cobaltstrike | 8e925d15c7966f8ba40e6b02a22b48dfb2252928e19456c747a593cc8828f685

Analysis

max time kernel
62s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
Size

6.0MB
MD5

d5f46954766819079d94d15d4deea022
SHA1

141f7b2a51cc60b04e01b825ad2c3f4ab2ad912e
SHA256

8e925d15c7966f8ba40e6b02a22b48dfb2252928e19456c747a593cc8828f685
SHA512

23ed4e019d80c1ded3068dfde1041c92987b16d56139427bb06958cc7c734758f86c279e3f1b03239255838c532903d07624df2ee4ebf6016f6d173d52a3e149
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUj:T+q56utgpPF8u/7j

Score

10^/10

cobaltstrike xmrig 0 backdoor miner persistence trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 32 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00050000000227be-4.dat	cobalt_reflective_dll
behavioral1/files/0x000700000002425f-10.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024260-11.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024261-21.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024262-28.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024263-37.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024264-41.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024265-49.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024266-53.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024268-75.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024269-81.dat	cobalt_reflective_dll
behavioral1/files/0x000700000002426b-87.dat	cobalt_reflective_dll
behavioral1/files/0x000700000002426c-97.dat	cobalt_reflective_dll
behavioral1/files/0x000800000002425c-71.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024267-64.dat	cobalt_reflective_dll
behavioral1/files/0x000700000002426d-103.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024271-131.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024270-128.dat	cobalt_reflective_dll
behavioral1/files/0x000700000002426e-116.dat	cobalt_reflective_dll
behavioral1/files/0x000700000002426f-113.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024273-161.dat	cobalt_reflective_dll
behavioral1/files/0x000e0000000240e8-162.dat	cobalt_reflective_dll
behavioral1/files/0x000e0000000240e5-159.dat	cobalt_reflective_dll
behavioral1/files/0x000c0000000240c9-145.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024272-139.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024274-176.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024277-186.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024276-183.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024278-196.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000024279-200.dat	cobalt_reflective_dll
behavioral1/files/0x000700000002427c-211.dat	cobalt_reflective_dll
behavioral1/files/0x000700000002427a-205.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/1736-0-0x00007FF653540000-0x00007FF653894000-memory.dmp	xmrig
behavioral1/files/0x00050000000227be-4.dat	xmrig
behavioral1/memory/3128-8-0x00007FF69C4A0000-0x00007FF69C7F4000-memory.dmp	xmrig
behavioral1/files/0x000700000002425f-10.dat	xmrig
behavioral1/files/0x0007000000024260-11.dat	xmrig
behavioral1/files/0x0007000000024261-21.dat	xmrig
behavioral1/memory/1716-24-0x00007FF62F2E0000-0x00007FF62F634000-memory.dmp	xmrig
behavioral1/files/0x0007000000024262-28.dat	xmrig
behavioral1/memory/2852-30-0x00007FF67C7C0000-0x00007FF67CB14000-memory.dmp	xmrig
behavioral1/files/0x0007000000024263-37.dat	xmrig
behavioral1/files/0x0007000000024264-41.dat	xmrig
behavioral1/files/0x0007000000024265-49.dat	xmrig
behavioral1/files/0x0007000000024266-53.dat	xmrig
behavioral1/memory/2492-54-0x00007FF68FA60000-0x00007FF68FDB4000-memory.dmp	xmrig
behavioral1/memory/640-48-0x00007FF7014C0000-0x00007FF701814000-memory.dmp	xmrig
behavioral1/memory/2856-42-0x00007FF738940000-0x00007FF738C94000-memory.dmp	xmrig
behavioral1/memory/2236-36-0x00007FF76AFC0000-0x00007FF76B314000-memory.dmp	xmrig
behavioral1/memory/5848-27-0x00007FF675A20000-0x00007FF675D74000-memory.dmp	xmrig
behavioral1/memory/400-18-0x00007FF7E5070000-0x00007FF7E53C4000-memory.dmp	xmrig
behavioral1/memory/400-62-0x00007FF7E5070000-0x00007FF7E53C4000-memory.dmp	xmrig
behavioral1/memory/3128-61-0x00007FF69C4A0000-0x00007FF69C7F4000-memory.dmp	xmrig
behavioral1/files/0x0007000000024268-75.dat	xmrig
behavioral1/memory/4716-76-0x00007FF66A460000-0x00007FF66A7B4000-memory.dmp	xmrig
behavioral1/files/0x0007000000024269-81.dat	xmrig
behavioral1/memory/4764-84-0x00007FF711000000-0x00007FF711354000-memory.dmp	xmrig
behavioral1/files/0x000700000002426b-87.dat	xmrig
behavioral1/files/0x000700000002426c-97.dat	xmrig
behavioral1/memory/5968-94-0x00007FF64FB10000-0x00007FF64FE64000-memory.dmp	xmrig
behavioral1/memory/2236-93-0x00007FF76AFC0000-0x00007FF76B314000-memory.dmp	xmrig
behavioral1/memory/4812-91-0x00007FF7487E0000-0x00007FF748B34000-memory.dmp	xmrig
behavioral1/memory/2852-89-0x00007FF67C7C0000-0x00007FF67CB14000-memory.dmp	xmrig
behavioral1/memory/5848-82-0x00007FF675A20000-0x00007FF675D74000-memory.dmp	xmrig
behavioral1/files/0x000800000002425c-71.dat	xmrig
behavioral1/memory/1700-69-0x00007FF703170000-0x00007FF7034C4000-memory.dmp	xmrig
behavioral1/memory/1716-68-0x00007FF62F2E0000-0x00007FF62F634000-memory.dmp	xmrig
behavioral1/memory/5972-66-0x00007FF6BA510000-0x00007FF6BA864000-memory.dmp	xmrig
behavioral1/files/0x0007000000024267-64.dat	xmrig
behavioral1/memory/1736-59-0x00007FF653540000-0x00007FF653894000-memory.dmp	xmrig
behavioral1/memory/2856-99-0x00007FF738940000-0x00007FF738C94000-memory.dmp	xmrig
behavioral1/files/0x000700000002426d-103.dat	xmrig
behavioral1/memory/2940-115-0x00007FF6E71D0000-0x00007FF6E7524000-memory.dmp	xmrig
behavioral1/memory/2492-118-0x00007FF68FA60000-0x00007FF68FDB4000-memory.dmp	xmrig
behavioral1/memory/4936-125-0x00007FF737400000-0x00007FF737754000-memory.dmp	xmrig
behavioral1/memory/4892-130-0x00007FF6C9430000-0x00007FF6C9784000-memory.dmp	xmrig
behavioral1/files/0x0007000000024271-131.dat	xmrig
behavioral1/files/0x0007000000024270-128.dat	xmrig
behavioral1/memory/5972-124-0x00007FF6BA510000-0x00007FF6BA864000-memory.dmp	xmrig
behavioral1/memory/5304-119-0x00007FF6E67A0000-0x00007FF6E6AF4000-memory.dmp	xmrig
behavioral1/memory/4852-117-0x00007FF7E4830000-0x00007FF7E4B84000-memory.dmp	xmrig
behavioral1/files/0x000700000002426e-116.dat	xmrig
behavioral1/files/0x000700000002426f-113.dat	xmrig
behavioral1/memory/640-104-0x00007FF7014C0000-0x00007FF701814000-memory.dmp	xmrig
behavioral1/memory/2996-141-0x00007FF7F3B60000-0x00007FF7F3EB4000-memory.dmp	xmrig
behavioral1/memory/4716-138-0x00007FF66A460000-0x00007FF66A7B4000-memory.dmp	xmrig
behavioral1/memory/4764-147-0x00007FF711000000-0x00007FF711354000-memory.dmp	xmrig
behavioral1/memory/4812-154-0x00007FF7487E0000-0x00007FF748B34000-memory.dmp	xmrig
behavioral1/files/0x0007000000024273-161.dat	xmrig
behavioral1/memory/5968-164-0x00007FF64FB10000-0x00007FF64FE64000-memory.dmp	xmrig
behavioral1/memory/2940-169-0x00007FF6E71D0000-0x00007FF6E7524000-memory.dmp	xmrig
behavioral1/memory/6116-166-0x00007FF632A80000-0x00007FF632DD4000-memory.dmp	xmrig
behavioral1/memory/5172-165-0x00007FF74D290000-0x00007FF74D5E4000-memory.dmp	xmrig
behavioral1/files/0x000e0000000240e8-162.dat	xmrig
behavioral1/files/0x000e0000000240e5-159.dat	xmrig
behavioral1/memory/5468-155-0x00007FF6CCF50000-0x00007FF6CD2A4000-memory.dmp	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
3128	JyllIWW.exe
400	HRnDgkU.exe
1716	APNFGbI.exe
5848	LYgPCMk.exe
2852	RkvnMeC.exe
2236	ZSrsZNG.exe
2856	xmjyqOg.exe
640	VtiRUhj.exe
2492	LQXnzim.exe
5972	KzhmPYM.exe
1700	zNhEtcv.exe
4716	oyFEiwr.exe
4764	yIUoBCv.exe
4812	qLIYrAF.exe
5968	XLHdFcQ.exe
2940	rIOuqxJ.exe
5304	qwMwTSx.exe
4852	wQPZkZP.exe
4936	xylPbQF.exe
4892	rQCegDl.exe
2996	nmkMWdx.exe
5360	vElxDUA.exe
5468	ECOmyrp.exe
5172	LqYTMDr.exe
6116	wGzyAtg.exe
3328	NiHtDMs.exe
5404	lfNMNWx.exe
5376	eEnVxJg.exe
4916	cJjTTXQ.exe
5964	oNViyln.exe
2780	QaCyxsQ.exe
3748	PUUuFdt.exe
2024	KqoXveP.exe
6020	ccAFzgY.exe
5400	NsjmqPj.exe
2068	EsELYRf.exe
4348	afrLcvN.exe
5392	GpeUKCj.exe
1968	mInGvDf.exe
1920	dhczaKt.exe
1832	qoTcAmQ.exe
1524	lCLxctP.exe
3008	jdfriXR.exe
5384	VyFEcnz.exe
5044	XElsCZR.exe
5884	jrSGHIg.exe
264	oxqmZbL.exe
5268	srKYKXS.exe
4528	zoizFYV.exe
4704	HajyjIa.exe
972	pufMRoA.exe
1160	oWSQmXE.exe
5248	EqhfMlk.exe
5548	AsziRfT.exe
372	LizDkDe.exe
812	aQpFHks.exe
4380	XtqSQZQ.exe
4620	qBIWgGT.exe
4412	ErSByny.exe
4732	HaqcutK.exe
3560	vXXXFpl.exe
4828	MNrJqYH.exe
1444	YYovLJt.exe
4656	AlTrXpf.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1736-0-0x00007FF653540000-0x00007FF653894000-memory.dmp	upx
behavioral1/files/0x00050000000227be-4.dat	upx
behavioral1/memory/3128-8-0x00007FF69C4A0000-0x00007FF69C7F4000-memory.dmp	upx
behavioral1/files/0x000700000002425f-10.dat	upx
behavioral1/files/0x0007000000024260-11.dat	upx
behavioral1/files/0x0007000000024261-21.dat	upx
behavioral1/memory/1716-24-0x00007FF62F2E0000-0x00007FF62F634000-memory.dmp	upx
behavioral1/files/0x0007000000024262-28.dat	upx
behavioral1/memory/2852-30-0x00007FF67C7C0000-0x00007FF67CB14000-memory.dmp	upx
behavioral1/files/0x0007000000024263-37.dat	upx
behavioral1/files/0x0007000000024264-41.dat	upx
behavioral1/files/0x0007000000024265-49.dat	upx
behavioral1/files/0x0007000000024266-53.dat	upx
behavioral1/memory/2492-54-0x00007FF68FA60000-0x00007FF68FDB4000-memory.dmp	upx
behavioral1/memory/640-48-0x00007FF7014C0000-0x00007FF701814000-memory.dmp	upx
behavioral1/memory/2856-42-0x00007FF738940000-0x00007FF738C94000-memory.dmp	upx
behavioral1/memory/2236-36-0x00007FF76AFC0000-0x00007FF76B314000-memory.dmp	upx
behavioral1/memory/5848-27-0x00007FF675A20000-0x00007FF675D74000-memory.dmp	upx
behavioral1/memory/400-18-0x00007FF7E5070000-0x00007FF7E53C4000-memory.dmp	upx
behavioral1/memory/400-62-0x00007FF7E5070000-0x00007FF7E53C4000-memory.dmp	upx
behavioral1/memory/3128-61-0x00007FF69C4A0000-0x00007FF69C7F4000-memory.dmp	upx
behavioral1/files/0x0007000000024268-75.dat	upx
behavioral1/memory/4716-76-0x00007FF66A460000-0x00007FF66A7B4000-memory.dmp	upx
behavioral1/files/0x0007000000024269-81.dat	upx
behavioral1/memory/4764-84-0x00007FF711000000-0x00007FF711354000-memory.dmp	upx
behavioral1/files/0x000700000002426b-87.dat	upx
behavioral1/files/0x000700000002426c-97.dat	upx
behavioral1/memory/5968-94-0x00007FF64FB10000-0x00007FF64FE64000-memory.dmp	upx
behavioral1/memory/2236-93-0x00007FF76AFC0000-0x00007FF76B314000-memory.dmp	upx
behavioral1/memory/4812-91-0x00007FF7487E0000-0x00007FF748B34000-memory.dmp	upx
behavioral1/memory/2852-89-0x00007FF67C7C0000-0x00007FF67CB14000-memory.dmp	upx
behavioral1/memory/5848-82-0x00007FF675A20000-0x00007FF675D74000-memory.dmp	upx
behavioral1/files/0x000800000002425c-71.dat	upx
behavioral1/memory/1700-69-0x00007FF703170000-0x00007FF7034C4000-memory.dmp	upx
behavioral1/memory/1716-68-0x00007FF62F2E0000-0x00007FF62F634000-memory.dmp	upx
behavioral1/memory/5972-66-0x00007FF6BA510000-0x00007FF6BA864000-memory.dmp	upx
behavioral1/files/0x0007000000024267-64.dat	upx
behavioral1/memory/1736-59-0x00007FF653540000-0x00007FF653894000-memory.dmp	upx
behavioral1/memory/2856-99-0x00007FF738940000-0x00007FF738C94000-memory.dmp	upx
behavioral1/files/0x000700000002426d-103.dat	upx
behavioral1/memory/2940-115-0x00007FF6E71D0000-0x00007FF6E7524000-memory.dmp	upx
behavioral1/memory/2492-118-0x00007FF68FA60000-0x00007FF68FDB4000-memory.dmp	upx
behavioral1/memory/4936-125-0x00007FF737400000-0x00007FF737754000-memory.dmp	upx
behavioral1/memory/4892-130-0x00007FF6C9430000-0x00007FF6C9784000-memory.dmp	upx
behavioral1/files/0x0007000000024271-131.dat	upx
behavioral1/files/0x0007000000024270-128.dat	upx
behavioral1/memory/5972-124-0x00007FF6BA510000-0x00007FF6BA864000-memory.dmp	upx
behavioral1/memory/5304-119-0x00007FF6E67A0000-0x00007FF6E6AF4000-memory.dmp	upx
behavioral1/memory/4852-117-0x00007FF7E4830000-0x00007FF7E4B84000-memory.dmp	upx
behavioral1/files/0x000700000002426e-116.dat	upx
behavioral1/files/0x000700000002426f-113.dat	upx
behavioral1/memory/640-104-0x00007FF7014C0000-0x00007FF701814000-memory.dmp	upx
behavioral1/memory/2996-141-0x00007FF7F3B60000-0x00007FF7F3EB4000-memory.dmp	upx
behavioral1/memory/4716-138-0x00007FF66A460000-0x00007FF66A7B4000-memory.dmp	upx
behavioral1/memory/4764-147-0x00007FF711000000-0x00007FF711354000-memory.dmp	upx
behavioral1/memory/4812-154-0x00007FF7487E0000-0x00007FF748B34000-memory.dmp	upx
behavioral1/files/0x0007000000024273-161.dat	upx
behavioral1/memory/5968-164-0x00007FF64FB10000-0x00007FF64FE64000-memory.dmp	upx
behavioral1/memory/2940-169-0x00007FF6E71D0000-0x00007FF6E7524000-memory.dmp	upx
behavioral1/memory/6116-166-0x00007FF632A80000-0x00007FF632DD4000-memory.dmp	upx
behavioral1/memory/5172-165-0x00007FF74D290000-0x00007FF74D5E4000-memory.dmp	upx
behavioral1/files/0x000e0000000240e8-162.dat	upx
behavioral1/files/0x000e0000000240e5-159.dat	upx
behavioral1/memory/5468-155-0x00007FF6CCF50000-0x00007FF6CD2A4000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\sIKmlYF.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\noXUjbN.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\oyFEiwr.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\tfHOWLD.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\hiPbkKg.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\BiAddIo.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\CxhgSJa.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\wbRksGg.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\OkWKJAd.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\YmoOPdI.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\OvEjiHe.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\HwsrGbt.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\UNaloqI.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\vMbfHZi.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\DdOTHIz.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\lRZwaae.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\BswuTqG.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\VyFEcnz.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\gPQSVjj.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\XkHmPnu.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\avdBIXq.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\ZVUPrWR.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\XAnPpRq.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\goFQKng.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\WNLrhVc.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\TFoDPKf.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\RWELAGm.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\eEnVxJg.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\nxwnFJz.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\MFTkTKo.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\lAghnyl.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\ZxCTskP.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\tazBbxI.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\OjkmCyh.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\flntBtQ.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\DFLankl.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\sxCleaA.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\NvbNNEc.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\PEhHBYm.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\XxcNEQI.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\JyllIWW.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\NjkBUBl.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\uaKxhZm.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\wexRtuu.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\vSwzsGX.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\xGGIdDq.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\LjfHLST.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\pufMRoA.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\uSuwVya.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\GrFLANd.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\DYiZLLZ.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\blcVEkJ.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\fUVoiFV.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\GnqiBqR.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\ISbZYoI.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\AlTrXpf.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\pvGxLwH.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\XONlNzo.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\EtfyhTZ.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\qsXZQTl.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\midRbLx.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\ptVXKpE.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\eSyGNBi.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\PAdzlss.exe	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3342763580-2723508992-2885672917-1000\{EA78FCB1-E4F4-4397-82D8-3B16CE8AE860}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	15016	explorer.exe
Token: SeCreatePagefilePrivilege	15016	explorer.exe
Token: SeShutdownPrivilege	15016	explorer.exe
Token: SeCreatePagefilePrivilege	15016	explorer.exe
Token: SeShutdownPrivilege	15016	explorer.exe
Token: SeCreatePagefilePrivilege	15016	explorer.exe
Token: SeShutdownPrivilege	15016	explorer.exe
Token: SeCreatePagefilePrivilege	15016	explorer.exe
Token: SeShutdownPrivilege	15016	explorer.exe
Token: SeCreatePagefilePrivilege	15016	explorer.exe
Token: SeShutdownPrivilege	15016	explorer.exe
Token: SeCreatePagefilePrivilege	15016	explorer.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
14704	sihost.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe
15016	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 3128	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	87
PID 1736 wrote to memory of 3128	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	87
PID 1736 wrote to memory of 400	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	88
PID 1736 wrote to memory of 400	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	88
PID 1736 wrote to memory of 1716	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	89
PID 1736 wrote to memory of 1716	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	89
PID 1736 wrote to memory of 5848	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	90
PID 1736 wrote to memory of 5848	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	90
PID 1736 wrote to memory of 2852	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	91
PID 1736 wrote to memory of 2852	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	91
PID 1736 wrote to memory of 2236	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	92
PID 1736 wrote to memory of 2236	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	92
PID 1736 wrote to memory of 2856	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	93
PID 1736 wrote to memory of 2856	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	93
PID 1736 wrote to memory of 640	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	94
PID 1736 wrote to memory of 640	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	94
PID 1736 wrote to memory of 2492	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	95
PID 1736 wrote to memory of 2492	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	95
PID 1736 wrote to memory of 5972	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	96
PID 1736 wrote to memory of 5972	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	96
PID 1736 wrote to memory of 1700	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	97
PID 1736 wrote to memory of 1700	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	97
PID 1736 wrote to memory of 4716	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	98
PID 1736 wrote to memory of 4716	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	98
PID 1736 wrote to memory of 4764	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	99
PID 1736 wrote to memory of 4764	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	99
PID 1736 wrote to memory of 4812	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	100
PID 1736 wrote to memory of 4812	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	100
PID 1736 wrote to memory of 5968	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	101
PID 1736 wrote to memory of 5968	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	101
PID 1736 wrote to memory of 2940	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	102
PID 1736 wrote to memory of 2940	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	102
PID 1736 wrote to memory of 5304	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	104
PID 1736 wrote to memory of 5304	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	104
PID 1736 wrote to memory of 4852	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	105
PID 1736 wrote to memory of 4852	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	105
PID 1736 wrote to memory of 4936	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	106
PID 1736 wrote to memory of 4936	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	106
PID 1736 wrote to memory of 4892	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	107
PID 1736 wrote to memory of 4892	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	107
PID 1736 wrote to memory of 2996	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	112
PID 1736 wrote to memory of 2996	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	112
PID 1736 wrote to memory of 5360	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	113
PID 1736 wrote to memory of 5360	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	113
PID 1736 wrote to memory of 5468	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	115
PID 1736 wrote to memory of 5468	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	115
PID 1736 wrote to memory of 5172	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	116
PID 1736 wrote to memory of 5172	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	116
PID 1736 wrote to memory of 6116	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	117
PID 1736 wrote to memory of 6116	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	117
PID 1736 wrote to memory of 3328	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	118
PID 1736 wrote to memory of 3328	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	118
PID 1736 wrote to memory of 5404	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	119
PID 1736 wrote to memory of 5404	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	119
PID 1736 wrote to memory of 5376	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	120
PID 1736 wrote to memory of 5376	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	120
PID 1736 wrote to memory of 4916	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	121
PID 1736 wrote to memory of 4916	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	121
PID 1736 wrote to memory of 5964	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	123
PID 1736 wrote to memory of 5964	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	123
PID 1736 wrote to memory of 2780	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	125
PID 1736 wrote to memory of 2780	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	125
PID 1736 wrote to memory of 3748	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	126
PID 1736 wrote to memory of 3748	1736	2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	126

C:\Users\Admin\AppData\Local\Temp\2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-08_d5f46954766819079d94d15d4deea022_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\System\JyllIWW.exe
  C:\Windows\System\JyllIWW.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\HRnDgkU.exe
  C:\Windows\System\HRnDgkU.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\APNFGbI.exe
  C:\Windows\System\APNFGbI.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\LYgPCMk.exe
  C:\Windows\System\LYgPCMk.exe
  2⤵
  - Executes dropped EXE
  PID:5848
- C:\Windows\System\RkvnMeC.exe
  C:\Windows\System\RkvnMeC.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\ZSrsZNG.exe
  C:\Windows\System\ZSrsZNG.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\xmjyqOg.exe
  C:\Windows\System\xmjyqOg.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\VtiRUhj.exe
  C:\Windows\System\VtiRUhj.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System\LQXnzim.exe
  C:\Windows\System\LQXnzim.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\KzhmPYM.exe
  C:\Windows\System\KzhmPYM.exe
  2⤵
  - Executes dropped EXE
  PID:5972
- C:\Windows\System\zNhEtcv.exe
  C:\Windows\System\zNhEtcv.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\oyFEiwr.exe
  C:\Windows\System\oyFEiwr.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\yIUoBCv.exe
  C:\Windows\System\yIUoBCv.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\qLIYrAF.exe
  C:\Windows\System\qLIYrAF.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\XLHdFcQ.exe
  C:\Windows\System\XLHdFcQ.exe
  2⤵
  - Executes dropped EXE
  PID:5968
- C:\Windows\System\rIOuqxJ.exe
  C:\Windows\System\rIOuqxJ.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\qwMwTSx.exe
  C:\Windows\System\qwMwTSx.exe
  2⤵
  - Executes dropped EXE
  PID:5304
- C:\Windows\System\wQPZkZP.exe
  C:\Windows\System\wQPZkZP.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\xylPbQF.exe
  C:\Windows\System\xylPbQF.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\rQCegDl.exe
  C:\Windows\System\rQCegDl.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\nmkMWdx.exe
  C:\Windows\System\nmkMWdx.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\vElxDUA.exe
  C:\Windows\System\vElxDUA.exe
  2⤵
  - Executes dropped EXE
  PID:5360
- C:\Windows\System\ECOmyrp.exe
  C:\Windows\System\ECOmyrp.exe
  2⤵
  - Executes dropped EXE
  PID:5468
- C:\Windows\System\LqYTMDr.exe
  C:\Windows\System\LqYTMDr.exe
  2⤵
  - Executes dropped EXE
  PID:5172
- C:\Windows\System\wGzyAtg.exe
  C:\Windows\System\wGzyAtg.exe
  2⤵
  - Executes dropped EXE
  PID:6116
- C:\Windows\System\NiHtDMs.exe
  C:\Windows\System\NiHtDMs.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System\lfNMNWx.exe
  C:\Windows\System\lfNMNWx.exe
  2⤵
  - Executes dropped EXE
  PID:5404
- C:\Windows\System\eEnVxJg.exe
  C:\Windows\System\eEnVxJg.exe
  2⤵
  - Executes dropped EXE
  PID:5376
- C:\Windows\System\cJjTTXQ.exe
  C:\Windows\System\cJjTTXQ.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System\oNViyln.exe
  C:\Windows\System\oNViyln.exe
  2⤵
  - Executes dropped EXE
  PID:5964
- C:\Windows\System\QaCyxsQ.exe
  C:\Windows\System\QaCyxsQ.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\PUUuFdt.exe
  C:\Windows\System\PUUuFdt.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\KqoXveP.exe
  C:\Windows\System\KqoXveP.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System\ccAFzgY.exe
  C:\Windows\System\ccAFzgY.exe
  2⤵
  - Executes dropped EXE
  PID:6020
- C:\Windows\System\NsjmqPj.exe
  C:\Windows\System\NsjmqPj.exe
  2⤵
  - Executes dropped EXE
  PID:5400
- C:\Windows\System\EsELYRf.exe
  C:\Windows\System\EsELYRf.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\afrLcvN.exe
  C:\Windows\System\afrLcvN.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System\GpeUKCj.exe
  C:\Windows\System\GpeUKCj.exe
  2⤵
  - Executes dropped EXE
  PID:5392
- C:\Windows\System\mInGvDf.exe
  C:\Windows\System\mInGvDf.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\dhczaKt.exe
  C:\Windows\System\dhczaKt.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\qoTcAmQ.exe
  C:\Windows\System\qoTcAmQ.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\lCLxctP.exe
  C:\Windows\System\lCLxctP.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\jdfriXR.exe
  C:\Windows\System\jdfriXR.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\VyFEcnz.exe
  C:\Windows\System\VyFEcnz.exe
  2⤵
  - Executes dropped EXE
  PID:5384
- C:\Windows\System\XElsCZR.exe
  C:\Windows\System\XElsCZR.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\jrSGHIg.exe
  C:\Windows\System\jrSGHIg.exe
  2⤵
  - Executes dropped EXE
  PID:5884
- C:\Windows\System\oxqmZbL.exe
  C:\Windows\System\oxqmZbL.exe
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\System\srKYKXS.exe
  C:\Windows\System\srKYKXS.exe
  2⤵
  - Executes dropped EXE
  PID:5268
- C:\Windows\System\zoizFYV.exe
  C:\Windows\System\zoizFYV.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System\HajyjIa.exe
  C:\Windows\System\HajyjIa.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\pufMRoA.exe
  C:\Windows\System\pufMRoA.exe
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\System\oWSQmXE.exe
  C:\Windows\System\oWSQmXE.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System\EqhfMlk.exe
  C:\Windows\System\EqhfMlk.exe
  2⤵
  - Executes dropped EXE
  PID:5248
- C:\Windows\System\AsziRfT.exe
  C:\Windows\System\AsziRfT.exe
  2⤵
  - Executes dropped EXE
  PID:5548
- C:\Windows\System\LizDkDe.exe
  C:\Windows\System\LizDkDe.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System\aQpFHks.exe
  C:\Windows\System\aQpFHks.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System\XtqSQZQ.exe
  C:\Windows\System\XtqSQZQ.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\qBIWgGT.exe
  C:\Windows\System\qBIWgGT.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\ErSByny.exe
  C:\Windows\System\ErSByny.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\HaqcutK.exe
  C:\Windows\System\HaqcutK.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\vXXXFpl.exe
  C:\Windows\System\vXXXFpl.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System\MNrJqYH.exe
  C:\Windows\System\MNrJqYH.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\YYovLJt.exe
  C:\Windows\System\YYovLJt.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\AlTrXpf.exe
  C:\Windows\System\AlTrXpf.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\YDJMzna.exe
  C:\Windows\System\YDJMzna.exe
  2⤵
  PID:3528
- C:\Windows\System\nRgHzHc.exe
  C:\Windows\System\nRgHzHc.exe
  2⤵
  PID:4584
- C:\Windows\System\zjzrEih.exe
  C:\Windows\System\zjzrEih.exe
  2⤵
  PID:4504
- C:\Windows\System\CtRGgXp.exe
  C:\Windows\System\CtRGgXp.exe
  2⤵
  PID:2292
- C:\Windows\System\gWByxGa.exe
  C:\Windows\System\gWByxGa.exe
  2⤵
  PID:4352
- C:\Windows\System\NSDLcsu.exe
  C:\Windows\System\NSDLcsu.exe
  2⤵
  PID:2232
- C:\Windows\System\iMxUscV.exe
  C:\Windows\System\iMxUscV.exe
  2⤵
  PID:4248
- C:\Windows\System\hsmUdJA.exe
  C:\Windows\System\hsmUdJA.exe
  2⤵
  PID:5556
- C:\Windows\System\LQOQPoc.exe
  C:\Windows\System\LQOQPoc.exe
  2⤵
  PID:1860
- C:\Windows\System\SDIyrNW.exe
  C:\Windows\System\SDIyrNW.exe
  2⤵
  PID:3036
- C:\Windows\System\DFLankl.exe
  C:\Windows\System\DFLankl.exe
  2⤵
  PID:3552
- C:\Windows\System\BGKlCTY.exe
  C:\Windows\System\BGKlCTY.exe
  2⤵
  PID:4468
- C:\Windows\System\FgReVuq.exe
  C:\Windows\System\FgReVuq.exe
  2⤵
  PID:3400
- C:\Windows\System\uSuwVya.exe
  C:\Windows\System\uSuwVya.exe
  2⤵
  PID:5688
- C:\Windows\System\wOZSRxe.exe
  C:\Windows\System\wOZSRxe.exe
  2⤵
  PID:4896
- C:\Windows\System\nxwnFJz.exe
  C:\Windows\System\nxwnFJz.exe
  2⤵
  PID:672
- C:\Windows\System\DEgjBAo.exe
  C:\Windows\System\DEgjBAo.exe
  2⤵
  PID:3868
- C:\Windows\System\aeTTVQT.exe
  C:\Windows\System\aeTTVQT.exe
  2⤵
  PID:2260
- C:\Windows\System\QVtNWBQ.exe
  C:\Windows\System\QVtNWBQ.exe
  2⤵
  PID:2272
- C:\Windows\System\dfJWftr.exe
  C:\Windows\System\dfJWftr.exe
  2⤵
  PID:4676
- C:\Windows\System\PAdzlss.exe
  C:\Windows\System\PAdzlss.exe
  2⤵
  PID:4492
- C:\Windows\System\osYfnAj.exe
  C:\Windows\System\osYfnAj.exe
  2⤵
  PID:3364
- C:\Windows\System\EAkwHAy.exe
  C:\Windows\System\EAkwHAy.exe
  2⤵
  PID:4520
- C:\Windows\System\erQrDzc.exe
  C:\Windows\System\erQrDzc.exe
  2⤵
  PID:4552
- C:\Windows\System\fuijXde.exe
  C:\Windows\System\fuijXde.exe
  2⤵
  PID:408
- C:\Windows\System\MFTkTKo.exe
  C:\Windows\System\MFTkTKo.exe
  2⤵
  PID:3104
- C:\Windows\System\NtPBGHk.exe
  C:\Windows\System\NtPBGHk.exe
  2⤵
  PID:1204
- C:\Windows\System\WsIudDc.exe
  C:\Windows\System\WsIudDc.exe
  2⤵
  PID:4748
- C:\Windows\System\tfHOWLD.exe
  C:\Windows\System\tfHOWLD.exe
  2⤵
  PID:5416
- C:\Windows\System\XTSuDWp.exe
  C:\Windows\System\XTSuDWp.exe
  2⤵
  PID:908
- C:\Windows\System\GAnajCU.exe
  C:\Windows\System\GAnajCU.exe
  2⤵
  PID:3388
- C:\Windows\System\oZUXFvT.exe
  C:\Windows\System\oZUXFvT.exe
  2⤵
  PID:1732
- C:\Windows\System\OXYMFgH.exe
  C:\Windows\System\OXYMFgH.exe
  2⤵
  PID:5692
- C:\Windows\System\jOrqNyS.exe
  C:\Windows\System\jOrqNyS.exe
  2⤵
  PID:5004
- C:\Windows\System\iOqNPIb.exe
  C:\Windows\System\iOqNPIb.exe
  2⤵
  PID:1952
- C:\Windows\System\glZomJc.exe
  C:\Windows\System\glZomJc.exe
  2⤵
  PID:2296
- C:\Windows\System\lAghnyl.exe
  C:\Windows\System\lAghnyl.exe
  2⤵
  PID:3672
- C:\Windows\System\jieBvuv.exe
  C:\Windows\System\jieBvuv.exe
  2⤵
  PID:5840
- C:\Windows\System\qUkSxgb.exe
  C:\Windows\System\qUkSxgb.exe
  2⤵
  PID:4776
- C:\Windows\System\AVBMLFD.exe
  C:\Windows\System\AVBMLFD.exe
  2⤵
  PID:644
- C:\Windows\System\VjYnMXQ.exe
  C:\Windows\System\VjYnMXQ.exe
  2⤵
  PID:1008
- C:\Windows\System\hSxlKyR.exe
  C:\Windows\System\hSxlKyR.exe
  2⤵
  PID:4808
- C:\Windows\System\jUAxwzL.exe
  C:\Windows\System\jUAxwzL.exe
  2⤵
  PID:3856
- C:\Windows\System\ZsUXkOa.exe
  C:\Windows\System\ZsUXkOa.exe
  2⤵
  PID:4820
- C:\Windows\System\YKTsGaW.exe
  C:\Windows\System\YKTsGaW.exe
  2⤵
  PID:4740
- C:\Windows\System\nUlFhug.exe
  C:\Windows\System\nUlFhug.exe
  2⤵
  PID:4364
- C:\Windows\System\GrFLANd.exe
  C:\Windows\System\GrFLANd.exe
  2⤵
  PID:2012
- C:\Windows\System\sEbYCXA.exe
  C:\Windows\System\sEbYCXA.exe
  2⤵
  PID:2776
- C:\Windows\System\NYBDRIA.exe
  C:\Windows\System\NYBDRIA.exe
  2⤵
  PID:2252
- C:\Windows\System\UUUNglU.exe
  C:\Windows\System\UUUNglU.exe
  2⤵
  PID:1640
- C:\Windows\System\OvEjiHe.exe
  C:\Windows\System\OvEjiHe.exe
  2⤵
  PID:4592
- C:\Windows\System\QMotHmn.exe
  C:\Windows\System\QMotHmn.exe
  2⤵
  PID:2560
- C:\Windows\System\gPQSVjj.exe
  C:\Windows\System\gPQSVjj.exe
  2⤵
  PID:2924
- C:\Windows\System\PnxVZcP.exe
  C:\Windows\System\PnxVZcP.exe
  2⤵
  PID:3324
- C:\Windows\System\SlccFOW.exe
  C:\Windows\System\SlccFOW.exe
  2⤵
  PID:2200
- C:\Windows\System\PSRvyii.exe
  C:\Windows\System\PSRvyii.exe
  2⤵
  PID:4340
- C:\Windows\System\mnSdvpV.exe
  C:\Windows\System\mnSdvpV.exe
  2⤵
  PID:4996
- C:\Windows\System\VkTRCcO.exe
  C:\Windows\System\VkTRCcO.exe
  2⤵
  PID:5764
- C:\Windows\System\LBkZYId.exe
  C:\Windows\System\LBkZYId.exe
  2⤵
  PID:432
- C:\Windows\System\uhgfiKy.exe
  C:\Windows\System\uhgfiKy.exe
  2⤵
  PID:3764
- C:\Windows\System\qCAJHTq.exe
  C:\Windows\System\qCAJHTq.exe
  2⤵
  PID:3936
- C:\Windows\System\OeikjkQ.exe
  C:\Windows\System\OeikjkQ.exe
  2⤵
  PID:2228
- C:\Windows\System\omRncsC.exe
  C:\Windows\System\omRncsC.exe
  2⤵
  PID:2208
- C:\Windows\System\lNTkkMs.exe
  C:\Windows\System\lNTkkMs.exe
  2⤵
  PID:6176
- C:\Windows\System\VkpVIub.exe
  C:\Windows\System\VkpVIub.exe
  2⤵
  PID:6204
- C:\Windows\System\zrPuMDf.exe
  C:\Windows\System\zrPuMDf.exe
  2⤵
  PID:6232
- C:\Windows\System\OtbQABT.exe
  C:\Windows\System\OtbQABT.exe
  2⤵
  PID:6260
- C:\Windows\System\ynmXgYH.exe
  C:\Windows\System\ynmXgYH.exe
  2⤵
  PID:6288
- C:\Windows\System\jBRwOZm.exe
  C:\Windows\System\jBRwOZm.exe
  2⤵
  PID:6320
- C:\Windows\System\vzXwEZz.exe
  C:\Windows\System\vzXwEZz.exe
  2⤵
  PID:6348
- C:\Windows\System\CBnyfov.exe
  C:\Windows\System\CBnyfov.exe
  2⤵
  PID:6376
- C:\Windows\System\ClMOIdE.exe
  C:\Windows\System\ClMOIdE.exe
  2⤵
  PID:6400
- C:\Windows\System\aEsmvbw.exe
  C:\Windows\System\aEsmvbw.exe
  2⤵
  PID:6432
- C:\Windows\System\OWWtfaB.exe
  C:\Windows\System\OWWtfaB.exe
  2⤵
  PID:6460
- C:\Windows\System\zrfzzBH.exe
  C:\Windows\System\zrfzzBH.exe
  2⤵
  PID:6488
- C:\Windows\System\RCjyDsF.exe
  C:\Windows\System\RCjyDsF.exe
  2⤵
  PID:6516
- C:\Windows\System\UnDroWR.exe
  C:\Windows\System\UnDroWR.exe
  2⤵
  PID:6544
- C:\Windows\System\RdyVjPF.exe
  C:\Windows\System\RdyVjPF.exe
  2⤵
  PID:6572
- C:\Windows\System\vdEcWLM.exe
  C:\Windows\System\vdEcWLM.exe
  2⤵
  PID:6600
- C:\Windows\System\DogfeAJ.exe
  C:\Windows\System\DogfeAJ.exe
  2⤵
  PID:6628
- C:\Windows\System\OUqbQBh.exe
  C:\Windows\System\OUqbQBh.exe
  2⤵
  PID:6652
- C:\Windows\System\EeSDGja.exe
  C:\Windows\System\EeSDGja.exe
  2⤵
  PID:6672
- C:\Windows\System\HnbNXyw.exe
  C:\Windows\System\HnbNXyw.exe
  2⤵
  PID:6704
- C:\Windows\System\dBbQKia.exe
  C:\Windows\System\dBbQKia.exe
  2⤵
  PID:6728
- C:\Windows\System\XkHmPnu.exe
  C:\Windows\System\XkHmPnu.exe
  2⤵
  PID:6764
- C:\Windows\System\IjubJPk.exe
  C:\Windows\System\IjubJPk.exe
  2⤵
  PID:6812
- C:\Windows\System\KxqfJSt.exe
  C:\Windows\System\KxqfJSt.exe
  2⤵
  PID:6844
- C:\Windows\System\hNJnGIH.exe
  C:\Windows\System\hNJnGIH.exe
  2⤵
  PID:6868
- C:\Windows\System\QKQdzLm.exe
  C:\Windows\System\QKQdzLm.exe
  2⤵
  PID:6888
- C:\Windows\System\nupausn.exe
  C:\Windows\System\nupausn.exe
  2⤵
  PID:6904
- C:\Windows\System\gKkghpK.exe
  C:\Windows\System\gKkghpK.exe
  2⤵
  PID:6944
- C:\Windows\System\swAohrG.exe
  C:\Windows\System\swAohrG.exe
  2⤵
  PID:6980
- C:\Windows\System\avdBIXq.exe
  C:\Windows\System\avdBIXq.exe
  2⤵
  PID:7012
- C:\Windows\System\hiPbkKg.exe
  C:\Windows\System\hiPbkKg.exe
  2⤵
  PID:7048
- C:\Windows\System\nysXWWP.exe
  C:\Windows\System\nysXWWP.exe
  2⤵
  PID:7080
- C:\Windows\System\dBCggWg.exe
  C:\Windows\System\dBCggWg.exe
  2⤵
  PID:7108
- C:\Windows\System\NjkBUBl.exe
  C:\Windows\System\NjkBUBl.exe
  2⤵
  PID:7128
- C:\Windows\System\xRieazT.exe
  C:\Windows\System\xRieazT.exe
  2⤵
  PID:7156
- C:\Windows\System\kFHnftS.exe
  C:\Windows\System\kFHnftS.exe
  2⤵
  PID:6212
- C:\Windows\System\pvGxLwH.exe
  C:\Windows\System\pvGxLwH.exe
  2⤵
  PID:6268
- C:\Windows\System\QamfJyx.exe
  C:\Windows\System\QamfJyx.exe
  2⤵
  PID:2108
- C:\Windows\System\jepixBt.exe
  C:\Windows\System\jepixBt.exe
  2⤵
  PID:1456
- C:\Windows\System\FLnrkvI.exe
  C:\Windows\System\FLnrkvI.exe
  2⤵
  PID:6308
- C:\Windows\System\HwsrGbt.exe
  C:\Windows\System\HwsrGbt.exe
  2⤵
  PID:6368
- C:\Windows\System\TFPEIVX.exe
  C:\Windows\System\TFPEIVX.exe
  2⤵
  PID:6424
- C:\Windows\System\qkKwrXw.exe
  C:\Windows\System\qkKwrXw.exe
  2⤵
  PID:6476
- C:\Windows\System\QZHhSss.exe
  C:\Windows\System\QZHhSss.exe
  2⤵
  PID:6532
- C:\Windows\System\tyqXxCy.exe
  C:\Windows\System\tyqXxCy.exe
  2⤵
  PID:6624
- C:\Windows\System\ZxCTskP.exe
  C:\Windows\System\ZxCTskP.exe
  2⤵
  PID:6664
- C:\Windows\System\JhDZjSB.exe
  C:\Windows\System\JhDZjSB.exe
  2⤵
  PID:6740
- C:\Windows\System\TGzenMk.exe
  C:\Windows\System\TGzenMk.exe
  2⤵
  PID:6824
- C:\Windows\System\Yyxktyq.exe
  C:\Windows\System\Yyxktyq.exe
  2⤵
  PID:6880
- C:\Windows\System\pQsXWFp.exe
  C:\Windows\System\pQsXWFp.exe
  2⤵
  PID:6956
- C:\Windows\System\ZVUPrWR.exe
  C:\Windows\System\ZVUPrWR.exe
  2⤵
  PID:7024
- C:\Windows\System\AGCFjCj.exe
  C:\Windows\System\AGCFjCj.exe
  2⤵
  PID:7076
- C:\Windows\System\VLtIZQr.exe
  C:\Windows\System\VLtIZQr.exe
  2⤵
  PID:7148
- C:\Windows\System\YLtwMax.exe
  C:\Windows\System\YLtwMax.exe
  2⤵
  PID:6244
- C:\Windows\System\IbsSAwJ.exe
  C:\Windows\System\IbsSAwJ.exe
  2⤵
  PID:4464
- C:\Windows\System\cJrtAck.exe
  C:\Windows\System\cJrtAck.exe
  2⤵
  PID:5064
- C:\Windows\System\MiHMTRw.exe
  C:\Windows\System\MiHMTRw.exe
  2⤵
  PID:5192
- C:\Windows\System\KhyanqI.exe
  C:\Windows\System\KhyanqI.exe
  2⤵
  PID:6644
- C:\Windows\System\hEkLbmZ.exe
  C:\Windows\System\hEkLbmZ.exe
  2⤵
  PID:6796
- C:\Windows\System\gxLFppP.exe
  C:\Windows\System\gxLFppP.exe
  2⤵
  PID:6988
- C:\Windows\System\cTTkONv.exe
  C:\Windows\System\cTTkONv.exe
  2⤵
  PID:7096
- C:\Windows\System\aLnhkRv.exe
  C:\Windows\System\aLnhkRv.exe
  2⤵
  PID:32
- C:\Windows\System\TvkIVHm.exe
  C:\Windows\System\TvkIVHm.exe
  2⤵
  PID:6512
- C:\Windows\System\iwqtNhJ.exe
  C:\Windows\System\iwqtNhJ.exe
  2⤵
  PID:6820
- C:\Windows\System\SEUosvZ.exe
  C:\Windows\System\SEUosvZ.exe
  2⤵
  PID:7032
- C:\Windows\System\tdZLNUR.exe
  C:\Windows\System\tdZLNUR.exe
  2⤵
  PID:6568
- C:\Windows\System\QXkvQaK.exe
  C:\Windows\System\QXkvQaK.exe
  2⤵
  PID:6276
- C:\Windows\System\eJlTbgQ.exe
  C:\Windows\System\eJlTbgQ.exe
  2⤵
  PID:7176
- C:\Windows\System\htTpgUS.exe
  C:\Windows\System\htTpgUS.exe
  2⤵
  PID:7196
- C:\Windows\System\qbytZdV.exe
  C:\Windows\System\qbytZdV.exe
  2⤵
  PID:7232
- C:\Windows\System\gouecZi.exe
  C:\Windows\System\gouecZi.exe
  2⤵
  PID:7260
- C:\Windows\System\wfhiKuH.exe
  C:\Windows\System\wfhiKuH.exe
  2⤵
  PID:7288
- C:\Windows\System\TFoDPKf.exe
  C:\Windows\System\TFoDPKf.exe
  2⤵
  PID:7316
- C:\Windows\System\XEuFEJR.exe
  C:\Windows\System\XEuFEJR.exe
  2⤵
  PID:7344
- C:\Windows\System\nHBQlHm.exe
  C:\Windows\System\nHBQlHm.exe
  2⤵
  PID:7372
- C:\Windows\System\hTFjWxI.exe
  C:\Windows\System\hTFjWxI.exe
  2⤵
  PID:7404
- C:\Windows\System\QbHtQTh.exe
  C:\Windows\System\QbHtQTh.exe
  2⤵
  PID:7432
- C:\Windows\System\IwnDhST.exe
  C:\Windows\System\IwnDhST.exe
  2⤵
  PID:7460
- C:\Windows\System\rILvmul.exe
  C:\Windows\System\rILvmul.exe
  2⤵
  PID:7488
- C:\Windows\System\hEhTrgZ.exe
  C:\Windows\System\hEhTrgZ.exe
  2⤵
  PID:7516
- C:\Windows\System\rFerigf.exe
  C:\Windows\System\rFerigf.exe
  2⤵
  PID:7544
- C:\Windows\System\TQZwjEf.exe
  C:\Windows\System\TQZwjEf.exe
  2⤵
  PID:7572
- C:\Windows\System\cvaTEDp.exe
  C:\Windows\System\cvaTEDp.exe
  2⤵
  PID:7600
- C:\Windows\System\AvRNCPW.exe
  C:\Windows\System\AvRNCPW.exe
  2⤵
  PID:7628
- C:\Windows\System\wEcgKlT.exe
  C:\Windows\System\wEcgKlT.exe
  2⤵
  PID:7656
- C:\Windows\System\nDywnts.exe
  C:\Windows\System\nDywnts.exe
  2⤵
  PID:7684
- C:\Windows\System\TThkjka.exe
  C:\Windows\System\TThkjka.exe
  2⤵
  PID:7712
- C:\Windows\System\XPPTMDS.exe
  C:\Windows\System\XPPTMDS.exe
  2⤵
  PID:7736
- C:\Windows\System\wKwqfdj.exe
  C:\Windows\System\wKwqfdj.exe
  2⤵
  PID:7768
- C:\Windows\System\UilVfoz.exe
  C:\Windows\System\UilVfoz.exe
  2⤵
  PID:7796
- C:\Windows\System\fFULYiq.exe
  C:\Windows\System\fFULYiq.exe
  2⤵
  PID:7824
- C:\Windows\System\thSrcas.exe
  C:\Windows\System\thSrcas.exe
  2⤵
  PID:7852
- C:\Windows\System\NlgvVZy.exe
  C:\Windows\System\NlgvVZy.exe
  2⤵
  PID:7876
- C:\Windows\System\EOBoozM.exe
  C:\Windows\System\EOBoozM.exe
  2⤵
  PID:7908
- C:\Windows\System\RhzWijJ.exe
  C:\Windows\System\RhzWijJ.exe
  2⤵
  PID:7924
- C:\Windows\System\GghmdkL.exe
  C:\Windows\System\GghmdkL.exe
  2⤵
  PID:7952
- C:\Windows\System\rrGQZRc.exe
  C:\Windows\System\rrGQZRc.exe
  2⤵
  PID:7988
- C:\Windows\System\CBjzvbc.exe
  C:\Windows\System\CBjzvbc.exe
  2⤵
  PID:8012
- C:\Windows\System\BiAddIo.exe
  C:\Windows\System\BiAddIo.exe
  2⤵
  PID:8044
- C:\Windows\System\eqlYdaw.exe
  C:\Windows\System\eqlYdaw.exe
  2⤵
  PID:8076
- C:\Windows\System\qgGfuQs.exe
  C:\Windows\System\qgGfuQs.exe
  2⤵
  PID:8092
- C:\Windows\System\cjSkhac.exe
  C:\Windows\System\cjSkhac.exe
  2⤵
  PID:8128
- C:\Windows\System\VLIEXVB.exe
  C:\Windows\System\VLIEXVB.exe
  2⤵
  PID:8148
- C:\Windows\System\Hbneoor.exe
  C:\Windows\System\Hbneoor.exe
  2⤵
  PID:8180
- C:\Windows\System\ukQubuy.exe
  C:\Windows\System\ukQubuy.exe
  2⤵
  PID:1552
- C:\Windows\System\cTHSeum.exe
  C:\Windows\System\cTHSeum.exe
  2⤵
  PID:7252
- C:\Windows\System\bUrKOUB.exe
  C:\Windows\System\bUrKOUB.exe
  2⤵
  PID:7324
- C:\Windows\System\KlLUmEp.exe
  C:\Windows\System\KlLUmEp.exe
  2⤵
  PID:7400
- C:\Windows\System\mFIQHkV.exe
  C:\Windows\System\mFIQHkV.exe
  2⤵
  PID:7468
- C:\Windows\System\MbHdNXr.exe
  C:\Windows\System\MbHdNXr.exe
  2⤵
  PID:7540
- C:\Windows\System\KuFtqot.exe
  C:\Windows\System\KuFtqot.exe
  2⤵
  PID:7580
- C:\Windows\System\KBUROGu.exe
  C:\Windows\System\KBUROGu.exe
  2⤵
  PID:7652
- C:\Windows\System\tqJTeqs.exe
  C:\Windows\System\tqJTeqs.exe
  2⤵
  PID:7708
- C:\Windows\System\gUahQdM.exe
  C:\Windows\System\gUahQdM.exe
  2⤵
  PID:7756
- C:\Windows\System\WIQldUu.exe
  C:\Windows\System\WIQldUu.exe
  2⤵
  PID:7840
- C:\Windows\System\afeXmlf.exe
  C:\Windows\System\afeXmlf.exe
  2⤵
  PID:7888
- C:\Windows\System\FVvTTAo.exe
  C:\Windows\System\FVvTTAo.exe
  2⤵
  PID:7948
- C:\Windows\System\pwPSuVD.exe
  C:\Windows\System\pwPSuVD.exe
  2⤵
  PID:8028
- C:\Windows\System\wLOfZDM.exe
  C:\Windows\System\wLOfZDM.exe
  2⤵
  PID:8060
- C:\Windows\System\owjEign.exe
  C:\Windows\System\owjEign.exe
  2⤵
  PID:8140
- C:\Windows\System\WMPFccp.exe
  C:\Windows\System\WMPFccp.exe
  2⤵
  PID:7184
- C:\Windows\System\KIOInxE.exe
  C:\Windows\System\KIOInxE.exe
  2⤵
  PID:7356
- C:\Windows\System\ZauImoc.exe
  C:\Windows\System\ZauImoc.exe
  2⤵
  PID:7496
- C:\Windows\System\lDsLhXh.exe
  C:\Windows\System\lDsLhXh.exe
  2⤵
  PID:7680
- C:\Windows\System\gSVdfKN.exe
  C:\Windows\System\gSVdfKN.exe
  2⤵
  PID:7764
- C:\Windows\System\OTHhorb.exe
  C:\Windows\System\OTHhorb.exe
  2⤵
  PID:4288
- C:\Windows\System\DYiZLLZ.exe
  C:\Windows\System\DYiZLLZ.exe
  2⤵
  PID:8052
- C:\Windows\System\juiYOwm.exe
  C:\Windows\System\juiYOwm.exe
  2⤵
  PID:7240
- C:\Windows\System\ctiMPiq.exe
  C:\Windows\System\ctiMPiq.exe
  2⤵
  PID:7568
- C:\Windows\System\XOMSXjd.exe
  C:\Windows\System\XOMSXjd.exe
  2⤵
  PID:7748
- C:\Windows\System\ueGwjSt.exe
  C:\Windows\System\ueGwjSt.exe
  2⤵
  PID:8104
- C:\Windows\System\jMUGFXc.exe
  C:\Windows\System\jMUGFXc.exe
  2⤵
  PID:5456
- C:\Windows\System\nursJRX.exe
  C:\Windows\System\nursJRX.exe
  2⤵
  PID:7312
- C:\Windows\System\SfkqyVE.exe
  C:\Windows\System\SfkqyVE.exe
  2⤵
  PID:8216
- C:\Windows\System\HpppYKf.exe
  C:\Windows\System\HpppYKf.exe
  2⤵
  PID:8236
- C:\Windows\System\NJeLuid.exe
  C:\Windows\System\NJeLuid.exe
  2⤵
  PID:8264
- C:\Windows\System\lqBHIPe.exe
  C:\Windows\System\lqBHIPe.exe
  2⤵
  PID:8292
- C:\Windows\System\TBXBFlX.exe
  C:\Windows\System\TBXBFlX.exe
  2⤵
  PID:8324
- C:\Windows\System\lmhhalQ.exe
  C:\Windows\System\lmhhalQ.exe
  2⤵
  PID:8356
- C:\Windows\System\TWcyXml.exe
  C:\Windows\System\TWcyXml.exe
  2⤵
  PID:8376
- C:\Windows\System\gbvxmBq.exe
  C:\Windows\System\gbvxmBq.exe
  2⤵
  PID:8404
- C:\Windows\System\FDBfpCh.exe
  C:\Windows\System\FDBfpCh.exe
  2⤵
  PID:8432
- C:\Windows\System\HHTPNgn.exe
  C:\Windows\System\HHTPNgn.exe
  2⤵
  PID:8464
- C:\Windows\System\FrPUhvX.exe
  C:\Windows\System\FrPUhvX.exe
  2⤵
  PID:8488
- C:\Windows\System\BppJFkd.exe
  C:\Windows\System\BppJFkd.exe
  2⤵
  PID:8524
- C:\Windows\System\vMXKjpq.exe
  C:\Windows\System\vMXKjpq.exe
  2⤵
  PID:8552
- C:\Windows\System\cbLVuCc.exe
  C:\Windows\System\cbLVuCc.exe
  2⤵
  PID:8580
- C:\Windows\System\cxirtYh.exe
  C:\Windows\System\cxirtYh.exe
  2⤵
  PID:8608
- C:\Windows\System\BHpELOu.exe
  C:\Windows\System\BHpELOu.exe
  2⤵
  PID:8636
- C:\Windows\System\JPTxrca.exe
  C:\Windows\System\JPTxrca.exe
  2⤵
  PID:8668
- C:\Windows\System\sXGfKLO.exe
  C:\Windows\System\sXGfKLO.exe
  2⤵
  PID:8700
- C:\Windows\System\mptQDaM.exe
  C:\Windows\System\mptQDaM.exe
  2⤵
  PID:8728
- C:\Windows\System\ctJAWtu.exe
  C:\Windows\System\ctJAWtu.exe
  2⤵
  PID:8756
- C:\Windows\System\XWbpHCO.exe
  C:\Windows\System\XWbpHCO.exe
  2⤵
  PID:8780
- C:\Windows\System\kXtAgtA.exe
  C:\Windows\System\kXtAgtA.exe
  2⤵
  PID:8804
- C:\Windows\System\KuBxdwq.exe
  C:\Windows\System\KuBxdwq.exe
  2⤵
  PID:8832
- C:\Windows\System\pJMHiZw.exe
  C:\Windows\System\pJMHiZw.exe
  2⤵
  PID:8860
- C:\Windows\System\fiSdDza.exe
  C:\Windows\System\fiSdDza.exe
  2⤵
  PID:8888
- C:\Windows\System\gUTVZzr.exe
  C:\Windows\System\gUTVZzr.exe
  2⤵
  PID:8924
- C:\Windows\System\FeNllwM.exe
  C:\Windows\System\FeNllwM.exe
  2⤵
  PID:8948
- C:\Windows\System\GHILacV.exe
  C:\Windows\System\GHILacV.exe
  2⤵
  PID:8972
- C:\Windows\System\iaKjnzx.exe
  C:\Windows\System\iaKjnzx.exe
  2⤵
  PID:9000
- C:\Windows\System\BybIXOF.exe
  C:\Windows\System\BybIXOF.exe
  2⤵
  PID:9028
- C:\Windows\System\VCNRnoT.exe
  C:\Windows\System\VCNRnoT.exe
  2⤵
  PID:9060
- C:\Windows\System\NuuHVnC.exe
  C:\Windows\System\NuuHVnC.exe
  2⤵
  PID:9084
- C:\Windows\System\Bacfkme.exe
  C:\Windows\System\Bacfkme.exe
  2⤵
  PID:9116
- C:\Windows\System\WwvMSQb.exe
  C:\Windows\System\WwvMSQb.exe
  2⤵
  PID:9140
- C:\Windows\System\DTOdlgs.exe
  C:\Windows\System\DTOdlgs.exe
  2⤵
  PID:9168
- C:\Windows\System\XrCUzVb.exe
  C:\Windows\System\XrCUzVb.exe
  2⤵
  PID:9196
- C:\Windows\System\cVuFjxc.exe
  C:\Windows\System\cVuFjxc.exe
  2⤵
  PID:8224
- C:\Windows\System\JCDbAZn.exe
  C:\Windows\System\JCDbAZn.exe
  2⤵
  PID:8276
- C:\Windows\System\YGNjohK.exe
  C:\Windows\System\YGNjohK.exe
  2⤵
  PID:8364
- C:\Windows\System\aHyLVph.exe
  C:\Windows\System\aHyLVph.exe
  2⤵
  PID:8400
- C:\Windows\System\TnSKAFv.exe
  C:\Windows\System\TnSKAFv.exe
  2⤵
  PID:8480
- C:\Windows\System\xbbbSEa.exe
  C:\Windows\System\xbbbSEa.exe
  2⤵
  PID:8536
- C:\Windows\System\MAFKbaB.exe
  C:\Windows\System\MAFKbaB.exe
  2⤵
  PID:4268
- C:\Windows\System\XhLRyCB.exe
  C:\Windows\System\XhLRyCB.exe
  2⤵
  PID:8652
- C:\Windows\System\hUgoSjR.exe
  C:\Windows\System\hUgoSjR.exe
  2⤵
  PID:8736
- C:\Windows\System\gdHtGmj.exe
  C:\Windows\System\gdHtGmj.exe
  2⤵
  PID:8796
- C:\Windows\System\ieTzctQ.exe
  C:\Windows\System\ieTzctQ.exe
  2⤵
  PID:8856
- C:\Windows\System\QkrQCOE.exe
  C:\Windows\System\QkrQCOE.exe
  2⤵
  PID:8912
- C:\Windows\System\HjLKmgJ.exe
  C:\Windows\System\HjLKmgJ.exe
  2⤵
  PID:8984
- C:\Windows\System\qXbymfd.exe
  C:\Windows\System\qXbymfd.exe
  2⤵
  PID:9052
- C:\Windows\System\LYZPSqY.exe
  C:\Windows\System\LYZPSqY.exe
  2⤵
  PID:9108
- C:\Windows\System\gcgUrGK.exe
  C:\Windows\System\gcgUrGK.exe
  2⤵
  PID:9180
- C:\Windows\System\oKVoIje.exe
  C:\Windows\System\oKVoIje.exe
  2⤵
  PID:8260
- C:\Windows\System\ifqTUfe.exe
  C:\Windows\System\ifqTUfe.exe
  2⤵
  PID:8396
- C:\Windows\System\qHywflf.exe
  C:\Windows\System\qHywflf.exe
  2⤵
  PID:8532
- C:\Windows\System\HUOAwVq.exe
  C:\Windows\System\HUOAwVq.exe
  2⤵
  PID:8696
- C:\Windows\System\jUxcCdP.exe
  C:\Windows\System\jUxcCdP.exe
  2⤵
  PID:8828
- C:\Windows\System\xSMDOSr.exe
  C:\Windows\System\xSMDOSr.exe
  2⤵
  PID:9012
- C:\Windows\System\zACoZRd.exe
  C:\Windows\System\zACoZRd.exe
  2⤵
  PID:9136
- C:\Windows\System\XAnPpRq.exe
  C:\Windows\System\XAnPpRq.exe
  2⤵
  PID:8388
- C:\Windows\System\pbXqptb.exe
  C:\Windows\System\pbXqptb.exe
  2⤵
  PID:8648
- C:\Windows\System\sCaAUNo.exe
  C:\Windows\System\sCaAUNo.exe
  2⤵
  PID:9040
- C:\Windows\System\goFQKng.exe
  C:\Windows\System\goFQKng.exe
  2⤵
  PID:8232
- C:\Windows\System\IYXAqFq.exe
  C:\Windows\System\IYXAqFq.exe
  2⤵
  PID:9096
- C:\Windows\System\jFRxqVD.exe
  C:\Windows\System\jFRxqVD.exe
  2⤵
  PID:8900
- C:\Windows\System\aSnxZCd.exe
  C:\Windows\System\aSnxZCd.exe
  2⤵
  PID:9244
- C:\Windows\System\tazBbxI.exe
  C:\Windows\System\tazBbxI.exe
  2⤵
  PID:9272
- C:\Windows\System\oKjPnMJ.exe
  C:\Windows\System\oKjPnMJ.exe
  2⤵
  PID:9308
- C:\Windows\System\mZIrQDM.exe
  C:\Windows\System\mZIrQDM.exe
  2⤵
  PID:9332
- C:\Windows\System\nvYapmJ.exe
  C:\Windows\System\nvYapmJ.exe
  2⤵
  PID:9356
- C:\Windows\System\diMgvmh.exe
  C:\Windows\System\diMgvmh.exe
  2⤵
  PID:9384
- C:\Windows\System\sIKmlYF.exe
  C:\Windows\System\sIKmlYF.exe
  2⤵
  PID:9416
- C:\Windows\System\GUgpcur.exe
  C:\Windows\System\GUgpcur.exe
  2⤵
  PID:9436
- C:\Windows\System\yWfrRPD.exe
  C:\Windows\System\yWfrRPD.exe
  2⤵
  PID:9464
- C:\Windows\System\VmYdrEH.exe
  C:\Windows\System\VmYdrEH.exe
  2⤵
  PID:9492
- C:\Windows\System\XqVeuVS.exe
  C:\Windows\System\XqVeuVS.exe
  2⤵
  PID:9524
- C:\Windows\System\CYFSckz.exe
  C:\Windows\System\CYFSckz.exe
  2⤵
  PID:9548
- C:\Windows\System\ghjfJei.exe
  C:\Windows\System\ghjfJei.exe
  2⤵
  PID:9576
- C:\Windows\System\KNAtKOD.exe
  C:\Windows\System\KNAtKOD.exe
  2⤵
  PID:9604
- C:\Windows\System\uaKxhZm.exe
  C:\Windows\System\uaKxhZm.exe
  2⤵
  PID:9632
- C:\Windows\System\ziGxkDE.exe
  C:\Windows\System\ziGxkDE.exe
  2⤵
  PID:9660
- C:\Windows\System\QXkyFFI.exe
  C:\Windows\System\QXkyFFI.exe
  2⤵
  PID:9688
- C:\Windows\System\NntqTPw.exe
  C:\Windows\System\NntqTPw.exe
  2⤵
  PID:9716
- C:\Windows\System\hKjBgyd.exe
  C:\Windows\System\hKjBgyd.exe
  2⤵
  PID:9744
- C:\Windows\System\kPkTFjH.exe
  C:\Windows\System\kPkTFjH.exe
  2⤵
  PID:9772
- C:\Windows\System\huETnbu.exe
  C:\Windows\System\huETnbu.exe
  2⤵
  PID:9800
- C:\Windows\System\ApCiwFz.exe
  C:\Windows\System\ApCiwFz.exe
  2⤵
  PID:9828
- C:\Windows\System\XevcwbL.exe
  C:\Windows\System\XevcwbL.exe
  2⤵
  PID:9856
- C:\Windows\System\WNUVIQE.exe
  C:\Windows\System\WNUVIQE.exe
  2⤵
  PID:9892
- C:\Windows\System\BcfOEFT.exe
  C:\Windows\System\BcfOEFT.exe
  2⤵
  PID:9912
- C:\Windows\System\NkJiqXz.exe
  C:\Windows\System\NkJiqXz.exe
  2⤵
  PID:9940
- C:\Windows\System\RhziMzl.exe
  C:\Windows\System\RhziMzl.exe
  2⤵
  PID:9980
- C:\Windows\System\wzVnkKM.exe
  C:\Windows\System\wzVnkKM.exe
  2⤵
  PID:9996
- C:\Windows\System\pvbGbMN.exe
  C:\Windows\System\pvbGbMN.exe
  2⤵
  PID:10024
- C:\Windows\System\NHLZKRF.exe
  C:\Windows\System\NHLZKRF.exe
  2⤵
  PID:10052
- C:\Windows\System\LwSvgbx.exe
  C:\Windows\System\LwSvgbx.exe
  2⤵
  PID:10084
- C:\Windows\System\KTTipGZ.exe
  C:\Windows\System\KTTipGZ.exe
  2⤵
  PID:10108
- C:\Windows\System\CxhgSJa.exe
  C:\Windows\System\CxhgSJa.exe
  2⤵
  PID:10140
- C:\Windows\System\yLhVGJu.exe
  C:\Windows\System\yLhVGJu.exe
  2⤵
  PID:10164
- C:\Windows\System\gLxlWQI.exe
  C:\Windows\System\gLxlWQI.exe
  2⤵
  PID:10200
- C:\Windows\System\qUlBmaj.exe
  C:\Windows\System\qUlBmaj.exe
  2⤵
  PID:9260
- C:\Windows\System\XmgHlvU.exe
  C:\Windows\System\XmgHlvU.exe
  2⤵
  PID:3948
- C:\Windows\System\faBlmCe.exe
  C:\Windows\System\faBlmCe.exe
  2⤵
  PID:1424
- C:\Windows\System\RuXuUnm.exe
  C:\Windows\System\RuXuUnm.exe
  2⤵
  PID:9428
- C:\Windows\System\KxyquLa.exe
  C:\Windows\System\KxyquLa.exe
  2⤵
  PID:9532
- C:\Windows\System\cZlybXY.exe
  C:\Windows\System\cZlybXY.exe
  2⤵
  PID:9600
- C:\Windows\System\AvegbEB.exe
  C:\Windows\System\AvegbEB.exe
  2⤵
  PID:9656
- C:\Windows\System\pFTKUPS.exe
  C:\Windows\System\pFTKUPS.exe
  2⤵
  PID:9740
- C:\Windows\System\FMtAMDX.exe
  C:\Windows\System\FMtAMDX.exe
  2⤵
  PID:9792
- C:\Windows\System\nQTQVfL.exe
  C:\Windows\System\nQTQVfL.exe
  2⤵
  PID:9852
- C:\Windows\System\ZDaGQYn.exe
  C:\Windows\System\ZDaGQYn.exe
  2⤵
  PID:9936
- C:\Windows\System\OjkmCyh.exe
  C:\Windows\System\OjkmCyh.exe
  2⤵
  PID:9988
- C:\Windows\System\VlEaJbu.exe
  C:\Windows\System\VlEaJbu.exe
  2⤵
  PID:10048
- C:\Windows\System\kvMSsRL.exe
  C:\Windows\System\kvMSsRL.exe
  2⤵
  PID:10104
- C:\Windows\System\MowISRL.exe
  C:\Windows\System\MowISRL.exe
  2⤵
  PID:1712
- C:\Windows\System\rGHrApK.exe
  C:\Windows\System\rGHrApK.exe
  2⤵
  PID:940
- C:\Windows\System\INvIiCW.exe
  C:\Windows\System\INvIiCW.exe
  2⤵
  PID:9284
- C:\Windows\System\sevnkBs.exe
  C:\Windows\System\sevnkBs.exe
  2⤵
  PID:9460
- C:\Windows\System\UNaloqI.exe
  C:\Windows\System\UNaloqI.exe
  2⤵
  PID:9644
- C:\Windows\System\BzAIueM.exe
  C:\Windows\System\BzAIueM.exe
  2⤵
  PID:9764
- C:\Windows\System\pMUqqbi.exe
  C:\Windows\System\pMUqqbi.exe
  2⤵
  PID:3196
- C:\Windows\System\xbieSni.exe
  C:\Windows\System\xbieSni.exe
  2⤵
  PID:9960
- C:\Windows\System\puGpQBZ.exe
  C:\Windows\System\puGpQBZ.exe
  2⤵
  PID:10072
- C:\Windows\System\ntooZgl.exe
  C:\Windows\System\ntooZgl.exe
  2⤵
  PID:2888
- C:\Windows\System\MplrcED.exe
  C:\Windows\System\MplrcED.exe
  2⤵
  PID:9232
- C:\Windows\System\LtjgwVO.exe
  C:\Windows\System\LtjgwVO.exe
  2⤵
  PID:9588
- C:\Windows\System\aTbiMGY.exe
  C:\Windows\System\aTbiMGY.exe
  2⤵
  PID:4564
- C:\Windows\System\rGmZsSK.exe
  C:\Windows\System\rGmZsSK.exe
  2⤵
  PID:10036
- C:\Windows\System\lVTARpF.exe
  C:\Windows\System\lVTARpF.exe
  2⤵
  PID:9228
- C:\Windows\System\WHteTsh.exe
  C:\Windows\System\WHteTsh.exe
  2⤵
  PID:9820
- C:\Windows\System\DELoINx.exe
  C:\Windows\System\DELoINx.exe
  2⤵
  PID:868
- C:\Windows\System\vLEtpFQ.exe
  C:\Windows\System\vLEtpFQ.exe
  2⤵
  PID:10248
- C:\Windows\System\XutOOTO.exe
  C:\Windows\System\XutOOTO.exe
  2⤵
  PID:10272
- C:\Windows\System\aGAunsm.exe
  C:\Windows\System\aGAunsm.exe
  2⤵
  PID:10296
- C:\Windows\System\hVPFBbd.exe
  C:\Windows\System\hVPFBbd.exe
  2⤵
  PID:10320
- C:\Windows\System\GxFgEiJ.exe
  C:\Windows\System\GxFgEiJ.exe
  2⤵
  PID:10348
- C:\Windows\System\jjxrWPM.exe
  C:\Windows\System\jjxrWPM.exe
  2⤵
  PID:10376
- C:\Windows\System\nqqZacs.exe
  C:\Windows\System\nqqZacs.exe
  2⤵
  PID:10408
- C:\Windows\System\SVpTLbU.exe
  C:\Windows\System\SVpTLbU.exe
  2⤵
  PID:10432
- C:\Windows\System\ZCEbdNu.exe
  C:\Windows\System\ZCEbdNu.exe
  2⤵
  PID:10460
- C:\Windows\System\nxKqFxC.exe
  C:\Windows\System\nxKqFxC.exe
  2⤵
  PID:10492
- C:\Windows\System\RqDckCA.exe
  C:\Windows\System\RqDckCA.exe
  2⤵
  PID:10516
- C:\Windows\System\YzceSvJ.exe
  C:\Windows\System\YzceSvJ.exe
  2⤵
  PID:10544
- C:\Windows\System\pdScPWA.exe
  C:\Windows\System\pdScPWA.exe
  2⤵
  PID:10572
- C:\Windows\System\lCqRJWV.exe
  C:\Windows\System\lCqRJWV.exe
  2⤵
  PID:10600
- C:\Windows\System\CbpDJwz.exe
  C:\Windows\System\CbpDJwz.exe
  2⤵
  PID:10628
- C:\Windows\System\tdCdwCp.exe
  C:\Windows\System\tdCdwCp.exe
  2⤵
  PID:10656
- C:\Windows\System\DWytlLD.exe
  C:\Windows\System\DWytlLD.exe
  2⤵
  PID:10688
- C:\Windows\System\UgIWTSy.exe
  C:\Windows\System\UgIWTSy.exe
  2⤵
  PID:10716
- C:\Windows\System\DgMydqM.exe
  C:\Windows\System\DgMydqM.exe
  2⤵
  PID:10744
- C:\Windows\System\aqZCfPM.exe
  C:\Windows\System\aqZCfPM.exe
  2⤵
  PID:10772
- C:\Windows\System\IviqKDY.exe
  C:\Windows\System\IviqKDY.exe
  2⤵
  PID:10816
- C:\Windows\System\KuZNIgl.exe
  C:\Windows\System\KuZNIgl.exe
  2⤵
  PID:10832
- C:\Windows\System\ZvOgcBl.exe
  C:\Windows\System\ZvOgcBl.exe
  2⤵
  PID:10860
- C:\Windows\System\RaFrHnk.exe
  C:\Windows\System\RaFrHnk.exe
  2⤵
  PID:10892
- C:\Windows\System\oVwHWHg.exe
  C:\Windows\System\oVwHWHg.exe
  2⤵
  PID:10916
- C:\Windows\System\JMrpVjY.exe
  C:\Windows\System\JMrpVjY.exe
  2⤵
  PID:10944
- C:\Windows\System\TrOeTep.exe
  C:\Windows\System\TrOeTep.exe
  2⤵
  PID:10972
- C:\Windows\System\lTOfYjC.exe
  C:\Windows\System\lTOfYjC.exe
  2⤵
  PID:11000
- C:\Windows\System\wexRtuu.exe
  C:\Windows\System\wexRtuu.exe
  2⤵
  PID:11028
- C:\Windows\System\QjMNpav.exe
  C:\Windows\System\QjMNpav.exe
  2⤵
  PID:11056
- C:\Windows\System\gePqCQq.exe
  C:\Windows\System\gePqCQq.exe
  2⤵
  PID:11084
- C:\Windows\System\HvXvDJG.exe
  C:\Windows\System\HvXvDJG.exe
  2⤵
  PID:11112
- C:\Windows\System\JqXdIbo.exe
  C:\Windows\System\JqXdIbo.exe
  2⤵
  PID:11140
- C:\Windows\System\WDIKBKM.exe
  C:\Windows\System\WDIKBKM.exe
  2⤵
  PID:11168
- C:\Windows\System\KsbyUwU.exe
  C:\Windows\System\KsbyUwU.exe
  2⤵
  PID:11196
- C:\Windows\System\vUSeGfq.exe
  C:\Windows\System\vUSeGfq.exe
  2⤵
  PID:11224
- C:\Windows\System\bFEjsUB.exe
  C:\Windows\System\bFEjsUB.exe
  2⤵
  PID:11252
- C:\Windows\System\CqHBLtF.exe
  C:\Windows\System\CqHBLtF.exe
  2⤵
  PID:10280
- C:\Windows\System\wuCTgTA.exe
  C:\Windows\System\wuCTgTA.exe
  2⤵
  PID:10340
- C:\Windows\System\bjfnxoc.exe
  C:\Windows\System\bjfnxoc.exe
  2⤵
  PID:10400
- C:\Windows\System\EMciFPi.exe
  C:\Windows\System\EMciFPi.exe
  2⤵
  PID:10472
- C:\Windows\System\MJrJAmK.exe
  C:\Windows\System\MJrJAmK.exe
  2⤵
  PID:10540
- C:\Windows\System\KOYLnRz.exe
  C:\Windows\System\KOYLnRz.exe
  2⤵
  PID:10612
- C:\Windows\System\eubpPkD.exe
  C:\Windows\System\eubpPkD.exe
  2⤵
  PID:10668
- C:\Windows\System\CSUdDNT.exe
  C:\Windows\System\CSUdDNT.exe
  2⤵
  PID:3484
- C:\Windows\System\EhQdDKz.exe
  C:\Windows\System\EhQdDKz.exe
  2⤵
  PID:10768
- C:\Windows\System\fzdPieH.exe
  C:\Windows\System\fzdPieH.exe
  2⤵
  PID:10824
- C:\Windows\System\QEOmfQT.exe
  C:\Windows\System\QEOmfQT.exe
  2⤵
  PID:10856
- C:\Windows\System\XGQBUxL.exe
  C:\Windows\System\XGQBUxL.exe
  2⤵
  PID:10928
- C:\Windows\System\EMmNMwP.exe
  C:\Windows\System\EMmNMwP.exe
  2⤵
  PID:11024
- C:\Windows\System\OyuxTwa.exe
  C:\Windows\System\OyuxTwa.exe
  2⤵
  PID:11104
- C:\Windows\System\XxcNEQI.exe
  C:\Windows\System\XxcNEQI.exe
  2⤵
  PID:11180
- C:\Windows\System\lSAhlFv.exe
  C:\Windows\System\lSAhlFv.exe
  2⤵
  PID:11236
- C:\Windows\System\vqKreOl.exe
  C:\Windows\System\vqKreOl.exe
  2⤵
  PID:10316
- C:\Windows\System\dkPveme.exe
  C:\Windows\System\dkPveme.exe
  2⤵
  PID:10452
- C:\Windows\System\FcmcXSS.exe
  C:\Windows\System\FcmcXSS.exe
  2⤵
  PID:10596
- C:\Windows\System\TdwhfTZ.exe
  C:\Windows\System\TdwhfTZ.exe
  2⤵
  PID:3476
- C:\Windows\System\Lyjxbew.exe
  C:\Windows\System\Lyjxbew.exe
  2⤵
  PID:10812
- C:\Windows\System\rSOendU.exe
  C:\Windows\System\rSOendU.exe
  2⤵
  PID:10992
- C:\Windows\System\FcvSOWY.exe
  C:\Windows\System\FcvSOWY.exe
  2⤵
  PID:9376
- C:\Windows\System\NIhjeuZ.exe
  C:\Windows\System\NIhjeuZ.exe
  2⤵
  PID:9404
- C:\Windows\System\XEatCZq.exe
  C:\Windows\System\XEatCZq.exe
  2⤵
  PID:11220
- C:\Windows\System\iMXkegu.exe
  C:\Windows\System\iMXkegu.exe
  2⤵
  PID:10512
- C:\Windows\System\cHrgaEo.exe
  C:\Windows\System\cHrgaEo.exe
  2⤵
  PID:10792
- C:\Windows\System\vXaTSqC.exe
  C:\Windows\System\vXaTSqC.exe
  2⤵
  PID:10236
- C:\Windows\System\fbhZGyN.exe
  C:\Windows\System\fbhZGyN.exe
  2⤵
  PID:10308
- C:\Windows\System\dsdJwJW.exe
  C:\Windows\System\dsdJwJW.exe
  2⤵
  PID:11076
- C:\Windows\System\RGziKcJ.exe
  C:\Windows\System\RGziKcJ.exe
  2⤵
  PID:10764
- C:\Windows\System\vSwzsGX.exe
  C:\Windows\System\vSwzsGX.exe
  2⤵
  PID:11272
- C:\Windows\System\SkcYSHh.exe
  C:\Windows\System\SkcYSHh.exe
  2⤵
  PID:11300
- C:\Windows\System\nxtQTkL.exe
  C:\Windows\System\nxtQTkL.exe
  2⤵
  PID:11328
- C:\Windows\System\XklXWsn.exe
  C:\Windows\System\XklXWsn.exe
  2⤵
  PID:11356
- C:\Windows\System\wAsDgxW.exe
  C:\Windows\System\wAsDgxW.exe
  2⤵
  PID:11384
- C:\Windows\System\zhXIypP.exe
  C:\Windows\System\zhXIypP.exe
  2⤵
  PID:11412
- C:\Windows\System\DIGkpGa.exe
  C:\Windows\System\DIGkpGa.exe
  2⤵
  PID:11440
- C:\Windows\System\XPaeYxC.exe
  C:\Windows\System\XPaeYxC.exe
  2⤵
  PID:11468
- C:\Windows\System\SIyvuiH.exe
  C:\Windows\System\SIyvuiH.exe
  2⤵
  PID:11500
- C:\Windows\System\gdInMiR.exe
  C:\Windows\System\gdInMiR.exe
  2⤵
  PID:11528
- C:\Windows\System\nzVUSCw.exe
  C:\Windows\System\nzVUSCw.exe
  2⤵
  PID:11556
- C:\Windows\System\BzOCFzM.exe
  C:\Windows\System\BzOCFzM.exe
  2⤵
  PID:11584
- C:\Windows\System\lzgZZRx.exe
  C:\Windows\System\lzgZZRx.exe
  2⤵
  PID:11612
- C:\Windows\System\bscOtSZ.exe
  C:\Windows\System\bscOtSZ.exe
  2⤵
  PID:11640
- C:\Windows\System\NUSTFkl.exe
  C:\Windows\System\NUSTFkl.exe
  2⤵
  PID:11668
- C:\Windows\System\pVCdzRZ.exe
  C:\Windows\System\pVCdzRZ.exe
  2⤵
  PID:11696
- C:\Windows\System\zoJKaZa.exe
  C:\Windows\System\zoJKaZa.exe
  2⤵
  PID:11724
- C:\Windows\System\vMbfHZi.exe
  C:\Windows\System\vMbfHZi.exe
  2⤵
  PID:11752
- C:\Windows\System\kndrQjh.exe
  C:\Windows\System\kndrQjh.exe
  2⤵
  PID:11780
- C:\Windows\System\ngIeZWj.exe
  C:\Windows\System\ngIeZWj.exe
  2⤵
  PID:11808
- C:\Windows\System\tcWHGWX.exe
  C:\Windows\System\tcWHGWX.exe
  2⤵
  PID:11836
- C:\Windows\System\RONIvmW.exe
  C:\Windows\System\RONIvmW.exe
  2⤵
  PID:11864
- C:\Windows\System\kRtGYIR.exe
  C:\Windows\System\kRtGYIR.exe
  2⤵
  PID:11892
- C:\Windows\System\elfZZdc.exe
  C:\Windows\System\elfZZdc.exe
  2⤵
  PID:11920
- C:\Windows\System\LhEQdrl.exe
  C:\Windows\System\LhEQdrl.exe
  2⤵
  PID:11948
- C:\Windows\System\OEWiEuI.exe
  C:\Windows\System\OEWiEuI.exe
  2⤵
  PID:11976
- C:\Windows\System\skZFHpR.exe
  C:\Windows\System\skZFHpR.exe
  2⤵
  PID:12004
- C:\Windows\System\LrtOBOL.exe
  C:\Windows\System\LrtOBOL.exe
  2⤵
  PID:12032
- C:\Windows\System\wbRksGg.exe
  C:\Windows\System\wbRksGg.exe
  2⤵
  PID:12060
- C:\Windows\System\xGGIdDq.exe
  C:\Windows\System\xGGIdDq.exe
  2⤵
  PID:12088
- C:\Windows\System\aEDluSo.exe
  C:\Windows\System\aEDluSo.exe
  2⤵
  PID:12116
- C:\Windows\System\LgdWAYx.exe
  C:\Windows\System\LgdWAYx.exe
  2⤵
  PID:12144
- C:\Windows\System\TEtlQHa.exe
  C:\Windows\System\TEtlQHa.exe
  2⤵
  PID:12172
- C:\Windows\System\HAzTiAg.exe
  C:\Windows\System\HAzTiAg.exe
  2⤵
  PID:12200
- C:\Windows\System\DYnkdyS.exe
  C:\Windows\System\DYnkdyS.exe
  2⤵
  PID:12228
- C:\Windows\System\BCHrjKX.exe
  C:\Windows\System\BCHrjKX.exe
  2⤵
  PID:12256
- C:\Windows\System\bNzRdjm.exe
  C:\Windows\System\bNzRdjm.exe
  2⤵
  PID:12284
- C:\Windows\System\BpLPEGg.exe
  C:\Windows\System\BpLPEGg.exe
  2⤵
  PID:11312
- C:\Windows\System\KVslfzu.exe
  C:\Windows\System\KVslfzu.exe
  2⤵
  PID:11376
- C:\Windows\System\zjJWUge.exe
  C:\Windows\System\zjJWUge.exe
  2⤵
  PID:11436
- C:\Windows\System\puUNMZY.exe
  C:\Windows\System\puUNMZY.exe
  2⤵
  PID:11496
- C:\Windows\System\zbVvTNk.exe
  C:\Windows\System\zbVvTNk.exe
  2⤵
  PID:11568
- C:\Windows\System\GQSRFQF.exe
  C:\Windows\System\GQSRFQF.exe
  2⤵
  PID:11624
- C:\Windows\System\blcVEkJ.exe
  C:\Windows\System\blcVEkJ.exe
  2⤵
  PID:11688
- C:\Windows\System\DNCaTwS.exe
  C:\Windows\System\DNCaTwS.exe
  2⤵
  PID:11748
- C:\Windows\System\RGAgDMu.exe
  C:\Windows\System\RGAgDMu.exe
  2⤵
  PID:11820
- C:\Windows\System\hhvCYfP.exe
  C:\Windows\System\hhvCYfP.exe
  2⤵
  PID:11884
- C:\Windows\System\yLbXGCR.exe
  C:\Windows\System\yLbXGCR.exe
  2⤵
  PID:11944
- C:\Windows\System\gxFXYLg.exe
  C:\Windows\System\gxFXYLg.exe
  2⤵
  PID:12016
- C:\Windows\System\CeInkYs.exe
  C:\Windows\System\CeInkYs.exe
  2⤵
  PID:12072
- C:\Windows\System\jibgXHM.exe
  C:\Windows\System\jibgXHM.exe
  2⤵
  PID:12128
- C:\Windows\System\dLlfUyd.exe
  C:\Windows\System\dLlfUyd.exe
  2⤵
  PID:12192
- C:\Windows\System\XONlNzo.exe
  C:\Windows\System\XONlNzo.exe
  2⤵
  PID:12252
- C:\Windows\System\Acddguv.exe
  C:\Windows\System\Acddguv.exe
  2⤵
  PID:11340
- C:\Windows\System\TVzHIxt.exe
  C:\Windows\System\TVzHIxt.exe
  2⤵
  PID:11480
- C:\Windows\System\sXpROKL.exe
  C:\Windows\System\sXpROKL.exe
  2⤵
  PID:11608
- C:\Windows\System\hrgbyMQ.exe
  C:\Windows\System\hrgbyMQ.exe
  2⤵
  PID:11776
- C:\Windows\System\dIwODNo.exe
  C:\Windows\System\dIwODNo.exe
  2⤵
  PID:11932
- C:\Windows\System\gVUYtWp.exe
  C:\Windows\System\gVUYtWp.exe
  2⤵
  PID:12056
- C:\Windows\System\flntBtQ.exe
  C:\Windows\System\flntBtQ.exe
  2⤵
  PID:12220
- C:\Windows\System\vlJstHf.exe
  C:\Windows\System\vlJstHf.exe
  2⤵
  PID:11296
- C:\Windows\System\CPFiSqW.exe
  C:\Windows\System\CPFiSqW.exe
  2⤵
  PID:11736
- C:\Windows\System\NzwHPzS.exe
  C:\Windows\System\NzwHPzS.exe
  2⤵
  PID:11912
- C:\Windows\System\BBVZSFo.exe
  C:\Windows\System\BBVZSFo.exe
  2⤵
  PID:12184
- C:\Windows\System\zLvvgYL.exe
  C:\Windows\System\zLvvgYL.exe
  2⤵
  PID:1072
- C:\Windows\System\ZMksgcq.exe
  C:\Windows\System\ZMksgcq.exe
  2⤵
  PID:11292
- C:\Windows\System\WNLrhVc.exe
  C:\Windows\System\WNLrhVc.exe
  2⤵
  PID:12168
- C:\Windows\System\isVAXbw.exe
  C:\Windows\System\isVAXbw.exe
  2⤵
  PID:12316
- C:\Windows\System\EUxBhmq.exe
  C:\Windows\System\EUxBhmq.exe
  2⤵
  PID:12344
- C:\Windows\System\iicKZad.exe
  C:\Windows\System\iicKZad.exe
  2⤵
  PID:12372
- C:\Windows\System\tAmglyr.exe
  C:\Windows\System\tAmglyr.exe
  2⤵
  PID:12400
- C:\Windows\System\SyltlTH.exe
  C:\Windows\System\SyltlTH.exe
  2⤵
  PID:12428
- C:\Windows\System\aLOURDs.exe
  C:\Windows\System\aLOURDs.exe
  2⤵
  PID:12456
- C:\Windows\System\sqcROla.exe
  C:\Windows\System\sqcROla.exe
  2⤵
  PID:12484
- C:\Windows\System\PwmrDZa.exe
  C:\Windows\System\PwmrDZa.exe
  2⤵
  PID:12512
- C:\Windows\System\XhxbSKh.exe
  C:\Windows\System\XhxbSKh.exe
  2⤵
  PID:12540
- C:\Windows\System\LjfHLST.exe
  C:\Windows\System\LjfHLST.exe
  2⤵
  PID:12568
- C:\Windows\System\UdADYNv.exe
  C:\Windows\System\UdADYNv.exe
  2⤵
  PID:12596
- C:\Windows\System\lOtsgjS.exe
  C:\Windows\System\lOtsgjS.exe
  2⤵
  PID:12624
- C:\Windows\System\xzgvDLN.exe
  C:\Windows\System\xzgvDLN.exe
  2⤵
  PID:12652
- C:\Windows\System\StTmdyu.exe
  C:\Windows\System\StTmdyu.exe
  2⤵
  PID:12680
- C:\Windows\System\MBeVMVn.exe
  C:\Windows\System\MBeVMVn.exe
  2⤵
  PID:12708
- C:\Windows\System\pqnXZje.exe
  C:\Windows\System\pqnXZje.exe
  2⤵
  PID:12736
- C:\Windows\System\fvvSsXj.exe
  C:\Windows\System\fvvSsXj.exe
  2⤵
  PID:12764
- C:\Windows\System\iMWfwiq.exe
  C:\Windows\System\iMWfwiq.exe
  2⤵
  PID:12792
- C:\Windows\System\PUGMCnW.exe
  C:\Windows\System\PUGMCnW.exe
  2⤵
  PID:12820
- C:\Windows\System\LZfZxOE.exe
  C:\Windows\System\LZfZxOE.exe
  2⤵
  PID:12848
- C:\Windows\System\XZVeRmJ.exe
  C:\Windows\System\XZVeRmJ.exe
  2⤵
  PID:12876
- C:\Windows\System\EnywzOa.exe
  C:\Windows\System\EnywzOa.exe
  2⤵
  PID:12920
- C:\Windows\System\djqqePd.exe
  C:\Windows\System\djqqePd.exe
  2⤵
  PID:12936
- C:\Windows\System\AZixwcl.exe
  C:\Windows\System\AZixwcl.exe
  2⤵
  PID:12964
- C:\Windows\System\KYuSwGu.exe
  C:\Windows\System\KYuSwGu.exe
  2⤵
  PID:12992
- C:\Windows\System\SiqinlM.exe
  C:\Windows\System\SiqinlM.exe
  2⤵
  PID:13020
- C:\Windows\System\DAvrFHG.exe
  C:\Windows\System\DAvrFHG.exe
  2⤵
  PID:13048
- C:\Windows\System\mnFLnEA.exe
  C:\Windows\System\mnFLnEA.exe
  2⤵
  PID:13076
- C:\Windows\System\kSRxhNA.exe
  C:\Windows\System\kSRxhNA.exe
  2⤵
  PID:13104
- C:\Windows\System\OXJHRgV.exe
  C:\Windows\System\OXJHRgV.exe
  2⤵
  PID:13132
- C:\Windows\System\cEkJAjP.exe
  C:\Windows\System\cEkJAjP.exe
  2⤵
  PID:13160
- C:\Windows\System\RxvCTSl.exe
  C:\Windows\System\RxvCTSl.exe
  2⤵
  PID:13188
- C:\Windows\System\ZmrEuDx.exe
  C:\Windows\System\ZmrEuDx.exe
  2⤵
  PID:13216
- C:\Windows\System\TADgfgC.exe
  C:\Windows\System\TADgfgC.exe
  2⤵
  PID:13244
- C:\Windows\System\hSwCdxL.exe
  C:\Windows\System\hSwCdxL.exe
  2⤵
  PID:13272
- C:\Windows\System\rbptGxN.exe
  C:\Windows\System\rbptGxN.exe
  2⤵
  PID:13300
- C:\Windows\System\wDdflQx.exe
  C:\Windows\System\wDdflQx.exe
  2⤵
  PID:12312
- C:\Windows\System\apjPZsV.exe
  C:\Windows\System\apjPZsV.exe
  2⤵
  PID:12368
- C:\Windows\System\wzDsDps.exe
  C:\Windows\System\wzDsDps.exe
  2⤵
  PID:12440
- C:\Windows\System\PsmhlhA.exe
  C:\Windows\System\PsmhlhA.exe
  2⤵
  PID:12496
- C:\Windows\System\sxCleaA.exe
  C:\Windows\System\sxCleaA.exe
  2⤵
  PID:12560
- C:\Windows\System\ABeeszi.exe
  C:\Windows\System\ABeeszi.exe
  2⤵
  PID:12620
- C:\Windows\System\eddICqa.exe
  C:\Windows\System\eddICqa.exe
  2⤵
  PID:12676
- C:\Windows\System\AuRCxyT.exe
  C:\Windows\System\AuRCxyT.exe
  2⤵
  PID:548
- C:\Windows\System\GMkxbZB.exe
  C:\Windows\System\GMkxbZB.exe
  2⤵
  PID:12788
- C:\Windows\System\dkJmIyL.exe
  C:\Windows\System\dkJmIyL.exe
  2⤵
  PID:12860
- C:\Windows\System\FYZSwLu.exe
  C:\Windows\System\FYZSwLu.exe
  2⤵
  PID:12928
- C:\Windows\System\zsQbouU.exe
  C:\Windows\System\zsQbouU.exe
  2⤵
  PID:12988
- C:\Windows\System\HxnoJQi.exe
  C:\Windows\System\HxnoJQi.exe
  2⤵
  PID:13044
- C:\Windows\System\lycRdiO.exe
  C:\Windows\System\lycRdiO.exe
  2⤵
  PID:13116
- C:\Windows\System\XOWtMwT.exe
  C:\Windows\System\XOWtMwT.exe
  2⤵
  PID:13180
- C:\Windows\System\cONwYZm.exe
  C:\Windows\System\cONwYZm.exe
  2⤵
  PID:13240
- C:\Windows\System\McwQNCx.exe
  C:\Windows\System\McwQNCx.exe
  2⤵
  PID:11876
- C:\Windows\System\ENCvBkZ.exe
  C:\Windows\System\ENCvBkZ.exe
  2⤵
  PID:12420
- C:\Windows\System\BLuihKh.exe
  C:\Windows\System\BLuihKh.exe
  2⤵
  PID:12552
- C:\Windows\System\cDBwFeW.exe
  C:\Windows\System\cDBwFeW.exe
  2⤵
  PID:12704
- C:\Windows\System\ZPKXcjO.exe
  C:\Windows\System\ZPKXcjO.exe
  2⤵
  PID:12840
- C:\Windows\System\RdLPvBB.exe
  C:\Windows\System\RdLPvBB.exe
  2⤵
  PID:12984
- C:\Windows\System\fUVoiFV.exe
  C:\Windows\System\fUVoiFV.exe
  2⤵
  PID:13100
- C:\Windows\System\eFVENZa.exe
  C:\Windows\System\eFVENZa.exe
  2⤵
  PID:13268
- C:\Windows\System\aaUotGf.exe
  C:\Windows\System\aaUotGf.exe
  2⤵
  PID:12524
- C:\Windows\System\lcVhJwg.exe
  C:\Windows\System\lcVhJwg.exe
  2⤵
  PID:12816
- C:\Windows\System\VdenFdO.exe
  C:\Windows\System\VdenFdO.exe
  2⤵
  PID:12340
- C:\Windows\System\jRlwQhm.exe
  C:\Windows\System\jRlwQhm.exe
  2⤵
  PID:12756
- C:\Windows\System\HYIlYhO.exe
  C:\Windows\System\HYIlYhO.exe
  2⤵
  PID:12664
- C:\Windows\System\RWELAGm.exe
  C:\Windows\System\RWELAGm.exe
  2⤵
  PID:2700
- C:\Windows\System\HiMikmx.exe
  C:\Windows\System\HiMikmx.exe
  2⤵
  PID:13328
- C:\Windows\System\sPgCjCQ.exe
  C:\Windows\System\sPgCjCQ.exe
  2⤵
  PID:13356
- C:\Windows\System\yvNAgRM.exe
  C:\Windows\System\yvNAgRM.exe
  2⤵
  PID:13384
- C:\Windows\System\pvdWxTb.exe
  C:\Windows\System\pvdWxTb.exe
  2⤵
  PID:13412
- C:\Windows\System\VVNmCBi.exe
  C:\Windows\System\VVNmCBi.exe
  2⤵
  PID:13440
- C:\Windows\System\BMVrVLX.exe
  C:\Windows\System\BMVrVLX.exe
  2⤵
  PID:13468
- C:\Windows\System\kEBGhsf.exe
  C:\Windows\System\kEBGhsf.exe
  2⤵
  PID:13496
- C:\Windows\System\PETJXbw.exe
  C:\Windows\System\PETJXbw.exe
  2⤵
  PID:13524
- C:\Windows\System\YCfpADO.exe
  C:\Windows\System\YCfpADO.exe
  2⤵
  PID:13552
- C:\Windows\System\cqrYKqj.exe
  C:\Windows\System\cqrYKqj.exe
  2⤵
  PID:13580
- C:\Windows\System\dvfRFeI.exe
  C:\Windows\System\dvfRFeI.exe
  2⤵
  PID:13608
- C:\Windows\System\uylcJcU.exe
  C:\Windows\System\uylcJcU.exe
  2⤵
  PID:13636
- C:\Windows\System\ygMuAij.exe
  C:\Windows\System\ygMuAij.exe
  2⤵
  PID:13664
- C:\Windows\System\ZqdYTtI.exe
  C:\Windows\System\ZqdYTtI.exe
  2⤵
  PID:13692
- C:\Windows\System\TKBbrGI.exe
  C:\Windows\System\TKBbrGI.exe
  2⤵
  PID:13720
- C:\Windows\System\XPPamxo.exe
  C:\Windows\System\XPPamxo.exe
  2⤵
  PID:13748
- C:\Windows\System\wFspdub.exe
  C:\Windows\System\wFspdub.exe
  2⤵
  PID:13776
- C:\Windows\System\ebGPAMT.exe
  C:\Windows\System\ebGPAMT.exe
  2⤵
  PID:13804
- C:\Windows\System\xPCmnwp.exe
  C:\Windows\System\xPCmnwp.exe
  2⤵
  PID:13832
- C:\Windows\System\JVgFZLs.exe
  C:\Windows\System\JVgFZLs.exe
  2⤵
  PID:13860
- C:\Windows\System\ddYuNDK.exe
  C:\Windows\System\ddYuNDK.exe
  2⤵
  PID:13888
- C:\Windows\System\mPzOili.exe
  C:\Windows\System\mPzOili.exe
  2⤵
  PID:13916
- C:\Windows\System\sEsHosb.exe
  C:\Windows\System\sEsHosb.exe
  2⤵
  PID:13944
- C:\Windows\System\mrILIFn.exe
  C:\Windows\System\mrILIFn.exe
  2⤵
  PID:13972
- C:\Windows\System\wPNQmIc.exe
  C:\Windows\System\wPNQmIc.exe
  2⤵
  PID:14000
- C:\Windows\System\zYpDayg.exe
  C:\Windows\System\zYpDayg.exe
  2⤵
  PID:14028
- C:\Windows\System\BCsLpKf.exe
  C:\Windows\System\BCsLpKf.exe
  2⤵
  PID:14056
- C:\Windows\System\XShrCrJ.exe
  C:\Windows\System\XShrCrJ.exe
  2⤵
  PID:14084
- C:\Windows\System\GnqiBqR.exe
  C:\Windows\System\GnqiBqR.exe
  2⤵
  PID:14112
- C:\Windows\System\SrfKiNm.exe
  C:\Windows\System\SrfKiNm.exe
  2⤵
  PID:14152
- C:\Windows\System\AVSLZdg.exe
  C:\Windows\System\AVSLZdg.exe
  2⤵
  PID:14176
- C:\Windows\System\gdhZgVG.exe
  C:\Windows\System\gdhZgVG.exe
  2⤵
  PID:14216
- C:\Windows\System\kHgzKhv.exe
  C:\Windows\System\kHgzKhv.exe
  2⤵
  PID:14256
- C:\Windows\System\ISbZYoI.exe
  C:\Windows\System\ISbZYoI.exe
  2⤵
  PID:14300
- C:\Windows\System\DdOTHIz.exe
  C:\Windows\System\DdOTHIz.exe
  2⤵
  PID:4588
- C:\Windows\System\yUaFoUB.exe
  C:\Windows\System\yUaFoUB.exe
  2⤵
  PID:13376
- C:\Windows\System\ghfZcMz.exe
  C:\Windows\System\ghfZcMz.exe
  2⤵
  PID:13452
- C:\Windows\System\SJdhxkJ.exe
  C:\Windows\System\SJdhxkJ.exe
  2⤵
  PID:13492
- C:\Windows\System\EtfyhTZ.exe
  C:\Windows\System\EtfyhTZ.exe
  2⤵
  PID:13576
- C:\Windows\System\qsXZQTl.exe
  C:\Windows\System\qsXZQTl.exe
  2⤵
  PID:13648
- C:\Windows\System\VMLoWOo.exe
  C:\Windows\System\VMLoWOo.exe
  2⤵
  PID:13732
- C:\Windows\System\hRJqzxM.exe
  C:\Windows\System\hRJqzxM.exe
  2⤵
  PID:13796
- C:\Windows\System\XnueeLM.exe
  C:\Windows\System\XnueeLM.exe
  2⤵
  PID:13912
- C:\Windows\System\NfNSxoM.exe
  C:\Windows\System\NfNSxoM.exe
  2⤵
  PID:13996
- C:\Windows\System\eYDwgCA.exe
  C:\Windows\System\eYDwgCA.exe
  2⤵
  PID:14068
- C:\Windows\System\eybjuwS.exe
  C:\Windows\System\eybjuwS.exe
  2⤵
  PID:5596
- C:\Windows\System\XgeVyoB.exe
  C:\Windows\System\XgeVyoB.exe
  2⤵
  PID:14160
- C:\Windows\System\TTgHDiZ.exe
  C:\Windows\System\TTgHDiZ.exe
  2⤵
  PID:14268
- C:\Windows\System\pPXrSMl.exe
  C:\Windows\System\pPXrSMl.exe
  2⤵
  PID:13368
- C:\Windows\System\lRZwaae.exe
  C:\Windows\System\lRZwaae.exe
  2⤵
  PID:13564
- C:\Windows\System\sftxDGA.exe
  C:\Windows\System\sftxDGA.exe
  2⤵
  PID:5660
- C:\Windows\System\OUQhaaI.exe
  C:\Windows\System\OUQhaaI.exe
  2⤵
  PID:14052
- C:\Windows\System\FrbVqfe.exe
  C:\Windows\System\FrbVqfe.exe
  2⤵
  PID:3164
- C:\Windows\System\EtiuJxx.exe
  C:\Windows\System\EtiuJxx.exe
  2⤵
  PID:14248
- C:\Windows\System\KOFfEht.exe
  C:\Windows\System\KOFfEht.exe
  2⤵
  PID:13628
- C:\Windows\System\KcNykme.exe
  C:\Windows\System\KcNykme.exe
  2⤵
  PID:13716
- C:\Windows\System\mmozcRK.exe
  C:\Windows\System\mmozcRK.exe
  2⤵
  PID:13984
- C:\Windows\System\rkXNJTp.exe
  C:\Windows\System\rkXNJTp.exe
  2⤵
  PID:13488
- C:\Windows\System\UFlKSAx.exe
  C:\Windows\System\UFlKSAx.exe
  2⤵
  PID:14348
- C:\Windows\System\ilenvqf.exe
  C:\Windows\System\ilenvqf.exe
  2⤵
  PID:14372
- C:\Windows\System\xZFdliu.exe
  C:\Windows\System\xZFdliu.exe
  2⤵
  PID:14400
- C:\Windows\System\jRTuvrm.exe
  C:\Windows\System\jRTuvrm.exe
  2⤵
  PID:14436
- C:\Windows\System\QTsIxUC.exe
  C:\Windows\System\QTsIxUC.exe
  2⤵
  PID:14472
- C:\Windows\System\midRbLx.exe
  C:\Windows\System\midRbLx.exe
  2⤵
  PID:14500
- C:\Windows\System\XHcLzfC.exe
  C:\Windows\System\XHcLzfC.exe
  2⤵
  PID:14532
- C:\Windows\System\wwLXgWZ.exe
  C:\Windows\System\wwLXgWZ.exe
  2⤵
  PID:14564
- C:\Windows\System\bZkVSnQ.exe
  C:\Windows\System\bZkVSnQ.exe
  2⤵
  PID:14592
- C:\Windows\System\uaAJFAX.exe
  C:\Windows\System\uaAJFAX.exe
  2⤵
  PID:14620
- C:\Windows\System\ayoVdct.exe
  C:\Windows\System\ayoVdct.exe
  2⤵
  PID:14648
- C:\Windows\System\ixZAEbM.exe
  C:\Windows\System\ixZAEbM.exe
  2⤵
  PID:14680
- C:\Windows\System\nCUuUvb.exe
  C:\Windows\System\nCUuUvb.exe
  2⤵
  PID:14712
- C:\Windows\System\GcemHFF.exe
  C:\Windows\System\GcemHFF.exe
  2⤵
  PID:14744
- C:\Windows\System\iDPZpqr.exe
  C:\Windows\System\iDPZpqr.exe
  2⤵
  PID:14772
- C:\Windows\System\pkhreRj.exe
  C:\Windows\System\pkhreRj.exe
  2⤵
  PID:14800
- C:\Windows\System\mAhNeIY.exe
  C:\Windows\System\mAhNeIY.exe
  2⤵
  PID:14828
- C:\Windows\System\GPfTuNr.exe
  C:\Windows\System\GPfTuNr.exe
  2⤵
  PID:14856
- C:\Windows\System\MeOaLfn.exe
  C:\Windows\System\MeOaLfn.exe
  2⤵
  PID:14884
- C:\Windows\System\fWHTdSk.exe
  C:\Windows\System\fWHTdSk.exe
  2⤵
  PID:14912
- C:\Windows\System\pFERzTI.exe
  C:\Windows\System\pFERzTI.exe
  2⤵
  PID:14940
- C:\Windows\System\OgnwuRD.exe
  C:\Windows\System\OgnwuRD.exe
  2⤵
  PID:14968
- C:\Windows\System\nnYDkLq.exe
  C:\Windows\System\nnYDkLq.exe
  2⤵
  PID:14996
- C:\Windows\System\KPLFmOV.exe
  C:\Windows\System\KPLFmOV.exe
  2⤵
  PID:15024
- C:\Windows\System\ELLlcjB.exe
  C:\Windows\System\ELLlcjB.exe
  2⤵
  PID:15060
- C:\Windows\System\MIKXgGf.exe
  C:\Windows\System\MIKXgGf.exe
  2⤵
  PID:15104
- C:\Windows\System\RhPgUEP.exe
  C:\Windows\System\RhPgUEP.exe
  2⤵
  PID:15160
- C:\Windows\System\qNDYhtl.exe
  C:\Windows\System\qNDYhtl.exe
  2⤵
  PID:15188
- C:\Windows\System\UhEpIQp.exe
  C:\Windows\System\UhEpIQp.exe
  2⤵
  PID:15224
- C:\Windows\System\iaQgokh.exe
  C:\Windows\System\iaQgokh.exe
  2⤵
  PID:15252
- C:\Windows\System\HPKSkQj.exe
  C:\Windows\System\HPKSkQj.exe
  2⤵
  PID:15280
- C:\Windows\System\ZqafTcv.exe
  C:\Windows\System\ZqafTcv.exe
  2⤵
  PID:15316
- C:\Windows\System\noXUjbN.exe
  C:\Windows\System\noXUjbN.exe
  2⤵
  PID:15356
- C:\Windows\System\nxMxwVq.exe
  C:\Windows\System\nxMxwVq.exe
  2⤵
  PID:14360
- C:\Windows\System\lELpMtC.exe
  C:\Windows\System\lELpMtC.exe
  2⤵
  PID:14412
- C:\Windows\System\hpXqGmZ.exe
  C:\Windows\System\hpXqGmZ.exe
  2⤵
  PID:14484
- C:\Windows\System\QJjFfEo.exe
  C:\Windows\System\QJjFfEo.exe
  2⤵
  PID:14960

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:14704
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:15016

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4724

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2656

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6428

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6540

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7308

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7704

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6012

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5884

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4860

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:15036

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6520

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5088

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:32

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8076

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7224

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8264

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9444

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9696

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 8264 -ip 8264
1⤵
PID:8648

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7204

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13336

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9672
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 9672 -s 7624
  2⤵
  PID:10860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14676

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9992

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:10656

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5224

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11196

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4940

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 5224 -ip 5224
1⤵
PID:11668

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6308

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11812

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:6764

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2564

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:15056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2456

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6196
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 6196 -s 980
  2⤵
  PID:13628

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3492

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13944

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 6196 -ip 6196
1⤵
PID:7796

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14348

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:15064

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11860

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:7824

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7528

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12520

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7268

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7648

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14296

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14148

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12092

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7148

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12120

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:548

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5524

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\64MR4AY0\microsoft.windows[1].xml

Filesize
97B

MD5
eade1a8f8b02913c4dbcc0c1499d53a3

SHA1
609c71c0a3ffff2d2c2c4c695dd94357f271cdd9

SHA256
3cb590a16bbe151fd2c6344231ed6f2ca8b3abcf44143346a84edc50e9555d84

SHA512
fbfb8e6bb8c716a701c1d008c117ee8d08690de0745d7323e22cf6e7a8ed385e02314ec93ecd44d2fb3f7286148becb668f6a7d4759a536e2ef7d830b8f3536d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133885717099283386.txt

Filesize
87KB

MD5
0acdc7806b7544dce582f99347becd09

SHA1
dae5d9616baf814fd111fefc87043fca2b9703e3

SHA256
e4099e2e92c1269ed4181f8984b2089be44caed6d9e2b5176e86876fb62b6536

SHA512
2796c3bc55b45bdc9d6795e6743059ef8cf5cff3f3e7e072966427115c433347ef208b0237cc2ab226f2fc17d2db72ae8f021d2cd1180232dc1cc470ed72d775

Download Submit
C:\Windows\System\APNFGbI.exe

Filesize
6.0MB

MD5
2abd7f20bbb3224a28c25b12c6d16567

SHA1
282ac0fb9d654238ed868e73709e078e214fa4b3

SHA256
16af8636d01a71bad55d0fd1e556773456a43ccbe4150c6304d4c3a71767239b

SHA512
8c30a8b8d6d69110eb16f4b620ccc813832e92aacf2f0928251dd32a6461d8095d19b9c7ba2307ba7b478d5a7404c792985ca31535f4e857a8b74f9efd92114c

Download Submit
C:\Windows\System\ECOmyrp.exe

Filesize
6.0MB

MD5
6552ffef9cb95c3212b82770b8976ff4

SHA1
cf723f3dab9b08090ececff3df6a0969201f2fc7

SHA256
dda8bacc206d82e753dd26d403c2afa2ff938479f190dd42d2bc7cb2905644a9

SHA512
890f63b24ac683ba8ad07197103261953848a800962f8488ef4062495f253d62eff2b31169c77e28faace5fc414b436cfb8c14e0ba140be599693f8e8a3150b5

Download Submit
C:\Windows\System\HRnDgkU.exe

Filesize
6.0MB

MD5
f2d86ff39145ceff2d2fbbfb3bd9955c

SHA1
cfe8c6ec56498660c6ef2e168384853c8a34032f

SHA256
8303d49fd3a1ab27c4ce3fe6a02ef167e02535ae6d23dad487e6dd3faba541ec

SHA512
daf6f6fc155f10b1760ad7c07c566b9ed9ba7f5cb3c66596f3966699ded075cac5ea33cd8cc463704d39e0171a2414434795b6c3d0d87e9b6771b13fc2e6c35f

Download Submit
C:\Windows\System\JyllIWW.exe

Filesize
6.0MB

MD5
94e758c042e2dc9b37b28c97ba604bb8

SHA1
b4e61ac6529a93a6666425e8c3f595503b6ed1e8

SHA256
060bd0352d59cc576e8044d2cc6bc12614e9cba64db67f32e60496611462f534

SHA512
78c5470a558ecbc7d5ba2ee9aff4c6062fa1eba6d46b5c37ba78dde527fc7a5b63e1fbd81820ce0921012d88d8f96687c5d1b9d566d2cfb6ebe1c055db7f092c

Download Submit
C:\Windows\System\KzhmPYM.exe

Filesize
6.0MB

MD5
d62c9663cf8d007859306830f8caf9b4

SHA1
966ceb968328dc5cebf245d05cd84a6fad19db50

SHA256
c4f2c9e1ad482b3dc39806a7297299cab4576e913027621dcc6f18d3e3b9a205

SHA512
269fe5ca205ea5f09aa3fc8bbf0710a2220a74833183b26dcf7c8ddf3b74565b37d26d4caa35ded24c5dd2c47f2d121772d6dd3cb7a6cbe71c16c594d733a8be

Download Submit
C:\Windows\System\LQXnzim.exe

Filesize
6.0MB

MD5
4008a703c172bdcc242357bd00e6713c

SHA1
53872ce2bad558b3a4840af93d9693e14b0a5781

SHA256
b11ee6492f43680b986327d0c6f2d45de8c77e9bc67fc829bc5136eef8f22027

SHA512
35ac23675cc980ee8fc03f9efe0913c03fad655d282e88f4b3f816d58ea73ad4b447c78a57f8378fce8029718479c3609f4554b92c647bfc83c3bf1b0e035fbe

Download Submit
C:\Windows\System\LYgPCMk.exe

Filesize
6.0MB

MD5
9f88be5005e13b28e000d4fb9b14a8af

SHA1
c2de600931f326e418a9e86a8cf076053c7db1de

SHA256
fddbe120bf23848f503741e357b78cfae5ec647019f65658895c4f70c3ad5d5a

SHA512
ae7662a28b48a213900cc69a92e56b5be2ec07903e96c4a00396c3ce30c89805b8bdcaa904ad73cac8409c84565940a21267168ffefa54a69518701cb04af853

Download Submit
C:\Windows\System\LqYTMDr.exe

Filesize
6.0MB

MD5
d2f09a3c8aa46e2b18a42a94bea7d1a5

SHA1
dd40710b17ad76487ab729ba5ac5fb8d28650452

SHA256
29f39e0fef3a7b6488a6a1bb8d6932ffca7618eeaa4d0c1749f0f15daa41267a

SHA512
73cbf1343a50e5c6cbf75aa8dbb021525b859ba2b3e5993e95ece78d74e173a2900945d2ee61ea9a2f15eb2c4d92b508ec76c06acd92a6f2b4a66be30ae2de7a

Download Submit
C:\Windows\System\NiHtDMs.exe

Filesize
6.0MB

MD5
f17d7a78988b3928180ad41fae8dd7fb

SHA1
3edb68e60b656b75b970dd1ea1cae16537d7ef26

SHA256
cfd594c075d157d0e48f1e87671f34af6bc6f19c31d81bc403c1e19d78e8e16f

SHA512
287d209adfda7151aa9f58abfcc92ae6892df45230366531405361958e450395377e010d8fadaec18a44a9d0ea342797484b095caee08398b17561f5570f3834

Download Submit
C:\Windows\System\PUUuFdt.exe

Filesize
6.0MB

MD5
b9dbfcc37e36cc7e05bc61671b2d6b7c

SHA1
a9d5e583d30d7d702b301cb4f1b258d3afd130f1

SHA256
7f997ec69a6a30ebd88cde1927e569b8f4740e2c852a37984057b25e6bd3cf58

SHA512
ad4460f51a904899167f838472e472ea5031e63d765826697cd8132e39d7deb8f8f26008dfc937eae8fe2e517830ae8529e78730ba10209899bbf2f4be1907df

Download Submit
C:\Windows\System\QaCyxsQ.exe

Filesize
6.0MB

MD5
a3a7a3ca9a0c2490bf52e8268534bf2f

SHA1
348252cbfb548dfcf27b83bface235d8152b3bf3

SHA256
da321d2cb56968e640060ec9873919cced96b6d1291c9864cdd1aba5dbdac959

SHA512
8fb0d50298396ea9d5259349f35b4b844944594db93a62d1a6e6bce26ff66f6790d7238d5ddde056068bf75a1d7b3ae045159adf2527ee0f6648ccca869c58f5

Download Submit
C:\Windows\System\RkvnMeC.exe

Filesize
6.0MB

MD5
69acdeca2bfe45d44ff9a5d1cc29913b

SHA1
8798b54cd62ac13a0cdd93dc229c416f99d13b44

SHA256
da1877dbc7c7f8846b9290c56e728c0a450389a16ec7a0d1cf760273bba8d6c3

SHA512
febd306524daae98db8bca2cd85c5823f83256149985f0468f60b55b76ca23e573baed76c4de14e14f281da845f5f3de9ed46dca03abd1e7c9303bcf059cbcbc

Download Submit
C:\Windows\System\VtiRUhj.exe

Filesize
6.0MB

MD5
09704c025f15519c75d3b09cfbc9993b

SHA1
da76fc18a1906c7fcc083c3c8550e31f8c585eb0

SHA256
3fccacdfbd7bb96d4054baab7edcce4c208cdad50c76e41d77d5fdb1b60baae4

SHA512
22597bfe8bfb856c4e88968d00047ae6945fee38bbc3774c386c4a5cdb5e8ec33cd6aa684a02adf51ae8a3c930576ecbc6570442d9126d9b3ea286596cdb4885

Download Submit
C:\Windows\System\XLHdFcQ.exe

Filesize
6.0MB

MD5
6ab330d95a730cad274820806d9ea13c

SHA1
91600eca61d900c8cf56fc75a39aaac57c3423c2

SHA256
b255ec1729b79c6b99e658d7255b76429c7e1ff3d2e41bc10fe7524d9ef58008

SHA512
520a53ac9da98a10fbd7c6bf85917790c024689f2a6d910eece62021470b91838b760545a5c6467b229baeae72f4efcf33a5f578e22c426aa3363283f8bb98be

Download Submit
C:\Windows\System\ZSrsZNG.exe

Filesize
6.0MB

MD5
750125aae932047bb9ad4d5d88259b36

SHA1
29c57a5496a426d3b6787bc260af90ffee013933

SHA256
3ec2d166dacdff625439509a878bf30dbd69687cc9984e3e8d872b26552d6781

SHA512
dfbb03eaf80ecda9ffeee6cb6245d36dfd236e5e3d2994ab47fd0af63bc5832ebd455529549e266c5d3276e682cc50ad9ebb13d570d41648cde6a7c44a4c68f4

Download Submit
C:\Windows\System\cJjTTXQ.exe

Filesize
6.0MB

MD5
17064ab1d18cf872e6e3a1620804584c

SHA1
22c826d921d9165719a77a45ec1eec293cd32355

SHA256
49218e682910028008451dcbb04139434f17a82244b0c9897624df753b3c6e0d

SHA512
cf5d5604edc356320e7aea25380b0997c5dd668681b3ba86720495fc26e8d9813a7f9b147b3cf096ae62af1f1912a04d6fb2e0a2bc0a3f54d294ddcad3d81364

Download Submit
C:\Windows\System\eEnVxJg.exe

Filesize
6.0MB

MD5
41c39584ddcda67b8ef82685da77f66f

SHA1
ba6b2011b30b9d11664fbe60af5f49cac620cef0

SHA256
0dea481df1495c2b90f841e83d3382e25034fdd9af9d4a18225e2eeb66077e8c

SHA512
460512b32be09b2417635ef0433444ac0da22d8ae9acb40e8280b5c9632b6dfb5b01c21c08c5d2404619fcf336643b6409636c38a445e2901c8e49c5d99a515d

Download Submit
C:\Windows\System\lfNMNWx.exe

Filesize
6.0MB

MD5
64c9b2882dae7ea6e7202c154fd8d925

SHA1
d4265bd29d99247e0990d884d960c8635f71adbf

SHA256
672bd4eb8c90ebc80e361040f13c8559c88defd7af282b1f7abb291241327e8e

SHA512
24faf90ffc0b086c3ff8c24a3288895a0b5224cad8f76787d6a9abd66c4a1da6702e848acb548111e0c330b6e5f361eddda4253b797df092f316a49a7eafd155

Download Submit
C:\Windows\System\nmkMWdx.exe

Filesize
6.0MB

MD5
c204cda75469176050b20daf27f20687

SHA1
fcc159dd07ac79eafebdef098cd85b9c16b5bd6a

SHA256
5b39b9ed444efc915159f63122fcce3296979cc1aebc996937d78ad97647d244

SHA512
eac4b78754f97f67adfefaf5db3d4fe015a82d30b96d9027c0b824bd4389980ab7f19d30582eb15e166ed9d95c947465f620b23632854b5e2fec37b32eecd470

Download Submit
C:\Windows\System\oNViyln.exe

Filesize
6.0MB

MD5
ae54a29694a8a6230fe395c23dded6b2

SHA1
0b160ac9058d945711f37bc4e6565496a62a0425

SHA256
b1ff8b81f091311cd432ca1a2b98f62423b77b666fa7cfd770bc60763147bf85

SHA512
26fb735bb36dbdad705aca25fad863e1e86d023a030f2a54d629dfddaba677f1b2e9f902e6f31962640c21a4646318d806e0c93b1b891bb5c79a655054cd6eb5

Download Submit
C:\Windows\System\oyFEiwr.exe

Filesize
6.0MB

MD5
45bd3ee44b90be746e22c9f533423e88

SHA1
c56de58b6222bb0d018eee03f0e2a6108130c2a9

SHA256
c2e4a1885ab319c08572e94f9e2d4e8ebc9e3f84e412c2a309f8b9bd17f8afe2

SHA512
83665b1cbbb6cc07be187c9cda4f8e25fa27dcf94b23d176e668a340a5613bc1d3b0e4080897958bf9ab87646ccd88c9e591d72a2bf90bff8515bef44ea1fec7

Download Submit
C:\Windows\System\qLIYrAF.exe

Filesize
6.0MB

MD5
464e22920cdf2f7eb39af51be8889d37

SHA1
c2ac9238ad13225ccf1c089b8d1bfe462b107539

SHA256
27c0ad2d4d5a5f5fdb89b0b2212a4b73d28c8a323a8457666342ff605ad374c0

SHA512
cf172f512e7b88e94aa1e57119227c18fbd1c9e3a9a1ec759b2fec18130339e5990780afa69c1b87c1a64e1d41bfaec0ea4f46faf166558d4b94842552c76630

Download Submit
C:\Windows\System\qwMwTSx.exe

Filesize
6.0MB

MD5
54ed37a8f245c27e36fd2b2324db44c2

SHA1
cfd61ed8b9c49106dc5add22df174206c037cd45

SHA256
722e9b956315e50c182eead636524264cdc89514ea799aa49549fde5cd2bbe7b

SHA512
07fa0a0a97c69e4771010d16aa7b88859bbe647f5f5d609f0668bd1d77e0238d8cb7c71cb71ee5e155ef583ecc4a8b0708bbf754e4813c8111d9237ab3492fb2

Download Submit
C:\Windows\System\rIOuqxJ.exe

Filesize
6.0MB

MD5
6924286f462250f898f1ae020368e66a

SHA1
d6d2423e3c015990d37181854bda8e785c5fa31d

SHA256
3946aa2c0fed7e6bf4686bd681c19f8393027c9d00f44a2d5590a1520f7f97f2

SHA512
d1a46b351306f18d7f442feb21a6fa25404651cc7bb9feca64fedc5c1dbdab0af7eeed299a47568bee9d61ddc0d5d499c90cdbb1e7ee5792fdcdeffc7e6f0f74

Download Submit
C:\Windows\System\rQCegDl.exe

Filesize
6.0MB

MD5
6828a74b9d0740ffc50203f89a0b703e

SHA1
b34fe4bea08d03f1a01ca7430f8e1c281355b9ac

SHA256
28b46529251d26ae4dc921e2334343e143b2a8c0fd4fcffa82147f952594b7ab

SHA512
474f555a131704816f9438858e59fe50a83be4447c0748a3cf8ccf4651e40d1cc8e174f38954b3b88a32342d6444859fd9b8ad0e1ba3091b37e741fc9c0c1401

Download Submit
C:\Windows\System\vElxDUA.exe

Filesize
6.0MB

MD5
89478d5532910846e8e36537311020cd

SHA1
3cf93892351f39ba56c47173d603b30b0070e1eb

SHA256
e9c4539ac8b2d3e6cd6c5fab2792b992a8faf61e89ebe088d357b0285f56d673

SHA512
ebea30e1dd0000c3354f29df31a1626e2b2d101f372e62e53b50574cb0ef243213e0967c9ee47c88bde55e50e9a5e28c6296025f1989a467fc4d88f0394459d9

Download Submit
C:\Windows\System\wGzyAtg.exe

Filesize
6.0MB

MD5
f900f1d62189f4d1d592d3f5bb0452ba

SHA1
cd72b09fe12d82460a26b5e53de217b57b0b77a3

SHA256
f46bd0bf7ec01ea61eeda2f88913b7cfd69452e711c74cf453c444eb63ed92aa

SHA512
761761e4b61abaee4aa7cefc694b8edc3f47cc6a8aaa4845c3fb0f3f948ee86708cb538048b25acefb62674e37089861c6176d661b0b675c5520c63d2456d0e9

Download Submit
C:\Windows\System\wQPZkZP.exe

Filesize
6.0MB

MD5
dacbc87c1f77e5f267201122d038624c

SHA1
22383b70dd0ad62d6e1eb0ed4e326796f5bafef5

SHA256
db44294a789e8cf9d2a4cb6807608b5b2cbd0510fa9c782adafce4cff7884b4d

SHA512
dced8ac7feae6f707bf168333eeb2e22ad36a8327601b79fe8de0417cb8a11b83b8eb737e4eb2a4e6783be0a88a970cc129ac9a4a8fecb28bfa8018cfb60bf64

Download Submit
C:\Windows\System\xmjyqOg.exe

Filesize
6.0MB

MD5
823fd5ab0a9815e94663426b17a6a276

SHA1
ae20560dd32ff7b75583953a23b13c329acd52ab

SHA256
d317681c7608e6600271e7072755d87a86b8eb1c2d49148904313f0137f1af2f

SHA512
1113f20104d14298dab59e80947e40fde2c40821cad94c27e281264fa66fd5d2d300962c99b4ab3bf88a01f2b91a1450cd707f8d4267e35f632f40f710d814ca

Download Submit
C:\Windows\System\xylPbQF.exe

Filesize
6.0MB

MD5
638f37450d527f6ade437af0d0c5ae30

SHA1
3c73f7e66ec4302679c85854939d5e33770c688e

SHA256
cf15a0135d662a8c2da32dc02295866f16db0d34345c6ee6a200514cf5ff11ee

SHA512
acfe0b0d2cf1d58890cb9bd23b8bfec044b61da1c43d226fedb1aa8f2fcd4689fbedc6cde1fc56aeda955dfcef8202fd545f0ed956d1da4e3bc09ed26f23238b

Download Submit
C:\Windows\System\yIUoBCv.exe

Filesize
6.0MB

MD5
fff06cade4a5cded933b2cf8272392b4

SHA1
6bb3396d310ed7858588d9e036d30fab9106d8ef

SHA256
936339a3a01c731b10c0d5079ff8d2ffea77b30af6c9f1d4991d85efcb9c1f25

SHA512
bc1b1e3d787f5b52b1110346701b213d531483dc02b92b264172dc4fec23b16bbb10a063a0a42e2bc1eed873fdd9b26bf0d4090118c8e525d5e17c37c130b60e

Download Submit
C:\Windows\System\zNhEtcv.exe

Filesize
6.0MB

MD5
5f52f5af69acda220b8de626c077661a

SHA1
e673a4f31c1d4763fa8bc6f18e9a355adc9e4660

SHA256
f198948b96e4dc39fbe13041ddc681fa363bf3c15e55cdeecca7b99a6e93ab2f

SHA512
dc7d125f8a30bb0c01c567ade53a8650a0f2f1f1abea6c759792827c99478c6439ae3dbff0044fcc0209018f9260793f36f8f3ec83ac3810482c1f2eb94544e3

Download Submit
memory/400-62-0x00007FF7E5070000-0x00007FF7E53C4000-memory.dmp

Filesize
3.3MB

Download
memory/400-2031-0x00007FF7E5070000-0x00007FF7E53C4000-memory.dmp

Filesize
3.3MB

Download
memory/400-18-0x00007FF7E5070000-0x00007FF7E53C4000-memory.dmp

Filesize
3.3MB

Download
memory/640-104-0x00007FF7014C0000-0x00007FF701814000-memory.dmp

Filesize
3.3MB

Download
memory/640-2068-0x00007FF7014C0000-0x00007FF701814000-memory.dmp

Filesize
3.3MB

Download
memory/640-48-0x00007FF7014C0000-0x00007FF701814000-memory.dmp

Filesize
3.3MB

Download
memory/1700-69-0x00007FF703170000-0x00007FF7034C4000-memory.dmp

Filesize
3.3MB

Download
memory/1700-134-0x00007FF703170000-0x00007FF7034C4000-memory.dmp

Filesize
3.3MB

Download
memory/1700-2150-0x00007FF703170000-0x00007FF7034C4000-memory.dmp

Filesize
3.3MB

Download
memory/1716-68-0x00007FF62F2E0000-0x00007FF62F634000-memory.dmp

Filesize
3.3MB

Download
memory/1716-2038-0x00007FF62F2E0000-0x00007FF62F634000-memory.dmp

Filesize
3.3MB

Download
memory/1716-24-0x00007FF62F2E0000-0x00007FF62F634000-memory.dmp

Filesize
3.3MB

Download
memory/1736-0-0x00007FF653540000-0x00007FF653894000-memory.dmp

Filesize
3.3MB

Download
memory/1736-59-0x00007FF653540000-0x00007FF653894000-memory.dmp

Filesize
3.3MB

Download
memory/1736-1-0x0000021CB2710000-0x0000021CB2720000-memory.dmp

Filesize
64KB

Download
memory/2236-36-0x00007FF76AFC0000-0x00007FF76B314000-memory.dmp

Filesize
3.3MB

Download
memory/2236-2056-0x00007FF76AFC0000-0x00007FF76B314000-memory.dmp

Filesize
3.3MB

Download
memory/2236-93-0x00007FF76AFC0000-0x00007FF76B314000-memory.dmp

Filesize
3.3MB

Download
memory/2492-54-0x00007FF68FA60000-0x00007FF68FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2492-118-0x00007FF68FA60000-0x00007FF68FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2492-2072-0x00007FF68FA60000-0x00007FF68FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2852-89-0x00007FF67C7C0000-0x00007FF67CB14000-memory.dmp

Filesize
3.3MB

Download
memory/2852-30-0x00007FF67C7C0000-0x00007FF67CB14000-memory.dmp

Filesize
3.3MB

Download
memory/2852-2049-0x00007FF67C7C0000-0x00007FF67CB14000-memory.dmp

Filesize
3.3MB

Download
memory/2856-2060-0x00007FF738940000-0x00007FF738C94000-memory.dmp

Filesize
3.3MB

Download
memory/2856-99-0x00007FF738940000-0x00007FF738C94000-memory.dmp

Filesize
3.3MB

Download
memory/2856-42-0x00007FF738940000-0x00007FF738C94000-memory.dmp

Filesize
3.3MB

Download
memory/2940-2273-0x00007FF6E71D0000-0x00007FF6E7524000-memory.dmp

Filesize
3.3MB

Download
memory/2940-169-0x00007FF6E71D0000-0x00007FF6E7524000-memory.dmp

Filesize
3.3MB

Download
memory/2940-115-0x00007FF6E71D0000-0x00007FF6E7524000-memory.dmp

Filesize
3.3MB

Download
memory/2996-194-0x00007FF7F3B60000-0x00007FF7F3EB4000-memory.dmp

Filesize
3.3MB

Download
memory/2996-141-0x00007FF7F3B60000-0x00007FF7F3EB4000-memory.dmp

Filesize
3.3MB

Download
memory/2996-2278-0x00007FF7F3B60000-0x00007FF7F3EB4000-memory.dmp

Filesize
3.3MB

Download
memory/3128-2022-0x00007FF69C4A0000-0x00007FF69C7F4000-memory.dmp

Filesize
3.3MB

Download
memory/3128-8-0x00007FF69C4A0000-0x00007FF69C7F4000-memory.dmp

Filesize
3.3MB

Download
memory/3128-61-0x00007FF69C4A0000-0x00007FF69C7F4000-memory.dmp

Filesize
3.3MB

Download
memory/3328-484-0x00007FF63E3C0000-0x00007FF63E714000-memory.dmp

Filesize
3.3MB

Download
memory/3328-178-0x00007FF63E3C0000-0x00007FF63E714000-memory.dmp

Filesize
3.3MB

Download
memory/3328-2283-0x00007FF63E3C0000-0x00007FF63E714000-memory.dmp

Filesize
3.3MB

Download
memory/4716-2155-0x00007FF66A460000-0x00007FF66A7B4000-memory.dmp

Filesize
3.3MB

Download
memory/4716-76-0x00007FF66A460000-0x00007FF66A7B4000-memory.dmp

Filesize
3.3MB

Download
memory/4716-138-0x00007FF66A460000-0x00007FF66A7B4000-memory.dmp

Filesize
3.3MB

Download
memory/4764-2164-0x00007FF711000000-0x00007FF711354000-memory.dmp

Filesize
3.3MB

Download
memory/4764-84-0x00007FF711000000-0x00007FF711354000-memory.dmp

Filesize
3.3MB

Download
memory/4764-147-0x00007FF711000000-0x00007FF711354000-memory.dmp

Filesize
3.3MB

Download
memory/4812-91-0x00007FF7487E0000-0x00007FF748B34000-memory.dmp

Filesize
3.3MB

Download
memory/4812-154-0x00007FF7487E0000-0x00007FF748B34000-memory.dmp

Filesize
3.3MB

Download
memory/4812-2175-0x00007FF7487E0000-0x00007FF748B34000-memory.dmp

Filesize
3.3MB

Download
memory/4852-117-0x00007FF7E4830000-0x00007FF7E4B84000-memory.dmp

Filesize
3.3MB

Download
memory/4852-2274-0x00007FF7E4830000-0x00007FF7E4B84000-memory.dmp

Filesize
3.3MB

Download
memory/4892-2277-0x00007FF6C9430000-0x00007FF6C9784000-memory.dmp

Filesize
3.3MB

Download
memory/4892-187-0x00007FF6C9430000-0x00007FF6C9784000-memory.dmp

Filesize
3.3MB

Download
memory/4892-130-0x00007FF6C9430000-0x00007FF6C9784000-memory.dmp

Filesize
3.3MB

Download
memory/4916-195-0x00007FF697AF0000-0x00007FF697E44000-memory.dmp

Filesize
3.3MB

Download
memory/4916-2286-0x00007FF697AF0000-0x00007FF697E44000-memory.dmp

Filesize
3.3MB

Download
memory/4916-721-0x00007FF697AF0000-0x00007FF697E44000-memory.dmp

Filesize
3.3MB

Download
memory/4936-125-0x00007FF737400000-0x00007FF737754000-memory.dmp

Filesize
3.3MB

Download
memory/4936-180-0x00007FF737400000-0x00007FF737754000-memory.dmp

Filesize
3.3MB

Download
memory/4936-2276-0x00007FF737400000-0x00007FF737754000-memory.dmp

Filesize
3.3MB

Download
memory/5172-165-0x00007FF74D290000-0x00007FF74D5E4000-memory.dmp

Filesize
3.3MB

Download
memory/5172-2281-0x00007FF74D290000-0x00007FF74D5E4000-memory.dmp

Filesize
3.3MB

Download
memory/5304-2275-0x00007FF6E67A0000-0x00007FF6E6AF4000-memory.dmp

Filesize
3.3MB

Download
memory/5304-119-0x00007FF6E67A0000-0x00007FF6E6AF4000-memory.dmp

Filesize
3.3MB

Download
memory/5304-174-0x00007FF6E67A0000-0x00007FF6E6AF4000-memory.dmp

Filesize
3.3MB

Download
memory/5360-2279-0x00007FF7B5E60000-0x00007FF7B61B4000-memory.dmp

Filesize
3.3MB

Download
memory/5360-150-0x00007FF7B5E60000-0x00007FF7B61B4000-memory.dmp

Filesize
3.3MB

Download
memory/5376-599-0x00007FF641C40000-0x00007FF641F94000-memory.dmp

Filesize
3.3MB

Download
memory/5376-2285-0x00007FF641C40000-0x00007FF641F94000-memory.dmp

Filesize
3.3MB

Download
memory/5376-190-0x00007FF641C40000-0x00007FF641F94000-memory.dmp

Filesize
3.3MB

Download
memory/5404-2284-0x00007FF74B7C0000-0x00007FF74BB14000-memory.dmp

Filesize
3.3MB

Download
memory/5404-185-0x00007FF74B7C0000-0x00007FF74BB14000-memory.dmp

Filesize
3.3MB

Download
memory/5468-155-0x00007FF6CCF50000-0x00007FF6CD2A4000-memory.dmp

Filesize
3.3MB

Download
memory/5468-2280-0x00007FF6CCF50000-0x00007FF6CD2A4000-memory.dmp

Filesize
3.3MB

Download
memory/5468-252-0x00007FF6CCF50000-0x00007FF6CD2A4000-memory.dmp

Filesize
3.3MB

Download
memory/5848-82-0x00007FF675A20000-0x00007FF675D74000-memory.dmp

Filesize
3.3MB

Download
memory/5848-27-0x00007FF675A20000-0x00007FF675D74000-memory.dmp

Filesize
3.3MB

Download
memory/5848-2044-0x00007FF675A20000-0x00007FF675D74000-memory.dmp

Filesize
3.3MB

Download
memory/5968-2174-0x00007FF64FB10000-0x00007FF64FE64000-memory.dmp

Filesize
3.3MB

Download
memory/5968-94-0x00007FF64FB10000-0x00007FF64FE64000-memory.dmp

Filesize
3.3MB

Download
memory/5968-164-0x00007FF64FB10000-0x00007FF64FE64000-memory.dmp

Filesize
3.3MB

Download
memory/5972-2152-0x00007FF6BA510000-0x00007FF6BA864000-memory.dmp

Filesize
3.3MB

Download
memory/5972-66-0x00007FF6BA510000-0x00007FF6BA864000-memory.dmp

Filesize
3.3MB

Download
memory/5972-124-0x00007FF6BA510000-0x00007FF6BA864000-memory.dmp

Filesize
3.3MB

Download
memory/6116-304-0x00007FF632A80000-0x00007FF632DD4000-memory.dmp

Filesize
3.3MB

Download
memory/6116-2282-0x00007FF632A80000-0x00007FF632DD4000-memory.dmp

Filesize
3.3MB

Download
memory/6116-166-0x00007FF632A80000-0x00007FF632DD4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads