cobaltstrike | 949637da46f94d7f8f907db87550557da3f411ef4bc9afbb9fe8686fa0c47abc

Analysis

max time kernel
136s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2025, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

0279ad3319c94d3869d56fece5f5ed49
SHA1

c097791665a5bc842acb55bb12e30787e7f6f63d
SHA256

949637da46f94d7f8f907db87550557da3f411ef4bc9afbb9fe8686fa0c47abc
SHA512

362b1e0b5d05f903882451e5243a7e922e40ab512f5e776554256715387523b85f16f23dd9f1a0a3e88ba344d7547922d969792e1afd1b54f1e857e8fcfc62c9
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lU5:j+R56utgpPF8u/75

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 32 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0033000000023c2d-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d24-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d27-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d2a-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d2d-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d2f-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d31-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d32-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d33-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d36-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d3a-143.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d38-152.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d3e-183.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d41-192.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d40-189.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d3f-186.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d3d-180.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d3c-177.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d3b-174.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d39-162.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d35-126.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023d21-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d34-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d30-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d2e-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d2c-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d29-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d28-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d2b-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d25-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023d26-30.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023d20-12.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3568-0-0x00007FF678E90000-0x00007FF6791DD000-memory.dmp	xmrig
behavioral2/files/0x0033000000023c2d-5.dat	xmrig
behavioral2/memory/3668-7-0x00007FF768770000-0x00007FF768ABD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d24-10.dat	xmrig
behavioral2/memory/2032-18-0x00007FF774360000-0x00007FF7746AD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d27-26.dat	xmrig
behavioral2/memory/1260-62-0x00007FF648830000-0x00007FF648B7D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d2a-64.dat	xmrig
behavioral2/files/0x0007000000023d2d-67.dat	xmrig
behavioral2/memory/3032-79-0x00007FF7D1510000-0x00007FF7D185D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d2f-83.dat	xmrig
behavioral2/files/0x0007000000023d31-92.dat	xmrig
behavioral2/files/0x0007000000023d32-93.dat	xmrig
behavioral2/files/0x0007000000023d33-105.dat	xmrig
behavioral2/memory/4676-124-0x00007FF664FE0000-0x00007FF66532D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d36-132.dat	xmrig
behavioral2/files/0x0007000000023d3a-143.dat	xmrig
behavioral2/files/0x0007000000023d38-152.dat	xmrig
behavioral2/files/0x0007000000023d3e-183.dat	xmrig
behavioral2/files/0x0007000000023d41-192.dat	xmrig
behavioral2/memory/1760-190-0x00007FF61FFE0000-0x00007FF62032D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d40-189.dat	xmrig
behavioral2/memory/668-187-0x00007FF6AC650000-0x00007FF6AC99D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d3f-186.dat	xmrig
behavioral2/memory/4200-184-0x00007FF61E270000-0x00007FF61E5BD000-memory.dmp	xmrig
behavioral2/memory/4912-181-0x00007FF687C90000-0x00007FF687FDD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d3d-180.dat	xmrig
behavioral2/memory/3724-178-0x00007FF6001B0000-0x00007FF6004FD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d3c-177.dat	xmrig
behavioral2/memory/2580-175-0x00007FF7C6000000-0x00007FF7C634D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d3b-174.dat	xmrig
behavioral2/memory/2980-172-0x00007FF776560000-0x00007FF7768AD000-memory.dmp	xmrig
behavioral2/memory/3576-163-0x00007FF784AE0000-0x00007FF784E2D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d39-162.dat	xmrig
behavioral2/memory/2780-159-0x00007FF668F10000-0x00007FF66925D000-memory.dmp	xmrig
behavioral2/memory/4060-135-0x00007FF74F370000-0x00007FF74F6BD000-memory.dmp	xmrig
behavioral2/memory/1340-127-0x00007FF6E51D0000-0x00007FF6E551D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d35-126.dat	xmrig
behavioral2/files/0x0008000000023d21-123.dat	xmrig
behavioral2/memory/220-121-0x00007FF795F40000-0x00007FF79628D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d34-120.dat	xmrig
behavioral2/memory/380-118-0x00007FF6B95E0000-0x00007FF6B992D000-memory.dmp	xmrig
behavioral2/memory/1196-114-0x00007FF6E1930000-0x00007FF6E1C7D000-memory.dmp	xmrig
behavioral2/memory/3416-111-0x00007FF6647A0000-0x00007FF664AED000-memory.dmp	xmrig
behavioral2/memory/2336-101-0x00007FF72E600000-0x00007FF72E94D000-memory.dmp	xmrig
behavioral2/memory/1496-97-0x00007FF7422C0000-0x00007FF74260D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d30-96.dat	xmrig
behavioral2/files/0x0007000000023d2e-78.dat	xmrig
behavioral2/memory/4116-76-0x00007FF6E3A80000-0x00007FF6E3DCD000-memory.dmp	xmrig
behavioral2/memory/1524-72-0x00007FF79C7D0000-0x00007FF79CB1D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d2c-71.dat	xmrig
behavioral2/memory/2388-65-0x00007FF68FD90000-0x00007FF6900DD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d29-61.dat	xmrig
behavioral2/memory/5024-57-0x00007FF697BD0000-0x00007FF697F1D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d28-56.dat	xmrig
behavioral2/memory/2712-54-0x00007FF715A40000-0x00007FF715D8D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d2b-53.dat	xmrig
behavioral2/memory/2512-47-0x00007FF754360000-0x00007FF7546AD000-memory.dmp	xmrig
behavioral2/memory/1960-44-0x00007FF637060000-0x00007FF6373AD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d25-35.dat	xmrig
behavioral2/memory/5004-31-0x00007FF60B920000-0x00007FF60BC6D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023d26-30.dat	xmrig
behavioral2/memory/3048-28-0x00007FF6C94E0000-0x00007FF6C982D000-memory.dmp	xmrig
behavioral2/files/0x0008000000023d20-12.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3668	OrHbder.exe
2032	UEKkDgF.exe
3048	oytOukv.exe
1960	njyiKEE.exe
5004	nSxQSug.exe
2512	tmhuwSW.exe
5024	dmBNYnH.exe
2712	sGkeRkL.exe
1260	iAYhTDO.exe
2388	gtEsFVY.exe
1524	QVMCdfa.exe
4116	FBVpCpf.exe
3032	EVMypLp.exe
2336	HhvCEvf.exe
1496	IodXMPm.exe
3416	OKAFcTR.exe
1196	zrJmmXm.exe
380	GGBtTsN.exe
220	kNjukta.exe
4676	gEOFokr.exe
1340	iUOeHoI.exe
4060	bAVZUkx.exe
2780	clnKnfQ.exe
3576	PkgYzjq.exe
2980	FHPbyvB.exe
2580	TiWNehc.exe
3724	lhRdXnO.exe
4912	pYhSJda.exe
4200	sThknji.exe
668	PlCUzcU.exe
1760	lqRxRqE.exe
2344	QDfanjj.exe
1888	CHdUouJ.exe
4248	teNKOhp.exe
3136	HWYCqZg.exe
3220	eQXvAaZ.exe
1664	CslPREU.exe
4788	PhVmtFk.exe
3572	qAXiDGz.exe
1164	qgNrQut.exe
940	JGgDoTM.exe
3920	yaxRODv.exe
4884	ICzzobW.exe
3760	NBipCiM.exe
4028	zADeiUh.exe
1208	xOzeOOO.exe
60	cdugyuZ.exe
3968	MLChwzh.exe
4172	JgnMWDI.exe
2356	RfZRSwX.exe
4892	KSwHCFq.exe
1000	lEQKAiG.exe
3192	KwyxKSF.exe
1700	fYQnvYz.exe
316	UfRfRwh.exe
2908	oMeFQgE.exe
1048	jispZqP.exe
4728	mOtHXiE.exe
4340	ZZwJdCG.exe
4980	dHfFZfW.exe
4668	hdwyoLl.exe
2572	IeCJmdj.exe
4684	vRdUAdj.exe
1424	QxOKAig.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\JgnMWDI.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kWoQhsI.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\deoJbvJ.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eQadvoa.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IUOqxem.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NInMjoZ.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lhRdXnO.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MRgSdtO.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SIngFVe.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mAfMWYP.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\coFgLlK.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qIgJCxQ.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CiYbhGt.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UptKxaD.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HJBSgQT.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZfPuQet.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UMOvUNb.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uiKXwDN.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PHdzrle.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TIqHBGg.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lJzvWtK.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qsdFPFh.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CewSzPk.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UGjErwf.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wiiaTML.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cVcHVkB.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dNqAGeE.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LPdeFrU.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vdskyBF.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PzzMgwo.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xjqkITg.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KSwHCFq.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aHhQOxn.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nNrhkni.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PWqbzHm.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CPjoqkh.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VUEbXFK.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tApzjUm.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oytOukv.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HNYnyQE.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\faOJAHA.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HbRrUHO.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zBOwnYq.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VtKERgP.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lDqXlrr.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\piXlVcN.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aLRnGzv.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lEQKAiG.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZmcUmfd.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QpMPYrB.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZCDjZDD.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dafBEUu.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zKfUJPk.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DqeEZaV.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UEKkDgF.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iUOeHoI.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ICktpJI.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VZwWEll.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gQAqgzX.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XyHnaSH.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AcadsMT.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KtvGSYk.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MiiShud.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CpttUvl.exe	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	5376	dwm.exe
Token: SeChangeNotifyPrivilege	5376	dwm.exe
Token: 33	5376	dwm.exe
Token: SeIncBasePriorityPrivilege	5376	dwm.exe
Token: SeShutdownPrivilege	5376	dwm.exe
Token: SeCreatePagefilePrivilege	5376	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 3668	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3568 wrote to memory of 3668	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3568 wrote to memory of 2032	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3568 wrote to memory of 2032	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3568 wrote to memory of 3048	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3568 wrote to memory of 3048	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3568 wrote to memory of 1960	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3568 wrote to memory of 1960	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3568 wrote to memory of 5004	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3568 wrote to memory of 5004	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3568 wrote to memory of 2512	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3568 wrote to memory of 2512	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3568 wrote to memory of 5024	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3568 wrote to memory of 5024	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3568 wrote to memory of 1260	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3568 wrote to memory of 1260	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3568 wrote to memory of 2388	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3568 wrote to memory of 2388	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3568 wrote to memory of 2712	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3568 wrote to memory of 2712	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3568 wrote to memory of 1524	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3568 wrote to memory of 1524	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3568 wrote to memory of 4116	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3568 wrote to memory of 4116	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3568 wrote to memory of 3032	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3568 wrote to memory of 3032	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3568 wrote to memory of 2336	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3568 wrote to memory of 2336	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3568 wrote to memory of 1496	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3568 wrote to memory of 1496	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3568 wrote to memory of 3416	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3568 wrote to memory of 3416	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3568 wrote to memory of 1196	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3568 wrote to memory of 1196	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3568 wrote to memory of 380	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3568 wrote to memory of 380	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3568 wrote to memory of 220	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3568 wrote to memory of 220	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3568 wrote to memory of 4676	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3568 wrote to memory of 4676	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3568 wrote to memory of 1340	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3568 wrote to memory of 1340	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3568 wrote to memory of 4060	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3568 wrote to memory of 4060	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3568 wrote to memory of 2780	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3568 wrote to memory of 2780	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3568 wrote to memory of 3576	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3568 wrote to memory of 3576	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3568 wrote to memory of 2980	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 3568 wrote to memory of 2980	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 3568 wrote to memory of 2580	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 3568 wrote to memory of 2580	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 3568 wrote to memory of 3724	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 3568 wrote to memory of 3724	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 3568 wrote to memory of 4912	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 3568 wrote to memory of 4912	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 3568 wrote to memory of 4200	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 3568 wrote to memory of 4200	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 3568 wrote to memory of 668	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 3568 wrote to memory of 668	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 3568 wrote to memory of 1760	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 3568 wrote to memory of 1760	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 3568 wrote to memory of 2344	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 3568 wrote to memory of 2344	3568	2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe	116

C:\Users\Admin\AppData\Local\Temp\2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-01_0279ad3319c94d3869d56fece5f5ed49_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\System\OrHbder.exe
  C:\Windows\System\OrHbder.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\UEKkDgF.exe
  C:\Windows\System\UEKkDgF.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\oytOukv.exe
  C:\Windows\System\oytOukv.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\njyiKEE.exe
  C:\Windows\System\njyiKEE.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\nSxQSug.exe
  C:\Windows\System\nSxQSug.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\tmhuwSW.exe
  C:\Windows\System\tmhuwSW.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\dmBNYnH.exe
  C:\Windows\System\dmBNYnH.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\iAYhTDO.exe
  C:\Windows\System\iAYhTDO.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System\gtEsFVY.exe
  C:\Windows\System\gtEsFVY.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\sGkeRkL.exe
  C:\Windows\System\sGkeRkL.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\QVMCdfa.exe
  C:\Windows\System\QVMCdfa.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\FBVpCpf.exe
  C:\Windows\System\FBVpCpf.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System\EVMypLp.exe
  C:\Windows\System\EVMypLp.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\HhvCEvf.exe
  C:\Windows\System\HhvCEvf.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\IodXMPm.exe
  C:\Windows\System\IodXMPm.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\OKAFcTR.exe
  C:\Windows\System\OKAFcTR.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System\zrJmmXm.exe
  C:\Windows\System\zrJmmXm.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\GGBtTsN.exe
  C:\Windows\System\GGBtTsN.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\kNjukta.exe
  C:\Windows\System\kNjukta.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\gEOFokr.exe
  C:\Windows\System\gEOFokr.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\iUOeHoI.exe
  C:\Windows\System\iUOeHoI.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\System\bAVZUkx.exe
  C:\Windows\System\bAVZUkx.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\clnKnfQ.exe
  C:\Windows\System\clnKnfQ.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\PkgYzjq.exe
  C:\Windows\System\PkgYzjq.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\FHPbyvB.exe
  C:\Windows\System\FHPbyvB.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\TiWNehc.exe
  C:\Windows\System\TiWNehc.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\lhRdXnO.exe
  C:\Windows\System\lhRdXnO.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\Windows\System\pYhSJda.exe
  C:\Windows\System\pYhSJda.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\sThknji.exe
  C:\Windows\System\sThknji.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\PlCUzcU.exe
  C:\Windows\System\PlCUzcU.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System\lqRxRqE.exe
  C:\Windows\System\lqRxRqE.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System\QDfanjj.exe
  C:\Windows\System\QDfanjj.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\CHdUouJ.exe
  C:\Windows\System\CHdUouJ.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\teNKOhp.exe
  C:\Windows\System\teNKOhp.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\HWYCqZg.exe
  C:\Windows\System\HWYCqZg.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\eQXvAaZ.exe
  C:\Windows\System\eQXvAaZ.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System\CslPREU.exe
  C:\Windows\System\CslPREU.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\PhVmtFk.exe
  C:\Windows\System\PhVmtFk.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\qAXiDGz.exe
  C:\Windows\System\qAXiDGz.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System\qgNrQut.exe
  C:\Windows\System\qgNrQut.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System\JGgDoTM.exe
  C:\Windows\System\JGgDoTM.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System\yaxRODv.exe
  C:\Windows\System\yaxRODv.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System\ICzzobW.exe
  C:\Windows\System\ICzzobW.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\NBipCiM.exe
  C:\Windows\System\NBipCiM.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System\zADeiUh.exe
  C:\Windows\System\zADeiUh.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\xOzeOOO.exe
  C:\Windows\System\xOzeOOO.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System\cdugyuZ.exe
  C:\Windows\System\cdugyuZ.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\MLChwzh.exe
  C:\Windows\System\MLChwzh.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System\JgnMWDI.exe
  C:\Windows\System\JgnMWDI.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\RfZRSwX.exe
  C:\Windows\System\RfZRSwX.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\KSwHCFq.exe
  C:\Windows\System\KSwHCFq.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\lEQKAiG.exe
  C:\Windows\System\lEQKAiG.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System\KwyxKSF.exe
  C:\Windows\System\KwyxKSF.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System\fYQnvYz.exe
  C:\Windows\System\fYQnvYz.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\UfRfRwh.exe
  C:\Windows\System\UfRfRwh.exe
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\System\oMeFQgE.exe
  C:\Windows\System\oMeFQgE.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System\jispZqP.exe
  C:\Windows\System\jispZqP.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System\mOtHXiE.exe
  C:\Windows\System\mOtHXiE.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\ZZwJdCG.exe
  C:\Windows\System\ZZwJdCG.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System\dHfFZfW.exe
  C:\Windows\System\dHfFZfW.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\hdwyoLl.exe
  C:\Windows\System\hdwyoLl.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System\IeCJmdj.exe
  C:\Windows\System\IeCJmdj.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\vRdUAdj.exe
  C:\Windows\System\vRdUAdj.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\QxOKAig.exe
  C:\Windows\System\QxOKAig.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System\nTwiKDR.exe
  C:\Windows\System\nTwiKDR.exe
  2⤵
  PID:3484
- C:\Windows\System\jorKQry.exe
  C:\Windows\System\jorKQry.exe
  2⤵
  PID:1080
- C:\Windows\System\yTCBEHC.exe
  C:\Windows\System\yTCBEHC.exe
  2⤵
  PID:932
- C:\Windows\System\aCdHzoQ.exe
  C:\Windows\System\aCdHzoQ.exe
  2⤵
  PID:4928
- C:\Windows\System\MZbnWyf.exe
  C:\Windows\System\MZbnWyf.exe
  2⤵
  PID:4160
- C:\Windows\System\aHhQOxn.exe
  C:\Windows\System\aHhQOxn.exe
  2⤵
  PID:4212
- C:\Windows\System\HNYnyQE.exe
  C:\Windows\System\HNYnyQE.exe
  2⤵
  PID:1356
- C:\Windows\System\AGvCdcf.exe
  C:\Windows\System\AGvCdcf.exe
  2⤵
  PID:2584
- C:\Windows\System\IgYooTe.exe
  C:\Windows\System\IgYooTe.exe
  2⤵
  PID:2220
- C:\Windows\System\aLUCbcw.exe
  C:\Windows\System\aLUCbcw.exe
  2⤵
  PID:4372
- C:\Windows\System\nNrhkni.exe
  C:\Windows\System\nNrhkni.exe
  2⤵
  PID:4752
- C:\Windows\System\xFtptXK.exe
  C:\Windows\System\xFtptXK.exe
  2⤵
  PID:3016
- C:\Windows\System\FfsMwXT.exe
  C:\Windows\System\FfsMwXT.exe
  2⤵
  PID:3908
- C:\Windows\System\hcUpgnb.exe
  C:\Windows\System\hcUpgnb.exe
  2⤵
  PID:5020
- C:\Windows\System\vhsxucA.exe
  C:\Windows\System\vhsxucA.exe
  2⤵
  PID:1168
- C:\Windows\System\gqEMAUB.exe
  C:\Windows\System\gqEMAUB.exe
  2⤵
  PID:1864
- C:\Windows\System\WMfHkJf.exe
  C:\Windows\System\WMfHkJf.exe
  2⤵
  PID:1492
- C:\Windows\System\efJKXWj.exe
  C:\Windows\System\efJKXWj.exe
  2⤵
  PID:1280
- C:\Windows\System\VWZnMBl.exe
  C:\Windows\System\VWZnMBl.exe
  2⤵
  PID:2792
- C:\Windows\System\CewSzPk.exe
  C:\Windows\System\CewSzPk.exe
  2⤵
  PID:1500
- C:\Windows\System\TIqHBGg.exe
  C:\Windows\System\TIqHBGg.exe
  2⤵
  PID:2416
- C:\Windows\System\uTtlHKu.exe
  C:\Windows\System\uTtlHKu.exe
  2⤵
  PID:736
- C:\Windows\System\GKPrPHt.exe
  C:\Windows\System\GKPrPHt.exe
  2⤵
  PID:3528
- C:\Windows\System\SRWsDTu.exe
  C:\Windows\System\SRWsDTu.exe
  2⤵
  PID:4716
- C:\Windows\System\xUIrrwD.exe
  C:\Windows\System\xUIrrwD.exe
  2⤵
  PID:2844
- C:\Windows\System\faOJAHA.exe
  C:\Windows\System\faOJAHA.exe
  2⤵
  PID:3012
- C:\Windows\System\qAJjzfw.exe
  C:\Windows\System\qAJjzfw.exe
  2⤵
  PID:3900
- C:\Windows\System\MiiShud.exe
  C:\Windows\System\MiiShud.exe
  2⤵
  PID:4484
- C:\Windows\System\bSIBdeS.exe
  C:\Windows\System\bSIBdeS.exe
  2⤵
  PID:4988
- C:\Windows\System\xqwGIvL.exe
  C:\Windows\System\xqwGIvL.exe
  2⤵
  PID:3052
- C:\Windows\System\mMAlsJF.exe
  C:\Windows\System\mMAlsJF.exe
  2⤵
  PID:1724
- C:\Windows\System\KHxPyNo.exe
  C:\Windows\System\KHxPyNo.exe
  2⤵
  PID:1576
- C:\Windows\System\SbKNIAT.exe
  C:\Windows\System\SbKNIAT.exe
  2⤵
  PID:4440
- C:\Windows\System\Aqqgcvf.exe
  C:\Windows\System\Aqqgcvf.exe
  2⤵
  PID:3672
- C:\Windows\System\lQORtjt.exe
  C:\Windows\System\lQORtjt.exe
  2⤵
  PID:1680
- C:\Windows\System\LAlzJbK.exe
  C:\Windows\System\LAlzJbK.exe
  2⤵
  PID:2396
- C:\Windows\System\NmuoHZK.exe
  C:\Windows\System\NmuoHZK.exe
  2⤵
  PID:2644
- C:\Windows\System\OegDWmJ.exe
  C:\Windows\System\OegDWmJ.exe
  2⤵
  PID:5140
- C:\Windows\System\RmTtveK.exe
  C:\Windows\System\RmTtveK.exe
  2⤵
  PID:5172
- C:\Windows\System\kQgMWKs.exe
  C:\Windows\System\kQgMWKs.exe
  2⤵
  PID:5216
- C:\Windows\System\RjUgcxf.exe
  C:\Windows\System\RjUgcxf.exe
  2⤵
  PID:5256
- C:\Windows\System\NOTTvLf.exe
  C:\Windows\System\NOTTvLf.exe
  2⤵
  PID:5312
- C:\Windows\System\ddpsWPp.exe
  C:\Windows\System\ddpsWPp.exe
  2⤵
  PID:5340
- C:\Windows\System\GsPCCIN.exe
  C:\Windows\System\GsPCCIN.exe
  2⤵
  PID:5380
- C:\Windows\System\QWTQVwA.exe
  C:\Windows\System\QWTQVwA.exe
  2⤵
  PID:5408
- C:\Windows\System\sAtOqVz.exe
  C:\Windows\System\sAtOqVz.exe
  2⤵
  PID:5460
- C:\Windows\System\uWEFLcj.exe
  C:\Windows\System\uWEFLcj.exe
  2⤵
  PID:5492
- C:\Windows\System\wuYJfoc.exe
  C:\Windows\System\wuYJfoc.exe
  2⤵
  PID:5556
- C:\Windows\System\Glosnit.exe
  C:\Windows\System\Glosnit.exe
  2⤵
  PID:5580
- C:\Windows\System\ZBmuLkK.exe
  C:\Windows\System\ZBmuLkK.exe
  2⤵
  PID:5612
- C:\Windows\System\akGfqzC.exe
  C:\Windows\System\akGfqzC.exe
  2⤵
  PID:5636
- C:\Windows\System\qTZCnzv.exe
  C:\Windows\System\qTZCnzv.exe
  2⤵
  PID:5680
- C:\Windows\System\ZDhYbYQ.exe
  C:\Windows\System\ZDhYbYQ.exe
  2⤵
  PID:5716
- C:\Windows\System\IzUmFGU.exe
  C:\Windows\System\IzUmFGU.exe
  2⤵
  PID:5752
- C:\Windows\System\CHCWCjw.exe
  C:\Windows\System\CHCWCjw.exe
  2⤵
  PID:5784
- C:\Windows\System\bmUltKE.exe
  C:\Windows\System\bmUltKE.exe
  2⤵
  PID:5824
- C:\Windows\System\rdeeDaL.exe
  C:\Windows\System\rdeeDaL.exe
  2⤵
  PID:5860
- C:\Windows\System\CpwJkVn.exe
  C:\Windows\System\CpwJkVn.exe
  2⤵
  PID:5892
- C:\Windows\System\AzmBMWT.exe
  C:\Windows\System\AzmBMWT.exe
  2⤵
  PID:5928
- C:\Windows\System\GLyeqDP.exe
  C:\Windows\System\GLyeqDP.exe
  2⤵
  PID:5964
- C:\Windows\System\zRIHfcR.exe
  C:\Windows\System\zRIHfcR.exe
  2⤵
  PID:5996
- C:\Windows\System\uOpkJft.exe
  C:\Windows\System\uOpkJft.exe
  2⤵
  PID:6028
- C:\Windows\System\DHnArlk.exe
  C:\Windows\System\DHnArlk.exe
  2⤵
  PID:6064
- C:\Windows\System\jpOMxFD.exe
  C:\Windows\System\jpOMxFD.exe
  2⤵
  PID:6096
- C:\Windows\System\hjXuimP.exe
  C:\Windows\System\hjXuimP.exe
  2⤵
  PID:6132
- C:\Windows\System\ZmcUmfd.exe
  C:\Windows\System\ZmcUmfd.exe
  2⤵
  PID:5188
- C:\Windows\System\PnjAArU.exe
  C:\Windows\System\PnjAArU.exe
  2⤵
  PID:5276
- C:\Windows\System\RFaVqGp.exe
  C:\Windows\System\RFaVqGp.exe
  2⤵
  PID:5352
- C:\Windows\System\EDaGqEI.exe
  C:\Windows\System\EDaGqEI.exe
  2⤵
  PID:5424
- C:\Windows\System\nFLXzbJ.exe
  C:\Windows\System\nFLXzbJ.exe
  2⤵
  PID:5500
- C:\Windows\System\vFdLGsV.exe
  C:\Windows\System\vFdLGsV.exe
  2⤵
  PID:5592
- C:\Windows\System\hQiyTjH.exe
  C:\Windows\System\hQiyTjH.exe
  2⤵
  PID:5664
- C:\Windows\System\BghrRQz.exe
  C:\Windows\System\BghrRQz.exe
  2⤵
  PID:5736
- C:\Windows\System\eLFWyME.exe
  C:\Windows\System\eLFWyME.exe
  2⤵
  PID:5808
- C:\Windows\System\eAjcYYD.exe
  C:\Windows\System\eAjcYYD.exe
  2⤵
  PID:5880
- C:\Windows\System\PBnraZR.exe
  C:\Windows\System\PBnraZR.exe
  2⤵
  PID:5976
- C:\Windows\System\Gromddf.exe
  C:\Windows\System\Gromddf.exe
  2⤵
  PID:6080
- C:\Windows\System\JxTliBG.exe
  C:\Windows\System\JxTliBG.exe
  2⤵
  PID:5152
- C:\Windows\System\vudRvny.exe
  C:\Windows\System\vudRvny.exe
  2⤵
  PID:5320
- C:\Windows\System\xwzqJef.exe
  C:\Windows\System\xwzqJef.exe
  2⤵
  PID:5564
- C:\Windows\System\ChfZQGI.exe
  C:\Windows\System\ChfZQGI.exe
  2⤵
  PID:5696
- C:\Windows\System\CSGLMwA.exe
  C:\Windows\System\CSGLMwA.exe
  2⤵
  PID:5868
- C:\Windows\System\MRgSdtO.exe
  C:\Windows\System\MRgSdtO.exe
  2⤵
  PID:6008
- C:\Windows\System\CdrxNJu.exe
  C:\Windows\System\CdrxNJu.exe
  2⤵
  PID:5232
- C:\Windows\System\LLTHAUV.exe
  C:\Windows\System\LLTHAUV.exe
  2⤵
  PID:5572
- C:\Windows\System\xeYvFRS.exe
  C:\Windows\System\xeYvFRS.exe
  2⤵
  PID:5936
- C:\Windows\System\IQtTCRi.exe
  C:\Windows\System\IQtTCRi.exe
  2⤵
  PID:5576
- C:\Windows\System\kYEvZnT.exe
  C:\Windows\System\kYEvZnT.exe
  2⤵
  PID:5904
- C:\Windows\System\JSPlvsw.exe
  C:\Windows\System\JSPlvsw.exe
  2⤵
  PID:6172
- C:\Windows\System\dYGdwGe.exe
  C:\Windows\System\dYGdwGe.exe
  2⤵
  PID:6204
- C:\Windows\System\rFduMPM.exe
  C:\Windows\System\rFduMPM.exe
  2⤵
  PID:6244
- C:\Windows\System\ZFWosOM.exe
  C:\Windows\System\ZFWosOM.exe
  2⤵
  PID:6276
- C:\Windows\System\YHLVRyP.exe
  C:\Windows\System\YHLVRyP.exe
  2⤵
  PID:6312
- C:\Windows\System\HJBSgQT.exe
  C:\Windows\System\HJBSgQT.exe
  2⤵
  PID:6344
- C:\Windows\System\JWqAtKS.exe
  C:\Windows\System\JWqAtKS.exe
  2⤵
  PID:6376
- C:\Windows\System\LbXTFIO.exe
  C:\Windows\System\LbXTFIO.exe
  2⤵
  PID:6424
- C:\Windows\System\GvwIzNZ.exe
  C:\Windows\System\GvwIzNZ.exe
  2⤵
  PID:6440
- C:\Windows\System\GuLSKxj.exe
  C:\Windows\System\GuLSKxj.exe
  2⤵
  PID:6464
- C:\Windows\System\JqbQJtT.exe
  C:\Windows\System\JqbQJtT.exe
  2⤵
  PID:6488
- C:\Windows\System\RrhJESO.exe
  C:\Windows\System\RrhJESO.exe
  2⤵
  PID:6540
- C:\Windows\System\fQegiKm.exe
  C:\Windows\System\fQegiKm.exe
  2⤵
  PID:6572
- C:\Windows\System\ZYxBLNm.exe
  C:\Windows\System\ZYxBLNm.exe
  2⤵
  PID:6608
- C:\Windows\System\VcpxlKV.exe
  C:\Windows\System\VcpxlKV.exe
  2⤵
  PID:6636
- C:\Windows\System\cTDocPR.exe
  C:\Windows\System\cTDocPR.exe
  2⤵
  PID:6668
- C:\Windows\System\PxzrLVu.exe
  C:\Windows\System\PxzrLVu.exe
  2⤵
  PID:6704
- C:\Windows\System\QNWNtjC.exe
  C:\Windows\System\QNWNtjC.exe
  2⤵
  PID:6740
- C:\Windows\System\lvbxVtF.exe
  C:\Windows\System\lvbxVtF.exe
  2⤵
  PID:6764
- C:\Windows\System\wmvZFtK.exe
  C:\Windows\System\wmvZFtK.exe
  2⤵
  PID:6796
- C:\Windows\System\MwXRWTN.exe
  C:\Windows\System\MwXRWTN.exe
  2⤵
  PID:6828
- C:\Windows\System\wqpPKTl.exe
  C:\Windows\System\wqpPKTl.exe
  2⤵
  PID:6868
- C:\Windows\System\VMAswJZ.exe
  C:\Windows\System\VMAswJZ.exe
  2⤵
  PID:6896
- C:\Windows\System\aoqtHeN.exe
  C:\Windows\System\aoqtHeN.exe
  2⤵
  PID:6924
- C:\Windows\System\ZHnuXJy.exe
  C:\Windows\System\ZHnuXJy.exe
  2⤵
  PID:6968
- C:\Windows\System\USCHJgg.exe
  C:\Windows\System\USCHJgg.exe
  2⤵
  PID:6996
- C:\Windows\System\RdhGwhk.exe
  C:\Windows\System\RdhGwhk.exe
  2⤵
  PID:7028
- C:\Windows\System\BunodLQ.exe
  C:\Windows\System\BunodLQ.exe
  2⤵
  PID:7064
- C:\Windows\System\KZEaofk.exe
  C:\Windows\System\KZEaofk.exe
  2⤵
  PID:7092
- C:\Windows\System\mCFzvvQ.exe
  C:\Windows\System\mCFzvvQ.exe
  2⤵
  PID:7128
- C:\Windows\System\ZrhmKhH.exe
  C:\Windows\System\ZrhmKhH.exe
  2⤵
  PID:7160
- C:\Windows\System\VjCwbNz.exe
  C:\Windows\System\VjCwbNz.exe
  2⤵
  PID:6196
- C:\Windows\System\fVKkVhO.exe
  C:\Windows\System\fVKkVhO.exe
  2⤵
  PID:6300
- C:\Windows\System\iPSzWUg.exe
  C:\Windows\System\iPSzWUg.exe
  2⤵
  PID:5544
- C:\Windows\System\CsserSe.exe
  C:\Windows\System\CsserSe.exe
  2⤵
  PID:5944
- C:\Windows\System\HkbcrLc.exe
  C:\Windows\System\HkbcrLc.exe
  2⤵
  PID:6436
- C:\Windows\System\csvPvKo.exe
  C:\Windows\System\csvPvKo.exe
  2⤵
  PID:6508
- C:\Windows\System\VeHdGEC.exe
  C:\Windows\System\VeHdGEC.exe
  2⤵
  PID:6588
- C:\Windows\System\cuABooB.exe
  C:\Windows\System\cuABooB.exe
  2⤵
  PID:6652
- C:\Windows\System\pspmfoF.exe
  C:\Windows\System\pspmfoF.exe
  2⤵
  PID:6724
- C:\Windows\System\MEJctkZ.exe
  C:\Windows\System\MEJctkZ.exe
  2⤵
  PID:6792
- C:\Windows\System\jPddMQm.exe
  C:\Windows\System\jPddMQm.exe
  2⤵
  PID:6876
- C:\Windows\System\DRpakTz.exe
  C:\Windows\System\DRpakTz.exe
  2⤵
  PID:6936
- C:\Windows\System\RaxJRHR.exe
  C:\Windows\System\RaxJRHR.exe
  2⤵
  PID:7004
- C:\Windows\System\YMgonBv.exe
  C:\Windows\System\YMgonBv.exe
  2⤵
  PID:7072
- C:\Windows\System\BoLcXIG.exe
  C:\Windows\System\BoLcXIG.exe
  2⤵
  PID:7136
- C:\Windows\System\PKQMiHZ.exe
  C:\Windows\System\PKQMiHZ.exe
  2⤵
  PID:6192
- C:\Windows\System\KAROaex.exe
  C:\Windows\System\KAROaex.exe
  2⤵
  PID:5948
- C:\Windows\System\TIlaeQd.exe
  C:\Windows\System\TIlaeQd.exe
  2⤵
  PID:6432
- C:\Windows\System\GVJynop.exe
  C:\Windows\System\GVJynop.exe
  2⤵
  PID:6600
- C:\Windows\System\sWTKOSn.exe
  C:\Windows\System\sWTKOSn.exe
  2⤵
  PID:6756
- C:\Windows\System\iegXGlA.exe
  C:\Windows\System\iegXGlA.exe
  2⤵
  PID:6852
- C:\Windows\System\SRNPmXR.exe
  C:\Windows\System\SRNPmXR.exe
  2⤵
  PID:6984
- C:\Windows\System\ZRYHzTG.exe
  C:\Windows\System\ZRYHzTG.exe
  2⤵
  PID:7116
- C:\Windows\System\FEQivFs.exe
  C:\Windows\System\FEQivFs.exe
  2⤵
  PID:6392
- C:\Windows\System\FBHowNH.exe
  C:\Windows\System\FBHowNH.exe
  2⤵
  PID:6624
- C:\Windows\System\kDlegWF.exe
  C:\Windows\System\kDlegWF.exe
  2⤵
  PID:6904
- C:\Windows\System\sdKDere.exe
  C:\Windows\System\sdKDere.exe
  2⤵
  PID:5516
- C:\Windows\System\rPGKPtJ.exe
  C:\Windows\System\rPGKPtJ.exe
  2⤵
  PID:6788
- C:\Windows\System\PohqLSf.exe
  C:\Windows\System\PohqLSf.exe
  2⤵
  PID:7040
- C:\Windows\System\aYrzPDJ.exe
  C:\Windows\System\aYrzPDJ.exe
  2⤵
  PID:7200
- C:\Windows\System\ChNOqMW.exe
  C:\Windows\System\ChNOqMW.exe
  2⤵
  PID:7236
- C:\Windows\System\wfOAPGH.exe
  C:\Windows\System\wfOAPGH.exe
  2⤵
  PID:7272
- C:\Windows\System\pSeSIJn.exe
  C:\Windows\System\pSeSIJn.exe
  2⤵
  PID:7328
- C:\Windows\System\eMMcVCi.exe
  C:\Windows\System\eMMcVCi.exe
  2⤵
  PID:7372
- C:\Windows\System\rRHpIWm.exe
  C:\Windows\System\rRHpIWm.exe
  2⤵
  PID:7420
- C:\Windows\System\iZBMeYa.exe
  C:\Windows\System\iZBMeYa.exe
  2⤵
  PID:7456
- C:\Windows\System\QgNrOZj.exe
  C:\Windows\System\QgNrOZj.exe
  2⤵
  PID:7496
- C:\Windows\System\hwXFuan.exe
  C:\Windows\System\hwXFuan.exe
  2⤵
  PID:7536
- C:\Windows\System\DfnknQn.exe
  C:\Windows\System\DfnknQn.exe
  2⤵
  PID:7584
- C:\Windows\System\BNBzSmH.exe
  C:\Windows\System\BNBzSmH.exe
  2⤵
  PID:7644
- C:\Windows\System\vAZaCoz.exe
  C:\Windows\System\vAZaCoz.exe
  2⤵
  PID:7684
- C:\Windows\System\AxhpWgL.exe
  C:\Windows\System\AxhpWgL.exe
  2⤵
  PID:7720
- C:\Windows\System\nsxHFAt.exe
  C:\Windows\System\nsxHFAt.exe
  2⤵
  PID:7752
- C:\Windows\System\dZovWTc.exe
  C:\Windows\System\dZovWTc.exe
  2⤵
  PID:7788
- C:\Windows\System\AYfAGVK.exe
  C:\Windows\System\AYfAGVK.exe
  2⤵
  PID:7820
- C:\Windows\System\fvjRudE.exe
  C:\Windows\System\fvjRudE.exe
  2⤵
  PID:7852
- C:\Windows\System\ajgxHTo.exe
  C:\Windows\System\ajgxHTo.exe
  2⤵
  PID:7896
- C:\Windows\System\WHhcLDT.exe
  C:\Windows\System\WHhcLDT.exe
  2⤵
  PID:7928
- C:\Windows\System\ZcLYEIg.exe
  C:\Windows\System\ZcLYEIg.exe
  2⤵
  PID:7964
- C:\Windows\System\ZQXAmkC.exe
  C:\Windows\System\ZQXAmkC.exe
  2⤵
  PID:7996
- C:\Windows\System\tPwGYEW.exe
  C:\Windows\System\tPwGYEW.exe
  2⤵
  PID:8028
- C:\Windows\System\RsVVNXY.exe
  C:\Windows\System\RsVVNXY.exe
  2⤵
  PID:8068
- C:\Windows\System\YdgFvxP.exe
  C:\Windows\System\YdgFvxP.exe
  2⤵
  PID:8100
- C:\Windows\System\AosKIkY.exe
  C:\Windows\System\AosKIkY.exe
  2⤵
  PID:8140
- C:\Windows\System\QNHqhYj.exe
  C:\Windows\System\QNHqhYj.exe
  2⤵
  PID:8172
- C:\Windows\System\puWkoUv.exe
  C:\Windows\System\puWkoUv.exe
  2⤵
  PID:7192
- C:\Windows\System\UYkVIZI.exe
  C:\Windows\System\UYkVIZI.exe
  2⤵
  PID:7260
- C:\Windows\System\dSwpOOY.exe
  C:\Windows\System\dSwpOOY.exe
  2⤵
  PID:7348
- C:\Windows\System\qGKjbaL.exe
  C:\Windows\System\qGKjbaL.exe
  2⤵
  PID:7448
- C:\Windows\System\rYvqKsg.exe
  C:\Windows\System\rYvqKsg.exe
  2⤵
  PID:7528
- C:\Windows\System\cJAIGdi.exe
  C:\Windows\System\cJAIGdi.exe
  2⤵
  PID:7600
- C:\Windows\System\DxycqGn.exe
  C:\Windows\System\DxycqGn.exe
  2⤵
  PID:7736
- C:\Windows\System\pSFxTvp.exe
  C:\Windows\System\pSFxTvp.exe
  2⤵
  PID:7768
- C:\Windows\System\SIngFVe.exe
  C:\Windows\System\SIngFVe.exe
  2⤵
  PID:7836
- C:\Windows\System\ZucPmxH.exe
  C:\Windows\System\ZucPmxH.exe
  2⤵
  PID:7912
- C:\Windows\System\tGkgJvm.exe
  C:\Windows\System\tGkgJvm.exe
  2⤵
  PID:7976
- C:\Windows\System\CLhQZUn.exe
  C:\Windows\System\CLhQZUn.exe
  2⤵
  PID:8052
- C:\Windows\System\PgGWHEH.exe
  C:\Windows\System\PgGWHEH.exe
  2⤵
  PID:8112
- C:\Windows\System\CZCQjFt.exe
  C:\Windows\System\CZCQjFt.exe
  2⤵
  PID:8184
- C:\Windows\System\MKrHVdA.exe
  C:\Windows\System\MKrHVdA.exe
  2⤵
  PID:7304
- C:\Windows\System\xkjTXfc.exe
  C:\Windows\System\xkjTXfc.exe
  2⤵
  PID:7524
- C:\Windows\System\bxyQsJf.exe
  C:\Windows\System\bxyQsJf.exe
  2⤵
  PID:7660
- C:\Windows\System\nphbOcg.exe
  C:\Windows\System\nphbOcg.exe
  2⤵
  PID:7804
- C:\Windows\System\JZQYmZP.exe
  C:\Windows\System\JZQYmZP.exe
  2⤵
  PID:7920
- C:\Windows\System\YmXPQSp.exe
  C:\Windows\System\YmXPQSp.exe
  2⤵
  PID:8064
- C:\Windows\System\GSipGgl.exe
  C:\Windows\System\GSipGgl.exe
  2⤵
  PID:7252
- C:\Windows\System\PWqbzHm.exe
  C:\Windows\System\PWqbzHm.exe
  2⤵
  PID:7556
- C:\Windows\System\Wfjmmwg.exe
  C:\Windows\System\Wfjmmwg.exe
  2⤵
  PID:7892
- C:\Windows\System\BbVPqHY.exe
  C:\Windows\System\BbVPqHY.exe
  2⤵
  PID:8152
- C:\Windows\System\pjlneQa.exe
  C:\Windows\System\pjlneQa.exe
  2⤵
  PID:7384
- C:\Windows\System\BDUenyO.exe
  C:\Windows\System\BDUenyO.exe
  2⤵
  PID:8228
- C:\Windows\System\eJuwmOu.exe
  C:\Windows\System\eJuwmOu.exe
  2⤵
  PID:8268
- C:\Windows\System\ZiyacCd.exe
  C:\Windows\System\ZiyacCd.exe
  2⤵
  PID:8316
- C:\Windows\System\kWoQhsI.exe
  C:\Windows\System\kWoQhsI.exe
  2⤵
  PID:8352
- C:\Windows\System\mAfMWYP.exe
  C:\Windows\System\mAfMWYP.exe
  2⤵
  PID:8384
- C:\Windows\System\RThnRuB.exe
  C:\Windows\System\RThnRuB.exe
  2⤵
  PID:8416
- C:\Windows\System\GPbLIny.exe
  C:\Windows\System\GPbLIny.exe
  2⤵
  PID:8448
- C:\Windows\System\gydlqqW.exe
  C:\Windows\System\gydlqqW.exe
  2⤵
  PID:8480
- C:\Windows\System\cVbtPou.exe
  C:\Windows\System\cVbtPou.exe
  2⤵
  PID:8508
- C:\Windows\System\SylUHsW.exe
  C:\Windows\System\SylUHsW.exe
  2⤵
  PID:8544
- C:\Windows\System\RSPrVDf.exe
  C:\Windows\System\RSPrVDf.exe
  2⤵
  PID:8576
- C:\Windows\System\BgEVCiW.exe
  C:\Windows\System\BgEVCiW.exe
  2⤵
  PID:8608
- C:\Windows\System\QMNcQOZ.exe
  C:\Windows\System\QMNcQOZ.exe
  2⤵
  PID:8640
- C:\Windows\System\IckzwzD.exe
  C:\Windows\System\IckzwzD.exe
  2⤵
  PID:8672
- C:\Windows\System\AFTDeNL.exe
  C:\Windows\System\AFTDeNL.exe
  2⤵
  PID:8704
- C:\Windows\System\FydysiI.exe
  C:\Windows\System\FydysiI.exe
  2⤵
  PID:8736
- C:\Windows\System\deoJbvJ.exe
  C:\Windows\System\deoJbvJ.exe
  2⤵
  PID:8768
- C:\Windows\System\NDHFvvH.exe
  C:\Windows\System\NDHFvvH.exe
  2⤵
  PID:8784
- C:\Windows\System\fMoAWDo.exe
  C:\Windows\System\fMoAWDo.exe
  2⤵
  PID:8824
- C:\Windows\System\RUmeRdC.exe
  C:\Windows\System\RUmeRdC.exe
  2⤵
  PID:8872
- C:\Windows\System\HbRrUHO.exe
  C:\Windows\System\HbRrUHO.exe
  2⤵
  PID:8896
- C:\Windows\System\FjuwYHE.exe
  C:\Windows\System\FjuwYHE.exe
  2⤵
  PID:8980
- C:\Windows\System\zvAvuWb.exe
  C:\Windows\System\zvAvuWb.exe
  2⤵
  PID:9004
- C:\Windows\System\epbZSUI.exe
  C:\Windows\System\epbZSUI.exe
  2⤵
  PID:9036
- C:\Windows\System\aBvpUUB.exe
  C:\Windows\System\aBvpUUB.exe
  2⤵
  PID:9072
- C:\Windows\System\PbMrHuG.exe
  C:\Windows\System\PbMrHuG.exe
  2⤵
  PID:9112
- C:\Windows\System\AxesCQh.exe
  C:\Windows\System\AxesCQh.exe
  2⤵
  PID:9148
- C:\Windows\System\EUGZJLD.exe
  C:\Windows\System\EUGZJLD.exe
  2⤵
  PID:9180
- C:\Windows\System\QFEUkCL.exe
  C:\Windows\System\QFEUkCL.exe
  2⤵
  PID:9212
- C:\Windows\System\fKkMfLs.exe
  C:\Windows\System\fKkMfLs.exe
  2⤵
  PID:8288
- C:\Windows\System\IzGOOcm.exe
  C:\Windows\System\IzGOOcm.exe
  2⤵
  PID:8396
- C:\Windows\System\UGjErwf.exe
  C:\Windows\System\UGjErwf.exe
  2⤵
  PID:8500
- C:\Windows\System\AginSDe.exe
  C:\Windows\System\AginSDe.exe
  2⤵
  PID:8572
- C:\Windows\System\BvyyASa.exe
  C:\Windows\System\BvyyASa.exe
  2⤵
  PID:8620
- C:\Windows\System\xbDkkaZ.exe
  C:\Windows\System\xbDkkaZ.exe
  2⤵
  PID:8688
- C:\Windows\System\XPPBudB.exe
  C:\Windows\System\XPPBudB.exe
  2⤵
  PID:8752
- C:\Windows\System\QpMPYrB.exe
  C:\Windows\System\QpMPYrB.exe
  2⤵
  PID:8820
- C:\Windows\System\eSpKbBu.exe
  C:\Windows\System\eSpKbBu.exe
  2⤵
  PID:8884
- C:\Windows\System\SpcOjvR.exe
  C:\Windows\System\SpcOjvR.exe
  2⤵
  PID:8908
- C:\Windows\System\mVSauna.exe
  C:\Windows\System\mVSauna.exe
  2⤵
  PID:8924
- C:\Windows\System\lkmMmoJ.exe
  C:\Windows\System\lkmMmoJ.exe
  2⤵
  PID:9064
- C:\Windows\System\vpYGRax.exe
  C:\Windows\System\vpYGRax.exe
  2⤵
  PID:3872
- C:\Windows\System\LMrnzwR.exe
  C:\Windows\System\LMrnzwR.exe
  2⤵
  PID:9160
- C:\Windows\System\laWxmDG.exe
  C:\Windows\System\laWxmDG.exe
  2⤵
  PID:9208
- C:\Windows\System\EGjZbBk.exe
  C:\Windows\System\EGjZbBk.exe
  2⤵
  PID:8432
- C:\Windows\System\aptGySQ.exe
  C:\Windows\System\aptGySQ.exe
  2⤵
  PID:8532
- C:\Windows\System\hjTpnVK.exe
  C:\Windows\System\hjTpnVK.exe
  2⤵
  PID:8684
- C:\Windows\System\LSzXklZ.exe
  C:\Windows\System\LSzXklZ.exe
  2⤵
  PID:8812
- C:\Windows\System\RvmNDFa.exe
  C:\Windows\System\RvmNDFa.exe
  2⤵
  PID:9048
- C:\Windows\System\Ifsegru.exe
  C:\Windows\System\Ifsegru.exe
  2⤵
  PID:4824
- C:\Windows\System\ICktpJI.exe
  C:\Windows\System\ICktpJI.exe
  2⤵
  PID:3688
- C:\Windows\System\jikhZNv.exe
  C:\Windows\System\jikhZNv.exe
  2⤵
  PID:8524
- C:\Windows\System\aPUxiiu.exe
  C:\Windows\System\aPUxiiu.exe
  2⤵
  PID:8776
- C:\Windows\System\wiiaTML.exe
  C:\Windows\System\wiiaTML.exe
  2⤵
  PID:1148
- C:\Windows\System\KqInHVK.exe
  C:\Windows\System\KqInHVK.exe
  2⤵
  PID:5960
- C:\Windows\System\eZTsMAc.exe
  C:\Windows\System\eZTsMAc.exe
  2⤵
  PID:8252
- C:\Windows\System\zBOwnYq.exe
  C:\Windows\System\zBOwnYq.exe
  2⤵
  PID:8380
- C:\Windows\System\eQadvoa.exe
  C:\Windows\System\eQadvoa.exe
  2⤵
  PID:1056
- C:\Windows\System\YoATagS.exe
  C:\Windows\System\YoATagS.exe
  2⤵
  PID:2860
- C:\Windows\System\xuvaFmN.exe
  C:\Windows\System\xuvaFmN.exe
  2⤵
  PID:8748
- C:\Windows\System\WIxLMJi.exe
  C:\Windows\System\WIxLMJi.exe
  2⤵
  PID:4292
- C:\Windows\System\cFWIqDM.exe
  C:\Windows\System\cFWIqDM.exe
  2⤵
  PID:5956
- C:\Windows\System\dmGXNFt.exe
  C:\Windows\System\dmGXNFt.exe
  2⤵
  PID:9244
- C:\Windows\System\ghAEQAQ.exe
  C:\Windows\System\ghAEQAQ.exe
  2⤵
  PID:9276
- C:\Windows\System\YsYhxmQ.exe
  C:\Windows\System\YsYhxmQ.exe
  2⤵
  PID:9296
- C:\Windows\System\afGbWnU.exe
  C:\Windows\System\afGbWnU.exe
  2⤵
  PID:9340
- C:\Windows\System\PqfoDsH.exe
  C:\Windows\System\PqfoDsH.exe
  2⤵
  PID:9372
- C:\Windows\System\QpcStPM.exe
  C:\Windows\System\QpcStPM.exe
  2⤵
  PID:9404
- C:\Windows\System\vyULVZL.exe
  C:\Windows\System\vyULVZL.exe
  2⤵
  PID:9436
- C:\Windows\System\jDKvwtj.exe
  C:\Windows\System\jDKvwtj.exe
  2⤵
  PID:9468
- C:\Windows\System\pBxEzpy.exe
  C:\Windows\System\pBxEzpy.exe
  2⤵
  PID:9500
- C:\Windows\System\fhImJeB.exe
  C:\Windows\System\fhImJeB.exe
  2⤵
  PID:9548
- C:\Windows\System\ygcicbe.exe
  C:\Windows\System\ygcicbe.exe
  2⤵
  PID:9580
- C:\Windows\System\eyQXsJk.exe
  C:\Windows\System\eyQXsJk.exe
  2⤵
  PID:9612
- C:\Windows\System\qeLLavC.exe
  C:\Windows\System\qeLLavC.exe
  2⤵
  PID:9644
- C:\Windows\System\CPjoqkh.exe
  C:\Windows\System\CPjoqkh.exe
  2⤵
  PID:9684
- C:\Windows\System\TpqAsru.exe
  C:\Windows\System\TpqAsru.exe
  2⤵
  PID:9716
- C:\Windows\System\iHlPqjK.exe
  C:\Windows\System\iHlPqjK.exe
  2⤵
  PID:9748
- C:\Windows\System\WyMqeQs.exe
  C:\Windows\System\WyMqeQs.exe
  2⤵
  PID:9784
- C:\Windows\System\sGNCgBZ.exe
  C:\Windows\System\sGNCgBZ.exe
  2⤵
  PID:9816
- C:\Windows\System\BRrjEtg.exe
  C:\Windows\System\BRrjEtg.exe
  2⤵
  PID:9848
- C:\Windows\System\YHckonF.exe
  C:\Windows\System\YHckonF.exe
  2⤵
  PID:9880
- C:\Windows\System\bjFHJco.exe
  C:\Windows\System\bjFHJco.exe
  2⤵
  PID:9912
- C:\Windows\System\atGcRvF.exe
  C:\Windows\System\atGcRvF.exe
  2⤵
  PID:9944
- C:\Windows\System\PYbyIfC.exe
  C:\Windows\System\PYbyIfC.exe
  2⤵
  PID:9976
- C:\Windows\System\QICfDJE.exe
  C:\Windows\System\QICfDJE.exe
  2⤵
  PID:10008
- C:\Windows\System\lfzXHnL.exe
  C:\Windows\System\lfzXHnL.exe
  2⤵
  PID:10040
- C:\Windows\System\gNDMGJK.exe
  C:\Windows\System\gNDMGJK.exe
  2⤵
  PID:10072
- C:\Windows\System\coFgLlK.exe
  C:\Windows\System\coFgLlK.exe
  2⤵
  PID:10104
- C:\Windows\System\HBcvsHk.exe
  C:\Windows\System\HBcvsHk.exe
  2⤵
  PID:10144
- C:\Windows\System\HoUpQxw.exe
  C:\Windows\System\HoUpQxw.exe
  2⤵
  PID:10200
- C:\Windows\System\RhjasSE.exe
  C:\Windows\System\RhjasSE.exe
  2⤵
  PID:10232
- C:\Windows\System\BXOTYNI.exe
  C:\Windows\System\BXOTYNI.exe
  2⤵
  PID:9236
- C:\Windows\System\zXRgSfa.exe
  C:\Windows\System\zXRgSfa.exe
  2⤵
  PID:9320
- C:\Windows\System\fXVBIzv.exe
  C:\Windows\System\fXVBIzv.exe
  2⤵
  PID:9396
- C:\Windows\System\gmYRDfO.exe
  C:\Windows\System\gmYRDfO.exe
  2⤵
  PID:9428
- C:\Windows\System\KPdDMlZ.exe
  C:\Windows\System\KPdDMlZ.exe
  2⤵
  PID:9516
- C:\Windows\System\CvXiguB.exe
  C:\Windows\System\CvXiguB.exe
  2⤵
  PID:9576
- C:\Windows\System\paeERMS.exe
  C:\Windows\System\paeERMS.exe
  2⤵
  PID:9640
- C:\Windows\System\VtKERgP.exe
  C:\Windows\System\VtKERgP.exe
  2⤵
  PID:9712
- C:\Windows\System\iCWrQXu.exe
  C:\Windows\System\iCWrQXu.exe
  2⤵
  PID:9812
- C:\Windows\System\EgZOsLV.exe
  C:\Windows\System\EgZOsLV.exe
  2⤵
  PID:9844
- C:\Windows\System\NxyMYtT.exe
  C:\Windows\System\NxyMYtT.exe
  2⤵
  PID:9908
- C:\Windows\System\AkAVwbI.exe
  C:\Windows\System\AkAVwbI.exe
  2⤵
  PID:9968
- C:\Windows\System\FhMrJJx.exe
  C:\Windows\System\FhMrJJx.exe
  2⤵
  PID:10064
- C:\Windows\System\RdVMmAH.exe
  C:\Windows\System\RdVMmAH.exe
  2⤵
  PID:10100
- C:\Windows\System\PZPjgSF.exe
  C:\Windows\System\PZPjgSF.exe
  2⤵
  PID:10168
- C:\Windows\System\tfMvPvz.exe
  C:\Windows\System\tfMvPvz.exe
  2⤵
  PID:10220
- C:\Windows\System\miYHWYN.exe
  C:\Windows\System\miYHWYN.exe
  2⤵
  PID:9384
- C:\Windows\System\NKQfeOj.exe
  C:\Windows\System\NKQfeOj.exe
  2⤵
  PID:9496
- C:\Windows\System\vczieie.exe
  C:\Windows\System\vczieie.exe
  2⤵
  PID:9624
- C:\Windows\System\qUlsKqw.exe
  C:\Windows\System\qUlsKqw.exe
  2⤵
  PID:9776
- C:\Windows\System\EUhPgaP.exe
  C:\Windows\System\EUhPgaP.exe
  2⤵
  PID:9940
- C:\Windows\System\IGTxzCx.exe
  C:\Windows\System\IGTxzCx.exe
  2⤵
  PID:10056
- C:\Windows\System\NvXyqas.exe
  C:\Windows\System\NvXyqas.exe
  2⤵
  PID:10224
- C:\Windows\System\SvLVUIk.exe
  C:\Windows\System\SvLVUIk.exe
  2⤵
  PID:9604
- C:\Windows\System\vyjEMVQ.exe
  C:\Windows\System\vyjEMVQ.exe
  2⤵
  PID:9840
- C:\Windows\System\SNCdLMU.exe
  C:\Windows\System\SNCdLMU.exe
  2⤵
  PID:9872
- C:\Windows\System\IwQQyxM.exe
  C:\Windows\System\IwQQyxM.exe
  2⤵
  PID:10268
- C:\Windows\System\jeiajfd.exe
  C:\Windows\System\jeiajfd.exe
  2⤵
  PID:10292
- C:\Windows\System\fzGdkaG.exe
  C:\Windows\System\fzGdkaG.exe
  2⤵
  PID:10328
- C:\Windows\System\pvqPIuQ.exe
  C:\Windows\System\pvqPIuQ.exe
  2⤵
  PID:10356
- C:\Windows\System\rcmwkCa.exe
  C:\Windows\System\rcmwkCa.exe
  2⤵
  PID:10388
- C:\Windows\System\OAZwtcD.exe
  C:\Windows\System\OAZwtcD.exe
  2⤵
  PID:10408
- C:\Windows\System\KSzoUKP.exe
  C:\Windows\System\KSzoUKP.exe
  2⤵
  PID:10452
- C:\Windows\System\sNBpHXB.exe
  C:\Windows\System\sNBpHXB.exe
  2⤵
  PID:10496
- C:\Windows\System\PjkVrtr.exe
  C:\Windows\System\PjkVrtr.exe
  2⤵
  PID:10536
- C:\Windows\System\AnaahmN.exe
  C:\Windows\System\AnaahmN.exe
  2⤵
  PID:10572
- C:\Windows\System\WcbcbTt.exe
  C:\Windows\System\WcbcbTt.exe
  2⤵
  PID:10616
- C:\Windows\System\kFgscea.exe
  C:\Windows\System\kFgscea.exe
  2⤵
  PID:10672
- C:\Windows\System\cksruev.exe
  C:\Windows\System\cksruev.exe
  2⤵
  PID:10700
- C:\Windows\System\XGsjqyS.exe
  C:\Windows\System\XGsjqyS.exe
  2⤵
  PID:10724
- C:\Windows\System\lJzvWtK.exe
  C:\Windows\System\lJzvWtK.exe
  2⤵
  PID:10760
- C:\Windows\System\hxzLFhA.exe
  C:\Windows\System\hxzLFhA.exe
  2⤵
  PID:10776
- C:\Windows\System\QTQfami.exe
  C:\Windows\System\QTQfami.exe
  2⤵
  PID:10836
- C:\Windows\System\cluIagr.exe
  C:\Windows\System\cluIagr.exe
  2⤵
  PID:10864
- C:\Windows\System\cVcHVkB.exe
  C:\Windows\System\cVcHVkB.exe
  2⤵
  PID:10948
- C:\Windows\System\LWgUJhu.exe
  C:\Windows\System\LWgUJhu.exe
  2⤵
  PID:10972
- C:\Windows\System\aUYqTIj.exe
  C:\Windows\System\aUYqTIj.exe
  2⤵
  PID:10988
- C:\Windows\System\iRmikef.exe
  C:\Windows\System\iRmikef.exe
  2⤵
  PID:11028
- C:\Windows\System\suGOHYs.exe
  C:\Windows\System\suGOHYs.exe
  2⤵
  PID:11052
- C:\Windows\System\WYSaaog.exe
  C:\Windows\System\WYSaaog.exe
  2⤵
  PID:11088
- C:\Windows\System\mQDGAiB.exe
  C:\Windows\System\mQDGAiB.exe
  2⤵
  PID:11108
- C:\Windows\System\nbMIzuK.exe
  C:\Windows\System\nbMIzuK.exe
  2⤵
  PID:11144
- C:\Windows\System\MzNhrIy.exe
  C:\Windows\System\MzNhrIy.exe
  2⤵
  PID:11188
- C:\Windows\System\lDgsEBz.exe
  C:\Windows\System\lDgsEBz.exe
  2⤵
  PID:11204
- C:\Windows\System\evaSldz.exe
  C:\Windows\System\evaSldz.exe
  2⤵
  PID:11252
- C:\Windows\System\XJyhGil.exe
  C:\Windows\System\XJyhGil.exe
  2⤵
  PID:10244
- C:\Windows\System\VZwWEll.exe
  C:\Windows\System\VZwWEll.exe
  2⤵
  PID:10340
- C:\Windows\System\aIauHPa.exe
  C:\Windows\System\aIauHPa.exe
  2⤵
  PID:10376
- C:\Windows\System\gQAqgzX.exe
  C:\Windows\System\gQAqgzX.exe
  2⤵
  PID:9452
- C:\Windows\System\TeNRodj.exe
  C:\Windows\System\TeNRodj.exe
  2⤵
  PID:10488
- C:\Windows\System\ZGYPrWh.exe
  C:\Windows\System\ZGYPrWh.exe
  2⤵
  PID:10632
- C:\Windows\System\kQDJveT.exe
  C:\Windows\System\kQDJveT.exe
  2⤵
  PID:10684
- C:\Windows\System\ueuhmqE.exe
  C:\Windows\System\ueuhmqE.exe
  2⤵
  PID:10712
- C:\Windows\System\SEhMpbD.exe
  C:\Windows\System\SEhMpbD.exe
  2⤵
  PID:10808
- C:\Windows\System\nZTnUkM.exe
  C:\Windows\System\nZTnUkM.exe
  2⤵
  PID:10876
- C:\Windows\System\lDqXlrr.exe
  C:\Windows\System\lDqXlrr.exe
  2⤵
  PID:10932
- C:\Windows\System\YTvKhBd.exe
  C:\Windows\System\YTvKhBd.exe
  2⤵
  PID:11008
- C:\Windows\System\UPagyRJ.exe
  C:\Windows\System\UPagyRJ.exe
  2⤵
  PID:11084
- C:\Windows\System\PwNNDBL.exe
  C:\Windows\System\PwNNDBL.exe
  2⤵
  PID:2752
- C:\Windows\System\QEmkcZR.exe
  C:\Windows\System\QEmkcZR.exe
  2⤵
  PID:11240
- C:\Windows\System\IwFdHDJ.exe
  C:\Windows\System\IwFdHDJ.exe
  2⤵
  PID:11244
- C:\Windows\System\JKUDcsN.exe
  C:\Windows\System\JKUDcsN.exe
  2⤵
  PID:10372
- C:\Windows\System\xjqkITg.exe
  C:\Windows\System\xjqkITg.exe
  2⤵
  PID:10532
- C:\Windows\System\ZHmCJJr.exe
  C:\Windows\System\ZHmCJJr.exe
  2⤵
  PID:10424
- C:\Windows\System\ymjARNJ.exe
  C:\Windows\System\ymjARNJ.exe
  2⤵
  PID:10640
- C:\Windows\System\MYRrpPn.exe
  C:\Windows\System\MYRrpPn.exe
  2⤵
  PID:10668
- C:\Windows\System\cyrNNta.exe
  C:\Windows\System\cyrNNta.exe
  2⤵
  PID:10936
- C:\Windows\System\MBRYWFp.exe
  C:\Windows\System\MBRYWFp.exe
  2⤵
  PID:11040
- C:\Windows\System\GxIqSFf.exe
  C:\Windows\System\GxIqSFf.exe
  2⤵
  PID:11196
- C:\Windows\System\piXlVcN.exe
  C:\Windows\System\piXlVcN.exe
  2⤵
  PID:11232
- C:\Windows\System\tYjExSr.exe
  C:\Windows\System\tYjExSr.exe
  2⤵
  PID:10140
- C:\Windows\System\XXksAYs.exe
  C:\Windows\System\XXksAYs.exe
  2⤵
  PID:10656
- C:\Windows\System\FeteAJP.exe
  C:\Windows\System\FeteAJP.exe
  2⤵
  PID:10752
- C:\Windows\System\aLRnGzv.exe
  C:\Windows\System\aLRnGzv.exe
  2⤵
  PID:11016
- C:\Windows\System\HfoJroG.exe
  C:\Windows\System\HfoJroG.exe
  2⤵
  PID:11100
- C:\Windows\System\GojeQsx.exe
  C:\Windows\System\GojeQsx.exe
  2⤵
  PID:9292
- C:\Windows\System\pPeGdsV.exe
  C:\Windows\System\pPeGdsV.exe
  2⤵
  PID:11268
- C:\Windows\System\BOtnorY.exe
  C:\Windows\System\BOtnorY.exe
  2⤵
  PID:11288
- C:\Windows\System\ZhRlFLG.exe
  C:\Windows\System\ZhRlFLG.exe
  2⤵
  PID:11340
- C:\Windows\System\EvWwLFL.exe
  C:\Windows\System\EvWwLFL.exe
  2⤵
  PID:11364
- C:\Windows\System\AHTTsRH.exe
  C:\Windows\System\AHTTsRH.exe
  2⤵
  PID:11416
- C:\Windows\System\IDzpFsf.exe
  C:\Windows\System\IDzpFsf.exe
  2⤵
  PID:11452
- C:\Windows\System\mUapLHs.exe
  C:\Windows\System\mUapLHs.exe
  2⤵
  PID:11480
- C:\Windows\System\YOEkfPL.exe
  C:\Windows\System\YOEkfPL.exe
  2⤵
  PID:11500
- C:\Windows\System\xoMoTmn.exe
  C:\Windows\System\xoMoTmn.exe
  2⤵
  PID:11556
- C:\Windows\System\jhDdTvv.exe
  C:\Windows\System\jhDdTvv.exe
  2⤵
  PID:11576
- C:\Windows\System\LQengmQ.exe
  C:\Windows\System\LQengmQ.exe
  2⤵
  PID:11624
- C:\Windows\System\gYxehzh.exe
  C:\Windows\System\gYxehzh.exe
  2⤵
  PID:11660
- C:\Windows\System\qsdFPFh.exe
  C:\Windows\System\qsdFPFh.exe
  2⤵
  PID:11704
- C:\Windows\System\piRiqHi.exe
  C:\Windows\System\piRiqHi.exe
  2⤵
  PID:11740
- C:\Windows\System\LXDqvdr.exe
  C:\Windows\System\LXDqvdr.exe
  2⤵
  PID:11836
- C:\Windows\System\KccGdFY.exe
  C:\Windows\System\KccGdFY.exe
  2⤵
  PID:11872
- C:\Windows\System\wBpxTpN.exe
  C:\Windows\System\wBpxTpN.exe
  2⤵
  PID:11892
- C:\Windows\System\mmRgACu.exe
  C:\Windows\System\mmRgACu.exe
  2⤵
  PID:11908
- C:\Windows\System\VEYODIq.exe
  C:\Windows\System\VEYODIq.exe
  2⤵
  PID:11944
- C:\Windows\System\pOoDHGy.exe
  C:\Windows\System\pOoDHGy.exe
  2⤵
  PID:11964
- C:\Windows\System\ZjqoYCz.exe
  C:\Windows\System\ZjqoYCz.exe
  2⤵
  PID:12000
- C:\Windows\System\aNZgrQy.exe
  C:\Windows\System\aNZgrQy.exe
  2⤵
  PID:12024
- C:\Windows\System\hwoHYxx.exe
  C:\Windows\System\hwoHYxx.exe
  2⤵
  PID:12080
- C:\Windows\System\ZCDjZDD.exe
  C:\Windows\System\ZCDjZDD.exe
  2⤵
  PID:12100
- C:\Windows\System\JRpZWyW.exe
  C:\Windows\System\JRpZWyW.exe
  2⤵
  PID:12140
- C:\Windows\System\CWskORy.exe
  C:\Windows\System\CWskORy.exe
  2⤵
  PID:12168
- C:\Windows\System\ZAJNJje.exe
  C:\Windows\System\ZAJNJje.exe
  2⤵
  PID:12212
- C:\Windows\System\qIgJCxQ.exe
  C:\Windows\System\qIgJCxQ.exe
  2⤵
  PID:12232
- C:\Windows\System\syIMqvS.exe
  C:\Windows\System\syIMqvS.exe
  2⤵
  PID:12280
- C:\Windows\System\fkpDqBj.exe
  C:\Windows\System\fkpDqBj.exe
  2⤵
  PID:11284
- C:\Windows\System\dPoGSgL.exe
  C:\Windows\System\dPoGSgL.exe
  2⤵
  PID:10768
- C:\Windows\System\PgFhDiZ.exe
  C:\Windows\System\PgFhDiZ.exe
  2⤵
  PID:11312
- C:\Windows\System\szjMecL.exe
  C:\Windows\System\szjMecL.exe
  2⤵
  PID:11404
- C:\Windows\System\HUTRAFw.exe
  C:\Windows\System\HUTRAFw.exe
  2⤵
  PID:11512
- C:\Windows\System\fGKjraR.exe
  C:\Windows\System\fGKjraR.exe
  2⤵
  PID:11540
- C:\Windows\System\jbmVceO.exe
  C:\Windows\System\jbmVceO.exe
  2⤵
  PID:11688
- C:\Windows\System\wNDNDmr.exe
  C:\Windows\System\wNDNDmr.exe
  2⤵
  PID:11832
- C:\Windows\System\TzxDJnR.exe
  C:\Windows\System\TzxDJnR.exe
  2⤵
  PID:11884
- C:\Windows\System\JmKpglS.exe
  C:\Windows\System\JmKpglS.exe
  2⤵
  PID:11848
- C:\Windows\System\qkQImwu.exe
  C:\Windows\System\qkQImwu.exe
  2⤵
  PID:11924
- C:\Windows\System\XqEdWjj.exe
  C:\Windows\System\XqEdWjj.exe
  2⤵
  PID:8948
- C:\Windows\System\ieXELkE.exe
  C:\Windows\System\ieXELkE.exe
  2⤵
  PID:12036
- C:\Windows\System\HMVQboB.exe
  C:\Windows\System\HMVQboB.exe
  2⤵
  PID:12092
- C:\Windows\System\CFUtyLy.exe
  C:\Windows\System\CFUtyLy.exe
  2⤵
  PID:12148
- C:\Windows\System\hASpRdX.exe
  C:\Windows\System\hASpRdX.exe
  2⤵
  PID:12244
- C:\Windows\System\ysHpwpw.exe
  C:\Windows\System\ysHpwpw.exe
  2⤵
  PID:10000
- C:\Windows\System\EAlMYYW.exe
  C:\Windows\System\EAlMYYW.exe
  2⤵
  PID:11328
- C:\Windows\System\rhfnvOR.exe
  C:\Windows\System\rhfnvOR.exe
  2⤵
  PID:11492
- C:\Windows\System\ZgIFyWm.exe
  C:\Windows\System\ZgIFyWm.exe
  2⤵
  PID:11588
- C:\Windows\System\ldjqJJQ.exe
  C:\Windows\System\ldjqJJQ.exe
  2⤵
  PID:11800
- C:\Windows\System\RxEnSpl.exe
  C:\Windows\System\RxEnSpl.exe
  2⤵
  PID:11864
- C:\Windows\System\dafBEUu.exe
  C:\Windows\System\dafBEUu.exe
  2⤵
  PID:8972
- C:\Windows\System\PMWFsoT.exe
  C:\Windows\System\PMWFsoT.exe
  2⤵
  PID:9204
- C:\Windows\System\YZXVeAx.exe
  C:\Windows\System\YZXVeAx.exe
  2⤵
  PID:12116
- C:\Windows\System\iZRvrCK.exe
  C:\Windows\System\iZRvrCK.exe
  2⤵
  PID:12192
- C:\Windows\System\BuyimAG.exe
  C:\Windows\System\BuyimAG.exe
  2⤵
  PID:11468
- C:\Windows\System\Bvdtmhn.exe
  C:\Windows\System\Bvdtmhn.exe
  2⤵
  PID:11632
- C:\Windows\System\IYCzgNi.exe
  C:\Windows\System\IYCzgNi.exe
  2⤵
  PID:11796
- C:\Windows\System\MeUmyfx.exe
  C:\Windows\System\MeUmyfx.exe
  2⤵
  PID:11988
- C:\Windows\System\haTIHhb.exe
  C:\Windows\System\haTIHhb.exe
  2⤵
  PID:11784
- C:\Windows\System\ZktaRvk.exe
  C:\Windows\System\ZktaRvk.exe
  2⤵
  PID:12128
- C:\Windows\System\XyHnaSH.exe
  C:\Windows\System\XyHnaSH.exe
  2⤵
  PID:11804
- C:\Windows\System\woqWrev.exe
  C:\Windows\System\woqWrev.exe
  2⤵
  PID:12180
- C:\Windows\System\MXaRlgh.exe
  C:\Windows\System\MXaRlgh.exe
  2⤵
  PID:11352
- C:\Windows\System\puxiETh.exe
  C:\Windows\System\puxiETh.exe
  2⤵
  PID:11376
- C:\Windows\System\uAoexKp.exe
  C:\Windows\System\uAoexKp.exe
  2⤵
  PID:12300
- C:\Windows\System\QpgEVUr.exe
  C:\Windows\System\QpgEVUr.exe
  2⤵
  PID:12320
- C:\Windows\System\dTGaZOU.exe
  C:\Windows\System\dTGaZOU.exe
  2⤵
  PID:12356
- C:\Windows\System\gHvwJat.exe
  C:\Windows\System\gHvwJat.exe
  2⤵
  PID:12376
- C:\Windows\System\vIuWuXN.exe
  C:\Windows\System\vIuWuXN.exe
  2⤵
  PID:12412
- C:\Windows\System\IofBays.exe
  C:\Windows\System\IofBays.exe
  2⤵
  PID:12460
- C:\Windows\System\hucqBCO.exe
  C:\Windows\System\hucqBCO.exe
  2⤵
  PID:12508
- C:\Windows\System\mymrUOr.exe
  C:\Windows\System\mymrUOr.exe
  2⤵
  PID:12536
- C:\Windows\System\SMRClad.exe
  C:\Windows\System\SMRClad.exe
  2⤵
  PID:12552
- C:\Windows\System\NcMvmwl.exe
  C:\Windows\System\NcMvmwl.exe
  2⤵
  PID:12588
- C:\Windows\System\fKQCAgK.exe
  C:\Windows\System\fKQCAgK.exe
  2⤵
  PID:12636
- C:\Windows\System\SdkOTOc.exe
  C:\Windows\System\SdkOTOc.exe
  2⤵
  PID:12668
- C:\Windows\System\zKfUJPk.exe
  C:\Windows\System\zKfUJPk.exe
  2⤵
  PID:12712
- C:\Windows\System\XovRcLs.exe
  C:\Windows\System\XovRcLs.exe
  2⤵
  PID:12748
- C:\Windows\System\mLWyyte.exe
  C:\Windows\System\mLWyyte.exe
  2⤵
  PID:12780
- C:\Windows\System\LAGrBBR.exe
  C:\Windows\System\LAGrBBR.exe
  2⤵
  PID:12812
- C:\Windows\System\HxuEvbB.exe
  C:\Windows\System\HxuEvbB.exe
  2⤵
  PID:12844
- C:\Windows\System\tYjVzJq.exe
  C:\Windows\System\tYjVzJq.exe
  2⤵
  PID:12872
- C:\Windows\System\VKZGePH.exe
  C:\Windows\System\VKZGePH.exe
  2⤵
  PID:12908
- C:\Windows\System\nnqyhEL.exe
  C:\Windows\System\nnqyhEL.exe
  2⤵
  PID:12940
- C:\Windows\System\eOrCuXV.exe
  C:\Windows\System\eOrCuXV.exe
  2⤵
  PID:12976
- C:\Windows\System\cvZfkis.exe
  C:\Windows\System\cvZfkis.exe
  2⤵
  PID:13016
- C:\Windows\System\wcncRQx.exe
  C:\Windows\System\wcncRQx.exe
  2⤵
  PID:13036
- C:\Windows\System\zwWcOYr.exe
  C:\Windows\System\zwWcOYr.exe
  2⤵
  PID:13052
- C:\Windows\System\cdzGWFA.exe
  C:\Windows\System\cdzGWFA.exe
  2⤵
  PID:13108
- C:\Windows\System\baVqOZE.exe
  C:\Windows\System\baVqOZE.exe
  2⤵
  PID:13132
- C:\Windows\System\EKxTkDr.exe
  C:\Windows\System\EKxTkDr.exe
  2⤵
  PID:13148
- C:\Windows\System\mdMwizX.exe
  C:\Windows\System\mdMwizX.exe
  2⤵
  PID:13164
- C:\Windows\System\hqddDAh.exe
  C:\Windows\System\hqddDAh.exe
  2⤵
  PID:13196
- C:\Windows\System\yOnjCot.exe
  C:\Windows\System\yOnjCot.exe
  2⤵
  PID:13236
- C:\Windows\System\iaBValn.exe
  C:\Windows\System\iaBValn.exe
  2⤵
  PID:13288
- C:\Windows\System\NBgqkba.exe
  C:\Windows\System\NBgqkba.exe
  2⤵
  PID:13308
- C:\Windows\System\WxIKIFd.exe
  C:\Windows\System\WxIKIFd.exe
  2⤵
  PID:12352
- C:\Windows\System\nxHKNWZ.exe
  C:\Windows\System\nxHKNWZ.exe
  2⤵
  PID:12436
- C:\Windows\System\gRuLmhJ.exe
  C:\Windows\System\gRuLmhJ.exe
  2⤵
  PID:12400
- C:\Windows\System\xgVrKTg.exe
  C:\Windows\System\xgVrKTg.exe
  2⤵
  PID:12492
- C:\Windows\System\ZqDDyUD.exe
  C:\Windows\System\ZqDDyUD.exe
  2⤵
  PID:12600
- C:\Windows\System\hlVvWra.exe
  C:\Windows\System\hlVvWra.exe
  2⤵
  PID:12696
- C:\Windows\System\RggpshF.exe
  C:\Windows\System\RggpshF.exe
  2⤵
  PID:12764
- C:\Windows\System\AFyojJc.exe
  C:\Windows\System\AFyojJc.exe
  2⤵
  PID:12792
- C:\Windows\System\ujRBBOL.exe
  C:\Windows\System\ujRBBOL.exe
  2⤵
  PID:12840
- C:\Windows\System\gnGbxoH.exe
  C:\Windows\System\gnGbxoH.exe
  2⤵
  PID:12896
- C:\Windows\System\ruVcclK.exe
  C:\Windows\System\ruVcclK.exe
  2⤵
  PID:12936
- C:\Windows\System\kCgZdgu.exe
  C:\Windows\System\kCgZdgu.exe
  2⤵
  PID:13004
- C:\Windows\System\VeRQhEo.exe
  C:\Windows\System\VeRQhEo.exe
  2⤵
  PID:13044
- C:\Windows\System\grFGNtk.exe
  C:\Windows\System\grFGNtk.exe
  2⤵
  PID:13100
- C:\Windows\System\DqeEZaV.exe
  C:\Windows\System\DqeEZaV.exe
  2⤵
  PID:7544
- C:\Windows\System\ujXgvSd.exe
  C:\Windows\System\ujXgvSd.exe
  2⤵
  PID:13256
- C:\Windows\System\wHOwjal.exe
  C:\Windows\System\wHOwjal.exe
  2⤵
  PID:12368
- C:\Windows\System\yjUgQBf.exe
  C:\Windows\System\yjUgQBf.exe
  2⤵
  PID:12564
- C:\Windows\System\knlEfkU.exe
  C:\Windows\System\knlEfkU.exe
  2⤵
  PID:12612
- C:\Windows\System\NeaMHCi.exe
  C:\Windows\System\NeaMHCi.exe
  2⤵
  PID:12684
- C:\Windows\System\GyomNhs.exe
  C:\Windows\System\GyomNhs.exe
  2⤵
  PID:12736
- C:\Windows\System\zWMhpko.exe
  C:\Windows\System\zWMhpko.exe
  2⤵
  PID:12828
- C:\Windows\System\CPCRhag.exe
  C:\Windows\System\CPCRhag.exe
  2⤵
  PID:12968
- C:\Windows\System\qQivOFd.exe
  C:\Windows\System\qQivOFd.exe
  2⤵
  PID:13080
- C:\Windows\System\CpttUvl.exe
  C:\Windows\System\CpttUvl.exe
  2⤵
  PID:13180
- C:\Windows\System\xFnpXWL.exe
  C:\Windows\System\xFnpXWL.exe
  2⤵
  PID:12452
- C:\Windows\System\pwGYzcc.exe
  C:\Windows\System\pwGYzcc.exe
  2⤵
  PID:12728
- C:\Windows\System\KbctZcC.exe
  C:\Windows\System\KbctZcC.exe
  2⤵
  PID:12692
- C:\Windows\System\FGrZhra.exe
  C:\Windows\System\FGrZhra.exe
  2⤵
  PID:13188
- C:\Windows\System\EtBfUAz.exe
  C:\Windows\System\EtBfUAz.exe
  2⤵
  PID:12424
- C:\Windows\System\wDzNFfC.exe
  C:\Windows\System\wDzNFfC.exe
  2⤵
  PID:13336
- C:\Windows\System\osAatav.exe
  C:\Windows\System\osAatav.exe
  2⤵
  PID:13356
- C:\Windows\System\PcvgfSF.exe
  C:\Windows\System\PcvgfSF.exe
  2⤵
  PID:13388
- C:\Windows\System\giiEtTZ.exe
  C:\Windows\System\giiEtTZ.exe
  2⤵
  PID:13404
- C:\Windows\System\IZekkLf.exe
  C:\Windows\System\IZekkLf.exe
  2⤵
  PID:13452
- C:\Windows\System\GbFWaPs.exe
  C:\Windows\System\GbFWaPs.exe
  2⤵
  PID:13472
- C:\Windows\System\nHPhuaL.exe
  C:\Windows\System\nHPhuaL.exe
  2⤵
  PID:13516
- C:\Windows\System\leTxDdP.exe
  C:\Windows\System\leTxDdP.exe
  2⤵
  PID:13532
- C:\Windows\System\HbvWXcZ.exe
  C:\Windows\System\HbvWXcZ.exe
  2⤵
  PID:13580
- C:\Windows\System\CiYbhGt.exe
  C:\Windows\System\CiYbhGt.exe
  2⤵
  PID:13600
- C:\Windows\System\ZfPuQet.exe
  C:\Windows\System\ZfPuQet.exe
  2⤵
  PID:13636
- C:\Windows\System\YwIxwpu.exe
  C:\Windows\System\YwIxwpu.exe
  2⤵
  PID:13688
- C:\Windows\System\BePmItu.exe
  C:\Windows\System\BePmItu.exe
  2⤵
  PID:13712
- C:\Windows\System\XcMlune.exe
  C:\Windows\System\XcMlune.exe
  2⤵
  PID:13744
- C:\Windows\System\TiDrohd.exe
  C:\Windows\System\TiDrohd.exe
  2⤵
  PID:13804
- C:\Windows\System\GIvaTGb.exe
  C:\Windows\System\GIvaTGb.exe
  2⤵
  PID:13824
- C:\Windows\System\vnzMCtg.exe
  C:\Windows\System\vnzMCtg.exe
  2⤵
  PID:13844
- C:\Windows\System\WSjpoJX.exe
  C:\Windows\System\WSjpoJX.exe
  2⤵
  PID:13864
- C:\Windows\System\vKCMrVB.exe
  C:\Windows\System\vKCMrVB.exe
  2⤵
  PID:13884
- C:\Windows\System\LFcvHFO.exe
  C:\Windows\System\LFcvHFO.exe
  2⤵
  PID:13908
- C:\Windows\System\PluFPlC.exe
  C:\Windows\System\PluFPlC.exe
  2⤵
  PID:13932
- C:\Windows\System\inECVtw.exe
  C:\Windows\System\inECVtw.exe
  2⤵
  PID:13976
- C:\Windows\System\mkrNRVA.exe
  C:\Windows\System\mkrNRVA.exe
  2⤵
  PID:13996
- C:\Windows\System\vUlWRRR.exe
  C:\Windows\System\vUlWRRR.exe
  2⤵
  PID:14036
- C:\Windows\System\gRiCnsX.exe
  C:\Windows\System\gRiCnsX.exe
  2⤵
  PID:14076
- C:\Windows\System\YmvSvym.exe
  C:\Windows\System\YmvSvym.exe
  2⤵
  PID:14128
- C:\Windows\System\qzSLits.exe
  C:\Windows\System\qzSLits.exe
  2⤵
  PID:14152
- C:\Windows\System\npbYqRy.exe
  C:\Windows\System\npbYqRy.exe
  2⤵
  PID:14184
- C:\Windows\System\yrLFumr.exe
  C:\Windows\System\yrLFumr.exe
  2⤵
  PID:14224
- C:\Windows\System\dwZpeJs.exe
  C:\Windows\System\dwZpeJs.exe
  2⤵
  PID:14252
- C:\Windows\System\UMOvUNb.exe
  C:\Windows\System\UMOvUNb.exe
  2⤵
  PID:14288
- C:\Windows\System\qouQcWZ.exe
  C:\Windows\System\qouQcWZ.exe
  2⤵
  PID:14332
- C:\Windows\System\iMzyHnJ.exe
  C:\Windows\System\iMzyHnJ.exe
  2⤵
  PID:13028
- C:\Windows\System\hexTLCP.exe
  C:\Windows\System\hexTLCP.exe
  2⤵
  PID:13372
- C:\Windows\System\UptKxaD.exe
  C:\Windows\System\UptKxaD.exe
  2⤵
  PID:13440
- C:\Windows\System\sMGDRNl.exe
  C:\Windows\System\sMGDRNl.exe
  2⤵
  PID:13492
- C:\Windows\System\PRHAGJR.exe
  C:\Windows\System\PRHAGJR.exe
  2⤵
  PID:13560
- C:\Windows\System\bmoqsKI.exe
  C:\Windows\System\bmoqsKI.exe
  2⤵
  PID:13660
- C:\Windows\System\zwbhRUh.exe
  C:\Windows\System\zwbhRUh.exe
  2⤵
  PID:13724
- C:\Windows\System\ELHcBLv.exe
  C:\Windows\System\ELHcBLv.exe
  2⤵
  PID:13704
- C:\Windows\System\yuRbRAQ.exe
  C:\Windows\System\yuRbRAQ.exe
  2⤵
  PID:13772
- C:\Windows\System\kvYPSwH.exe
  C:\Windows\System\kvYPSwH.exe
  2⤵
  PID:13836
- C:\Windows\System\QLTlWgI.exe
  C:\Windows\System\QLTlWgI.exe
  2⤵
  PID:2104
- C:\Windows\System\RAVEWCM.exe
  C:\Windows\System\RAVEWCM.exe
  2⤵
  PID:4828
- C:\Windows\System\iyjRLCd.exe
  C:\Windows\System\iyjRLCd.exe
  2⤵
  PID:14008
- C:\Windows\System\HlUyjGM.exe
  C:\Windows\System\HlUyjGM.exe
  2⤵
  PID:14100
- C:\Windows\System\dNqAGeE.exe
  C:\Windows\System\dNqAGeE.exe
  2⤵
  PID:14220
- C:\Windows\System\KgFTwSc.exe
  C:\Windows\System\KgFTwSc.exe
  2⤵
  PID:3452
- C:\Windows\System\BpIGXxC.exe
  C:\Windows\System\BpIGXxC.exe
  2⤵
  PID:14196
- C:\Windows\System\eoHAkHv.exe
  C:\Windows\System\eoHAkHv.exe
  2⤵
  PID:3024
- C:\Windows\System\iUciuoI.exe
  C:\Windows\System\iUciuoI.exe
  2⤵
  PID:12884
- C:\Windows\System\cazeMcZ.exe
  C:\Windows\System\cazeMcZ.exe
  2⤵
  PID:12744
- C:\Windows\System\qbiTIIY.exe
  C:\Windows\System\qbiTIIY.exe
  2⤵
  PID:13432
- C:\Windows\System\JVRptmk.exe
  C:\Windows\System\JVRptmk.exe
  2⤵
  PID:13480
- C:\Windows\System\RkTAbIf.exe
  C:\Windows\System\RkTAbIf.exe
  2⤵
  PID:13620
- C:\Windows\System\QnKWdDT.exe
  C:\Windows\System\QnKWdDT.exe
  2⤵
  PID:896
- C:\Windows\System\duAiffS.exe
  C:\Windows\System\duAiffS.exe
  2⤵
  PID:844
- C:\Windows\System\vPTpXSm.exe
  C:\Windows\System\vPTpXSm.exe
  2⤵
  PID:13876
- C:\Windows\System\DEUqtau.exe
  C:\Windows\System\DEUqtau.exe
  2⤵
  PID:13816
- C:\Windows\System\fktSXMe.exe
  C:\Windows\System\fktSXMe.exe
  2⤵
  PID:13940
- C:\Windows\System\kEKcgHP.exe
  C:\Windows\System\kEKcgHP.exe
  2⤵
  PID:2732
- C:\Windows\System\UrgZdkn.exe
  C:\Windows\System\UrgZdkn.exe
  2⤵
  PID:14060
- C:\Windows\System\MTpUHYa.exe
  C:\Windows\System\MTpUHYa.exe
  2⤵
  PID:1840
- C:\Windows\System\oHwrSkE.exe
  C:\Windows\System\oHwrSkE.exe
  2⤵
  PID:12476
- C:\Windows\System\EMSrwgm.exe
  C:\Windows\System\EMSrwgm.exe
  2⤵
  PID:13676
- C:\Windows\System\SkExLWf.exe
  C:\Windows\System\SkExLWf.exe
  2⤵
  PID:2976
- C:\Windows\System\vcOeyDv.exe
  C:\Windows\System\vcOeyDv.exe
  2⤵
  PID:4764
- C:\Windows\System\uPWtzdH.exe
  C:\Windows\System\uPWtzdH.exe
  2⤵
  PID:3144
- C:\Windows\System\LbbRwSF.exe
  C:\Windows\System\LbbRwSF.exe
  2⤵
  PID:3656
- C:\Windows\System\tAuexii.exe
  C:\Windows\System\tAuexii.exe
  2⤵
  PID:1624
- C:\Windows\System\RuLqFSd.exe
  C:\Windows\System\RuLqFSd.exe
  2⤵
  PID:488
- C:\Windows\System\BzAAVxz.exe
  C:\Windows\System\BzAAVxz.exe
  2⤵
  PID:1620
- C:\Windows\System\iEnLsQg.exe
  C:\Windows\System\iEnLsQg.exe
  2⤵
  PID:13592
- C:\Windows\System\eVeWoDZ.exe
  C:\Windows\System\eVeWoDZ.exe
  2⤵
  PID:1084
- C:\Windows\System\LPdeFrU.exe
  C:\Windows\System\LPdeFrU.exe
  2⤵
  PID:808
- C:\Windows\System\AcadsMT.exe
  C:\Windows\System\AcadsMT.exe
  2⤵
  PID:2056
- C:\Windows\System\KtvGSYk.exe
  C:\Windows\System\KtvGSYk.exe
  2⤵
  PID:4320
- C:\Windows\System\FCItImw.exe
  C:\Windows\System\FCItImw.exe
  2⤵
  PID:1820
- C:\Windows\System\bPkACWv.exe
  C:\Windows\System\bPkACWv.exe
  2⤵
  PID:14348
- C:\Windows\System\keDsiyQ.exe
  C:\Windows\System\keDsiyQ.exe
  2⤵
  PID:14384
- C:\Windows\System\FMFzwfX.exe
  C:\Windows\System\FMFzwfX.exe
  2⤵
  PID:14416
- C:\Windows\System\UHhCoSM.exe
  C:\Windows\System\UHhCoSM.exe
  2⤵
  PID:14444
- C:\Windows\System\baTstDj.exe
  C:\Windows\System\baTstDj.exe
  2⤵
  PID:14480
- C:\Windows\System\Rqoilbi.exe
  C:\Windows\System\Rqoilbi.exe
  2⤵
  PID:14512
- C:\Windows\System\VmQPgIL.exe
  C:\Windows\System\VmQPgIL.exe
  2⤵
  PID:14532
- C:\Windows\System\eEwLRZA.exe
  C:\Windows\System\eEwLRZA.exe
  2⤵
  PID:14548
- C:\Windows\System\raEuTab.exe
  C:\Windows\System\raEuTab.exe
  2⤵
  PID:14572
- C:\Windows\System\tjGlbnc.exe
  C:\Windows\System\tjGlbnc.exe
  2⤵
  PID:14592
- C:\Windows\System\pMnhsmF.exe
  C:\Windows\System\pMnhsmF.exe
  2⤵
  PID:14624
- C:\Windows\System\UHMEdKA.exe
  C:\Windows\System\UHMEdKA.exe
  2⤵
  PID:14660
- C:\Windows\System\OTaEgiG.exe
  C:\Windows\System\OTaEgiG.exe
  2⤵
  PID:14704
- C:\Windows\System\vdskyBF.exe
  C:\Windows\System\vdskyBF.exe
  2⤵
  PID:14740
- C:\Windows\System\vjcjuyB.exe
  C:\Windows\System\vjcjuyB.exe
  2⤵
  PID:14792
- C:\Windows\System\icNYBNq.exe
  C:\Windows\System\icNYBNq.exe
  2⤵
  PID:14812
- C:\Windows\System\zjxfbIQ.exe
  C:\Windows\System\zjxfbIQ.exe
  2⤵
  PID:14832
- C:\Windows\System\VUFAurQ.exe
  C:\Windows\System\VUFAurQ.exe
  2⤵
  PID:14868
- C:\Windows\System\PzzMgwo.exe
  C:\Windows\System\PzzMgwo.exe
  2⤵
  PID:14924
- C:\Windows\System\lZXYkCS.exe
  C:\Windows\System\lZXYkCS.exe
  2⤵
  PID:14952
- C:\Windows\System\iUGdyzc.exe
  C:\Windows\System\iUGdyzc.exe
  2⤵
  PID:14976
- C:\Windows\System\uffKaCR.exe
  C:\Windows\System\uffKaCR.exe
  2⤵
  PID:15016
- C:\Windows\System\SUfiqWL.exe
  C:\Windows\System\SUfiqWL.exe
  2⤵
  PID:15056
- C:\Windows\System\naKvZZZ.exe
  C:\Windows\System\naKvZZZ.exe
  2⤵
  PID:15088
- C:\Windows\System\bsuwMCf.exe
  C:\Windows\System\bsuwMCf.exe
  2⤵
  PID:15120
- C:\Windows\System\xDKNOPX.exe
  C:\Windows\System\xDKNOPX.exe
  2⤵
  PID:15152
- C:\Windows\System\UzYgGyn.exe
  C:\Windows\System\UzYgGyn.exe
  2⤵
  PID:15172
- C:\Windows\System\nkSKhUM.exe
  C:\Windows\System\nkSKhUM.exe
  2⤵
  PID:15192
- C:\Windows\System\RVVVvHw.exe
  C:\Windows\System\RVVVvHw.exe
  2⤵
  PID:15232
- C:\Windows\System\gRyCufp.exe
  C:\Windows\System\gRyCufp.exe
  2⤵
  PID:15276
- C:\Windows\System\VUEbXFK.exe
  C:\Windows\System\VUEbXFK.exe
  2⤵
  PID:15312
- C:\Windows\System\IUOqxem.exe
  C:\Windows\System\IUOqxem.exe
  2⤵
  PID:15352
- C:\Windows\System\WktlxCs.exe
  C:\Windows\System\WktlxCs.exe
  2⤵
  PID:13860
- C:\Windows\System\wzVoIYa.exe
  C:\Windows\System\wzVoIYa.exe
  2⤵
  PID:14356
- C:\Windows\System\TUjKnWe.exe
  C:\Windows\System\TUjKnWe.exe
  2⤵
  PID:14460
- C:\Windows\System\mkSrLwm.exe
  C:\Windows\System\mkSrLwm.exe
  2⤵
  PID:14504
- C:\Windows\System\HzjXmma.exe
  C:\Windows\System\HzjXmma.exe
  2⤵
  PID:13920
- C:\Windows\System\DmHSEqn.exe
  C:\Windows\System\DmHSEqn.exe
  2⤵
  PID:14696
- C:\Windows\System\sRDJSVe.exe
  C:\Windows\System\sRDJSVe.exe
  2⤵
  PID:14756
- C:\Windows\System\pdqPtRz.exe
  C:\Windows\System\pdqPtRz.exe
  2⤵
  PID:14728
- C:\Windows\System\NWMPBau.exe
  C:\Windows\System\NWMPBau.exe
  2⤵
  PID:14804
- C:\Windows\System\TNFveeR.exe
  C:\Windows\System\TNFveeR.exe
  2⤵
  PID:14908
- C:\Windows\System\RcMEQHR.exe
  C:\Windows\System\RcMEQHR.exe
  2⤵
  PID:14968
- C:\Windows\System\fJhzWMc.exe
  C:\Windows\System\fJhzWMc.exe
  2⤵
  PID:14996
- C:\Windows\System\DhbSgth.exe
  C:\Windows\System\DhbSgth.exe
  2⤵
  PID:15084
- C:\Windows\System\zkcdWIQ.exe
  C:\Windows\System\zkcdWIQ.exe
  2⤵
  PID:15076
- C:\Windows\System\jzSEXuZ.exe
  C:\Windows\System\jzSEXuZ.exe
  2⤵
  PID:15248
- C:\Windows\System\rnPuDmN.exe
  C:\Windows\System\rnPuDmN.exe
  2⤵
  PID:15300
- C:\Windows\System\FIihEqq.exe
  C:\Windows\System\FIihEqq.exe
  2⤵
  PID:2000
- C:\Windows\System\vJnXZQU.exe
  C:\Windows\System\vJnXZQU.exe
  2⤵
  PID:14364
- C:\Windows\System\aZfmGsO.exe
  C:\Windows\System\aZfmGsO.exe
  2⤵
  PID:14428
- C:\Windows\System\jObgKzB.exe
  C:\Windows\System\jObgKzB.exe
  2⤵
  PID:14648
- C:\Windows\System\ydRDKFb.exe
  C:\Windows\System\ydRDKFb.exe
  2⤵
  PID:14784
- C:\Windows\System\QlklhtZ.exe
  C:\Windows\System\QlklhtZ.exe
  2⤵
  PID:14860
- C:\Windows\System\qLDWtdU.exe
  C:\Windows\System\qLDWtdU.exe
  2⤵
  PID:15036
- C:\Windows\System\tCYMsDR.exe
  C:\Windows\System\tCYMsDR.exe
  2⤵
  PID:15148
- C:\Windows\System\bqgAzan.exe
  C:\Windows\System\bqgAzan.exe
  2⤵
  PID:15268
- C:\Windows\System\oSBjcha.exe
  C:\Windows\System\oSBjcha.exe
  2⤵
  PID:14408
- C:\Windows\System\WOimTUj.exe
  C:\Windows\System\WOimTUj.exe
  2⤵
  PID:6484
- C:\Windows\System\UXEwgVf.exe
  C:\Windows\System\UXEwgVf.exe
  2⤵
  PID:14848
- C:\Windows\System\gbLSTQM.exe
  C:\Windows\System\gbLSTQM.exe
  2⤵
  PID:6320
- C:\Windows\System\SNaSESV.exe
  C:\Windows\System\SNaSESV.exe
  2⤵
  PID:14900
- C:\Windows\System\DrrZQqo.exe
  C:\Windows\System\DrrZQqo.exe
  2⤵
  PID:15256
- C:\Windows\System\QCtTicH.exe
  C:\Windows\System\QCtTicH.exe
  2⤵
  PID:1648
- C:\Windows\System\BUwXXJB.exe
  C:\Windows\System\BUwXXJB.exe
  2⤵
  PID:6288
- C:\Windows\System\unvVKqT.exe
  C:\Windows\System\unvVKqT.exe
  2⤵
  PID:15224
- C:\Windows\System\wBqIyfF.exe
  C:\Windows\System\wBqIyfF.exe
  2⤵
  PID:6616
- C:\Windows\System\sWfntou.exe
  C:\Windows\System\sWfntou.exe
  2⤵
  PID:15328
- C:\Windows\System\OsBnwZE.exe
  C:\Windows\System\OsBnwZE.exe
  2⤵
  PID:15376
- C:\Windows\System\tApzjUm.exe
  C:\Windows\System\tApzjUm.exe
  2⤵
  PID:15396
- C:\Windows\System\uBZhODm.exe
  C:\Windows\System\uBZhODm.exe
  2⤵
  PID:15424
- C:\Windows\System\bumCbfN.exe
  C:\Windows\System\bumCbfN.exe
  2⤵
  PID:15472
- C:\Windows\System\SJoEkFW.exe
  C:\Windows\System\SJoEkFW.exe
  2⤵
  PID:15488
- C:\Windows\System\KZnIDTh.exe
  C:\Windows\System\KZnIDTh.exe
  2⤵
  PID:15520
- C:\Windows\System\MHivdmU.exe
  C:\Windows\System\MHivdmU.exe
  2⤵
  PID:15548
- C:\Windows\System\LadxAGL.exe
  C:\Windows\System\LadxAGL.exe
  2⤵
  PID:15584
- C:\Windows\System\SydkPrW.exe
  C:\Windows\System\SydkPrW.exe
  2⤵
  PID:15616
- C:\Windows\System\ZVmqMeD.exe
  C:\Windows\System\ZVmqMeD.exe
  2⤵
  PID:15632
- C:\Windows\System\HBakzei.exe
  C:\Windows\System\HBakzei.exe
  2⤵
  PID:15660
- C:\Windows\System\DgSMPVf.exe
  C:\Windows\System\DgSMPVf.exe
  2⤵
  PID:15696
- C:\Windows\System\gTbxCue.exe
  C:\Windows\System\gTbxCue.exe
  2⤵
  PID:15712
- C:\Windows\System\AnocWVs.exe
  C:\Windows\System\AnocWVs.exe
  2⤵
  PID:15728
- C:\Windows\System\VSJtsbe.exe
  C:\Windows\System\VSJtsbe.exe
  2⤵
  PID:15744
- C:\Windows\System\vXZdaXn.exe
  C:\Windows\System\vXZdaXn.exe
  2⤵
  PID:15760
- C:\Windows\System\CRbAlFD.exe
  C:\Windows\System\CRbAlFD.exe
  2⤵
  PID:15780
- C:\Windows\System\djimFit.exe
  C:\Windows\System\djimFit.exe
  2⤵
  PID:15824
- C:\Windows\System\HBHXMrQ.exe
  C:\Windows\System\HBHXMrQ.exe
  2⤵
  PID:15840
- C:\Windows\System\TptxVJm.exe
  C:\Windows\System\TptxVJm.exe
  2⤵
  PID:15872
- C:\Windows\System\QAaFizR.exe
  C:\Windows\System\QAaFizR.exe
  2⤵
  PID:15940
- C:\Windows\System\uSRunbg.exe
  C:\Windows\System\uSRunbg.exe
  2⤵
  PID:15992
- C:\Windows\System\qayVFmm.exe
  C:\Windows\System\qayVFmm.exe
  2⤵
  PID:16016
- C:\Windows\System\hPIIBsv.exe
  C:\Windows\System\hPIIBsv.exe
  2⤵
  PID:16036
- C:\Windows\System\uZgYVLx.exe
  C:\Windows\System\uZgYVLx.exe
  2⤵
  PID:16064
- C:\Windows\System\gmFCamD.exe
  C:\Windows\System\gmFCamD.exe
  2⤵
  PID:16096
- C:\Windows\System\bhewkcx.exe
  C:\Windows\System\bhewkcx.exe
  2⤵
  PID:16124
- C:\Windows\System\KAnSKhN.exe
  C:\Windows\System\KAnSKhN.exe
  2⤵
  PID:16144
- C:\Windows\System\YciBwtM.exe
  C:\Windows\System\YciBwtM.exe
  2⤵
  PID:16224
- C:\Windows\System\pWtlNHi.exe
  C:\Windows\System\pWtlNHi.exe
  2⤵
  PID:16276
- C:\Windows\System\HbZMnqT.exe
  C:\Windows\System\HbZMnqT.exe
  2⤵
  PID:16320
- C:\Windows\System\ArCpzWM.exe
  C:\Windows\System\ArCpzWM.exe
  2⤵
  PID:16340
- C:\Windows\System\zFjUrlB.exe
  C:\Windows\System\zFjUrlB.exe
  2⤵
  PID:16372
- C:\Windows\System\EWiAnSu.exe
  C:\Windows\System\EWiAnSu.exe
  2⤵
  PID:15456
- C:\Windows\System\ceNfdWC.exe
  C:\Windows\System\ceNfdWC.exe
  2⤵
  PID:15504
- C:\Windows\System\ThyzJDq.exe
  C:\Windows\System\ThyzJDq.exe
  2⤵
  PID:15596
- C:\Windows\System\SiTtaCh.exe
  C:\Windows\System\SiTtaCh.exe
  2⤵
  PID:15608
- C:\Windows\System\qbosTeq.exe
  C:\Windows\System\qbosTeq.exe
  2⤵
  PID:15652
- C:\Windows\System\eUmkwVX.exe
  C:\Windows\System\eUmkwVX.exe
  2⤵
  PID:15688
- C:\Windows\System\COGIemp.exe
  C:\Windows\System\COGIemp.exe
  2⤵
  PID:15792
- C:\Windows\System\PqTzDtu.exe
  C:\Windows\System\PqTzDtu.exe
  2⤵
  PID:15916
- C:\Windows\System\bNWeAba.exe
  C:\Windows\System\bNWeAba.exe
  2⤵
  PID:7516
- C:\Windows\System\IgRfKHJ.exe
  C:\Windows\System\IgRfKHJ.exe
  2⤵
  PID:15924
- C:\Windows\System\nwEStqC.exe
  C:\Windows\System\nwEStqC.exe
  2⤵
  PID:16108
- C:\Windows\System\CuwkJoa.exe
  C:\Windows\System\CuwkJoa.exe
  2⤵
  PID:16168
- C:\Windows\System\stPTRUJ.exe
  C:\Windows\System\stPTRUJ.exe
  2⤵
  PID:16268
- C:\Windows\System\xTqLAfz.exe
  C:\Windows\System\xTqLAfz.exe
  2⤵
  PID:16236
- C:\Windows\System\HHfaWIR.exe
  C:\Windows\System\HHfaWIR.exe
  2⤵
  PID:16360
- C:\Windows\System\EGsIQfx.exe
  C:\Windows\System\EGsIQfx.exe
  2⤵
  PID:15384
- C:\Windows\System\MnBZCQY.exe
  C:\Windows\System\MnBZCQY.exe
  2⤵
  PID:15568
- C:\Windows\System\veMPzIW.exe
  C:\Windows\System\veMPzIW.exe
  2⤵
  PID:4996
- C:\Windows\System\WsVTWLU.exe
  C:\Windows\System\WsVTWLU.exe
  2⤵
  PID:15684
- C:\Windows\System\WCIXhYp.exe
  C:\Windows\System\WCIXhYp.exe
  2⤵
  PID:15808
- C:\Windows\System\HZGtcWa.exe
  C:\Windows\System\HZGtcWa.exe
  2⤵
  PID:15852
- C:\Windows\System\IpCmuZP.exe
  C:\Windows\System\IpCmuZP.exe
  2⤵
  PID:15920
- C:\Windows\System\ajXKVIX.exe
  C:\Windows\System\ajXKVIX.exe
  2⤵
  PID:16200
- C:\Windows\System\IdSJaOL.exe
  C:\Windows\System\IdSJaOL.exe
  2⤵
  PID:16312
- C:\Windows\System\ALsZHLi.exe
  C:\Windows\System\ALsZHLi.exe
  2⤵
  PID:15484
- C:\Windows\System\efnoIGq.exe
  C:\Windows\System\efnoIGq.exe
  2⤵
  PID:760
- C:\Windows\System\BicbeEN.exe
  C:\Windows\System\BicbeEN.exe
  2⤵
  PID:15928
- C:\Windows\System\MCbrLIz.exe
  C:\Windows\System\MCbrLIz.exe
  2⤵
  PID:16088
- C:\Windows\System\qXrdkeI.exe
  C:\Windows\System\qXrdkeI.exe
  2⤵
  PID:15480
- C:\Windows\System\QzkezLs.exe
  C:\Windows\System\QzkezLs.exe
  2⤵
  PID:15676
- C:\Windows\System\QQojIKr.exe
  C:\Windows\System\QQojIKr.exe
  2⤵
  PID:15976
- C:\Windows\System\LFWePFf.exe
  C:\Windows\System\LFWePFf.exe
  2⤵
  PID:2276
- C:\Windows\System\WPJlLEi.exe
  C:\Windows\System\WPJlLEi.exe
  2⤵
  PID:1504
- C:\Windows\System\CQXDCrr.exe
  C:\Windows\System\CQXDCrr.exe
  2⤵
  PID:1236
- C:\Windows\System\qMefRAK.exe
  C:\Windows\System\qMefRAK.exe
  2⤵
  PID:16116
- C:\Windows\System\CUPkRDd.exe
  C:\Windows\System\CUPkRDd.exe
  2⤵
  PID:1848
- C:\Windows\System\OCEKvfg.exe
  C:\Windows\System\OCEKvfg.exe
  2⤵
  PID:16412
- C:\Windows\System\HfTtpei.exe
  C:\Windows\System\HfTtpei.exe
  2⤵
  PID:16428
- C:\Windows\System\SgrqMOZ.exe
  C:\Windows\System\SgrqMOZ.exe
  2⤵
  PID:16476
- C:\Windows\System\xAstTVA.exe
  C:\Windows\System\xAstTVA.exe
  2⤵
  PID:16508
- C:\Windows\System\wiLJufG.exe
  C:\Windows\System\wiLJufG.exe
  2⤵
  PID:16556
- C:\Windows\System\yGoFFKx.exe
  C:\Windows\System\yGoFFKx.exe
  2⤵
  PID:16572
- C:\Windows\System\uiKXwDN.exe
  C:\Windows\System\uiKXwDN.exe
  2⤵
  PID:16604
- C:\Windows\System\KzmxQTw.exe
  C:\Windows\System\KzmxQTw.exe
  2⤵
  PID:16640
- C:\Windows\System\tMrsDEL.exe
  C:\Windows\System\tMrsDEL.exe
  2⤵
  PID:16672
- C:\Windows\System\tGxbqJR.exe
  C:\Windows\System\tGxbqJR.exe
  2⤵
  PID:16692
- C:\Windows\System\lkOdoBS.exe
  C:\Windows\System\lkOdoBS.exe
  2⤵
  PID:16740
- C:\Windows\System\ahAnVbB.exe
  C:\Windows\System\ahAnVbB.exe
  2⤵
  PID:16772
- C:\Windows\System\NInMjoZ.exe
  C:\Windows\System\NInMjoZ.exe
  2⤵
  PID:16804
- C:\Windows\System\QlYzLdf.exe
  C:\Windows\System\QlYzLdf.exe
  2⤵
  PID:16828
- C:\Windows\System\xSvitdj.exe
  C:\Windows\System\xSvitdj.exe
  2⤵
  PID:16864
- C:\Windows\System\ecRPfKP.exe
  C:\Windows\System\ecRPfKP.exe
  2⤵
  PID:16888
- C:\Windows\System\mbIWuJA.exe
  C:\Windows\System\mbIWuJA.exe
  2⤵
  PID:16928
- C:\Windows\System\iUyNLtR.exe
  C:\Windows\System\iUyNLtR.exe
  2⤵
  PID:16980
- C:\Windows\System\KInyjRk.exe
  C:\Windows\System\KInyjRk.exe
  2⤵
  PID:17024
- C:\Windows\System\OlWjUft.exe
  C:\Windows\System\OlWjUft.exe
  2⤵
  PID:17044
- C:\Windows\System\BUSoIoI.exe
  C:\Windows\System\BUSoIoI.exe
  2⤵
  PID:17076
- C:\Windows\System\UdgdysT.exe
  C:\Windows\System\UdgdysT.exe
  2⤵
  PID:17108
- C:\Windows\System\BgBtmrw.exe
  C:\Windows\System\BgBtmrw.exe
  2⤵
  PID:17140
- C:\Windows\System\oItmVKA.exe
  C:\Windows\System\oItmVKA.exe
  2⤵
  PID:17188
- C:\Windows\System\dzlWPqM.exe
  C:\Windows\System\dzlWPqM.exe
  2⤵
  PID:17204
- C:\Windows\System\AAYHxdH.exe
  C:\Windows\System\AAYHxdH.exe
  2⤵
  PID:17232
- C:\Windows\System\REeDghQ.exe
  C:\Windows\System\REeDghQ.exe
  2⤵
  PID:17264
- C:\Windows\System\adOZBYb.exe
  C:\Windows\System\adOZBYb.exe
  2⤵
  PID:17300
- C:\Windows\System\FzjrSWc.exe
  C:\Windows\System\FzjrSWc.exe
  2⤵
  PID:17320
- C:\Windows\System\cCTkpYs.exe
  C:\Windows\System\cCTkpYs.exe
  2⤵
  PID:17364
- C:\Windows\System\WtnpdDV.exe
  C:\Windows\System\WtnpdDV.exe
  2⤵
  PID:17400
- C:\Windows\System\sNcgCVh.exe
  C:\Windows\System\sNcgCVh.exe
  2⤵
  PID:16392
- C:\Windows\System\kPfgyyo.exe
  C:\Windows\System\kPfgyyo.exe
  2⤵
  PID:16460
- C:\Windows\System\wMmOzJl.exe
  C:\Windows\System\wMmOzJl.exe
  2⤵
  PID:4548
- C:\Windows\System\YdchjNc.exe
  C:\Windows\System\YdchjNc.exe
  2⤵
  PID:16540
- C:\Windows\System\JlevcdR.exe
  C:\Windows\System\JlevcdR.exe
  2⤵
  PID:16588
- C:\Windows\System\kGKYaxt.exe
  C:\Windows\System\kGKYaxt.exe
  2⤵
  PID:16656
- C:\Windows\System\lFhVXcm.exe
  C:\Windows\System\lFhVXcm.exe
  2⤵
  PID:16708
- C:\Windows\System\MKuLOKY.exe
  C:\Windows\System\MKuLOKY.exe
  2⤵
  PID:16788
- C:\Windows\System\NlZMwou.exe
  C:\Windows\System\NlZMwou.exe
  2⤵
  PID:3304
- C:\Windows\System\VkeiTOh.exe
  C:\Windows\System\VkeiTOh.exe
  2⤵
  PID:15368
- C:\Windows\System\RBjmAEM.exe
  C:\Windows\System\RBjmAEM.exe
  2⤵
  PID:16920
- C:\Windows\System\qbHFThP.exe
  C:\Windows\System\qbHFThP.exe
  2⤵
  PID:3696
- C:\Windows\System\xJTZaaW.exe
  C:\Windows\System\xJTZaaW.exe
  2⤵
  PID:17000
- C:\Windows\System\NCPkWCm.exe
  C:\Windows\System\NCPkWCm.exe
  2⤵
  PID:17032
- C:\Windows\System\PHdzrle.exe
  C:\Windows\System\PHdzrle.exe
  2⤵
  PID:17128
- C:\Windows\System\sXkUXWf.exe
  C:\Windows\System\sXkUXWf.exe
  2⤵
  PID:17156
- C:\Windows\System\fHWFFdv.exe
  C:\Windows\System\fHWFFdv.exe
  2⤵
  PID:17252
- C:\Windows\System\YRHHWPV.exe
  C:\Windows\System\YRHHWPV.exe
  2⤵
  PID:17348
- C:\Windows\System\mEREEGi.exe
  C:\Windows\System\mEREEGi.exe
  2⤵
  PID:17384
- C:\Windows\System\vStYvft.exe
  C:\Windows\System\vStYvft.exe
  2⤵
  PID:16400
- C:\Windows\System\HdoQmpM.exe
  C:\Windows\System\HdoQmpM.exe
  2⤵
  PID:4984
- C:\Windows\System\HrFYCLo.exe
  C:\Windows\System\HrFYCLo.exe
  2⤵
  PID:16488

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EVMypLp.exe

Filesize
5.7MB

MD5
ddb5a1e5a2055263bb3b236d1ca3cf1b

SHA1
f105757e06ee617caf525cdff3001bc22eda943f

SHA256
b3a1df2527d35b2579b7b78d0813f1ff1c73d7fd7d4eefa68be97ea71914e459

SHA512
6ad7957422582eabdc41640bdf43918e1f862c205fac1d4b19f5886417a452778dcf9c5f1487283aaff1cf213e3a23703bae82ca0394cfcfdef7dad7e616f728

Download Submit
C:\Windows\System\FBVpCpf.exe

Filesize
5.7MB

MD5
1c8486b338e44f2929eded3ff9a89b17

SHA1
5a123d2585782e28f706cdf6e438d498c5223534

SHA256
b115929a1e7e55c8090d59017c041da8fb5a3004a65d8c5381f431ce750be2d8

SHA512
0030cdc3c3515b341405d1a04a6c7260d6e96420350b533911222f602ef6ceb1927fabb4904872d4dca8b5327a382ab27a7b0e39dae20096e8603daa7a1ebc65

Download Submit
C:\Windows\System\FHPbyvB.exe

Filesize
5.7MB

MD5
9244317712c9c9332abe940264216b90

SHA1
ffc294bd4d71c9b90c0906c4eec5f6c968a6c1e4

SHA256
4334c778804c6787d9bf04dcd5a98811d36872c81b8f946cd3e4a98c548020f7

SHA512
e2edf1b961be9755ed07cbc6ef96b2c944f7193ce40d9d6d8c4a3d4107cddefdc2826e277f356e42c3e7a77f23d867166933370e452ee5d03efe8c7f40d2447f

Download Submit
C:\Windows\System\GGBtTsN.exe

Filesize
5.7MB

MD5
1feb741b2c17abbca53a45d8f1d8fe2d

SHA1
16d057ef6b967c7b9e511330edf9eee37c1d9f4a

SHA256
0c145b16d3f79dbea74d7749648c9a4b784cb6ffceb90d12e06cdc77c9b081d3

SHA512
40ce157165aca631532f39094c88037455d7987ed8f3e6000b82de6f7d7d5e6a2bee165a51efff95437be7fd29dafa0de1a3ca327f2b1dbc4b3d774f6da0537d

Download Submit
C:\Windows\System\HhvCEvf.exe

Filesize
5.7MB

MD5
4bb3e40799cc6272b893ee4f04e99548

SHA1
52f7ccfcb4936d8d58bee7b40b70dae1027f566e

SHA256
5a84d5913d56aa4d7be730efd4dfc2c6e06cd06819ea2e03e7d356a981375100

SHA512
a34f185483367e98a0a20d8d15d920ad30643433e8ffeb1a99f591f71a0e1aa0ba0c16bfae962f1fe57641b77ef355d28f8dc64bc5d337b1c748d23a03ec7493

Download Submit
C:\Windows\System\IodXMPm.exe

Filesize
5.7MB

MD5
76dd4c94d413459efaca3f7a0e64df7a

SHA1
29de64e422ddc918841a0972bdb5f3f6e0fd8f9d

SHA256
ee74d85fd132c2f9618eef5f614759b5bba6ac13d627f13998e47668018aae6d

SHA512
325468e4bd276347b8b9f94badde046fc5a64d24bf7eda6d57be3d4029eddf2e1fb00bd7112c449e70522422bb0fdabd13525668560d5ec8d254cd386ee14d8a

Download Submit
C:\Windows\System\OKAFcTR.exe

Filesize
5.7MB

MD5
eb3829a006e5e68c0467568583a79640

SHA1
08a5ca681415724c7da18b57fa3d13a006b4b114

SHA256
416db3ea259a5b2eb81825edb488f2e926b9dbd5a0b3b89ca6e49c37adf80549

SHA512
ae554a32ae238169d3cf0a8008a6e2f16c7e3ca2381417736348a32d5073b54a8322f18227a8b6da9e2879279984332d39db34a08022de4a409bee38a38b3929

Download Submit
C:\Windows\System\OrHbder.exe

Filesize
5.7MB

MD5
75853a32e5e08dd7a791fe797dfafaa9

SHA1
8433325627dedf30f54433e7d803205a51cbcd72

SHA256
21c5285bc42dc10be08dd82e76b792796c3db3f001896b7e9187bbc5e8c9a783

SHA512
2c39bd1b7ed270c6c2bd34ec2d2f2b6f92ddc176808e0e4d1f2e7f1480ae160ace0895489a079d4019d249c99b556841eb494bd999bf5a1f268b4cd008c947a4

Download Submit
C:\Windows\System\PkgYzjq.exe

Filesize
5.7MB

MD5
0b3eb45be9d6ead3fb32979f57ce6902

SHA1
e853e49c9842bfcebf2cca3ddf1fd95e8bf4405a

SHA256
5fa7587da300585a517247f1d1837e5247bc3de22cd1488264491fdc4a0702e2

SHA512
f44e3a4387f76ec0ca09cc596bdad4de9136ccfa9f93b6f60aa503ff030594c3e7b12e1183583b5bf4dbfab14f1b160b207e096a976bae250325620a0bf288b6

Download Submit
C:\Windows\System\PlCUzcU.exe

Filesize
5.7MB

MD5
dc972f031970ddb29f6335b75aafd04f

SHA1
d66406f153d90f2c3d4f1606b469380217c1bf88

SHA256
6b23c6a2c2f2c8cfcb4be4577a5e85891f8b847077880eed2dc16fac6a086b7c

SHA512
8a9bab8ff841117b4c69f7c5ae79714b36d0275b8de24eabff439765d19186d3b97f63f9136159edfac81f2502156cc7da56169f25e6ea7e03b716afe990382b

Download Submit
C:\Windows\System\QDfanjj.exe

Filesize
5.7MB

MD5
1842906bc99d957bd18d97d514b39289

SHA1
612bedda57c277b5b4c24ffff4210c3ca300148f

SHA256
547c1a2202f982c0f3173a7e9143da5412cee15116485e881f002b5d3c62a25c

SHA512
87ed5999d71f511f2e7f95bc670989a16ed7761f68baaab374c8129332bece625e8da455dff12f14f5c7e3c451d3108cef0d03a149f4b27d6a946adae25c101f

Download Submit
C:\Windows\System\QVMCdfa.exe

Filesize
5.7MB

MD5
943b49907504c264d35ae510f8b85b94

SHA1
2b873ff439f263987632229e97e9c0ccb037f42d

SHA256
d7e9415d6579c790ac1437ad6839c1b2df075a2a08962f03242df396d67e8446

SHA512
d5901cb9b71571b2e45014e2de842bc7bcc9424953dcabef5137c82e93e5f2935eacb277e5a76d7373a6058ad883337d7401b674f5fab27e5764a79a59595f69

Download Submit
C:\Windows\System\TiWNehc.exe

Filesize
5.7MB

MD5
1dc479d6469216927bcd9554bcc2795a

SHA1
79e1c5e8f000068eecfaac8f5ff0c100a6210ff5

SHA256
369754340eb4b210e900bfa66cc5ee9e14014ababb67eae4c031fda174e89c83

SHA512
a803c25814fb46bc8a69ab3bbc2034cbb5b5b88d9fd11de7be5bf94769362675ed890dce46845f3b5c16750d0c6480a2ca136defd257e04c1dde3ed46b722886

Download Submit
C:\Windows\System\UEKkDgF.exe

Filesize
5.7MB

MD5
627b8ca585b0c2ce02fdf3bced5d14d6

SHA1
f24f95f1ef64149d3717cce2843ad8deadd32433

SHA256
dcc52f92e75ef0b880c762b598eabfc22ef796b7cf0b64f07726ce62d6cc7ab9

SHA512
5dbe56010cd84d98c7e361c64df43ae1d5e39f01397f742fdb99b59d6ecd20dacd51af5b372af81d4edb83c44b3b0b5beaca251488831ffc772fb42ef19f383d

Download Submit
C:\Windows\System\bAVZUkx.exe

Filesize
5.7MB

MD5
918f564c7712f3ff84d5a3a2d17e4168

SHA1
19585fede9b4c9f90d9f36118b70e6cf569be7d2

SHA256
8e9b5545def149d2fb002426e038c15df61cdb6beaf2fdf2b748db2db73bb15c

SHA512
1bb1634dee3d42411f0ec44ec600355ad88e7ab82125ffee79ff1feb625248639c3305ab7d2a7939465627341b110ac9ab036515a81113a8d0190d65a4a67c9a

Download Submit
C:\Windows\System\clnKnfQ.exe

Filesize
5.7MB

MD5
f254a064c51b52bbd170877d0467f6a2

SHA1
9b97729f52683ed6c1d627ce0bbc49859ed5baa8

SHA256
9f8c3a29b7b4198439e406d5ff5770b2f3a9978b5d0a7c5335976928f545639d

SHA512
6917586a0ba16b41a13c363b1259a39b35e0b5cf491d28cf087a54921d7b548f8a9cce45968f590faf05c9e29dd22685a7327070de2dfd7f700de4ae1ca00712

Download Submit
C:\Windows\System\dmBNYnH.exe

Filesize
5.7MB

MD5
aa67ab1e66a1e095ddb66da72fa07392

SHA1
4e36b1d685fc371f959123fdcb77a76c4e6d7781

SHA256
38d3e55838a97850f14ab83ee3ecf108ce91556067aec8dd8177a983b0a845da

SHA512
158c6458d6045f91f3692fac7661c06b96fdec2caf1c1fb21c59a1d654ced34d594653d5a87727faabe531c4f33864feceabebaa9f7185ac11b34afbf131acdf

Download Submit
C:\Windows\System\gEOFokr.exe

Filesize
5.7MB

MD5
c6e5b0b55202286d7a816391d09b004c

SHA1
97d13a40bedc1976fbbaa6953b5aefa61bf8ac46

SHA256
455d4b6e79e15d036c4c8f0c50842e0a232687e573b7936cd0456de0181a6b25

SHA512
e896053c419ebf0f3a554276140ce88bbeea5758cb072a08d36ad7306ed4c678e9a27941657e3f078357ad5a27daa16efc3adba6dbb770714273e7862ac14b72

Download Submit
C:\Windows\System\gtEsFVY.exe

Filesize
5.7MB

MD5
ed98164aa3334f57c46e8bb76d71f285

SHA1
d50985ea852c4dc22c868cb7a69f44fcc4052411

SHA256
df526db79b16796e4700c22dbc93d9af503df53b8afec630543fff93c780f729

SHA512
c238dc2d0f4d2b4094d7621523fd48c98425a0abfbefba644d5b83603ba61245ecb73c00800a222a9a364baec170e01849254a86aa5085146050d439935cc024

Download Submit
C:\Windows\System\iAYhTDO.exe

Filesize
5.7MB

MD5
5b08c730b378b2759c3a8187aeb466cf

SHA1
c33f7713efef5b4d0d0061968304e0e85d6f8566

SHA256
5217405e2addb458b5823657818270934214dac1bc7741106b7dc13d7d4bc277

SHA512
40587cf1293268f1d65e2fcd0931664bbce9a09e2664ecb1b9da033295b174c58e115d9f87f7d998337c6b822658cc7148202afcdc163f4c8a2c0064c944aa34

Download Submit
C:\Windows\System\iUOeHoI.exe

Filesize
5.7MB

MD5
e1047ce3c0ff740e992f23959f3d7daa

SHA1
158372f4f99b3fdbde731301199e106b4d96d737

SHA256
3706e148b25a4a83e6bc274ff322eb7c8a19b1072be6904766d696e6fbe2fb05

SHA512
990134ef81e6c5beed37ee953beb2698680b3804011f30c6e42d7c30aeedae1c840761ef95d44817a3c01d8668373503c170d8a13c19168d1df1e2afb25278e6

Download Submit
C:\Windows\System\kNjukta.exe

Filesize
5.7MB

MD5
508e20d3522e9cb156886b932ddabb6c

SHA1
504a68a85e934b322eefb79d5a819cc4c3394391

SHA256
6d4c8f178d4bb5c170a1daf391877df33553bdd69d9b1eb8ba15e6622660b0d4

SHA512
b33aa114c8ceafc632eeb3dbb9e86ed937adc03a351d5c96f59340b29a44a8c503057fea5b3fc677e1c8c87ec229b15234928d8a3fe03f37675c98cc639e7481

Download Submit
C:\Windows\System\lhRdXnO.exe

Filesize
5.7MB

MD5
63e8b97ce439d8117403a566e0e7c061

SHA1
6bc104d1fc412ff6c01093b3f328a51f31d29601

SHA256
72da0f58fbe9b25b31f1a3d18ea2031d5d6dcd02ca22c176de908f85324db1ce

SHA512
6f73296d50ebe039d0cf8b2f15b3db30c2ba01559af7588029b71e7f8b4f7c842fa02993408082115405bc859f7adbd126db6836af948620a90e2712567cb398

Download Submit
C:\Windows\System\lqRxRqE.exe

Filesize
5.7MB

MD5
5d2403338de33580b69dbe22aeab5f23

SHA1
5ce50cf5d560cee7f6db39964c21e4f2dfb5421b

SHA256
d4b1307de6f937a6a0cf310c58e1c54278ec9554c5e200cb6f0ea8062b2a0d64

SHA512
7574a5565bebd9e11c158d990ff788c47e18c67eefcb5f3b68f0e40823990a49185184287414116dc712ecbdd36dcdd0cd2e6159ea81e1c46206da549abf7ecb

Download Submit
C:\Windows\System\nSxQSug.exe

Filesize
5.7MB

MD5
fd20bda0234faf67085b8160d7ed327f

SHA1
a79095a5f70b7ba2a0aba3fe6e46654e9d39934a

SHA256
06ea24bfc2e52dbb0248157f730e9d6399ec6aa5b1fd4f4b89b5f5ede0753f84

SHA512
db09d9a9abaa10a7396529cb9012c8f4aff55f8b0cf2e95dc804407143240c36c70ae6f9f00bda7285df92920921d32ba81523cdf8341ca4231ac36c0a72bbeb

Download Submit
C:\Windows\System\njyiKEE.exe

Filesize
5.7MB

MD5
2bf177ac980ad50d01c899e996c73604

SHA1
65b2012643aa7cf094c964de77ec133eadd90954

SHA256
35165063bb2852b0664c93584f889a7d845ae39aa4d9b0c6ca713a8c49945847

SHA512
6553dbbb3a94786a5d921e58d1a1419a23ff054fa2dfb364f1784586beb38dc0879b584fe78f04d5224d4b9c4508dd3514adfed34669711c0317e05ab4248a8a

Download Submit
C:\Windows\System\oytOukv.exe

Filesize
5.7MB

MD5
3927d66730ab2e8179743a666fb7142c

SHA1
f1a6192db997f90a9b731f4898d23e2d4a9bef8d

SHA256
3365796a93b8bfcc1168126cd8f0330a2729a582ae3da3cf23822d5281fac9c4

SHA512
c220633346f70865b5739b6f537f28a0fb98ffe37a7832c8beaec7da173fa907ece29ace4caa0024bf4f12658c1fed8a0bb2cb3cb997c97ab396b14f67ab6a48

Download Submit
C:\Windows\System\pYhSJda.exe

Filesize
5.7MB

MD5
9a67a6b968708bc91a82594136d382c5

SHA1
4cdf51a6a973d16e2372c83eab6b15fea4dfa473

SHA256
433c447410aaaea0bfbedd19a578a58d6feea21a39ea466f7fb8fb19f998b47c

SHA512
0024628a284dc30f087aea617e124456b70dad0ab8ec3097097eb04ef97e0700fc035760f49b9e939b744d7ef53971afbf0134138497d87c56c0cf08afd42ada

Download Submit
C:\Windows\System\sGkeRkL.exe

Filesize
5.7MB

MD5
fe54bc5b8b34229aa16054e47a53e112

SHA1
88803a2a408c5a59351348ed57eb59db2e589d8d

SHA256
af3748e3804133fe77652cc0162beeb695d30312e2f2d9092d3df2b24a3269a3

SHA512
c5b772a72bda1d29aa8e3aa23e16709cf5799aa515548970dd8f28e6ae9010d74791111f63058f3d5c43e88506d86d66757f7612d87a33cfb492225e65918628

Download Submit
C:\Windows\System\sThknji.exe

Filesize
5.7MB

MD5
af922f64c3d7d733fcb77f94de411416

SHA1
98f35a134e001d112914c8acca823289d58c462e

SHA256
abd06ef02e925a563a0010181b46ab05a923480504e5b5fae1f8fe8799fe6c8a

SHA512
826400e90f4d7ea47b0a6655473af3f86da9268f44844ea9954050b97440b3986ed644168b5727b4d7011bfe1eae2de7c3aac4e446147a6d1c8d1e1f5cdb80f7

Download Submit
C:\Windows\System\tmhuwSW.exe

Filesize
5.7MB

MD5
17c810831e752d8822084a1c6507a012

SHA1
ff1c87fa3ab05857661ea81bc3466554b81f601a

SHA256
5a813edb57ef7a34108167175ca4dd1834a201d9a220e54b6b9a8bfc78818bb2

SHA512
6c5135184ad9e88d45b404c9d1ca2c4d12987a660d66a08596c5b63f1a11393481331861e463e2f57fcb0f2a7af56dec03046533f9d84d514c39033e195397d9

Download Submit
C:\Windows\System\zrJmmXm.exe

Filesize
5.7MB

MD5
76f09febebaabf10cf738d6c7ee398f5

SHA1
f69985e75a31f04c4bd61ca8c446c3f4d33b8bb7

SHA256
3b5ae11679a0dbd7b7a29c5f6bb50e5d14dc202591220f85a5bc89f3bc17499c

SHA512
7f1665492b77eb4fa63ecc4af4c89b9ab0f57be153a4cb0dc709275fff9dd4d872243e383b71861422364a2a9fd9254fd2ee22d51cfa5908af78f0a8cb7520c9

Download Submit
memory/220-121-0x00007FF795F40000-0x00007FF79628D000-memory.dmp

Filesize
3.3MB

Download
memory/380-118-0x00007FF6B95E0000-0x00007FF6B992D000-memory.dmp

Filesize
3.3MB

Download
memory/668-187-0x00007FF6AC650000-0x00007FF6AC99D000-memory.dmp

Filesize
3.3MB

Download
memory/1196-114-0x00007FF6E1930000-0x00007FF6E1C7D000-memory.dmp

Filesize
3.3MB

Download
memory/1260-62-0x00007FF648830000-0x00007FF648B7D000-memory.dmp

Filesize
3.3MB

Download
memory/1340-127-0x00007FF6E51D0000-0x00007FF6E551D000-memory.dmp

Filesize
3.3MB

Download
memory/1496-97-0x00007FF7422C0000-0x00007FF74260D000-memory.dmp

Filesize
3.3MB

Download
memory/1524-72-0x00007FF79C7D0000-0x00007FF79CB1D000-memory.dmp

Filesize
3.3MB

Download
memory/1760-190-0x00007FF61FFE0000-0x00007FF62032D000-memory.dmp

Filesize
3.3MB

Download
memory/1960-44-0x00007FF637060000-0x00007FF6373AD000-memory.dmp

Filesize
3.3MB

Download
memory/2032-18-0x00007FF774360000-0x00007FF7746AD000-memory.dmp

Filesize
3.3MB

Download
memory/2336-101-0x00007FF72E600000-0x00007FF72E94D000-memory.dmp

Filesize
3.3MB

Download
memory/2388-65-0x00007FF68FD90000-0x00007FF6900DD000-memory.dmp

Filesize
3.3MB

Download
memory/2512-47-0x00007FF754360000-0x00007FF7546AD000-memory.dmp

Filesize
3.3MB

Download
memory/2580-175-0x00007FF7C6000000-0x00007FF7C634D000-memory.dmp

Filesize
3.3MB

Download
memory/2712-54-0x00007FF715A40000-0x00007FF715D8D000-memory.dmp

Filesize
3.3MB

Download
memory/2780-159-0x00007FF668F10000-0x00007FF66925D000-memory.dmp

Filesize
3.3MB

Download
memory/2980-172-0x00007FF776560000-0x00007FF7768AD000-memory.dmp

Filesize
3.3MB

Download
memory/3032-79-0x00007FF7D1510000-0x00007FF7D185D000-memory.dmp

Filesize
3.3MB

Download
memory/3048-28-0x00007FF6C94E0000-0x00007FF6C982D000-memory.dmp

Filesize
3.3MB

Download
memory/3416-111-0x00007FF6647A0000-0x00007FF664AED000-memory.dmp

Filesize
3.3MB

Download
memory/3568-0-0x00007FF678E90000-0x00007FF6791DD000-memory.dmp

Filesize
3.3MB

Download
memory/3568-1-0x000002BD58620000-0x000002BD58630000-memory.dmp

Filesize
64KB

Download
memory/3576-163-0x00007FF784AE0000-0x00007FF784E2D000-memory.dmp

Filesize
3.3MB

Download
memory/3668-7-0x00007FF768770000-0x00007FF768ABD000-memory.dmp

Filesize
3.3MB

Download
memory/3724-178-0x00007FF6001B0000-0x00007FF6004FD000-memory.dmp

Filesize
3.3MB

Download
memory/4060-135-0x00007FF74F370000-0x00007FF74F6BD000-memory.dmp

Filesize
3.3MB

Download
memory/4116-76-0x00007FF6E3A80000-0x00007FF6E3DCD000-memory.dmp

Filesize
3.3MB

Download
memory/4200-184-0x00007FF61E270000-0x00007FF61E5BD000-memory.dmp

Filesize
3.3MB

Download
memory/4676-124-0x00007FF664FE0000-0x00007FF66532D000-memory.dmp

Filesize
3.3MB

Download
memory/4912-181-0x00007FF687C90000-0x00007FF687FDD000-memory.dmp

Filesize
3.3MB

Download
memory/5004-31-0x00007FF60B920000-0x00007FF60BC6D000-memory.dmp

Filesize
3.3MB

Download
memory/5024-57-0x00007FF697BD0000-0x00007FF697F1D000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads