeShutdownPrivilege	6032	explorer.exe
Token: SeCreatePagefilePrivilege	6032	explorer.exe
Token: SeShutdownPrivilege	6032	explorer.exe
Token: SeCreatePagefilePrivilege	6032	explorer.exe
Token: SeShutdownPrivilege	6032	explorer.exe
Token: SeCreatePagefilePrivilege	6032	explorer.exe
Token: SeShutdownPrivilege	6032	explorer.exe
Token: SeCreatePagefilePrivilege	6032	explorer.exe
Token: SeShutdownPrivilege	6032	explorer.exe
Token: SeCreatePagefilePrivilege	6032	explorer.exe
Token: SeShutdownPrivilege	6032	explorer.exe
Token: SeCreatePagefilePrivilege	6032	explorer.exe
Token: SeShutdownPrivilege	6032	explorer.exe
Token: SeCreatePagefilePrivilege	6032	explorer.exe
Token: SeShutdownPrivilege	2716	explorer.exe
Token: SeCreatePagefilePrivilege	2716	explorer.exe
Token: SeShutdownPrivilege	2716	explorer.exe
Token: SeCreatePagefilePrivilege	2716	explorer.exe
Token: SeShutdownPrivilege	2716	explorer.exe
Token: SeCreatePagefilePrivilege	2716	explorer.exe
Token: SeShutdownPrivilege	2716	explorer.exe
Token: SeCreatePagefilePrivilege	2716	explorer.exe
Token: SeShutdownPrivilege	2716	explorer.exe
Token: SeCreatePagefilePrivilege	2716	explorer.exe
Token: SeShutdownPrivilege	2716	explorer.exe
Token: SeCreatePagefilePrivilege	2716	explorer.exe
Token: SeShutdownPrivilege	2716	explorer.exe
Token: SeCreatePagefilePrivilege	2716	explorer.exe
Token: SeShutdownPrivilege	2716	explorer.exe
Token: SeCreatePagefilePrivilege	2716	explorer.exe
Token: SeShutdownPrivilege	2716	explorer.exe
Token: SeCreatePagefilePrivilege	2716	explorer.exe
Token: SeShutdownPrivilege	2716	explorer.exe
Token: SeCreatePagefilePrivilege	2716	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
14788	sihost.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
14936	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
6032	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
2716	explorer.exe
9708	explorer.exe
9708	explorer.exe
9708	explorer.exe
9708	explorer.exe
9708	explorer.exe
9708	explorer.exe
9708	explorer.exe
9708	explorer.exe
9708	explorer.exe
9708	explorer.exe
9708	explorer.exe
9708	explorer.exe
9708	explorer.exe
9708	explorer.exe
9708	explorer.exe
9708	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
15340	StartMenuExperienceHost.exe
5808	StartMenuExperienceHost.exe
7644	StartMenuExperienceHost.exe
7404	SearchApp.exe
10680	StartMenuExperienceHost.exe
6832	SearchApp.exe
6020	StartMenuExperienceHost.exe
5900	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 4880	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2144 wrote to memory of 4880	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2144 wrote to memory of 3440	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2144 wrote to memory of 3440	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2144 wrote to memory of 1944	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2144 wrote to memory of 1944	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2144 wrote to memory of 4256	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2144 wrote to memory of 4256	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2144 wrote to memory of 4988	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2144 wrote to memory of 4988	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2144 wrote to memory of 1660	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2144 wrote to memory of 1660	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2144 wrote to memory of 4240	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2144 wrote to memory of 4240	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2144 wrote to memory of 4276	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2144 wrote to memory of 4276	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2144 wrote to memory of 392	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2144 wrote to memory of 392	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2144 wrote to memory of 764	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2144 wrote to memory of 764	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2144 wrote to memory of 2364	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2144 wrote to memory of 2364	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2144 wrote to memory of 396	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2144 wrote to memory of 396	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2144 wrote to memory of 3968	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2144 wrote to memory of 3968	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2144 wrote to memory of 2508	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2144 wrote to memory of 2508	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2144 wrote to memory of 1240	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2144 wrote to memory of 1240	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2144 wrote to memory of 4656	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2144 wrote to memory of 4656	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2144 wrote to memory of 3936	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2144 wrote to memory of 3936	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2144 wrote to memory of 2472	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2144 wrote to memory of 2472	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2144 wrote to memory of 2056	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2144 wrote to memory of 2056	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2144 wrote to memory of 2312	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2144 wrote to memory of 2312	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2144 wrote to memory of 444	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2144 wrote to memory of 444	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2144 wrote to memory of 3092	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2144 wrote to memory of 3092	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2144 wrote to memory of 4876	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2144 wrote to memory of 4876	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2144 wrote to memory of 2748	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2144 wrote to memory of 2748	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2144 wrote to memory of 3500	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2144 wrote to memory of 3500	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2144 wrote to memory of 3120	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2144 wrote to memory of 3120	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2144 wrote to memory of 2788	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 2144 wrote to memory of 2788	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 2144 wrote to memory of 1652	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 2144 wrote to memory of 1652	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 2144 wrote to memory of 1716	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 2144 wrote to memory of 1716	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 2144 wrote to memory of 1648	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 2144 wrote to memory of 1648	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 2144 wrote to memory of 1496	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	117
PID 2144 wrote to memory of 1496	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	117
PID 2144 wrote to memory of 3816	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	118
PID 2144 wrote to memory of 3816	2144	2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe	118

C:\Users\Admin\AppData\Local\Temp\2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-01_3c6b2b44a512f9b393b823a8ee8d021e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\System\WabbrzS.exe
  C:\Windows\System\WabbrzS.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\jbNBDga.exe
  C:\Windows\System\jbNBDga.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System\fxdyMEk.exe
  C:\Windows\System\fxdyMEk.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\uVfMvXB.exe
  C:\Windows\System\uVfMvXB.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System\NDQnDqT.exe
  C:\Windows\System\NDQnDqT.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\wHQQVJc.exe
  C:\Windows\System\wHQQVJc.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\VaKTRjG.exe
  C:\Windows\System\VaKTRjG.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System\pASJgVU.exe
  C:\Windows\System\pASJgVU.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\cQdaVmF.exe
  C:\Windows\System\cQdaVmF.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System\FNciIyr.exe
  C:\Windows\System\FNciIyr.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\VNdSqsv.exe
  C:\Windows\System\VNdSqsv.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\xTbpXKz.exe
  C:\Windows\System\xTbpXKz.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\bYTGpiV.exe
  C:\Windows\System\bYTGpiV.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System\LOevird.exe
  C:\Windows\System\LOevird.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\CSgTAtd.exe
  C:\Windows\System\CSgTAtd.exe
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\System\IHRJOGi.exe
  C:\Windows\System\IHRJOGi.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\iVtzMRO.exe
  C:\Windows\System\iVtzMRO.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System\ijbhHzd.exe
  C:\Windows\System\ijbhHzd.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\uMNAxrG.exe
  C:\Windows\System\uMNAxrG.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\DWQtEFL.exe
  C:\Windows\System\DWQtEFL.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System\XGqncWq.exe
  C:\Windows\System\XGqncWq.exe
  2⤵
  - Executes dropped EXE
  PID:444
- C:\Windows\System\SSsYvhC.exe
  C:\Windows\System\SSsYvhC.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System\YLbeiyK.exe
  C:\Windows\System\YLbeiyK.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\oLWzRHT.exe
  C:\Windows\System\oLWzRHT.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\ciqdFho.exe
  C:\Windows\System\ciqdFho.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\oHtJIta.exe
  C:\Windows\System\oHtJIta.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\rOmHwJw.exe
  C:\Windows\System\rOmHwJw.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\MxLrnxN.exe
  C:\Windows\System\MxLrnxN.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\wxfRqQj.exe
  C:\Windows\System\wxfRqQj.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\BocjLwJ.exe
  C:\Windows\System\BocjLwJ.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\iygNylg.exe
  C:\Windows\System\iygNylg.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\Cfyjheh.exe
  C:\Windows\System\Cfyjheh.exe
  2⤵
  - Executes dropped EXE
  PID:3816
- C:\Windows\System\IIZSoXR.exe
  C:\Windows\System\IIZSoXR.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\lcIeqel.exe
  C:\Windows\System\lcIeqel.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\TcdFLBH.exe
  C:\Windows\System\TcdFLBH.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System\BKfHMIE.exe
  C:\Windows\System\BKfHMIE.exe
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\System\DVPwodu.exe
  C:\Windows\System\DVPwodu.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System\houOEKT.exe
  C:\Windows\System\houOEKT.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System\tmEzDxI.exe
  C:\Windows\System\tmEzDxI.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\HACbpEm.exe
  C:\Windows\System\HACbpEm.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\AbNePeO.exe
  C:\Windows\System\AbNePeO.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\ZTiXdJi.exe
  C:\Windows\System\ZTiXdJi.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\XrPXQtT.exe
  C:\Windows\System\XrPXQtT.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\oIhhmat.exe
  C:\Windows\System\oIhhmat.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\BUYerwG.exe
  C:\Windows\System\BUYerwG.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\LYImXLo.exe
  C:\Windows\System\LYImXLo.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\mWPypNI.exe
  C:\Windows\System\mWPypNI.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\ZcpmAxi.exe
  C:\Windows\System\ZcpmAxi.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\zARpuLj.exe
  C:\Windows\System\zARpuLj.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\qMUcCen.exe
  C:\Windows\System\qMUcCen.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\kfoysdx.exe
  C:\Windows\System\kfoysdx.exe
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\System\GWwLzOS.exe
  C:\Windows\System\GWwLzOS.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\VDgVixl.exe
  C:\Windows\System\VDgVixl.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\KdlBnhX.exe
  C:\Windows\System\KdlBnhX.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System\yGqAIoh.exe
  C:\Windows\System\yGqAIoh.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\rnBfans.exe
  C:\Windows\System\rnBfans.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\XCwSlvj.exe
  C:\Windows\System\XCwSlvj.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\tvRSKzp.exe
  C:\Windows\System\tvRSKzp.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System\vBuAHRU.exe
  C:\Windows\System\vBuAHRU.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\nrwkcAC.exe
  C:\Windows\System\nrwkcAC.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\IAeXrWO.exe
  C:\Windows\System\IAeXrWO.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System\nBDZsUU.exe
  C:\Windows\System\nBDZsUU.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\FsQilAQ.exe
  C:\Windows\System\FsQilAQ.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\LXZlNCY.exe
  C:\Windows\System\LXZlNCY.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\hmfTpKh.exe
  C:\Windows\System\hmfTpKh.exe
  2⤵
  PID:1164
- C:\Windows\System\rSwPeuO.exe
  C:\Windows\System\rSwPeuO.exe
  2⤵
  PID:3504
- C:\Windows\System\SaqhGsh.exe
  C:\Windows\System\SaqhGsh.exe
  2⤵
  PID:3852
- C:\Windows\System\kYkPwUC.exe
  C:\Windows\System\kYkPwUC.exe
  2⤵
  PID:4564
- C:\Windows\System\VeGIxNS.exe
  C:\Windows\System\VeGIxNS.exe
  2⤵
  PID:1840
- C:\Windows\System\GKVTuSf.exe
  C:\Windows\System\GKVTuSf.exe
  2⤵
  PID:4888
- C:\Windows\System\QPPHIBX.exe
  C:\Windows\System\QPPHIBX.exe
  2⤵
  PID:3132
- C:\Windows\System\CjqwweF.exe
  C:\Windows\System\CjqwweF.exe
  2⤵
  PID:2644
- C:\Windows\System\UsGBOzS.exe
  C:\Windows\System\UsGBOzS.exe
  2⤵
  PID:3848
- C:\Windows\System\RmNapPx.exe
  C:\Windows\System\RmNapPx.exe
  2⤵
  PID:4548
- C:\Windows\System\YXRzCPQ.exe
  C:\Windows\System\YXRzCPQ.exe
  2⤵
  PID:3788
- C:\Windows\System\GKwCIlr.exe
  C:\Windows\System\GKwCIlr.exe
  2⤵
  PID:512
- C:\Windows\System\rwLvxzL.exe
  C:\Windows\System\rwLvxzL.exe
  2⤵
  PID:2560
- C:\Windows\System\AVkbNYO.exe
  C:\Windows\System\AVkbNYO.exe
  2⤵
  PID:1932
- C:\Windows\System\kVAgMbm.exe
  C:\Windows\System\kVAgMbm.exe
  2⤵
  PID:2208
- C:\Windows\System\AGLwHwQ.exe
  C:\Windows\System\AGLwHwQ.exe
  2⤵
  PID:3656
- C:\Windows\System\RmLWPAj.exe
  C:\Windows\System\RmLWPAj.exe
  2⤵
  PID:3592
- C:\Windows\System\jzgogMM.exe
  C:\Windows\System\jzgogMM.exe
  2⤵
  PID:3952
- C:\Windows\System\wYWBWYl.exe
  C:\Windows\System\wYWBWYl.exe
  2⤵
  PID:4376
- C:\Windows\System\ncyIURE.exe
  C:\Windows\System\ncyIURE.exe
  2⤵
  PID:2420
- C:\Windows\System\kolfOUM.exe
  C:\Windows\System\kolfOUM.exe
  2⤵
  PID:3924
- C:\Windows\System\gnwdSyc.exe
  C:\Windows\System\gnwdSyc.exe
  2⤵
  PID:4412
- C:\Windows\System\YnOoYam.exe
  C:\Windows\System\YnOoYam.exe
  2⤵
  PID:3464
- C:\Windows\System\repHAcn.exe
  C:\Windows\System\repHAcn.exe
  2⤵
  PID:2272
- C:\Windows\System\xGukRfg.exe
  C:\Windows\System\xGukRfg.exe
  2⤵
  PID:3600
- C:\Windows\System\SiVvkWo.exe
  C:\Windows\System\SiVvkWo.exe
  2⤵
  PID:4604
- C:\Windows\System\AhNivgm.exe
  C:\Windows\System\AhNivgm.exe
  2⤵
  PID:1472
- C:\Windows\System\aPzErGx.exe
  C:\Windows\System\aPzErGx.exe
  2⤵
  PID:2012
- C:\Windows\System\NxRHjtU.exe
  C:\Windows\System\NxRHjtU.exe
  2⤵
  PID:5132
- C:\Windows\System\EutPFjN.exe
  C:\Windows\System\EutPFjN.exe
  2⤵
  PID:5160
- C:\Windows\System\MzCYQfP.exe
  C:\Windows\System\MzCYQfP.exe
  2⤵
  PID:5188
- C:\Windows\System\jhllEqJ.exe
  C:\Windows\System\jhllEqJ.exe
  2⤵
  PID:5216
- C:\Windows\System\WljZShn.exe
  C:\Windows\System\WljZShn.exe
  2⤵
  PID:5248
- C:\Windows\System\ZnqMfcZ.exe
  C:\Windows\System\ZnqMfcZ.exe
  2⤵
  PID:5276
- C:\Windows\System\aYoclJR.exe
  C:\Windows\System\aYoclJR.exe
  2⤵
  PID:5304
- C:\Windows\System\aHGEFwc.exe
  C:\Windows\System\aHGEFwc.exe
  2⤵
  PID:5332
- C:\Windows\System\qdRSBDL.exe
  C:\Windows\System\qdRSBDL.exe
  2⤵
  PID:5360
- C:\Windows\System\uxVQFJx.exe
  C:\Windows\System\uxVQFJx.exe
  2⤵
  PID:5380
- C:\Windows\System\FzNzJMS.exe
  C:\Windows\System\FzNzJMS.exe
  2⤵
  PID:5404
- C:\Windows\System\kDJuXlj.exe
  C:\Windows\System\kDJuXlj.exe
  2⤵
  PID:5444
- C:\Windows\System\JfOGjAA.exe
  C:\Windows\System\JfOGjAA.exe
  2⤵
  PID:5472
- C:\Windows\System\uOfVygK.exe
  C:\Windows\System\uOfVygK.exe
  2⤵
  PID:5504
- C:\Windows\System\VuwtsKi.exe
  C:\Windows\System\VuwtsKi.exe
  2⤵
  PID:5524
- C:\Windows\System\ePSjCOu.exe
  C:\Windows\System\ePSjCOu.exe
  2⤵
  PID:5556
- C:\Windows\System\izjzoZP.exe
  C:\Windows\System\izjzoZP.exe
  2⤵
  PID:5588
- C:\Windows\System\CLSzkuF.exe
  C:\Windows\System\CLSzkuF.exe
  2⤵
  PID:5616
- C:\Windows\System\rgQNKKH.exe
  C:\Windows\System\rgQNKKH.exe
  2⤵
  PID:5640
- C:\Windows\System\YILOtie.exe
  C:\Windows\System\YILOtie.exe
  2⤵
  PID:5672
- C:\Windows\System\OncWyxP.exe
  C:\Windows\System\OncWyxP.exe
  2⤵
  PID:5700
- C:\Windows\System\DvUGsGi.exe
  C:\Windows\System\DvUGsGi.exe
  2⤵
  PID:5728
- C:\Windows\System\eRUXyvw.exe
  C:\Windows\System\eRUXyvw.exe
  2⤵
  PID:5756
- C:\Windows\System\OebEHlm.exe
  C:\Windows\System\OebEHlm.exe
  2⤵
  PID:5780
- C:\Windows\System\AyUKgZl.exe
  C:\Windows\System\AyUKgZl.exe
  2⤵
  PID:5812
- C:\Windows\System\wbKtWtQ.exe
  C:\Windows\System\wbKtWtQ.exe
  2⤵
  PID:5840
- C:\Windows\System\XmFngIN.exe
  C:\Windows\System\XmFngIN.exe
  2⤵
  PID:5868
- C:\Windows\System\KNuaKoH.exe
  C:\Windows\System\KNuaKoH.exe
  2⤵
  PID:5892
- C:\Windows\System\yRBZTmd.exe
  C:\Windows\System\yRBZTmd.exe
  2⤵
  PID:5928
- C:\Windows\System\Rvqyxal.exe
  C:\Windows\System\Rvqyxal.exe
  2⤵
  PID:5948
- C:\Windows\System\LKCIxSj.exe
  C:\Windows\System\LKCIxSj.exe
  2⤵
  PID:5976
- C:\Windows\System\ixrROJi.exe
  C:\Windows\System\ixrROJi.exe
  2⤵
  PID:6016
- C:\Windows\System\pvvESXq.exe
  C:\Windows\System\pvvESXq.exe
  2⤵
  PID:6048
- C:\Windows\System\oLwWYkZ.exe
  C:\Windows\System\oLwWYkZ.exe
  2⤵
  PID:6072
- C:\Windows\System\LAUsLyK.exe
  C:\Windows\System\LAUsLyK.exe
  2⤵
  PID:6104
- C:\Windows\System\iqFxyQq.exe
  C:\Windows\System\iqFxyQq.exe
  2⤵
  PID:6132
- C:\Windows\System\fSnIQTS.exe
  C:\Windows\System\fSnIQTS.exe
  2⤵
  PID:5148
- C:\Windows\System\YwVgYsd.exe
  C:\Windows\System\YwVgYsd.exe
  2⤵
  PID:5224
- C:\Windows\System\BJMPCAi.exe
  C:\Windows\System\BJMPCAi.exe
  2⤵
  PID:5300
- C:\Windows\System\AXpHdwA.exe
  C:\Windows\System\AXpHdwA.exe
  2⤵
  PID:5340
- C:\Windows\System\uflbFtZ.exe
  C:\Windows\System\uflbFtZ.exe
  2⤵
  PID:5412
- C:\Windows\System\OduPcAE.exe
  C:\Windows\System\OduPcAE.exe
  2⤵
  PID:4076
- C:\Windows\System\ZYOzlFN.exe
  C:\Windows\System\ZYOzlFN.exe
  2⤵
  PID:5024
- C:\Windows\System\EYwWEYl.exe
  C:\Windows\System\EYwWEYl.exe
  2⤵
  PID:4844
- C:\Windows\System\zEUVgJM.exe
  C:\Windows\System\zEUVgJM.exe
  2⤵
  PID:2152
- C:\Windows\System\NqUJAAL.exe
  C:\Windows\System\NqUJAAL.exe
  2⤵
  PID:5480
- C:\Windows\System\YMvmdWN.exe
  C:\Windows\System\YMvmdWN.exe
  2⤵
  PID:5516
- C:\Windows\System\cNkdGCd.exe
  C:\Windows\System\cNkdGCd.exe
  2⤵
  PID:5584
- C:\Windows\System\gZwzrld.exe
  C:\Windows\System\gZwzrld.exe
  2⤵
  PID:5652
- C:\Windows\System\pTmhhkg.exe
  C:\Windows\System\pTmhhkg.exe
  2⤵
  PID:5716
- C:\Windows\System\cVURWbU.exe
  C:\Windows\System\cVURWbU.exe
  2⤵
  PID:5788
- C:\Windows\System\VCOmYjK.exe
  C:\Windows\System\VCOmYjK.exe
  2⤵
  PID:5848
- C:\Windows\System\cohRrFm.exe
  C:\Windows\System\cohRrFm.exe
  2⤵
  PID:5900
- C:\Windows\System\ldQKPpP.exe
  C:\Windows\System\ldQKPpP.exe
  2⤵
  PID:5972
- C:\Windows\System\qtRGBVn.exe
  C:\Windows\System\qtRGBVn.exe
  2⤵
  PID:6064
- C:\Windows\System\qrHMwnX.exe
  C:\Windows\System\qrHMwnX.exe
  2⤵
  PID:6128
- C:\Windows\System\ptZCfyE.exe
  C:\Windows\System\ptZCfyE.exe
  2⤵
  PID:5232
- C:\Windows\System\dTbYkCz.exe
  C:\Windows\System\dTbYkCz.exe
  2⤵
  PID:5388
- C:\Windows\System\TPZdavL.exe
  C:\Windows\System\TPZdavL.exe
  2⤵
  PID:4312
- C:\Windows\System\CgRSIRe.exe
  C:\Windows\System\CgRSIRe.exe
  2⤵
  PID:1936
- C:\Windows\System\yVXbJnO.exe
  C:\Windows\System\yVXbJnO.exe
  2⤵
  PID:5576
- C:\Windows\System\AzncWPW.exe
  C:\Windows\System\AzncWPW.exe
  2⤵
  PID:5708
- C:\Windows\System\PTyDZnO.exe
  C:\Windows\System\PTyDZnO.exe
  2⤵
  PID:5856
- C:\Windows\System\OZeFrpu.exe
  C:\Windows\System\OZeFrpu.exe
  2⤵
  PID:6008
- C:\Windows\System\zHpUjtM.exe
  C:\Windows\System\zHpUjtM.exe
  2⤵
  PID:5128
- C:\Windows\System\mXOwPku.exe
  C:\Windows\System\mXOwPku.exe
  2⤵
  PID:4904
- C:\Windows\System\RRPwSAX.exe
  C:\Windows\System\RRPwSAX.exe
  2⤵
  PID:5512
- C:\Windows\System\kqmzxHB.exe
  C:\Windows\System\kqmzxHB.exe
  2⤵
  PID:5884
- C:\Windows\System\TrERFsm.exe
  C:\Windows\System\TrERFsm.exe
  2⤵
  PID:5324
- C:\Windows\System\qIqoqqw.exe
  C:\Windows\System\qIqoqqw.exe
  2⤵
  PID:5820
- C:\Windows\System\VVRCrKi.exe
  C:\Windows\System\VVRCrKi.exe
  2⤵
  PID:5196
- C:\Windows\System\esJzKvt.exe
  C:\Windows\System\esJzKvt.exe
  2⤵
  PID:6160
- C:\Windows\System\mXlTJlk.exe
  C:\Windows\System\mXlTJlk.exe
  2⤵
  PID:6184
- C:\Windows\System\pGsSnXF.exe
  C:\Windows\System\pGsSnXF.exe
  2⤵
  PID:6220
- C:\Windows\System\Qowobtl.exe
  C:\Windows\System\Qowobtl.exe
  2⤵
  PID:6244
- C:\Windows\System\fDuAjff.exe
  C:\Windows\System\fDuAjff.exe
  2⤵
  PID:6280
- C:\Windows\System\ZYTTbvP.exe
  C:\Windows\System\ZYTTbvP.exe
  2⤵
  PID:6312
- C:\Windows\System\FHPCQfC.exe
  C:\Windows\System\FHPCQfC.exe
  2⤵
  PID:6340
- C:\Windows\System\HkWOSkt.exe
  C:\Windows\System\HkWOSkt.exe
  2⤵
  PID:6368
- C:\Windows\System\uaqCGBM.exe
  C:\Windows\System\uaqCGBM.exe
  2⤵
  PID:6396
- C:\Windows\System\HwrirvR.exe
  C:\Windows\System\HwrirvR.exe
  2⤵
  PID:6424
- C:\Windows\System\cywemLw.exe
  C:\Windows\System\cywemLw.exe
  2⤵
  PID:6452
- C:\Windows\System\uhilcWY.exe
  C:\Windows\System\uhilcWY.exe
  2⤵
  PID:6480
- C:\Windows\System\befOQjd.exe
  C:\Windows\System\befOQjd.exe
  2⤵
  PID:6508
- C:\Windows\System\bDAoaSl.exe
  C:\Windows\System\bDAoaSl.exe
  2⤵
  PID:6536
- C:\Windows\System\BIGQJAI.exe
  C:\Windows\System\BIGQJAI.exe
  2⤵
  PID:6564
- C:\Windows\System\kqZsfIW.exe
  C:\Windows\System\kqZsfIW.exe
  2⤵
  PID:6592
- C:\Windows\System\wTeXUbo.exe
  C:\Windows\System\wTeXUbo.exe
  2⤵
  PID:6620
- C:\Windows\System\swZXkpv.exe
  C:\Windows\System\swZXkpv.exe
  2⤵
  PID:6648
- C:\Windows\System\kCTaVwW.exe
  C:\Windows\System\kCTaVwW.exe
  2⤵
  PID:6668
- C:\Windows\System\jCDkhfw.exe
  C:\Windows\System\jCDkhfw.exe
  2⤵
  PID:6692
- C:\Windows\System\iCJxEwW.exe
  C:\Windows\System\iCJxEwW.exe
  2⤵
  PID:6708
- C:\Windows\System\UBJNWDr.exe
  C:\Windows\System\UBJNWDr.exe
  2⤵
  PID:6736
- C:\Windows\System\uJRdeVs.exe
  C:\Windows\System\uJRdeVs.exe
  2⤵
  PID:6764
- C:\Windows\System\LhMfuHp.exe
  C:\Windows\System\LhMfuHp.exe
  2⤵
  PID:6784
- C:\Windows\System\cDiwlpk.exe
  C:\Windows\System\cDiwlpk.exe
  2⤵
  PID:6812
- C:\Windows\System\QBaZXQP.exe
  C:\Windows\System\QBaZXQP.exe
  2⤵
  PID:6864
- C:\Windows\System\ncEHJvb.exe
  C:\Windows\System\ncEHJvb.exe
  2⤵
  PID:6892
- C:\Windows\System\XrbSKqx.exe
  C:\Windows\System\XrbSKqx.exe
  2⤵
  PID:6916
- C:\Windows\System\tIHQbzo.exe
  C:\Windows\System\tIHQbzo.exe
  2⤵
  PID:6948
- C:\Windows\System\XFqfvtc.exe
  C:\Windows\System\XFqfvtc.exe
  2⤵
  PID:6976
- C:\Windows\System\dHYwMip.exe
  C:\Windows\System\dHYwMip.exe
  2⤵
  PID:7004
- C:\Windows\System\ZOrIIJz.exe
  C:\Windows\System\ZOrIIJz.exe
  2⤵
  PID:7028
- C:\Windows\System\fKagbOU.exe
  C:\Windows\System\fKagbOU.exe
  2⤵
  PID:7056
- C:\Windows\System\kSWOQhb.exe
  C:\Windows\System\kSWOQhb.exe
  2⤵
  PID:7100
- C:\Windows\System\NIrUOxP.exe
  C:\Windows\System\NIrUOxP.exe
  2⤵
  PID:7128
- C:\Windows\System\BVaRNfd.exe
  C:\Windows\System\BVaRNfd.exe
  2⤵
  PID:7156
- C:\Windows\System\DXLDmmY.exe
  C:\Windows\System\DXLDmmY.exe
  2⤵
  PID:6168
- C:\Windows\System\wRdvrSM.exe
  C:\Windows\System\wRdvrSM.exe
  2⤵
  PID:6232
- C:\Windows\System\ZAkwmBo.exe
  C:\Windows\System\ZAkwmBo.exe
  2⤵
  PID:6308
- C:\Windows\System\ZeihjmV.exe
  C:\Windows\System\ZeihjmV.exe
  2⤵
  PID:6356
- C:\Windows\System\iAgEZqY.exe
  C:\Windows\System\iAgEZqY.exe
  2⤵
  PID:6468
- C:\Windows\System\SFPSgXS.exe
  C:\Windows\System\SFPSgXS.exe
  2⤵
  PID:6636
- C:\Windows\System\kiMMNCs.exe
  C:\Windows\System\kiMMNCs.exe
  2⤵
  PID:6748
- C:\Windows\System\TRfAIlz.exe
  C:\Windows\System\TRfAIlz.exe
  2⤵
  PID:6872
- C:\Windows\System\qpbSvxz.exe
  C:\Windows\System\qpbSvxz.exe
  2⤵
  PID:7012
- C:\Windows\System\IOmyvUf.exe
  C:\Windows\System\IOmyvUf.exe
  2⤵
  PID:7140
- C:\Windows\System\oFYLGGh.exe
  C:\Windows\System\oFYLGGh.exe
  2⤵
  PID:6252
- C:\Windows\System\FYdiAjU.exe
  C:\Windows\System\FYdiAjU.exe
  2⤵
  PID:6384
- C:\Windows\System\weQWKQX.exe
  C:\Windows\System\weQWKQX.exe
  2⤵
  PID:6392
- C:\Windows\System\nwnRqAJ.exe
  C:\Windows\System\nwnRqAJ.exe
  2⤵
  PID:6776
- C:\Windows\System\IQKLEjJ.exe
  C:\Windows\System\IQKLEjJ.exe
  2⤵
  PID:6984
- C:\Windows\System\gDECdXr.exe
  C:\Windows\System\gDECdXr.exe
  2⤵
  PID:7164
- C:\Windows\System\OsXkAmZ.exe
  C:\Windows\System\OsXkAmZ.exe
  2⤵
  PID:2896
- C:\Windows\System\lUjEOdB.exe
  C:\Windows\System\lUjEOdB.exe
  2⤵
  PID:7076
- C:\Windows\System\XCnsSko.exe
  C:\Windows\System\XCnsSko.exe
  2⤵
  PID:2196
- C:\Windows\System\ZndUWKn.exe
  C:\Windows\System\ZndUWKn.exe
  2⤵
  PID:6404
- C:\Windows\System\ibxosKN.exe
  C:\Windows\System\ibxosKN.exe
  2⤵
  PID:696
- C:\Windows\System\qonYKSd.exe
  C:\Windows\System\qonYKSd.exe
  2⤵
  PID:7184
- C:\Windows\System\mFuTdMx.exe
  C:\Windows\System\mFuTdMx.exe
  2⤵
  PID:7212
- C:\Windows\System\RzkNBHV.exe
  C:\Windows\System\RzkNBHV.exe
  2⤵
  PID:7236
- C:\Windows\System\CcMbIok.exe
  C:\Windows\System\CcMbIok.exe
  2⤵
  PID:7268
- C:\Windows\System\StBWtmL.exe
  C:\Windows\System\StBWtmL.exe
  2⤵
  PID:7296
- C:\Windows\System\MynIXQn.exe
  C:\Windows\System\MynIXQn.exe
  2⤵
  PID:7324
- C:\Windows\System\FtPaXKr.exe
  C:\Windows\System\FtPaXKr.exe
  2⤵
  PID:7348
- C:\Windows\System\EhQjksU.exe
  C:\Windows\System\EhQjksU.exe
  2⤵
  PID:7376
- C:\Windows\System\mICHTrI.exe
  C:\Windows\System\mICHTrI.exe
  2⤵
  PID:7408
- C:\Windows\System\crPuqXb.exe
  C:\Windows\System\crPuqXb.exe
  2⤵
  PID:7436
- C:\Windows\System\pJEHeAh.exe
  C:\Windows\System\pJEHeAh.exe
  2⤵
  PID:7464
- C:\Windows\System\iRoIiFm.exe
  C:\Windows\System\iRoIiFm.exe
  2⤵
  PID:7492
- C:\Windows\System\cEARQJk.exe
  C:\Windows\System\cEARQJk.exe
  2⤵
  PID:7520
- C:\Windows\System\vtEKuTd.exe
  C:\Windows\System\vtEKuTd.exe
  2⤵
  PID:7548
- C:\Windows\System\KHiPrxT.exe
  C:\Windows\System\KHiPrxT.exe
  2⤵
  PID:7572
- C:\Windows\System\wySXTpA.exe
  C:\Windows\System\wySXTpA.exe
  2⤵
  PID:7604
- C:\Windows\System\RKxhOJO.exe
  C:\Windows\System\RKxhOJO.exe
  2⤵
  PID:7628
- C:\Windows\System\wkRdRiR.exe
  C:\Windows\System\wkRdRiR.exe
  2⤵
  PID:7660
- C:\Windows\System\JHPzyfS.exe
  C:\Windows\System\JHPzyfS.exe
  2⤵
  PID:7688
- C:\Windows\System\LilILzt.exe
  C:\Windows\System\LilILzt.exe
  2⤵
  PID:7716
- C:\Windows\System\frnfvUQ.exe
  C:\Windows\System\frnfvUQ.exe
  2⤵
  PID:7744
- C:\Windows\System\ckKwJdG.exe
  C:\Windows\System\ckKwJdG.exe
  2⤵
  PID:7764
- C:\Windows\System\QkULDmf.exe
  C:\Windows\System\QkULDmf.exe
  2⤵
  PID:7792
- C:\Windows\System\tkgnBGX.exe
  C:\Windows\System\tkgnBGX.exe
  2⤵
  PID:7824
- C:\Windows\System\UoknDpt.exe
  C:\Windows\System\UoknDpt.exe
  2⤵
  PID:7852
- C:\Windows\System\XZLsJIC.exe
  C:\Windows\System\XZLsJIC.exe
  2⤵
  PID:7884
- C:\Windows\System\KWuieog.exe
  C:\Windows\System\KWuieog.exe
  2⤵
  PID:7912
- C:\Windows\System\WNqmpBJ.exe
  C:\Windows\System\WNqmpBJ.exe
  2⤵
  PID:7936
- C:\Windows\System\IAZOlaY.exe
  C:\Windows\System\IAZOlaY.exe
  2⤵
  PID:7964
- C:\Windows\System\PmKqKpE.exe
  C:\Windows\System\PmKqKpE.exe
  2⤵
  PID:7992
- C:\Windows\System\lKoiyhY.exe
  C:\Windows\System\lKoiyhY.exe
  2⤵
  PID:8008
- C:\Windows\System\QWlLsjo.exe
  C:\Windows\System\QWlLsjo.exe
  2⤵
  PID:8036
- C:\Windows\System\nASIHtj.exe
  C:\Windows\System\nASIHtj.exe
  2⤵
  PID:8064
- C:\Windows\System\haFiKrL.exe
  C:\Windows\System\haFiKrL.exe
  2⤵
  PID:8112
- C:\Windows\System\irCepHi.exe
  C:\Windows\System\irCepHi.exe
  2⤵
  PID:8140
- C:\Windows\System\xfqepmV.exe
  C:\Windows\System\xfqepmV.exe
  2⤵
  PID:8176
- C:\Windows\System\OlNCfSI.exe
  C:\Windows\System\OlNCfSI.exe
  2⤵
  PID:7192
- C:\Windows\System\TdMcjME.exe
  C:\Windows\System\TdMcjME.exe
  2⤵
  PID:7264
- C:\Windows\System\eFpcyCo.exe
  C:\Windows\System\eFpcyCo.exe
  2⤵
  PID:7316
- C:\Windows\System\NZyDqWh.exe
  C:\Windows\System\NZyDqWh.exe
  2⤵
  PID:7388
- C:\Windows\System\iwkLmNO.exe
  C:\Windows\System\iwkLmNO.exe
  2⤵
  PID:7444
- C:\Windows\System\SPXONkc.exe
  C:\Windows\System\SPXONkc.exe
  2⤵
  PID:7508
- C:\Windows\System\fmFcfAu.exe
  C:\Windows\System\fmFcfAu.exe
  2⤵
  PID:7584
- C:\Windows\System\aRUXaEo.exe
  C:\Windows\System\aRUXaEo.exe
  2⤵
  PID:7636
- C:\Windows\System\ApypmFa.exe
  C:\Windows\System\ApypmFa.exe
  2⤵
  PID:7680
- C:\Windows\System\rQStDzV.exe
  C:\Windows\System\rQStDzV.exe
  2⤵
  PID:7700
- C:\Windows\System\yLfDLRW.exe
  C:\Windows\System\yLfDLRW.exe
  2⤵
  PID:7760
- C:\Windows\System\yzUFELV.exe
  C:\Windows\System\yzUFELV.exe
  2⤵
  PID:7832
- C:\Windows\System\krUgYJT.exe
  C:\Windows\System\krUgYJT.exe
  2⤵
  PID:7900
- C:\Windows\System\JhNgumR.exe
  C:\Windows\System\JhNgumR.exe
  2⤵
  PID:7960
- C:\Windows\System\klKUPSN.exe
  C:\Windows\System\klKUPSN.exe
  2⤵
  PID:8024
- C:\Windows\System\kCtScUl.exe
  C:\Windows\System\kCtScUl.exe
  2⤵
  PID:8092
- C:\Windows\System\cXvwMmt.exe
  C:\Windows\System\cXvwMmt.exe
  2⤵
  PID:6544
- C:\Windows\System\zffbWjX.exe
  C:\Windows\System\zffbWjX.exe
  2⤵
  PID:7084
- C:\Windows\System\BGruldO.exe
  C:\Windows\System\BGruldO.exe
  2⤵
  PID:7180
- C:\Windows\System\URYIfOi.exe
  C:\Windows\System\URYIfOi.exe
  2⤵
  PID:7312
- C:\Windows\System\qhDmIKV.exe
  C:\Windows\System\qhDmIKV.exe
  2⤵
  PID:7472
- C:\Windows\System\HdonEHT.exe
  C:\Windows\System\HdonEHT.exe
  2⤵
  PID:7620
- C:\Windows\System\BPWIYBb.exe
  C:\Windows\System\BPWIYBb.exe
  2⤵
  PID:3764
- C:\Windows\System\GaGZajj.exe
  C:\Windows\System\GaGZajj.exe
  2⤵
  PID:7812
- C:\Windows\System\aMaBLeu.exe
  C:\Windows\System\aMaBLeu.exe
  2⤵
  PID:7956
- C:\Windows\System\KgBreCt.exe
  C:\Windows\System\KgBreCt.exe
  2⤵
  PID:8088
- C:\Windows\System\BJFclun.exe
  C:\Windows\System\BJFclun.exe
  2⤵
  PID:8168
- C:\Windows\System\buDYxRt.exe
  C:\Windows\System\buDYxRt.exe
  2⤵
  PID:7424
- C:\Windows\System\Zeezjjo.exe
  C:\Windows\System\Zeezjjo.exe
  2⤵
  PID:776
- C:\Windows\System\OjLWpJG.exe
  C:\Windows\System\OjLWpJG.exe
  2⤵
  PID:8020
- C:\Windows\System\jJdHJgB.exe
  C:\Windows\System\jJdHJgB.exe
  2⤵
  PID:7304
- C:\Windows\System\MJgvStb.exe
  C:\Windows\System\MJgvStb.exe
  2⤵
  PID:7948
- C:\Windows\System\VzuIZWa.exe
  C:\Windows\System\VzuIZWa.exe
  2⤵
  PID:7244
- C:\Windows\System\GfmLkKm.exe
  C:\Windows\System\GfmLkKm.exe
  2⤵
  PID:8212
- C:\Windows\System\OgUOxrH.exe
  C:\Windows\System\OgUOxrH.exe
  2⤵
  PID:8244
- C:\Windows\System\JeyAfHw.exe
  C:\Windows\System\JeyAfHw.exe
  2⤵
  PID:8268
- C:\Windows\System\yeyKgZg.exe
  C:\Windows\System\yeyKgZg.exe
  2⤵
  PID:8296
- C:\Windows\System\QQxrplW.exe
  C:\Windows\System\QQxrplW.exe
  2⤵
  PID:8328
- C:\Windows\System\piniCCz.exe
  C:\Windows\System\piniCCz.exe
  2⤵
  PID:8352
- C:\Windows\System\VSEsgnp.exe
  C:\Windows\System\VSEsgnp.exe
  2⤵
  PID:8384
- C:\Windows\System\dFZMxRr.exe
  C:\Windows\System\dFZMxRr.exe
  2⤵
  PID:8424
- C:\Windows\System\nePhWqc.exe
  C:\Windows\System\nePhWqc.exe
  2⤵
  PID:8440
- C:\Windows\System\WRwDzWJ.exe
  C:\Windows\System\WRwDzWJ.exe
  2⤵
  PID:8468
- C:\Windows\System\eVRctQa.exe
  C:\Windows\System\eVRctQa.exe
  2⤵
  PID:8496
- C:\Windows\System\frIPanL.exe
  C:\Windows\System\frIPanL.exe
  2⤵
  PID:8524
- C:\Windows\System\jrWStvT.exe
  C:\Windows\System\jrWStvT.exe
  2⤵
  PID:8552
- C:\Windows\System\SNoxVqm.exe
  C:\Windows\System\SNoxVqm.exe
  2⤵
  PID:8580
- C:\Windows\System\PMYmzAT.exe
  C:\Windows\System\PMYmzAT.exe
  2⤵
  PID:8608
- C:\Windows\System\inOjkRt.exe
  C:\Windows\System\inOjkRt.exe
  2⤵
  PID:8636
- C:\Windows\System\fxPMric.exe
  C:\Windows\System\fxPMric.exe
  2⤵
  PID:8664
- C:\Windows\System\gZRaZAA.exe
  C:\Windows\System\gZRaZAA.exe
  2⤵
  PID:8692
- C:\Windows\System\gVqYrUs.exe
  C:\Windows\System\gVqYrUs.exe
  2⤵
  PID:8724
- C:\Windows\System\FukiYxD.exe
  C:\Windows\System\FukiYxD.exe
  2⤵
  PID:8752
- C:\Windows\System\kwzPlrc.exe
  C:\Windows\System\kwzPlrc.exe
  2⤵
  PID:8780
- C:\Windows\System\gSjZYLh.exe
  C:\Windows\System\gSjZYLh.exe
  2⤵
  PID:8808
- C:\Windows\System\HSADwPn.exe
  C:\Windows\System\HSADwPn.exe
  2⤵
  PID:8836
- C:\Windows\System\DQcJUEB.exe
  C:\Windows\System\DQcJUEB.exe
  2⤵
  PID:8864
- C:\Windows\System\IAQThwj.exe
  C:\Windows\System\IAQThwj.exe
  2⤵
  PID:8892
- C:\Windows\System\GBJPpKh.exe
  C:\Windows\System\GBJPpKh.exe
  2⤵
  PID:8924
- C:\Windows\System\TszcIPR.exe
  C:\Windows\System\TszcIPR.exe
  2⤵
  PID:8948
- C:\Windows\System\CCETqqS.exe
  C:\Windows\System\CCETqqS.exe
  2⤵
  PID:8976
- C:\Windows\System\ZosmrCV.exe
  C:\Windows\System\ZosmrCV.exe
  2⤵
  PID:9004
- C:\Windows\System\gHFLWfV.exe
  C:\Windows\System\gHFLWfV.exe
  2⤵
  PID:9032
- C:\Windows\System\ahajzMO.exe
  C:\Windows\System\ahajzMO.exe
  2⤵
  PID:9060
- C:\Windows\System\zhkfLBB.exe
  C:\Windows\System\zhkfLBB.exe
  2⤵
  PID:9088
- C:\Windows\System\dtRGBLi.exe
  C:\Windows\System\dtRGBLi.exe
  2⤵
  PID:9116
- C:\Windows\System\zmgoNqw.exe
  C:\Windows\System\zmgoNqw.exe
  2⤵
  PID:9148
- C:\Windows\System\psOOtIJ.exe
  C:\Windows\System\psOOtIJ.exe
  2⤵
  PID:9172
- C:\Windows\System\dLwQuOn.exe
  C:\Windows\System\dLwQuOn.exe
  2⤵
  PID:9200
- C:\Windows\System\OakBVpy.exe
  C:\Windows\System\OakBVpy.exe
  2⤵
  PID:8232
- C:\Windows\System\tPwxBmx.exe
  C:\Windows\System\tPwxBmx.exe
  2⤵
  PID:8288
- C:\Windows\System\SQnjdmP.exe
  C:\Windows\System\SQnjdmP.exe
  2⤵
  PID:8348
- C:\Windows\System\vaeBSiN.exe
  C:\Windows\System\vaeBSiN.exe
  2⤵
  PID:8404
- C:\Windows\System\sSqumcG.exe
  C:\Windows\System\sSqumcG.exe
  2⤵
  PID:8488
- C:\Windows\System\cVpweJx.exe
  C:\Windows\System\cVpweJx.exe
  2⤵
  PID:8544
- C:\Windows\System\JbDDkfQ.exe
  C:\Windows\System\JbDDkfQ.exe
  2⤵
  PID:8604
- C:\Windows\System\XXmSWTQ.exe
  C:\Windows\System\XXmSWTQ.exe
  2⤵
  PID:8676
- C:\Windows\System\FMuecoI.exe
  C:\Windows\System\FMuecoI.exe
  2⤵
  PID:4640
- C:\Windows\System\sJAdqYI.exe
  C:\Windows\System\sJAdqYI.exe
  2⤵
  PID:8800
- C:\Windows\System\PRmSsfp.exe
  C:\Windows\System\PRmSsfp.exe
  2⤵
  PID:8860
- C:\Windows\System\ShjzSdR.exe
  C:\Windows\System\ShjzSdR.exe
  2⤵
  PID:8932
- C:\Windows\System\CMXDCdQ.exe
  C:\Windows\System\CMXDCdQ.exe
  2⤵
  PID:8996
- C:\Windows\System\pWeoEzT.exe
  C:\Windows\System\pWeoEzT.exe
  2⤵
  PID:9072
- C:\Windows\System\jFcENfF.exe
  C:\Windows\System\jFcENfF.exe
  2⤵
  PID:9136
- C:\Windows\System\BUwLlEJ.exe
  C:\Windows\System\BUwLlEJ.exe
  2⤵
  PID:9196
- C:\Windows\System\XbaxYAg.exe
  C:\Windows\System\XbaxYAg.exe
  2⤵
  PID:8316
- C:\Windows\System\bPPsAJa.exe
  C:\Windows\System\bPPsAJa.exe
  2⤵
  PID:8452
- C:\Windows\System\wqrpXEN.exe
  C:\Windows\System\wqrpXEN.exe
  2⤵
  PID:8572
- C:\Windows\System\fQFoNox.exe
  C:\Windows\System\fQFoNox.exe
  2⤵
  PID:8716
- C:\Windows\System\yToSYXJ.exe
  C:\Windows\System\yToSYXJ.exe
  2⤵
  PID:8856
- C:\Windows\System\lBXPiSz.exe
  C:\Windows\System\lBXPiSz.exe
  2⤵
  PID:9024
- C:\Windows\System\YERlAeU.exe
  C:\Windows\System\YERlAeU.exe
  2⤵
  PID:9184
- C:\Windows\System\ZTiBfsI.exe
  C:\Windows\System\ZTiBfsI.exe
  2⤵
  PID:8420
- C:\Windows\System\UVCaVdw.exe
  C:\Windows\System\UVCaVdw.exe
  2⤵
  PID:8776
- C:\Windows\System\YbBHWnG.exe
  C:\Windows\System\YbBHWnG.exe
  2⤵
  PID:9128
- C:\Windows\System\rjVCDJy.exe
  C:\Windows\System\rjVCDJy.exe
  2⤵
  PID:8704
- C:\Windows\System\xxvfmUe.exe
  C:\Windows\System\xxvfmUe.exe
  2⤵
  PID:9100
- C:\Windows\System\JKCJjZM.exe
  C:\Windows\System\JKCJjZM.exe
  2⤵
  PID:9236
- C:\Windows\System\fkhtOkX.exe
  C:\Windows\System\fkhtOkX.exe
  2⤵
  PID:9264
- C:\Windows\System\ojYyjwu.exe
  C:\Windows\System\ojYyjwu.exe
  2⤵
  PID:9292
- C:\Windows\System\Qrqtzzc.exe
  C:\Windows\System\Qrqtzzc.exe
  2⤵
  PID:9320
- C:\Windows\System\ktnFsBn.exe
  C:\Windows\System\ktnFsBn.exe
  2⤵
  PID:9348
- C:\Windows\System\XgtnKtH.exe
  C:\Windows\System\XgtnKtH.exe
  2⤵
  PID:9376
- C:\Windows\System\CVBvhpg.exe
  C:\Windows\System\CVBvhpg.exe
  2⤵
  PID:9404
- C:\Windows\System\pCJEAvr.exe
  C:\Windows\System\pCJEAvr.exe
  2⤵
  PID:9432
- C:\Windows\System\PFPIsiD.exe
  C:\Windows\System\PFPIsiD.exe
  2⤵
  PID:9460
- C:\Windows\System\SYvFRED.exe
  C:\Windows\System\SYvFRED.exe
  2⤵
  PID:9488
- C:\Windows\System\qUcWXQe.exe
  C:\Windows\System\qUcWXQe.exe
  2⤵
  PID:9516
- C:\Windows\System\vSOYmhj.exe
  C:\Windows\System\vSOYmhj.exe
  2⤵
  PID:9544
- C:\Windows\System\sybwZeP.exe
  C:\Windows\System\sybwZeP.exe
  2⤵
  PID:9572
- C:\Windows\System\hTYBtUU.exe
  C:\Windows\System\hTYBtUU.exe
  2⤵
  PID:9600
- C:\Windows\System\wcVyzNG.exe
  C:\Windows\System\wcVyzNG.exe
  2⤵
  PID:9628
- C:\Windows\System\svEhCHU.exe
  C:\Windows\System\svEhCHU.exe
  2⤵
  PID:9664
- C:\Windows\System\DFePzfF.exe
  C:\Windows\System\DFePzfF.exe
  2⤵
  PID:9684
- C:\Windows\System\soHUuyh.exe
  C:\Windows\System\soHUuyh.exe
  2⤵
  PID:9716
- C:\Windows\System\DXQvCnW.exe
  C:\Windows\System\DXQvCnW.exe
  2⤵
  PID:9744
- C:\Windows\System\KqKwkmh.exe
  C:\Windows\System\KqKwkmh.exe
  2⤵
  PID:9784
- C:\Windows\System\UULranr.exe
  C:\Windows\System\UULranr.exe
  2⤵
  PID:9800
- C:\Windows\System\IyJRict.exe
  C:\Windows\System\IyJRict.exe
  2⤵
  PID:9828
- C:\Windows\System\oRAnKQl.exe
  C:\Windows\System\oRAnKQl.exe
  2⤵
  PID:9856
- C:\Windows\System\JcLcpbd.exe
  C:\Windows\System\JcLcpbd.exe
  2⤵
  PID:9884
- C:\Windows\System\rZkjqcZ.exe
  C:\Windows\System\rZkjqcZ.exe
  2⤵
  PID:9912
- C:\Windows\System\FuXvRMX.exe
  C:\Windows\System\FuXvRMX.exe
  2⤵
  PID:9940
- C:\Windows\System\VfVRcJo.exe
  C:\Windows\System\VfVRcJo.exe
  2⤵
  PID:9968
- C:\Windows\System\DhYhTrF.exe
  C:\Windows\System\DhYhTrF.exe
  2⤵
  PID:9996
- C:\Windows\System\oyYHJWY.exe
  C:\Windows\System\oyYHJWY.exe
  2⤵
  PID:10024
- C:\Windows\System\srbEumh.exe
  C:\Windows\System\srbEumh.exe
  2⤵
  PID:10052
- C:\Windows\System\bwNEXnu.exe
  C:\Windows\System\bwNEXnu.exe
  2⤵
  PID:10080
- C:\Windows\System\PdahkLk.exe
  C:\Windows\System\PdahkLk.exe
  2⤵
  PID:10108
- C:\Windows\System\MDZgBFk.exe
  C:\Windows\System\MDZgBFk.exe
  2⤵
  PID:10136
- C:\Windows\System\MVYvMrY.exe
  C:\Windows\System\MVYvMrY.exe
  2⤵
  PID:10164
- C:\Windows\System\vfarRAC.exe
  C:\Windows\System\vfarRAC.exe
  2⤵
  PID:10192
- C:\Windows\System\tRJMUCB.exe
  C:\Windows\System\tRJMUCB.exe
  2⤵
  PID:10220
- C:\Windows\System\RtPKdll.exe
  C:\Windows\System\RtPKdll.exe
  2⤵
  PID:9232
- C:\Windows\System\YgyqzDq.exe
  C:\Windows\System\YgyqzDq.exe
  2⤵
  PID:9304
- C:\Windows\System\naDBnxJ.exe
  C:\Windows\System\naDBnxJ.exe
  2⤵
  PID:9368
- C:\Windows\System\ATSBOpW.exe
  C:\Windows\System\ATSBOpW.exe
  2⤵
  PID:9428
- C:\Windows\System\vevukWi.exe
  C:\Windows\System\vevukWi.exe
  2⤵
  PID:9484
- C:\Windows\System\jyVFgQJ.exe
  C:\Windows\System\jyVFgQJ.exe
  2⤵
  PID:9556
- C:\Windows\System\maOeNYo.exe
  C:\Windows\System\maOeNYo.exe
  2⤵
  PID:9620
- C:\Windows\System\SdCyXts.exe
  C:\Windows\System\SdCyXts.exe
  2⤵
  PID:9672
- C:\Windows\System\EDCAzIF.exe
  C:\Windows\System\EDCAzIF.exe
  2⤵
  PID:9736
- C:\Windows\System\LtWLWpU.exe
  C:\Windows\System\LtWLWpU.exe
  2⤵
  PID:9796
- C:\Windows\System\bTPUjuK.exe
  C:\Windows\System\bTPUjuK.exe
  2⤵
  PID:9868
- C:\Windows\System\zMLvcPi.exe
  C:\Windows\System\zMLvcPi.exe
  2⤵
  PID:9936
- C:\Windows\System\zvsNAOF.exe
  C:\Windows\System\zvsNAOF.exe
  2⤵
  PID:10008
- C:\Windows\System\aHbRKtH.exe
  C:\Windows\System\aHbRKtH.exe
  2⤵
  PID:10072
- C:\Windows\System\sMPJkWi.exe
  C:\Windows\System\sMPJkWi.exe
  2⤵
  PID:10132
- C:\Windows\System\lVTmRKQ.exe
  C:\Windows\System\lVTmRKQ.exe
  2⤵
  PID:10204
- C:\Windows\System\DEngdYC.exe
  C:\Windows\System\DEngdYC.exe
  2⤵
  PID:9284
- C:\Windows\System\pohodne.exe
  C:\Windows\System\pohodne.exe
  2⤵
  PID:9416
- C:\Windows\System\ZsCIWlK.exe
  C:\Windows\System\ZsCIWlK.exe
  2⤵
  PID:9540
- C:\Windows\System\BosALVx.exe
  C:\Windows\System\BosALVx.exe
  2⤵
  PID:9696
- C:\Windows\System\zJgIcNS.exe
  C:\Windows\System\zJgIcNS.exe
  2⤵
  PID:9848
- C:\Windows\System\qsKZWVK.exe
  C:\Windows\System\qsKZWVK.exe
  2⤵
  PID:9992
- C:\Windows\System\PXzwqZL.exe
  C:\Windows\System\PXzwqZL.exe
  2⤵
  PID:10160
- C:\Windows\System\itBuJVD.exe
  C:\Windows\System\itBuJVD.exe
  2⤵
  PID:9704
- C:\Windows\System\gDVwxDp.exe
  C:\Windows\System\gDVwxDp.exe
  2⤵
  PID:9652
- C:\Windows\System\bJpjHgV.exe
  C:\Windows\System\bJpjHgV.exe
  2⤵
  PID:10064
- C:\Windows\System\XEwgzDw.exe
  C:\Windows\System\XEwgzDw.exe
  2⤵
  PID:9592
- C:\Windows\System\hvLADYU.exe
  C:\Windows\System\hvLADYU.exe
  2⤵
  PID:9512
- C:\Windows\System\IDwzpfu.exe
  C:\Windows\System\IDwzpfu.exe
  2⤵
  PID:10256
- C:\Windows\System\aShcaJm.exe
  C:\Windows\System\aShcaJm.exe
  2⤵
  PID:10284
- C:\Windows\System\qkJNbXu.exe
  C:\Windows\System\qkJNbXu.exe
  2⤵
  PID:10320
- C:\Windows\System\qhRSFir.exe
  C:\Windows\System\qhRSFir.exe
  2⤵
  PID:10340
- C:\Windows\System\mCQkVkl.exe
  C:\Windows\System\mCQkVkl.exe
  2⤵
  PID:10368
- C:\Windows\System\sNbpXrZ.exe
  C:\Windows\System\sNbpXrZ.exe
  2⤵
  PID:10396
- C:\Windows\System\zRgxsob.exe
  C:\Windows\System\zRgxsob.exe
  2⤵
  PID:10424
- C:\Windows\System\cCtFqIx.exe
  C:\Windows\System\cCtFqIx.exe
  2⤵
  PID:10452
- C:\Windows\System\gOxNilV.exe
  C:\Windows\System\gOxNilV.exe
  2⤵
  PID:10480
- C:\Windows\System\DmEDeeA.exe
  C:\Windows\System\DmEDeeA.exe
  2⤵
  PID:10508
- C:\Windows\System\MkXiWbX.exe
  C:\Windows\System\MkXiWbX.exe
  2⤵
  PID:10536
- C:\Windows\System\CgQEIzz.exe
  C:\Windows\System\CgQEIzz.exe
  2⤵
  PID:10564
- C:\Windows\System\RFXemXl.exe
  C:\Windows\System\RFXemXl.exe
  2⤵
  PID:10592
- C:\Windows\System\XVEBxIw.exe
  C:\Windows\System\XVEBxIw.exe
  2⤵
  PID:10620
- C:\Windows\System\aOEqlyo.exe
  C:\Windows\System\aOEqlyo.exe
  2⤵
  PID:10648
- C:\Windows\System\EjWEEgU.exe
  C:\Windows\System\EjWEEgU.exe
  2⤵
  PID:10692
- C:\Windows\System\YCmpbti.exe
  C:\Windows\System\YCmpbti.exe
  2⤵
  PID:10708
- C:\Windows\System\xZvVxwe.exe
  C:\Windows\System\xZvVxwe.exe
  2⤵
  PID:10736
- C:\Windows\System\zAJCJZS.exe
  C:\Windows\System\zAJCJZS.exe
  2⤵
  PID:10764
- C:\Windows\System\whapXWq.exe
  C:\Windows\System\whapXWq.exe
  2⤵
  PID:10792
- C:\Windows\System\nbHgnGA.exe
  C:\Windows\System\nbHgnGA.exe
  2⤵
  PID:10820
- C:\Windows\System\GjKytfx.exe
  C:\Windows\System\GjKytfx.exe
  2⤵
  PID:10848
- C:\Windows\System\ebxyblu.exe
  C:\Windows\System\ebxyblu.exe
  2⤵
  PID:10876
- C:\Windows\System\BMelaFO.exe
  C:\Windows\System\BMelaFO.exe
  2⤵
  PID:10904
- C:\Windows\System\mbFPyUj.exe
  C:\Windows\System\mbFPyUj.exe
  2⤵
  PID:10932
- C:\Windows\System\weszZCI.exe
  C:\Windows\System\weszZCI.exe
  2⤵
  PID:10960
- C:\Windows\System\VJvoNiJ.exe
  C:\Windows\System\VJvoNiJ.exe
  2⤵
  PID:10988
- C:\Windows\System\YbNmzQo.exe
  C:\Windows\System\YbNmzQo.exe
  2⤵
  PID:11016
- C:\Windows\System\usrdwBh.exe
  C:\Windows\System\usrdwBh.exe
  2⤵
  PID:11044
- C:\Windows\System\qrZbQuP.exe
  C:\Windows\System\qrZbQuP.exe
  2⤵
  PID:11072
- C:\Windows\System\daZbOjO.exe
  C:\Windows\System\daZbOjO.exe
  2⤵
  PID:11100
- C:\Windows\System\uZwoyiF.exe
  C:\Windows\System\uZwoyiF.exe
  2⤵
  PID:11128
- C:\Windows\System\onFZgYi.exe
  C:\Windows\System\onFZgYi.exe
  2⤵
  PID:11156
- C:\Windows\System\vbXklUH.exe
  C:\Windows\System\vbXklUH.exe
  2⤵
  PID:11184
- C:\Windows\System\xHZUVmM.exe
  C:\Windows\System\xHZUVmM.exe
  2⤵
  PID:11212
- C:\Windows\System\NtYXmyC.exe
  C:\Windows\System\NtYXmyC.exe
  2⤵
  PID:11240
- C:\Windows\System\WtSPJWz.exe
  C:\Windows\System\WtSPJWz.exe
  2⤵
  PID:10248
- C:\Windows\System\nawobJI.exe
  C:\Windows\System\nawobJI.exe
  2⤵
  PID:10308
- C:\Windows\System\cyNPrDE.exe
  C:\Windows\System\cyNPrDE.exe
  2⤵
  PID:10380
- C:\Windows\System\YMtzXnB.exe
  C:\Windows\System\YMtzXnB.exe
  2⤵
  PID:10444
- C:\Windows\System\OUOZVgm.exe
  C:\Windows\System\OUOZVgm.exe
  2⤵
  PID:10500
- C:\Windows\System\ipLMsoQ.exe
  C:\Windows\System\ipLMsoQ.exe
  2⤵
  PID:10560
- C:\Windows\System\WOAayUS.exe
  C:\Windows\System\WOAayUS.exe
  2⤵
  PID:10632
- C:\Windows\System\yGouKjI.exe
  C:\Windows\System\yGouKjI.exe
  2⤵
  PID:10700
- C:\Windows\System\aiqfmjD.exe
  C:\Windows\System\aiqfmjD.exe
  2⤵
  PID:10760
- C:\Windows\System\xZkLGAi.exe
  C:\Windows\System\xZkLGAi.exe
  2⤵
  PID:10832
- C:\Windows\System\bSnFNdy.exe
  C:\Windows\System\bSnFNdy.exe
  2⤵
  PID:10900
- C:\Windows\System\WCTsXDx.exe
  C:\Windows\System\WCTsXDx.exe
  2⤵
  PID:10972
- C:\Windows\System\QTojwkW.exe
  C:\Windows\System\QTojwkW.exe
  2⤵
  PID:11036
- C:\Windows\System\DbiSjnA.exe
  C:\Windows\System\DbiSjnA.exe
  2⤵
  PID:11096
- C:\Windows\System\AnmfQSR.exe
  C:\Windows\System\AnmfQSR.exe
  2⤵
  PID:11168
- C:\Windows\System\NEANrZj.exe
  C:\Windows\System\NEANrZj.exe
  2⤵
  PID:11232
- C:\Windows\System\xdpUHea.exe
  C:\Windows\System\xdpUHea.exe
  2⤵
  PID:10304
- C:\Windows\System\poKifLX.exe
  C:\Windows\System\poKifLX.exe
  2⤵
  PID:10436
- C:\Windows\System\glybIDb.exe
  C:\Windows\System\glybIDb.exe
  2⤵
  PID:10588
- C:\Windows\System\TkjxzYn.exe
  C:\Windows\System\TkjxzYn.exe
  2⤵
  PID:10748
- C:\Windows\System\gQqcYLJ.exe
  C:\Windows\System\gQqcYLJ.exe
  2⤵
  PID:10896
- C:\Windows\System\jwDitNp.exe
  C:\Windows\System\jwDitNp.exe
  2⤵
  PID:11064
- C:\Windows\System\QKAHCzF.exe
  C:\Windows\System\QKAHCzF.exe
  2⤵
  PID:11208
- C:\Windows\System\LmFjbXS.exe
  C:\Windows\System\LmFjbXS.exe
  2⤵
  PID:10420
- C:\Windows\System\fpIPufu.exe
  C:\Windows\System\fpIPufu.exe
  2⤵
  PID:10812
- C:\Windows\System\xTtxxHm.exe
  C:\Windows\System\xTtxxHm.exe
  2⤵
  PID:11152
- C:\Windows\System\LDhxNgq.exe
  C:\Windows\System\LDhxNgq.exe
  2⤵
  PID:10728
- C:\Windows\System\bhSNlHj.exe
  C:\Windows\System\bhSNlHj.exe
  2⤵
  PID:11272
- C:\Windows\System\gjEfJaE.exe
  C:\Windows\System\gjEfJaE.exe
  2⤵
  PID:11308
- C:\Windows\System\YnqVVqV.exe
  C:\Windows\System\YnqVVqV.exe
  2⤵
  PID:11328
- C:\Windows\System\jSmVrdf.exe
  C:\Windows\System\jSmVrdf.exe
  2⤵
  PID:11356
- C:\Windows\System\wiJbiom.exe
  C:\Windows\System\wiJbiom.exe
  2⤵
  PID:11392
- C:\Windows\System\rEVQWkO.exe
  C:\Windows\System\rEVQWkO.exe
  2⤵
  PID:11412
- C:\Windows\System\kvBohPM.exe
  C:\Windows\System\kvBohPM.exe
  2⤵
  PID:11444
- C:\Windows\System\IItTFWV.exe
  C:\Windows\System\IItTFWV.exe
  2⤵
  PID:11472
- C:\Windows\System\hjAbueE.exe
  C:\Windows\System\hjAbueE.exe
  2⤵
  PID:11516
- C:\Windows\System\NWRCdZT.exe
  C:\Windows\System\NWRCdZT.exe
  2⤵
  PID:11540
- C:\Windows\System\EWaMOYh.exe
  C:\Windows\System\EWaMOYh.exe
  2⤵
  PID:11568
- C:\Windows\System\asdOGUe.exe
  C:\Windows\System\asdOGUe.exe
  2⤵
  PID:11596
- C:\Windows\System\nHdzVhO.exe
  C:\Windows\System\nHdzVhO.exe
  2⤵
  PID:11624
- C:\Windows\System\zgvrXDc.exe
  C:\Windows\System\zgvrXDc.exe
  2⤵
  PID:11660
- C:\Windows\System\ccrzSRF.exe
  C:\Windows\System\ccrzSRF.exe
  2⤵
  PID:11692
- C:\Windows\System\EbYxGTq.exe
  C:\Windows\System\EbYxGTq.exe
  2⤵
  PID:11728
- C:\Windows\System\fbDXoPy.exe
  C:\Windows\System\fbDXoPy.exe
  2⤵
  PID:11756
- C:\Windows\System\hShWNjW.exe
  C:\Windows\System\hShWNjW.exe
  2⤵
  PID:11876
- C:\Windows\System\zQIJraq.exe
  C:\Windows\System\zQIJraq.exe
  2⤵
  PID:11908
- C:\Windows\System\LmKvNtk.exe
  C:\Windows\System\LmKvNtk.exe
  2⤵
  PID:11928
- C:\Windows\System\XdEWEbr.exe
  C:\Windows\System\XdEWEbr.exe
  2⤵
  PID:11956
- C:\Windows\System\MPqHNbz.exe
  C:\Windows\System\MPqHNbz.exe
  2⤵
  PID:11984
- C:\Windows\System\QTfYJEo.exe
  C:\Windows\System\QTfYJEo.exe
  2⤵
  PID:12012
- C:\Windows\System\ZeBgiXf.exe
  C:\Windows\System\ZeBgiXf.exe
  2⤵
  PID:12040
- C:\Windows\System\YAEyLlp.exe
  C:\Windows\System\YAEyLlp.exe
  2⤵
  PID:12068
- C:\Windows\System\BMMNRTh.exe
  C:\Windows\System\BMMNRTh.exe
  2⤵
  PID:12104
- C:\Windows\System\vPRiTod.exe
  C:\Windows\System\vPRiTod.exe
  2⤵
  PID:12124
- C:\Windows\System\scQQrwz.exe
  C:\Windows\System\scQQrwz.exe
  2⤵
  PID:12152
- C:\Windows\System\BLQuJhT.exe
  C:\Windows\System\BLQuJhT.exe
  2⤵
  PID:12180
- C:\Windows\System\jyeVAiQ.exe
  C:\Windows\System\jyeVAiQ.exe
  2⤵
  PID:12208
- C:\Windows\System\oQaQaUi.exe
  C:\Windows\System\oQaQaUi.exe
  2⤵
  PID:12236
- C:\Windows\System\MCiKnKK.exe
  C:\Windows\System\MCiKnKK.exe
  2⤵
  PID:12264
- C:\Windows\System\EyFUVbT.exe
  C:\Windows\System\EyFUVbT.exe
  2⤵
  PID:10360
- C:\Windows\System\FmwdOek.exe
  C:\Windows\System\FmwdOek.exe
  2⤵
  PID:11324
- C:\Windows\System\KSaZVWa.exe
  C:\Windows\System\KSaZVWa.exe
  2⤵
  PID:3588
- C:\Windows\System\RWEbang.exe
  C:\Windows\System\RWEbang.exe
  2⤵
  PID:11432
- C:\Windows\System\GPxZOPr.exe
  C:\Windows\System\GPxZOPr.exe
  2⤵
  PID:2064
- C:\Windows\System\uQBiHaG.exe
  C:\Windows\System\uQBiHaG.exe
  2⤵
  PID:11424
- C:\Windows\System\EoaECGo.exe
  C:\Windows\System\EoaECGo.exe
  2⤵
  PID:5088
- C:\Windows\System\iYdoGum.exe
  C:\Windows\System\iYdoGum.exe
  2⤵
  PID:316
- C:\Windows\System\mtJaFad.exe
  C:\Windows\System\mtJaFad.exe
  2⤵
  PID:11528
- C:\Windows\System\yQybYma.exe
  C:\Windows\System\yQybYma.exe
  2⤵
  PID:4052
- C:\Windows\System\iWmHTEb.exe
  C:\Windows\System\iWmHTEb.exe
  2⤵
  PID:11636
- C:\Windows\System\AWaPcme.exe
  C:\Windows\System\AWaPcme.exe
  2⤵
  PID:11716
- C:\Windows\System\jMTNUpr.exe
  C:\Windows\System\jMTNUpr.exe
  2⤵
  PID:11752
- C:\Windows\System\ixqEVnj.exe
  C:\Windows\System\ixqEVnj.exe
  2⤵
  PID:1868
- C:\Windows\System\xxRzAti.exe
  C:\Windows\System\xxRzAti.exe
  2⤵
  PID:11564
- C:\Windows\System\zcMeRpp.exe
  C:\Windows\System\zcMeRpp.exe
  2⤵
  PID:11804
- C:\Windows\System\AIbWyNy.exe
  C:\Windows\System\AIbWyNy.exe
  2⤵
  PID:3432
- C:\Windows\System\ValsQpq.exe
  C:\Windows\System\ValsQpq.exe
  2⤵
  PID:11864
- C:\Windows\System\NVaOXhU.exe
  C:\Windows\System\NVaOXhU.exe
  2⤵
  PID:3568
- C:\Windows\System\PXNKUNC.exe
  C:\Windows\System\PXNKUNC.exe
  2⤵
  PID:11836
- C:\Windows\System\mSGHzYC.exe
  C:\Windows\System\mSGHzYC.exe
  2⤵
  PID:11888
- C:\Windows\System\trhluOr.exe
  C:\Windows\System\trhluOr.exe
  2⤵
  PID:11968
- C:\Windows\System\jpWpRmr.exe
  C:\Windows\System\jpWpRmr.exe
  2⤵
  PID:12032
- C:\Windows\System\nHIdlkk.exe
  C:\Windows\System\nHIdlkk.exe
  2⤵
  PID:12092
- C:\Windows\System\vwtrztv.exe
  C:\Windows\System\vwtrztv.exe
  2⤵
  PID:12164
- C:\Windows\System\qWKUdVZ.exe
  C:\Windows\System\qWKUdVZ.exe
  2⤵
  PID:12228
- C:\Windows\System\VnKerRE.exe
  C:\Windows\System\VnKerRE.exe
  2⤵
  PID:10672
- C:\Windows\System\QgNXOmE.exe
  C:\Windows\System\QgNXOmE.exe
  2⤵
  PID:11512
- C:\Windows\System\ZNSCegA.exe
  C:\Windows\System\ZNSCegA.exe
  2⤵
  PID:11460
- C:\Windows\System\JrzbQRa.exe
  C:\Windows\System\JrzbQRa.exe
  2⤵
  PID:1852
- C:\Windows\System\OCwIvhQ.exe
  C:\Windows\System\OCwIvhQ.exe
  2⤵
  PID:876
- C:\Windows\System\cYYVCBH.exe
  C:\Windows\System\cYYVCBH.exe
  2⤵
  PID:11700
- C:\Windows\System\AjmAUfI.exe
  C:\Windows\System\AjmAUfI.exe
  2⤵
  PID:4336
- C:\Windows\System\JElfEdp.exe
  C:\Windows\System\JElfEdp.exe
  2⤵
  PID:4992
- C:\Windows\System\gttZefQ.exe
  C:\Windows\System\gttZefQ.exe
  2⤵
  PID:1252
- C:\Windows\System\KTXjJQe.exe
  C:\Windows\System\KTXjJQe.exe
  2⤵
  PID:6704
- C:\Windows\System\TZyWRjg.exe
  C:\Windows\System\TZyWRjg.exe
  2⤵
  PID:12060
- C:\Windows\System\eViNsrz.exe
  C:\Windows\System\eViNsrz.exe
  2⤵
  PID:12204
- C:\Windows\System\mcHAzRQ.exe
  C:\Windows\System\mcHAzRQ.exe
  2⤵
  PID:2120
- C:\Windows\System\albfKBC.exe
  C:\Windows\System\albfKBC.exe
  2⤵
  PID:1900
- C:\Windows\System\sxHfaid.exe
  C:\Windows\System\sxHfaid.exe
  2⤵
  PID:1416
- C:\Windows\System\zPOFEVE.exe
  C:\Windows\System\zPOFEVE.exe
  2⤵
  PID:2708
- C:\Windows\System\SsiQQCZ.exe
  C:\Windows\System\SsiQQCZ.exe
  2⤵
  PID:12120
- C:\Windows\System\ysrUWHq.exe
  C:\Windows\System\ysrUWHq.exe
  2⤵
  PID:11464
- C:\Windows\System\oRzqoQS.exe
  C:\Windows\System\oRzqoQS.exe
  2⤵
  PID:4680
- C:\Windows\System\dQmklYU.exe
  C:\Windows\System\dQmklYU.exe
  2⤵
  PID:2684
- C:\Windows\System\HeiSTFT.exe
  C:\Windows\System\HeiSTFT.exe
  2⤵
  PID:6676
- C:\Windows\System\rhSrhlz.exe
  C:\Windows\System\rhSrhlz.exe
  2⤵
  PID:12316
- C:\Windows\System\oAdEPEF.exe
  C:\Windows\System\oAdEPEF.exe
  2⤵
  PID:12344
- C:\Windows\System\zcYrVEG.exe
  C:\Windows\System\zcYrVEG.exe
  2⤵
  PID:12372
- C:\Windows\System\OpjAwwx.exe
  C:\Windows\System\OpjAwwx.exe
  2⤵
  PID:12400
- C:\Windows\System\hzbYNzT.exe
  C:\Windows\System\hzbYNzT.exe
  2⤵
  PID:12428
- C:\Windows\System\OjHBMzT.exe
  C:\Windows\System\OjHBMzT.exe
  2⤵
  PID:12456
- C:\Windows\System\wqYOomT.exe
  C:\Windows\System\wqYOomT.exe
  2⤵
  PID:12484
- C:\Windows\System\AwfDNok.exe
  C:\Windows\System\AwfDNok.exe
  2⤵
  PID:12512
- C:\Windows\System\IUxJIYg.exe
  C:\Windows\System\IUxJIYg.exe
  2⤵
  PID:12540
- C:\Windows\System\ZECZBPN.exe
  C:\Windows\System\ZECZBPN.exe
  2⤵
  PID:12568
- C:\Windows\System\lndmioa.exe
  C:\Windows\System\lndmioa.exe
  2⤵
  PID:12596
- C:\Windows\System\wLtYkKJ.exe
  C:\Windows\System\wLtYkKJ.exe
  2⤵
  PID:12624
- C:\Windows\System\iDthNBn.exe
  C:\Windows\System\iDthNBn.exe
  2⤵
  PID:12652
- C:\Windows\System\nxQduDB.exe
  C:\Windows\System\nxQduDB.exe
  2⤵
  PID:12680
- C:\Windows\System\KdgxENU.exe
  C:\Windows\System\KdgxENU.exe
  2⤵
  PID:12708
- C:\Windows\System\sQPZExb.exe
  C:\Windows\System\sQPZExb.exe
  2⤵
  PID:12736
- C:\Windows\System\bUBsXNN.exe
  C:\Windows\System\bUBsXNN.exe
  2⤵
  PID:12764
- C:\Windows\System\gynpcXL.exe
  C:\Windows\System\gynpcXL.exe
  2⤵
  PID:12792
- C:\Windows\System\ySowmhN.exe
  C:\Windows\System\ySowmhN.exe
  2⤵
  PID:12820
- C:\Windows\System\REgRrrA.exe
  C:\Windows\System\REgRrrA.exe
  2⤵
  PID:12848
- C:\Windows\System\PmnfoZG.exe
  C:\Windows\System\PmnfoZG.exe
  2⤵
  PID:12876
- C:\Windows\System\oLEqMwf.exe
  C:\Windows\System\oLEqMwf.exe
  2⤵
  PID:12904
- C:\Windows\System\hYMmVjO.exe
  C:\Windows\System\hYMmVjO.exe
  2⤵
  PID:12932
- C:\Windows\System\XNDMzdt.exe
  C:\Windows\System\XNDMzdt.exe
  2⤵
  PID:12960
- C:\Windows\System\doyoYYj.exe
  C:\Windows\System\doyoYYj.exe
  2⤵
  PID:12988
- C:\Windows\System\XqfOvPH.exe
  C:\Windows\System\XqfOvPH.exe
  2⤵
  PID:13016
- C:\Windows\System\OLZwKch.exe
  C:\Windows\System\OLZwKch.exe
  2⤵
  PID:13044
- C:\Windows\System\qlnEdkt.exe
  C:\Windows\System\qlnEdkt.exe
  2⤵
  PID:13072
- C:\Windows\System\CyUiGCv.exe
  C:\Windows\System\CyUiGCv.exe
  2⤵
  PID:13100
- C:\Windows\System\wVoHhgq.exe
  C:\Windows\System\wVoHhgq.exe
  2⤵
  PID:13128
- C:\Windows\System\gtheWWc.exe
  C:\Windows\System\gtheWWc.exe
  2⤵
  PID:13156
- C:\Windows\System\LWGBBcY.exe
  C:\Windows\System\LWGBBcY.exe
  2⤵
  PID:13184
- C:\Windows\System\tzaZvcc.exe
  C:\Windows\System\tzaZvcc.exe
  2⤵
  PID:13212
- C:\Windows\System\ZPGqbdU.exe
  C:\Windows\System\ZPGqbdU.exe
  2⤵
  PID:13244
- C:\Windows\System\zzHvtTW.exe
  C:\Windows\System\zzHvtTW.exe
  2⤵
  PID:13272
- C:\Windows\System\kSoFxjb.exe
  C:\Windows\System\kSoFxjb.exe
  2⤵
  PID:13300
- C:\Windows\System\UzYyVXw.exe
  C:\Windows\System\UzYyVXw.exe
  2⤵
  PID:12328
- C:\Windows\System\gNWQOCA.exe
  C:\Windows\System\gNWQOCA.exe
  2⤵
  PID:12392
- C:\Windows\System\lZWrVcm.exe
  C:\Windows\System\lZWrVcm.exe
  2⤵
  PID:12452
- C:\Windows\System\shypDqE.exe
  C:\Windows\System\shypDqE.exe
  2⤵
  PID:12524
- C:\Windows\System\mwQdsGh.exe
  C:\Windows\System\mwQdsGh.exe
  2⤵
  PID:12588
- C:\Windows\System\yMzvzYs.exe
  C:\Windows\System\yMzvzYs.exe
  2⤵
  PID:12648
- C:\Windows\System\geAPaLw.exe
  C:\Windows\System\geAPaLw.exe
  2⤵
  PID:12748
- C:\Windows\System\ELGGzdO.exe
  C:\Windows\System\ELGGzdO.exe
  2⤵
  PID:12784
- C:\Windows\System\DjaxeMQ.exe
  C:\Windows\System\DjaxeMQ.exe
  2⤵
  PID:12844
- C:\Windows\System\guuFFli.exe
  C:\Windows\System\guuFFli.exe
  2⤵
  PID:12916
- C:\Windows\System\ROVsbxi.exe
  C:\Windows\System\ROVsbxi.exe
  2⤵
  PID:12980
- C:\Windows\System\FAjbSgc.exe
  C:\Windows\System\FAjbSgc.exe
  2⤵
  PID:13036
- C:\Windows\System\BrgJdPE.exe
  C:\Windows\System\BrgJdPE.exe
  2⤵
  PID:13096
- C:\Windows\System\DaYzvSL.exe
  C:\Windows\System\DaYzvSL.exe
  2⤵
  PID:13168
- C:\Windows\System\uAEtJQO.exe
  C:\Windows\System\uAEtJQO.exe
  2⤵
  PID:13236
- C:\Windows\System\PShliBj.exe
  C:\Windows\System\PShliBj.exe
  2⤵
  PID:13296
- C:\Windows\System\cJzdjOf.exe
  C:\Windows\System\cJzdjOf.exe
  2⤵
  PID:12420
- C:\Windows\System\TeZpPSi.exe
  C:\Windows\System\TeZpPSi.exe
  2⤵
  PID:12564
- C:\Windows\System\cDbYijj.exe
  C:\Windows\System\cDbYijj.exe
  2⤵
  PID:12732
- C:\Windows\System\bWQNSVz.exe
  C:\Windows\System\bWQNSVz.exe
  2⤵
  PID:12872
- C:\Windows\System\JkTndII.exe
  C:\Windows\System\JkTndII.exe
  2⤵
  PID:13012
- C:\Windows\System\PuKUONw.exe
  C:\Windows\System\PuKUONw.exe
  2⤵
  PID:13152
- C:\Windows\System\uzVYRuR.exe
  C:\Windows\System\uzVYRuR.exe
  2⤵
  PID:3456
- C:\Windows\System\FFQDNoB.exe
  C:\Windows\System\FFQDNoB.exe
  2⤵
  PID:13232
- C:\Windows\System\IMlneUc.exe
  C:\Windows\System\IMlneUc.exe
  2⤵
  PID:12840
- C:\Windows\System\VUeDiaU.exe
  C:\Windows\System\VUeDiaU.exe
  2⤵
  PID:13224
- C:\Windows\System\pPReUYn.exe
  C:\Windows\System\pPReUYn.exe
  2⤵
  PID:12832
- C:\Windows\System\tRxKmoo.exe
  C:\Windows\System\tRxKmoo.exe
  2⤵
  PID:2072
- C:\Windows\System\fWZArmc.exe
  C:\Windows\System\fWZArmc.exe
  2⤵
  PID:1532
- C:\Windows\System\gEVyEDS.exe
  C:\Windows\System\gEVyEDS.exe
  2⤵
  PID:13148
- C:\Windows\System\mYGOkGi.exe
  C:\Windows\System\mYGOkGi.exe
  2⤵
  PID:13328
- C:\Windows\System\lMsPoel.exe
  C:\Windows\System\lMsPoel.exe
  2⤵
  PID:13356
- C:\Windows\System\RxTfPrU.exe
  C:\Windows\System\RxTfPrU.exe
  2⤵
  PID:13384
- C:\Windows\System\iofgmkf.exe
  C:\Windows\System\iofgmkf.exe
  2⤵
  PID:13412
- C:\Windows\System\zGnfYQx.exe
  C:\Windows\System\zGnfYQx.exe
  2⤵
  PID:13440
- C:\Windows\System\iJvwmpW.exe
  C:\Windows\System\iJvwmpW.exe
  2⤵
  PID:13468
- C:\Windows\System\YXkNdeA.exe
  C:\Windows\System\YXkNdeA.exe
  2⤵
  PID:13496
- C:\Windows\System\toTVEHw.exe
  C:\Windows\System\toTVEHw.exe
  2⤵
  PID:13524
- C:\Windows\System\iEXfeML.exe
  C:\Windows\System\iEXfeML.exe
  2⤵
  PID:13552
- C:\Windows\System\FByBrcF.exe
  C:\Windows\System\FByBrcF.exe
  2⤵
  PID:13580
- C:\Windows\System\CKJfszs.exe
  C:\Windows\System\CKJfszs.exe
  2⤵
  PID:13608
- C:\Windows\System\iNeHWYj.exe
  C:\Windows\System\iNeHWYj.exe
  2⤵
  PID:13636
- C:\Windows\System\HvGjpzy.exe
  C:\Windows\System\HvGjpzy.exe
  2⤵
  PID:13664
- C:\Windows\System\GFUfwDu.exe
  C:\Windows\System\GFUfwDu.exe
  2⤵
  PID:13692
- C:\Windows\System\GxGtWxs.exe
  C:\Windows\System\GxGtWxs.exe
  2⤵
  PID:13720
- C:\Windows\System\WXLvjMU.exe
  C:\Windows\System\WXLvjMU.exe
  2⤵
  PID:13748
- C:\Windows\System\XJKKBsl.exe
  C:\Windows\System\XJKKBsl.exe
  2⤵
  PID:13776
- C:\Windows\System\eoPZkYL.exe
  C:\Windows\System\eoPZkYL.exe
  2⤵
  PID:13804
- C:\Windows\System\FuxkSuR.exe
  C:\Windows\System\FuxkSuR.exe
  2⤵
  PID:13832
- C:\Windows\System\CFwjpFP.exe
  C:\Windows\System\CFwjpFP.exe
  2⤵
  PID:13860
- C:\Windows\System\SgyXjzt.exe
  C:\Windows\System\SgyXjzt.exe
  2⤵
  PID:13888
- C:\Windows\System\FnAGgmU.exe
  C:\Windows\System\FnAGgmU.exe
  2⤵
  PID:13916
- C:\Windows\System\EaRPgfQ.exe
  C:\Windows\System\EaRPgfQ.exe
  2⤵
  PID:13944
- C:\Windows\System\HUafCrn.exe
  C:\Windows\System\HUafCrn.exe
  2⤵
  PID:13972
- C:\Windows\System\vTshmWI.exe
  C:\Windows\System\vTshmWI.exe
  2⤵
  PID:14000
- C:\Windows\System\zjiphUD.exe
  C:\Windows\System\zjiphUD.exe
  2⤵
  PID:14028
- C:\Windows\System\JSplKFS.exe
  C:\Windows\System\JSplKFS.exe
  2⤵
  PID:14056
- C:\Windows\System\evacEqZ.exe
  C:\Windows\System\evacEqZ.exe
  2⤵
  PID:14084
- C:\Windows\System\eoglDnH.exe
  C:\Windows\System\eoglDnH.exe
  2⤵
  PID:14116
- C:\Windows\System\dmHjAdX.exe
  C:\Windows\System\dmHjAdX.exe
  2⤵
  PID:14144
- C:\Windows\System\PpbENkb.exe
  C:\Windows\System\PpbENkb.exe
  2⤵
  PID:14172
- C:\Windows\System\EBIynLg.exe
  C:\Windows\System\EBIynLg.exe
  2⤵
  PID:14200
- C:\Windows\System\yqfuyJa.exe
  C:\Windows\System\yqfuyJa.exe
  2⤵
  PID:14228
- C:\Windows\System\AEjmhiW.exe
  C:\Windows\System\AEjmhiW.exe
  2⤵
  PID:14260
- C:\Windows\System\wOSgOWA.exe
  C:\Windows\System\wOSgOWA.exe
  2⤵
  PID:14288
- C:\Windows\System\WfzsMJG.exe
  C:\Windows\System\WfzsMJG.exe
  2⤵
  PID:14316
- C:\Windows\System\fOmOVwn.exe
  C:\Windows\System\fOmOVwn.exe
  2⤵
  PID:13324
- C:\Windows\System\oeymvVe.exe
  C:\Windows\System\oeymvVe.exe
  2⤵
  PID:2000
- C:\Windows\System\jjlxOYd.exe
  C:\Windows\System\jjlxOYd.exe
  2⤵
  PID:13424
- C:\Windows\System\PQEnwlv.exe
  C:\Windows\System\PQEnwlv.exe
  2⤵
  PID:13488
- C:\Windows\System\zBDJBZj.exe
  C:\Windows\System\zBDJBZj.exe
  2⤵
  PID:13548
- C:\Windows\System\feswuZU.exe
  C:\Windows\System\feswuZU.exe
  2⤵
  PID:13620
- C:\Windows\System\xCSUsAy.exe
  C:\Windows\System\xCSUsAy.exe
  2⤵
  PID:13684
- C:\Windows\System\bpTTFHL.exe
  C:\Windows\System\bpTTFHL.exe
  2⤵
  PID:13788
- C:\Windows\System\gwryObJ.exe
  C:\Windows\System\gwryObJ.exe
  2⤵
  PID:13824
- C:\Windows\System\HHKgSuh.exe
  C:\Windows\System\HHKgSuh.exe
  2⤵
  PID:13884
- C:\Windows\System\HcpXnUx.exe
  C:\Windows\System\HcpXnUx.exe
  2⤵
  PID:13940
- C:\Windows\System\lpXAfHX.exe
  C:\Windows\System\lpXAfHX.exe
  2⤵
  PID:4964
- C:\Windows\System\cxFXlnK.exe
  C:\Windows\System\cxFXlnK.exe
  2⤵
  PID:13984
- C:\Windows\System\YFjswaB.exe
  C:\Windows\System\YFjswaB.exe
  2⤵
  PID:4380
- C:\Windows\System\RLHJhSh.exe
  C:\Windows\System\RLHJhSh.exe
  2⤵
  PID:3948
- C:\Windows\System\byqLARA.exe
  C:\Windows\System\byqLARA.exe
  2⤵
  PID:14080
- C:\Windows\System\cFHrhyg.exe
  C:\Windows\System\cFHrhyg.exe
  2⤵
  PID:3112
- C:\Windows\System\iskgZDr.exe
  C:\Windows\System\iskgZDr.exe
  2⤵
  PID:1040
- C:\Windows\System\cihxCmd.exe
  C:\Windows\System\cihxCmd.exe
  2⤵
  PID:14196
- C:\Windows\System\QLYxwSw.exe
  C:\Windows\System\QLYxwSw.exe
  2⤵
  PID:14224
- C:\Windows\System\tAOKhyq.exe
  C:\Windows\System\tAOKhyq.exe
  2⤵
  PID:14284
- C:\Windows\System\xrQqseZ.exe
  C:\Windows\System\xrQqseZ.exe
  2⤵
  PID:14312
- C:\Windows\System\FsmXQwM.exe
  C:\Windows\System\FsmXQwM.exe
  2⤵
  PID:13352
- C:\Windows\System\MWswrpr.exe
  C:\Windows\System\MWswrpr.exe
  2⤵
  PID:2980
- C:\Windows\System\DPMZDev.exe
  C:\Windows\System\DPMZDev.exe
  2⤵
  PID:1264
- C:\Windows\System\qLQgUUt.exe
  C:\Windows\System\qLQgUUt.exe
  2⤵
  PID:13576
- C:\Windows\System\HFyggMt.exe
  C:\Windows\System\HFyggMt.exe
  2⤵
  PID:13676
- C:\Windows\System\fJONxAF.exe
  C:\Windows\System\fJONxAF.exe
  2⤵
  PID:408
- C:\Windows\System\FmZZKol.exe
  C:\Windows\System\FmZZKol.exe
  2⤵
  PID:4204
- C:\Windows\System\oFOwmRs.exe
  C:\Windows\System\oFOwmRs.exe
  2⤵
  PID:13880
- C:\Windows\System\IbbrEKz.exe
  C:\Windows\System\IbbrEKz.exe
  2⤵
  PID:4264
- C:\Windows\System\vnZGQhj.exe
  C:\Windows\System\vnZGQhj.exe
  2⤵
  PID:4372
- C:\Windows\System\YycZcfI.exe
  C:\Windows\System\YycZcfI.exe
  2⤵
  PID:3180
- C:\Windows\System\PuXuAtB.exe
  C:\Windows\System\PuXuAtB.exe
  2⤵
  PID:2552
- C:\Windows\System\tZgtIYI.exe
  C:\Windows\System\tZgtIYI.exe
  2⤵
  PID:14140
- C:\Windows\System\cJIOjSr.exe
  C:\Windows\System\cJIOjSr.exe
  2⤵
  PID:1272
- C:\Windows\System\sjTDAoo.exe
  C:\Windows\System\sjTDAoo.exe
  2⤵
  PID:2884
- C:\Windows\System\OJVZaCd.exe
  C:\Windows\System\OJVZaCd.exe
  2⤵
  PID:1712
- C:\Windows\System\MRlTUkX.exe
  C:\Windows\System\MRlTUkX.exe
  2⤵
  PID:836
- C:\Windows\System\RvuZQGM.exe
  C:\Windows\System\RvuZQGM.exe
  2⤵
  PID:2300
- C:\Windows\System\YKkZSix.exe
  C:\Windows\System\YKkZSix.exe
  2⤵
  PID:3516
- C:\Windows\System\giAbIUu.exe
  C:\Windows\System\giAbIUu.exe
  2⤵
  PID:1324
- C:\Windows\System\rDhBzsb.exe
  C:\Windows\System\rDhBzsb.exe
  2⤵
  PID:13772
- C:\Windows\System\vDADPcc.exe
  C:\Windows\System\vDADPcc.exe
  2⤵
  PID:708
- C:\Windows\System\CJBMnze.exe
  C:\Windows\System\CJBMnze.exe
  2⤵
  PID:1872
- C:\Windows\System\iKQnMCM.exe
  C:\Windows\System\iKQnMCM.exe
  2⤵
  PID:2600
- C:\Windows\System\UpTKtFq.exe
  C:\Windows\System\UpTKtFq.exe
  2⤵
  PID:2520
- C:\Windows\System\QFduhWW.exe
  C:\Windows\System\QFduhWW.exe
  2⤵
  PID:4388
- C:\Windows\System\qnkJqxM.exe
  C:\Windows\System\qnkJqxM.exe
  2⤵
  PID:14220
- C:\Windows\System\uVlBSyx.exe
  C:\Windows\System\uVlBSyx.exe
  2⤵
  PID:3400
- C:\Windows\System\PPNhTCh.exe
  C:\Windows\System\PPNhTCh.exe
  2⤵
  PID:536
- C:\Windows\System\BxQKiJE.exe
  C:\Windows\System\BxQKiJE.exe
  2⤵
  PID:3032
- C:\Windows\System\lWOYVEP.exe
  C:\Windows\System\lWOYVEP.exe
  2⤵
  PID:1328
- C:\Windows\System\BCuRLNA.exe
  C:\Windows\System\BCuRLNA.exe
  2⤵
  PID:3460
- C:\Windows\System\oOyuRVG.exe
  C:\Windows\System\oOyuRVG.exe
  2⤵
  PID:14128
- C:\Windows\System\BgyEGxb.exe
  C:\Windows\System\BgyEGxb.exe
  2⤵
  PID:14300
- C:\Windows\System\eESVUSo.exe
  C:\Windows\System\eESVUSo.exe
  2⤵
  PID:1812
- C:\Windows\System\ZzXDXIk.exe
  C:\Windows\System\ZzXDXIk.exe
  2⤵
  PID:4612
- C:\Windows\System\NlgCFLa.exe
  C:\Windows\System\NlgCFLa.exe
  2⤵
  PID:2004
- C:\Windows\System\KEDwlne.exe
  C:\Windows\System\KEDwlne.exe
  2⤵
  PID:5212
- C:\Windows\System\lwFJdXR.exe
  C:\Windows\System\lwFJdXR.exe
  2⤵
  PID:5228
- C:\Windows\System\gEFIBYJ.exe
  C:\Windows\System\gEFIBYJ.exe
  2⤵
  PID:3824
- C:\Windows\System\iefiMTJ.exe
  C:\Windows\System\iefiMTJ.exe
  2⤵
  PID:5260
- C:\Windows\System\NzyUFof.exe
  C:\Windows\System\NzyUFof.exe
  2⤵
  PID:5268
- C:\Windows\System\TgauJTV.exe
  C:\Windows\System\TgauJTV.exe
  2⤵
  PID:5296
- C:\Windows\System\bTmkaqm.exe
  C:\Windows\System\bTmkaqm.exe
  2⤵
  PID:5328
- C:\Windows\System\zjsITuA.exe
  C:\Windows\System\zjsITuA.exe
  2⤵
  PID:5460
- C:\Windows\System\rhhZaIY.exe
  C:\Windows\System\rhhZaIY.exe
  2⤵
  PID:14356
- C:\Windows\System\jdAfnkV.exe
  C:\Windows\System\jdAfnkV.exe
  2⤵
  PID:14384
- C:\Windows\System\njgiDaZ.exe
  C:\Windows\System\njgiDaZ.exe
  2⤵
  PID:14412
- C:\Windows\System\piaUlBy.exe
  C:\Windows\System\piaUlBy.exe
  2⤵
  PID:14440

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:14788
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:14936

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:15340

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6032

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5808

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7404

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:9708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:10680

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6832

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4604

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6020

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5900

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:2896

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7792

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7264

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9148

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11492

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9664

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10164

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10256

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10712

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6516

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11276

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2640

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10096

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5168

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6396

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1532

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5644

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14596

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:15304

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5572

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8928

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12028

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5828

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6380

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12436

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8568

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13180

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\QYLSGBRE\microsoft.windows[1].xml

Filesize
97B

MD5
bcfc637d71de995845ab604d45d85a63

SHA1
9c61f2a58eac7a938f1d2846fc1949d4a9dd9e5e

SHA256
7562f5f17076bce0f9c56eddd3331e2a89ebc97ff12ac5703371e7e8570250b4

SHA512
214eda9024d4bc9135ead531f2db440323606b156f813a8883ca71888e6e2756b97c40981f024c2625df3ced5b49abf8203d1e1baaecaea3a4aecaed0c2cea6a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133828648021423449.txt

Filesize
75KB

MD5
e14d1036af872125cc58a2dd3a6c154d

SHA1
c20bb390835a3e25d069d9092a01d4dd437f0421

SHA256
8d613afdce5d2e75e8ad8c8bf8fc1a5310f94c859baedc365a77ddd34d72d234

SHA512
a242be3257b4e9accc28edb867fc108f895cbe97bba2e01bfb61f883478823ba49bbf38e11a5656f582c7aac59a58d4af3576eba45a3894ef16f642e6cd0eac2

Download Submit
C:\Windows\System\BocjLwJ.exe

Filesize
6.0MB

MD5
bf95e5c719112cc5a8e2f254eb8c86ca

SHA1
f3e2302c528c332cc707d07748ef58dc04993fb8

SHA256
3050ea62eb811e755814f5f00748cdb03f3ac5bd4263f8e83990a11c1fef3ed3

SHA512
f41815114f88277b2c15129b69809a55fdb2c849b8ff614260ecde1f22acd07325539e6fa438020c63c15abe3ff07e698ab85bdad6e05c837e3781f1b37a1a6a

Download Submit
C:\Windows\System\CSgTAtd.exe

Filesize
6.0MB

MD5
accbe27b78220f9166c1f0eb00207c95

SHA1
b5c2bb2ab93184111c71238b70f8d609280a4dbe

SHA256
152fedfee5819d4003c1b39b13b672e4b89c010d14352b9adc0b105ae931976e

SHA512
c164f8a151f164889f8a385414e08971500ca084a4d6aa2dfe874432687ac07fbe315b99a61135b7c80a4eae49154891ad4be1ffec92f59e1101e5b389dbdfc4

Download Submit
C:\Windows\System\Cfyjheh.exe

Filesize
6.0MB

MD5
6135a213ef7626a2f64298dbbf8c3ab1

SHA1
ccf27c7d1263228724f8fb6d736160038d784b16

SHA256
ecc5bb8cc3d09bcd3752d59367723687a63fc59b8c35723decb1c96bf5597783

SHA512
bc3c8982bb9d4ad528bdff9df767d9b9eb934bf885e67353b9d10143d6e687839fce8d070cef517ef160be82fd3de3067da743e8743af1fc0ca35202124ad874

Download Submit
C:\Windows\System\DWQtEFL.exe

Filesize
6.0MB

MD5
421505d2709ace212fc606d5338d8570

SHA1
13e1067f806dae46532abfc34011ff4e39c98657

SHA256
cc3ea5de819517527e6f91d5c68b28ed6be8680c10b8b0529d98ee4328e3fc21

SHA512
613c14af9edbb20116e1c091639adda4e194ead0b09b56f6ee772952f465a4a0fa8730919a30528b90c0da0477b46093a40a0649c0e314bf5ac4bd084c4beecb

Download Submit
C:\Windows\System\FNciIyr.exe

Filesize
6.0MB

MD5
37b438760098cf4ad851f5db6336e31a

SHA1
45d9a2ef867d4ff869587f225c7ca17c9291de3e

SHA256
4d48f4613ddfbfe00d8b166a22b5b74ad30e9a231db7a36459e3dba1f7679077

SHA512
e89320a68654f7c660dc754880a755b65b543f2cbb28f6127e252346632d8e5f4ae301634bd441841e1073fe6a069e402e602054a8512c2be061101e7bf67abf

Download Submit
C:\Windows\System\IHRJOGi.exe

Filesize
6.0MB

MD5
b943782a10a985264cf46239b976c244

SHA1
24698887a668f7f7604c9ca476e60916eea97212

SHA256
46fd7893725d572cae5c24bbc6340ee8d5209c924e271263eba0361a86742a3b

SHA512
e5e079303af8daf6b8c5a0fa353139dbc136030a0ca417aa4e695b900f19a98cfde87353d20ff8d3bf8eac4bcb9389527fcde8f560a40d1d2c434bc4b5ffb3ff

Download Submit
C:\Windows\System\IIZSoXR.exe

Filesize
6.0MB

MD5
08998c04f4fdacd92746efe030632a5a

SHA1
d6d8f4be6ca03fb89ed17094a571f17e6f6c9228

SHA256
e6d55583b664f8c838b22777bbb5d07b789e89d7e6c087bbd8ee263628de4903

SHA512
728ca528d9ad9b0d6116cae226802e0da5015b56c22505622b2dd50a0b51bcba9e295f4e2757d71daf5b637034e69ceee50f5b818eca184c0d2306787dc3f50b

Download Submit
C:\Windows\System\LOevird.exe

Filesize
6.0MB

MD5
3b2c26bf82ade00dcf2ffd3ce4b3eb01

SHA1
92e587c6eb1c2b1004eceb2a595beed9042e464c

SHA256
bbb195212c394eac16fec2cc734025433dee88681411101172718cbc4ab8bbd1

SHA512
2e9f405f4b5083f830388fdeaa9b20a1e5a0ccb21b2282e6e44a9bd9baa4e40937d329660d252f5f7636419d44c78e041369ffecaa343fe8dd0fb3e4b53acaf9

Download Submit
C:\Windows\System\MxLrnxN.exe

Filesize
6.0MB

MD5
8649c1f3b6ee12fcdc991b23bb9f2398

SHA1
98ffcae1642581fe9cf3794ec8ab8bee89f2ce4a

SHA256
c4b7f6ac8252cc76776a1db31016b2dd52d5a3c2c58758d2e98a4cf19c14a0d6

SHA512
517d542c8857889ee620c8ced38c104e856a4c670b00f1ff14ac91e3efa68422241cd4ddc8e6e5c39a0b52009df555bae226c56cc7e3ced9d2c52124c0e345dd

Download Submit
C:\Windows\System\NDQnDqT.exe

Filesize
6.0MB

MD5
fadaf2417aec69bb1fde6458e6c93865

SHA1
db6e0aaee46f39b2551d8055f7b7ddb5d132916a

SHA256
237ad38275766ed8f38ba7da36271fb3168529bdca7fa2b4fb9fb3ddaf6cf0fc

SHA512
5141e74ac42a4b9b213b4ec447e490ead94c90fa6d4164af07cf70a199f9b687c74f9f11a2c75a237ce65b4bf54535a676e9771893377e999f48db47f5c6fba3

Download Submit
C:\Windows\System\SSsYvhC.exe

Filesize
6.0MB

MD5
457adda21e9626dc575ed5667531d8c6

SHA1
69f8e0659872f46d5af6a3a1b148186f1142d4df

SHA256
56bd60a0a06d3d8591120c4e31a09cda4e2be320362eb3698145eb976fe7bc64

SHA512
0823bd94f84be9bf37540a1d856dbee575c6232cea1fc23dd61f2e2e113e233c38d59231eaa2b7f8280750ee64e17a9612a266bc7de5538d88c1f32db24a96fc

Download Submit
C:\Windows\System\VNdSqsv.exe

Filesize
6.0MB

MD5
ead213f9058267d6113f4b7b5f61fda7

SHA1
600153c26470316097cdb54d86aded30fb27697f

SHA256
b568f92984b1cae1311ee245a44fdc76a7a724fbb293f56500fa8679a1885fe0

SHA512
5ee6de3474c7cb419aced276579fa4fa4d6a5f16dfc002b7faaa44bb61e770f76451c73ee403231329be256738c36f66efce3e19c917a77591788addd1b6ca0c

Download Submit
C:\Windows\System\VaKTRjG.exe

Filesize
6.0MB

MD5
d62fc123465789cb75f443a80ec47aaa

SHA1
be38532bd9f7ca9c5fc5b0d2d25034c784f1bc33

SHA256
1bb41276b2444ab36e03f9336f3fca0b9a0ad82a68d1be229687d678d6b901e8

SHA512
55bd510b995725441fb28223becef73f6a62bcb029cdbd93d373236fc7690e1d41397c37be51024f667d7805416034d2b392f22c540462dc6d0cc39f81bfb72f

Download Submit
C:\Windows\System\WabbrzS.exe

Filesize
6.0MB

MD5
0638cef95f2d73c0f4300b75d46f265b

SHA1
49b4e3468d40529f40cd98217f728197a1572efe

SHA256
a3fe186c6cf40e0c1077db36e0172548044be8e8fd60d074727e2c17a613b44d

SHA512
98342db018ad36176bc6da3b6ebc236c05208ef583aa6086d9738234a0f5ec6d4bbdc30807f128b9f388384531f615b250f937d1ae2e402cfc4ea43afa4b5860

Download Submit
C:\Windows\System\XGqncWq.exe

Filesize
6.0MB

MD5
7df54e4cf6bc0c82585da5242ff47fc9

SHA1
24476765663854350de7e5a241fbeb4cbe59ffdf

SHA256
716c042adbb5ee5954c8590aec1e107688666e2f70726ad2a029c782b775741a

SHA512
1a822977890a3d8c198aeaf5afda9817f2e117b9442eb68f2da51ee4cd81bb9cc6ca8f183b7c7d8bbda4bcc16a360b38bc9a81afa593e3b2394cd31aa51d8163

Download Submit
C:\Windows\System\YLbeiyK.exe

Filesize
6.0MB

MD5
4371c60d286b7c8cc9cfe4514378d92e

SHA1
b7a166ae010c5f61b95105eaa9200371fbc6c30d

SHA256
4b73defc2a6ee9ac8523962f4ade4ec1c76f5f9e8b53c3c1b34ee6554307b312

SHA512
3af13dd2a0fc52590d67164d6158c599f80c28cc0dfaf864e4b5fe8c1fd59897a29be0a1b275a31bcf114518b27fe3baa2e64776f084091e2e92ca88fded7fb9

Download Submit
C:\Windows\System\bYTGpiV.exe

Filesize
6.0MB

MD5
c015b088ab0d664b5ccb00b2b7e2d584

SHA1
47daa9e5f1d0e264170040b700e75eb81025b25e

SHA256
0f22cfd4a98c76d1a2e38636f6a53a3c5fe4a9eba09c8c4f19f60d672ad10b3e

SHA512
2a4c7886cb13125708a507de4c85a183933fe2145d213efcfbc902d05a78adbb60230052b27f8839951fde23253237a98772702ee0c22047d634bebbfcb18e79

Download Submit
C:\Windows\System\cQdaVmF.exe

Filesize
6.0MB

MD5
5d348190deb1ec4397d6fbb71f4b0b48

SHA1
4edd2f606e897143cc75f37f5a75574808bec8c7

SHA256
c46abfb0ea759e6bd1e768b572554eb321a910876f23864c4d637dc971d8f990

SHA512
71a19245c258e4471be23536c4d84f43ac97b1e5dadd6d0ca8d731aa4ba6a2b724d95ffffe9f3a292b9ca2cd8b4cdcedf715b8a955d84cb187262a7475ca5467

Download Submit
C:\Windows\System\ciqdFho.exe

Filesize
6.0MB

MD5
6eaf93746ebbd95015bf309006ddbc41

SHA1
f6a7e4b52b11c2d8228432af29d421cdd201bb83

SHA256
cfd95b74552f5afa715eb929d8a7b54edeccebf5819a6d86ae9b0cbd3dde63ea

SHA512
e9035ad5b51407dcff8769e0b76dfc0341629ad2eee28cb558d3b7e5a660c5e68dcb365bbd263d838ee5ec0e56028af8536ef6d53d439e194227adef230bebff

Download Submit
C:\Windows\System\fxdyMEk.exe

Filesize
6.0MB

MD5
4a4348d816723e33ff62472ea3ee06b9

SHA1
97bf63f6546597bf6ed42fe54f1df62af437ffb1

SHA256
694914efcb29ad24e7c935bc387005b1158982ba753f30615d68f4673e0f6da4

SHA512
f6baab53440f4ac293c2848f42ce6273f4235f54bb8d457c4f0216013d717a0317704cfc100a5e48c16fdf3f0c8274a88798325990885c74b8b8d991986a30b9

Download Submit
C:\Windows\System\iVtzMRO.exe

Filesize
6.0MB

MD5
411f9f727769cd6b0759d1a834c8a24c

SHA1
6fcb8cf742685a375bf758979d54eda12d9b54a6

SHA256
fa013e7cfa35d27a4c7c1b39a2d9dd0411069d0ebe9423c33608513b6366cbdc

SHA512
444e72bcc29118866ee1cc5653379b9509f829755cbe5d23a9528f872d61ce32bf1a5e2a3a8b4d8d9f331efe26c497c577c88509388a3ff5acada8bec116bbb2

Download Submit
C:\Windows\System\ijbhHzd.exe

Filesize
6.0MB

MD5
421f2765442a345e13c6c32e5f19b15f

SHA1
deea6d0d255d129c5c201de5dea4864054618848

SHA256
b0fc0234706982c9d56e34dfd10993bbbb6343a26ed9f620595f7332d0c05d92

SHA512
c0355ca61ec0cf012d46da903ae43d453a659b1e1ef94c9dcf890443142cfedbf8940e582a179399fb97c284504d9ee82f89c2684ebf048d47f1ac444b3a3534

Download Submit
C:\Windows\System\iygNylg.exe

Filesize
6.0MB

MD5
6ff92789cf129d41881ece1b30295f84

SHA1
ee1d6702c8e924930f531a3e7801b15b0362cf47

SHA256
27b84b95a470588e7c727a9be337425d491b5edc143f59c6b5ff8f4a073f0ff3

SHA512
99d7737143669893d7a48e66397f9628326b8020116bead520d3e56e9909c7d6159f09905885e110cf316b226375ac75e94756f45166b0c2e7da3749647fc586

Download Submit
C:\Windows\System\jbNBDga.exe

Filesize
6.0MB

MD5
9edd0e4b771937b41496673f9c210329

SHA1
294b9c4b5cce598e79ad0f4fd1e63476d9893f14

SHA256
7914cf7d0e2c29d11541c960d0714f2c5e704d6b98e1afda70526c490d52f7c8

SHA512
b391aa9cc6622be423fcfa9eb31dc306a4a10420321a056f05b7970a2b0cfb912f90f62b7dbc04d60c782f019fa4cd2aa171dc0bf50647bb80765e35a739c565

Download Submit
C:\Windows\System\oHtJIta.exe

Filesize
6.0MB

MD5
ec5f4d65b480519d3b506b49505143a0

SHA1
5ab4e96a99bfb839bbdd83691920e9eee93c410a

SHA256
4fb2aaf57026dc0f5692d5c689fe512bfb36dacdb2ddfa949fde68f0a29214d6

SHA512
f42460ab419ebce62a2a1ec442dc36b245d27675e8173f944f8462f55730db0c1e44c1b44dee710a6235526e3556130d45df13dd6af68d03369faa940b9a9c79

Download Submit
C:\Windows\System\oLWzRHT.exe

Filesize
6.0MB

MD5
d1c509bc2f13818e0df3d6791a263cde

SHA1
0d81f0b9286cc566d8dfa69b4b507b7b2b0809eb

SHA256
8bf523c359d00423fe6710dfc3dc126619cab6a03c42e174cc56ee42a6dac7e5

SHA512
11ee9100f8e059f218e6c98ff58c5a8779ef3394ddf88b49aca9cf9c6c5d56ec9da3b205022e5640e63f16823e49e82cdab8b05826f41aa2fc9150f64ede3465

Download Submit
C:\Windows\System\pASJgVU.exe

Filesize
6.0MB

MD5
e3c45610a32e9bc05a050584e509b937

SHA1
fd0d995ffc82b357ea769e4bab1950ed34849215

SHA256
29c01a1ec0dd0ec1999862f43baf666fa7d7f5151acb9245cca27fe9e826fdea

SHA512
8c3b21c9bba8117a926784d7646f1e7b06964aa3867cfa2c1c7754f130870e896893d33015c690dff4f012f3584ef5eba89fdaba0174871f4c7c8212db834e3d

Download Submit
C:\Windows\System\rOmHwJw.exe

Filesize
6.0MB

MD5
410ac78757c41d6929f8e724972a2122

SHA1
f40d6c3cc03505c51432b8496e98d6a7bed82cec

SHA256
3b7d51f6051dfa6d02809774b14c1f40ba476f3eab1970b60e08bc07466f1bb8

SHA512
2097185318afd45d70232a7e59b67ab53689f29c69764cdcc1df2fe9265656a985aff08cc35a20b9e56b3b38c643fd9098143a8a2a57039ec7bb1ecfb970a44e

Download Submit
C:\Windows\System\uMNAxrG.exe

Filesize
6.0MB

MD5
185e5af1f6d05d1bb4d0803260b3cc7b

SHA1
058cee6ef75901cf610a4bdde4d5c41c32dc3873

SHA256
bb243cae3680ba4b39b51fd4346751ac8ff23510b0123f08896ea6f7b2243693

SHA512
99f2d15736b9955979e26028746b3243c03c331f016a2f11848b28b19b644c75f1ca9523034335a52e50a0387bfb93f59f3c1455746ad8178cf6ffb8fa4048f3

Download Submit
C:\Windows\System\uVfMvXB.exe

Filesize
6.0MB

MD5
78e2d83484855fe053f6fd86bd2c6bd5

SHA1
0703cc1381c597ab1b7c456c54771d6fbf271e22

SHA256
11e8cfd89b43e3d557503565f9070a89f6f6f71eca88fc5d387f12f75da39cbc

SHA512
3deeae4f361e30616ddbad46269a9a5d1370365313c03fb4e8a635f2859a8c9013727e21a041ebb46f34ee4f29fdf72dce2712d90648bda5e90aa45975d64671

Download Submit
C:\Windows\System\wHQQVJc.exe

Filesize
6.0MB

MD5
8a2db9af9ac86a38d2eca6d1a17a756e

SHA1
df60185cdd1431a5e4fc00206681e97f6905b05c

SHA256
4151f331e636198e43097e1632548b3ff88a3922fcf7f548db068de7d5cd02bd

SHA512
0d7a3e14ac67fee397dde3f65836eb938c20dafc5ad3beb3059594899d452439756c8a7390773d8b738ee0eaf48c943458e3fb5a37d3aa815f4103841b7fcd6d

Download Submit
C:\Windows\System\wxfRqQj.exe

Filesize
6.0MB

MD5
0d54ab337a40f83d7aa477f972e07ed5

SHA1
13f337de65a80df8518e7c7c9a114b29ee19f856

SHA256
c336c936efb11ed42f50197f29b5bc674b799a39c2fa51b37d92e56fa9041d11

SHA512
e8f567e18a4815c73b4ee0c2ca2f170df2086da3700d7d3b8c694d42d9cb4e9ec9f64cee95cf2e58c97cc576f249d7b9dad8e9df729f4e69644683c6f53863f6

Download Submit
C:\Windows\System\xTbpXKz.exe

Filesize
6.0MB

MD5
fabb20c70590d9cf9ced26f055b6f2df

SHA1
d0398612e8a87beae3d6d016c76f57a389646b5c

SHA256
1a084658ce9edd818a20236d3ce6ee4eb8442ea0d8f787ee7d1bbbc01bd74ead

SHA512
b0c96b844479958973445f1d23c4bf085a1df4bea526660a123d5d62f4d198225526958e8dfe8195af46a2f9cc2655cfad24e8f9621a4d6de8edae9a7ec58006

Download Submit
memory/392-1573-0x00007FF6D98C0000-0x00007FF6D9C14000-memory.dmp

Filesize
3.3MB

Download
memory/392-143-0x00007FF6D98C0000-0x00007FF6D9C14000-memory.dmp

Filesize
3.3MB

Download
memory/396-153-0x00007FF6477C0000-0x00007FF647B14000-memory.dmp

Filesize
3.3MB

Download
memory/396-1583-0x00007FF6477C0000-0x00007FF647B14000-memory.dmp

Filesize
3.3MB

Download
memory/444-170-0x00007FF7639F0000-0x00007FF763D44000-memory.dmp

Filesize
3.3MB

Download
memory/444-1612-0x00007FF7639F0000-0x00007FF763D44000-memory.dmp

Filesize
3.3MB

Download
memory/764-1575-0x00007FF61BDC0000-0x00007FF61C114000-memory.dmp

Filesize
3.3MB

Download
memory/764-149-0x00007FF61BDC0000-0x00007FF61C114000-memory.dmp

Filesize
3.3MB

Download
memory/1240-1599-0x00007FF64EE10000-0x00007FF64F164000-memory.dmp

Filesize
3.3MB

Download
memory/1240-164-0x00007FF64EE10000-0x00007FF64F164000-memory.dmp

Filesize
3.3MB

Download
memory/1652-176-0x00007FF6144B0000-0x00007FF614804000-memory.dmp

Filesize
3.3MB

Download
memory/1652-1622-0x00007FF6144B0000-0x00007FF614804000-memory.dmp

Filesize
3.3MB

Download
memory/1660-1574-0x00007FF76DAE0000-0x00007FF76DE34000-memory.dmp

Filesize
3.3MB

Download
memory/1660-142-0x00007FF76DAE0000-0x00007FF76DE34000-memory.dmp

Filesize
3.3MB

Download
memory/1660-592-0x00007FF76DAE0000-0x00007FF76DE34000-memory.dmp

Filesize
3.3MB

Download
memory/1716-177-0x00007FF6041B0000-0x00007FF604504000-memory.dmp

Filesize
3.3MB

Download
memory/1716-1620-0x00007FF6041B0000-0x00007FF604504000-memory.dmp

Filesize
3.3MB

Download
memory/1944-1554-0x00007FF776110000-0x00007FF776464000-memory.dmp

Filesize
3.3MB

Download
memory/1944-24-0x00007FF776110000-0x00007FF776464000-memory.dmp

Filesize
3.3MB

Download
memory/1944-463-0x00007FF776110000-0x00007FF776464000-memory.dmp

Filesize
3.3MB

Download
memory/2056-1618-0x00007FF7751A0000-0x00007FF7754F4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-168-0x00007FF7751A0000-0x00007FF7754F4000-memory.dmp

Filesize
3.3MB

Download
memory/2144-0-0x00007FF79DEF0000-0x00007FF79E244000-memory.dmp

Filesize
3.3MB

Download
memory/2144-338-0x00007FF79DEF0000-0x00007FF79E244000-memory.dmp

Filesize
3.3MB

Download
memory/2144-1-0x000001FFAD940000-0x000001FFAD950000-memory.dmp

Filesize
64KB

Download
memory/2312-1613-0x00007FF707030000-0x00007FF707384000-memory.dmp

Filesize
3.3MB

Download
memory/2312-169-0x00007FF707030000-0x00007FF707384000-memory.dmp

Filesize
3.3MB

Download
memory/2364-150-0x00007FF6FC380000-0x00007FF6FC6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-1579-0x00007FF6FC380000-0x00007FF6FC6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2472-1607-0x00007FF729440000-0x00007FF729794000-memory.dmp

Filesize
3.3MB

Download
memory/2472-167-0x00007FF729440000-0x00007FF729794000-memory.dmp

Filesize
3.3MB

Download
memory/2508-1595-0x00007FF6F99E0000-0x00007FF6F9D34000-memory.dmp

Filesize
3.3MB

Download
memory/2508-163-0x00007FF6F99E0000-0x00007FF6F9D34000-memory.dmp

Filesize
3.3MB

Download
memory/2748-173-0x00007FF7D94C0000-0x00007FF7D9814000-memory.dmp

Filesize
3.3MB

Download
memory/2748-1611-0x00007FF7D94C0000-0x00007FF7D9814000-memory.dmp

Filesize
3.3MB

Download
memory/2788-180-0x00007FF66E560000-0x00007FF66E8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2788-1615-0x00007FF66E560000-0x00007FF66E8B4000-memory.dmp

Filesize
3.3MB

Download
memory/3092-1616-0x00007FF732270000-0x00007FF7325C4000-memory.dmp

Filesize
3.3MB

Download
memory/3092-171-0x00007FF732270000-0x00007FF7325C4000-memory.dmp

Filesize
3.3MB

Download
memory/3120-1614-0x00007FF69FBE0000-0x00007FF69FF34000-memory.dmp

Filesize
3.3MB

Download
memory/3120-175-0x00007FF69FBE0000-0x00007FF69FF34000-memory.dmp

Filesize
3.3MB

Download
memory/3440-1552-0x00007FF60CC80000-0x00007FF60CFD4000-memory.dmp

Filesize
3.3MB

Download
memory/3440-14-0x00007FF60CC80000-0x00007FF60CFD4000-memory.dmp

Filesize
3.3MB

Download
memory/3440-397-0x00007FF60CC80000-0x00007FF60CFD4000-memory.dmp

Filesize
3.3MB

Download
memory/3500-1608-0x00007FF6A0CA0000-0x00007FF6A0FF4000-memory.dmp

Filesize
3.3MB

Download
memory/3500-174-0x00007FF6A0CA0000-0x00007FF6A0FF4000-memory.dmp

Filesize
3.3MB

Download
memory/3936-1605-0x00007FF78CD70000-0x00007FF78D0C4000-memory.dmp

Filesize
3.3MB

Download
memory/3936-166-0x00007FF78CD70000-0x00007FF78D0C4000-memory.dmp

Filesize
3.3MB

Download
memory/3968-1589-0x00007FF76B0E0000-0x00007FF76B434000-memory.dmp

Filesize
3.3MB

Download
memory/3968-162-0x00007FF76B0E0000-0x00007FF76B434000-memory.dmp

Filesize
3.3MB

Download
memory/4240-178-0x00007FF613640000-0x00007FF613994000-memory.dmp

Filesize
3.3MB

Download
memory/4240-1570-0x00007FF613640000-0x00007FF613994000-memory.dmp

Filesize
3.3MB

Download
memory/4256-1558-0x00007FF75AEA0000-0x00007FF75B1F4000-memory.dmp

Filesize
3.3MB

Download
memory/4256-525-0x00007FF75AEA0000-0x00007FF75B1F4000-memory.dmp

Filesize
3.3MB

Download
memory/4256-31-0x00007FF75AEA0000-0x00007FF75B1F4000-memory.dmp

Filesize
3.3MB

Download
memory/4276-1578-0x00007FF601100000-0x00007FF601454000-memory.dmp

Filesize
3.3MB

Download
memory/4276-179-0x00007FF601100000-0x00007FF601454000-memory.dmp

Filesize
3.3MB

Download
memory/4656-1602-0x00007FF7A8540000-0x00007FF7A8894000-memory.dmp

Filesize
3.3MB

Download
memory/4656-165-0x00007FF7A8540000-0x00007FF7A8894000-memory.dmp

Filesize
3.3MB

Download
memory/4876-172-0x00007FF6BE8E0000-0x00007FF6BEC34000-memory.dmp

Filesize
3.3MB

Download
memory/4876-1617-0x00007FF6BE8E0000-0x00007FF6BEC34000-memory.dmp

Filesize
3.3MB

Download
memory/4880-8-0x00007FF62F040000-0x00007FF62F394000-memory.dmp

Filesize
3.3MB

Download
memory/4880-1538-0x00007FF62F040000-0x00007FF62F394000-memory.dmp

Filesize
3.3MB

Download
memory/4988-39-0x00007FF607660000-0x00007FF6079B4000-memory.dmp

Filesize
3.3MB

Download
memory/4988-589-0x00007FF607660000-0x00007FF6079B4000-memory.dmp

Filesize
3.3MB

Download
memory/4988-1565-0x00007FF607660000-0x00007FF6079B4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads