cobaltstrike | 702ee62a835bb2e618124654dab287c4aa602e7a7c16926c0aa7cab1d1734ef4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30/01/2025, 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
Size

6.0MB
MD5

a6fcfe5dab3ceef4fbfe116352cce6c8
SHA1

e6b1b36cac91e0dda12801c9e69b0cbdff1b3319
SHA256

702ee62a835bb2e618124654dab287c4aa602e7a7c16926c0aa7cab1d1734ef4
SHA512

2bf3cfe7f691004947fb664265a0be2448669088f3028e8f056d2fc20c823f94e201e250997314b92845b3528bfd203e34d8898691210c04e5a6fbf9c284f00f
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUD:T+q56utgpPF8u/7D

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 32 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b27-4.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c08-11.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c09-9.dat	cobalt_reflective_dll
behavioral2/files/0x000700000001e5cc-23.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c0a-30.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0d-40.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bf8-51.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0e-52.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0f-56.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c11-74.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c10-72.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c0c-38.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c21-87.dat	cobalt_reflective_dll
behavioral2/files/0x000600000001e5c5-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c24-108.dat	cobalt_reflective_dll
behavioral2/files/0x000500000001e6a0-115.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023adf-121.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c23-96.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c12-82.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ae3-130.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ad6-142.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ad8-147.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023ad5-138.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023adc-172.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ae1-184.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023adb-176.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ae2-189.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ae4-195.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c1d-204.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ae5-201.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023ad9-165.dat	cobalt_reflective_dll
behavioral2/files/0x000700000001e6a6-154.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3080-0-0x00007FF73FE50000-0x00007FF7401A4000-memory.dmp	xmrig
behavioral2/files/0x000c000000023b27-4.dat	xmrig
behavioral2/memory/5012-7-0x00007FF760F20000-0x00007FF761274000-memory.dmp	xmrig
behavioral2/files/0x0009000000023c08-11.dat	xmrig
behavioral2/memory/3668-12-0x00007FF775D20000-0x00007FF776074000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c09-9.dat	xmrig
behavioral2/memory/4924-20-0x00007FF66AD20000-0x00007FF66B074000-memory.dmp	xmrig
behavioral2/files/0x000700000001e5cc-23.dat	xmrig
behavioral2/files/0x0009000000023c0a-30.dat	xmrig
behavioral2/memory/5116-32-0x00007FF6B8B70000-0x00007FF6B8EC4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c0d-40.dat	xmrig
behavioral2/files/0x0009000000023bf8-51.dat	xmrig
behavioral2/files/0x0008000000023c0e-52.dat	xmrig
behavioral2/files/0x0008000000023c0f-56.dat	xmrig
behavioral2/memory/3668-76-0x00007FF775D20000-0x00007FF776074000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c11-74.dat	xmrig
behavioral2/files/0x0008000000023c10-72.dat	xmrig
behavioral2/memory/4324-71-0x00007FF6A22D0000-0x00007FF6A2624000-memory.dmp	xmrig
behavioral2/memory/3288-68-0x00007FF715120000-0x00007FF715474000-memory.dmp	xmrig
behavioral2/memory/5012-67-0x00007FF760F20000-0x00007FF761274000-memory.dmp	xmrig
behavioral2/memory/4928-62-0x00007FF614750000-0x00007FF614AA4000-memory.dmp	xmrig
behavioral2/memory/3080-60-0x00007FF73FE50000-0x00007FF7401A4000-memory.dmp	xmrig
behavioral2/memory/908-55-0x00007FF618F10000-0x00007FF619264000-memory.dmp	xmrig
behavioral2/memory/3788-50-0x00007FF7E8EB0000-0x00007FF7E9204000-memory.dmp	xmrig
behavioral2/memory/2216-41-0x00007FF77AB60000-0x00007FF77AEB4000-memory.dmp	xmrig
behavioral2/files/0x0009000000023c0c-38.dat	xmrig
behavioral2/memory/4556-37-0x00007FF6F9BC0000-0x00007FF6F9F14000-memory.dmp	xmrig
behavioral2/memory/1540-26-0x00007FF6F42F0000-0x00007FF6F4644000-memory.dmp	xmrig
behavioral2/memory/4632-84-0x00007FF652B20000-0x00007FF652E74000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c21-87.dat	xmrig
behavioral2/files/0x000600000001e5c5-104.dat	xmrig
behavioral2/files/0x0007000000023c24-108.dat	xmrig
behavioral2/files/0x000500000001e6a0-115.dat	xmrig
behavioral2/files/0x000b000000023adf-121.dat	xmrig
behavioral2/memory/2920-123-0x00007FF7B5150000-0x00007FF7B54A4000-memory.dmp	xmrig
behavioral2/memory/4928-122-0x00007FF614750000-0x00007FF614AA4000-memory.dmp	xmrig
behavioral2/memory/996-120-0x00007FF7BB0F0000-0x00007FF7BB444000-memory.dmp	xmrig
behavioral2/memory/908-117-0x00007FF618F10000-0x00007FF619264000-memory.dmp	xmrig
behavioral2/memory/4492-107-0x00007FF66B550000-0x00007FF66B8A4000-memory.dmp	xmrig
behavioral2/memory/3788-105-0x00007FF7E8EB0000-0x00007FF7E9204000-memory.dmp	xmrig
behavioral2/memory/1488-102-0x00007FF7025E0000-0x00007FF702934000-memory.dmp	xmrig
behavioral2/memory/2216-101-0x00007FF77AB60000-0x00007FF77AEB4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c23-96.dat	xmrig
behavioral2/memory/2800-95-0x00007FF759640000-0x00007FF759994000-memory.dmp	xmrig
behavioral2/memory/4556-94-0x00007FF6F9BC0000-0x00007FF6F9F14000-memory.dmp	xmrig
behavioral2/memory/4752-90-0x00007FF653E10000-0x00007FF654164000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c12-82.dat	xmrig
behavioral2/memory/1540-81-0x00007FF6F42F0000-0x00007FF6F4644000-memory.dmp	xmrig
behavioral2/files/0x000b000000023ae3-130.dat	xmrig
behavioral2/files/0x000b000000023ad6-142.dat	xmrig
behavioral2/memory/3648-143-0x00007FF6FD9D0000-0x00007FF6FDD24000-memory.dmp	xmrig
behavioral2/files/0x000b000000023ad8-147.dat	xmrig
behavioral2/memory/3304-150-0x00007FF7A38F0000-0x00007FF7A3C44000-memory.dmp	xmrig
behavioral2/files/0x000c000000023ad5-138.dat	xmrig
behavioral2/memory/2828-137-0x00007FF733C70000-0x00007FF733FC4000-memory.dmp	xmrig
behavioral2/memory/5024-131-0x00007FF6C0140000-0x00007FF6C0494000-memory.dmp	xmrig
behavioral2/memory/3288-126-0x00007FF715120000-0x00007FF715474000-memory.dmp	xmrig
behavioral2/memory/4324-127-0x00007FF6A22D0000-0x00007FF6A2624000-memory.dmp	xmrig
behavioral2/memory/2800-155-0x00007FF759640000-0x00007FF759994000-memory.dmp	xmrig
behavioral2/files/0x000c000000023adc-172.dat	xmrig
behavioral2/memory/2920-177-0x00007FF7B5150000-0x00007FF7B54A4000-memory.dmp	xmrig
behavioral2/files/0x000b000000023ae1-184.dat	xmrig
behavioral2/memory/5112-183-0x00007FF7B1500000-0x00007FF7B1854000-memory.dmp	xmrig
behavioral2/memory/3784-180-0x00007FF7B7470000-0x00007FF7B77C4000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
5012	GgdEoQk.exe
3668	pWuFIbW.exe
4924	zeDWbXV.exe
1540	piwhcul.exe
5116	scHRIlj.exe
4556	zghbFVt.exe
2216	awSxIQu.exe
3788	pZFZXLb.exe
908	IBHfiJr.exe
4928	PAjLkwQ.exe
3288	VqnSVTS.exe
4324	YreEEWl.exe
4632	OsheCkt.exe
4752	yrLxPkA.exe
2800	DeVsJTQ.exe
1488	doYlhPb.exe
4492	mZeEAVq.exe
996	KJyieAa.exe
2920	sECtqRg.exe
5024	SoUjfpB.exe
2828	ekzDVnm.exe
3648	tWAbfJI.exe
3304	BhKLOHf.exe
2492	PjHMNsZ.exe
964	QpogxuJ.exe
3964	ImLJjYp.exe
3784	ToPmMRR.exe
5112	IpxGQxu.exe
4344	CUxXYzq.exe
3492	knlANwM.exe
5040	wpkAVNR.exe
464	nqIKKAo.exe
3944	dAiXoJi.exe
2916	EZvYYHn.exe
220	dcZXseE.exe
5076	ePZkCCd.exe
2180	tkhIHcO.exe
2292	WRlmxee.exe
4304	dWTNamr.exe
1444	NdjeDXj.exe
4724	CcjbHok.exe
2652	YcrwvmC.exe
3892	LMceETt.exe
1948	GaXWKCo.exe
1852	DvPyPfe.exe
1956	xmpyefq.exe
2280	ntXYfoj.exe
1168	yWSyjVx.exe
1680	Olvvycl.exe
1340	hsvdMLn.exe
3996	XQhaXXw.exe
1624	WfOYCPP.exe
3200	YwHNIsw.exe
2448	JelvOPN.exe
3572	BjRzCbr.exe
5092	zJiVmOZ.exe
3680	sfofCFf.exe
3552	BOsMUTj.exe
1632	tiVEZCF.exe
2440	kbiTOgS.exe
3108	LrTdPEc.exe
1124	TuBmjIl.exe
3020	iIqgXTw.exe
4736	NooGPMs.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3080-0-0x00007FF73FE50000-0x00007FF7401A4000-memory.dmp	upx
behavioral2/files/0x000c000000023b27-4.dat	upx
behavioral2/memory/5012-7-0x00007FF760F20000-0x00007FF761274000-memory.dmp	upx
behavioral2/files/0x0009000000023c08-11.dat	upx
behavioral2/memory/3668-12-0x00007FF775D20000-0x00007FF776074000-memory.dmp	upx
behavioral2/files/0x0008000000023c09-9.dat	upx
behavioral2/memory/4924-20-0x00007FF66AD20000-0x00007FF66B074000-memory.dmp	upx
behavioral2/files/0x000700000001e5cc-23.dat	upx
behavioral2/files/0x0009000000023c0a-30.dat	upx
behavioral2/memory/5116-32-0x00007FF6B8B70000-0x00007FF6B8EC4000-memory.dmp	upx
behavioral2/files/0x0008000000023c0d-40.dat	upx
behavioral2/files/0x0009000000023bf8-51.dat	upx
behavioral2/files/0x0008000000023c0e-52.dat	upx
behavioral2/files/0x0008000000023c0f-56.dat	upx
behavioral2/memory/3668-76-0x00007FF775D20000-0x00007FF776074000-memory.dmp	upx
behavioral2/files/0x0008000000023c11-74.dat	upx
behavioral2/files/0x0008000000023c10-72.dat	upx
behavioral2/memory/4324-71-0x00007FF6A22D0000-0x00007FF6A2624000-memory.dmp	upx
behavioral2/memory/3288-68-0x00007FF715120000-0x00007FF715474000-memory.dmp	upx
behavioral2/memory/5012-67-0x00007FF760F20000-0x00007FF761274000-memory.dmp	upx
behavioral2/memory/4928-62-0x00007FF614750000-0x00007FF614AA4000-memory.dmp	upx
behavioral2/memory/3080-60-0x00007FF73FE50000-0x00007FF7401A4000-memory.dmp	upx
behavioral2/memory/908-55-0x00007FF618F10000-0x00007FF619264000-memory.dmp	upx
behavioral2/memory/3788-50-0x00007FF7E8EB0000-0x00007FF7E9204000-memory.dmp	upx
behavioral2/memory/2216-41-0x00007FF77AB60000-0x00007FF77AEB4000-memory.dmp	upx
behavioral2/files/0x0009000000023c0c-38.dat	upx
behavioral2/memory/4556-37-0x00007FF6F9BC0000-0x00007FF6F9F14000-memory.dmp	upx
behavioral2/memory/1540-26-0x00007FF6F42F0000-0x00007FF6F4644000-memory.dmp	upx
behavioral2/memory/4632-84-0x00007FF652B20000-0x00007FF652E74000-memory.dmp	upx
behavioral2/files/0x0008000000023c21-87.dat	upx
behavioral2/files/0x000600000001e5c5-104.dat	upx
behavioral2/files/0x0007000000023c24-108.dat	upx
behavioral2/files/0x000500000001e6a0-115.dat	upx
behavioral2/files/0x000b000000023adf-121.dat	upx
behavioral2/memory/2920-123-0x00007FF7B5150000-0x00007FF7B54A4000-memory.dmp	upx
behavioral2/memory/4928-122-0x00007FF614750000-0x00007FF614AA4000-memory.dmp	upx
behavioral2/memory/996-120-0x00007FF7BB0F0000-0x00007FF7BB444000-memory.dmp	upx
behavioral2/memory/908-117-0x00007FF618F10000-0x00007FF619264000-memory.dmp	upx
behavioral2/memory/4492-107-0x00007FF66B550000-0x00007FF66B8A4000-memory.dmp	upx
behavioral2/memory/3788-105-0x00007FF7E8EB0000-0x00007FF7E9204000-memory.dmp	upx
behavioral2/memory/1488-102-0x00007FF7025E0000-0x00007FF702934000-memory.dmp	upx
behavioral2/memory/2216-101-0x00007FF77AB60000-0x00007FF77AEB4000-memory.dmp	upx
behavioral2/files/0x0008000000023c23-96.dat	upx
behavioral2/memory/2800-95-0x00007FF759640000-0x00007FF759994000-memory.dmp	upx
behavioral2/memory/4556-94-0x00007FF6F9BC0000-0x00007FF6F9F14000-memory.dmp	upx
behavioral2/memory/4752-90-0x00007FF653E10000-0x00007FF654164000-memory.dmp	upx
behavioral2/files/0x0008000000023c12-82.dat	upx
behavioral2/memory/1540-81-0x00007FF6F42F0000-0x00007FF6F4644000-memory.dmp	upx
behavioral2/files/0x000b000000023ae3-130.dat	upx
behavioral2/files/0x000b000000023ad6-142.dat	upx
behavioral2/memory/3648-143-0x00007FF6FD9D0000-0x00007FF6FDD24000-memory.dmp	upx
behavioral2/files/0x000b000000023ad8-147.dat	upx
behavioral2/memory/3304-150-0x00007FF7A38F0000-0x00007FF7A3C44000-memory.dmp	upx
behavioral2/files/0x000c000000023ad5-138.dat	upx
behavioral2/memory/2828-137-0x00007FF733C70000-0x00007FF733FC4000-memory.dmp	upx
behavioral2/memory/5024-131-0x00007FF6C0140000-0x00007FF6C0494000-memory.dmp	upx
behavioral2/memory/3288-126-0x00007FF715120000-0x00007FF715474000-memory.dmp	upx
behavioral2/memory/4324-127-0x00007FF6A22D0000-0x00007FF6A2624000-memory.dmp	upx
behavioral2/memory/2800-155-0x00007FF759640000-0x00007FF759994000-memory.dmp	upx
behavioral2/files/0x000c000000023adc-172.dat	upx
behavioral2/memory/2920-177-0x00007FF7B5150000-0x00007FF7B54A4000-memory.dmp	upx
behavioral2/files/0x000b000000023ae1-184.dat	upx
behavioral2/memory/5112-183-0x00007FF7B1500000-0x00007FF7B1854000-memory.dmp	upx
behavioral2/memory/3784-180-0x00007FF7B7470000-0x00007FF7B77C4000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\qhyoWMN.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hSaiVSp.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vTOwESB.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GIbcLfK.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CiljYsr.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rtJxang.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cdmMvzy.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BOsMUTj.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iJFjUvj.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xsoStzJ.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bBpnBrI.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IJhhvtm.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GqJKsFG.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PAjLkwQ.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JzYEAwH.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ywiZGLf.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DNqiNbv.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FeJYauS.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zoDvsQb.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kAmuCNO.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hZBTKGv.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MymoDjL.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CHeAelB.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NooGPMs.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VyhzdrB.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PpXCirx.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RIEqkDA.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pbrfIYm.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qBeOIIP.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DnmaKiR.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RjzFGPu.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zGReAeC.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\itQvnZr.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\umUImIS.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KWtrLvI.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DvSHzdv.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rejGTJg.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xIRUZOL.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AjQqpvg.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WlKgCPF.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RVFYiDC.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ElabfrD.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pJOdpgh.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iRhohtl.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cOoKGBs.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KdgniFN.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dSuBxty.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\izPXVMr.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bCWXWjM.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\knlANwM.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GWcETJj.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qTXThiq.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qLlXVja.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZgQRuWu.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BFzXWky.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yrLxPkA.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eMNOkyH.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JiVlrPJ.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nJMchhZ.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EgsazsV.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mGVXeda.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tbDiQQN.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QXKeyuq.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\niAimFs.exe	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	14616	dwm.exe
Token: SeChangeNotifyPrivilege	14616	dwm.exe
Token: 33	14616	dwm.exe
Token: SeIncBasePriorityPrivilege	14616	dwm.exe
Token: SeShutdownPrivilege	14616	dwm.exe
Token: SeCreatePagefilePrivilege	14616	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 5012	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3080 wrote to memory of 5012	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3080 wrote to memory of 3668	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3080 wrote to memory of 3668	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3080 wrote to memory of 4924	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3080 wrote to memory of 4924	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3080 wrote to memory of 1540	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3080 wrote to memory of 1540	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3080 wrote to memory of 5116	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3080 wrote to memory of 5116	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3080 wrote to memory of 4556	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3080 wrote to memory of 4556	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3080 wrote to memory of 2216	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3080 wrote to memory of 2216	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3080 wrote to memory of 3788	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3080 wrote to memory of 3788	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3080 wrote to memory of 908	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3080 wrote to memory of 908	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3080 wrote to memory of 4928	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3080 wrote to memory of 4928	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3080 wrote to memory of 3288	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3080 wrote to memory of 3288	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3080 wrote to memory of 4324	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3080 wrote to memory of 4324	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3080 wrote to memory of 4632	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3080 wrote to memory of 4632	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3080 wrote to memory of 4752	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3080 wrote to memory of 4752	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3080 wrote to memory of 2800	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3080 wrote to memory of 2800	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3080 wrote to memory of 1488	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3080 wrote to memory of 1488	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3080 wrote to memory of 4492	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3080 wrote to memory of 4492	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3080 wrote to memory of 996	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3080 wrote to memory of 996	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3080 wrote to memory of 2920	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3080 wrote to memory of 2920	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3080 wrote to memory of 5024	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3080 wrote to memory of 5024	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3080 wrote to memory of 2828	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3080 wrote to memory of 2828	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3080 wrote to memory of 3648	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 3080 wrote to memory of 3648	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 3080 wrote to memory of 3304	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 3080 wrote to memory of 3304	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 3080 wrote to memory of 2492	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 3080 wrote to memory of 2492	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 3080 wrote to memory of 964	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 3080 wrote to memory of 964	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 3080 wrote to memory of 3964	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 3080 wrote to memory of 3964	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 3080 wrote to memory of 3784	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 3080 wrote to memory of 3784	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 3080 wrote to memory of 5112	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 3080 wrote to memory of 5112	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 3080 wrote to memory of 4344	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	117
PID 3080 wrote to memory of 4344	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	117
PID 3080 wrote to memory of 3492	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	118
PID 3080 wrote to memory of 3492	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	118
PID 3080 wrote to memory of 5040	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	119
PID 3080 wrote to memory of 5040	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	119
PID 3080 wrote to memory of 464	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	120
PID 3080 wrote to memory of 464	3080	2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe	120

C:\Users\Admin\AppData\Local\Temp\2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-30_a6fcfe5dab3ceef4fbfe116352cce6c8_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\System\GgdEoQk.exe
  C:\Windows\System\GgdEoQk.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\pWuFIbW.exe
  C:\Windows\System\pWuFIbW.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\zeDWbXV.exe
  C:\Windows\System\zeDWbXV.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\piwhcul.exe
  C:\Windows\System\piwhcul.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\scHRIlj.exe
  C:\Windows\System\scHRIlj.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\zghbFVt.exe
  C:\Windows\System\zghbFVt.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\awSxIQu.exe
  C:\Windows\System\awSxIQu.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\pZFZXLb.exe
  C:\Windows\System\pZFZXLb.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System\IBHfiJr.exe
  C:\Windows\System\IBHfiJr.exe
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\System\PAjLkwQ.exe
  C:\Windows\System\PAjLkwQ.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\VqnSVTS.exe
  C:\Windows\System\VqnSVTS.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System\YreEEWl.exe
  C:\Windows\System\YreEEWl.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System\OsheCkt.exe
  C:\Windows\System\OsheCkt.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System\yrLxPkA.exe
  C:\Windows\System\yrLxPkA.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System\DeVsJTQ.exe
  C:\Windows\System\DeVsJTQ.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\doYlhPb.exe
  C:\Windows\System\doYlhPb.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\mZeEAVq.exe
  C:\Windows\System\mZeEAVq.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\KJyieAa.exe
  C:\Windows\System\KJyieAa.exe
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\System\sECtqRg.exe
  C:\Windows\System\sECtqRg.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\SoUjfpB.exe
  C:\Windows\System\SoUjfpB.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\ekzDVnm.exe
  C:\Windows\System\ekzDVnm.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\tWAbfJI.exe
  C:\Windows\System\tWAbfJI.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\BhKLOHf.exe
  C:\Windows\System\BhKLOHf.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System\PjHMNsZ.exe
  C:\Windows\System\PjHMNsZ.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\QpogxuJ.exe
  C:\Windows\System\QpogxuJ.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\ImLJjYp.exe
  C:\Windows\System\ImLJjYp.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System\ToPmMRR.exe
  C:\Windows\System\ToPmMRR.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System\IpxGQxu.exe
  C:\Windows\System\IpxGQxu.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\CUxXYzq.exe
  C:\Windows\System\CUxXYzq.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\knlANwM.exe
  C:\Windows\System\knlANwM.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System\wpkAVNR.exe
  C:\Windows\System\wpkAVNR.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\nqIKKAo.exe
  C:\Windows\System\nqIKKAo.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\dAiXoJi.exe
  C:\Windows\System\dAiXoJi.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\EZvYYHn.exe
  C:\Windows\System\EZvYYHn.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\dcZXseE.exe
  C:\Windows\System\dcZXseE.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\ePZkCCd.exe
  C:\Windows\System\ePZkCCd.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\tkhIHcO.exe
  C:\Windows\System\tkhIHcO.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\WRlmxee.exe
  C:\Windows\System\WRlmxee.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\dWTNamr.exe
  C:\Windows\System\dWTNamr.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\NdjeDXj.exe
  C:\Windows\System\NdjeDXj.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\CcjbHok.exe
  C:\Windows\System\CcjbHok.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\YcrwvmC.exe
  C:\Windows\System\YcrwvmC.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\LMceETt.exe
  C:\Windows\System\LMceETt.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\GaXWKCo.exe
  C:\Windows\System\GaXWKCo.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\DvPyPfe.exe
  C:\Windows\System\DvPyPfe.exe
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\System\xmpyefq.exe
  C:\Windows\System\xmpyefq.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\ntXYfoj.exe
  C:\Windows\System\ntXYfoj.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\yWSyjVx.exe
  C:\Windows\System\yWSyjVx.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System\Olvvycl.exe
  C:\Windows\System\Olvvycl.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System\hsvdMLn.exe
  C:\Windows\System\hsvdMLn.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\System\XQhaXXw.exe
  C:\Windows\System\XQhaXXw.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\WfOYCPP.exe
  C:\Windows\System\WfOYCPP.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\YwHNIsw.exe
  C:\Windows\System\YwHNIsw.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System\JelvOPN.exe
  C:\Windows\System\JelvOPN.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\BjRzCbr.exe
  C:\Windows\System\BjRzCbr.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System\zJiVmOZ.exe
  C:\Windows\System\zJiVmOZ.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\sfofCFf.exe
  C:\Windows\System\sfofCFf.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\BOsMUTj.exe
  C:\Windows\System\BOsMUTj.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System\tiVEZCF.exe
  C:\Windows\System\tiVEZCF.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\kbiTOgS.exe
  C:\Windows\System\kbiTOgS.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\LrTdPEc.exe
  C:\Windows\System\LrTdPEc.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System\TuBmjIl.exe
  C:\Windows\System\TuBmjIl.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\System\iIqgXTw.exe
  C:\Windows\System\iIqgXTw.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\NooGPMs.exe
  C:\Windows\System\NooGPMs.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\INjjjpx.exe
  C:\Windows\System\INjjjpx.exe
  2⤵
  PID:5000
- C:\Windows\System\rbNYEVJ.exe
  C:\Windows\System\rbNYEVJ.exe
  2⤵
  PID:2552
- C:\Windows\System\rxAwnzQ.exe
  C:\Windows\System\rxAwnzQ.exe
  2⤵
  PID:616
- C:\Windows\System\XeIVIRr.exe
  C:\Windows\System\XeIVIRr.exe
  2⤵
  PID:4564
- C:\Windows\System\hWLNTJK.exe
  C:\Windows\System\hWLNTJK.exe
  2⤵
  PID:1980
- C:\Windows\System\oSjbUrF.exe
  C:\Windows\System\oSjbUrF.exe
  2⤵
  PID:3008
- C:\Windows\System\bIYNzzR.exe
  C:\Windows\System\bIYNzzR.exe
  2⤵
  PID:448
- C:\Windows\System\MHIONXu.exe
  C:\Windows\System\MHIONXu.exe
  2⤵
  PID:5032
- C:\Windows\System\RdBaVLU.exe
  C:\Windows\System\RdBaVLU.exe
  2⤵
  PID:2736
- C:\Windows\System\qBeOIIP.exe
  C:\Windows\System\qBeOIIP.exe
  2⤵
  PID:4292
- C:\Windows\System\dtpkzoO.exe
  C:\Windows\System\dtpkzoO.exe
  2⤵
  PID:444
- C:\Windows\System\nxztLkQ.exe
  C:\Windows\System\nxztLkQ.exe
  2⤵
  PID:3872
- C:\Windows\System\pJOdpgh.exe
  C:\Windows\System\pJOdpgh.exe
  2⤵
  PID:2044
- C:\Windows\System\lGoSvGC.exe
  C:\Windows\System\lGoSvGC.exe
  2⤵
  PID:2416
- C:\Windows\System\hDcDwbp.exe
  C:\Windows\System\hDcDwbp.exe
  2⤵
  PID:4828
- C:\Windows\System\dojEaaG.exe
  C:\Windows\System\dojEaaG.exe
  2⤵
  PID:1420
- C:\Windows\System\hVedvXm.exe
  C:\Windows\System\hVedvXm.exe
  2⤵
  PID:2996
- C:\Windows\System\iCzFkik.exe
  C:\Windows\System\iCzFkik.exe
  2⤵
  PID:4000
- C:\Windows\System\PqHGCCE.exe
  C:\Windows\System\PqHGCCE.exe
  2⤵
  PID:4800
- C:\Windows\System\jtLEvqE.exe
  C:\Windows\System\jtLEvqE.exe
  2⤵
  PID:4172
- C:\Windows\System\fRhrYRs.exe
  C:\Windows\System\fRhrYRs.exe
  2⤵
  PID:2064
- C:\Windows\System\HxQerLq.exe
  C:\Windows\System\HxQerLq.exe
  2⤵
  PID:4668
- C:\Windows\System\AcLuIrB.exe
  C:\Windows\System\AcLuIrB.exe
  2⤵
  PID:5136
- C:\Windows\System\LWxOUeO.exe
  C:\Windows\System\LWxOUeO.exe
  2⤵
  PID:5172
- C:\Windows\System\jQsafqW.exe
  C:\Windows\System\jQsafqW.exe
  2⤵
  PID:5200
- C:\Windows\System\pNFGtsH.exe
  C:\Windows\System\pNFGtsH.exe
  2⤵
  PID:5228
- C:\Windows\System\sMdKcid.exe
  C:\Windows\System\sMdKcid.exe
  2⤵
  PID:5260
- C:\Windows\System\trMulcY.exe
  C:\Windows\System\trMulcY.exe
  2⤵
  PID:5292
- C:\Windows\System\iFgKphJ.exe
  C:\Windows\System\iFgKphJ.exe
  2⤵
  PID:5308
- C:\Windows\System\lRNArOO.exe
  C:\Windows\System\lRNArOO.exe
  2⤵
  PID:5348
- C:\Windows\System\sUpdxKo.exe
  C:\Windows\System\sUpdxKo.exe
  2⤵
  PID:5372
- C:\Windows\System\rtYhHJt.exe
  C:\Windows\System\rtYhHJt.exe
  2⤵
  PID:5408
- C:\Windows\System\DMOVeqy.exe
  C:\Windows\System\DMOVeqy.exe
  2⤵
  PID:5424
- C:\Windows\System\fVdrmtd.exe
  C:\Windows\System\fVdrmtd.exe
  2⤵
  PID:5452
- C:\Windows\System\NqAFqiq.exe
  C:\Windows\System\NqAFqiq.exe
  2⤵
  PID:5488
- C:\Windows\System\QqDHmja.exe
  C:\Windows\System\QqDHmja.exe
  2⤵
  PID:5516
- C:\Windows\System\wLaRKKj.exe
  C:\Windows\System\wLaRKKj.exe
  2⤵
  PID:5548
- C:\Windows\System\CotikXQ.exe
  C:\Windows\System\CotikXQ.exe
  2⤵
  PID:5572
- C:\Windows\System\kaFtgCb.exe
  C:\Windows\System\kaFtgCb.exe
  2⤵
  PID:5592
- C:\Windows\System\VyhzdrB.exe
  C:\Windows\System\VyhzdrB.exe
  2⤵
  PID:5628
- C:\Windows\System\xIRUZOL.exe
  C:\Windows\System\xIRUZOL.exe
  2⤵
  PID:5660
- C:\Windows\System\mmvliUv.exe
  C:\Windows\System\mmvliUv.exe
  2⤵
  PID:5684
- C:\Windows\System\xwPlRCg.exe
  C:\Windows\System\xwPlRCg.exe
  2⤵
  PID:5712
- C:\Windows\System\zBfcwZs.exe
  C:\Windows\System\zBfcwZs.exe
  2⤵
  PID:5740
- C:\Windows\System\Kimsfzt.exe
  C:\Windows\System\Kimsfzt.exe
  2⤵
  PID:5768
- C:\Windows\System\RlGXYtp.exe
  C:\Windows\System\RlGXYtp.exe
  2⤵
  PID:5796
- C:\Windows\System\xcklKcf.exe
  C:\Windows\System\xcklKcf.exe
  2⤵
  PID:5828
- C:\Windows\System\IaWzWSp.exe
  C:\Windows\System\IaWzWSp.exe
  2⤵
  PID:5860
- C:\Windows\System\pnsiapk.exe
  C:\Windows\System\pnsiapk.exe
  2⤵
  PID:5880
- C:\Windows\System\RNvoXcc.exe
  C:\Windows\System\RNvoXcc.exe
  2⤵
  PID:5908
- C:\Windows\System\jtJjQUc.exe
  C:\Windows\System\jtJjQUc.exe
  2⤵
  PID:5940
- C:\Windows\System\OOMrJbE.exe
  C:\Windows\System\OOMrJbE.exe
  2⤵
  PID:5972
- C:\Windows\System\XfFmTgm.exe
  C:\Windows\System\XfFmTgm.exe
  2⤵
  PID:5996
- C:\Windows\System\mTnJPZm.exe
  C:\Windows\System\mTnJPZm.exe
  2⤵
  PID:6028
- C:\Windows\System\dPunSQa.exe
  C:\Windows\System\dPunSQa.exe
  2⤵
  PID:6056
- C:\Windows\System\seOnHFq.exe
  C:\Windows\System\seOnHFq.exe
  2⤵
  PID:6084
- C:\Windows\System\lmESupx.exe
  C:\Windows\System\lmESupx.exe
  2⤵
  PID:6108
- C:\Windows\System\tWHvqxU.exe
  C:\Windows\System\tWHvqxU.exe
  2⤵
  PID:6136
- C:\Windows\System\NHfFkUk.exe
  C:\Windows\System\NHfFkUk.exe
  2⤵
  PID:5180
- C:\Windows\System\iRhohtl.exe
  C:\Windows\System\iRhohtl.exe
  2⤵
  PID:5072
- C:\Windows\System\LoVERTu.exe
  C:\Windows\System\LoVERTu.exe
  2⤵
  PID:5284
- C:\Windows\System\pcIKrUb.exe
  C:\Windows\System\pcIKrUb.exe
  2⤵
  PID:5356
- C:\Windows\System\ZlVAbUC.exe
  C:\Windows\System\ZlVAbUC.exe
  2⤵
  PID:5400
- C:\Windows\System\YdpnHiO.exe
  C:\Windows\System\YdpnHiO.exe
  2⤵
  PID:5496
- C:\Windows\System\RnFveZd.exe
  C:\Windows\System\RnFveZd.exe
  2⤵
  PID:5532
- C:\Windows\System\WKyuHIf.exe
  C:\Windows\System\WKyuHIf.exe
  2⤵
  PID:1692
- C:\Windows\System\AvOuObT.exe
  C:\Windows\System\AvOuObT.exe
  2⤵
  PID:5636
- C:\Windows\System\gjDrRJX.exe
  C:\Windows\System\gjDrRJX.exe
  2⤵
  PID:5240
- C:\Windows\System\jbFcMlN.exe
  C:\Windows\System\jbFcMlN.exe
  2⤵
  PID:5724
- C:\Windows\System\vXNJQfm.exe
  C:\Windows\System\vXNJQfm.exe
  2⤵
  PID:5812
- C:\Windows\System\TcBNnUV.exe
  C:\Windows\System\TcBNnUV.exe
  2⤵
  PID:5900
- C:\Windows\System\MbpGcaE.exe
  C:\Windows\System\MbpGcaE.exe
  2⤵
  PID:6004
- C:\Windows\System\tmevuOI.exe
  C:\Windows\System\tmevuOI.exe
  2⤵
  PID:6044
- C:\Windows\System\SgSVfnK.exe
  C:\Windows\System\SgSVfnK.exe
  2⤵
  PID:6120
- C:\Windows\System\saZNbZy.exe
  C:\Windows\System\saZNbZy.exe
  2⤵
  PID:5208
- C:\Windows\System\xsUXfMd.exe
  C:\Windows\System\xsUXfMd.exe
  2⤵
  PID:5276
- C:\Windows\System\YXQCqTw.exe
  C:\Windows\System\YXQCqTw.exe
  2⤵
  PID:5464
- C:\Windows\System\mFNXbxO.exe
  C:\Windows\System\mFNXbxO.exe
  2⤵
  PID:5616
- C:\Windows\System\WkfXnqE.exe
  C:\Windows\System\WkfXnqE.exe
  2⤵
  PID:5720
- C:\Windows\System\xlradYA.exe
  C:\Windows\System\xlradYA.exe
  2⤵
  PID:2472
- C:\Windows\System\uQtHPwQ.exe
  C:\Windows\System\uQtHPwQ.exe
  2⤵
  PID:6076
- C:\Windows\System\ORmIFHN.exe
  C:\Windows\System\ORmIFHN.exe
  2⤵
  PID:5268
- C:\Windows\System\saOqcTQ.exe
  C:\Windows\System\saOqcTQ.exe
  2⤵
  PID:5564
- C:\Windows\System\rejGTJg.exe
  C:\Windows\System\rejGTJg.exe
  2⤵
  PID:5784
- C:\Windows\System\QBgCjXI.exe
  C:\Windows\System\QBgCjXI.exe
  2⤵
  PID:5364
- C:\Windows\System\LIgqYAF.exe
  C:\Windows\System\LIgqYAF.exe
  2⤵
  PID:5988
- C:\Windows\System\OQDWyeJ.exe
  C:\Windows\System\OQDWyeJ.exe
  2⤵
  PID:5504
- C:\Windows\System\oqdbKRM.exe
  C:\Windows\System\oqdbKRM.exe
  2⤵
  PID:6172
- C:\Windows\System\xsoStzJ.exe
  C:\Windows\System\xsoStzJ.exe
  2⤵
  PID:6192
- C:\Windows\System\YdleiXu.exe
  C:\Windows\System\YdleiXu.exe
  2⤵
  PID:6220
- C:\Windows\System\mfcUOKl.exe
  C:\Windows\System\mfcUOKl.exe
  2⤵
  PID:6256
- C:\Windows\System\IRgsXOF.exe
  C:\Windows\System\IRgsXOF.exe
  2⤵
  PID:6284
- C:\Windows\System\agNgIgX.exe
  C:\Windows\System\agNgIgX.exe
  2⤵
  PID:6312
- C:\Windows\System\ErcdJXJ.exe
  C:\Windows\System\ErcdJXJ.exe
  2⤵
  PID:6340
- C:\Windows\System\ZXaHJdZ.exe
  C:\Windows\System\ZXaHJdZ.exe
  2⤵
  PID:6368
- C:\Windows\System\EyqTfVp.exe
  C:\Windows\System\EyqTfVp.exe
  2⤵
  PID:6396
- C:\Windows\System\zfpTdUM.exe
  C:\Windows\System\zfpTdUM.exe
  2⤵
  PID:6428
- C:\Windows\System\yLkQeoj.exe
  C:\Windows\System\yLkQeoj.exe
  2⤵
  PID:6456
- C:\Windows\System\DnmaKiR.exe
  C:\Windows\System\DnmaKiR.exe
  2⤵
  PID:6480
- C:\Windows\System\wJcXcTc.exe
  C:\Windows\System\wJcXcTc.exe
  2⤵
  PID:6512
- C:\Windows\System\IccaWkY.exe
  C:\Windows\System\IccaWkY.exe
  2⤵
  PID:6540
- C:\Windows\System\gbhiYio.exe
  C:\Windows\System\gbhiYio.exe
  2⤵
  PID:6572
- C:\Windows\System\RWiiSwI.exe
  C:\Windows\System\RWiiSwI.exe
  2⤵
  PID:6592
- C:\Windows\System\hZBTKGv.exe
  C:\Windows\System\hZBTKGv.exe
  2⤵
  PID:6624
- C:\Windows\System\udWVrHT.exe
  C:\Windows\System\udWVrHT.exe
  2⤵
  PID:6656
- C:\Windows\System\cqcFciT.exe
  C:\Windows\System\cqcFciT.exe
  2⤵
  PID:6680
- C:\Windows\System\DOULglO.exe
  C:\Windows\System\DOULglO.exe
  2⤵
  PID:6700
- C:\Windows\System\RMoyOeq.exe
  C:\Windows\System\RMoyOeq.exe
  2⤵
  PID:6740
- C:\Windows\System\mEYZeiF.exe
  C:\Windows\System\mEYZeiF.exe
  2⤵
  PID:6760
- C:\Windows\System\kAmuCNO.exe
  C:\Windows\System\kAmuCNO.exe
  2⤵
  PID:6788
- C:\Windows\System\RnZTyGA.exe
  C:\Windows\System\RnZTyGA.exe
  2⤵
  PID:6828
- C:\Windows\System\btjWFCF.exe
  C:\Windows\System\btjWFCF.exe
  2⤵
  PID:6852
- C:\Windows\System\RJOLnMo.exe
  C:\Windows\System\RJOLnMo.exe
  2⤵
  PID:6880
- C:\Windows\System\FMFiZed.exe
  C:\Windows\System\FMFiZed.exe
  2⤵
  PID:6908
- C:\Windows\System\HEaSgtb.exe
  C:\Windows\System\HEaSgtb.exe
  2⤵
  PID:6936
- C:\Windows\System\tZVfqVL.exe
  C:\Windows\System\tZVfqVL.exe
  2⤵
  PID:6964
- C:\Windows\System\XoVyIQx.exe
  C:\Windows\System\XoVyIQx.exe
  2⤵
  PID:6992
- C:\Windows\System\dVwDsls.exe
  C:\Windows\System\dVwDsls.exe
  2⤵
  PID:7024
- C:\Windows\System\MymoDjL.exe
  C:\Windows\System\MymoDjL.exe
  2⤵
  PID:7052
- C:\Windows\System\Nygcuwv.exe
  C:\Windows\System\Nygcuwv.exe
  2⤵
  PID:7076
- C:\Windows\System\UKUTfjp.exe
  C:\Windows\System\UKUTfjp.exe
  2⤵
  PID:7104
- C:\Windows\System\Svvtrfk.exe
  C:\Windows\System\Svvtrfk.exe
  2⤵
  PID:7136
- C:\Windows\System\RjzFGPu.exe
  C:\Windows\System\RjzFGPu.exe
  2⤵
  PID:7164
- C:\Windows\System\urMSiUn.exe
  C:\Windows\System\urMSiUn.exe
  2⤵
  PID:6204
- C:\Windows\System\niAimFs.exe
  C:\Windows\System\niAimFs.exe
  2⤵
  PID:6248
- C:\Windows\System\GWcETJj.exe
  C:\Windows\System\GWcETJj.exe
  2⤵
  PID:6320
- C:\Windows\System\emzgISh.exe
  C:\Windows\System\emzgISh.exe
  2⤵
  PID:6376
- C:\Windows\System\zjrmGxY.exe
  C:\Windows\System\zjrmGxY.exe
  2⤵
  PID:6436
- C:\Windows\System\ktGsFfi.exe
  C:\Windows\System\ktGsFfi.exe
  2⤵
  PID:6496
- C:\Windows\System\SDsHpmJ.exe
  C:\Windows\System\SDsHpmJ.exe
  2⤵
  PID:6552
- C:\Windows\System\umGinHl.exe
  C:\Windows\System\umGinHl.exe
  2⤵
  PID:6616
- C:\Windows\System\AwaRPsc.exe
  C:\Windows\System\AwaRPsc.exe
  2⤵
  PID:6688
- C:\Windows\System\xpgCcZs.exe
  C:\Windows\System\xpgCcZs.exe
  2⤵
  PID:6748
- C:\Windows\System\pYycYpw.exe
  C:\Windows\System\pYycYpw.exe
  2⤵
  PID:6800
- C:\Windows\System\OVSXoyH.exe
  C:\Windows\System\OVSXoyH.exe
  2⤵
  PID:6864
- C:\Windows\System\MNcGvSC.exe
  C:\Windows\System\MNcGvSC.exe
  2⤵
  PID:6920
- C:\Windows\System\QaHlKEh.exe
  C:\Windows\System\QaHlKEh.exe
  2⤵
  PID:6976
- C:\Windows\System\PRsSAbw.exe
  C:\Windows\System\PRsSAbw.exe
  2⤵
  PID:7040
- C:\Windows\System\RVXZFyS.exe
  C:\Windows\System\RVXZFyS.exe
  2⤵
  PID:7120
- C:\Windows\System\RHYmoHY.exe
  C:\Windows\System\RHYmoHY.exe
  2⤵
  PID:6156
- C:\Windows\System\YUwjHDT.exe
  C:\Windows\System\YUwjHDT.exe
  2⤵
  PID:6296
- C:\Windows\System\uclKzqf.exe
  C:\Windows\System\uclKzqf.exe
  2⤵
  PID:6404
- C:\Windows\System\StBbPfQ.exe
  C:\Windows\System\StBbPfQ.exe
  2⤵
  PID:6560
- C:\Windows\System\SldrGDR.exe
  C:\Windows\System\SldrGDR.exe
  2⤵
  PID:6712
- C:\Windows\System\eMNOkyH.exe
  C:\Windows\System\eMNOkyH.exe
  2⤵
  PID:6824
- C:\Windows\System\GfLSYpC.exe
  C:\Windows\System\GfLSYpC.exe
  2⤵
  PID:6948
- C:\Windows\System\dYWFGYb.exe
  C:\Windows\System\dYWFGYb.exe
  2⤵
  PID:7124
- C:\Windows\System\JiVlrPJ.exe
  C:\Windows\System\JiVlrPJ.exe
  2⤵
  PID:6268
- C:\Windows\System\ebNsrVA.exe
  C:\Windows\System\ebNsrVA.exe
  2⤵
  PID:6584
- C:\Windows\System\NQXEOzS.exe
  C:\Windows\System\NQXEOzS.exe
  2⤵
  PID:6916
- C:\Windows\System\qTXThiq.exe
  C:\Windows\System\qTXThiq.exe
  2⤵
  PID:4428
- C:\Windows\System\qhyoWMN.exe
  C:\Windows\System\qhyoWMN.exe
  2⤵
  PID:7012
- C:\Windows\System\tfccsep.exe
  C:\Windows\System\tfccsep.exe
  2⤵
  PID:6464
- C:\Windows\System\fQSuaLE.exe
  C:\Windows\System\fQSuaLE.exe
  2⤵
  PID:7200
- C:\Windows\System\NDhKHDB.exe
  C:\Windows\System\NDhKHDB.exe
  2⤵
  PID:7224
- C:\Windows\System\uYLipqP.exe
  C:\Windows\System\uYLipqP.exe
  2⤵
  PID:7244
- C:\Windows\System\PpXCirx.exe
  C:\Windows\System\PpXCirx.exe
  2⤵
  PID:7280
- C:\Windows\System\mZvTwWa.exe
  C:\Windows\System\mZvTwWa.exe
  2⤵
  PID:7312
- C:\Windows\System\OCWCain.exe
  C:\Windows\System\OCWCain.exe
  2⤵
  PID:7344
- C:\Windows\System\dqNAhmk.exe
  C:\Windows\System\dqNAhmk.exe
  2⤵
  PID:7368
- C:\Windows\System\avAuRtQ.exe
  C:\Windows\System\avAuRtQ.exe
  2⤵
  PID:7392
- C:\Windows\System\irNxFCl.exe
  C:\Windows\System\irNxFCl.exe
  2⤵
  PID:7428
- C:\Windows\System\BpomZmL.exe
  C:\Windows\System\BpomZmL.exe
  2⤵
  PID:7456
- C:\Windows\System\zIdxaRM.exe
  C:\Windows\System\zIdxaRM.exe
  2⤵
  PID:7488
- C:\Windows\System\IcwtumA.exe
  C:\Windows\System\IcwtumA.exe
  2⤵
  PID:7516
- C:\Windows\System\KKUAlIt.exe
  C:\Windows\System\KKUAlIt.exe
  2⤵
  PID:7544
- C:\Windows\System\NTmRJoD.exe
  C:\Windows\System\NTmRJoD.exe
  2⤵
  PID:7572
- C:\Windows\System\VPuzeGJ.exe
  C:\Windows\System\VPuzeGJ.exe
  2⤵
  PID:7600
- C:\Windows\System\WGSHfKR.exe
  C:\Windows\System\WGSHfKR.exe
  2⤵
  PID:7624
- C:\Windows\System\TlLoNHf.exe
  C:\Windows\System\TlLoNHf.exe
  2⤵
  PID:7656
- C:\Windows\System\iKmtCAI.exe
  C:\Windows\System\iKmtCAI.exe
  2⤵
  PID:7688
- C:\Windows\System\zXQOcuy.exe
  C:\Windows\System\zXQOcuy.exe
  2⤵
  PID:7712
- C:\Windows\System\SwypAms.exe
  C:\Windows\System\SwypAms.exe
  2⤵
  PID:7744
- C:\Windows\System\NDaxqkQ.exe
  C:\Windows\System\NDaxqkQ.exe
  2⤵
  PID:7776
- C:\Windows\System\AjxHKeX.exe
  C:\Windows\System\AjxHKeX.exe
  2⤵
  PID:7796
- C:\Windows\System\XuCNavM.exe
  C:\Windows\System\XuCNavM.exe
  2⤵
  PID:7824
- C:\Windows\System\dnyRkly.exe
  C:\Windows\System\dnyRkly.exe
  2⤵
  PID:7852
- C:\Windows\System\uYQYebG.exe
  C:\Windows\System\uYQYebG.exe
  2⤵
  PID:7880
- C:\Windows\System\YxCNmyO.exe
  C:\Windows\System\YxCNmyO.exe
  2⤵
  PID:7908
- C:\Windows\System\bPFtfKf.exe
  C:\Windows\System\bPFtfKf.exe
  2⤵
  PID:7936
- C:\Windows\System\DnzKEYT.exe
  C:\Windows\System\DnzKEYT.exe
  2⤵
  PID:7964
- C:\Windows\System\PiqXOGT.exe
  C:\Windows\System\PiqXOGT.exe
  2⤵
  PID:7996
- C:\Windows\System\eaZxktd.exe
  C:\Windows\System\eaZxktd.exe
  2⤵
  PID:8028
- C:\Windows\System\vcYcDLc.exe
  C:\Windows\System\vcYcDLc.exe
  2⤵
  PID:8048
- C:\Windows\System\pVMNgcq.exe
  C:\Windows\System\pVMNgcq.exe
  2⤵
  PID:8076
- C:\Windows\System\jXphWkE.exe
  C:\Windows\System\jXphWkE.exe
  2⤵
  PID:8104
- C:\Windows\System\OUdseyP.exe
  C:\Windows\System\OUdseyP.exe
  2⤵
  PID:8132
- C:\Windows\System\CeXIiJd.exe
  C:\Windows\System\CeXIiJd.exe
  2⤵
  PID:8160
- C:\Windows\System\NOmTRYm.exe
  C:\Windows\System\NOmTRYm.exe
  2⤵
  PID:8188
- C:\Windows\System\ZIDXUZV.exe
  C:\Windows\System\ZIDXUZV.exe
  2⤵
  PID:7232
- C:\Windows\System\xwCixmW.exe
  C:\Windows\System\xwCixmW.exe
  2⤵
  PID:7292
- C:\Windows\System\brYZQAZ.exe
  C:\Windows\System\brYZQAZ.exe
  2⤵
  PID:7360
- C:\Windows\System\rrXuVPo.exe
  C:\Windows\System\rrXuVPo.exe
  2⤵
  PID:7436
- C:\Windows\System\mTTDdpr.exe
  C:\Windows\System\mTTDdpr.exe
  2⤵
  PID:7496
- C:\Windows\System\UEEJvbv.exe
  C:\Windows\System\UEEJvbv.exe
  2⤵
  PID:7556
- C:\Windows\System\KFsFFZa.exe
  C:\Windows\System\KFsFFZa.exe
  2⤵
  PID:7612
- C:\Windows\System\rFVbrNu.exe
  C:\Windows\System\rFVbrNu.exe
  2⤵
  PID:7668
- C:\Windows\System\mSvJtKk.exe
  C:\Windows\System\mSvJtKk.exe
  2⤵
  PID:7740
- C:\Windows\System\LdDuVfT.exe
  C:\Windows\System\LdDuVfT.exe
  2⤵
  PID:7792
- C:\Windows\System\xychsug.exe
  C:\Windows\System\xychsug.exe
  2⤵
  PID:7864
- C:\Windows\System\JzYEAwH.exe
  C:\Windows\System\JzYEAwH.exe
  2⤵
  PID:7920
- C:\Windows\System\IkkPMvS.exe
  C:\Windows\System\IkkPMvS.exe
  2⤵
  PID:7984
- C:\Windows\System\yuKwyzW.exe
  C:\Windows\System\yuKwyzW.exe
  2⤵
  PID:8044
- C:\Windows\System\AjQqpvg.exe
  C:\Windows\System\AjQqpvg.exe
  2⤵
  PID:8116
- C:\Windows\System\IzCrWfm.exe
  C:\Windows\System\IzCrWfm.exe
  2⤵
  PID:8180
- C:\Windows\System\xDFiFGz.exe
  C:\Windows\System\xDFiFGz.exe
  2⤵
  PID:7324
- C:\Windows\System\EDTZjax.exe
  C:\Windows\System\EDTZjax.exe
  2⤵
  PID:7468
- C:\Windows\System\MjFIPWX.exe
  C:\Windows\System\MjFIPWX.exe
  2⤵
  PID:7608
- C:\Windows\System\dUHnVOo.exe
  C:\Windows\System\dUHnVOo.exe
  2⤵
  PID:7756
- C:\Windows\System\sbRUymq.exe
  C:\Windows\System\sbRUymq.exe
  2⤵
  PID:7844
- C:\Windows\System\uskvBxl.exe
  C:\Windows\System\uskvBxl.exe
  2⤵
  PID:7976
- C:\Windows\System\GzUhlmU.exe
  C:\Windows\System\GzUhlmU.exe
  2⤵
  PID:8144
- C:\Windows\System\hrotDzI.exe
  C:\Windows\System\hrotDzI.exe
  2⤵
  PID:7416
- C:\Windows\System\LPuSUAU.exe
  C:\Windows\System\LPuSUAU.exe
  2⤵
  PID:2436
- C:\Windows\System\RTOuYEG.exe
  C:\Windows\System\RTOuYEG.exe
  2⤵
  PID:7960
- C:\Windows\System\USQvhfd.exe
  C:\Windows\System\USQvhfd.exe
  2⤵
  PID:7352
- C:\Windows\System\AfkeUsf.exe
  C:\Windows\System\AfkeUsf.exe
  2⤵
  PID:7900
- C:\Windows\System\qVlAdjm.exe
  C:\Windows\System\qVlAdjm.exe
  2⤵
  PID:5328
- C:\Windows\System\QerPrQQ.exe
  C:\Windows\System\QerPrQQ.exe
  2⤵
  PID:7268
- C:\Windows\System\ayWRNYq.exe
  C:\Windows\System\ayWRNYq.exe
  2⤵
  PID:8216
- C:\Windows\System\pRHbuWr.exe
  C:\Windows\System\pRHbuWr.exe
  2⤵
  PID:8244
- C:\Windows\System\CvCXYvp.exe
  C:\Windows\System\CvCXYvp.exe
  2⤵
  PID:8272
- C:\Windows\System\xyunwav.exe
  C:\Windows\System\xyunwav.exe
  2⤵
  PID:8300
- C:\Windows\System\PnaQSyD.exe
  C:\Windows\System\PnaQSyD.exe
  2⤵
  PID:8328
- C:\Windows\System\bPTnSgW.exe
  C:\Windows\System\bPTnSgW.exe
  2⤵
  PID:8356
- C:\Windows\System\qabtvFL.exe
  C:\Windows\System\qabtvFL.exe
  2⤵
  PID:8384
- C:\Windows\System\DCVNObg.exe
  C:\Windows\System\DCVNObg.exe
  2⤵
  PID:8412
- C:\Windows\System\tzFnQpy.exe
  C:\Windows\System\tzFnQpy.exe
  2⤵
  PID:8440
- C:\Windows\System\xtOYMdA.exe
  C:\Windows\System\xtOYMdA.exe
  2⤵
  PID:8468
- C:\Windows\System\KSfbibs.exe
  C:\Windows\System\KSfbibs.exe
  2⤵
  PID:8496
- C:\Windows\System\ssPAMao.exe
  C:\Windows\System\ssPAMao.exe
  2⤵
  PID:8524
- C:\Windows\System\zWZpNWT.exe
  C:\Windows\System\zWZpNWT.exe
  2⤵
  PID:8552
- C:\Windows\System\VeDHWbY.exe
  C:\Windows\System\VeDHWbY.exe
  2⤵
  PID:8580
- C:\Windows\System\TBraYpz.exe
  C:\Windows\System\TBraYpz.exe
  2⤵
  PID:8608
- C:\Windows\System\Zwayyrh.exe
  C:\Windows\System\Zwayyrh.exe
  2⤵
  PID:8636
- C:\Windows\System\jmzWcLz.exe
  C:\Windows\System\jmzWcLz.exe
  2⤵
  PID:8664
- C:\Windows\System\HiPhIWu.exe
  C:\Windows\System\HiPhIWu.exe
  2⤵
  PID:8712
- C:\Windows\System\lKWGxYA.exe
  C:\Windows\System\lKWGxYA.exe
  2⤵
  PID:8732
- C:\Windows\System\OaFfHEH.exe
  C:\Windows\System\OaFfHEH.exe
  2⤵
  PID:8756
- C:\Windows\System\zRfDdUg.exe
  C:\Windows\System\zRfDdUg.exe
  2⤵
  PID:8784
- C:\Windows\System\DtDgpJq.exe
  C:\Windows\System\DtDgpJq.exe
  2⤵
  PID:8812
- C:\Windows\System\PjdVRFG.exe
  C:\Windows\System\PjdVRFG.exe
  2⤵
  PID:8840
- C:\Windows\System\GNLzLsd.exe
  C:\Windows\System\GNLzLsd.exe
  2⤵
  PID:8868
- C:\Windows\System\zvSLdUt.exe
  C:\Windows\System\zvSLdUt.exe
  2⤵
  PID:8896
- C:\Windows\System\IsusDgl.exe
  C:\Windows\System\IsusDgl.exe
  2⤵
  PID:8924
- C:\Windows\System\IAWYEXl.exe
  C:\Windows\System\IAWYEXl.exe
  2⤵
  PID:8952
- C:\Windows\System\SWIcdId.exe
  C:\Windows\System\SWIcdId.exe
  2⤵
  PID:8980
- C:\Windows\System\VQSvfGM.exe
  C:\Windows\System\VQSvfGM.exe
  2⤵
  PID:9016
- C:\Windows\System\iFzXmul.exe
  C:\Windows\System\iFzXmul.exe
  2⤵
  PID:9036
- C:\Windows\System\NBhtoaw.exe
  C:\Windows\System\NBhtoaw.exe
  2⤵
  PID:9064
- C:\Windows\System\fwgjixY.exe
  C:\Windows\System\fwgjixY.exe
  2⤵
  PID:9092
- C:\Windows\System\LcCAcIm.exe
  C:\Windows\System\LcCAcIm.exe
  2⤵
  PID:9120
- C:\Windows\System\rVsgTTs.exe
  C:\Windows\System\rVsgTTs.exe
  2⤵
  PID:9148
- C:\Windows\System\PahrufU.exe
  C:\Windows\System\PahrufU.exe
  2⤵
  PID:9176
- C:\Windows\System\khrJPFR.exe
  C:\Windows\System\khrJPFR.exe
  2⤵
  PID:9204
- C:\Windows\System\zGReAeC.exe
  C:\Windows\System\zGReAeC.exe
  2⤵
  PID:8236
- C:\Windows\System\sFzhupk.exe
  C:\Windows\System\sFzhupk.exe
  2⤵
  PID:8296
- C:\Windows\System\egVLYfU.exe
  C:\Windows\System\egVLYfU.exe
  2⤵
  PID:8352
- C:\Windows\System\XIngicM.exe
  C:\Windows\System\XIngicM.exe
  2⤵
  PID:8424
- C:\Windows\System\zSfOYQP.exe
  C:\Windows\System\zSfOYQP.exe
  2⤵
  PID:1352
- C:\Windows\System\HIEUhRP.exe
  C:\Windows\System\HIEUhRP.exe
  2⤵
  PID:8536
- C:\Windows\System\Fjsmzgu.exe
  C:\Windows\System\Fjsmzgu.exe
  2⤵
  PID:8592
- C:\Windows\System\HOPjjGo.exe
  C:\Windows\System\HOPjjGo.exe
  2⤵
  PID:8656
- C:\Windows\System\XMWPUep.exe
  C:\Windows\System\XMWPUep.exe
  2⤵
  PID:6180
- C:\Windows\System\hsYYKSP.exe
  C:\Windows\System\hsYYKSP.exe
  2⤵
  PID:8768
- C:\Windows\System\LCNWizv.exe
  C:\Windows\System\LCNWizv.exe
  2⤵
  PID:8824
- C:\Windows\System\YVvaKgh.exe
  C:\Windows\System\YVvaKgh.exe
  2⤵
  PID:8888
- C:\Windows\System\tCTPiKa.exe
  C:\Windows\System\tCTPiKa.exe
  2⤵
  PID:8944
- C:\Windows\System\ZYtqnLM.exe
  C:\Windows\System\ZYtqnLM.exe
  2⤵
  PID:9008
- C:\Windows\System\yLQETDH.exe
  C:\Windows\System\yLQETDH.exe
  2⤵
  PID:9076
- C:\Windows\System\dcppVTJ.exe
  C:\Windows\System\dcppVTJ.exe
  2⤵
  PID:9132
- C:\Windows\System\PbazFFn.exe
  C:\Windows\System\PbazFFn.exe
  2⤵
  PID:9196
- C:\Windows\System\jEmALBn.exe
  C:\Windows\System\jEmALBn.exe
  2⤵
  PID:8708
- C:\Windows\System\tFpkPEy.exe
  C:\Windows\System\tFpkPEy.exe
  2⤵
  PID:8348
- C:\Windows\System\IWgsguI.exe
  C:\Windows\System\IWgsguI.exe
  2⤵
  PID:8480
- C:\Windows\System\atSKfgV.exe
  C:\Windows\System\atSKfgV.exe
  2⤵
  PID:8572
- C:\Windows\System\NNUNxJk.exe
  C:\Windows\System\NNUNxJk.exe
  2⤵
  PID:2360
- C:\Windows\System\DnRynnV.exe
  C:\Windows\System\DnRynnV.exe
  2⤵
  PID:8852
- C:\Windows\System\jbFNMFS.exe
  C:\Windows\System\jbFNMFS.exe
  2⤵
  PID:8972
- C:\Windows\System\HdMmamt.exe
  C:\Windows\System\HdMmamt.exe
  2⤵
  PID:9112
- C:\Windows\System\uvzlQnn.exe
  C:\Windows\System\uvzlQnn.exe
  2⤵
  PID:8264
- C:\Windows\System\ywiZGLf.exe
  C:\Windows\System\ywiZGLf.exe
  2⤵
  PID:392
- C:\Windows\System\UzTXmpb.exe
  C:\Windows\System\UzTXmpb.exe
  2⤵
  PID:5096
- C:\Windows\System\pcsekYs.exe
  C:\Windows\System\pcsekYs.exe
  2⤵
  PID:4712
- C:\Windows\System\zndSeJI.exe
  C:\Windows\System\zndSeJI.exe
  2⤵
  PID:4388
- C:\Windows\System\FOwjMiV.exe
  C:\Windows\System\FOwjMiV.exe
  2⤵
  PID:8916
- C:\Windows\System\WlKgCPF.exe
  C:\Windows\System\WlKgCPF.exe
  2⤵
  PID:8804
- C:\Windows\System\qLlXVja.exe
  C:\Windows\System\qLlXVja.exe
  2⤵
  PID:9232
- C:\Windows\System\HbdBHFt.exe
  C:\Windows\System\HbdBHFt.exe
  2⤵
  PID:9260
- C:\Windows\System\nuXsvwQ.exe
  C:\Windows\System\nuXsvwQ.exe
  2⤵
  PID:9288
- C:\Windows\System\PlnLmTt.exe
  C:\Windows\System\PlnLmTt.exe
  2⤵
  PID:9316
- C:\Windows\System\VyNCbjB.exe
  C:\Windows\System\VyNCbjB.exe
  2⤵
  PID:9344
- C:\Windows\System\DNqiNbv.exe
  C:\Windows\System\DNqiNbv.exe
  2⤵
  PID:9372
- C:\Windows\System\YCCCQRh.exe
  C:\Windows\System\YCCCQRh.exe
  2⤵
  PID:9400
- C:\Windows\System\VprBsGO.exe
  C:\Windows\System\VprBsGO.exe
  2⤵
  PID:9428
- C:\Windows\System\VgimWzw.exe
  C:\Windows\System\VgimWzw.exe
  2⤵
  PID:9456
- C:\Windows\System\GvrYbql.exe
  C:\Windows\System\GvrYbql.exe
  2⤵
  PID:9484
- C:\Windows\System\rPOHuzS.exe
  C:\Windows\System\rPOHuzS.exe
  2⤵
  PID:9516
- C:\Windows\System\ZgQRuWu.exe
  C:\Windows\System\ZgQRuWu.exe
  2⤵
  PID:9544
- C:\Windows\System\qyiIIbx.exe
  C:\Windows\System\qyiIIbx.exe
  2⤵
  PID:9572
- C:\Windows\System\kCtnDSo.exe
  C:\Windows\System\kCtnDSo.exe
  2⤵
  PID:9600
- C:\Windows\System\IaRIRXp.exe
  C:\Windows\System\IaRIRXp.exe
  2⤵
  PID:9660
- C:\Windows\System\SKZNoQB.exe
  C:\Windows\System\SKZNoQB.exe
  2⤵
  PID:9728
- C:\Windows\System\gGJwfVC.exe
  C:\Windows\System\gGJwfVC.exe
  2⤵
  PID:9792
- C:\Windows\System\EXzMkHE.exe
  C:\Windows\System\EXzMkHE.exe
  2⤵
  PID:9852
- C:\Windows\System\yYMFLPu.exe
  C:\Windows\System\yYMFLPu.exe
  2⤵
  PID:9892
- C:\Windows\System\MmFsPZf.exe
  C:\Windows\System\MmFsPZf.exe
  2⤵
  PID:9924
- C:\Windows\System\CCBzHxl.exe
  C:\Windows\System\CCBzHxl.exe
  2⤵
  PID:9956
- C:\Windows\System\qDzSMlW.exe
  C:\Windows\System\qDzSMlW.exe
  2⤵
  PID:9984
- C:\Windows\System\nBLeftY.exe
  C:\Windows\System\nBLeftY.exe
  2⤵
  PID:10012
- C:\Windows\System\NODEMmq.exe
  C:\Windows\System\NODEMmq.exe
  2⤵
  PID:10040
- C:\Windows\System\waxxKhk.exe
  C:\Windows\System\waxxKhk.exe
  2⤵
  PID:10072
- C:\Windows\System\otOPRTp.exe
  C:\Windows\System\otOPRTp.exe
  2⤵
  PID:10100
- C:\Windows\System\XFLUAJj.exe
  C:\Windows\System\XFLUAJj.exe
  2⤵
  PID:10128
- C:\Windows\System\SutwbNl.exe
  C:\Windows\System\SutwbNl.exe
  2⤵
  PID:10156
- C:\Windows\System\cOoKGBs.exe
  C:\Windows\System\cOoKGBs.exe
  2⤵
  PID:10188
- C:\Windows\System\hSlrPqN.exe
  C:\Windows\System\hSlrPqN.exe
  2⤵
  PID:10216
- C:\Windows\System\jBvgZwV.exe
  C:\Windows\System\jBvgZwV.exe
  2⤵
  PID:9224
- C:\Windows\System\hTdNaSW.exe
  C:\Windows\System\hTdNaSW.exe
  2⤵
  PID:9280
- C:\Windows\System\kChfLRH.exe
  C:\Windows\System\kChfLRH.exe
  2⤵
  PID:9340
- C:\Windows\System\fnLSgFW.exe
  C:\Windows\System\fnLSgFW.exe
  2⤵
  PID:9412
- C:\Windows\System\EcEaueh.exe
  C:\Windows\System\EcEaueh.exe
  2⤵
  PID:9480
- C:\Windows\System\HZcibQp.exe
  C:\Windows\System\HZcibQp.exe
  2⤵
  PID:9556
- C:\Windows\System\GHkATJt.exe
  C:\Windows\System\GHkATJt.exe
  2⤵
  PID:1584
- C:\Windows\System\zZsTNmg.exe
  C:\Windows\System\zZsTNmg.exe
  2⤵
  PID:3564
- C:\Windows\System\nJMchhZ.exe
  C:\Windows\System\nJMchhZ.exe
  2⤵
  PID:9704
- C:\Windows\System\uPCgpsL.exe
  C:\Windows\System\uPCgpsL.exe
  2⤵
  PID:9884
- C:\Windows\System\RVFYiDC.exe
  C:\Windows\System\RVFYiDC.exe
  2⤵
  PID:824
- C:\Windows\System\ItjRtTR.exe
  C:\Windows\System\ItjRtTR.exe
  2⤵
  PID:4460
- C:\Windows\System\ZxItzXA.exe
  C:\Windows\System\ZxItzXA.exe
  2⤵
  PID:10068
- C:\Windows\System\imprVNs.exe
  C:\Windows\System\imprVNs.exe
  2⤵
  PID:10124
- C:\Windows\System\hSaiVSp.exe
  C:\Windows\System\hSaiVSp.exe
  2⤵
  PID:4940
- C:\Windows\System\XcGsfbO.exe
  C:\Windows\System\XcGsfbO.exe
  2⤵
  PID:10228
- C:\Windows\System\WCzWdzC.exe
  C:\Windows\System\WCzWdzC.exe
  2⤵
  PID:9328
- C:\Windows\System\tezJGWp.exe
  C:\Windows\System\tezJGWp.exe
  2⤵
  PID:9476
- C:\Windows\System\eBxGPwk.exe
  C:\Windows\System\eBxGPwk.exe
  2⤵
  PID:9612
- C:\Windows\System\TwwbmWL.exe
  C:\Windows\System\TwwbmWL.exe
  2⤵
  PID:9700
- C:\Windows\System\ApSnyuO.exe
  C:\Windows\System\ApSnyuO.exe
  2⤵
  PID:3968
- C:\Windows\System\jPOxJcS.exe
  C:\Windows\System\jPOxJcS.exe
  2⤵
  PID:9996
- C:\Windows\System\YisAxTo.exe
  C:\Windows\System\YisAxTo.exe
  2⤵
  PID:3976
- C:\Windows\System\FFFgaQz.exe
  C:\Windows\System\FFFgaQz.exe
  2⤵
  PID:10168
- C:\Windows\System\dvriCcu.exe
  C:\Windows\System\dvriCcu.exe
  2⤵
  PID:9308
- C:\Windows\System\DDsOhQl.exe
  C:\Windows\System\DDsOhQl.exe
  2⤵
  PID:9632
- C:\Windows\System\mmqsSZB.exe
  C:\Windows\System\mmqsSZB.exe
  2⤵
  PID:4748
- C:\Windows\System\abtSxFg.exe
  C:\Windows\System\abtSxFg.exe
  2⤵
  PID:10152
- C:\Windows\System\bVUimPc.exe
  C:\Windows\System\bVUimPc.exe
  2⤵
  PID:9584
- C:\Windows\System\VGFyLbq.exe
  C:\Windows\System\VGFyLbq.exe
  2⤵
  PID:10140
- C:\Windows\System\rHywVGv.exe
  C:\Windows\System\rHywVGv.exe
  2⤵
  PID:9468
- C:\Windows\System\WeUJDMt.exe
  C:\Windows\System\WeUJDMt.exe
  2⤵
  PID:10256
- C:\Windows\System\HwGdYHG.exe
  C:\Windows\System\HwGdYHG.exe
  2⤵
  PID:10284
- C:\Windows\System\bBpnBrI.exe
  C:\Windows\System\bBpnBrI.exe
  2⤵
  PID:10312
- C:\Windows\System\JNJKksV.exe
  C:\Windows\System\JNJKksV.exe
  2⤵
  PID:10340
- C:\Windows\System\mIbYFtp.exe
  C:\Windows\System\mIbYFtp.exe
  2⤵
  PID:10368
- C:\Windows\System\JJtbejU.exe
  C:\Windows\System\JJtbejU.exe
  2⤵
  PID:10396
- C:\Windows\System\PafsBcy.exe
  C:\Windows\System\PafsBcy.exe
  2⤵
  PID:10424
- C:\Windows\System\vBFjPvO.exe
  C:\Windows\System\vBFjPvO.exe
  2⤵
  PID:10456
- C:\Windows\System\NLfzUlK.exe
  C:\Windows\System\NLfzUlK.exe
  2⤵
  PID:10484
- C:\Windows\System\itQvnZr.exe
  C:\Windows\System\itQvnZr.exe
  2⤵
  PID:10512
- C:\Windows\System\JiOXlAp.exe
  C:\Windows\System\JiOXlAp.exe
  2⤵
  PID:10540
- C:\Windows\System\jMMrmvI.exe
  C:\Windows\System\jMMrmvI.exe
  2⤵
  PID:10568
- C:\Windows\System\KMKZIbE.exe
  C:\Windows\System\KMKZIbE.exe
  2⤵
  PID:10596
- C:\Windows\System\EMdcmWh.exe
  C:\Windows\System\EMdcmWh.exe
  2⤵
  PID:10624
- C:\Windows\System\GzrErRq.exe
  C:\Windows\System\GzrErRq.exe
  2⤵
  PID:10652
- C:\Windows\System\TRBrgwK.exe
  C:\Windows\System\TRBrgwK.exe
  2⤵
  PID:10680
- C:\Windows\System\mdYBYXK.exe
  C:\Windows\System\mdYBYXK.exe
  2⤵
  PID:10708
- C:\Windows\System\NtoiSkY.exe
  C:\Windows\System\NtoiSkY.exe
  2⤵
  PID:10736
- C:\Windows\System\xlwsSKB.exe
  C:\Windows\System\xlwsSKB.exe
  2⤵
  PID:10764
- C:\Windows\System\BlgBoeB.exe
  C:\Windows\System\BlgBoeB.exe
  2⤵
  PID:10780
- C:\Windows\System\HVnpWbL.exe
  C:\Windows\System\HVnpWbL.exe
  2⤵
  PID:10796
- C:\Windows\System\YHQEHNS.exe
  C:\Windows\System\YHQEHNS.exe
  2⤵
  PID:10836
- C:\Windows\System\XhtcBbs.exe
  C:\Windows\System\XhtcBbs.exe
  2⤵
  PID:10876
- C:\Windows\System\LlxoOMa.exe
  C:\Windows\System\LlxoOMa.exe
  2⤵
  PID:10904
- C:\Windows\System\FcGbIFH.exe
  C:\Windows\System\FcGbIFH.exe
  2⤵
  PID:10932
- C:\Windows\System\RLvuLdc.exe
  C:\Windows\System\RLvuLdc.exe
  2⤵
  PID:10960
- C:\Windows\System\eqKezqB.exe
  C:\Windows\System\eqKezqB.exe
  2⤵
  PID:10988
- C:\Windows\System\IKVbLoU.exe
  C:\Windows\System\IKVbLoU.exe
  2⤵
  PID:11016
- C:\Windows\System\KpEpguT.exe
  C:\Windows\System\KpEpguT.exe
  2⤵
  PID:11060
- C:\Windows\System\CXCezrG.exe
  C:\Windows\System\CXCezrG.exe
  2⤵
  PID:11076
- C:\Windows\System\BiYlgkW.exe
  C:\Windows\System\BiYlgkW.exe
  2⤵
  PID:11104
- C:\Windows\System\ThKgJUU.exe
  C:\Windows\System\ThKgJUU.exe
  2⤵
  PID:11132
- C:\Windows\System\pVbdGOR.exe
  C:\Windows\System\pVbdGOR.exe
  2⤵
  PID:11160
- C:\Windows\System\OnhOAiA.exe
  C:\Windows\System\OnhOAiA.exe
  2⤵
  PID:11188
- C:\Windows\System\Mxaexog.exe
  C:\Windows\System\Mxaexog.exe
  2⤵
  PID:11216
- C:\Windows\System\ClGrssv.exe
  C:\Windows\System\ClGrssv.exe
  2⤵
  PID:11244
- C:\Windows\System\BFzXWky.exe
  C:\Windows\System\BFzXWky.exe
  2⤵
  PID:10252
- C:\Windows\System\KdgniFN.exe
  C:\Windows\System\KdgniFN.exe
  2⤵
  PID:10324
- C:\Windows\System\vFvLfhe.exe
  C:\Windows\System\vFvLfhe.exe
  2⤵
  PID:10388
- C:\Windows\System\YtmrHsx.exe
  C:\Windows\System\YtmrHsx.exe
  2⤵
  PID:10444
- C:\Windows\System\voOezmV.exe
  C:\Windows\System\voOezmV.exe
  2⤵
  PID:10508
- C:\Windows\System\oDkwAsS.exe
  C:\Windows\System\oDkwAsS.exe
  2⤵
  PID:10580
- C:\Windows\System\DYifoTE.exe
  C:\Windows\System\DYifoTE.exe
  2⤵
  PID:10644
- C:\Windows\System\goiQfny.exe
  C:\Windows\System\goiQfny.exe
  2⤵
  PID:10704
- C:\Windows\System\RejcstQ.exe
  C:\Windows\System\RejcstQ.exe
  2⤵
  PID:10760
- C:\Windows\System\MLZfXHN.exe
  C:\Windows\System\MLZfXHN.exe
  2⤵
  PID:10816
- C:\Windows\System\FeJYauS.exe
  C:\Windows\System\FeJYauS.exe
  2⤵
  PID:10896
- C:\Windows\System\IJhhvtm.exe
  C:\Windows\System\IJhhvtm.exe
  2⤵
  PID:9688
- C:\Windows\System\ldgFiIs.exe
  C:\Windows\System\ldgFiIs.exe
  2⤵
  PID:9680
- C:\Windows\System\dSuBxty.exe
  C:\Windows\System\dSuBxty.exe
  2⤵
  PID:10984
- C:\Windows\System\nMQmJfk.exe
  C:\Windows\System\nMQmJfk.exe
  2⤵
  PID:11040
- C:\Windows\System\mqOEjHY.exe
  C:\Windows\System\mqOEjHY.exe
  2⤵
  PID:11128
- C:\Windows\System\GxRPZRZ.exe
  C:\Windows\System\GxRPZRZ.exe
  2⤵
  PID:11172
- C:\Windows\System\jbVqUkq.exe
  C:\Windows\System\jbVqUkq.exe
  2⤵
  PID:11236
- C:\Windows\System\mFsUkuD.exe
  C:\Windows\System\mFsUkuD.exe
  2⤵
  PID:10308
- C:\Windows\System\gjNblpM.exe
  C:\Windows\System\gjNblpM.exe
  2⤵
  PID:10436
- C:\Windows\System\lExTFSK.exe
  C:\Windows\System\lExTFSK.exe
  2⤵
  PID:10608
- C:\Windows\System\OrRcCzm.exe
  C:\Windows\System\OrRcCzm.exe
  2⤵
  PID:10748
- C:\Windows\System\CHeAelB.exe
  C:\Windows\System\CHeAelB.exe
  2⤵
  PID:10888
- C:\Windows\System\emOdZlY.exe
  C:\Windows\System\emOdZlY.exe
  2⤵
  PID:10952
- C:\Windows\System\JLEbKlz.exe
  C:\Windows\System\JLEbKlz.exe
  2⤵
  PID:11088
- C:\Windows\System\RIEqkDA.exe
  C:\Windows\System\RIEqkDA.exe
  2⤵
  PID:11228
- C:\Windows\System\qfpMSwg.exe
  C:\Windows\System\qfpMSwg.exe
  2⤵
  PID:10504
- C:\Windows\System\HpreKTD.exe
  C:\Windows\System\HpreKTD.exe
  2⤵
  PID:10864
- C:\Windows\System\BwxzAna.exe
  C:\Windows\System\BwxzAna.exe
  2⤵
  PID:11052
- C:\Windows\System\njInKvS.exe
  C:\Windows\System\njInKvS.exe
  2⤵
  PID:10420
- C:\Windows\System\pJUyJxx.exe
  C:\Windows\System\pJUyJxx.exe
  2⤵
  PID:11200
- C:\Windows\System\VEbUgeH.exe
  C:\Windows\System\VEbUgeH.exe
  2⤵
  PID:11012
- C:\Windows\System\AgssDCQ.exe
  C:\Windows\System\AgssDCQ.exe
  2⤵
  PID:11308
- C:\Windows\System\DhVkTGR.exe
  C:\Windows\System\DhVkTGR.exe
  2⤵
  PID:11324
- C:\Windows\System\rdghWAv.exe
  C:\Windows\System\rdghWAv.exe
  2⤵
  PID:11352
- C:\Windows\System\RZQZbFF.exe
  C:\Windows\System\RZQZbFF.exe
  2⤵
  PID:11380
- C:\Windows\System\kPaTCMp.exe
  C:\Windows\System\kPaTCMp.exe
  2⤵
  PID:11408
- C:\Windows\System\qlmtieL.exe
  C:\Windows\System\qlmtieL.exe
  2⤵
  PID:11436
- C:\Windows\System\PrdSPED.exe
  C:\Windows\System\PrdSPED.exe
  2⤵
  PID:11464
- C:\Windows\System\bJsjsjQ.exe
  C:\Windows\System\bJsjsjQ.exe
  2⤵
  PID:11492
- C:\Windows\System\cpFIODU.exe
  C:\Windows\System\cpFIODU.exe
  2⤵
  PID:11520
- C:\Windows\System\izPXVMr.exe
  C:\Windows\System\izPXVMr.exe
  2⤵
  PID:11548
- C:\Windows\System\rnUiQte.exe
  C:\Windows\System\rnUiQte.exe
  2⤵
  PID:11576
- C:\Windows\System\DFAryEU.exe
  C:\Windows\System\DFAryEU.exe
  2⤵
  PID:11604
- C:\Windows\System\hJRmIHP.exe
  C:\Windows\System\hJRmIHP.exe
  2⤵
  PID:11632
- C:\Windows\System\hZWaUjZ.exe
  C:\Windows\System\hZWaUjZ.exe
  2⤵
  PID:11660
- C:\Windows\System\HZzMdSK.exe
  C:\Windows\System\HZzMdSK.exe
  2⤵
  PID:11688
- C:\Windows\System\XvWMsLz.exe
  C:\Windows\System\XvWMsLz.exe
  2⤵
  PID:11716
- C:\Windows\System\NTmHmcf.exe
  C:\Windows\System\NTmHmcf.exe
  2⤵
  PID:11744
- C:\Windows\System\soemXDt.exe
  C:\Windows\System\soemXDt.exe
  2⤵
  PID:11772
- C:\Windows\System\frfHasW.exe
  C:\Windows\System\frfHasW.exe
  2⤵
  PID:11800
- C:\Windows\System\TkomtAd.exe
  C:\Windows\System\TkomtAd.exe
  2⤵
  PID:11828
- C:\Windows\System\kIenDeE.exe
  C:\Windows\System\kIenDeE.exe
  2⤵
  PID:11856
- C:\Windows\System\mVfegbP.exe
  C:\Windows\System\mVfegbP.exe
  2⤵
  PID:11884
- C:\Windows\System\umUImIS.exe
  C:\Windows\System\umUImIS.exe
  2⤵
  PID:11912
- C:\Windows\System\AxUnXUf.exe
  C:\Windows\System\AxUnXUf.exe
  2⤵
  PID:11940
- C:\Windows\System\qRbDoDj.exe
  C:\Windows\System\qRbDoDj.exe
  2⤵
  PID:11968
- C:\Windows\System\OXXUVNk.exe
  C:\Windows\System\OXXUVNk.exe
  2⤵
  PID:11996
- C:\Windows\System\AgwJrTe.exe
  C:\Windows\System\AgwJrTe.exe
  2⤵
  PID:12024
- C:\Windows\System\McjXQit.exe
  C:\Windows\System\McjXQit.exe
  2⤵
  PID:12052
- C:\Windows\System\sCKzMdy.exe
  C:\Windows\System\sCKzMdy.exe
  2⤵
  PID:12080
- C:\Windows\System\MSOFvyw.exe
  C:\Windows\System\MSOFvyw.exe
  2⤵
  PID:12108
- C:\Windows\System\KujAZVk.exe
  C:\Windows\System\KujAZVk.exe
  2⤵
  PID:12136
- C:\Windows\System\EKdScYX.exe
  C:\Windows\System\EKdScYX.exe
  2⤵
  PID:12168
- C:\Windows\System\CwCuYUv.exe
  C:\Windows\System\CwCuYUv.exe
  2⤵
  PID:12196
- C:\Windows\System\gBSstse.exe
  C:\Windows\System\gBSstse.exe
  2⤵
  PID:12224
- C:\Windows\System\bzDXqWa.exe
  C:\Windows\System\bzDXqWa.exe
  2⤵
  PID:12252
- C:\Windows\System\lOPnkCO.exe
  C:\Windows\System\lOPnkCO.exe
  2⤵
  PID:12280
- C:\Windows\System\cNSYpDq.exe
  C:\Windows\System\cNSYpDq.exe
  2⤵
  PID:11316
- C:\Windows\System\rxcwYll.exe
  C:\Windows\System\rxcwYll.exe
  2⤵
  PID:11376
- C:\Windows\System\KRhuUou.exe
  C:\Windows\System\KRhuUou.exe
  2⤵
  PID:11448
- C:\Windows\System\bZpLzzq.exe
  C:\Windows\System\bZpLzzq.exe
  2⤵
  PID:11512
- C:\Windows\System\VXuDQBV.exe
  C:\Windows\System\VXuDQBV.exe
  2⤵
  PID:11572
- C:\Windows\System\ELbQVMl.exe
  C:\Windows\System\ELbQVMl.exe
  2⤵
  PID:11644
- C:\Windows\System\JPrYpck.exe
  C:\Windows\System\JPrYpck.exe
  2⤵
  PID:11708
- C:\Windows\System\dZbWrqZ.exe
  C:\Windows\System\dZbWrqZ.exe
  2⤵
  PID:11768
- C:\Windows\System\EgsazsV.exe
  C:\Windows\System\EgsazsV.exe
  2⤵
  PID:11820
- C:\Windows\System\SaQKopb.exe
  C:\Windows\System\SaQKopb.exe
  2⤵
  PID:11880
- C:\Windows\System\QSgREvs.exe
  C:\Windows\System\QSgREvs.exe
  2⤵
  PID:11936
- C:\Windows\System\WIMJCWE.exe
  C:\Windows\System\WIMJCWE.exe
  2⤵
  PID:12008
- C:\Windows\System\PlGYJqh.exe
  C:\Windows\System\PlGYJqh.exe
  2⤵
  PID:12072
- C:\Windows\System\vTOwESB.exe
  C:\Windows\System\vTOwESB.exe
  2⤵
  PID:12132
- C:\Windows\System\KWtrLvI.exe
  C:\Windows\System\KWtrLvI.exe
  2⤵
  PID:12208
- C:\Windows\System\oJCoUtN.exe
  C:\Windows\System\oJCoUtN.exe
  2⤵
  PID:12272
- C:\Windows\System\vASwLRQ.exe
  C:\Windows\System\vASwLRQ.exe
  2⤵
  PID:11364
- C:\Windows\System\yHfHHJX.exe
  C:\Windows\System\yHfHHJX.exe
  2⤵
  PID:11540
- C:\Windows\System\rfwqQrW.exe
  C:\Windows\System\rfwqQrW.exe
  2⤵
  PID:11684
- C:\Windows\System\PzHhOMz.exe
  C:\Windows\System\PzHhOMz.exe
  2⤵
  PID:11812
- C:\Windows\System\ybRKJLr.exe
  C:\Windows\System\ybRKJLr.exe
  2⤵
  PID:11932
- C:\Windows\System\LZSQVgV.exe
  C:\Windows\System\LZSQVgV.exe
  2⤵
  PID:3424
- C:\Windows\System\vuOaNii.exe
  C:\Windows\System\vuOaNii.exe
  2⤵
  PID:12236
- C:\Windows\System\eIlOwBR.exe
  C:\Windows\System\eIlOwBR.exe
  2⤵
  PID:1800
- C:\Windows\System\GIbcLfK.exe
  C:\Windows\System\GIbcLfK.exe
  2⤵
  PID:11672
- C:\Windows\System\CiljYsr.exe
  C:\Windows\System\CiljYsr.exe
  2⤵
  PID:11908
- C:\Windows\System\nRPXJRI.exe
  C:\Windows\System\nRPXJRI.exe
  2⤵
  PID:12192
- C:\Windows\System\iaHQsbs.exe
  C:\Windows\System\iaHQsbs.exe
  2⤵
  PID:1536
- C:\Windows\System\MYNhamH.exe
  C:\Windows\System\MYNhamH.exe
  2⤵
  PID:11756
- C:\Windows\System\OMugnJA.exe
  C:\Windows\System\OMugnJA.exe
  2⤵
  PID:12304
- C:\Windows\System\UKfkaxT.exe
  C:\Windows\System\UKfkaxT.exe
  2⤵
  PID:12332
- C:\Windows\System\NoXHASp.exe
  C:\Windows\System\NoXHASp.exe
  2⤵
  PID:12360
- C:\Windows\System\ElabfrD.exe
  C:\Windows\System\ElabfrD.exe
  2⤵
  PID:12388
- C:\Windows\System\MhntybM.exe
  C:\Windows\System\MhntybM.exe
  2⤵
  PID:12416
- C:\Windows\System\skYOhbW.exe
  C:\Windows\System\skYOhbW.exe
  2⤵
  PID:12444
- C:\Windows\System\qtNqBYg.exe
  C:\Windows\System\qtNqBYg.exe
  2⤵
  PID:12472
- C:\Windows\System\dGAUEIW.exe
  C:\Windows\System\dGAUEIW.exe
  2⤵
  PID:12500
- C:\Windows\System\sACCHeW.exe
  C:\Windows\System\sACCHeW.exe
  2⤵
  PID:12528
- C:\Windows\System\NminDIq.exe
  C:\Windows\System\NminDIq.exe
  2⤵
  PID:12556
- C:\Windows\System\hJmkHav.exe
  C:\Windows\System\hJmkHav.exe
  2⤵
  PID:12584
- C:\Windows\System\AEsWjDk.exe
  C:\Windows\System\AEsWjDk.exe
  2⤵
  PID:12612
- C:\Windows\System\ktcDaMQ.exe
  C:\Windows\System\ktcDaMQ.exe
  2⤵
  PID:12640
- C:\Windows\System\XdBhIRB.exe
  C:\Windows\System\XdBhIRB.exe
  2⤵
  PID:12668
- C:\Windows\System\SyBOmgs.exe
  C:\Windows\System\SyBOmgs.exe
  2⤵
  PID:12704
- C:\Windows\System\mGVXeda.exe
  C:\Windows\System\mGVXeda.exe
  2⤵
  PID:12724
- C:\Windows\System\kEJjEZc.exe
  C:\Windows\System\kEJjEZc.exe
  2⤵
  PID:12752
- C:\Windows\System\jPOpiuP.exe
  C:\Windows\System\jPOpiuP.exe
  2⤵
  PID:12780
- C:\Windows\System\SUvBiTB.exe
  C:\Windows\System\SUvBiTB.exe
  2⤵
  PID:12808
- C:\Windows\System\HlAWMDQ.exe
  C:\Windows\System\HlAWMDQ.exe
  2⤵
  PID:12836
- C:\Windows\System\JbCUBAe.exe
  C:\Windows\System\JbCUBAe.exe
  2⤵
  PID:12864
- C:\Windows\System\JmZXSwZ.exe
  C:\Windows\System\JmZXSwZ.exe
  2⤵
  PID:12892
- C:\Windows\System\pZgLCzO.exe
  C:\Windows\System\pZgLCzO.exe
  2⤵
  PID:12920
- C:\Windows\System\NdYyEig.exe
  C:\Windows\System\NdYyEig.exe
  2⤵
  PID:12948
- C:\Windows\System\fSpgFcu.exe
  C:\Windows\System\fSpgFcu.exe
  2⤵
  PID:12976
- C:\Windows\System\kEGAUvO.exe
  C:\Windows\System\kEGAUvO.exe
  2⤵
  PID:13016
- C:\Windows\System\YzkAwFM.exe
  C:\Windows\System\YzkAwFM.exe
  2⤵
  PID:13032
- C:\Windows\System\lVYIEty.exe
  C:\Windows\System\lVYIEty.exe
  2⤵
  PID:13060
- C:\Windows\System\IZPtody.exe
  C:\Windows\System\IZPtody.exe
  2⤵
  PID:13088
- C:\Windows\System\rsvzRAN.exe
  C:\Windows\System\rsvzRAN.exe
  2⤵
  PID:13120
- C:\Windows\System\HFRBPnb.exe
  C:\Windows\System\HFRBPnb.exe
  2⤵
  PID:13148
- C:\Windows\System\BCJGErt.exe
  C:\Windows\System\BCJGErt.exe
  2⤵
  PID:13176
- C:\Windows\System\MHScCQF.exe
  C:\Windows\System\MHScCQF.exe
  2⤵
  PID:13212
- C:\Windows\System\RwJSDTO.exe
  C:\Windows\System\RwJSDTO.exe
  2⤵
  PID:13252
- C:\Windows\System\IQcRFZJ.exe
  C:\Windows\System\IQcRFZJ.exe
  2⤵
  PID:13268
- C:\Windows\System\aATpkse.exe
  C:\Windows\System\aATpkse.exe
  2⤵
  PID:13296
- C:\Windows\System\tbDiQQN.exe
  C:\Windows\System\tbDiQQN.exe
  2⤵
  PID:12316
- C:\Windows\System\pbrfIYm.exe
  C:\Windows\System\pbrfIYm.exe
  2⤵
  PID:12380
- C:\Windows\System\kcZChoO.exe
  C:\Windows\System\kcZChoO.exe
  2⤵
  PID:12440
- C:\Windows\System\DsgwNYI.exe
  C:\Windows\System\DsgwNYI.exe
  2⤵
  PID:12512
- C:\Windows\System\FhDEyQd.exe
  C:\Windows\System\FhDEyQd.exe
  2⤵
  PID:12576
- C:\Windows\System\NDeeMyC.exe
  C:\Windows\System\NDeeMyC.exe
  2⤵
  PID:12636
- C:\Windows\System\hVJQbJC.exe
  C:\Windows\System\hVJQbJC.exe
  2⤵
  PID:12712
- C:\Windows\System\IqWlLxe.exe
  C:\Windows\System\IqWlLxe.exe
  2⤵
  PID:12772
- C:\Windows\System\eBmzJLu.exe
  C:\Windows\System\eBmzJLu.exe
  2⤵
  PID:12832
- C:\Windows\System\rYBgjkq.exe
  C:\Windows\System\rYBgjkq.exe
  2⤵
  PID:12888
- C:\Windows\System\nlohbtb.exe
  C:\Windows\System\nlohbtb.exe
  2⤵
  PID:12960
- C:\Windows\System\XqbKpVe.exe
  C:\Windows\System\XqbKpVe.exe
  2⤵
  PID:13024
- C:\Windows\System\rCQMPRr.exe
  C:\Windows\System\rCQMPRr.exe
  2⤵
  PID:13084
- C:\Windows\System\DdrVTNp.exe
  C:\Windows\System\DdrVTNp.exe
  2⤵
  PID:13188
- C:\Windows\System\eyTCdbN.exe
  C:\Windows\System\eyTCdbN.exe
  2⤵
  PID:13232
- C:\Windows\System\hnUtzwy.exe
  C:\Windows\System\hnUtzwy.exe
  2⤵
  PID:13236
- C:\Windows\System\tTcXgBV.exe
  C:\Windows\System\tTcXgBV.exe
  2⤵
  PID:13308
- C:\Windows\System\jbxmWJZ.exe
  C:\Windows\System\jbxmWJZ.exe
  2⤵
  PID:12436
- C:\Windows\System\kTugSga.exe
  C:\Windows\System\kTugSga.exe
  2⤵
  PID:12604
- C:\Windows\System\qLHyLPl.exe
  C:\Windows\System\qLHyLPl.exe
  2⤵
  PID:12736
- C:\Windows\System\BBBylAR.exe
  C:\Windows\System\BBBylAR.exe
  2⤵
  PID:12860
- C:\Windows\System\SbsuyLM.exe
  C:\Windows\System\SbsuyLM.exe
  2⤵
  PID:12988
- C:\Windows\System\QXlvuul.exe
  C:\Windows\System\QXlvuul.exe
  2⤵
  PID:13140
- C:\Windows\System\SKnFEuF.exe
  C:\Windows\System\SKnFEuF.exe
  2⤵
  PID:1224
- C:\Windows\System\IkCYGgZ.exe
  C:\Windows\System\IkCYGgZ.exe
  2⤵
  PID:12496
- C:\Windows\System\rtJxang.exe
  C:\Windows\System\rtJxang.exe
  2⤵
  PID:12820
- C:\Windows\System\bWUseoW.exe
  C:\Windows\System\bWUseoW.exe
  2⤵
  PID:13116
- C:\Windows\System\KtyXuDR.exe
  C:\Windows\System\KtyXuDR.exe
  2⤵
  PID:12632
- C:\Windows\System\JBgoeMg.exe
  C:\Windows\System\JBgoeMg.exe
  2⤵
  PID:2320
- C:\Windows\System\OREXNyT.exe
  C:\Windows\System\OREXNyT.exe
  2⤵
  PID:13080
- C:\Windows\System\bwVLyYa.exe
  C:\Windows\System\bwVLyYa.exe
  2⤵
  PID:13336
- C:\Windows\System\IdUBKOl.exe
  C:\Windows\System\IdUBKOl.exe
  2⤵
  PID:13364
- C:\Windows\System\RVcdKZU.exe
  C:\Windows\System\RVcdKZU.exe
  2⤵
  PID:13392
- C:\Windows\System\cdmMvzy.exe
  C:\Windows\System\cdmMvzy.exe
  2⤵
  PID:13420
- C:\Windows\System\LwdsJUo.exe
  C:\Windows\System\LwdsJUo.exe
  2⤵
  PID:13448
- C:\Windows\System\FQnyPgZ.exe
  C:\Windows\System\FQnyPgZ.exe
  2⤵
  PID:13476
- C:\Windows\System\DvSHzdv.exe
  C:\Windows\System\DvSHzdv.exe
  2⤵
  PID:13504
- C:\Windows\System\cHqgMAS.exe
  C:\Windows\System\cHqgMAS.exe
  2⤵
  PID:13532
- C:\Windows\System\vpoTiiE.exe
  C:\Windows\System\vpoTiiE.exe
  2⤵
  PID:13560
- C:\Windows\System\kcBNUkJ.exe
  C:\Windows\System\kcBNUkJ.exe
  2⤵
  PID:13588
- C:\Windows\System\BwaixvM.exe
  C:\Windows\System\BwaixvM.exe
  2⤵
  PID:13616
- C:\Windows\System\ixPjsaO.exe
  C:\Windows\System\ixPjsaO.exe
  2⤵
  PID:13644
- C:\Windows\System\lMpEyFJ.exe
  C:\Windows\System\lMpEyFJ.exe
  2⤵
  PID:13672
- C:\Windows\System\BwwkrvB.exe
  C:\Windows\System\BwwkrvB.exe
  2⤵
  PID:13700
- C:\Windows\System\lVWflMm.exe
  C:\Windows\System\lVWflMm.exe
  2⤵
  PID:13732
- C:\Windows\System\kITbMQT.exe
  C:\Windows\System\kITbMQT.exe
  2⤵
  PID:13760
- C:\Windows\System\DMxpeoH.exe
  C:\Windows\System\DMxpeoH.exe
  2⤵
  PID:13788
- C:\Windows\System\LpfoUYA.exe
  C:\Windows\System\LpfoUYA.exe
  2⤵
  PID:13820
- C:\Windows\System\TBlWOPY.exe
  C:\Windows\System\TBlWOPY.exe
  2⤵
  PID:13848
- C:\Windows\System\afLsDKF.exe
  C:\Windows\System\afLsDKF.exe
  2⤵
  PID:13876
- C:\Windows\System\LoZtTPw.exe
  C:\Windows\System\LoZtTPw.exe
  2⤵
  PID:13904
- C:\Windows\System\CKqLSjT.exe
  C:\Windows\System\CKqLSjT.exe
  2⤵
  PID:13932
- C:\Windows\System\EWNAgus.exe
  C:\Windows\System\EWNAgus.exe
  2⤵
  PID:13960
- C:\Windows\System\ZCNGFzR.exe
  C:\Windows\System\ZCNGFzR.exe
  2⤵
  PID:13988
- C:\Windows\System\LWNNVHx.exe
  C:\Windows\System\LWNNVHx.exe
  2⤵
  PID:14020
- C:\Windows\System\mKPwzsF.exe
  C:\Windows\System\mKPwzsF.exe
  2⤵
  PID:14048
- C:\Windows\System\fksHlat.exe
  C:\Windows\System\fksHlat.exe
  2⤵
  PID:14076
- C:\Windows\System\jrDQLRE.exe
  C:\Windows\System\jrDQLRE.exe
  2⤵
  PID:14104
- C:\Windows\System\KaPCIWi.exe
  C:\Windows\System\KaPCIWi.exe
  2⤵
  PID:14132
- C:\Windows\System\jVMOQTW.exe
  C:\Windows\System\jVMOQTW.exe
  2⤵
  PID:14160
- C:\Windows\System\LPQzyvB.exe
  C:\Windows\System\LPQzyvB.exe
  2⤵
  PID:14188
- C:\Windows\System\fyAsHAZ.exe
  C:\Windows\System\fyAsHAZ.exe
  2⤵
  PID:14216
- C:\Windows\System\WVAvnPJ.exe
  C:\Windows\System\WVAvnPJ.exe
  2⤵
  PID:14244
- C:\Windows\System\QVytnYS.exe
  C:\Windows\System\QVytnYS.exe
  2⤵
  PID:14276
- C:\Windows\System\FJOxRtL.exe
  C:\Windows\System\FJOxRtL.exe
  2⤵
  PID:14304
- C:\Windows\System\CQyhtOz.exe
  C:\Windows\System\CQyhtOz.exe
  2⤵
  PID:2668
- C:\Windows\System\MhDjqFt.exe
  C:\Windows\System\MhDjqFt.exe
  2⤵
  PID:13376
- C:\Windows\System\IyPqmto.exe
  C:\Windows\System\IyPqmto.exe
  2⤵
  PID:13440
- C:\Windows\System\mRMDChd.exe
  C:\Windows\System\mRMDChd.exe
  2⤵
  PID:13500
- C:\Windows\System\WRDkhvf.exe
  C:\Windows\System\WRDkhvf.exe
  2⤵
  PID:13572
- C:\Windows\System\XliOsuf.exe
  C:\Windows\System\XliOsuf.exe
  2⤵
  PID:13628
- C:\Windows\System\ISdcSlO.exe
  C:\Windows\System\ISdcSlO.exe
  2⤵
  PID:13668
- C:\Windows\System\VVQiOPT.exe
  C:\Windows\System\VVQiOPT.exe
  2⤵
  PID:1612
- C:\Windows\System\OqlFMwF.exe
  C:\Windows\System\OqlFMwF.exe
  2⤵
  PID:13728
- C:\Windows\System\hXxorlW.exe
  C:\Windows\System\hXxorlW.exe
  2⤵
  PID:13800
- C:\Windows\System\GiIJqCB.exe
  C:\Windows\System\GiIJqCB.exe
  2⤵
  PID:13868
- C:\Windows\System\gacYxDF.exe
  C:\Windows\System\gacYxDF.exe
  2⤵
  PID:13944
- C:\Windows\System\QOviDbi.exe
  C:\Windows\System\QOviDbi.exe
  2⤵
  PID:3196
- C:\Windows\System\eAXAaHO.exe
  C:\Windows\System\eAXAaHO.exe
  2⤵
  PID:14016
- C:\Windows\System\XjJJHrU.exe
  C:\Windows\System\XjJJHrU.exe
  2⤵
  PID:14096
- C:\Windows\System\OvZYuqC.exe
  C:\Windows\System\OvZYuqC.exe
  2⤵
  PID:14156
- C:\Windows\System\KUywRAu.exe
  C:\Windows\System\KUywRAu.exe
  2⤵
  PID:14208
- C:\Windows\System\acieBUs.exe
  C:\Windows\System\acieBUs.exe
  2⤵
  PID:3396
- C:\Windows\System\NcQvbxV.exe
  C:\Windows\System\NcQvbxV.exe
  2⤵
  PID:14320
- C:\Windows\System\RymvrFc.exe
  C:\Windows\System\RymvrFc.exe
  2⤵
  PID:13488
- C:\Windows\System\puFOFtt.exe
  C:\Windows\System\puFOFtt.exe
  2⤵
  PID:13612
- C:\Windows\System\EqWmJgz.exe
  C:\Windows\System\EqWmJgz.exe
  2⤵
  PID:5100
- C:\Windows\System\kzJMVal.exe
  C:\Windows\System\kzJMVal.exe
  2⤵
  PID:1096
- C:\Windows\System\QXKeyuq.exe
  C:\Windows\System\QXKeyuq.exe
  2⤵
  PID:9764
- C:\Windows\System\CVfELLe.exe
  C:\Windows\System\CVfELLe.exe
  2⤵
  PID:1092
- C:\Windows\System\gpHHuWv.exe
  C:\Windows\System\gpHHuWv.exe
  2⤵
  PID:4628
- C:\Windows\System\bCWXWjM.exe
  C:\Windows\System\bCWXWjM.exe
  2⤵
  PID:14072
- C:\Windows\System\aksPPIX.exe
  C:\Windows\System\aksPPIX.exe
  2⤵
  PID:14172
- C:\Windows\System\oLaZSHy.exe
  C:\Windows\System\oLaZSHy.exe
  2⤵
  PID:4656
- C:\Windows\System\lcUEMVa.exe
  C:\Windows\System\lcUEMVa.exe
  2⤵
  PID:13356
- C:\Windows\System\cDoHkRn.exe
  C:\Windows\System\cDoHkRn.exe
  2⤵
  PID:1564
- C:\Windows\System\pCFrjxw.exe
  C:\Windows\System\pCFrjxw.exe
  2⤵
  PID:184
- C:\Windows\System\GPsaCWp.exe
  C:\Windows\System\GPsaCWp.exe
  2⤵
  PID:812
- C:\Windows\System\EUVtHhn.exe
  C:\Windows\System\EUVtHhn.exe
  2⤵
  PID:14236
- C:\Windows\System\PlFommW.exe
  C:\Windows\System\PlFommW.exe
  2⤵
  PID:13664
- C:\Windows\System\yMMkuMp.exe
  C:\Windows\System\yMMkuMp.exe
  2⤵
  PID:14312
- C:\Windows\System\riwrQoZ.exe
  C:\Windows\System\riwrQoZ.exe
  2⤵
  PID:1684
- C:\Windows\System\udJCVNv.exe
  C:\Windows\System\udJCVNv.exe
  2⤵
  PID:9752
- C:\Windows\System\NXHPoBx.exe
  C:\Windows\System\NXHPoBx.exe
  2⤵
  PID:4448
- C:\Windows\System\dBclYAF.exe
  C:\Windows\System\dBclYAF.exe
  2⤵
  PID:13840
- C:\Windows\System\zaBaFIE.exe
  C:\Windows\System\zaBaFIE.exe
  2⤵
  PID:14372
- C:\Windows\System\psItOrq.exe
  C:\Windows\System\psItOrq.exe
  2⤵
  PID:14400
- C:\Windows\System\TXadcXD.exe
  C:\Windows\System\TXadcXD.exe
  2⤵
  PID:14428
- C:\Windows\System\CFJDAGo.exe
  C:\Windows\System\CFJDAGo.exe
  2⤵
  PID:14456
- C:\Windows\System\KkmDlGc.exe
  C:\Windows\System\KkmDlGc.exe
  2⤵
  PID:14484
- C:\Windows\System\zoDvsQb.exe
  C:\Windows\System\zoDvsQb.exe
  2⤵
  PID:14512
- C:\Windows\System\EnoKnFz.exe
  C:\Windows\System\EnoKnFz.exe
  2⤵
  PID:14544
- C:\Windows\System\DoTCsTL.exe
  C:\Windows\System\DoTCsTL.exe
  2⤵
  PID:14572
- C:\Windows\System\uHwWUKu.exe
  C:\Windows\System\uHwWUKu.exe
  2⤵
  PID:14604
- C:\Windows\System\Rdlzbjy.exe
  C:\Windows\System\Rdlzbjy.exe
  2⤵
  PID:14632
- C:\Windows\System\uWTgPKX.exe
  C:\Windows\System\uWTgPKX.exe
  2⤵
  PID:14664
- C:\Windows\System\ttnOCJt.exe
  C:\Windows\System\ttnOCJt.exe
  2⤵
  PID:14700
- C:\Windows\System\GPuPkHk.exe
  C:\Windows\System\GPuPkHk.exe
  2⤵
  PID:14728
- C:\Windows\System\ddlcuej.exe
  C:\Windows\System\ddlcuej.exe
  2⤵
  PID:14756
- C:\Windows\System\kdPTJUA.exe
  C:\Windows\System\kdPTJUA.exe
  2⤵
  PID:14784
- C:\Windows\System\IXEGGcW.exe
  C:\Windows\System\IXEGGcW.exe
  2⤵
  PID:14812
- C:\Windows\System\lZbBkFR.exe
  C:\Windows\System\lZbBkFR.exe
  2⤵
  PID:14840
- C:\Windows\System\KCPHwyt.exe
  C:\Windows\System\KCPHwyt.exe
  2⤵
  PID:14868
- C:\Windows\System\QMWsMSg.exe
  C:\Windows\System\QMWsMSg.exe
  2⤵
  PID:14896
- C:\Windows\System\QBPKBXU.exe
  C:\Windows\System\QBPKBXU.exe
  2⤵
  PID:14924
- C:\Windows\System\qTVVZhk.exe
  C:\Windows\System\qTVVZhk.exe
  2⤵
  PID:14952
- C:\Windows\System\XbgDqLj.exe
  C:\Windows\System\XbgDqLj.exe
  2⤵
  PID:14992
- C:\Windows\System\oUKQQiZ.exe
  C:\Windows\System\oUKQQiZ.exe
  2⤵
  PID:15020
- C:\Windows\System\QjRpaUr.exe
  C:\Windows\System\QjRpaUr.exe
  2⤵
  PID:15048
- C:\Windows\System\GyTkvBW.exe
  C:\Windows\System\GyTkvBW.exe
  2⤵
  PID:15076
- C:\Windows\System\eoPAWGM.exe
  C:\Windows\System\eoPAWGM.exe
  2⤵
  PID:15096
- C:\Windows\System\IjZUAke.exe
  C:\Windows\System\IjZUAke.exe
  2⤵
  PID:15132
- C:\Windows\System\gvjycOA.exe
  C:\Windows\System\gvjycOA.exe
  2⤵
  PID:15160

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BhKLOHf.exe

Filesize
6.0MB

MD5
23b3c3672b2e0ef3dd96c56369d85824

SHA1
30efb2d8aae12b0fe23df72cda29ca4c090c9154

SHA256
193f8f1869bb6cd9ad0218ba40740b91a5ce691a6d6f7b8bdc4ddfe78dbcac7f

SHA512
06be376ea0c7d8b62f879d596694b1670ec2f01d3dc6e7e7c917ac10467cb7d4184f5e81dd814352290dc64e1cdd32819ac1eee15683d4cd5f6b650501b061ca

Download Submit
C:\Windows\System\CUxXYzq.exe

Filesize
6.0MB

MD5
f596cb76e626ca7f745305824ab0377d

SHA1
1c729da34d054ed4d677e89d68b389fc7905dbfc

SHA256
aac74dacc53eef2e4bf462444c7bcba73aadebe58f9b63357f3f923fbf3501d1

SHA512
deff0f6cc0894653e433d4875eb50417ae898118d6f2893ba0648afd431ef09699a4de48ca9c3d00faf69f9a4cbb20814c8c53531b98325bc8529d7b323c3d3f

Download Submit
C:\Windows\System\DeVsJTQ.exe

Filesize
6.0MB

MD5
e09d89d3751948866d4993c1b371dfe2

SHA1
9b92db723e17545c517cf7aef6325b4d0c86c821

SHA256
02124bb3debf615926bf5adfe68c9a398bd51350f7aeb6243a7001bfa14e9d67

SHA512
29e567885fd588879c44c85e4b5df286dcc0b936ebac50752d8b5784cfe05530b51c722df370bbb5b687cf266bbf74577ab8ac477b9a01a4a2d880cf443b607a

Download Submit
C:\Windows\System\GgdEoQk.exe

Filesize
6.0MB

MD5
6a187f21f192b31314bf116d242afe4d

SHA1
75e58ed703e71522af868f6a8e6cbb5d474db683

SHA256
f76ba64cf607c2088495251d3fd8393434a036bab084229a003b5226f5d361e1

SHA512
1a490245c1e8ed1f3eed910c2cd7f0c93c71ac1c847384081efe4e92fedd24a79a4aaa54fd280ef0890f5293be1ea3ae4776588c1360c799315abcdf5c736fc5

Download Submit
C:\Windows\System\IBHfiJr.exe

Filesize
6.0MB

MD5
64992d0d39c240f02239635254784cc0

SHA1
bdb8b2ef9bedb643b64b1b25a7391f37d7e322c0

SHA256
3a846a9e3a3459903059a496869bf44106a9e568a8eca071fea30268c34000a5

SHA512
dd621c6f4b7d078df63559da6033a2e828d741f8a4f92413ea1b45ea20a29066d8457f6300b75b2e79bc637756bea2629828e40576a718ace7e144aabcdb090b

Download Submit
C:\Windows\System\ImLJjYp.exe

Filesize
6.0MB

MD5
a7366a047589d31a8d0f6cae77895469

SHA1
879eb462ca7e74221cfa63291c1443a7539afe88

SHA256
4043963ab26831e208910df84ca9b0ccad019349f4c9e24e5ab7383f751b6d19

SHA512
eddfec5a71f882792d30fe834d6b0ab12f67b2b4d47acf78e26bd98ccae707902c8cc0e8a33c30a59d474f5a1de8c9f6fa1a69f323168ca671e68ef882009618

Download Submit
C:\Windows\System\IpxGQxu.exe

Filesize
6.0MB

MD5
f2d9f11114b9ae6d7b10d26ffb4475ea

SHA1
256628ecfd768564279ff37f7a2e10130fc61b8e

SHA256
236f146832ee7c123beef9a965e31f5b2e5fe26ccb7b55942ea873c8423207df

SHA512
829808d78ac1d8c2a2e129b80889659fa996b5f49e2f5433276c0459d08c0f8329f86fa4b0c9cfa94554a7fcdc6bf0ab50ab778b690a9624483950f8ca7b5071

Download Submit
C:\Windows\System\KJyieAa.exe

Filesize
6.0MB

MD5
766475c8c339ec13933615f8cc2be1a6

SHA1
27fdb7204b2f356e3dbf9c2ea7f570e29fced8be

SHA256
26847390bc421d8ef7c7d1f4e98296c802236aba6834691d33f5b8e70f8614ce

SHA512
0faab964e8e4d457185eb8f5fc370005791aefc6c6121d24aa14b00e90a8eab663fd7d912bdf685c7bfa986d3939acd12403f69cd915ed5e66223d9c23a04412

Download Submit
C:\Windows\System\OsheCkt.exe

Filesize
6.0MB

MD5
13b553ac3bc582575a629c45c20ae0cd

SHA1
98b7906b4bd20517919c6f5b905c7408c1179f45

SHA256
8265a68fb99f0f825cc11da7ce7e44055bbf31267bc8e5645424e1096bc5a35a

SHA512
0d5a112d7cd812b5916fa252afb85c1235409a357c0ad7c024d0b53348cafc950435ae1a073957d10fed17d3faa85fbf3e65affcb31e054e32b0f0f9cc5b6299

Download Submit
C:\Windows\System\PAjLkwQ.exe

Filesize
6.0MB

MD5
13c7d7bd76d2c76dddea8d3bc8ac6806

SHA1
c257e4b2324cd3e6beec315f6e3aaa7d070bac4c

SHA256
c7f0315e15fd93d2e198f99333b797f02246fff12c8c74fb46cb1bd86524a57f

SHA512
326e5f057eff5c73ddfd654b2c6993ed5614368da315e1ae0bd3e0904e12bca67678c9fc510b54cf5fe03966b44180b38ccd410ba269b3c77c80d563ebd5c28a

Download Submit
C:\Windows\System\PjHMNsZ.exe

Filesize
6.0MB

MD5
f0a557cc02fcec85fb38833065b968be

SHA1
33ab01f97743c9b80e29b86d8151a0d12a9dc011

SHA256
e7ae37b5cdeed765e533914c8fe6d1829d898be5a019dea3ef13375104f0a5de

SHA512
783fea1c6b4cce641741c1718997741c05ac169c8cf202189eead6befa58f25214573d7c0ebe556868b2c3601091c05d133a3bb87488e7a4be7da588948d876f

Download Submit
C:\Windows\System\QpogxuJ.exe

Filesize
6.0MB

MD5
0ca60b9915f5aad3146b957fb7b030c8

SHA1
07084a9a5756bccc3664aebd20defca6e51d2c51

SHA256
f0d912255a4c10334000e0a03115d5c7285650293a6c99b5e0ee3dbdbf260951

SHA512
bf85934bf0e43adbf66b0eca6a0eaba25072a7fc9acaa93a54f6f640f22b37058613e367c4be513e8e830bee426f06de3d0e28688778a6a9380fb7c8fee3b4f0

Download Submit
C:\Windows\System\SoUjfpB.exe

Filesize
6.0MB

MD5
6e3219e90beda7fa0922d469e484909d

SHA1
68daa26aad8e2285a7d42e5998e8977ba1b5d30e

SHA256
0e197923f0103f3e8eb0107e6e04a81dbe55a6d3c3daaa0f1b9527f92414fc7d

SHA512
2adfb8865060e55930375232489129349958974d558411317a28083cbceb96f6127bf7c8f564797ee281e5df2d57e3210513944d4a23b8eab0a7bc614b490267

Download Submit
C:\Windows\System\ToPmMRR.exe

Filesize
6.0MB

MD5
52e8bd5e870d0229132a41d6c9603ed6

SHA1
9ed28a08783ae795b31a0bf6c49e0ee586211210

SHA256
6a3a093e51869deda6f17d0de26b60e8ca83293a5b870c64abd1f93ec0901d6a

SHA512
24b3de3762e28070033ac2d62bc2bb1b5258710371b6a9e7e5f47a541a00f595a6050f41a4308542a68cccdd1e961ad3bcae5d719df5860d6ea90d8d96af45c7

Download Submit
C:\Windows\System\VqnSVTS.exe

Filesize
6.0MB

MD5
84b6624e5b872ad74e0832e5cb0c8a8e

SHA1
8108f28c461106f865b50dbac5702137f757f9b6

SHA256
730501509bf28ad5af74eb07f28e8cf86295871892e56c82794ca778fe476c4f

SHA512
443ccab8a54a2cd8b6265c803aa6ca111bf926e61a31b688e2e61d500ee07234308afaf14464118dd81f28aef0ffdd096dd8c8083c5ecdfb8d7f01d3b1108e4b

Download Submit
C:\Windows\System\YreEEWl.exe

Filesize
6.0MB

MD5
a16682be53a6197007df1bc19ef56f62

SHA1
1ef8f986697c8301e67c93a7905fe53d5ac9cea9

SHA256
62d46f22dac0db30352e2187657a1317aba744ffc3c0c75d6d75efab8979dfd4

SHA512
c38fe9a3bca0cf2256a5b4c050161312edfc405da40ad0ebbdcef8a45141c0ba4e777437395a9a39168fe6f1f65f25883247f05c27a6de2f43a682fa7c93c5a2

Download Submit
C:\Windows\System\awSxIQu.exe

Filesize
6.0MB

MD5
5ab9b88639470ee17674543a5292d75c

SHA1
2d71c437766a5cca2a1fa44113d1ccc8672c205e

SHA256
d836689d60c052fe2ba6f122753220a908c39242f6ca740b4fede5e89374e826

SHA512
8e417737fc4e7eef9ea388188f9432f95878cea9b43236b5c4688528d7e79bb58c01e7816f175661ed60cfc8adc9f5b6d60bacb423d6a27c0c0d40fee03572f0

Download Submit
C:\Windows\System\doYlhPb.exe

Filesize
6.0MB

MD5
67757d69e456f0054767cea976c5e714

SHA1
7d5633c24c838baeadd1cc77b1da498efb8fae59

SHA256
4272bbc0c76c251eaf575be2476f3500bb3e7d5ff5443ebce0b6c9504579920e

SHA512
ed4e7ddac703ac1c16e6dda0ce4b5f69cd989804c8784f7328d62456683d95e3d7cc8c2e200f119698752db8c26cbd145f1278ffe08c7a63b1e1734d993e0bf7

Download Submit
C:\Windows\System\ekzDVnm.exe

Filesize
6.0MB

MD5
d3e7bec78a18fdb4bd5851925c7fc6bc

SHA1
76607eaf80ab4adae4ac086443a9076c9b08d54f

SHA256
5ace1478cbf4bd9e8ca862a04732843b3397f2ab8c9a0b3d41e7c9264b51fec7

SHA512
5e934342c0275cb511752e0093390b1b3c30c319aec14b0550947e57a2e942404b8de1c703c6c4b39bfe5a808bd36832f06a093a17b31f1a175d00a8e2500c5a

Download Submit
C:\Windows\System\knlANwM.exe

Filesize
6.0MB

MD5
7007fc4a578883b97510c0eefce3523d

SHA1
f1d40d22124ec761a52237f8030859568cb88399

SHA256
39ad01d8a5d2643b7c62336235630492d7705f8932d363005b2224e8e74c223e

SHA512
a08a4b09f41e4fe3dbc136571258b520383eb21222c064b7edc53e0578bfe4b64620b86dac24127d58b9df572531bfe554467e01c251e4fc6eddc5e07690a5fe

Download Submit
C:\Windows\System\mZeEAVq.exe

Filesize
6.0MB

MD5
f2adaab9c9701a9541d8be86ce7d78be

SHA1
60cac17c6e47163a15116a793ce164dc7e55e75e

SHA256
98e20319e4620b2ef4cac74afe0a3147956a58dae961b2b7c21554657a147a69

SHA512
104344fbd162f5dc803029e7a70ad902e88f898f127f16562b48c45a0e39ceb17bb55a31093450c24cebd2234c59dddb586e5e3833d1e8b855b871cab9e002c4

Download Submit
C:\Windows\System\nqIKKAo.exe

Filesize
6.0MB

MD5
05f582ae650cfb386861b746ce25cd91

SHA1
59b9ffa53625164bb59485f26fe64cd7c4bd8820

SHA256
7c7a3745ded9e4f6b2ebae6b8e2bc31fba9fd27312cf42d5aae7fb8761da53a4

SHA512
b1ef923681e6409a8ebc454747fe22e228baba9bf087806590c3deddf6447a4e1025dd6ba42306d1c77a334f23c3d913df5bf397fe4be6dce4b3ead551357961

Download Submit
C:\Windows\System\pWuFIbW.exe

Filesize
6.0MB

MD5
6aa94dc6396881f97760e04c4fff9669

SHA1
db89028cbc088d19b1c1e5678161295268e29a2d

SHA256
8f257ece13426be051d36f5f080ce616100cce78e1fc570ba67fa701133d663f

SHA512
2319bbf2e7ab6999dd288bb3e01422beee82237bede54924c9cde928cfe4825d49487af2d278017f98dd20191ce77a8a45022cd8213593d433af628bea1f72d5

Download Submit
C:\Windows\System\pZFZXLb.exe

Filesize
6.0MB

MD5
22672e01d95fbfa7e47ce2a188f6b9da

SHA1
d52b993f7e6365a3f07402ec26e8881dad2c0a6f

SHA256
ae439906421e49de842314359d4e6ee56000aa5507b7ef48b69e979b2e9cca9d

SHA512
64f0e500ee282713c5458ae354677840c5af73d5bb0e970a0cc99c76fe451c452d8bace2763de3236bf02407b89b7c386b46a8750dddccb89db0c68416a9c065

Download Submit
C:\Windows\System\piwhcul.exe

Filesize
6.0MB

MD5
71e3e82b77d755a886b6431a194e4d7b

SHA1
0ff2c0ad8a5684dac8f09f21d2415d7a584f7996

SHA256
8d4f377a7fa5e8a2e53085b201833434c50acedf9ae4f3ab530bbe4c0fb42d06

SHA512
93657d514fb6fae72361e68b0e1261532cc47c83c84783b2110e26943d85837961580e6438512f8239c377124d37405e7c537518f5ced465227ebbe664e4e229

Download Submit
C:\Windows\System\sECtqRg.exe

Filesize
6.0MB

MD5
2a1028ce5adc05d3edbc746260e703c2

SHA1
2eb7a24a0c875867d1b274e7a07f780dd91e5e32

SHA256
c899343b110e67213bf90d528b20197a410863388606ef868223960d858b181d

SHA512
c79ae4f90cc31031193098a82d948e7d46e500b4338ed065d6cd2748af91ff6d4c8c6c14648cfca1723a590486de766466d7dc8332e87681dc3c96bf1a5fce02

Download Submit
C:\Windows\System\scHRIlj.exe

Filesize
6.0MB

MD5
f17bdf2b58e5c961e3b328fe03f567e2

SHA1
a6780358264678b98a8aa36a3cff9f7fa78d70a7

SHA256
9aadab33c4822059bd2d8b3c41d157997c4798e7c124dc5752ff001ba7b528e4

SHA512
74b74c7a9421b3c02949bf4e76f39e9bbbfab80cc2523ea33e184c9b5110479797fb601dd7f1ca81f2df14c77473011e1d0f7befeab6eb2d691cc3f749989e87

Download Submit
C:\Windows\System\tWAbfJI.exe

Filesize
6.0MB

MD5
682a4b0db22a6c80809da1d79e7f8706

SHA1
7def477ffebf3d927434b7586283e2198dc29999

SHA256
5db31f0a412475e23e29dd45e9a8d09dec2cf29aa77ac8b600734c926e5a8fc1

SHA512
90aa74ee1833ba84f97a550f4e059f2306c2c923c25ecc359cd677e4058609085fbddd14b40415931fff1461d0162f8df90cefd82a11ad1d6b11ee5c696472aa

Download Submit
C:\Windows\System\wpkAVNR.exe

Filesize
6.0MB

MD5
754338a5d0beafdb88dd312a67050b1e

SHA1
ac42e2ff0b152245dc309b1e985bd3f0b169dd39

SHA256
d1fbe0923d5704bf8dc85b8a1ba3bc9278aa08e0541d9382e1c7c8dfbd264c75

SHA512
43de85813f80a95273282e0df5b85ee8505e923ccc00dd15b2352845b0d7ab691e75219ff4e9552cc2fc6df44e0f4c8cdb3c65f51802b5615fb3b1a64a98906f

Download Submit
C:\Windows\System\yrLxPkA.exe

Filesize
6.0MB

MD5
1f9d2b73f1a741306664ae3389427f03

SHA1
d80467685ebfd262145eb43ff5f5e5d426083196

SHA256
db5e21843b417b80002c3a91c796fffe36e9897fef9fa49bd06499ba77b45fcc

SHA512
34a6f635d9a84a67a7028187ee274d5963ccd8b191d042edd1867bf65d6cbd08f019c9327eb4d652717bf878ca8167ce9bcfab85ba2eb99d4305e38bb6bfc965

Download Submit
C:\Windows\System\zeDWbXV.exe

Filesize
6.0MB

MD5
c324df037fb403469f7a9b9942a257ca

SHA1
dcd312b0e407377661cd7ca6e9edfccbd2c86554

SHA256
c6a6dd6b912c843f2c6323c6547232d0ae4feacdbf4c55290ef60aa5f89a352e

SHA512
055fd8c19a7e84d529754a19bef58d48141d9f0ac894641eed8f29c392a9adfb3e52e6dac8486df43cf4941a06f21fe390037458620e0a409a3b013f992bac55

Download Submit
C:\Windows\System\zghbFVt.exe

Filesize
6.0MB

MD5
3544cbf7395c465217dfdac2195950e6

SHA1
716840ca17dc217203388dcba8e87caacade1c84

SHA256
c28f2c39da3a654a075443492dabf3d23df08679152f7215efafaf63962f0207

SHA512
fe122ad5e6bde7fdec30621b7625931e4a5c3bd7d8bd4e8171fe0eae88715849238f149c2afee258e19f5967a1218abcc5f0063f37cb837c000fcd8b9caa5124

Download Submit
memory/908-55-0x00007FF618F10000-0x00007FF619264000-memory.dmp

Filesize
3.3MB

Download
memory/908-2119-0x00007FF618F10000-0x00007FF619264000-memory.dmp

Filesize
3.3MB

Download
memory/908-117-0x00007FF618F10000-0x00007FF619264000-memory.dmp

Filesize
3.3MB

Download
memory/964-342-0x00007FF638BD0000-0x00007FF638F24000-memory.dmp

Filesize
3.3MB

Download
memory/964-167-0x00007FF638BD0000-0x00007FF638F24000-memory.dmp

Filesize
3.3MB

Download
memory/964-2328-0x00007FF638BD0000-0x00007FF638F24000-memory.dmp

Filesize
3.3MB

Download
memory/996-2321-0x00007FF7BB0F0000-0x00007FF7BB444000-memory.dmp

Filesize
3.3MB

Download
memory/996-120-0x00007FF7BB0F0000-0x00007FF7BB444000-memory.dmp

Filesize
3.3MB

Download
memory/1488-2319-0x00007FF7025E0000-0x00007FF702934000-memory.dmp

Filesize
3.3MB

Download
memory/1488-102-0x00007FF7025E0000-0x00007FF702934000-memory.dmp

Filesize
3.3MB

Download
memory/1488-159-0x00007FF7025E0000-0x00007FF702934000-memory.dmp

Filesize
3.3MB

Download
memory/1540-2082-0x00007FF6F42F0000-0x00007FF6F4644000-memory.dmp

Filesize
3.3MB

Download
memory/1540-26-0x00007FF6F42F0000-0x00007FF6F4644000-memory.dmp

Filesize
3.3MB

Download
memory/1540-81-0x00007FF6F42F0000-0x00007FF6F4644000-memory.dmp

Filesize
3.3MB

Download
memory/2216-101-0x00007FF77AB60000-0x00007FF77AEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2216-2093-0x00007FF77AB60000-0x00007FF77AEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2216-41-0x00007FF77AB60000-0x00007FF77AEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2492-2327-0x00007FF788080000-0x00007FF7883D4000-memory.dmp

Filesize
3.3MB

Download
memory/2492-161-0x00007FF788080000-0x00007FF7883D4000-memory.dmp

Filesize
3.3MB

Download
memory/2800-2318-0x00007FF759640000-0x00007FF759994000-memory.dmp

Filesize
3.3MB

Download
memory/2800-95-0x00007FF759640000-0x00007FF759994000-memory.dmp

Filesize
3.3MB

Download
memory/2800-155-0x00007FF759640000-0x00007FF759994000-memory.dmp

Filesize
3.3MB

Download
memory/2828-218-0x00007FF733C70000-0x00007FF733FC4000-memory.dmp

Filesize
3.3MB

Download
memory/2828-137-0x00007FF733C70000-0x00007FF733FC4000-memory.dmp

Filesize
3.3MB

Download
memory/2828-2324-0x00007FF733C70000-0x00007FF733FC4000-memory.dmp

Filesize
3.3MB

Download
memory/2920-2322-0x00007FF7B5150000-0x00007FF7B54A4000-memory.dmp

Filesize
3.3MB

Download
memory/2920-123-0x00007FF7B5150000-0x00007FF7B54A4000-memory.dmp

Filesize
3.3MB

Download
memory/2920-177-0x00007FF7B5150000-0x00007FF7B54A4000-memory.dmp

Filesize
3.3MB

Download
memory/3080-60-0x00007FF73FE50000-0x00007FF7401A4000-memory.dmp

Filesize
3.3MB

Download
memory/3080-1-0x000001657D7C0000-0x000001657D7D0000-memory.dmp

Filesize
64KB

Download
memory/3080-0-0x00007FF73FE50000-0x00007FF7401A4000-memory.dmp

Filesize
3.3MB

Download
memory/3288-126-0x00007FF715120000-0x00007FF715474000-memory.dmp

Filesize
3.3MB

Download
memory/3288-68-0x00007FF715120000-0x00007FF715474000-memory.dmp

Filesize
3.3MB

Download
memory/3288-2127-0x00007FF715120000-0x00007FF715474000-memory.dmp

Filesize
3.3MB

Download
memory/3304-2326-0x00007FF7A38F0000-0x00007FF7A3C44000-memory.dmp

Filesize
3.3MB

Download
memory/3304-249-0x00007FF7A38F0000-0x00007FF7A3C44000-memory.dmp

Filesize
3.3MB

Download
memory/3304-150-0x00007FF7A38F0000-0x00007FF7A3C44000-memory.dmp

Filesize
3.3MB

Download
memory/3648-2325-0x00007FF6FD9D0000-0x00007FF6FDD24000-memory.dmp

Filesize
3.3MB

Download
memory/3648-234-0x00007FF6FD9D0000-0x00007FF6FDD24000-memory.dmp

Filesize
3.3MB

Download
memory/3648-143-0x00007FF6FD9D0000-0x00007FF6FDD24000-memory.dmp

Filesize
3.3MB

Download
memory/3668-2053-0x00007FF775D20000-0x00007FF776074000-memory.dmp

Filesize
3.3MB

Download
memory/3668-12-0x00007FF775D20000-0x00007FF776074000-memory.dmp

Filesize
3.3MB

Download
memory/3668-76-0x00007FF775D20000-0x00007FF776074000-memory.dmp

Filesize
3.3MB

Download
memory/3784-2330-0x00007FF7B7470000-0x00007FF7B77C4000-memory.dmp

Filesize
3.3MB

Download
memory/3784-180-0x00007FF7B7470000-0x00007FF7B77C4000-memory.dmp

Filesize
3.3MB

Download
memory/3788-2112-0x00007FF7E8EB0000-0x00007FF7E9204000-memory.dmp

Filesize
3.3MB

Download
memory/3788-105-0x00007FF7E8EB0000-0x00007FF7E9204000-memory.dmp

Filesize
3.3MB

Download
memory/3788-50-0x00007FF7E8EB0000-0x00007FF7E9204000-memory.dmp

Filesize
3.3MB

Download
memory/3964-175-0x00007FF77E8F0000-0x00007FF77EC44000-memory.dmp

Filesize
3.3MB

Download
memory/3964-2329-0x00007FF77E8F0000-0x00007FF77EC44000-memory.dmp

Filesize
3.3MB

Download
memory/3964-392-0x00007FF77E8F0000-0x00007FF77EC44000-memory.dmp

Filesize
3.3MB

Download
memory/4324-71-0x00007FF6A22D0000-0x00007FF6A2624000-memory.dmp

Filesize
3.3MB

Download
memory/4324-2128-0x00007FF6A22D0000-0x00007FF6A2624000-memory.dmp

Filesize
3.3MB

Download
memory/4324-127-0x00007FF6A22D0000-0x00007FF6A2624000-memory.dmp

Filesize
3.3MB

Download
memory/4344-193-0x00007FF6A35C0000-0x00007FF6A3914000-memory.dmp

Filesize
3.3MB

Download
memory/4344-2332-0x00007FF6A35C0000-0x00007FF6A3914000-memory.dmp

Filesize
3.3MB

Download
memory/4492-166-0x00007FF66B550000-0x00007FF66B8A4000-memory.dmp

Filesize
3.3MB

Download
memory/4492-2320-0x00007FF66B550000-0x00007FF66B8A4000-memory.dmp

Filesize
3.3MB

Download
memory/4492-107-0x00007FF66B550000-0x00007FF66B8A4000-memory.dmp

Filesize
3.3MB

Download
memory/4556-37-0x00007FF6F9BC0000-0x00007FF6F9F14000-memory.dmp

Filesize
3.3MB

Download
memory/4556-2101-0x00007FF6F9BC0000-0x00007FF6F9F14000-memory.dmp

Filesize
3.3MB

Download
memory/4556-94-0x00007FF6F9BC0000-0x00007FF6F9F14000-memory.dmp

Filesize
3.3MB

Download
memory/4632-84-0x00007FF652B20000-0x00007FF652E74000-memory.dmp

Filesize
3.3MB

Download
memory/4752-90-0x00007FF653E10000-0x00007FF654164000-memory.dmp

Filesize
3.3MB

Download
memory/4924-2075-0x00007FF66AD20000-0x00007FF66B074000-memory.dmp

Filesize
3.3MB

Download
memory/4924-20-0x00007FF66AD20000-0x00007FF66B074000-memory.dmp

Filesize
3.3MB

Download
memory/4928-122-0x00007FF614750000-0x00007FF614AA4000-memory.dmp

Filesize
3.3MB

Download
memory/4928-2124-0x00007FF614750000-0x00007FF614AA4000-memory.dmp

Filesize
3.3MB

Download
memory/4928-62-0x00007FF614750000-0x00007FF614AA4000-memory.dmp

Filesize
3.3MB

Download
memory/5012-7-0x00007FF760F20000-0x00007FF761274000-memory.dmp

Filesize
3.3MB

Download
memory/5012-2046-0x00007FF760F20000-0x00007FF761274000-memory.dmp

Filesize
3.3MB

Download
memory/5012-67-0x00007FF760F20000-0x00007FF761274000-memory.dmp

Filesize
3.3MB

Download
memory/5024-2323-0x00007FF6C0140000-0x00007FF6C0494000-memory.dmp

Filesize
3.3MB

Download
memory/5024-131-0x00007FF6C0140000-0x00007FF6C0494000-memory.dmp

Filesize
3.3MB

Download
memory/5024-191-0x00007FF6C0140000-0x00007FF6C0494000-memory.dmp

Filesize
3.3MB

Download
memory/5112-183-0x00007FF7B1500000-0x00007FF7B1854000-memory.dmp

Filesize
3.3MB

Download
memory/5112-570-0x00007FF7B1500000-0x00007FF7B1854000-memory.dmp

Filesize
3.3MB

Download
memory/5112-2331-0x00007FF7B1500000-0x00007FF7B1854000-memory.dmp

Filesize
3.3MB

Download
memory/5116-32-0x00007FF6B8B70000-0x00007FF6B8EC4000-memory.dmp

Filesize
3.3MB

Download
memory/5116-2087-0x00007FF6B8B70000-0x00007FF6B8EC4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads