cobaltstrike | 399f15e9abb85ec86c2a0e0a394b0763229e09d1509c8f480efe9f08860cd164

Analysis

max time kernel
71s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
Size

6.0MB
MD5

bda281369d96f9c4951f266905163ef6
SHA1

fd16d4ff03b2ead48e43f01b0bdf4236175cb2b9
SHA256

399f15e9abb85ec86c2a0e0a394b0763229e09d1509c8f480efe9f08860cd164
SHA512

dfa2d7225488d45030274172cf52fd6f67a03abc8b3795fba569eedb0718e104ceb101e789f5b35bf47fca309636f2ce2e7af1555fcc336b770240d45e4837e1
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUh:T+q56utgpPF8u/7h

Score

10^/10

cobaltstrike xmrig 0 backdoor miner persistence trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 32 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023c27-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-11.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c83-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c85-22.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c81-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c86-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8e-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8f-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c89-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-121.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b3d-148.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b3a-146.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b37-144.dat	cobalt_reflective_dll
behavioral2/files/0x0010000000023b30-134.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b4f-164.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b55-196.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b59-206.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b58-201.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b56-199.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b53-186.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b52-180.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b50-173.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b40-154.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1900-0-0x00007FF65C280000-0x00007FF65C5D4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023c27-4.dat	xmrig
behavioral2/files/0x0007000000023c84-11.dat	xmrig
behavioral2/memory/116-13-0x00007FF7AA870000-0x00007FF7AABC4000-memory.dmp	xmrig
behavioral2/memory/984-18-0x00007FF753B80000-0x00007FF753ED4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c83-12.dat	xmrig
behavioral2/memory/2392-7-0x00007FF6BA3F0000-0x00007FF6BA744000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c85-22.dat	xmrig
behavioral2/files/0x0008000000023c81-33.dat	xmrig
behavioral2/memory/4736-36-0x00007FF61B9F0000-0x00007FF61BD44000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c86-34.dat	xmrig
behavioral2/memory/3936-32-0x00007FF66FF20000-0x00007FF670274000-memory.dmp	xmrig
behavioral2/memory/2772-24-0x00007FF7FB8A0000-0x00007FF7FBBF4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c87-40.dat	xmrig
behavioral2/memory/3528-44-0x00007FF65CBA0000-0x00007FF65CEF4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c88-47.dat	xmrig
behavioral2/memory/1464-48-0x00007FF62FBA0000-0x00007FF62FEF4000-memory.dmp	xmrig
behavioral2/memory/2368-55-0x00007FF6D9C20000-0x00007FF6D9F74000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c8a-59.dat	xmrig
behavioral2/files/0x0007000000023c8b-66.dat	xmrig
behavioral2/memory/116-77-0x00007FF7AA870000-0x00007FF7AABC4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c8e-83.dat	xmrig
behavioral2/memory/2376-91-0x00007FF7F10B0000-0x00007FF7F1404000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c8f-96.dat	xmrig
behavioral2/memory/4932-95-0x00007FF78F770000-0x00007FF78FAC4000-memory.dmp	xmrig
behavioral2/memory/2772-92-0x00007FF7FB8A0000-0x00007FF7FBBF4000-memory.dmp	xmrig
behavioral2/memory/3684-90-0x00007FF66C3D0000-0x00007FF66C724000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c8d-88.dat	xmrig
behavioral2/memory/984-86-0x00007FF753B80000-0x00007FF753ED4000-memory.dmp	xmrig
behavioral2/memory/4468-79-0x00007FF6EF6A0000-0x00007FF6EF9F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c8c-76.dat	xmrig
behavioral2/memory/1576-70-0x00007FF77A940000-0x00007FF77AC94000-memory.dmp	xmrig
behavioral2/memory/2392-68-0x00007FF6BA3F0000-0x00007FF6BA744000-memory.dmp	xmrig
behavioral2/memory/2560-63-0x00007FF646B30000-0x00007FF646E84000-memory.dmp	xmrig
behavioral2/memory/1900-62-0x00007FF65C280000-0x00007FF65C5D4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c89-54.dat	xmrig
behavioral2/files/0x0007000000023c90-101.dat	xmrig
behavioral2/files/0x0007000000023c97-112.dat	xmrig
behavioral2/files/0x0007000000023c96-113.dat	xmrig
behavioral2/memory/1956-110-0x00007FF6B01D0000-0x00007FF6B0524000-memory.dmp	xmrig
behavioral2/memory/2152-103-0x00007FF671C70000-0x00007FF671FC4000-memory.dmp	xmrig
behavioral2/memory/4736-102-0x00007FF61B9F0000-0x00007FF61BD44000-memory.dmp	xmrig
behavioral2/memory/3936-98-0x00007FF66FF20000-0x00007FF670274000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c98-121.dat	xmrig
behavioral2/memory/3216-141-0x00007FF7EA410000-0x00007FF7EA764000-memory.dmp	xmrig
behavioral2/files/0x000c000000023b3d-148.dat	xmrig
behavioral2/files/0x000c000000023b3a-146.dat	xmrig
behavioral2/files/0x000c000000023b37-144.dat	xmrig
behavioral2/memory/2604-143-0x00007FF7BE060000-0x00007FF7BE3B4000-memory.dmp	xmrig
behavioral2/memory/1576-142-0x00007FF77A940000-0x00007FF77AC94000-memory.dmp	xmrig
behavioral2/memory/3272-140-0x00007FF6A0240000-0x00007FF6A0594000-memory.dmp	xmrig
behavioral2/memory/3908-136-0x00007FF77A030000-0x00007FF77A384000-memory.dmp	xmrig
behavioral2/files/0x0010000000023b30-134.dat	xmrig
behavioral2/memory/3684-157-0x00007FF66C3D0000-0x00007FF66C724000-memory.dmp	xmrig
behavioral2/memory/2636-163-0x00007FF6B8C00000-0x00007FF6B8F54000-memory.dmp	xmrig
behavioral2/files/0x000b000000023b4f-164.dat	xmrig
behavioral2/memory/2376-162-0x00007FF7F10B0000-0x00007FF7F1404000-memory.dmp	xmrig
behavioral2/memory/1456-161-0x00007FF717E00000-0x00007FF718154000-memory.dmp	xmrig
behavioral2/memory/4468-156-0x00007FF6EF6A0000-0x00007FF6EF9F4000-memory.dmp	xmrig
behavioral2/memory/4932-169-0x00007FF78F770000-0x00007FF78FAC4000-memory.dmp	xmrig
behavioral2/memory/1956-189-0x00007FF6B01D0000-0x00007FF6B0524000-memory.dmp	xmrig
behavioral2/files/0x000b000000023b55-196.dat	xmrig
behavioral2/files/0x000b000000023b59-206.dat	xmrig
behavioral2/files/0x000b000000023b58-201.dat	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
2392	TgUcoTX.exe
116	xBCHQOF.exe
984	vdzHVfq.exe
2772	TfSTbfS.exe
3936	BULRGux.exe
4736	FVlGQUd.exe
3528	MRVqCIC.exe
1464	bmQHFSW.exe
2368	gLoVjZt.exe
2560	LVQTscT.exe
1576	irHLVAX.exe
4468	urqfTyi.exe
3684	WdUcoLo.exe
2376	ralkRkU.exe
4932	SVjdniv.exe
2152	LXoBAIP.exe
1956	XXnDVFf.exe
2340	eDiIqrp.exe
4356	YEoqVWl.exe
3908	WtQkPOs.exe
3272	UUZJgYp.exe
2604	vqBJmtM.exe
3216	EuNwxgz.exe
1456	NSvLDgq.exe
2636	FetZMQE.exe
4796	jVUkgsc.exe
1304	fbZCjsf.exe
3284	RHfcIyJ.exe
3696	KtwOCtX.exe
2640	hvdJqeu.exe
1764	qiiSroI.exe
1052	KnRFBeF.exe
1712	fMpvBuO.exe
4452	CciRYQJ.exe
2968	mxWYPhb.exe
2848	csdetjn.exe
4576	BfCeSYA.exe
4328	MBllKdM.exe
4140	yItgsuz.exe
5020	UMrCnmU.exe
2168	sFdxUzt.exe
4552	fACRmFB.exe
812	ffgWptd.exe
264	AKypsJx.exe
1368	LIwzIBA.exe
4392	IOoSbaY.exe
4024	aQMqeCv.exe
4556	QBSURLz.exe
2460	MwAIYRF.exe
4612	RymmhxX.exe
5092	CyOozpN.exe
1240	UrEdlvE.exe
2284	RxyMQQe.exe
3540	rbxmLKO.exe
320	sQdnSJr.exe
1364	RMVjycx.exe
4884	QtMEyAl.exe
4400	ARKSdnu.exe
4896	BPrmxmy.exe
1196	DeVYmCR.exe
1888	lEyRBnk.exe
3204	ENwPjXm.exe
4724	jNPtmca.exe
1296	yvhdicC.exe

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1900-0-0x00007FF65C280000-0x00007FF65C5D4000-memory.dmp	upx
behavioral2/files/0x000a000000023c27-4.dat	upx
behavioral2/files/0x0007000000023c84-11.dat	upx
behavioral2/memory/116-13-0x00007FF7AA870000-0x00007FF7AABC4000-memory.dmp	upx
behavioral2/memory/984-18-0x00007FF753B80000-0x00007FF753ED4000-memory.dmp	upx
behavioral2/files/0x0008000000023c83-12.dat	upx
behavioral2/memory/2392-7-0x00007FF6BA3F0000-0x00007FF6BA744000-memory.dmp	upx
behavioral2/files/0x0007000000023c85-22.dat	upx
behavioral2/files/0x0008000000023c81-33.dat	upx
behavioral2/memory/4736-36-0x00007FF61B9F0000-0x00007FF61BD44000-memory.dmp	upx
behavioral2/files/0x0007000000023c86-34.dat	upx
behavioral2/memory/3936-32-0x00007FF66FF20000-0x00007FF670274000-memory.dmp	upx
behavioral2/memory/2772-24-0x00007FF7FB8A0000-0x00007FF7FBBF4000-memory.dmp	upx
behavioral2/files/0x0007000000023c87-40.dat	upx
behavioral2/memory/3528-44-0x00007FF65CBA0000-0x00007FF65CEF4000-memory.dmp	upx
behavioral2/files/0x0007000000023c88-47.dat	upx
behavioral2/memory/1464-48-0x00007FF62FBA0000-0x00007FF62FEF4000-memory.dmp	upx
behavioral2/memory/2368-55-0x00007FF6D9C20000-0x00007FF6D9F74000-memory.dmp	upx
behavioral2/files/0x0007000000023c8a-59.dat	upx
behavioral2/files/0x0007000000023c8b-66.dat	upx
behavioral2/memory/116-77-0x00007FF7AA870000-0x00007FF7AABC4000-memory.dmp	upx
behavioral2/files/0x0007000000023c8e-83.dat	upx
behavioral2/memory/2376-91-0x00007FF7F10B0000-0x00007FF7F1404000-memory.dmp	upx
behavioral2/files/0x0007000000023c8f-96.dat	upx
behavioral2/memory/4932-95-0x00007FF78F770000-0x00007FF78FAC4000-memory.dmp	upx
behavioral2/memory/2772-92-0x00007FF7FB8A0000-0x00007FF7FBBF4000-memory.dmp	upx
behavioral2/memory/3684-90-0x00007FF66C3D0000-0x00007FF66C724000-memory.dmp	upx
behavioral2/files/0x0007000000023c8d-88.dat	upx
behavioral2/memory/984-86-0x00007FF753B80000-0x00007FF753ED4000-memory.dmp	upx
behavioral2/memory/4468-79-0x00007FF6EF6A0000-0x00007FF6EF9F4000-memory.dmp	upx
behavioral2/files/0x0007000000023c8c-76.dat	upx
behavioral2/memory/1576-70-0x00007FF77A940000-0x00007FF77AC94000-memory.dmp	upx
behavioral2/memory/2392-68-0x00007FF6BA3F0000-0x00007FF6BA744000-memory.dmp	upx
behavioral2/memory/2560-63-0x00007FF646B30000-0x00007FF646E84000-memory.dmp	upx
behavioral2/memory/1900-62-0x00007FF65C280000-0x00007FF65C5D4000-memory.dmp	upx
behavioral2/files/0x0007000000023c89-54.dat	upx
behavioral2/files/0x0007000000023c90-101.dat	upx
behavioral2/files/0x0007000000023c97-112.dat	upx
behavioral2/files/0x0007000000023c96-113.dat	upx
behavioral2/memory/1956-110-0x00007FF6B01D0000-0x00007FF6B0524000-memory.dmp	upx
behavioral2/memory/2152-103-0x00007FF671C70000-0x00007FF671FC4000-memory.dmp	upx
behavioral2/memory/4736-102-0x00007FF61B9F0000-0x00007FF61BD44000-memory.dmp	upx
behavioral2/memory/3936-98-0x00007FF66FF20000-0x00007FF670274000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-121.dat	upx
behavioral2/memory/3216-141-0x00007FF7EA410000-0x00007FF7EA764000-memory.dmp	upx
behavioral2/files/0x000c000000023b3d-148.dat	upx
behavioral2/files/0x000c000000023b3a-146.dat	upx
behavioral2/files/0x000c000000023b37-144.dat	upx
behavioral2/memory/2604-143-0x00007FF7BE060000-0x00007FF7BE3B4000-memory.dmp	upx
behavioral2/memory/1576-142-0x00007FF77A940000-0x00007FF77AC94000-memory.dmp	upx
behavioral2/memory/3272-140-0x00007FF6A0240000-0x00007FF6A0594000-memory.dmp	upx
behavioral2/memory/3908-136-0x00007FF77A030000-0x00007FF77A384000-memory.dmp	upx
behavioral2/files/0x0010000000023b30-134.dat	upx
behavioral2/memory/3684-157-0x00007FF66C3D0000-0x00007FF66C724000-memory.dmp	upx
behavioral2/memory/2636-163-0x00007FF6B8C00000-0x00007FF6B8F54000-memory.dmp	upx
behavioral2/files/0x000b000000023b4f-164.dat	upx
behavioral2/memory/2376-162-0x00007FF7F10B0000-0x00007FF7F1404000-memory.dmp	upx
behavioral2/memory/1456-161-0x00007FF717E00000-0x00007FF718154000-memory.dmp	upx
behavioral2/memory/4468-156-0x00007FF6EF6A0000-0x00007FF6EF9F4000-memory.dmp	upx
behavioral2/memory/4932-169-0x00007FF78F770000-0x00007FF78FAC4000-memory.dmp	upx
behavioral2/memory/1956-189-0x00007FF6B01D0000-0x00007FF6B0524000-memory.dmp	upx
behavioral2/files/0x000b000000023b55-196.dat	upx
behavioral2/files/0x000b000000023b59-206.dat	upx
behavioral2/files/0x000b000000023b58-201.dat	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\gMhAMeJ.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uLfHgCC.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FIrkrAA.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CKGteFe.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rrwZqGL.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wycXyeU.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yItgsuz.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\acrwUAc.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ULWUqFN.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hwFbTNQ.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HGFFYbU.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TkCNosc.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RiSIwnk.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RyhTiVM.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bonIOcC.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hmOxFJd.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FhMIlSP.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\roQSHMO.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nkDJNWJ.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GbBDnbH.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TEkMnhf.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IHQjBHT.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MBllKdM.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UsKchAs.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eDyyqXq.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\plzlsYH.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yUvmIVi.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\roJFICn.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IWFnnMc.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jNUpfpi.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gLrRekf.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hPfcCPF.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wFswbuZ.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RWctJRJ.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sDkdwOm.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HFjXfUk.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SJPgSQd.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PRJJfAs.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UCpmzPp.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eszazDx.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lYaxEYQ.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\phpiDkQ.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\csdetjn.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MwAIYRF.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sMEOsQm.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\heOCLMr.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HLuuOAe.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XTRRxMH.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TIRATfN.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mwuXyTa.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HjNuTwk.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NZybEns.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FUzSjsm.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ssSxdTF.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rodoCcP.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\urqfTyi.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sQdnSJr.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kBovTFI.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yEgTWPC.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UMuMWNY.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vSEjlsB.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yFQSDNR.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UrEdlvE.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NEjGOuc.exe	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-70482961-775596374-3727440602-1000\{8E73BFAC-F45F-48FD-A154-77414F4E4FEF}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost_ = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-70482961-775596374-3727440602-1000\{903C3FFE-DD77-4A66-8744-888E40BB520D}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-70482961-775596374-3727440602-1000\{2D9B4D7A-9414-455A-A843-526498333832}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-70482961-775596374-3727440602-1000\{1C160793-1BD4-4D11-9AB2-ADFC83AA5279}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost_ = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost_ = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost_ = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5432	explorer.exe
Token: SeCreatePagefilePrivilege	5432	explorer.exe
Token: SeShutdownPrivilege	5432	explorer.exe
Token: SeCreatePagefilePrivilege	5432	explorer.exe
Token: SeShutdownPrivilege	5432	explorer.exe
Token: SeCreatePagefilePrivilege	5432	explorer.exe
Token: SeShutdownPrivilege	5432	explorer.exe
Token: SeCreatePagefilePrivilege	5432	explorer.exe
Token: SeShutdownPrivilege	5432	explorer.exe
Token: SeCreatePagefilePrivilege	5432	explorer.exe
Token: SeShutdownPrivilege	5432	explorer.exe
Token: SeCreatePagefilePrivilege	5432	explorer.exe
Token: SeShutdownPrivilege	5432	explorer.exe
Token: SeCreatePagefilePrivilege	5432	explorer.exe
Token: SeShutdownPrivilege	5432	explorer.exe
Token: SeCreatePagefilePrivilege	5432	explorer.exe
Token: SeShutdownPrivilege	5432	explorer.exe
Token: SeCreatePagefilePrivilege	5432	explorer.exe
Token: SeShutdownPrivilege	5432	explorer.exe
Token: SeCreatePagefilePrivilege	5432	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	7472	explorer.exe
Token: SeCreatePagefilePrivilege	7472	explorer.exe
Token: SeShutdownPrivilege	7472	explorer.exe
Token: SeCreatePagefilePrivilege	7472	explorer.exe
Token: SeShutdownPrivilege	7472	explorer.exe
Token: SeCreatePagefilePrivilege	7472	explorer.exe
Token: SeShutdownPrivilege	7472	explorer.exe
Token: SeCreatePagefilePrivilege	7472	explorer.exe
Token: SeShutdownPrivilege	7472	explorer.exe
Token: SeCreatePagefilePrivilege	7472	explorer.exe
Token: SeShutdownPrivilege	7472	explorer.exe
Token: SeCreatePagefilePrivilege	7472	explorer.exe
Token: SeShutdownPrivilege	7472	explorer.exe
Token: SeCreatePagefilePrivilege	7472	explorer.exe
Token: SeShutdownPrivilege	7472	explorer.exe
Token: SeCreatePagefilePrivilege	7472	explorer.exe
Token: SeShutdownPrivilege	7472	explorer.exe
Token: SeCreatePagefilePrivilege	7472	explorer.exe
Token: SeShutdownPrivilege	7472	explorer.exe
Token: SeCreatePagefilePrivilege	7472	explorer.exe
Token: SeShutdownPrivilege	7472	explorer.exe
Token: SeCreatePagefilePrivilege	7472	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4740	sihost.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
5432	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
7472	explorer.exe
3264	explorer.exe
3264	explorer.exe
3264	explorer.exe
3264	explorer.exe
3264	explorer.exe
3264	explorer.exe
3264	explorer.exe
3264	explorer.exe
3264	explorer.exe
3264	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5236	StartMenuExperienceHost.exe
3032	StartMenuExperienceHost.exe
2320	StartMenuExperienceHost.exe
8968	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2392	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1900 wrote to memory of 2392	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1900 wrote to memory of 116	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1900 wrote to memory of 116	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1900 wrote to memory of 984	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1900 wrote to memory of 984	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1900 wrote to memory of 2772	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1900 wrote to memory of 2772	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1900 wrote to memory of 3936	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1900 wrote to memory of 3936	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1900 wrote to memory of 4736	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1900 wrote to memory of 4736	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1900 wrote to memory of 3528	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1900 wrote to memory of 3528	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1900 wrote to memory of 1464	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1900 wrote to memory of 1464	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1900 wrote to memory of 2368	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1900 wrote to memory of 2368	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1900 wrote to memory of 2560	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1900 wrote to memory of 2560	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1900 wrote to memory of 1576	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1900 wrote to memory of 1576	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1900 wrote to memory of 4468	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1900 wrote to memory of 4468	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1900 wrote to memory of 3684	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1900 wrote to memory of 3684	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1900 wrote to memory of 2376	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1900 wrote to memory of 2376	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1900 wrote to memory of 4932	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1900 wrote to memory of 4932	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1900 wrote to memory of 2152	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1900 wrote to memory of 2152	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1900 wrote to memory of 1956	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1900 wrote to memory of 1956	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1900 wrote to memory of 2340	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1900 wrote to memory of 2340	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1900 wrote to memory of 4356	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1900 wrote to memory of 4356	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1900 wrote to memory of 3908	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1900 wrote to memory of 3908	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1900 wrote to memory of 3272	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 1900 wrote to memory of 3272	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 1900 wrote to memory of 2604	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 1900 wrote to memory of 2604	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 1900 wrote to memory of 3216	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 1900 wrote to memory of 3216	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 1900 wrote to memory of 1456	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 1900 wrote to memory of 1456	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 1900 wrote to memory of 2636	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 1900 wrote to memory of 2636	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 1900 wrote to memory of 4796	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 1900 wrote to memory of 4796	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 1900 wrote to memory of 1304	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 1900 wrote to memory of 1304	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 1900 wrote to memory of 3284	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 1900 wrote to memory of 3284	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 1900 wrote to memory of 3696	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 1900 wrote to memory of 3696	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 1900 wrote to memory of 2640	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	117
PID 1900 wrote to memory of 2640	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	117
PID 1900 wrote to memory of 1764	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	118
PID 1900 wrote to memory of 1764	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	118
PID 1900 wrote to memory of 1052	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	119
PID 1900 wrote to memory of 1052	1900	2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe	119

C:\Users\Admin\AppData\Local\Temp\2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-02_bda281369d96f9c4951f266905163ef6_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\System\TgUcoTX.exe
  C:\Windows\System\TgUcoTX.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\xBCHQOF.exe
  C:\Windows\System\xBCHQOF.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\vdzHVfq.exe
  C:\Windows\System\vdzHVfq.exe
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\System\TfSTbfS.exe
  C:\Windows\System\TfSTbfS.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\BULRGux.exe
  C:\Windows\System\BULRGux.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System\FVlGQUd.exe
  C:\Windows\System\FVlGQUd.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\MRVqCIC.exe
  C:\Windows\System\MRVqCIC.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\bmQHFSW.exe
  C:\Windows\System\bmQHFSW.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\gLoVjZt.exe
  C:\Windows\System\gLoVjZt.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\LVQTscT.exe
  C:\Windows\System\LVQTscT.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\irHLVAX.exe
  C:\Windows\System\irHLVAX.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System\urqfTyi.exe
  C:\Windows\System\urqfTyi.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\WdUcoLo.exe
  C:\Windows\System\WdUcoLo.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System\ralkRkU.exe
  C:\Windows\System\ralkRkU.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\SVjdniv.exe
  C:\Windows\System\SVjdniv.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\LXoBAIP.exe
  C:\Windows\System\LXoBAIP.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\XXnDVFf.exe
  C:\Windows\System\XXnDVFf.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\eDiIqrp.exe
  C:\Windows\System\eDiIqrp.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\YEoqVWl.exe
  C:\Windows\System\YEoqVWl.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System\WtQkPOs.exe
  C:\Windows\System\WtQkPOs.exe
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\System\UUZJgYp.exe
  C:\Windows\System\UUZJgYp.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\vqBJmtM.exe
  C:\Windows\System\vqBJmtM.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\EuNwxgz.exe
  C:\Windows\System\EuNwxgz.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System\NSvLDgq.exe
  C:\Windows\System\NSvLDgq.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System\FetZMQE.exe
  C:\Windows\System\FetZMQE.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\jVUkgsc.exe
  C:\Windows\System\jVUkgsc.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\fbZCjsf.exe
  C:\Windows\System\fbZCjsf.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\System\RHfcIyJ.exe
  C:\Windows\System\RHfcIyJ.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System\KtwOCtX.exe
  C:\Windows\System\KtwOCtX.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\hvdJqeu.exe
  C:\Windows\System\hvdJqeu.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\qiiSroI.exe
  C:\Windows\System\qiiSroI.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System\KnRFBeF.exe
  C:\Windows\System\KnRFBeF.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\fMpvBuO.exe
  C:\Windows\System\fMpvBuO.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\CciRYQJ.exe
  C:\Windows\System\CciRYQJ.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\mxWYPhb.exe
  C:\Windows\System\mxWYPhb.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\csdetjn.exe
  C:\Windows\System\csdetjn.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\BfCeSYA.exe
  C:\Windows\System\BfCeSYA.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\MBllKdM.exe
  C:\Windows\System\MBllKdM.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System\yItgsuz.exe
  C:\Windows\System\yItgsuz.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System\UMrCnmU.exe
  C:\Windows\System\UMrCnmU.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\sFdxUzt.exe
  C:\Windows\System\sFdxUzt.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\fACRmFB.exe
  C:\Windows\System\fACRmFB.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\ffgWptd.exe
  C:\Windows\System\ffgWptd.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System\AKypsJx.exe
  C:\Windows\System\AKypsJx.exe
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\System\LIwzIBA.exe
  C:\Windows\System\LIwzIBA.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\IOoSbaY.exe
  C:\Windows\System\IOoSbaY.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\aQMqeCv.exe
  C:\Windows\System\aQMqeCv.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\QBSURLz.exe
  C:\Windows\System\QBSURLz.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\MwAIYRF.exe
  C:\Windows\System\MwAIYRF.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\RymmhxX.exe
  C:\Windows\System\RymmhxX.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\CyOozpN.exe
  C:\Windows\System\CyOozpN.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\UrEdlvE.exe
  C:\Windows\System\UrEdlvE.exe
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\System\RxyMQQe.exe
  C:\Windows\System\RxyMQQe.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\rbxmLKO.exe
  C:\Windows\System\rbxmLKO.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\sQdnSJr.exe
  C:\Windows\System\sQdnSJr.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\System\RMVjycx.exe
  C:\Windows\System\RMVjycx.exe
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\System\QtMEyAl.exe
  C:\Windows\System\QtMEyAl.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\ARKSdnu.exe
  C:\Windows\System\ARKSdnu.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\BPrmxmy.exe
  C:\Windows\System\BPrmxmy.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\DeVYmCR.exe
  C:\Windows\System\DeVYmCR.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\lEyRBnk.exe
  C:\Windows\System\lEyRBnk.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\ENwPjXm.exe
  C:\Windows\System\ENwPjXm.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\jNPtmca.exe
  C:\Windows\System\jNPtmca.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\yvhdicC.exe
  C:\Windows\System\yvhdicC.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\DrqTEzP.exe
  C:\Windows\System\DrqTEzP.exe
  2⤵
  PID:5040
- C:\Windows\System\wxZDEAz.exe
  C:\Windows\System\wxZDEAz.exe
  2⤵
  PID:640
- C:\Windows\System\ObfaNVd.exe
  C:\Windows\System\ObfaNVd.exe
  2⤵
  PID:4692
- C:\Windows\System\HHEpxdi.exe
  C:\Windows\System\HHEpxdi.exe
  2⤵
  PID:3672
- C:\Windows\System\dGPXRfv.exe
  C:\Windows\System\dGPXRfv.exe
  2⤵
  PID:2424
- C:\Windows\System\ujggXze.exe
  C:\Windows\System\ujggXze.exe
  2⤵
  PID:5036
- C:\Windows\System\vYrynFw.exe
  C:\Windows\System\vYrynFw.exe
  2⤵
  PID:4504
- C:\Windows\System\GZSJUOs.exe
  C:\Windows\System\GZSJUOs.exe
  2⤵
  PID:4016
- C:\Windows\System\USbnkxk.exe
  C:\Windows\System\USbnkxk.exe
  2⤵
  PID:3720
- C:\Windows\System\HmrtWKg.exe
  C:\Windows\System\HmrtWKg.exe
  2⤵
  PID:4600
- C:\Windows\System\WXKVogo.exe
  C:\Windows\System\WXKVogo.exe
  2⤵
  PID:4616
- C:\Windows\System\iZIiWNs.exe
  C:\Windows\System\iZIiWNs.exe
  2⤵
  PID:1760
- C:\Windows\System\xhKQoxo.exe
  C:\Windows\System\xhKQoxo.exe
  2⤵
  PID:1380
- C:\Windows\System\LAgtRDj.exe
  C:\Windows\System\LAgtRDj.exe
  2⤵
  PID:5024
- C:\Windows\System\rWMCKRT.exe
  C:\Windows\System\rWMCKRT.exe
  2⤵
  PID:1580
- C:\Windows\System\xhTZkrp.exe
  C:\Windows\System\xhTZkrp.exe
  2⤵
  PID:3676
- C:\Windows\System\XkevHkG.exe
  C:\Windows\System\XkevHkG.exe
  2⤵
  PID:876
- C:\Windows\System\IWFnnMc.exe
  C:\Windows\System\IWFnnMc.exe
  2⤵
  PID:556
- C:\Windows\System\EndNAVI.exe
  C:\Windows\System\EndNAVI.exe
  2⤵
  PID:3344
- C:\Windows\System\FpBdPhA.exe
  C:\Windows\System\FpBdPhA.exe
  2⤵
  PID:2024
- C:\Windows\System\acrwUAc.exe
  C:\Windows\System\acrwUAc.exe
  2⤵
  PID:5016
- C:\Windows\System\UjGpAMo.exe
  C:\Windows\System\UjGpAMo.exe
  2⤵
  PID:772
- C:\Windows\System\FstnOhJ.exe
  C:\Windows\System\FstnOhJ.exe
  2⤵
  PID:2672
- C:\Windows\System\gMhAMeJ.exe
  C:\Windows\System\gMhAMeJ.exe
  2⤵
  PID:5128
- C:\Windows\System\WRiWkNz.exe
  C:\Windows\System\WRiWkNz.exe
  2⤵
  PID:5148
- C:\Windows\System\HxTRhjP.exe
  C:\Windows\System\HxTRhjP.exe
  2⤵
  PID:5184
- C:\Windows\System\jiULAcH.exe
  C:\Windows\System\jiULAcH.exe
  2⤵
  PID:5208
- C:\Windows\System\SAPpPxT.exe
  C:\Windows\System\SAPpPxT.exe
  2⤵
  PID:5240
- C:\Windows\System\lDlobCc.exe
  C:\Windows\System\lDlobCc.exe
  2⤵
  PID:5264
- C:\Windows\System\ewmBuYK.exe
  C:\Windows\System\ewmBuYK.exe
  2⤵
  PID:5296
- C:\Windows\System\omPVuGe.exe
  C:\Windows\System\omPVuGe.exe
  2⤵
  PID:5328
- C:\Windows\System\zwGWxwj.exe
  C:\Windows\System\zwGWxwj.exe
  2⤵
  PID:5352
- C:\Windows\System\uLfHgCC.exe
  C:\Windows\System\uLfHgCC.exe
  2⤵
  PID:5384
- C:\Windows\System\NoKbhTJ.exe
  C:\Windows\System\NoKbhTJ.exe
  2⤵
  PID:5412
- C:\Windows\System\RfnhwAM.exe
  C:\Windows\System\RfnhwAM.exe
  2⤵
  PID:5436
- C:\Windows\System\PAHUcID.exe
  C:\Windows\System\PAHUcID.exe
  2⤵
  PID:5464
- C:\Windows\System\jTJMYLp.exe
  C:\Windows\System\jTJMYLp.exe
  2⤵
  PID:5496
- C:\Windows\System\MbElWsS.exe
  C:\Windows\System\MbElWsS.exe
  2⤵
  PID:5520
- C:\Windows\System\vkBMLID.exe
  C:\Windows\System\vkBMLID.exe
  2⤵
  PID:5552
- C:\Windows\System\YaiToOX.exe
  C:\Windows\System\YaiToOX.exe
  2⤵
  PID:5576
- C:\Windows\System\sxprjCm.exe
  C:\Windows\System\sxprjCm.exe
  2⤵
  PID:5608
- C:\Windows\System\iKjrzbx.exe
  C:\Windows\System\iKjrzbx.exe
  2⤵
  PID:5640
- C:\Windows\System\hgtRaou.exe
  C:\Windows\System\hgtRaou.exe
  2⤵
  PID:5668
- C:\Windows\System\VgiHVit.exe
  C:\Windows\System\VgiHVit.exe
  2⤵
  PID:5692
- C:\Windows\System\OXfOtzI.exe
  C:\Windows\System\OXfOtzI.exe
  2⤵
  PID:5724
- C:\Windows\System\NMUDpPd.exe
  C:\Windows\System\NMUDpPd.exe
  2⤵
  PID:5740
- C:\Windows\System\TcYNiIn.exe
  C:\Windows\System\TcYNiIn.exe
  2⤵
  PID:5772
- C:\Windows\System\NVIoMex.exe
  C:\Windows\System\NVIoMex.exe
  2⤵
  PID:5800
- C:\Windows\System\PgiGrQg.exe
  C:\Windows\System\PgiGrQg.exe
  2⤵
  PID:5828
- C:\Windows\System\XhJyAfE.exe
  C:\Windows\System\XhJyAfE.exe
  2⤵
  PID:5868
- C:\Windows\System\CwMJUdN.exe
  C:\Windows\System\CwMJUdN.exe
  2⤵
  PID:5888
- C:\Windows\System\mTZAxaN.exe
  C:\Windows\System\mTZAxaN.exe
  2⤵
  PID:5920
- C:\Windows\System\pHzDSmE.exe
  C:\Windows\System\pHzDSmE.exe
  2⤵
  PID:5948
- C:\Windows\System\fbpTBVm.exe
  C:\Windows\System\fbpTBVm.exe
  2⤵
  PID:5980
- C:\Windows\System\HrjtYzs.exe
  C:\Windows\System\HrjtYzs.exe
  2⤵
  PID:6016
- C:\Windows\System\YhXOoTS.exe
  C:\Windows\System\YhXOoTS.exe
  2⤵
  PID:6044
- C:\Windows\System\zluUcyb.exe
  C:\Windows\System\zluUcyb.exe
  2⤵
  PID:6064
- C:\Windows\System\LTILNgN.exe
  C:\Windows\System\LTILNgN.exe
  2⤵
  PID:6088
- C:\Windows\System\PUUvNFG.exe
  C:\Windows\System\PUUvNFG.exe
  2⤵
  PID:6104
- C:\Windows\System\ygucUfO.exe
  C:\Windows\System\ygucUfO.exe
  2⤵
  PID:5140
- C:\Windows\System\sqACwhL.exe
  C:\Windows\System\sqACwhL.exe
  2⤵
  PID:5192
- C:\Windows\System\TvOqBPs.exe
  C:\Windows\System\TvOqBPs.exe
  2⤵
  PID:2692
- C:\Windows\System\EIUuZNZ.exe
  C:\Windows\System\EIUuZNZ.exe
  2⤵
  PID:5320
- C:\Windows\System\UBdbpsE.exe
  C:\Windows\System\UBdbpsE.exe
  2⤵
  PID:5364
- C:\Windows\System\cUQZjbI.exe
  C:\Windows\System\cUQZjbI.exe
  2⤵
  PID:5428
- C:\Windows\System\TQRMCMM.exe
  C:\Windows\System\TQRMCMM.exe
  2⤵
  PID:5504
- C:\Windows\System\CkcZIkI.exe
  C:\Windows\System\CkcZIkI.exe
  2⤵
  PID:5540
- C:\Windows\System\CFaRAKK.exe
  C:\Windows\System\CFaRAKK.exe
  2⤵
  PID:5616
- C:\Windows\System\NNxxuVg.exe
  C:\Windows\System\NNxxuVg.exe
  2⤵
  PID:5680
- C:\Windows\System\NEjGOuc.exe
  C:\Windows\System\NEjGOuc.exe
  2⤵
  PID:3080
- C:\Windows\System\VpRloxQ.exe
  C:\Windows\System\VpRloxQ.exe
  2⤵
  PID:5796
- C:\Windows\System\CcBBmSV.exe
  C:\Windows\System\CcBBmSV.exe
  2⤵
  PID:5852
- C:\Windows\System\qfEVxVo.exe
  C:\Windows\System\qfEVxVo.exe
  2⤵
  PID:5932
- C:\Windows\System\wSajyKw.exe
  C:\Windows\System\wSajyKw.exe
  2⤵
  PID:5996
- C:\Windows\System\tqqcgpQ.exe
  C:\Windows\System\tqqcgpQ.exe
  2⤵
  PID:6072
- C:\Windows\System\cQynuUw.exe
  C:\Windows\System\cQynuUw.exe
  2⤵
  PID:6100
- C:\Windows\System\xMdpbQu.exe
  C:\Windows\System\xMdpbQu.exe
  2⤵
  PID:5164
- C:\Windows\System\BrKhYOz.exe
  C:\Windows\System\BrKhYOz.exe
  2⤵
  PID:5272
- C:\Windows\System\fFnWCwX.exe
  C:\Windows\System\fFnWCwX.exe
  2⤵
  PID:5360
- C:\Windows\System\PYnNdIK.exe
  C:\Windows\System\PYnNdIK.exe
  2⤵
  PID:5476
- C:\Windows\System\NsFLqbe.exe
  C:\Windows\System\NsFLqbe.exe
  2⤵
  PID:5664
- C:\Windows\System\OstBDnv.exe
  C:\Windows\System\OstBDnv.exe
  2⤵
  PID:1048
- C:\Windows\System\wJzBuiO.exe
  C:\Windows\System\wJzBuiO.exe
  2⤵
  PID:5900
- C:\Windows\System\CoKhyqm.exe
  C:\Windows\System\CoKhyqm.exe
  2⤵
  PID:6036
- C:\Windows\System\slPUOwy.exe
  C:\Windows\System\slPUOwy.exe
  2⤵
  PID:6136
- C:\Windows\System\QqNobCd.exe
  C:\Windows\System\QqNobCd.exe
  2⤵
  PID:5344
- C:\Windows\System\JVkkuhl.exe
  C:\Windows\System\JVkkuhl.exe
  2⤵
  PID:5620
- C:\Windows\System\CBfqzzA.exe
  C:\Windows\System\CBfqzzA.exe
  2⤵
  PID:5912
- C:\Windows\System\KxRCRJE.exe
  C:\Windows\System\KxRCRJE.exe
  2⤵
  PID:5276
- C:\Windows\System\sVnuozW.exe
  C:\Windows\System\sVnuozW.exe
  2⤵
  PID:5792
- C:\Windows\System\jNUpfpi.exe
  C:\Windows\System\jNUpfpi.exe
  2⤵
  PID:6084
- C:\Windows\System\SPGJTvP.exe
  C:\Windows\System\SPGJTvP.exe
  2⤵
  PID:6152
- C:\Windows\System\kBovTFI.exe
  C:\Windows\System\kBovTFI.exe
  2⤵
  PID:6180
- C:\Windows\System\mOdcVLf.exe
  C:\Windows\System\mOdcVLf.exe
  2⤵
  PID:6200
- C:\Windows\System\krYbpnG.exe
  C:\Windows\System\krYbpnG.exe
  2⤵
  PID:6236
- C:\Windows\System\TIRATfN.exe
  C:\Windows\System\TIRATfN.exe
  2⤵
  PID:6264
- C:\Windows\System\fudyUSE.exe
  C:\Windows\System\fudyUSE.exe
  2⤵
  PID:6288
- C:\Windows\System\wbbmYPH.exe
  C:\Windows\System\wbbmYPH.exe
  2⤵
  PID:6324
- C:\Windows\System\cYoKoEs.exe
  C:\Windows\System\cYoKoEs.exe
  2⤵
  PID:6344
- C:\Windows\System\FMxyLtU.exe
  C:\Windows\System\FMxyLtU.exe
  2⤵
  PID:6380
- C:\Windows\System\RLJXEsG.exe
  C:\Windows\System\RLJXEsG.exe
  2⤵
  PID:6412
- C:\Windows\System\uOKvtHx.exe
  C:\Windows\System\uOKvtHx.exe
  2⤵
  PID:6428
- C:\Windows\System\KCAaCfR.exe
  C:\Windows\System\KCAaCfR.exe
  2⤵
  PID:6460
- C:\Windows\System\IdOlicp.exe
  C:\Windows\System\IdOlicp.exe
  2⤵
  PID:6496
- C:\Windows\System\bHoUiIt.exe
  C:\Windows\System\bHoUiIt.exe
  2⤵
  PID:6512
- C:\Windows\System\QAZmTxQ.exe
  C:\Windows\System\QAZmTxQ.exe
  2⤵
  PID:6540
- C:\Windows\System\bonIOcC.exe
  C:\Windows\System\bonIOcC.exe
  2⤵
  PID:6576
- C:\Windows\System\QlgvXzT.exe
  C:\Windows\System\QlgvXzT.exe
  2⤵
  PID:6600
- C:\Windows\System\KuyVRTw.exe
  C:\Windows\System\KuyVRTw.exe
  2⤵
  PID:6636
- C:\Windows\System\xAkyzLs.exe
  C:\Windows\System\xAkyzLs.exe
  2⤵
  PID:6664
- C:\Windows\System\VeHeaHk.exe
  C:\Windows\System\VeHeaHk.exe
  2⤵
  PID:6692
- C:\Windows\System\ZtWJsBR.exe
  C:\Windows\System\ZtWJsBR.exe
  2⤵
  PID:6716
- C:\Windows\System\hekClqd.exe
  C:\Windows\System\hekClqd.exe
  2⤵
  PID:6748
- C:\Windows\System\aHhrVDp.exe
  C:\Windows\System\aHhrVDp.exe
  2⤵
  PID:6768
- C:\Windows\System\aajXvXZ.exe
  C:\Windows\System\aajXvXZ.exe
  2⤵
  PID:6804
- C:\Windows\System\qABtUDz.exe
  C:\Windows\System\qABtUDz.exe
  2⤵
  PID:6832
- C:\Windows\System\qZmzfiO.exe
  C:\Windows\System\qZmzfiO.exe
  2⤵
  PID:6852
- C:\Windows\System\uQksoLk.exe
  C:\Windows\System\uQksoLk.exe
  2⤵
  PID:6888
- C:\Windows\System\TVjlHCq.exe
  C:\Windows\System\TVjlHCq.exe
  2⤵
  PID:6916
- C:\Windows\System\vfyeIIS.exe
  C:\Windows\System\vfyeIIS.exe
  2⤵
  PID:6952
- C:\Windows\System\zCbkfUy.exe
  C:\Windows\System\zCbkfUy.exe
  2⤵
  PID:6976
- C:\Windows\System\SQmNHHX.exe
  C:\Windows\System\SQmNHHX.exe
  2⤵
  PID:7004
- C:\Windows\System\xtnVzZo.exe
  C:\Windows\System\xtnVzZo.exe
  2⤵
  PID:7036
- C:\Windows\System\GoLgdTE.exe
  C:\Windows\System\GoLgdTE.exe
  2⤵
  PID:7052
- C:\Windows\System\LUcPJRV.exe
  C:\Windows\System\LUcPJRV.exe
  2⤵
  PID:7088
- C:\Windows\System\TuLYznj.exe
  C:\Windows\System\TuLYznj.exe
  2⤵
  PID:7116
- C:\Windows\System\cErRYbm.exe
  C:\Windows\System\cErRYbm.exe
  2⤵
  PID:7148
- C:\Windows\System\fXuZKfl.exe
  C:\Windows\System\fXuZKfl.exe
  2⤵
  PID:668
- C:\Windows\System\gqNJjnO.exe
  C:\Windows\System\gqNJjnO.exe
  2⤵
  PID:6212
- C:\Windows\System\jkrxKZM.exe
  C:\Windows\System\jkrxKZM.exe
  2⤵
  PID:6252
- C:\Windows\System\BRmlIVt.exe
  C:\Windows\System\BRmlIVt.exe
  2⤵
  PID:6336
- C:\Windows\System\vFTobmg.exe
  C:\Windows\System\vFTobmg.exe
  2⤵
  PID:6392
- C:\Windows\System\VfnkWBg.exe
  C:\Windows\System\VfnkWBg.exe
  2⤵
  PID:6440
- C:\Windows\System\GxpOSVD.exe
  C:\Windows\System\GxpOSVD.exe
  2⤵
  PID:6524
- C:\Windows\System\NgJiwZQ.exe
  C:\Windows\System\NgJiwZQ.exe
  2⤵
  PID:6564
- C:\Windows\System\hmOxFJd.exe
  C:\Windows\System\hmOxFJd.exe
  2⤵
  PID:6648
- C:\Windows\System\itlIWtW.exe
  C:\Windows\System\itlIWtW.exe
  2⤵
  PID:6704
- C:\Windows\System\MdXKZIa.exe
  C:\Windows\System\MdXKZIa.exe
  2⤵
  PID:6760
- C:\Windows\System\FIrkrAA.exe
  C:\Windows\System\FIrkrAA.exe
  2⤵
  PID:6820
- C:\Windows\System\ghujeGQ.exe
  C:\Windows\System\ghujeGQ.exe
  2⤵
  PID:6876
- C:\Windows\System\JviKjlA.exe
  C:\Windows\System\JviKjlA.exe
  2⤵
  PID:6932
- C:\Windows\System\FofMEPJ.exe
  C:\Windows\System\FofMEPJ.exe
  2⤵
  PID:7012
- C:\Windows\System\RCqBWWV.exe
  C:\Windows\System\RCqBWWV.exe
  2⤵
  PID:7064
- C:\Windows\System\uCVThGu.exe
  C:\Windows\System\uCVThGu.exe
  2⤵
  PID:7140
- C:\Windows\System\uBOhpKc.exe
  C:\Windows\System\uBOhpKc.exe
  2⤵
  PID:6168
- C:\Windows\System\JvNsdHl.exe
  C:\Windows\System\JvNsdHl.exe
  2⤵
  PID:6312
- C:\Windows\System\gLrRekf.exe
  C:\Windows\System\gLrRekf.exe
  2⤵
  PID:4640
- C:\Windows\System\xoqAOsB.exe
  C:\Windows\System\xoqAOsB.exe
  2⤵
  PID:6556
- C:\Windows\System\WlQQqLc.exe
  C:\Windows\System\WlQQqLc.exe
  2⤵
  PID:6676
- C:\Windows\System\imMSBXo.exe
  C:\Windows\System\imMSBXo.exe
  2⤵
  PID:6844
- C:\Windows\System\SXzsvFK.exe
  C:\Windows\System\SXzsvFK.exe
  2⤵
  PID:6968
- C:\Windows\System\JWbolli.exe
  C:\Windows\System\JWbolli.exe
  2⤵
  PID:7080
- C:\Windows\System\LDEpeYp.exe
  C:\Windows\System\LDEpeYp.exe
  2⤵
  PID:6364
- C:\Windows\System\MlkQRlv.exe
  C:\Windows\System\MlkQRlv.exe
  2⤵
  PID:6928
- C:\Windows\System\jzNAYhB.exe
  C:\Windows\System\jzNAYhB.exe
  2⤵
  PID:6900
- C:\Windows\System\AbNoTuc.exe
  C:\Windows\System\AbNoTuc.exe
  2⤵
  PID:6424
- C:\Windows\System\XzPSJZw.exe
  C:\Windows\System\XzPSJZw.exe
  2⤵
  PID:7044
- C:\Windows\System\QmIxVxE.exe
  C:\Windows\System\QmIxVxE.exe
  2⤵
  PID:7176
- C:\Windows\System\jCjTYEr.exe
  C:\Windows\System\jCjTYEr.exe
  2⤵
  PID:7204
- C:\Windows\System\sMEOsQm.exe
  C:\Windows\System\sMEOsQm.exe
  2⤵
  PID:7220
- C:\Windows\System\ukZwsRW.exe
  C:\Windows\System\ukZwsRW.exe
  2⤵
  PID:7260
- C:\Windows\System\kqZdNJh.exe
  C:\Windows\System\kqZdNJh.exe
  2⤵
  PID:7292
- C:\Windows\System\zELNdSr.exe
  C:\Windows\System\zELNdSr.exe
  2⤵
  PID:7308
- C:\Windows\System\YDZOmiC.exe
  C:\Windows\System\YDZOmiC.exe
  2⤵
  PID:7344
- C:\Windows\System\DvyqbvK.exe
  C:\Windows\System\DvyqbvK.exe
  2⤵
  PID:7364
- C:\Windows\System\imTJRlM.exe
  C:\Windows\System\imTJRlM.exe
  2⤵
  PID:7392
- C:\Windows\System\rqVeclg.exe
  C:\Windows\System\rqVeclg.exe
  2⤵
  PID:7424
- C:\Windows\System\rTbnTXb.exe
  C:\Windows\System\rTbnTXb.exe
  2⤵
  PID:7452
- C:\Windows\System\wCDnBtR.exe
  C:\Windows\System\wCDnBtR.exe
  2⤵
  PID:7480
- C:\Windows\System\nNMBdqy.exe
  C:\Windows\System\nNMBdqy.exe
  2⤵
  PID:7508
- C:\Windows\System\BBLjHqu.exe
  C:\Windows\System\BBLjHqu.exe
  2⤵
  PID:7536
- C:\Windows\System\WSXvJPa.exe
  C:\Windows\System\WSXvJPa.exe
  2⤵
  PID:7564
- C:\Windows\System\ehvgGpQ.exe
  C:\Windows\System\ehvgGpQ.exe
  2⤵
  PID:7592
- C:\Windows\System\yuOsVLE.exe
  C:\Windows\System\yuOsVLE.exe
  2⤵
  PID:7620
- C:\Windows\System\CFdHDhG.exe
  C:\Windows\System\CFdHDhG.exe
  2⤵
  PID:7648
- C:\Windows\System\WpGbDDh.exe
  C:\Windows\System\WpGbDDh.exe
  2⤵
  PID:7676
- C:\Windows\System\EKSeQlv.exe
  C:\Windows\System\EKSeQlv.exe
  2⤵
  PID:7704
- C:\Windows\System\ECeRHQM.exe
  C:\Windows\System\ECeRHQM.exe
  2⤵
  PID:7732
- C:\Windows\System\GrryEKQ.exe
  C:\Windows\System\GrryEKQ.exe
  2⤵
  PID:7760
- C:\Windows\System\JXMRhdH.exe
  C:\Windows\System\JXMRhdH.exe
  2⤵
  PID:7788
- C:\Windows\System\GDFLuHH.exe
  C:\Windows\System\GDFLuHH.exe
  2⤵
  PID:7816
- C:\Windows\System\bjqjrQP.exe
  C:\Windows\System\bjqjrQP.exe
  2⤵
  PID:7844
- C:\Windows\System\OoroqHN.exe
  C:\Windows\System\OoroqHN.exe
  2⤵
  PID:7872
- C:\Windows\System\mwuXyTa.exe
  C:\Windows\System\mwuXyTa.exe
  2⤵
  PID:7900
- C:\Windows\System\aNrdyJy.exe
  C:\Windows\System\aNrdyJy.exe
  2⤵
  PID:7928
- C:\Windows\System\Iaqffco.exe
  C:\Windows\System\Iaqffco.exe
  2⤵
  PID:7956
- C:\Windows\System\jprUTUe.exe
  C:\Windows\System\jprUTUe.exe
  2⤵
  PID:7984
- C:\Windows\System\tZbRjfH.exe
  C:\Windows\System\tZbRjfH.exe
  2⤵
  PID:8012
- C:\Windows\System\iZYZYiK.exe
  C:\Windows\System\iZYZYiK.exe
  2⤵
  PID:8040
- C:\Windows\System\OzAdFnf.exe
  C:\Windows\System\OzAdFnf.exe
  2⤵
  PID:8068
- C:\Windows\System\heOCLMr.exe
  C:\Windows\System\heOCLMr.exe
  2⤵
  PID:8096
- C:\Windows\System\pdMkFOq.exe
  C:\Windows\System\pdMkFOq.exe
  2⤵
  PID:8112
- C:\Windows\System\HLdEDGl.exe
  C:\Windows\System\HLdEDGl.exe
  2⤵
  PID:8148
- C:\Windows\System\ybVyAED.exe
  C:\Windows\System\ybVyAED.exe
  2⤵
  PID:8180
- C:\Windows\System\MNqWbsm.exe
  C:\Windows\System\MNqWbsm.exe
  2⤵
  PID:7196
- C:\Windows\System\hyjRijv.exe
  C:\Windows\System\hyjRijv.exe
  2⤵
  PID:7268
- C:\Windows\System\mQPMnzU.exe
  C:\Windows\System\mQPMnzU.exe
  2⤵
  PID:7328
- C:\Windows\System\iJCMKsM.exe
  C:\Windows\System\iJCMKsM.exe
  2⤵
  PID:7388
- C:\Windows\System\ncZqZJB.exe
  C:\Windows\System\ncZqZJB.exe
  2⤵
  PID:7492
- C:\Windows\System\JcIBjJs.exe
  C:\Windows\System\JcIBjJs.exe
  2⤵
  PID:7532
- C:\Windows\System\MJhbvUY.exe
  C:\Windows\System\MJhbvUY.exe
  2⤵
  PID:7604
- C:\Windows\System\VoxamLk.exe
  C:\Windows\System\VoxamLk.exe
  2⤵
  PID:7668
- C:\Windows\System\COtLbZr.exe
  C:\Windows\System\COtLbZr.exe
  2⤵
  PID:7728
- C:\Windows\System\KsSSFIS.exe
  C:\Windows\System\KsSSFIS.exe
  2⤵
  PID:7800
- C:\Windows\System\NFjgSkk.exe
  C:\Windows\System\NFjgSkk.exe
  2⤵
  PID:7856
- C:\Windows\System\bGfZQBL.exe
  C:\Windows\System\bGfZQBL.exe
  2⤵
  PID:7920
- C:\Windows\System\NQvXnEY.exe
  C:\Windows\System\NQvXnEY.exe
  2⤵
  PID:8004
- C:\Windows\System\IfzJnaB.exe
  C:\Windows\System\IfzJnaB.exe
  2⤵
  PID:8052
- C:\Windows\System\NfPlskS.exe
  C:\Windows\System\NfPlskS.exe
  2⤵
  PID:8104
- C:\Windows\System\zkTMEOS.exe
  C:\Windows\System\zkTMEOS.exe
  2⤵
  PID:7184
- C:\Windows\System\VITuxck.exe
  C:\Windows\System\VITuxck.exe
  2⤵
  PID:7248
- C:\Windows\System\CBYtrFl.exe
  C:\Windows\System\CBYtrFl.exe
  2⤵
  PID:7384
- C:\Windows\System\NsOtcbM.exe
  C:\Windows\System\NsOtcbM.exe
  2⤵
  PID:7560
- C:\Windows\System\GQWakBX.exe
  C:\Windows\System\GQWakBX.exe
  2⤵
  PID:7716
- C:\Windows\System\ynEuoRL.exe
  C:\Windows\System\ynEuoRL.exe
  2⤵
  PID:7840
- C:\Windows\System\ozYnAAW.exe
  C:\Windows\System\ozYnAAW.exe
  2⤵
  PID:8024
- C:\Windows\System\HjNuTwk.exe
  C:\Windows\System\HjNuTwk.exe
  2⤵
  PID:8124
- C:\Windows\System\VMuzVNA.exe
  C:\Windows\System\VMuzVNA.exe
  2⤵
  PID:7356
- C:\Windows\System\jZQDDOy.exe
  C:\Windows\System\jZQDDOy.exe
  2⤵
  PID:7660
- C:\Windows\System\bVqVDDW.exe
  C:\Windows\System\bVqVDDW.exe
  2⤵
  PID:7968
- C:\Windows\System\yEgTWPC.exe
  C:\Windows\System\yEgTWPC.exe
  2⤵
  PID:7444
- C:\Windows\System\kUedNSz.exe
  C:\Windows\System\kUedNSz.exe
  2⤵
  PID:7912
- C:\Windows\System\rHaeMtS.exe
  C:\Windows\System\rHaeMtS.exe
  2⤵
  PID:7696
- C:\Windows\System\knptWaB.exe
  C:\Windows\System\knptWaB.exe
  2⤵
  PID:8200
- C:\Windows\System\zDksQMu.exe
  C:\Windows\System\zDksQMu.exe
  2⤵
  PID:8228
- C:\Windows\System\flYJodO.exe
  C:\Windows\System\flYJodO.exe
  2⤵
  PID:8264
- C:\Windows\System\LozcJJl.exe
  C:\Windows\System\LozcJJl.exe
  2⤵
  PID:8288
- C:\Windows\System\WzthJeR.exe
  C:\Windows\System\WzthJeR.exe
  2⤵
  PID:8316
- C:\Windows\System\hzcivcd.exe
  C:\Windows\System\hzcivcd.exe
  2⤵
  PID:8344
- C:\Windows\System\VVgNYwZ.exe
  C:\Windows\System\VVgNYwZ.exe
  2⤵
  PID:8372
- C:\Windows\System\CHDdrmg.exe
  C:\Windows\System\CHDdrmg.exe
  2⤵
  PID:8400
- C:\Windows\System\XNhWqUP.exe
  C:\Windows\System\XNhWqUP.exe
  2⤵
  PID:8428
- C:\Windows\System\sDkdwOm.exe
  C:\Windows\System\sDkdwOm.exe
  2⤵
  PID:8456
- C:\Windows\System\OmFtNUI.exe
  C:\Windows\System\OmFtNUI.exe
  2⤵
  PID:8484
- C:\Windows\System\btIwbVs.exe
  C:\Windows\System\btIwbVs.exe
  2⤵
  PID:8512
- C:\Windows\System\ZeoQfHz.exe
  C:\Windows\System\ZeoQfHz.exe
  2⤵
  PID:8540
- C:\Windows\System\CPtVORa.exe
  C:\Windows\System\CPtVORa.exe
  2⤵
  PID:8568
- C:\Windows\System\tZowfuq.exe
  C:\Windows\System\tZowfuq.exe
  2⤵
  PID:8596
- C:\Windows\System\CqzVPLe.exe
  C:\Windows\System\CqzVPLe.exe
  2⤵
  PID:8624
- C:\Windows\System\ORLpsVk.exe
  C:\Windows\System\ORLpsVk.exe
  2⤵
  PID:8652
- C:\Windows\System\iUSfjmC.exe
  C:\Windows\System\iUSfjmC.exe
  2⤵
  PID:8680
- C:\Windows\System\XDtPEXb.exe
  C:\Windows\System\XDtPEXb.exe
  2⤵
  PID:8708
- C:\Windows\System\LsoVDja.exe
  C:\Windows\System\LsoVDja.exe
  2⤵
  PID:8736
- C:\Windows\System\FXDjVyT.exe
  C:\Windows\System\FXDjVyT.exe
  2⤵
  PID:8764
- C:\Windows\System\yUpsgmv.exe
  C:\Windows\System\yUpsgmv.exe
  2⤵
  PID:8792
- C:\Windows\System\mwnYxdn.exe
  C:\Windows\System\mwnYxdn.exe
  2⤵
  PID:8820
- C:\Windows\System\uAiOFdB.exe
  C:\Windows\System\uAiOFdB.exe
  2⤵
  PID:8848
- C:\Windows\System\MYsUKAk.exe
  C:\Windows\System\MYsUKAk.exe
  2⤵
  PID:8876
- C:\Windows\System\WxbWFjX.exe
  C:\Windows\System\WxbWFjX.exe
  2⤵
  PID:8904
- C:\Windows\System\fjfWqzk.exe
  C:\Windows\System\fjfWqzk.exe
  2⤵
  PID:8932
- C:\Windows\System\SRYApHE.exe
  C:\Windows\System\SRYApHE.exe
  2⤵
  PID:8960
- C:\Windows\System\moqeJjk.exe
  C:\Windows\System\moqeJjk.exe
  2⤵
  PID:8988
- C:\Windows\System\ZORjtZW.exe
  C:\Windows\System\ZORjtZW.exe
  2⤵
  PID:9016
- C:\Windows\System\vGrMXKB.exe
  C:\Windows\System\vGrMXKB.exe
  2⤵
  PID:9044
- C:\Windows\System\lawPiYu.exe
  C:\Windows\System\lawPiYu.exe
  2⤵
  PID:9072
- C:\Windows\System\UjYDukV.exe
  C:\Windows\System\UjYDukV.exe
  2⤵
  PID:9100
- C:\Windows\System\jsQNPJV.exe
  C:\Windows\System\jsQNPJV.exe
  2⤵
  PID:9128
- C:\Windows\System\GJFZlEC.exe
  C:\Windows\System\GJFZlEC.exe
  2⤵
  PID:9160
- C:\Windows\System\ANOLEgx.exe
  C:\Windows\System\ANOLEgx.exe
  2⤵
  PID:9188
- C:\Windows\System\apeVyHa.exe
  C:\Windows\System\apeVyHa.exe
  2⤵
  PID:5764
- C:\Windows\System\KuzAney.exe
  C:\Windows\System\KuzAney.exe
  2⤵
  PID:8256
- C:\Windows\System\DOWFNaV.exe
  C:\Windows\System\DOWFNaV.exe
  2⤵
  PID:8328
- C:\Windows\System\DmHQvIE.exe
  C:\Windows\System\DmHQvIE.exe
  2⤵
  PID:8392
- C:\Windows\System\tyeKzre.exe
  C:\Windows\System\tyeKzre.exe
  2⤵
  PID:8452
- C:\Windows\System\sTwMMDg.exe
  C:\Windows\System\sTwMMDg.exe
  2⤵
  PID:8524
- C:\Windows\System\KHciFsp.exe
  C:\Windows\System\KHciFsp.exe
  2⤵
  PID:8588
- C:\Windows\System\aEUUabZ.exe
  C:\Windows\System\aEUUabZ.exe
  2⤵
  PID:8648
- C:\Windows\System\SkBHJmh.exe
  C:\Windows\System\SkBHJmh.exe
  2⤵
  PID:8720
- C:\Windows\System\ZfiLvkc.exe
  C:\Windows\System\ZfiLvkc.exe
  2⤵
  PID:8784
- C:\Windows\System\ESORkWv.exe
  C:\Windows\System\ESORkWv.exe
  2⤵
  PID:8844
- C:\Windows\System\rMETDdQ.exe
  C:\Windows\System\rMETDdQ.exe
  2⤵
  PID:8916
- C:\Windows\System\HFjXfUk.exe
  C:\Windows\System\HFjXfUk.exe
  2⤵
  PID:8972
- C:\Windows\System\BEzwitm.exe
  C:\Windows\System\BEzwitm.exe
  2⤵
  PID:9040
- C:\Windows\System\CKGteFe.exe
  C:\Windows\System\CKGteFe.exe
  2⤵
  PID:9096
- C:\Windows\System\ptBfdWz.exe
  C:\Windows\System\ptBfdWz.exe
  2⤵
  PID:9172
- C:\Windows\System\CICwTSS.exe
  C:\Windows\System\CICwTSS.exe
  2⤵
  PID:8308
- C:\Windows\System\rvJelVT.exe
  C:\Windows\System\rvJelVT.exe
  2⤵
  PID:8384
- C:\Windows\System\QfbtfWM.exe
  C:\Windows\System\QfbtfWM.exe
  2⤵
  PID:8552
- C:\Windows\System\jEkgZoK.exe
  C:\Windows\System\jEkgZoK.exe
  2⤵
  PID:8700
- C:\Windows\System\fsqipdG.exe
  C:\Windows\System\fsqipdG.exe
  2⤵
  PID:8868
- C:\Windows\System\RYeWtig.exe
  C:\Windows\System\RYeWtig.exe
  2⤵
  PID:9012
- C:\Windows\System\OGVaCuo.exe
  C:\Windows\System\OGVaCuo.exe
  2⤵
  PID:9156
- C:\Windows\System\rHDDtMH.exe
  C:\Windows\System\rHDDtMH.exe
  2⤵
  PID:8368
- C:\Windows\System\ZVzFPFN.exe
  C:\Windows\System\ZVzFPFN.exe
  2⤵
  PID:8676
- C:\Windows\System\NZybEns.exe
  C:\Windows\System\NZybEns.exe
  2⤵
  PID:9084
- C:\Windows\System\CAjXVHD.exe
  C:\Windows\System\CAjXVHD.exe
  2⤵
  PID:8616
- C:\Windows\System\SVTcnBJ.exe
  C:\Windows\System\SVTcnBJ.exe
  2⤵
  PID:4868
- C:\Windows\System\VXXJSix.exe
  C:\Windows\System\VXXJSix.exe
  2⤵
  PID:9232
- C:\Windows\System\uzDDIDj.exe
  C:\Windows\System\uzDDIDj.exe
  2⤵
  PID:9260
- C:\Windows\System\vvoCGKu.exe
  C:\Windows\System\vvoCGKu.exe
  2⤵
  PID:9288
- C:\Windows\System\egkjPKO.exe
  C:\Windows\System\egkjPKO.exe
  2⤵
  PID:9316
- C:\Windows\System\KwHqMdW.exe
  C:\Windows\System\KwHqMdW.exe
  2⤵
  PID:9344
- C:\Windows\System\AGsDqKP.exe
  C:\Windows\System\AGsDqKP.exe
  2⤵
  PID:9372
- C:\Windows\System\JlIjcmD.exe
  C:\Windows\System\JlIjcmD.exe
  2⤵
  PID:9400
- C:\Windows\System\PaXPLDh.exe
  C:\Windows\System\PaXPLDh.exe
  2⤵
  PID:9428
- C:\Windows\System\LyQSnCD.exe
  C:\Windows\System\LyQSnCD.exe
  2⤵
  PID:9456
- C:\Windows\System\JChlfzt.exe
  C:\Windows\System\JChlfzt.exe
  2⤵
  PID:9484
- C:\Windows\System\prHFnnZ.exe
  C:\Windows\System\prHFnnZ.exe
  2⤵
  PID:9512
- C:\Windows\System\BMWtVqd.exe
  C:\Windows\System\BMWtVqd.exe
  2⤵
  PID:9540
- C:\Windows\System\uDAtFWk.exe
  C:\Windows\System\uDAtFWk.exe
  2⤵
  PID:9608
- C:\Windows\System\vhFuUKT.exe
  C:\Windows\System\vhFuUKT.exe
  2⤵
  PID:9644
- C:\Windows\System\DydjxRA.exe
  C:\Windows\System\DydjxRA.exe
  2⤵
  PID:9684
- C:\Windows\System\jVXXvEm.exe
  C:\Windows\System\jVXXvEm.exe
  2⤵
  PID:9752
- C:\Windows\System\PwiUXKp.exe
  C:\Windows\System\PwiUXKp.exe
  2⤵
  PID:9820
- C:\Windows\System\mnxkiwS.exe
  C:\Windows\System\mnxkiwS.exe
  2⤵
  PID:9852
- C:\Windows\System\FpIePQF.exe
  C:\Windows\System\FpIePQF.exe
  2⤵
  PID:9884
- C:\Windows\System\bVqdZSj.exe
  C:\Windows\System\bVqdZSj.exe
  2⤵
  PID:9912
- C:\Windows\System\AZcAFqd.exe
  C:\Windows\System\AZcAFqd.exe
  2⤵
  PID:9940
- C:\Windows\System\jBfmzne.exe
  C:\Windows\System\jBfmzne.exe
  2⤵
  PID:9968
- C:\Windows\System\raQQQaJ.exe
  C:\Windows\System\raQQQaJ.exe
  2⤵
  PID:10004
- C:\Windows\System\VeATUSn.exe
  C:\Windows\System\VeATUSn.exe
  2⤵
  PID:10032
- C:\Windows\System\MdeBdOK.exe
  C:\Windows\System\MdeBdOK.exe
  2⤵
  PID:10060
- C:\Windows\System\pfFZVjC.exe
  C:\Windows\System\pfFZVjC.exe
  2⤵
  PID:10088
- C:\Windows\System\KbBWCDY.exe
  C:\Windows\System\KbBWCDY.exe
  2⤵
  PID:10116
- C:\Windows\System\UMuMWNY.exe
  C:\Windows\System\UMuMWNY.exe
  2⤵
  PID:10144
- C:\Windows\System\tAwhHWx.exe
  C:\Windows\System\tAwhHWx.exe
  2⤵
  PID:10172
- C:\Windows\System\NLoChdl.exe
  C:\Windows\System\NLoChdl.exe
  2⤵
  PID:10200
- C:\Windows\System\KCmiZlv.exe
  C:\Windows\System\KCmiZlv.exe
  2⤵
  PID:10228
- C:\Windows\System\HLuuOAe.exe
  C:\Windows\System\HLuuOAe.exe
  2⤵
  PID:9244
- C:\Windows\System\XUALaXE.exe
  C:\Windows\System\XUALaXE.exe
  2⤵
  PID:9308
- C:\Windows\System\RQWVLHH.exe
  C:\Windows\System\RQWVLHH.exe
  2⤵
  PID:9368
- C:\Windows\System\uAqwTyz.exe
  C:\Windows\System\uAqwTyz.exe
  2⤵
  PID:9452
- C:\Windows\System\DtUtimQ.exe
  C:\Windows\System\DtUtimQ.exe
  2⤵
  PID:9508
- C:\Windows\System\FhMIlSP.exe
  C:\Windows\System\FhMIlSP.exe
  2⤵
  PID:9564
- C:\Windows\System\TLFBVfk.exe
  C:\Windows\System\TLFBVfk.exe
  2⤵
  PID:9604
- C:\Windows\System\XRZtVLn.exe
  C:\Windows\System\XRZtVLn.exe
  2⤵
  PID:9664
- C:\Windows\System\GStmInQ.exe
  C:\Windows\System\GStmInQ.exe
  2⤵
  PID:9808
- C:\Windows\System\pTagtCz.exe
  C:\Windows\System\pTagtCz.exe
  2⤵
  PID:1852
- C:\Windows\System\abbMJut.exe
  C:\Windows\System\abbMJut.exe
  2⤵
  PID:9932
- C:\Windows\System\bOQPqmm.exe
  C:\Windows\System\bOQPqmm.exe
  2⤵
  PID:9996
- C:\Windows\System\Klxxbvm.exe
  C:\Windows\System\Klxxbvm.exe
  2⤵
  PID:10044
- C:\Windows\System\piWLFfB.exe
  C:\Windows\System\piWLFfB.exe
  2⤵
  PID:10128
- C:\Windows\System\KQCadKz.exe
  C:\Windows\System\KQCadKz.exe
  2⤵
  PID:10156
- C:\Windows\System\WQsfkvQ.exe
  C:\Windows\System\WQsfkvQ.exe
  2⤵
  PID:8356
- C:\Windows\System\geEVTyN.exe
  C:\Windows\System\geEVTyN.exe
  2⤵
  PID:9284
- C:\Windows\System\OCAadrt.exe
  C:\Windows\System\OCAadrt.exe
  2⤵
  PID:9364
- C:\Windows\System\IVJeWSu.exe
  C:\Windows\System\IVJeWSu.exe
  2⤵
  PID:9504
- C:\Windows\System\xbamiTW.exe
  C:\Windows\System\xbamiTW.exe
  2⤵
  PID:9640
- C:\Windows\System\aZAlnRi.exe
  C:\Windows\System\aZAlnRi.exe
  2⤵
  PID:9876
- C:\Windows\System\bJjDDmg.exe
  C:\Windows\System\bJjDDmg.exe
  2⤵
  PID:960
- C:\Windows\System\KaFcrQS.exe
  C:\Windows\System\KaFcrQS.exe
  2⤵
  PID:10140
- C:\Windows\System\kJjWySq.exe
  C:\Windows\System\kJjWySq.exe
  2⤵
  PID:3976
- C:\Windows\System\vLIjOfi.exe
  C:\Windows\System\vLIjOfi.exe
  2⤵
  PID:9300
- C:\Windows\System\GgJylcl.exe
  C:\Windows\System\GgJylcl.exe
  2⤵
  PID:1776
- C:\Windows\System\ULWUqFN.exe
  C:\Windows\System\ULWUqFN.exe
  2⤵
  PID:3400
- C:\Windows\System\rxWyqJv.exe
  C:\Windows\System\rxWyqJv.exe
  2⤵
  PID:10108
- C:\Windows\System\oMgvEZL.exe
  C:\Windows\System\oMgvEZL.exe
  2⤵
  PID:9272
- C:\Windows\System\haOPrqJ.exe
  C:\Windows\System\haOPrqJ.exe
  2⤵
  PID:9864
- C:\Windows\System\sxRlYUM.exe
  C:\Windows\System\sxRlYUM.exe
  2⤵
  PID:9476
- C:\Windows\System\SJPgSQd.exe
  C:\Windows\System\SJPgSQd.exe
  2⤵
  PID:9228
- C:\Windows\System\PhocORt.exe
  C:\Windows\System\PhocORt.exe
  2⤵
  PID:10260
- C:\Windows\System\yZGFlcT.exe
  C:\Windows\System\yZGFlcT.exe
  2⤵
  PID:10288
- C:\Windows\System\UCNJEpN.exe
  C:\Windows\System\UCNJEpN.exe
  2⤵
  PID:10316
- C:\Windows\System\fKWHphJ.exe
  C:\Windows\System\fKWHphJ.exe
  2⤵
  PID:10344
- C:\Windows\System\GoCXLRH.exe
  C:\Windows\System\GoCXLRH.exe
  2⤵
  PID:10372
- C:\Windows\System\QLVukZP.exe
  C:\Windows\System\QLVukZP.exe
  2⤵
  PID:10400
- C:\Windows\System\mIkwLih.exe
  C:\Windows\System\mIkwLih.exe
  2⤵
  PID:10432
- C:\Windows\System\gyuwYHO.exe
  C:\Windows\System\gyuwYHO.exe
  2⤵
  PID:10460
- C:\Windows\System\fmOkuoQ.exe
  C:\Windows\System\fmOkuoQ.exe
  2⤵
  PID:10488
- C:\Windows\System\LfRKqna.exe
  C:\Windows\System\LfRKqna.exe
  2⤵
  PID:10516
- C:\Windows\System\EypYTbY.exe
  C:\Windows\System\EypYTbY.exe
  2⤵
  PID:10544
- C:\Windows\System\UzFfrxw.exe
  C:\Windows\System\UzFfrxw.exe
  2⤵
  PID:10572
- C:\Windows\System\cjVapVW.exe
  C:\Windows\System\cjVapVW.exe
  2⤵
  PID:10600
- C:\Windows\System\yWccTZC.exe
  C:\Windows\System\yWccTZC.exe
  2⤵
  PID:10628
- C:\Windows\System\PutHIEk.exe
  C:\Windows\System\PutHIEk.exe
  2⤵
  PID:10656
- C:\Windows\System\PRJJfAs.exe
  C:\Windows\System\PRJJfAs.exe
  2⤵
  PID:10684
- C:\Windows\System\KVrHkhM.exe
  C:\Windows\System\KVrHkhM.exe
  2⤵
  PID:10712
- C:\Windows\System\kKFLcES.exe
  C:\Windows\System\kKFLcES.exe
  2⤵
  PID:10740
- C:\Windows\System\QzgbJFv.exe
  C:\Windows\System\QzgbJFv.exe
  2⤵
  PID:10772
- C:\Windows\System\ohNlsiS.exe
  C:\Windows\System\ohNlsiS.exe
  2⤵
  PID:10800
- C:\Windows\System\IdahEeT.exe
  C:\Windows\System\IdahEeT.exe
  2⤵
  PID:10828
- C:\Windows\System\kFxUJuw.exe
  C:\Windows\System\kFxUJuw.exe
  2⤵
  PID:10856
- C:\Windows\System\HOesURo.exe
  C:\Windows\System\HOesURo.exe
  2⤵
  PID:10884
- C:\Windows\System\yerTXaD.exe
  C:\Windows\System\yerTXaD.exe
  2⤵
  PID:10912
- C:\Windows\System\yGRGgmB.exe
  C:\Windows\System\yGRGgmB.exe
  2⤵
  PID:10940
- C:\Windows\System\HxOkeNW.exe
  C:\Windows\System\HxOkeNW.exe
  2⤵
  PID:10968
- C:\Windows\System\anrvIXS.exe
  C:\Windows\System\anrvIXS.exe
  2⤵
  PID:10996
- C:\Windows\System\pjwOFgq.exe
  C:\Windows\System\pjwOFgq.exe
  2⤵
  PID:11024
- C:\Windows\System\ebtMUoL.exe
  C:\Windows\System\ebtMUoL.exe
  2⤵
  PID:11052
- C:\Windows\System\KGlztdI.exe
  C:\Windows\System\KGlztdI.exe
  2⤵
  PID:11080
- C:\Windows\System\wLXOqbf.exe
  C:\Windows\System\wLXOqbf.exe
  2⤵
  PID:11108
- C:\Windows\System\vUrSvwX.exe
  C:\Windows\System\vUrSvwX.exe
  2⤵
  PID:11136
- C:\Windows\System\rNGYtYn.exe
  C:\Windows\System\rNGYtYn.exe
  2⤵
  PID:11164
- C:\Windows\System\KQWbzfV.exe
  C:\Windows\System\KQWbzfV.exe
  2⤵
  PID:11192
- C:\Windows\System\mxbEXJZ.exe
  C:\Windows\System\mxbEXJZ.exe
  2⤵
  PID:11220
- C:\Windows\System\KtgHkSA.exe
  C:\Windows\System\KtgHkSA.exe
  2⤵
  PID:11248
- C:\Windows\System\rcejvqq.exe
  C:\Windows\System\rcejvqq.exe
  2⤵
  PID:10256
- C:\Windows\System\jLalsxW.exe
  C:\Windows\System\jLalsxW.exe
  2⤵
  PID:10308
- C:\Windows\System\vbozFyh.exe
  C:\Windows\System\vbozFyh.exe
  2⤵
  PID:1904
- C:\Windows\System\NdzgRBH.exe
  C:\Windows\System\NdzgRBH.exe
  2⤵
  PID:10396
- C:\Windows\System\qTiJZGV.exe
  C:\Windows\System\qTiJZGV.exe
  2⤵
  PID:10456
- C:\Windows\System\ukTbtLL.exe
  C:\Windows\System\ukTbtLL.exe
  2⤵
  PID:10528
- C:\Windows\System\roQSHMO.exe
  C:\Windows\System\roQSHMO.exe
  2⤵
  PID:10584
- C:\Windows\System\oYuQlKF.exe
  C:\Windows\System\oYuQlKF.exe
  2⤵
  PID:10648
- C:\Windows\System\nOmrGgK.exe
  C:\Windows\System\nOmrGgK.exe
  2⤵
  PID:10680
- C:\Windows\System\exjdWYi.exe
  C:\Windows\System\exjdWYi.exe
  2⤵
  PID:10752
- C:\Windows\System\iyjeWxx.exe
  C:\Windows\System\iyjeWxx.exe
  2⤵
  PID:10820
- C:\Windows\System\HYKgpIq.exe
  C:\Windows\System\HYKgpIq.exe
  2⤵
  PID:10880
- C:\Windows\System\Ghbzcbn.exe
  C:\Windows\System\Ghbzcbn.exe
  2⤵
  PID:10992
- C:\Windows\System\VeyeRkS.exe
  C:\Windows\System\VeyeRkS.exe
  2⤵
  PID:11020
- C:\Windows\System\tZfnRfw.exe
  C:\Windows\System\tZfnRfw.exe
  2⤵
  PID:11092
- C:\Windows\System\gYwMdCU.exe
  C:\Windows\System\gYwMdCU.exe
  2⤵
  PID:11156
- C:\Windows\System\GOYQoKv.exe
  C:\Windows\System\GOYQoKv.exe
  2⤵
  PID:11212
- C:\Windows\System\DQEscqo.exe
  C:\Windows\System\DQEscqo.exe
  2⤵
  PID:10252
- C:\Windows\System\kQKnzlX.exe
  C:\Windows\System\kQKnzlX.exe
  2⤵
  PID:10368
- C:\Windows\System\iDSjpCt.exe
  C:\Windows\System\iDSjpCt.exe
  2⤵
  PID:1920
- C:\Windows\System\pgnOohP.exe
  C:\Windows\System\pgnOohP.exe
  2⤵
  PID:10564
- C:\Windows\System\hwFbTNQ.exe
  C:\Windows\System\hwFbTNQ.exe
  2⤵
  PID:10676
- C:\Windows\System\XDChvHP.exe
  C:\Windows\System\XDChvHP.exe
  2⤵
  PID:10848
- C:\Windows\System\gTvzjxN.exe
  C:\Windows\System\gTvzjxN.exe
  2⤵
  PID:10980
- C:\Windows\System\MBOkObN.exe
  C:\Windows\System\MBOkObN.exe
  2⤵
  PID:11120
- C:\Windows\System\cNloLfC.exe
  C:\Windows\System\cNloLfC.exe
  2⤵
  PID:11260
- C:\Windows\System\gVZXXLU.exe
  C:\Windows\System\gVZXXLU.exe
  2⤵
  PID:4916
- C:\Windows\System\kcmsWwj.exe
  C:\Windows\System\kcmsWwj.exe
  2⤵
  PID:10736
- C:\Windows\System\yHgrGVn.exe
  C:\Windows\System\yHgrGVn.exe
  2⤵
  PID:10932
- C:\Windows\System\TMiWOkQ.exe
  C:\Windows\System\TMiWOkQ.exe
  2⤵
  PID:1620
- C:\Windows\System\HGFFYbU.exe
  C:\Windows\System\HGFFYbU.exe
  2⤵
  PID:10668
- C:\Windows\System\jDwpjJf.exe
  C:\Windows\System\jDwpjJf.exe
  2⤵
  PID:10624
- C:\Windows\System\GHNQltq.exe
  C:\Windows\System\GHNQltq.exe
  2⤵
  PID:11272
- C:\Windows\System\kkWVvcq.exe
  C:\Windows\System\kkWVvcq.exe
  2⤵
  PID:11300
- C:\Windows\System\JvWWizR.exe
  C:\Windows\System\JvWWizR.exe
  2⤵
  PID:11328
- C:\Windows\System\laUMEIO.exe
  C:\Windows\System\laUMEIO.exe
  2⤵
  PID:11356
- C:\Windows\System\YslHVob.exe
  C:\Windows\System\YslHVob.exe
  2⤵
  PID:11384
- C:\Windows\System\MUSDXxw.exe
  C:\Windows\System\MUSDXxw.exe
  2⤵
  PID:11412
- C:\Windows\System\iwEaqHA.exe
  C:\Windows\System\iwEaqHA.exe
  2⤵
  PID:11440
- C:\Windows\System\vXJAdrn.exe
  C:\Windows\System\vXJAdrn.exe
  2⤵
  PID:11468
- C:\Windows\System\iilcPpa.exe
  C:\Windows\System\iilcPpa.exe
  2⤵
  PID:11496
- C:\Windows\System\wOWqBsq.exe
  C:\Windows\System\wOWqBsq.exe
  2⤵
  PID:11524
- C:\Windows\System\bvOxuRP.exe
  C:\Windows\System\bvOxuRP.exe
  2⤵
  PID:11556
- C:\Windows\System\MtgddSg.exe
  C:\Windows\System\MtgddSg.exe
  2⤵
  PID:11584
- C:\Windows\System\snxhEpj.exe
  C:\Windows\System\snxhEpj.exe
  2⤵
  PID:11616
- C:\Windows\System\NNJfbwq.exe
  C:\Windows\System\NNJfbwq.exe
  2⤵
  PID:11656
- C:\Windows\System\YKxFoCp.exe
  C:\Windows\System\YKxFoCp.exe
  2⤵
  PID:11672
- C:\Windows\System\fuHNzCp.exe
  C:\Windows\System\fuHNzCp.exe
  2⤵
  PID:11700
- C:\Windows\System\ZlueGjb.exe
  C:\Windows\System\ZlueGjb.exe
  2⤵
  PID:11728
- C:\Windows\System\XSkamas.exe
  C:\Windows\System\XSkamas.exe
  2⤵
  PID:11756
- C:\Windows\System\smSzoUR.exe
  C:\Windows\System\smSzoUR.exe
  2⤵
  PID:11784
- C:\Windows\System\TQCtHyn.exe
  C:\Windows\System\TQCtHyn.exe
  2⤵
  PID:11812
- C:\Windows\System\hENLLjx.exe
  C:\Windows\System\hENLLjx.exe
  2⤵
  PID:11840
- C:\Windows\System\GUbngbq.exe
  C:\Windows\System\GUbngbq.exe
  2⤵
  PID:11868
- C:\Windows\System\FADrgXy.exe
  C:\Windows\System\FADrgXy.exe
  2⤵
  PID:11896
- C:\Windows\System\VrArCQE.exe
  C:\Windows\System\VrArCQE.exe
  2⤵
  PID:11924
- C:\Windows\System\BieeZlK.exe
  C:\Windows\System\BieeZlK.exe
  2⤵
  PID:11952
- C:\Windows\System\uyujQQE.exe
  C:\Windows\System\uyujQQE.exe
  2⤵
  PID:11980
- C:\Windows\System\wTUOSfc.exe
  C:\Windows\System\wTUOSfc.exe
  2⤵
  PID:12008
- C:\Windows\System\ngghyOU.exe
  C:\Windows\System\ngghyOU.exe
  2⤵
  PID:12036
- C:\Windows\System\xupklgd.exe
  C:\Windows\System\xupklgd.exe
  2⤵
  PID:12064
- C:\Windows\System\VkANHty.exe
  C:\Windows\System\VkANHty.exe
  2⤵
  PID:12092
- C:\Windows\System\EwLeLXN.exe
  C:\Windows\System\EwLeLXN.exe
  2⤵
  PID:12120
- C:\Windows\System\OzDYrLT.exe
  C:\Windows\System\OzDYrLT.exe
  2⤵
  PID:12148
- C:\Windows\System\jjmGfLj.exe
  C:\Windows\System\jjmGfLj.exe
  2⤵
  PID:12176
- C:\Windows\System\iDKtcEV.exe
  C:\Windows\System\iDKtcEV.exe
  2⤵
  PID:12204
- C:\Windows\System\MbUhjCh.exe
  C:\Windows\System\MbUhjCh.exe
  2⤵
  PID:12232
- C:\Windows\System\kTVlauQ.exe
  C:\Windows\System\kTVlauQ.exe
  2⤵
  PID:12260
- C:\Windows\System\Byioiwb.exe
  C:\Windows\System\Byioiwb.exe
  2⤵
  PID:11076
- C:\Windows\System\mwxqcmD.exe
  C:\Windows\System\mwxqcmD.exe
  2⤵
  PID:9584
- C:\Windows\System\tGxHUKl.exe
  C:\Windows\System\tGxHUKl.exe
  2⤵
  PID:9580
- C:\Windows\System\hJoKOoL.exe
  C:\Windows\System\hJoKOoL.exe
  2⤵
  PID:11352
- C:\Windows\System\nXxyzfV.exe
  C:\Windows\System\nXxyzfV.exe
  2⤵
  PID:11408
- C:\Windows\System\ErsqWAc.exe
  C:\Windows\System\ErsqWAc.exe
  2⤵
  PID:11480
- C:\Windows\System\vuJuOSC.exe
  C:\Windows\System\vuJuOSC.exe
  2⤵
  PID:11544
- C:\Windows\System\iZmMJUF.exe
  C:\Windows\System\iZmMJUF.exe
  2⤵
  PID:11608
- C:\Windows\System\jdhjRQf.exe
  C:\Windows\System\jdhjRQf.exe
  2⤵
  PID:11664
- C:\Windows\System\UCpmzPp.exe
  C:\Windows\System\UCpmzPp.exe
  2⤵
  PID:11724
- C:\Windows\System\YexicIv.exe
  C:\Windows\System\YexicIv.exe
  2⤵
  PID:11780
- C:\Windows\System\nkWuFKG.exe
  C:\Windows\System\nkWuFKG.exe
  2⤵
  PID:11836
- C:\Windows\System\zJNHylU.exe
  C:\Windows\System\zJNHylU.exe
  2⤵
  PID:11908
- C:\Windows\System\FgDvgaA.exe
  C:\Windows\System\FgDvgaA.exe
  2⤵
  PID:11972
- C:\Windows\System\nuoCGbo.exe
  C:\Windows\System\nuoCGbo.exe
  2⤵
  PID:12032
- C:\Windows\System\WcQFoul.exe
  C:\Windows\System\WcQFoul.exe
  2⤵
  PID:12104
- C:\Windows\System\ZedvNve.exe
  C:\Windows\System\ZedvNve.exe
  2⤵
  PID:12168
- C:\Windows\System\hPfcCPF.exe
  C:\Windows\System\hPfcCPF.exe
  2⤵
  PID:12224
- C:\Windows\System\flohxhr.exe
  C:\Windows\System\flohxhr.exe
  2⤵
  PID:12280
- C:\Windows\System\OYyIzfe.exe
  C:\Windows\System\OYyIzfe.exe
  2⤵
  PID:11296
- C:\Windows\System\patuFqD.exe
  C:\Windows\System\patuFqD.exe
  2⤵
  PID:11436
- C:\Windows\System\YVjovDt.exe
  C:\Windows\System\YVjovDt.exe
  2⤵
  PID:3416
- C:\Windows\System\DNPJzjL.exe
  C:\Windows\System\DNPJzjL.exe
  2⤵
  PID:11692
- C:\Windows\System\cUxqWke.exe
  C:\Windows\System\cUxqWke.exe
  2⤵
  PID:11824
- C:\Windows\System\jCPVGsF.exe
  C:\Windows\System\jCPVGsF.exe
  2⤵
  PID:11964
- C:\Windows\System\YGkUohk.exe
  C:\Windows\System\YGkUohk.exe
  2⤵
  PID:12084
- C:\Windows\System\FvBbAsc.exe
  C:\Windows\System\FvBbAsc.exe
  2⤵
  PID:12388
- C:\Windows\System\fAgsvTh.exe
  C:\Windows\System\fAgsvTh.exe
  2⤵
  PID:12416
- C:\Windows\System\aVpOdfV.exe
  C:\Windows\System\aVpOdfV.exe
  2⤵
  PID:12444
- C:\Windows\System\DXqKTqi.exe
  C:\Windows\System\DXqKTqi.exe
  2⤵
  PID:12472
- C:\Windows\System\wFswbuZ.exe
  C:\Windows\System\wFswbuZ.exe
  2⤵
  PID:12500
- C:\Windows\System\kypmFRA.exe
  C:\Windows\System\kypmFRA.exe
  2⤵
  PID:12528
- C:\Windows\System\UsKchAs.exe
  C:\Windows\System\UsKchAs.exe
  2⤵
  PID:12556
- C:\Windows\System\AYtkyUt.exe
  C:\Windows\System\AYtkyUt.exe
  2⤵
  PID:12584
- C:\Windows\System\eDyyqXq.exe
  C:\Windows\System\eDyyqXq.exe
  2⤵
  PID:12612
- C:\Windows\System\CaCnJQl.exe
  C:\Windows\System\CaCnJQl.exe
  2⤵
  PID:12640
- C:\Windows\System\JMizrvM.exe
  C:\Windows\System\JMizrvM.exe
  2⤵
  PID:12668
- C:\Windows\System\EAweEmv.exe
  C:\Windows\System\EAweEmv.exe
  2⤵
  PID:12700
- C:\Windows\System\YURQOLq.exe
  C:\Windows\System\YURQOLq.exe
  2⤵
  PID:12728
- C:\Windows\System\gHSoEsm.exe
  C:\Windows\System\gHSoEsm.exe
  2⤵
  PID:12756
- C:\Windows\System\nHPXhiH.exe
  C:\Windows\System\nHPXhiH.exe
  2⤵
  PID:12792
- C:\Windows\System\uvXwZtO.exe
  C:\Windows\System\uvXwZtO.exe
  2⤵
  PID:12812
- C:\Windows\System\uimBEKN.exe
  C:\Windows\System\uimBEKN.exe
  2⤵
  PID:12840
- C:\Windows\System\iiSelDh.exe
  C:\Windows\System\iiSelDh.exe
  2⤵
  PID:12868
- C:\Windows\System\aZYHODl.exe
  C:\Windows\System\aZYHODl.exe
  2⤵
  PID:12896
- C:\Windows\System\wtnDLCd.exe
  C:\Windows\System\wtnDLCd.exe
  2⤵
  PID:12924
- C:\Windows\System\pKHfCCl.exe
  C:\Windows\System\pKHfCCl.exe
  2⤵
  PID:12952
- C:\Windows\System\rrwZqGL.exe
  C:\Windows\System\rrwZqGL.exe
  2⤵
  PID:12980
- C:\Windows\System\untguuC.exe
  C:\Windows\System\untguuC.exe
  2⤵
  PID:13008
- C:\Windows\System\inRGNBJ.exe
  C:\Windows\System\inRGNBJ.exe
  2⤵
  PID:13036
- C:\Windows\System\TznCfTE.exe
  C:\Windows\System\TznCfTE.exe
  2⤵
  PID:13064
- C:\Windows\System\YOBRcZg.exe
  C:\Windows\System\YOBRcZg.exe
  2⤵
  PID:13092
- C:\Windows\System\EILwXHf.exe
  C:\Windows\System\EILwXHf.exe
  2⤵
  PID:13120
- C:\Windows\System\jLpGWyh.exe
  C:\Windows\System\jLpGWyh.exe
  2⤵
  PID:13148
- C:\Windows\System\nLybAQp.exe
  C:\Windows\System\nLybAQp.exe
  2⤵
  PID:13176
- C:\Windows\System\wBQnUEy.exe
  C:\Windows\System\wBQnUEy.exe
  2⤵
  PID:13204
- C:\Windows\System\JQMDxnw.exe
  C:\Windows\System\JQMDxnw.exe
  2⤵
  PID:13232
- C:\Windows\System\sMsrlpu.exe
  C:\Windows\System\sMsrlpu.exe
  2⤵
  PID:13260
- C:\Windows\System\FUzSjsm.exe
  C:\Windows\System\FUzSjsm.exe
  2⤵
  PID:13288
- C:\Windows\System\GMzVDKG.exe
  C:\Windows\System\GMzVDKG.exe
  2⤵
  PID:12200
- C:\Windows\System\fmvioes.exe
  C:\Windows\System\fmvioes.exe
  2⤵
  PID:11348
- C:\Windows\System\rwucUGN.exe
  C:\Windows\System\rwucUGN.exe
  2⤵
  PID:11652
- C:\Windows\System\lTaATcQ.exe
  C:\Windows\System\lTaATcQ.exe
  2⤵
  PID:11948
- C:\Windows\System\KTGNCKK.exe
  C:\Windows\System\KTGNCKK.exe
  2⤵
  PID:12304
- C:\Windows\System\VaZZsCO.exe
  C:\Windows\System\VaZZsCO.exe
  2⤵
  PID:12328
- C:\Windows\System\GgVxwCa.exe
  C:\Windows\System\GgVxwCa.exe
  2⤵
  PID:12356
- C:\Windows\System\GbADKfO.exe
  C:\Windows\System\GbADKfO.exe
  2⤵
  PID:12408
- C:\Windows\System\PzUVqfR.exe
  C:\Windows\System\PzUVqfR.exe
  2⤵
  PID:12464
- C:\Windows\System\QHdpOMP.exe
  C:\Windows\System\QHdpOMP.exe
  2⤵
  PID:12540
- C:\Windows\System\NVzumkT.exe
  C:\Windows\System\NVzumkT.exe
  2⤵
  PID:12604
- C:\Windows\System\nnozrNC.exe
  C:\Windows\System\nnozrNC.exe
  2⤵
  PID:12664
- C:\Windows\System\HLieGIS.exe
  C:\Windows\System\HLieGIS.exe
  2⤵
  PID:12724
- C:\Windows\System\VkPVSMH.exe
  C:\Windows\System\VkPVSMH.exe
  2⤵
  PID:12780
- C:\Windows\System\DuJPwns.exe
  C:\Windows\System\DuJPwns.exe
  2⤵
  PID:1816
- C:\Windows\System\iRVzIMf.exe
  C:\Windows\System\iRVzIMf.exe
  2⤵
  PID:12880
- C:\Windows\System\CABxPlu.exe
  C:\Windows\System\CABxPlu.exe
  2⤵
  PID:12944
- C:\Windows\System\QRPrLhU.exe
  C:\Windows\System\QRPrLhU.exe
  2⤵
  PID:13004
- C:\Windows\System\tyRSxxe.exe
  C:\Windows\System\tyRSxxe.exe
  2⤵
  PID:13076
- C:\Windows\System\eUsaHIQ.exe
  C:\Windows\System\eUsaHIQ.exe
  2⤵
  PID:13140
- C:\Windows\System\JKpvkyy.exe
  C:\Windows\System\JKpvkyy.exe
  2⤵
  PID:13200
- C:\Windows\System\LOimrFF.exe
  C:\Windows\System\LOimrFF.exe
  2⤵
  PID:13300
- C:\Windows\System\wGtaECB.exe
  C:\Windows\System\wGtaECB.exe
  2⤵
  PID:9596
- C:\Windows\System\xFdXHeL.exe
  C:\Windows\System\xFdXHeL.exe
  2⤵
  PID:11888
- C:\Windows\System\bNKiZrC.exe
  C:\Windows\System\bNKiZrC.exe
  2⤵
  PID:12324
- C:\Windows\System\quhEnvZ.exe
  C:\Windows\System\quhEnvZ.exe
  2⤵
  PID:12436
- C:\Windows\System\qIsyQTY.exe
  C:\Windows\System\qIsyQTY.exe
  2⤵
  PID:12580
- C:\Windows\System\XYREqWV.exe
  C:\Windows\System\XYREqWV.exe
  2⤵
  PID:12720
- C:\Windows\System\vKGzrsP.exe
  C:\Windows\System\vKGzrsP.exe
  2⤵
  PID:12776
- C:\Windows\System\SbZJazt.exe
  C:\Windows\System\SbZJazt.exe
  2⤵
  PID:12860
- C:\Windows\System\pgKaJbU.exe
  C:\Windows\System\pgKaJbU.exe
  2⤵
  PID:13000
- C:\Windows\System\RWctJRJ.exe
  C:\Windows\System\RWctJRJ.exe
  2⤵
  PID:13168
- C:\Windows\System\XNxrFDh.exe
  C:\Windows\System\XNxrFDh.exe
  2⤵
  PID:12256
- C:\Windows\System\KcrwPjb.exe
  C:\Windows\System\KcrwPjb.exe
  2⤵
  PID:12316
- C:\Windows\System\rnRWXIT.exe
  C:\Windows\System\rnRWXIT.exe
  2⤵
  PID:12400
- C:\Windows\System\HiITLLb.exe
  C:\Windows\System\HiITLLb.exe
  2⤵
  PID:1280
- C:\Windows\System\RVNjxZi.exe
  C:\Windows\System\RVNjxZi.exe
  2⤵
  PID:12972
- C:\Windows\System\aVbBkUF.exe
  C:\Windows\System\aVbBkUF.exe
  2⤵
  PID:13256
- C:\Windows\System\BAFysRh.exe
  C:\Windows\System\BAFysRh.exe
  2⤵
  PID:12568
- C:\Windows\System\nkDJNWJ.exe
  C:\Windows\System\nkDJNWJ.exe
  2⤵
  PID:13116
- C:\Windows\System\GGRKcyq.exe
  C:\Windows\System\GGRKcyq.exe
  2⤵
  PID:12836
- C:\Windows\System\QmYKhuS.exe
  C:\Windows\System\QmYKhuS.exe
  2⤵
  PID:2656
- C:\Windows\System\KjppqgF.exe
  C:\Windows\System\KjppqgF.exe
  2⤵
  PID:12384
- C:\Windows\System\FwxfAiY.exe
  C:\Windows\System\FwxfAiY.exe
  2⤵
  PID:13332
- C:\Windows\System\uGHanaF.exe
  C:\Windows\System\uGHanaF.exe
  2⤵
  PID:13360
- C:\Windows\System\RQoaexs.exe
  C:\Windows\System\RQoaexs.exe
  2⤵
  PID:13388
- C:\Windows\System\TkCNosc.exe
  C:\Windows\System\TkCNosc.exe
  2⤵
  PID:13420
- C:\Windows\System\SjGwfOt.exe
  C:\Windows\System\SjGwfOt.exe
  2⤵
  PID:13448
- C:\Windows\System\VCyvIGH.exe
  C:\Windows\System\VCyvIGH.exe
  2⤵
  PID:13480
- C:\Windows\System\LMCGLcr.exe
  C:\Windows\System\LMCGLcr.exe
  2⤵
  PID:13504
- C:\Windows\System\nJVjTlH.exe
  C:\Windows\System\nJVjTlH.exe
  2⤵
  PID:13532
- C:\Windows\System\mJxLOxR.exe
  C:\Windows\System\mJxLOxR.exe
  2⤵
  PID:13560
- C:\Windows\System\IkpHtJV.exe
  C:\Windows\System\IkpHtJV.exe
  2⤵
  PID:13588
- C:\Windows\System\tPjzmSA.exe
  C:\Windows\System\tPjzmSA.exe
  2⤵
  PID:13616
- C:\Windows\System\dWAGcGn.exe
  C:\Windows\System\dWAGcGn.exe
  2⤵
  PID:13644
- C:\Windows\System\aLGXTmz.exe
  C:\Windows\System\aLGXTmz.exe
  2⤵
  PID:13672
- C:\Windows\System\LNAPRnc.exe
  C:\Windows\System\LNAPRnc.exe
  2⤵
  PID:13700
- C:\Windows\System\vSuysfE.exe
  C:\Windows\System\vSuysfE.exe
  2⤵
  PID:13728
- C:\Windows\System\WiIIlMX.exe
  C:\Windows\System\WiIIlMX.exe
  2⤵
  PID:13756
- C:\Windows\System\ruJtjbg.exe
  C:\Windows\System\ruJtjbg.exe
  2⤵
  PID:13784
- C:\Windows\System\EwzTnRN.exe
  C:\Windows\System\EwzTnRN.exe
  2⤵
  PID:13812
- C:\Windows\System\PfRwlKp.exe
  C:\Windows\System\PfRwlKp.exe
  2⤵
  PID:13840
- C:\Windows\System\XENpJzl.exe
  C:\Windows\System\XENpJzl.exe
  2⤵
  PID:13872
- C:\Windows\System\AWNgUJT.exe
  C:\Windows\System\AWNgUJT.exe
  2⤵
  PID:13900
- C:\Windows\System\WRkqSGQ.exe
  C:\Windows\System\WRkqSGQ.exe
  2⤵
  PID:13928
- C:\Windows\System\ngBGHGX.exe
  C:\Windows\System\ngBGHGX.exe
  2⤵
  PID:13960
- C:\Windows\System\LHFNTsL.exe
  C:\Windows\System\LHFNTsL.exe
  2⤵
  PID:13992
- C:\Windows\System\WKAnmfi.exe
  C:\Windows\System\WKAnmfi.exe
  2⤵
  PID:14020
- C:\Windows\System\mYRXaiJ.exe
  C:\Windows\System\mYRXaiJ.exe
  2⤵
  PID:14048
- C:\Windows\System\YAUEOPm.exe
  C:\Windows\System\YAUEOPm.exe
  2⤵
  PID:14080
- C:\Windows\System\jkRKWQH.exe
  C:\Windows\System\jkRKWQH.exe
  2⤵
  PID:14108
- C:\Windows\System\plzlsYH.exe
  C:\Windows\System\plzlsYH.exe
  2⤵
  PID:14136
- C:\Windows\System\QfJMTgJ.exe
  C:\Windows\System\QfJMTgJ.exe
  2⤵
  PID:14164
- C:\Windows\System\xDioYGh.exe
  C:\Windows\System\xDioYGh.exe
  2⤵
  PID:14192
- C:\Windows\System\QWBQrkr.exe
  C:\Windows\System\QWBQrkr.exe
  2⤵
  PID:14220
- C:\Windows\System\EzEFuSi.exe
  C:\Windows\System\EzEFuSi.exe
  2⤵
  PID:14248
- C:\Windows\System\GbBDnbH.exe
  C:\Windows\System\GbBDnbH.exe
  2⤵
  PID:14276
- C:\Windows\System\eszazDx.exe
  C:\Windows\System\eszazDx.exe
  2⤵
  PID:14304
- C:\Windows\System\HaCpCJu.exe
  C:\Windows\System\HaCpCJu.exe
  2⤵
  PID:14332
- C:\Windows\System\NxcorAE.exe
  C:\Windows\System\NxcorAE.exe
  2⤵
  PID:13352
- C:\Windows\System\ZgWpQZW.exe
  C:\Windows\System\ZgWpQZW.exe
  2⤵
  PID:13400
- C:\Windows\System\acKQaLY.exe
  C:\Windows\System\acKQaLY.exe
  2⤵
  PID:13500
- C:\Windows\System\jBXzmId.exe
  C:\Windows\System\jBXzmId.exe
  2⤵
  PID:13544
- C:\Windows\System\dVtfiNz.exe
  C:\Windows\System\dVtfiNz.exe
  2⤵
  PID:888
- C:\Windows\System\lGafzRM.exe
  C:\Windows\System\lGafzRM.exe
  2⤵
  PID:2632
- C:\Windows\System\YzutNCy.exe
  C:\Windows\System\YzutNCy.exe
  2⤵
  PID:760
- C:\Windows\System\ccFcowR.exe
  C:\Windows\System\ccFcowR.exe
  2⤵
  PID:13656
- C:\Windows\System\RiSIwnk.exe
  C:\Windows\System\RiSIwnk.exe
  2⤵
  PID:1876
- C:\Windows\System\RKPMxcS.exe
  C:\Windows\System\RKPMxcS.exe
  2⤵
  PID:13748
- C:\Windows\System\fmuvzql.exe
  C:\Windows\System\fmuvzql.exe
  2⤵
  PID:2356
- C:\Windows\System\nzYDNDV.exe
  C:\Windows\System\nzYDNDV.exe
  2⤵
  PID:13832
- C:\Windows\System\HvJsXhO.exe
  C:\Windows\System\HvJsXhO.exe
  2⤵
  PID:536
- C:\Windows\System\zybDAPV.exe
  C:\Windows\System\zybDAPV.exe
  2⤵
  PID:1340
- C:\Windows\System\wVKAmGW.exe
  C:\Windows\System\wVKAmGW.exe
  2⤵
  PID:2132
- C:\Windows\System\TNSFgrz.exe
  C:\Windows\System\TNSFgrz.exe
  2⤵
  PID:14040
- C:\Windows\System\ePmdxaY.exe
  C:\Windows\System\ePmdxaY.exe
  2⤵
  PID:14100
- C:\Windows\System\PyHnRQd.exe
  C:\Windows\System\PyHnRQd.exe
  2⤵
  PID:4008
- C:\Windows\System\muVGgUk.exe
  C:\Windows\System\muVGgUk.exe
  2⤵
  PID:14184
- C:\Windows\System\WpQtGGp.exe
  C:\Windows\System\WpQtGGp.exe
  2⤵
  PID:14260
- C:\Windows\System\GflDwNV.exe
  C:\Windows\System\GflDwNV.exe
  2⤵
  PID:14272
- C:\Windows\System\opdvytq.exe
  C:\Windows\System\opdvytq.exe
  2⤵
  PID:13328
- C:\Windows\System\RwvIcLI.exe
  C:\Windows\System\RwvIcLI.exe
  2⤵
  PID:4348
- C:\Windows\System\lYaxEYQ.exe
  C:\Windows\System\lYaxEYQ.exe
  2⤵
  PID:3208
- C:\Windows\System\ffjKlJE.exe
  C:\Windows\System\ffjKlJE.exe
  2⤵
  PID:13444
- C:\Windows\System\uMQtwKe.exe
  C:\Windows\System\uMQtwKe.exe
  2⤵
  PID:816
- C:\Windows\System\vMMeerD.exe
  C:\Windows\System\vMMeerD.exe
  2⤵
  PID:3056
- C:\Windows\System\WhxzhBA.exe
  C:\Windows\System\WhxzhBA.exe
  2⤵
  PID:13636
- C:\Windows\System\yQqwpnl.exe
  C:\Windows\System\yQqwpnl.exe
  2⤵
  PID:4544
- C:\Windows\System\SToSVfd.exe
  C:\Windows\System\SToSVfd.exe
  2⤵
  PID:13884
- C:\Windows\System\xLQBLhy.exe
  C:\Windows\System\xLQBLhy.exe
  2⤵
  PID:13984
- C:\Windows\System\ByKDCpd.exe
  C:\Windows\System\ByKDCpd.exe
  2⤵
  PID:14092
- C:\Windows\System\VCVSbaX.exe
  C:\Windows\System\VCVSbaX.exe
  2⤵
  PID:14128
- C:\Windows\System\dlPZqTE.exe
  C:\Windows\System\dlPZqTE.exe
  2⤵
  PID:14244
- C:\Windows\System\UXepnCn.exe
  C:\Windows\System\UXepnCn.exe
  2⤵
  PID:14324
- C:\Windows\System\wsOxMsb.exe
  C:\Windows\System\wsOxMsb.exe
  2⤵
  PID:4324
- C:\Windows\System\TEkMnhf.exe
  C:\Windows\System\TEkMnhf.exe
  2⤵
  PID:780
- C:\Windows\System\ouVddoc.exe
  C:\Windows\System\ouVddoc.exe
  2⤵
  PID:3888
- C:\Windows\System\judgSRX.exe
  C:\Windows\System\judgSRX.exe
  2⤵
  PID:13640
- C:\Windows\System\ltMHlUE.exe
  C:\Windows\System\ltMHlUE.exe
  2⤵
  PID:13824
- C:\Windows\System\zqogPBb.exe
  C:\Windows\System\zqogPBb.exe
  2⤵
  PID:1736
- C:\Windows\System\FwpwZbi.exe
  C:\Windows\System\FwpwZbi.exe
  2⤵
  PID:13384
- C:\Windows\System\YRtgNJZ.exe
  C:\Windows\System\YRtgNJZ.exe
  2⤵
  PID:13572
- C:\Windows\System\rvRhdPN.exe
  C:\Windows\System\rvRhdPN.exe
  2⤵
  PID:992
- C:\Windows\System\ATrfDKJ.exe
  C:\Windows\System\ATrfDKJ.exe
  2⤵
  PID:4056
- C:\Windows\System\phpiDkQ.exe
  C:\Windows\System\phpiDkQ.exe
  2⤵
  PID:13628

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4740
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5432

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5236

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6612

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7472

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2320

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8968

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3264

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:556

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10900

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11308

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6532

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7184

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8832

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9048

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7488

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13772

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14240

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10288

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10492

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4476

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5524

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12840

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12972

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14308

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7692

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13072

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7356

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4064

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10012

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14124

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5872

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3976

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3800

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3684

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\0CG2OG3P\microsoft.windows[1].xml

Filesize
97B

MD5
bbb9d13417f84ed063a1c531f725d100

SHA1
0233da4e721d994ebed893c4a6d3864aa1c6c2e0

SHA256
452dadfbec8471649ced96721dffa324fe48cb5ca5d1de88448e8efd236052cc

SHA512
d21119a15ee648601757ba2ab1e1eef9e0ec6a7332591186c7b41f96ac1d34cde553c5a0d4231bd3ce4574eeae9a25163044e7748468e15a683334966ed72d80

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133829891371547029.txt

Filesize
75KB

MD5
ee584a553d166086fcbc14144ecf59d7

SHA1
685ddf458c868d816dc686c7ba77234fd69b441d

SHA256
423d3b999e7f797b38f1db9206f8062a972e94183a27fffc697e88f191c3c2a7

SHA512
b80b559806a8fc0ca07eafe7b3e78ba4dd3a3211e987207a3c0d190f32d321967b6101a33b2bd9cc5a037d5ce4ca4c05575d0e54e1f15307daa94bfde161c4b9

Download Submit
C:\Windows\System\BULRGux.exe

Filesize
6.0MB

MD5
4f74d3f9894b09500843e71c0a7e6d80

SHA1
fae974cc86283e3068ad83459322fde01a626d30

SHA256
0a80993642e1215f773322458148d5789bf313ba8c3af625e62680dab2e2a286

SHA512
bae4144883a8046f28f9e1c42b833c9aaea8245f372653f150eb00d9a70e78a64587d8941f8988fba406ed3922f4bceee4a9876e353ede2edb9af13979dd337a

Download Submit
C:\Windows\System\EuNwxgz.exe

Filesize
6.0MB

MD5
901e0e8bba45bf0feefd075b13bbd143

SHA1
f772e482999f36eccc2fe5a71a75f1ea8cc6ca0a

SHA256
1a314b0ca04495de6b215940bf171c4662239dabe933b19e87e2440f94186f80

SHA512
88d90abd18b2174d2e648d0e4b3af24b2d74e5dcc34f96eee87e73d4e0412cd43ae7c152ab23945b7ed2451a56c1809c5ed64380092cd4bfb420b7b5024c35bd

Download Submit
C:\Windows\System\FVlGQUd.exe

Filesize
6.0MB

MD5
55334e98e488c98dd81183a81eea8bbd

SHA1
c69ced315f16b2fc3b3f6eedd66f40b8467b27c2

SHA256
0a9ee3d837ac7f0035036624409d0606b9ed71cbe507ae2b48cb3763b9378199

SHA512
61e41380101953e5fd705f658aa98d675f641545d5558c1c07f571a04a642da1916668f5788fde0b48504adad5386c1a0130c1a4a030e5693ef94f7c3a6d092b

Download Submit
C:\Windows\System\FetZMQE.exe

Filesize
6.0MB

MD5
a0c6cf84a67a322a32d2d0d3c15bfe0f

SHA1
ee3fcb98f60db531b1ff697f3de1f0018f398a17

SHA256
82a7bd8dbee837e99fd7e294760eabd20b74a75224dac0ce23c5bb45445b5595

SHA512
9e4ca30fc4a370eb78a46a2fbac199a27198a1d93d34eb6e0843035d770320515f6570c5340dae7a49b682b895430db079e90f3cab9c2130f41213092bb78859

Download Submit
C:\Windows\System\KnRFBeF.exe

Filesize
6.0MB

MD5
00989c0cad56a1dc306c68417c8abea6

SHA1
1e19b104a84f6fbd906e742ec09582efc5d766cf

SHA256
c66318ac3baf6f25d5c2be3bf94e37f11f4fed48155725a44339bb6c0275ca37

SHA512
c767412eb7d619724985a7143d961c2d020cec498ab8cda449ed503d4d64cc82abdc65696ffd98165e0d015ac2cf63d824abce9ff6ba2502e23b873b29464320

Download Submit
C:\Windows\System\KtwOCtX.exe

Filesize
6.0MB

MD5
6f17abf12facc8e6962baa420ccd0e10

SHA1
99d681207825364f97ce6eb4c5b39dc8a084c420

SHA256
b48b158b042dacb4560a4d50876d91f760b3ae521a7bc4e763a05f918cd52f3e

SHA512
b664dece5317a8c3eaaac420a262e0561dedec9054a1283daa743e10865a7183db7d339d8c24db7573ec57dc319e065d9b6dba26633aa58468b236f46e9ef4b6

Download Submit
C:\Windows\System\LVQTscT.exe

Filesize
6.0MB

MD5
d2a68a147a7aef933c4b8b14f337bb9d

SHA1
6f2c9bf91e04a0c083baf9904f036410ae07b2c0

SHA256
384d439c6997eae93adb243aa94382693d2b452ccdac621ef34b0e27201ee8ae

SHA512
4dfc2eaf6a2360174df6ff43dd3675cc3491e95a6f391554c863eaa8aa707d427b4b032f5885f95c6eddf2a71258ee59a7ee690bf597f74240b7f4f0465b07ad

Download Submit
C:\Windows\System\LXoBAIP.exe

Filesize
6.0MB

MD5
e8dbf73292b38d32175864674b81f3d8

SHA1
0a35a7aa2dc9c33d682daff7f94b1243121a91cf

SHA256
7f83b743135aeed1144c99cf27cb42689026c255a5b5048130490e254c0f49e4

SHA512
3bd279d5870078ab36ee6646baeffe78d25569b3e8d2c5fa1c12a28820a3fb3263fb16366f89dda0246ea55e25ffdd2c5433f8bdd2b6e14ddb7203538c528ea7

Download Submit
C:\Windows\System\MRVqCIC.exe

Filesize
6.0MB

MD5
d129cbfe94eae90afc5f40f780be2fd3

SHA1
d78c50953801edd179218ea43f8fb36ae86bb063

SHA256
347d52352f0c3d53b8f9c7c3e10acec44cf694a92e2fb9fe5131158c67fcdc3f

SHA512
17885b8b1fb42c507f526a408342f88c220aaab43657dd5f864c0c02322d1a9039bf9af7af9f0d6b1e158af7674399504c8207b0681a1cab8c3719a7d0e238a0

Download Submit
C:\Windows\System\NSvLDgq.exe

Filesize
6.0MB

MD5
387490bfc3b03ed2778de62ecfa085c6

SHA1
2df5ad33da21d5988c405441219babac70a09cba

SHA256
8f4883a7c4686b7c2d4688de61b58bc071757233cc901c37b6282428fb1f536d

SHA512
71ac7f14d8512679bd6a3bc63a693289f52a0f43444c4b8442d6385035677e699143687cb2023d62cc294c2fe506f6bcd0dfd9792d3ecbdc6a5b9b4fbea55f49

Download Submit
C:\Windows\System\RHfcIyJ.exe

Filesize
6.0MB

MD5
10720f97a97f55fac5e48385adb0344e

SHA1
e38a9fbd710b10e7d1af1fb74300253d203774e4

SHA256
2857e1965c30428cd00e7c23320fc8b857b88b0291a465d03f33753fae659ed5

SHA512
f2d25fabb38d673f358a5ae52eafab32ee15028319ad9138b8a09bb03e7c78253c9db74e863fbd0b9e5c92ade05a08484bf86758aca132c2242678e724868638

Download Submit
C:\Windows\System\SVjdniv.exe

Filesize
6.0MB

MD5
d011c269d3a37ee7cb75a048700cf5a6

SHA1
0d07cb43a3de8c8d9adff483da2d6c357e0bec11

SHA256
9306cc82adef43e9d225aec6dde51a8ad4882b758889f6763eaeba919a5ce42b

SHA512
f8cd623e6c796a8d1d20bc84a77022ddfb06862fb008f272c33e0bd0ec8b88e5f35bff1b4c1c39fde167440428341fbdaafb951dcac41e87136815381bafcb32

Download Submit
C:\Windows\System\TfSTbfS.exe

Filesize
6.0MB

MD5
384bec5745773800c4af042075239328

SHA1
87cbccc9c59fecb89c634cef012bfccfa47b2cc3

SHA256
70ec75cc4e17017db0f1a48614e7b88e6292a3a2b5d1bebf27a88fd5a4043207

SHA512
4670c70d0269d3336402d3eb51f621f6d15249d62ac09eeb526d3c5648a51c440b5b24259aa567a9d9d80425d51f4607f5a96ad8f80fe2233d421b4ea172f1c0

Download Submit
C:\Windows\System\TgUcoTX.exe

Filesize
6.0MB

MD5
dd53639363937d7b9f7d260fb8dc3514

SHA1
bfd92baae5e8bda6416339d91bd3a43eb5cb23e9

SHA256
2d2558e360ecd8d022c1a6a06608ef11aa0bcfe587b6ec7effe8b574cf23395e

SHA512
06a0dbc579949492fe4579e9a2c01af429b9d8c2b2ef8f910f13bdf245a6148e59be65fae6481cfbb5e39d2a5fb43a61a110b21ba4b2eabd94af609b9d05763f

Download Submit
C:\Windows\System\UUZJgYp.exe

Filesize
6.0MB

MD5
f4bf518a0adf555b423cba092ab356b2

SHA1
e71d28c04043839888982741e8ba9a530d6d093b

SHA256
4469c725aea5c26283a33e468d8744b776bd838e42a7774ae62224f23d511d08

SHA512
257435f2f1beb4ae7d45b9b8caec334f9168dcd4e7be3ce7625bbe93accd4b0110d07f133985178e68d81c93aed5faa6fe46db45955677e742151e2576538d6c

Download Submit
C:\Windows\System\WdUcoLo.exe

Filesize
6.0MB

MD5
e289b4465e3778041a10b9e2dec7e8c3

SHA1
4719bdb3a6c334dff780a2e97e141f1d71c4a9d5

SHA256
e3e88d85fa28b86b3c4cc994dac6318491961af6d86faa2d801c272b19d08dc0

SHA512
180d1f2b7d4a3aedcbaf00b4c4c8260fcdc57ea309769fa65516d06af8e92728b71535cb9af9cfe730225c681ee5fc6779f057f058b61ef1737dd340f740b1f9

Download Submit
C:\Windows\System\WtQkPOs.exe

Filesize
6.0MB

MD5
513fe51557a822dbb1889e169aefce3d

SHA1
bd326e9f7aa9ef6129050da1dfbf5ea5069b114f

SHA256
26828b436c92475ef471ba6c196217784f668e0d52b1ec5e3100e76254af2775

SHA512
cbe22f52481d5a0639d717f47b485f43c203c6b89df78ef2bd769edfeca59d2bd64788a632b624d5f4e3c0cb01c52dac26ffa2606a311fa0992834f7830dc885

Download Submit
C:\Windows\System\XXnDVFf.exe

Filesize
6.0MB

MD5
dbbc2e882e8ddb4b5d70701ff533d358

SHA1
87a184deab7f80b16d380c72041750959039a887

SHA256
cea1fcaa7fe51aef1434ffca7de93521da5c50091bdae4eb0430dd6236741b1e

SHA512
189ceec759a87d6be47d21ef6021313cb02630991af600e999107ea278356f04bd3e57e3e1e9955c2d6fa649566c6e7b270d638cd9a2a131abf6e99a60b1284f

Download Submit
C:\Windows\System\YEoqVWl.exe

Filesize
6.0MB

MD5
0a9aa400226881e1ad80af6c8b9b42dc

SHA1
39dac6ee897708dfd8138ecbd780dba419f544ef

SHA256
9ddc5e211d242953c07cbcc9586b2f5a6ef01afa9f2e8f1d828a07899e0e2674

SHA512
9466b0e8a75765389ccb0f9a65abda61c8faa4e24519586347f373d7a9315227c762158c054b56f177a292ce03cd89cf3140662cb8b37264d65f40f5b1d3250e

Download Submit
C:\Windows\System\bmQHFSW.exe

Filesize
6.0MB

MD5
246544379db04bfae868e13f4ae31b1d

SHA1
1ce70a1814bc42eca8191837091137e27de9c40c

SHA256
5caaef6abc0f82f9e1d61d881aa5671dee8f6e2963b528236b4e4d3495d9091c

SHA512
097cd1e844f24d44cef60955ec61e6f41cbc81df017800224384ffa81288ddce4e4c8fd7c669ec44faae761b246c9ab30b3ccc13af171dea2fe5503511f1cebe

Download Submit
C:\Windows\System\eDiIqrp.exe

Filesize
6.0MB

MD5
d6aebfbc4290dbcd2a3754c3d41479b7

SHA1
15a27a4b71f7dd92f437c88f8032cdd910546f5f

SHA256
f492f81f87e133037e66fdd10aa72cb6901196961130a0ae475ba261eae896ef

SHA512
be56e68b36c76961540356c170efe52ef52d80c5301761d1eb98ce3ac4214b6cf18994d2d39df2e1946497498e55bc0b53b817e19aa201c6964eb1464cef7f2a

Download Submit
C:\Windows\System\fbZCjsf.exe

Filesize
6.0MB

MD5
3cd695183d4e7c4075a0c8b0d6b42a8a

SHA1
29e77c087ff06e37b8893eafc5f70606b25c66d2

SHA256
4c07cc7e1b6ff18c8f8bfda0519cf65d122c6dcc2dee80b239399c5504ff15cb

SHA512
f3f7e12e67ec10e2b46e1edc678ce56ac4b5250572b3365a8c69dd322eb6f8077b94e29bf7799150636eba745a7c044b7c5c44b5a22ce30df3e3911dd491be41

Download Submit
C:\Windows\System\gLoVjZt.exe

Filesize
6.0MB

MD5
1fe01016e3144af4595c6abfda446431

SHA1
0027a58a1f3c596135461fac2333086331ded85f

SHA256
b1106fa1760ce520263e6e88ace1cb871beafb3473e61ca60f5e80eef2764074

SHA512
44839e8fa153333fb92119952314ac36580a96db14ed1064d544ffc324acf46e5bedbcbb6ea73180258f924fab510f833e1a922aae0c253cf8551b03af57b018

Download Submit
C:\Windows\System\hvdJqeu.exe

Filesize
6.0MB

MD5
68130fcb448345da2ebf16b527a074ba

SHA1
7a4a768d2eb0e9870991800826e78060f7063335

SHA256
0cee2f164ec6b8fc4b4ed5e295c125825a7fb3b43084d6418af502018629f8d8

SHA512
e2658129773a4b83838e42421b193130c1edb878c2b9b445ba343c6156fffe04de8ba32b24fffd9b68c6f5353411e604c207c8d79f308499152742d276b5d4a3

Download Submit
C:\Windows\System\irHLVAX.exe

Filesize
6.0MB

MD5
f510f9b6bd8cd68b88f6725f62da5b39

SHA1
6bfeee6878165240abd94d7dc19c413b9f9a6a0b

SHA256
3899e2f7b9eccce51d759afb43a69ab3a4e2d9df303c8e79827237745aba5228

SHA512
f172f62444d08c262b3ed07d4a7f1e267db767f9d8003f93dbb6e4ca0dfcbb02e02a50ddecc33947e4bac27cf985a175b0c9befd31975483b5b64436d3eae087

Download Submit
C:\Windows\System\jVUkgsc.exe

Filesize
6.0MB

MD5
fd930b07a52d20e82f1d14cb81b40656

SHA1
a2ffd2cf0fbca65fe7a61ee119033580d5f753f9

SHA256
b3580067282ce98f0bd19535b093eab531faa4242db1e8ffd14e5a68da4ec1f4

SHA512
f5a73685a5c171bae3dd789ebceb59c445901aeef4f22d2949c54a1e0a5800fb45673c68023074b108f3806b27f564ced766bf37675457b2c03f8732dc64211a

Download Submit
C:\Windows\System\qiiSroI.exe

Filesize
6.0MB

MD5
05d673d7cbc22f6ad54b94bb61db8828

SHA1
69f5ecd643695179e854b337f36e154687c60bd2

SHA256
58f637d1141bf42ea2060148cb5b096ed523a12171da2a09face9fb62d7c80a1

SHA512
e2b42a415468af37d8e44d0d0c2f0135ae6cefb0ab119c028b8a7ba237ef0be756aa4d1bbb32617cc156fe87874c3b06550173a7ce524c6f1f62eb8200823534

Download Submit
C:\Windows\System\ralkRkU.exe

Filesize
6.0MB

MD5
d1403f36d631fb2d07032176cdc11ae9

SHA1
58a7e8ae108e26529adbe69751695752f478655c

SHA256
aaa8995669a1d4fe68e9ae373e68032dbcfe86d7960ede614a2663562cb11126

SHA512
9b50004f54e32d4f072e0d406ffdc5cd6d25bd0101a73d090f8a9677fe7ebaea0721f9fc5f3e7c63051eb982eeacf3c3f79f2228887aefa2d74acd8b171a2ca9

Download Submit
C:\Windows\System\urqfTyi.exe

Filesize
6.0MB

MD5
8499f20f754c72cb57a1957495674d18

SHA1
51258b1e6d74a526ce5bcda359db0078f2c1fe9f

SHA256
ed3b9dbcec3dd09035b16c6ce644469020b5c48c688c3b9c879bdc65a025868d

SHA512
f36f24db14550e0f1f9b445ee34a285cbdf8da79d0f2d425157886978e846c83e4106c3ecc44efe35414430a6be284c21932a4dfc1476b55d0525e3629656c2d

Download Submit
C:\Windows\System\vdzHVfq.exe

Filesize
6.0MB

MD5
74f0dbc3ae0c207f4391c56282586414

SHA1
48f8dc6ac0ba054fb69ea7214eb9ec5348919f04

SHA256
44b5ee808553bcae76eecef87fd216edbc2784ba10289b66ba8a907a1e0887a9

SHA512
8b9489985af2db4946fd6f48884fa30b5e0d85b7a40698bafbf46a4a7693a05ecb055e2f5503385f88b0a3fe1be626881215227781ec62f0de360ec03b33ab69

Download Submit
C:\Windows\System\vqBJmtM.exe

Filesize
6.0MB

MD5
15fd9dc7901fe0dfb589384779363669

SHA1
7c98b80535700a3ead8591a61bbe82f01712a1ce

SHA256
f99c239002a3d537ae8ef2e82bef63e2294375679e4c0193329240281ff542f5

SHA512
fbddde4c78be6ab70906cb9f8e0832ee9f8ef3ac5b1bd8a11021363d45075d901846162cea2daff204394f96526a1ef9c6bbcbc2999ed98d712d740ec88e381d

Download Submit
C:\Windows\System\xBCHQOF.exe

Filesize
6.0MB

MD5
3f2ab7a72fa7edfcf1745b30f38ef50c

SHA1
51ddf4a1aa8d293e2b84f6a27ac71dd45469c5c4

SHA256
ca23dc42a399409439e0fb16e00018ec10bd28908973915564cd84233567fcff

SHA512
feae4bbd85d1f4795c66c4eee786aacc30933d51e69d2815fe4a215d9ac5e07feaf8321b5d5dd845f26a33006062dd99626508d96e4fa5e9291ec748a5cd9f69

Download Submit
memory/116-2050-0x00007FF7AA870000-0x00007FF7AABC4000-memory.dmp

Filesize
3.3MB

Download
memory/116-77-0x00007FF7AA870000-0x00007FF7AABC4000-memory.dmp

Filesize
3.3MB

Download
memory/116-13-0x00007FF7AA870000-0x00007FF7AABC4000-memory.dmp

Filesize
3.3MB

Download
memory/984-2058-0x00007FF753B80000-0x00007FF753ED4000-memory.dmp

Filesize
3.3MB

Download
memory/984-86-0x00007FF753B80000-0x00007FF753ED4000-memory.dmp

Filesize
3.3MB

Download
memory/984-18-0x00007FF753B80000-0x00007FF753ED4000-memory.dmp

Filesize
3.3MB

Download
memory/1304-517-0x00007FF7B07A0000-0x00007FF7B0AF4000-memory.dmp

Filesize
3.3MB

Download
memory/1304-2374-0x00007FF7B07A0000-0x00007FF7B0AF4000-memory.dmp

Filesize
3.3MB

Download
memory/1304-179-0x00007FF7B07A0000-0x00007FF7B0AF4000-memory.dmp

Filesize
3.3MB

Download
memory/1456-2371-0x00007FF717E00000-0x00007FF718154000-memory.dmp

Filesize
3.3MB

Download
memory/1456-161-0x00007FF717E00000-0x00007FF718154000-memory.dmp

Filesize
3.3MB

Download
memory/1464-48-0x00007FF62FBA0000-0x00007FF62FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/1464-117-0x00007FF62FBA0000-0x00007FF62FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/1464-2159-0x00007FF62FBA0000-0x00007FF62FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/1576-70-0x00007FF77A940000-0x00007FF77AC94000-memory.dmp

Filesize
3.3MB

Download
memory/1576-2271-0x00007FF77A940000-0x00007FF77AC94000-memory.dmp

Filesize
3.3MB

Download
memory/1576-142-0x00007FF77A940000-0x00007FF77AC94000-memory.dmp

Filesize
3.3MB

Download
memory/1900-62-0x00007FF65C280000-0x00007FF65C5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1900-0-0x00007FF65C280000-0x00007FF65C5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1900-1-0x000001693B9B0000-0x000001693B9C0000-memory.dmp

Filesize
64KB

Download
memory/1956-2364-0x00007FF6B01D0000-0x00007FF6B0524000-memory.dmp

Filesize
3.3MB

Download
memory/1956-189-0x00007FF6B01D0000-0x00007FF6B0524000-memory.dmp

Filesize
3.3MB

Download
memory/1956-110-0x00007FF6B01D0000-0x00007FF6B0524000-memory.dmp

Filesize
3.3MB

Download
memory/2152-2363-0x00007FF671C70000-0x00007FF671FC4000-memory.dmp

Filesize
3.3MB

Download
memory/2152-185-0x00007FF671C70000-0x00007FF671FC4000-memory.dmp

Filesize
3.3MB

Download
memory/2152-103-0x00007FF671C70000-0x00007FF671FC4000-memory.dmp

Filesize
3.3MB

Download
memory/2340-120-0x00007FF6D7B30000-0x00007FF6D7E84000-memory.dmp

Filesize
3.3MB

Download
memory/2340-2365-0x00007FF6D7B30000-0x00007FF6D7E84000-memory.dmp

Filesize
3.3MB

Download
memory/2368-55-0x00007FF6D9C20000-0x00007FF6D9F74000-memory.dmp

Filesize
3.3MB

Download
memory/2368-125-0x00007FF6D9C20000-0x00007FF6D9F74000-memory.dmp

Filesize
3.3MB

Download
memory/2376-162-0x00007FF7F10B0000-0x00007FF7F1404000-memory.dmp

Filesize
3.3MB

Download
memory/2376-91-0x00007FF7F10B0000-0x00007FF7F1404000-memory.dmp

Filesize
3.3MB

Download
memory/2392-68-0x00007FF6BA3F0000-0x00007FF6BA744000-memory.dmp

Filesize
3.3MB

Download
memory/2392-7-0x00007FF6BA3F0000-0x00007FF6BA744000-memory.dmp

Filesize
3.3MB

Download
memory/2392-2043-0x00007FF6BA3F0000-0x00007FF6BA744000-memory.dmp

Filesize
3.3MB

Download
memory/2560-63-0x00007FF646B30000-0x00007FF646E84000-memory.dmp

Filesize
3.3MB

Download
memory/2604-143-0x00007FF7BE060000-0x00007FF7BE3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2604-2369-0x00007FF7BE060000-0x00007FF7BE3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2604-364-0x00007FF7BE060000-0x00007FF7BE3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2636-163-0x00007FF6B8C00000-0x00007FF6B8F54000-memory.dmp

Filesize
3.3MB

Download
memory/2636-2372-0x00007FF6B8C00000-0x00007FF6B8F54000-memory.dmp

Filesize
3.3MB

Download
memory/2636-460-0x00007FF6B8C00000-0x00007FF6B8F54000-memory.dmp

Filesize
3.3MB

Download
memory/2772-2094-0x00007FF7FB8A0000-0x00007FF7FBBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-92-0x00007FF7FB8A0000-0x00007FF7FBBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-24-0x00007FF7FB8A0000-0x00007FF7FBBF4000-memory.dmp

Filesize
3.3MB

Download
memory/3216-2370-0x00007FF7EA410000-0x00007FF7EA764000-memory.dmp

Filesize
3.3MB

Download
memory/3216-317-0x00007FF7EA410000-0x00007FF7EA764000-memory.dmp

Filesize
3.3MB

Download
memory/3216-141-0x00007FF7EA410000-0x00007FF7EA764000-memory.dmp

Filesize
3.3MB

Download
memory/3272-2368-0x00007FF6A0240000-0x00007FF6A0594000-memory.dmp

Filesize
3.3MB

Download
memory/3272-140-0x00007FF6A0240000-0x00007FF6A0594000-memory.dmp

Filesize
3.3MB

Download
memory/3272-275-0x00007FF6A0240000-0x00007FF6A0594000-memory.dmp

Filesize
3.3MB

Download
memory/3284-184-0x00007FF75E730000-0x00007FF75EA84000-memory.dmp

Filesize
3.3MB

Download
memory/3284-518-0x00007FF75E730000-0x00007FF75EA84000-memory.dmp

Filesize
3.3MB

Download
memory/3284-2375-0x00007FF75E730000-0x00007FF75EA84000-memory.dmp

Filesize
3.3MB

Download
memory/3528-44-0x00007FF65CBA0000-0x00007FF65CEF4000-memory.dmp

Filesize
3.3MB

Download
memory/3528-2148-0x00007FF65CBA0000-0x00007FF65CEF4000-memory.dmp

Filesize
3.3MB

Download
memory/3684-90-0x00007FF66C3D0000-0x00007FF66C724000-memory.dmp

Filesize
3.3MB

Download
memory/3684-157-0x00007FF66C3D0000-0x00007FF66C724000-memory.dmp

Filesize
3.3MB

Download
memory/3696-623-0x00007FF735210000-0x00007FF735564000-memory.dmp

Filesize
3.3MB

Download
memory/3696-2376-0x00007FF735210000-0x00007FF735564000-memory.dmp

Filesize
3.3MB

Download
memory/3696-191-0x00007FF735210000-0x00007FF735564000-memory.dmp

Filesize
3.3MB

Download
memory/3908-136-0x00007FF77A030000-0x00007FF77A384000-memory.dmp

Filesize
3.3MB

Download
memory/3908-2367-0x00007FF77A030000-0x00007FF77A384000-memory.dmp

Filesize
3.3MB

Download
memory/3936-2099-0x00007FF66FF20000-0x00007FF670274000-memory.dmp

Filesize
3.3MB

Download
memory/3936-98-0x00007FF66FF20000-0x00007FF670274000-memory.dmp

Filesize
3.3MB

Download
memory/3936-32-0x00007FF66FF20000-0x00007FF670274000-memory.dmp

Filesize
3.3MB

Download
memory/4356-2366-0x00007FF7074C0000-0x00007FF707814000-memory.dmp

Filesize
3.3MB

Download
memory/4356-126-0x00007FF7074C0000-0x00007FF707814000-memory.dmp

Filesize
3.3MB

Download
memory/4356-274-0x00007FF7074C0000-0x00007FF707814000-memory.dmp

Filesize
3.3MB

Download
memory/4468-156-0x00007FF6EF6A0000-0x00007FF6EF9F4000-memory.dmp

Filesize
3.3MB

Download
memory/4468-2276-0x00007FF6EF6A0000-0x00007FF6EF9F4000-memory.dmp

Filesize
3.3MB

Download
memory/4468-79-0x00007FF6EF6A0000-0x00007FF6EF9F4000-memory.dmp

Filesize
3.3MB

Download
memory/4736-102-0x00007FF61B9F0000-0x00007FF61BD44000-memory.dmp

Filesize
3.3MB

Download
memory/4736-2100-0x00007FF61B9F0000-0x00007FF61BD44000-memory.dmp

Filesize
3.3MB

Download
memory/4736-36-0x00007FF61B9F0000-0x00007FF61BD44000-memory.dmp

Filesize
3.3MB

Download
memory/4796-2373-0x00007FF7198B0000-0x00007FF719C04000-memory.dmp

Filesize
3.3MB

Download
memory/4796-487-0x00007FF7198B0000-0x00007FF719C04000-memory.dmp

Filesize
3.3MB

Download
memory/4796-172-0x00007FF7198B0000-0x00007FF719C04000-memory.dmp

Filesize
3.3MB

Download
memory/4932-169-0x00007FF78F770000-0x00007FF78FAC4000-memory.dmp

Filesize
3.3MB

Download
memory/4932-95-0x00007FF78F770000-0x00007FF78FAC4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads