cobaltstrike | 7fa00ab48e93100645103e9c85dcbedea3bd9193f391357043ab05bcbd51116f

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2025, 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

f5cfef41d76531560750b775d56b8387
SHA1

df46a21a1718046f43079893e1fc22893f6d9736
SHA256

7fa00ab48e93100645103e9c85dcbedea3bd9193f391357043ab05bcbd51116f
SHA512

219b426ee5be06779fb05e9bfd7f00063c2aaa32c73a88e782404595565dd1dc08ede7bc0b15188d3640479d2019f560a7bdaa860b47eba0d09cfdac0c72d273
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lA:RWWBibf56utgpPFotBER/mQ32lUc

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 32 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b71-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b76-17.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b77-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-30.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b78-32.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-54.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-67.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-69.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-92.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-113.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-125.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-134.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-147.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-138.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-129.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-118.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-107.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b72-97.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-79.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-62.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-53.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b75-13.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-151.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-155.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-168.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-186.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b92-188.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b91-187.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-178.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-173.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 56 IoCs

miner

resource	yara_rule
behavioral2/memory/3140-16-0x00007FF7629B0000-0x00007FF762D01000-memory.dmp	xmrig
behavioral2/memory/1388-143-0x00007FF72E0A0000-0x00007FF72E3F1000-memory.dmp	xmrig
behavioral2/memory/4680-146-0x00007FF6FB630000-0x00007FF6FB981000-memory.dmp	xmrig
behavioral2/memory/3480-144-0x00007FF690B20000-0x00007FF690E71000-memory.dmp	xmrig
behavioral2/memory/4804-142-0x00007FF6AD5A0000-0x00007FF6AD8F1000-memory.dmp	xmrig
behavioral2/memory/4860-141-0x00007FF70EF10000-0x00007FF70F261000-memory.dmp	xmrig
behavioral2/memory/4264-140-0x00007FF799620000-0x00007FF799971000-memory.dmp	xmrig
behavioral2/memory/760-131-0x00007FF78D760000-0x00007FF78DAB1000-memory.dmp	xmrig
behavioral2/memory/3512-124-0x00007FF7D68F0000-0x00007FF7D6C41000-memory.dmp	xmrig
behavioral2/memory/4300-101-0x00007FF6E30D0000-0x00007FF6E3421000-memory.dmp	xmrig
behavioral2/memory/5880-100-0x00007FF748610000-0x00007FF748961000-memory.dmp	xmrig
behavioral2/memory/3920-190-0x00007FF6094A0000-0x00007FF6097F1000-memory.dmp	xmrig
behavioral2/memory/4232-189-0x00007FF633A10000-0x00007FF633D61000-memory.dmp	xmrig
behavioral2/memory/3396-183-0x00007FF67ED10000-0x00007FF67F061000-memory.dmp	xmrig
behavioral2/memory/3568-170-0x00007FF7F1230000-0x00007FF7F1581000-memory.dmp	xmrig
behavioral2/memory/1876-167-0x00007FF655430000-0x00007FF655781000-memory.dmp	xmrig
behavioral2/memory/2780-166-0x00007FF6A2DB0000-0x00007FF6A3101000-memory.dmp	xmrig
behavioral2/memory/2416-163-0x00007FF647F40000-0x00007FF648291000-memory.dmp	xmrig
behavioral2/memory/1244-158-0x00007FF6D7070000-0x00007FF6D73C1000-memory.dmp	xmrig
behavioral2/memory/4256-210-0x00007FF61C440000-0x00007FF61C791000-memory.dmp	xmrig
behavioral2/memory/3264-207-0x00007FF62F3F0000-0x00007FF62F741000-memory.dmp	xmrig
behavioral2/memory/3540-200-0x00007FF67F8B0000-0x00007FF67FC01000-memory.dmp	xmrig
behavioral2/memory/4024-203-0x00007FF63F900000-0x00007FF63FC51000-memory.dmp	xmrig
behavioral2/memory/2756-288-0x00007FF6D12C0000-0x00007FF6D1611000-memory.dmp	xmrig
behavioral2/memory/4268-266-0x00007FF6B8820000-0x00007FF6B8B71000-memory.dmp	xmrig
behavioral2/memory/2132-374-0x00007FF743830000-0x00007FF743B81000-memory.dmp	xmrig
behavioral2/memory/4308-371-0x00007FF6906F0000-0x00007FF690A41000-memory.dmp	xmrig
behavioral2/memory/4828-518-0x00007FF7F68D0000-0x00007FF7F6C21000-memory.dmp	xmrig
behavioral2/memory/1788-673-0x00007FF60A930000-0x00007FF60AC81000-memory.dmp	xmrig
behavioral2/memory/3932-752-0x00007FF784E20000-0x00007FF785171000-memory.dmp	xmrig
behavioral2/memory/1876-2356-0x00007FF655430000-0x00007FF655781000-memory.dmp	xmrig
behavioral2/memory/3568-2360-0x00007FF7F1230000-0x00007FF7F1581000-memory.dmp	xmrig
behavioral2/memory/3396-2358-0x00007FF67ED10000-0x00007FF67F061000-memory.dmp	xmrig
behavioral2/memory/3540-2362-0x00007FF67F8B0000-0x00007FF67FC01000-memory.dmp	xmrig
behavioral2/memory/3920-2364-0x00007FF6094A0000-0x00007FF6097F1000-memory.dmp	xmrig
behavioral2/memory/5880-2366-0x00007FF748610000-0x00007FF748961000-memory.dmp	xmrig
behavioral2/memory/4024-2386-0x00007FF63F900000-0x00007FF63FC51000-memory.dmp	xmrig
behavioral2/memory/4300-2388-0x00007FF6E30D0000-0x00007FF6E3421000-memory.dmp	xmrig
behavioral2/memory/3264-2392-0x00007FF62F3F0000-0x00007FF62F741000-memory.dmp	xmrig
behavioral2/memory/4268-2391-0x00007FF6B8820000-0x00007FF6B8B71000-memory.dmp	xmrig
behavioral2/memory/4264-2394-0x00007FF799620000-0x00007FF799971000-memory.dmp	xmrig
behavioral2/memory/4256-2396-0x00007FF61C440000-0x00007FF61C791000-memory.dmp	xmrig
behavioral2/memory/4308-2398-0x00007FF6906F0000-0x00007FF690A41000-memory.dmp	xmrig
behavioral2/memory/760-2402-0x00007FF78D760000-0x00007FF78DAB1000-memory.dmp	xmrig
behavioral2/memory/2756-2401-0x00007FF6D12C0000-0x00007FF6D1611000-memory.dmp	xmrig
behavioral2/memory/3512-2404-0x00007FF7D68F0000-0x00007FF7D6C41000-memory.dmp	xmrig
behavioral2/memory/2132-2406-0x00007FF743830000-0x00007FF743B81000-memory.dmp	xmrig
behavioral2/memory/4860-2412-0x00007FF70EF10000-0x00007FF70F261000-memory.dmp	xmrig
behavioral2/memory/4804-2411-0x00007FF6AD5A0000-0x00007FF6AD8F1000-memory.dmp	xmrig
behavioral2/memory/1388-2409-0x00007FF72E0A0000-0x00007FF72E3F1000-memory.dmp	xmrig
behavioral2/memory/4828-2425-0x00007FF7F68D0000-0x00007FF7F6C21000-memory.dmp	xmrig
behavioral2/memory/2780-2485-0x00007FF6A2DB0000-0x00007FF6A3101000-memory.dmp	xmrig
behavioral2/memory/2416-2487-0x00007FF647F40000-0x00007FF648291000-memory.dmp	xmrig
behavioral2/memory/1788-2489-0x00007FF60A930000-0x00007FF60AC81000-memory.dmp	xmrig
behavioral2/memory/4232-2491-0x00007FF633A10000-0x00007FF633D61000-memory.dmp	xmrig
behavioral2/memory/3932-2493-0x00007FF784E20000-0x00007FF785171000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4680	myIcVAk.exe
3140	PZMstBv.exe
1244	kFcpYgm.exe
1876	XHycFwt.exe
3396	tfAsjUp.exe
3568	LAInbzp.exe
3540	UwYoJJI.exe
4268	oNiGeoy.exe
5880	chjooTf.exe
4024	CfuqZZe.exe
4300	uWmwFdN.exe
3920	gXgskat.exe
2756	nsqljmp.exe
3264	OPsvZHP.exe
4308	BaLFDAr.exe
4256	mvvzMYS.exe
4264	lqmoBNI.exe
3512	lxMazcp.exe
760	hcfTNGQ.exe
4860	LudshQk.exe
4804	dDMEtfw.exe
1388	WSTpawn.exe
2132	JqbbtzL.exe
4828	NKaFTWs.exe
2416	aEJgmeR.exe
2780	LGHVaNN.exe
1788	fHljoYQ.exe
3932	PKJFjmo.exe
4232	gfkQgSO.exe
2232	JluPEfi.exe
4332	RVlNTzX.exe
2300	mRrjPDZ.exe
5892	gkezafc.exe
2116	rMywuUu.exe
5448	bHgCBxH.exe
3672	iAjuEWz.exe
4452	TTOLocU.exe
6136	Pqjghdc.exe
3272	hHmQGXR.exe
2180	BQweXaA.exe
4084	zPWYBKs.exe
2952	IhrjfVe.exe
216	OzYxOTf.exe
5548	kNMWAif.exe
4692	MzTTCMa.exe
3968	PCzybDL.exe
1752	VrItDwr.exe
564	RRybpdt.exe
5572	ibYKIox.exe
6016	skNwcPM.exe
4696	jdHLVuX.exe
1316	MPqabaI.exe
2052	OsdonEu.exe
4776	BaGVCyA.exe
5604	pPqdBcy.exe
4864	QaqEyod.exe
1948	yJfUEXS.exe
6028	KyZuIJu.exe
5944	MFjtRxD.exe
5860	yDooMXy.exe
4076	AGPxMOi.exe
2868	yhmBNSJ.exe
3132	VpuDNEQ.exe
5092	AKjrupq.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3480-0-0x00007FF690B20000-0x00007FF690E71000-memory.dmp	upx
behavioral2/files/0x000b000000023b71-5.dat	upx
behavioral2/memory/3140-16-0x00007FF7629B0000-0x00007FF762D01000-memory.dmp	upx
behavioral2/memory/1244-20-0x00007FF6D7070000-0x00007FF6D73C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b76-17.dat	upx
behavioral2/files/0x000a000000023b77-23.dat	upx
behavioral2/files/0x000a000000023b79-30.dat	upx
behavioral2/memory/3396-35-0x00007FF67ED10000-0x00007FF67F061000-memory.dmp	upx
behavioral2/memory/3568-36-0x00007FF7F1230000-0x00007FF7F1581000-memory.dmp	upx
behavioral2/memory/1876-33-0x00007FF655430000-0x00007FF655781000-memory.dmp	upx
behavioral2/files/0x000a000000023b78-32.dat	upx
behavioral2/memory/3540-49-0x00007FF67F8B0000-0x00007FF67FC01000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-54.dat	upx
behavioral2/files/0x000a000000023b7b-67.dat	upx
behavioral2/files/0x000a000000023b80-69.dat	upx
behavioral2/memory/3920-76-0x00007FF6094A0000-0x00007FF6097F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-92.dat	upx
behavioral2/files/0x000a000000023b81-113.dat	upx
behavioral2/files/0x000a000000023b88-125.dat	upx
behavioral2/files/0x000a000000023b86-134.dat	upx
behavioral2/memory/1388-143-0x00007FF72E0A0000-0x00007FF72E3F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-147.dat	upx
behavioral2/memory/4680-146-0x00007FF6FB630000-0x00007FF6FB981000-memory.dmp	upx
behavioral2/memory/4828-145-0x00007FF7F68D0000-0x00007FF7F6C21000-memory.dmp	upx
behavioral2/memory/3480-144-0x00007FF690B20000-0x00007FF690E71000-memory.dmp	upx
behavioral2/memory/4804-142-0x00007FF6AD5A0000-0x00007FF6AD8F1000-memory.dmp	upx
behavioral2/memory/4860-141-0x00007FF70EF10000-0x00007FF70F261000-memory.dmp	upx
behavioral2/memory/4264-140-0x00007FF799620000-0x00007FF799971000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-138.dat	upx
behavioral2/memory/2132-132-0x00007FF743830000-0x00007FF743B81000-memory.dmp	upx
behavioral2/memory/760-131-0x00007FF78D760000-0x00007FF78DAB1000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-129.dat	upx
behavioral2/memory/3512-124-0x00007FF7D68F0000-0x00007FF7D6C41000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-119.dat	upx
behavioral2/files/0x000a000000023b84-118.dat	upx
behavioral2/memory/4308-111-0x00007FF6906F0000-0x00007FF690A41000-memory.dmp	upx
behavioral2/memory/2756-110-0x00007FF6D12C0000-0x00007FF6D1611000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-107.dat	upx
behavioral2/memory/4300-101-0x00007FF6E30D0000-0x00007FF6E3421000-memory.dmp	upx
behavioral2/memory/5880-100-0x00007FF748610000-0x00007FF748961000-memory.dmp	upx
behavioral2/files/0x000b000000023b72-97.dat	upx
behavioral2/memory/4256-90-0x00007FF61C440000-0x00007FF61C791000-memory.dmp	upx
behavioral2/memory/3264-89-0x00007FF62F3F0000-0x00007FF62F741000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-70.dat	upx
behavioral2/files/0x000a000000023b7e-79.dat	upx
behavioral2/files/0x000a000000023b7c-62.dat	upx
behavioral2/memory/4024-64-0x00007FF63F900000-0x00007FF63FC51000-memory.dmp	upx
behavioral2/memory/4268-55-0x00007FF6B8820000-0x00007FF6B8B71000-memory.dmp	upx
behavioral2/files/0x000a000000023b7a-53.dat	upx
behavioral2/files/0x000a000000023b75-13.dat	upx
behavioral2/memory/4680-9-0x00007FF6FB630000-0x00007FF6FB981000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-151.dat	upx
behavioral2/files/0x000a000000023b8c-155.dat	upx
behavioral2/files/0x000a000000023b8e-168.dat	upx
behavioral2/memory/1788-169-0x00007FF60A930000-0x00007FF60AC81000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-186.dat	upx
behavioral2/memory/3920-190-0x00007FF6094A0000-0x00007FF6097F1000-memory.dmp	upx
behavioral2/memory/4232-189-0x00007FF633A10000-0x00007FF633D61000-memory.dmp	upx
behavioral2/files/0x000b000000023b92-188.dat	upx
behavioral2/files/0x000b000000023b91-187.dat	upx
behavioral2/memory/3396-183-0x00007FF67ED10000-0x00007FF67F061000-memory.dmp	upx
behavioral2/memory/3932-180-0x00007FF784E20000-0x00007FF785171000-memory.dmp	upx
behavioral2/files/0x000a000000023b8f-178.dat	upx
behavioral2/files/0x000a000000023b8d-173.dat	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\eHXOcVt.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OdKpqna.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oJsbJQH.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zDlFJxZ.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QjwsWoT.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RKHwmXT.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EZnGIqD.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZUuTeZT.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZYSAVxy.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\clDEMEf.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EtUrjkf.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WqVYeej.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IKSEmNl.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NVdtNIl.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SioMpep.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nbEEMOp.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GOsElai.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EqGRFDd.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oNiGeoy.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sFvfdKo.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mrZcggV.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SWqWpSa.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nGaMMYy.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QCYdFZF.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NTKFqCQ.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lxbuqqN.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FcivVnZ.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zHYihrv.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OfmjctF.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QjGRFqI.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IQKxUDN.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XxwgVJl.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RmtmGtZ.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LyfCxRi.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\muTjYgy.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qkljGWl.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bihRMaR.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YBGmlNP.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GDuqxLH.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CFToicu.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gsXrLIS.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CMXpajg.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vahAlKT.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yJfUEXS.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fwofZKq.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\apPbHhJ.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\woymBjN.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tmbJySt.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QpZmWpW.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tQeBgtK.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Ykjywzj.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lfobovb.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iaxmvEg.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AxTGwfh.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MPqabaI.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dNousXF.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NnhGQQF.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LBHodXR.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JxoqGmB.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sWqrimh.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PgXZckl.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uwMOVHz.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lqmoBNI.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dDMEtfw.exe	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	14640	dwm.exe
Token: SeChangeNotifyPrivilege	14640	dwm.exe
Token: 33	14640	dwm.exe
Token: SeIncBasePriorityPrivilege	14640	dwm.exe
Token: SeShutdownPrivilege	14640	dwm.exe
Token: SeCreatePagefilePrivilege	14640	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 4680	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3480 wrote to memory of 4680	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3480 wrote to memory of 3140	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3480 wrote to memory of 3140	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3480 wrote to memory of 1244	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3480 wrote to memory of 1244	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3480 wrote to memory of 1876	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3480 wrote to memory of 1876	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3480 wrote to memory of 3396	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3480 wrote to memory of 3396	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3480 wrote to memory of 3568	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3480 wrote to memory of 3568	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3480 wrote to memory of 3540	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3480 wrote to memory of 3540	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3480 wrote to memory of 4268	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3480 wrote to memory of 4268	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3480 wrote to memory of 5880	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3480 wrote to memory of 5880	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3480 wrote to memory of 4024	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3480 wrote to memory of 4024	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3480 wrote to memory of 4300	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3480 wrote to memory of 4300	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3480 wrote to memory of 3920	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3480 wrote to memory of 3920	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3480 wrote to memory of 2756	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3480 wrote to memory of 2756	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3480 wrote to memory of 3264	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3480 wrote to memory of 3264	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3480 wrote to memory of 4308	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3480 wrote to memory of 4308	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3480 wrote to memory of 4256	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3480 wrote to memory of 4256	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3480 wrote to memory of 4264	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3480 wrote to memory of 4264	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3480 wrote to memory of 3512	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3480 wrote to memory of 3512	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3480 wrote to memory of 760	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3480 wrote to memory of 760	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3480 wrote to memory of 4804	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3480 wrote to memory of 4804	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3480 wrote to memory of 4860	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3480 wrote to memory of 4860	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3480 wrote to memory of 1388	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3480 wrote to memory of 1388	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3480 wrote to memory of 2132	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3480 wrote to memory of 2132	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3480 wrote to memory of 4828	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 3480 wrote to memory of 4828	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 3480 wrote to memory of 2416	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 3480 wrote to memory of 2416	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 3480 wrote to memory of 2780	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 3480 wrote to memory of 2780	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 3480 wrote to memory of 1788	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 3480 wrote to memory of 1788	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 3480 wrote to memory of 3932	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 3480 wrote to memory of 3932	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 3480 wrote to memory of 4232	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 3480 wrote to memory of 4232	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 3480 wrote to memory of 2232	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 3480 wrote to memory of 2232	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 3480 wrote to memory of 4332	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 3480 wrote to memory of 4332	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 3480 wrote to memory of 2300	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	117
PID 3480 wrote to memory of 2300	3480	2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe	117

C:\Users\Admin\AppData\Local\Temp\2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-28_f5cfef41d76531560750b775d56b8387_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\System\myIcVAk.exe
  C:\Windows\System\myIcVAk.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System\PZMstBv.exe
  C:\Windows\System\PZMstBv.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System\kFcpYgm.exe
  C:\Windows\System\kFcpYgm.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System\XHycFwt.exe
  C:\Windows\System\XHycFwt.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\tfAsjUp.exe
  C:\Windows\System\tfAsjUp.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System\LAInbzp.exe
  C:\Windows\System\LAInbzp.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System\UwYoJJI.exe
  C:\Windows\System\UwYoJJI.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\oNiGeoy.exe
  C:\Windows\System\oNiGeoy.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\chjooTf.exe
  C:\Windows\System\chjooTf.exe
  2⤵
  - Executes dropped EXE
  PID:5880
- C:\Windows\System\CfuqZZe.exe
  C:\Windows\System\CfuqZZe.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\uWmwFdN.exe
  C:\Windows\System\uWmwFdN.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\gXgskat.exe
  C:\Windows\System\gXgskat.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System\nsqljmp.exe
  C:\Windows\System\nsqljmp.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\OPsvZHP.exe
  C:\Windows\System\OPsvZHP.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\BaLFDAr.exe
  C:\Windows\System\BaLFDAr.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System\mvvzMYS.exe
  C:\Windows\System\mvvzMYS.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System\lqmoBNI.exe
  C:\Windows\System\lqmoBNI.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System\lxMazcp.exe
  C:\Windows\System\lxMazcp.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\hcfTNGQ.exe
  C:\Windows\System\hcfTNGQ.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System\dDMEtfw.exe
  C:\Windows\System\dDMEtfw.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\LudshQk.exe
  C:\Windows\System\LudshQk.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\WSTpawn.exe
  C:\Windows\System\WSTpawn.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\JqbbtzL.exe
  C:\Windows\System\JqbbtzL.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\NKaFTWs.exe
  C:\Windows\System\NKaFTWs.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\aEJgmeR.exe
  C:\Windows\System\aEJgmeR.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\LGHVaNN.exe
  C:\Windows\System\LGHVaNN.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\fHljoYQ.exe
  C:\Windows\System\fHljoYQ.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System\PKJFjmo.exe
  C:\Windows\System\PKJFjmo.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System\gfkQgSO.exe
  C:\Windows\System\gfkQgSO.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System\JluPEfi.exe
  C:\Windows\System\JluPEfi.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System\RVlNTzX.exe
  C:\Windows\System\RVlNTzX.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System\mRrjPDZ.exe
  C:\Windows\System\mRrjPDZ.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System\gkezafc.exe
  C:\Windows\System\gkezafc.exe
  2⤵
  - Executes dropped EXE
  PID:5892
- C:\Windows\System\bHgCBxH.exe
  C:\Windows\System\bHgCBxH.exe
  2⤵
  - Executes dropped EXE
  PID:5448
- C:\Windows\System\rMywuUu.exe
  C:\Windows\System\rMywuUu.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\iAjuEWz.exe
  C:\Windows\System\iAjuEWz.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\TTOLocU.exe
  C:\Windows\System\TTOLocU.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\Pqjghdc.exe
  C:\Windows\System\Pqjghdc.exe
  2⤵
  - Executes dropped EXE
  PID:6136
- C:\Windows\System\hHmQGXR.exe
  C:\Windows\System\hHmQGXR.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\BQweXaA.exe
  C:\Windows\System\BQweXaA.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\zPWYBKs.exe
  C:\Windows\System\zPWYBKs.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System\IhrjfVe.exe
  C:\Windows\System\IhrjfVe.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\OzYxOTf.exe
  C:\Windows\System\OzYxOTf.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\kNMWAif.exe
  C:\Windows\System\kNMWAif.exe
  2⤵
  - Executes dropped EXE
  PID:5548
- C:\Windows\System\MzTTCMa.exe
  C:\Windows\System\MzTTCMa.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\PCzybDL.exe
  C:\Windows\System\PCzybDL.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System\VrItDwr.exe
  C:\Windows\System\VrItDwr.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\RRybpdt.exe
  C:\Windows\System\RRybpdt.exe
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\System\ibYKIox.exe
  C:\Windows\System\ibYKIox.exe
  2⤵
  - Executes dropped EXE
  PID:5572
- C:\Windows\System\skNwcPM.exe
  C:\Windows\System\skNwcPM.exe
  2⤵
  - Executes dropped EXE
  PID:6016
- C:\Windows\System\jdHLVuX.exe
  C:\Windows\System\jdHLVuX.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\MPqabaI.exe
  C:\Windows\System\MPqabaI.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System\OsdonEu.exe
  C:\Windows\System\OsdonEu.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\BaGVCyA.exe
  C:\Windows\System\BaGVCyA.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\pPqdBcy.exe
  C:\Windows\System\pPqdBcy.exe
  2⤵
  - Executes dropped EXE
  PID:5604
- C:\Windows\System\QaqEyod.exe
  C:\Windows\System\QaqEyod.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\yJfUEXS.exe
  C:\Windows\System\yJfUEXS.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\KyZuIJu.exe
  C:\Windows\System\KyZuIJu.exe
  2⤵
  - Executes dropped EXE
  PID:6028
- C:\Windows\System\MFjtRxD.exe
  C:\Windows\System\MFjtRxD.exe
  2⤵
  - Executes dropped EXE
  PID:5944
- C:\Windows\System\yDooMXy.exe
  C:\Windows\System\yDooMXy.exe
  2⤵
  - Executes dropped EXE
  PID:5860
- C:\Windows\System\AGPxMOi.exe
  C:\Windows\System\AGPxMOi.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System\yhmBNSJ.exe
  C:\Windows\System\yhmBNSJ.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\VpuDNEQ.exe
  C:\Windows\System\VpuDNEQ.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\AKjrupq.exe
  C:\Windows\System\AKjrupq.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\wtqlQYT.exe
  C:\Windows\System\wtqlQYT.exe
  2⤵
  PID:4384
- C:\Windows\System\arUENcG.exe
  C:\Windows\System\arUENcG.exe
  2⤵
  PID:1320
- C:\Windows\System\LtbWoAw.exe
  C:\Windows\System\LtbWoAw.exe
  2⤵
  PID:2456
- C:\Windows\System\gmEbsOM.exe
  C:\Windows\System\gmEbsOM.exe
  2⤵
  PID:3056
- C:\Windows\System\wJggpax.exe
  C:\Windows\System\wJggpax.exe
  2⤵
  PID:3448
- C:\Windows\System\PNTFJdQ.exe
  C:\Windows\System\PNTFJdQ.exe
  2⤵
  PID:3972
- C:\Windows\System\YYZLUqU.exe
  C:\Windows\System\YYZLUqU.exe
  2⤵
  PID:4080
- C:\Windows\System\xLUbWGP.exe
  C:\Windows\System\xLUbWGP.exe
  2⤵
  PID:1656
- C:\Windows\System\WosYZsT.exe
  C:\Windows\System\WosYZsT.exe
  2⤵
  PID:4088
- C:\Windows\System\sbBNaxS.exe
  C:\Windows\System\sbBNaxS.exe
  2⤵
  PID:5676
- C:\Windows\System\byRGavb.exe
  C:\Windows\System\byRGavb.exe
  2⤵
  PID:4236
- C:\Windows\System\IIUzRzM.exe
  C:\Windows\System\IIUzRzM.exe
  2⤵
  PID:5476
- C:\Windows\System\XxwgVJl.exe
  C:\Windows\System\XxwgVJl.exe
  2⤵
  PID:1592
- C:\Windows\System\NQcTsap.exe
  C:\Windows\System\NQcTsap.exe
  2⤵
  PID:2880
- C:\Windows\System\mcZJnVF.exe
  C:\Windows\System\mcZJnVF.exe
  2⤵
  PID:2120
- C:\Windows\System\Xvbzfey.exe
  C:\Windows\System\Xvbzfey.exe
  2⤵
  PID:2796
- C:\Windows\System\ExKemYI.exe
  C:\Windows\System\ExKemYI.exe
  2⤵
  PID:2352
- C:\Windows\System\WjELTfj.exe
  C:\Windows\System\WjELTfj.exe
  2⤵
  PID:5512
- C:\Windows\System\lVRoUfr.exe
  C:\Windows\System\lVRoUfr.exe
  2⤵
  PID:1672
- C:\Windows\System\EzbuwSS.exe
  C:\Windows\System\EzbuwSS.exe
  2⤵
  PID:5480
- C:\Windows\System\gaNYDoL.exe
  C:\Windows\System\gaNYDoL.exe
  2⤵
  PID:1812
- C:\Windows\System\aLQbqBf.exe
  C:\Windows\System\aLQbqBf.exe
  2⤵
  PID:4836
- C:\Windows\System\SusQksB.exe
  C:\Windows\System\SusQksB.exe
  2⤵
  PID:2060
- C:\Windows\System\prmHsgs.exe
  C:\Windows\System\prmHsgs.exe
  2⤵
  PID:6008
- C:\Windows\System\tQeBgtK.exe
  C:\Windows\System\tQeBgtK.exe
  2⤵
  PID:4684
- C:\Windows\System\JbJSayx.exe
  C:\Windows\System\JbJSayx.exe
  2⤵
  PID:208
- C:\Windows\System\UHyLczv.exe
  C:\Windows\System\UHyLczv.exe
  2⤵
  PID:5408
- C:\Windows\System\NnhGQQF.exe
  C:\Windows\System\NnhGQQF.exe
  2⤵
  PID:4468
- C:\Windows\System\MHjorwe.exe
  C:\Windows\System\MHjorwe.exe
  2⤵
  PID:4824
- C:\Windows\System\BmyFvDr.exe
  C:\Windows\System\BmyFvDr.exe
  2⤵
  PID:4044
- C:\Windows\System\rGxZyLS.exe
  C:\Windows\System\rGxZyLS.exe
  2⤵
  PID:5520
- C:\Windows\System\Scfajps.exe
  C:\Windows\System\Scfajps.exe
  2⤵
  PID:5492
- C:\Windows\System\Ykjywzj.exe
  C:\Windows\System\Ykjywzj.exe
  2⤵
  PID:1360
- C:\Windows\System\ySPOZCb.exe
  C:\Windows\System\ySPOZCb.exe
  2⤵
  PID:2164
- C:\Windows\System\xUddaaQ.exe
  C:\Windows\System\xUddaaQ.exe
  2⤵
  PID:2192
- C:\Windows\System\pXIYmEC.exe
  C:\Windows\System\pXIYmEC.exe
  2⤵
  PID:3424
- C:\Windows\System\vgYwUpU.exe
  C:\Windows\System\vgYwUpU.exe
  2⤵
  PID:2536
- C:\Windows\System\GEUVOXY.exe
  C:\Windows\System\GEUVOXY.exe
  2⤵
  PID:1100
- C:\Windows\System\hZpofam.exe
  C:\Windows\System\hZpofam.exe
  2⤵
  PID:3720
- C:\Windows\System\xTXvHTm.exe
  C:\Windows\System\xTXvHTm.exe
  2⤵
  PID:1708
- C:\Windows\System\FBUkwHu.exe
  C:\Windows\System\FBUkwHu.exe
  2⤵
  PID:1532
- C:\Windows\System\zYscLRl.exe
  C:\Windows\System\zYscLRl.exe
  2⤵
  PID:2744
- C:\Windows\System\RmtmGtZ.exe
  C:\Windows\System\RmtmGtZ.exe
  2⤵
  PID:1380
- C:\Windows\System\lwiufvg.exe
  C:\Windows\System\lwiufvg.exe
  2⤵
  PID:988
- C:\Windows\System\YBGmlNP.exe
  C:\Windows\System\YBGmlNP.exe
  2⤵
  PID:4640
- C:\Windows\System\yeADcJU.exe
  C:\Windows\System\yeADcJU.exe
  2⤵
  PID:4136
- C:\Windows\System\JilTHCF.exe
  C:\Windows\System\JilTHCF.exe
  2⤵
  PID:6048
- C:\Windows\System\NIBYHQk.exe
  C:\Windows\System\NIBYHQk.exe
  2⤵
  PID:1944
- C:\Windows\System\nGwyFoR.exe
  C:\Windows\System\nGwyFoR.exe
  2⤵
  PID:3076
- C:\Windows\System\lGNEtIz.exe
  C:\Windows\System\lGNEtIz.exe
  2⤵
  PID:1192
- C:\Windows\System\WblbNeT.exe
  C:\Windows\System\WblbNeT.exe
  2⤵
  PID:1284
- C:\Windows\System\WobfmeW.exe
  C:\Windows\System\WobfmeW.exe
  2⤵
  PID:2212
- C:\Windows\System\IAOZQdI.exe
  C:\Windows\System\IAOZQdI.exe
  2⤵
  PID:3428
- C:\Windows\System\kcCaKpN.exe
  C:\Windows\System\kcCaKpN.exe
  2⤵
  PID:3492
- C:\Windows\System\bRgrGoV.exe
  C:\Windows\System\bRgrGoV.exe
  2⤵
  PID:4400
- C:\Windows\System\gEBqTkr.exe
  C:\Windows\System\gEBqTkr.exe
  2⤵
  PID:4048
- C:\Windows\System\fvlunFm.exe
  C:\Windows\System\fvlunFm.exe
  2⤵
  PID:4348
- C:\Windows\System\BakxTOC.exe
  C:\Windows\System\BakxTOC.exe
  2⤵
  PID:2056
- C:\Windows\System\KcqHMcG.exe
  C:\Windows\System\KcqHMcG.exe
  2⤵
  PID:5032
- C:\Windows\System\QiVJLFl.exe
  C:\Windows\System\QiVJLFl.exe
  2⤵
  PID:4996
- C:\Windows\System\jImVNIf.exe
  C:\Windows\System\jImVNIf.exe
  2⤵
  PID:2716
- C:\Windows\System\nYPHOhk.exe
  C:\Windows\System\nYPHOhk.exe
  2⤵
  PID:3788
- C:\Windows\System\ZyWTQCn.exe
  C:\Windows\System\ZyWTQCn.exe
  2⤵
  PID:4028
- C:\Windows\System\xTydIrs.exe
  C:\Windows\System\xTydIrs.exe
  2⤵
  PID:4016
- C:\Windows\System\ItazdVH.exe
  C:\Windows\System\ItazdVH.exe
  2⤵
  PID:116
- C:\Windows\System\LrbQlAm.exe
  C:\Windows\System\LrbQlAm.exe
  2⤵
  PID:1128
- C:\Windows\System\EGOwoIM.exe
  C:\Windows\System\EGOwoIM.exe
  2⤵
  PID:3440
- C:\Windows\System\WqVYeej.exe
  C:\Windows\System\WqVYeej.exe
  2⤵
  PID:3896
- C:\Windows\System\mtHvfIE.exe
  C:\Windows\System\mtHvfIE.exe
  2⤵
  PID:5552
- C:\Windows\System\sEsEBJc.exe
  C:\Windows\System\sEsEBJc.exe
  2⤵
  PID:6044
- C:\Windows\System\dQwvndo.exe
  C:\Windows\System\dQwvndo.exe
  2⤵
  PID:1036
- C:\Windows\System\dfPACcq.exe
  C:\Windows\System\dfPACcq.exe
  2⤵
  PID:1808
- C:\Windows\System\RZblqhK.exe
  C:\Windows\System\RZblqhK.exe
  2⤵
  PID:3680
- C:\Windows\System\VFFYheQ.exe
  C:\Windows\System\VFFYheQ.exe
  2⤵
  PID:4184
- C:\Windows\System\HkYIlGU.exe
  C:\Windows\System\HkYIlGU.exe
  2⤵
  PID:2608
- C:\Windows\System\RKHwmXT.exe
  C:\Windows\System\RKHwmXT.exe
  2⤵
  PID:5688
- C:\Windows\System\PEfHZMM.exe
  C:\Windows\System\PEfHZMM.exe
  2⤵
  PID:4120
- C:\Windows\System\dGPwLsg.exe
  C:\Windows\System\dGPwLsg.exe
  2⤵
  PID:3224
- C:\Windows\System\NzdPXQf.exe
  C:\Windows\System\NzdPXQf.exe
  2⤵
  PID:5848
- C:\Windows\System\dZsPkdh.exe
  C:\Windows\System\dZsPkdh.exe
  2⤵
  PID:6112
- C:\Windows\System\UQpErhM.exe
  C:\Windows\System\UQpErhM.exe
  2⤵
  PID:3144
- C:\Windows\System\zaUEpjP.exe
  C:\Windows\System\zaUEpjP.exe
  2⤵
  PID:2812
- C:\Windows\System\rxXYQWQ.exe
  C:\Windows\System\rxXYQWQ.exe
  2⤵
  PID:4688
- C:\Windows\System\EIcprgA.exe
  C:\Windows\System\EIcprgA.exe
  2⤵
  PID:6148
- C:\Windows\System\MdBrKml.exe
  C:\Windows\System\MdBrKml.exe
  2⤵
  PID:6176
- C:\Windows\System\zcfjeBU.exe
  C:\Windows\System\zcfjeBU.exe
  2⤵
  PID:6204
- C:\Windows\System\InTqPYD.exe
  C:\Windows\System\InTqPYD.exe
  2⤵
  PID:6240
- C:\Windows\System\YXJJyjn.exe
  C:\Windows\System\YXJJyjn.exe
  2⤵
  PID:6268
- C:\Windows\System\SccAoOs.exe
  C:\Windows\System\SccAoOs.exe
  2⤵
  PID:6296
- C:\Windows\System\hyinjAY.exe
  C:\Windows\System\hyinjAY.exe
  2⤵
  PID:6348
- C:\Windows\System\sFvfdKo.exe
  C:\Windows\System\sFvfdKo.exe
  2⤵
  PID:6380
- C:\Windows\System\UdbBAdd.exe
  C:\Windows\System\UdbBAdd.exe
  2⤵
  PID:6420
- C:\Windows\System\iKjsQsA.exe
  C:\Windows\System\iKjsQsA.exe
  2⤵
  PID:6460
- C:\Windows\System\agEcZVf.exe
  C:\Windows\System\agEcZVf.exe
  2⤵
  PID:6480
- C:\Windows\System\igsvsGB.exe
  C:\Windows\System\igsvsGB.exe
  2⤵
  PID:6524
- C:\Windows\System\dNousXF.exe
  C:\Windows\System\dNousXF.exe
  2⤵
  PID:6544
- C:\Windows\System\nMuglyW.exe
  C:\Windows\System\nMuglyW.exe
  2⤵
  PID:6572
- C:\Windows\System\fTbqWkc.exe
  C:\Windows\System\fTbqWkc.exe
  2⤵
  PID:6604
- C:\Windows\System\GbYivZN.exe
  C:\Windows\System\GbYivZN.exe
  2⤵
  PID:6628
- C:\Windows\System\pHHbrmt.exe
  C:\Windows\System\pHHbrmt.exe
  2⤵
  PID:6652
- C:\Windows\System\vsKNOwB.exe
  C:\Windows\System\vsKNOwB.exe
  2⤵
  PID:6680
- C:\Windows\System\xSUjORn.exe
  C:\Windows\System\xSUjORn.exe
  2⤵
  PID:6712
- C:\Windows\System\iUJJLME.exe
  C:\Windows\System\iUJJLME.exe
  2⤵
  PID:6732
- C:\Windows\System\RAGrkkP.exe
  C:\Windows\System\RAGrkkP.exe
  2⤵
  PID:6768
- C:\Windows\System\NkpauOn.exe
  C:\Windows\System\NkpauOn.exe
  2⤵
  PID:6800
- C:\Windows\System\SGuZlqO.exe
  C:\Windows\System\SGuZlqO.exe
  2⤵
  PID:6832
- C:\Windows\System\vjexzIh.exe
  C:\Windows\System\vjexzIh.exe
  2⤵
  PID:6864
- C:\Windows\System\TIdwRCN.exe
  C:\Windows\System\TIdwRCN.exe
  2⤵
  PID:6896
- C:\Windows\System\gmAgljj.exe
  C:\Windows\System\gmAgljj.exe
  2⤵
  PID:6932
- C:\Windows\System\fxoeUaF.exe
  C:\Windows\System\fxoeUaF.exe
  2⤵
  PID:6960
- C:\Windows\System\GFZQaHL.exe
  C:\Windows\System\GFZQaHL.exe
  2⤵
  PID:6988
- C:\Windows\System\nWYmfjJ.exe
  C:\Windows\System\nWYmfjJ.exe
  2⤵
  PID:7020
- C:\Windows\System\VepgVjJ.exe
  C:\Windows\System\VepgVjJ.exe
  2⤵
  PID:7048
- C:\Windows\System\ZruZUus.exe
  C:\Windows\System\ZruZUus.exe
  2⤵
  PID:7088
- C:\Windows\System\YbXbirO.exe
  C:\Windows\System\YbXbirO.exe
  2⤵
  PID:7120
- C:\Windows\System\UFDYYmB.exe
  C:\Windows\System\UFDYYmB.exe
  2⤵
  PID:7164
- C:\Windows\System\OuUWZqc.exe
  C:\Windows\System\OuUWZqc.exe
  2⤵
  PID:6172
- C:\Windows\System\EBERdKB.exe
  C:\Windows\System\EBERdKB.exe
  2⤵
  PID:6220
- C:\Windows\System\tcINavt.exe
  C:\Windows\System\tcINavt.exe
  2⤵
  PID:6284
- C:\Windows\System\eFhPilS.exe
  C:\Windows\System\eFhPilS.exe
  2⤵
  PID:3900
- C:\Windows\System\QCYdFZF.exe
  C:\Windows\System\QCYdFZF.exe
  2⤵
  PID:6492
- C:\Windows\System\fsQMjgo.exe
  C:\Windows\System\fsQMjgo.exe
  2⤵
  PID:6564
- C:\Windows\System\seFYfJa.exe
  C:\Windows\System\seFYfJa.exe
  2⤵
  PID:6636
- C:\Windows\System\bWsMcRT.exe
  C:\Windows\System\bWsMcRT.exe
  2⤵
  PID:6700
- C:\Windows\System\BQOxqNu.exe
  C:\Windows\System\BQOxqNu.exe
  2⤵
  PID:6740
- C:\Windows\System\owmzujK.exe
  C:\Windows\System\owmzujK.exe
  2⤵
  PID:6788
- C:\Windows\System\CAgAGea.exe
  C:\Windows\System\CAgAGea.exe
  2⤵
  PID:6848
- C:\Windows\System\JotCAVT.exe
  C:\Windows\System\JotCAVT.exe
  2⤵
  PID:6928
- C:\Windows\System\sKUTueO.exe
  C:\Windows\System\sKUTueO.exe
  2⤵
  PID:7008
- C:\Windows\System\guerTkJ.exe
  C:\Windows\System\guerTkJ.exe
  2⤵
  PID:7104
- C:\Windows\System\ZTecOpi.exe
  C:\Windows\System\ZTecOpi.exe
  2⤵
  PID:4372
- C:\Windows\System\hubKfNH.exe
  C:\Windows\System\hubKfNH.exe
  2⤵
  PID:6228
- C:\Windows\System\YUXiLKk.exe
  C:\Windows\System\YUXiLKk.exe
  2⤵
  PID:6388
- C:\Windows\System\GDuqxLH.exe
  C:\Windows\System\GDuqxLH.exe
  2⤵
  PID:6532
- C:\Windows\System\LJeSAOb.exe
  C:\Windows\System\LJeSAOb.exe
  2⤵
  PID:6752
- C:\Windows\System\JKOcdsE.exe
  C:\Windows\System\JKOcdsE.exe
  2⤵
  PID:6944
- C:\Windows\System\aSwQCgO.exe
  C:\Windows\System\aSwQCgO.exe
  2⤵
  PID:7160
- C:\Windows\System\FTUfCLo.exe
  C:\Windows\System\FTUfCLo.exe
  2⤵
  PID:6320
- C:\Windows\System\zUvuJpj.exe
  C:\Windows\System\zUvuJpj.exe
  2⤵
  PID:6924
- C:\Windows\System\fwofZKq.exe
  C:\Windows\System\fwofZKq.exe
  2⤵
  PID:6196
- C:\Windows\System\qKSOWUR.exe
  C:\Windows\System\qKSOWUR.exe
  2⤵
  PID:7184
- C:\Windows\System\CIcMVQH.exe
  C:\Windows\System\CIcMVQH.exe
  2⤵
  PID:7204
- C:\Windows\System\MvwOKHp.exe
  C:\Windows\System\MvwOKHp.exe
  2⤵
  PID:7228
- C:\Windows\System\ByZWSNx.exe
  C:\Windows\System\ByZWSNx.exe
  2⤵
  PID:7252
- C:\Windows\System\okepOtZ.exe
  C:\Windows\System\okepOtZ.exe
  2⤵
  PID:7284
- C:\Windows\System\udxMEHV.exe
  C:\Windows\System\udxMEHV.exe
  2⤵
  PID:7316
- C:\Windows\System\BTichlE.exe
  C:\Windows\System\BTichlE.exe
  2⤵
  PID:7336
- C:\Windows\System\qKuJcwv.exe
  C:\Windows\System\qKuJcwv.exe
  2⤵
  PID:7372
- C:\Windows\System\DOluGDc.exe
  C:\Windows\System\DOluGDc.exe
  2⤵
  PID:7412
- C:\Windows\System\eGhJYPk.exe
  C:\Windows\System\eGhJYPk.exe
  2⤵
  PID:7428
- C:\Windows\System\LIUNAio.exe
  C:\Windows\System\LIUNAio.exe
  2⤵
  PID:7460
- C:\Windows\System\bCReCHA.exe
  C:\Windows\System\bCReCHA.exe
  2⤵
  PID:7484
- C:\Windows\System\MtNkQRu.exe
  C:\Windows\System\MtNkQRu.exe
  2⤵
  PID:7512
- C:\Windows\System\lEEYeaN.exe
  C:\Windows\System\lEEYeaN.exe
  2⤵
  PID:7552
- C:\Windows\System\bXwzbXo.exe
  C:\Windows\System\bXwzbXo.exe
  2⤵
  PID:7588
- C:\Windows\System\ffsxrEb.exe
  C:\Windows\System\ffsxrEb.exe
  2⤵
  PID:7628
- C:\Windows\System\QIfUPQZ.exe
  C:\Windows\System\QIfUPQZ.exe
  2⤵
  PID:7656
- C:\Windows\System\VeUAPWo.exe
  C:\Windows\System\VeUAPWo.exe
  2⤵
  PID:7688
- C:\Windows\System\GfZDqEI.exe
  C:\Windows\System\GfZDqEI.exe
  2⤵
  PID:7720
- C:\Windows\System\bIFJjao.exe
  C:\Windows\System\bIFJjao.exe
  2⤵
  PID:7744
- C:\Windows\System\uCnuZoe.exe
  C:\Windows\System\uCnuZoe.exe
  2⤵
  PID:7776
- C:\Windows\System\YDGdsDY.exe
  C:\Windows\System\YDGdsDY.exe
  2⤵
  PID:7812
- C:\Windows\System\mJTrqIs.exe
  C:\Windows\System\mJTrqIs.exe
  2⤵
  PID:7836
- C:\Windows\System\fwFYYak.exe
  C:\Windows\System\fwFYYak.exe
  2⤵
  PID:7864
- C:\Windows\System\lCMaEjR.exe
  C:\Windows\System\lCMaEjR.exe
  2⤵
  PID:7896
- C:\Windows\System\KhSPNRX.exe
  C:\Windows\System\KhSPNRX.exe
  2⤵
  PID:7928
- C:\Windows\System\JPXAedG.exe
  C:\Windows\System\JPXAedG.exe
  2⤵
  PID:7976
- C:\Windows\System\gElEnNh.exe
  C:\Windows\System\gElEnNh.exe
  2⤵
  PID:7996
- C:\Windows\System\eHXOcVt.exe
  C:\Windows\System\eHXOcVt.exe
  2⤵
  PID:8020
- C:\Windows\System\bXMlgYG.exe
  C:\Windows\System\bXMlgYG.exe
  2⤵
  PID:8044
- C:\Windows\System\HnrlKMz.exe
  C:\Windows\System\HnrlKMz.exe
  2⤵
  PID:8080
- C:\Windows\System\CFToicu.exe
  C:\Windows\System\CFToicu.exe
  2⤵
  PID:8108
- C:\Windows\System\apPbHhJ.exe
  C:\Windows\System\apPbHhJ.exe
  2⤵
  PID:8156
- C:\Windows\System\VGKOUmO.exe
  C:\Windows\System\VGKOUmO.exe
  2⤵
  PID:8172
- C:\Windows\System\woymBjN.exe
  C:\Windows\System\woymBjN.exe
  2⤵
  PID:7200
- C:\Windows\System\NyznXPx.exe
  C:\Windows\System\NyznXPx.exe
  2⤵
  PID:7224
- C:\Windows\System\xWVfAMm.exe
  C:\Windows\System\xWVfAMm.exe
  2⤵
  PID:7312
- C:\Windows\System\MPyNztv.exe
  C:\Windows\System\MPyNztv.exe
  2⤵
  PID:7332
- C:\Windows\System\hvGvbQu.exe
  C:\Windows\System\hvGvbQu.exe
  2⤵
  PID:7420
- C:\Windows\System\wDlExTL.exe
  C:\Windows\System\wDlExTL.exe
  2⤵
  PID:7524
- C:\Windows\System\efKCskH.exe
  C:\Windows\System\efKCskH.exe
  2⤵
  PID:7192
- C:\Windows\System\JQhendW.exe
  C:\Windows\System\JQhendW.exe
  2⤵
  PID:7664
- C:\Windows\System\drKylAZ.exe
  C:\Windows\System\drKylAZ.exe
  2⤵
  PID:7736
- C:\Windows\System\EtGpink.exe
  C:\Windows\System\EtGpink.exe
  2⤵
  PID:7764
- C:\Windows\System\KCCKLQp.exe
  C:\Windows\System\KCCKLQp.exe
  2⤵
  PID:7844
- C:\Windows\System\EZnGIqD.exe
  C:\Windows\System\EZnGIqD.exe
  2⤵
  PID:7916
- C:\Windows\System\YvUWAZR.exe
  C:\Windows\System\YvUWAZR.exe
  2⤵
  PID:7952
- C:\Windows\System\wvWJtwb.exe
  C:\Windows\System\wvWJtwb.exe
  2⤵
  PID:8012
- C:\Windows\System\KvRMVok.exe
  C:\Windows\System\KvRMVok.exe
  2⤵
  PID:8104
- C:\Windows\System\LBHodXR.exe
  C:\Windows\System\LBHodXR.exe
  2⤵
  PID:8128
- C:\Windows\System\NrkWjtm.exe
  C:\Windows\System\NrkWjtm.exe
  2⤵
  PID:7196
- C:\Windows\System\NCELlxW.exe
  C:\Windows\System\NCELlxW.exe
  2⤵
  PID:7396
- C:\Windows\System\yjEdKdu.exe
  C:\Windows\System\yjEdKdu.exe
  2⤵
  PID:7564
- C:\Windows\System\UvKeGRq.exe
  C:\Windows\System\UvKeGRq.exe
  2⤵
  PID:7732
- C:\Windows\System\ZCBVlqK.exe
  C:\Windows\System\ZCBVlqK.exe
  2⤵
  PID:7820
- C:\Windows\System\tHIqDia.exe
  C:\Windows\System\tHIqDia.exe
  2⤵
  PID:7984
- C:\Windows\System\kdDMERj.exe
  C:\Windows\System\kdDMERj.exe
  2⤵
  PID:8152
- C:\Windows\System\ZmTlgJf.exe
  C:\Windows\System\ZmTlgJf.exe
  2⤵
  PID:7356
- C:\Windows\System\FzxqNGz.exe
  C:\Windows\System\FzxqNGz.exe
  2⤵
  PID:7680
- C:\Windows\System\cnptoQH.exe
  C:\Windows\System\cnptoQH.exe
  2⤵
  PID:8052
- C:\Windows\System\HAwoZVR.exe
  C:\Windows\System\HAwoZVR.exe
  2⤵
  PID:6408
- C:\Windows\System\UWEVLli.exe
  C:\Windows\System\UWEVLli.exe
  2⤵
  PID:7964
- C:\Windows\System\NPmDelk.exe
  C:\Windows\System\NPmDelk.exe
  2⤵
  PID:8200
- C:\Windows\System\zPnTUUJ.exe
  C:\Windows\System\zPnTUUJ.exe
  2⤵
  PID:8228
- C:\Windows\System\oPwgAZA.exe
  C:\Windows\System\oPwgAZA.exe
  2⤵
  PID:8260
- C:\Windows\System\IjzAlPy.exe
  C:\Windows\System\IjzAlPy.exe
  2⤵
  PID:8288
- C:\Windows\System\lfobovb.exe
  C:\Windows\System\lfobovb.exe
  2⤵
  PID:8312
- C:\Windows\System\gJaphto.exe
  C:\Windows\System\gJaphto.exe
  2⤵
  PID:8344
- C:\Windows\System\mgkbdUV.exe
  C:\Windows\System\mgkbdUV.exe
  2⤵
  PID:8364
- C:\Windows\System\NupQoAd.exe
  C:\Windows\System\NupQoAd.exe
  2⤵
  PID:8396
- C:\Windows\System\FEErUIt.exe
  C:\Windows\System\FEErUIt.exe
  2⤵
  PID:8428
- C:\Windows\System\QcocNjF.exe
  C:\Windows\System\QcocNjF.exe
  2⤵
  PID:8456
- C:\Windows\System\ZmlskOh.exe
  C:\Windows\System\ZmlskOh.exe
  2⤵
  PID:8484
- C:\Windows\System\dhgoSsx.exe
  C:\Windows\System\dhgoSsx.exe
  2⤵
  PID:8504
- C:\Windows\System\PafzlDu.exe
  C:\Windows\System\PafzlDu.exe
  2⤵
  PID:8540
- C:\Windows\System\MzSDOHD.exe
  C:\Windows\System\MzSDOHD.exe
  2⤵
  PID:8564
- C:\Windows\System\jPQGyYT.exe
  C:\Windows\System\jPQGyYT.exe
  2⤵
  PID:8592
- C:\Windows\System\AIirptT.exe
  C:\Windows\System\AIirptT.exe
  2⤵
  PID:8624
- C:\Windows\System\RidOSgB.exe
  C:\Windows\System\RidOSgB.exe
  2⤵
  PID:8652
- C:\Windows\System\QKTemGc.exe
  C:\Windows\System\QKTemGc.exe
  2⤵
  PID:8680
- C:\Windows\System\ZUuTeZT.exe
  C:\Windows\System\ZUuTeZT.exe
  2⤵
  PID:8712
- C:\Windows\System\EhnHUCR.exe
  C:\Windows\System\EhnHUCR.exe
  2⤵
  PID:8740
- C:\Windows\System\rSwovlD.exe
  C:\Windows\System\rSwovlD.exe
  2⤵
  PID:8772
- C:\Windows\System\IKSEmNl.exe
  C:\Windows\System\IKSEmNl.exe
  2⤵
  PID:8828
- C:\Windows\System\qvXDFwR.exe
  C:\Windows\System\qvXDFwR.exe
  2⤵
  PID:8856
- C:\Windows\System\nWODIyO.exe
  C:\Windows\System\nWODIyO.exe
  2⤵
  PID:8880
- C:\Windows\System\tlfnNQV.exe
  C:\Windows\System\tlfnNQV.exe
  2⤵
  PID:8896
- C:\Windows\System\iFwTsRM.exe
  C:\Windows\System\iFwTsRM.exe
  2⤵
  PID:8916
- C:\Windows\System\bHuyQCr.exe
  C:\Windows\System\bHuyQCr.exe
  2⤵
  PID:8948
- C:\Windows\System\ctqZQLL.exe
  C:\Windows\System\ctqZQLL.exe
  2⤵
  PID:8988
- C:\Windows\System\EHMNNhA.exe
  C:\Windows\System\EHMNNhA.exe
  2⤵
  PID:9032
- C:\Windows\System\fjkwjwW.exe
  C:\Windows\System\fjkwjwW.exe
  2⤵
  PID:9060
- C:\Windows\System\FDbfImr.exe
  C:\Windows\System\FDbfImr.exe
  2⤵
  PID:9092
- C:\Windows\System\wGKlPuD.exe
  C:\Windows\System\wGKlPuD.exe
  2⤵
  PID:9120
- C:\Windows\System\wtUQxQv.exe
  C:\Windows\System\wtUQxQv.exe
  2⤵
  PID:9148
- C:\Windows\System\iaslKBL.exe
  C:\Windows\System\iaslKBL.exe
  2⤵
  PID:9176
- C:\Windows\System\bPStFId.exe
  C:\Windows\System\bPStFId.exe
  2⤵
  PID:9200
- C:\Windows\System\nnufiYb.exe
  C:\Windows\System\nnufiYb.exe
  2⤵
  PID:8236
- C:\Windows\System\oVWFqtr.exe
  C:\Windows\System\oVWFqtr.exe
  2⤵
  PID:8272
- C:\Windows\System\eROXNAq.exe
  C:\Windows\System\eROXNAq.exe
  2⤵
  PID:8352
- C:\Windows\System\ZDXQGoW.exe
  C:\Windows\System\ZDXQGoW.exe
  2⤵
  PID:8448
- C:\Windows\System\eJjosxc.exe
  C:\Windows\System\eJjosxc.exe
  2⤵
  PID:8528
- C:\Windows\System\JxoqGmB.exe
  C:\Windows\System\JxoqGmB.exe
  2⤵
  PID:8612
- C:\Windows\System\NVdtNIl.exe
  C:\Windows\System\NVdtNIl.exe
  2⤵
  PID:8732
- C:\Windows\System\OeYjczP.exe
  C:\Windows\System\OeYjczP.exe
  2⤵
  PID:8812
- C:\Windows\System\PXXoAjn.exe
  C:\Windows\System\PXXoAjn.exe
  2⤵
  PID:8800
- C:\Windows\System\eDaUvVp.exe
  C:\Windows\System\eDaUvVp.exe
  2⤵
  PID:8808
- C:\Windows\System\VjOVrGF.exe
  C:\Windows\System\VjOVrGF.exe
  2⤵
  PID:8928
- C:\Windows\System\RiiVjFx.exe
  C:\Windows\System\RiiVjFx.exe
  2⤵
  PID:8996
- C:\Windows\System\VlPMGax.exe
  C:\Windows\System\VlPMGax.exe
  2⤵
  PID:9080
- C:\Windows\System\geTPKKG.exe
  C:\Windows\System\geTPKKG.exe
  2⤵
  PID:9132
- C:\Windows\System\ZYSAVxy.exe
  C:\Windows\System\ZYSAVxy.exe
  2⤵
  PID:9192
- C:\Windows\System\rhlnNHz.exe
  C:\Windows\System\rhlnNHz.exe
  2⤵
  PID:8372
- C:\Windows\System\TKzXbuY.exe
  C:\Windows\System\TKzXbuY.exe
  2⤵
  PID:8804
- C:\Windows\System\JHGWYjp.exe
  C:\Windows\System\JHGWYjp.exe
  2⤵
  PID:8836
- C:\Windows\System\gsXrLIS.exe
  C:\Windows\System\gsXrLIS.exe
  2⤵
  PID:9012
- C:\Windows\System\FRXgtyh.exe
  C:\Windows\System\FRXgtyh.exe
  2⤵
  PID:9168
- C:\Windows\System\grllqKF.exe
  C:\Windows\System\grllqKF.exe
  2⤵
  PID:8276
- C:\Windows\System\cQIxZog.exe
  C:\Windows\System\cQIxZog.exe
  2⤵
  PID:8500
- C:\Windows\System\eJmTyqV.exe
  C:\Windows\System\eJmTyqV.exe
  2⤵
  PID:9112
- C:\Windows\System\PBTCzJk.exe
  C:\Windows\System\PBTCzJk.exe
  2⤵
  PID:8332
- C:\Windows\System\GGSdRFb.exe
  C:\Windows\System\GGSdRFb.exe
  2⤵
  PID:9140
- C:\Windows\System\OFfPBpX.exe
  C:\Windows\System\OFfPBpX.exe
  2⤵
  PID:8252
- C:\Windows\System\mrZcggV.exe
  C:\Windows\System\mrZcggV.exe
  2⤵
  PID:9236
- C:\Windows\System\KSlaXtd.exe
  C:\Windows\System\KSlaXtd.exe
  2⤵
  PID:9280
- C:\Windows\System\flwepXD.exe
  C:\Windows\System\flwepXD.exe
  2⤵
  PID:9312
- C:\Windows\System\XJZMQRo.exe
  C:\Windows\System\XJZMQRo.exe
  2⤵
  PID:9336
- C:\Windows\System\wGkpWMs.exe
  C:\Windows\System\wGkpWMs.exe
  2⤵
  PID:9364
- C:\Windows\System\VSnyvCV.exe
  C:\Windows\System\VSnyvCV.exe
  2⤵
  PID:9396
- C:\Windows\System\TzAnFYF.exe
  C:\Windows\System\TzAnFYF.exe
  2⤵
  PID:9432
- C:\Windows\System\jzvllDB.exe
  C:\Windows\System\jzvllDB.exe
  2⤵
  PID:9464
- C:\Windows\System\nMLjNSU.exe
  C:\Windows\System\nMLjNSU.exe
  2⤵
  PID:9492
- C:\Windows\System\FhxqbRi.exe
  C:\Windows\System\FhxqbRi.exe
  2⤵
  PID:9524
- C:\Windows\System\bVSHqSA.exe
  C:\Windows\System\bVSHqSA.exe
  2⤵
  PID:9548
- C:\Windows\System\tPCWvJx.exe
  C:\Windows\System\tPCWvJx.exe
  2⤵
  PID:9588
- C:\Windows\System\cXXzFJg.exe
  C:\Windows\System\cXXzFJg.exe
  2⤵
  PID:9616
- C:\Windows\System\KFVmitF.exe
  C:\Windows\System\KFVmitF.exe
  2⤵
  PID:9644
- C:\Windows\System\OdKpqna.exe
  C:\Windows\System\OdKpqna.exe
  2⤵
  PID:9664
- C:\Windows\System\hEECUSw.exe
  C:\Windows\System\hEECUSw.exe
  2⤵
  PID:9700
- C:\Windows\System\dnCYkAw.exe
  C:\Windows\System\dnCYkAw.exe
  2⤵
  PID:9728
- C:\Windows\System\byNKUpZ.exe
  C:\Windows\System\byNKUpZ.exe
  2⤵
  PID:9756
- C:\Windows\System\SUYviwo.exe
  C:\Windows\System\SUYviwo.exe
  2⤵
  PID:9784
- C:\Windows\System\OBGQqtR.exe
  C:\Windows\System\OBGQqtR.exe
  2⤵
  PID:9812
- C:\Windows\System\eGfunDJ.exe
  C:\Windows\System\eGfunDJ.exe
  2⤵
  PID:9840
- C:\Windows\System\NTKFqCQ.exe
  C:\Windows\System\NTKFqCQ.exe
  2⤵
  PID:9868
- C:\Windows\System\NBDPzsj.exe
  C:\Windows\System\NBDPzsj.exe
  2⤵
  PID:9896
- C:\Windows\System\VOCXqEC.exe
  C:\Windows\System\VOCXqEC.exe
  2⤵
  PID:9924
- C:\Windows\System\QHHuWNI.exe
  C:\Windows\System\QHHuWNI.exe
  2⤵
  PID:9952
- C:\Windows\System\zSIljHB.exe
  C:\Windows\System\zSIljHB.exe
  2⤵
  PID:9980
- C:\Windows\System\OHdqoWG.exe
  C:\Windows\System\OHdqoWG.exe
  2⤵
  PID:10020
- C:\Windows\System\kMWLWQl.exe
  C:\Windows\System\kMWLWQl.exe
  2⤵
  PID:10048
- C:\Windows\System\WXSbCGD.exe
  C:\Windows\System\WXSbCGD.exe
  2⤵
  PID:10076
- C:\Windows\System\smwWpev.exe
  C:\Windows\System\smwWpev.exe
  2⤵
  PID:10104
- C:\Windows\System\HekMxlr.exe
  C:\Windows\System\HekMxlr.exe
  2⤵
  PID:10132
- C:\Windows\System\xwLDuLW.exe
  C:\Windows\System\xwLDuLW.exe
  2⤵
  PID:10164
- C:\Windows\System\ENbrguh.exe
  C:\Windows\System\ENbrguh.exe
  2⤵
  PID:10212
- C:\Windows\System\gYeSopl.exe
  C:\Windows\System\gYeSopl.exe
  2⤵
  PID:10232
- C:\Windows\System\IIAdEkm.exe
  C:\Windows\System\IIAdEkm.exe
  2⤵
  PID:9224
- C:\Windows\System\HyVqSNG.exe
  C:\Windows\System\HyVqSNG.exe
  2⤵
  PID:9300
- C:\Windows\System\YACwGcQ.exe
  C:\Windows\System\YACwGcQ.exe
  2⤵
  PID:9352
- C:\Windows\System\MUxedrf.exe
  C:\Windows\System\MUxedrf.exe
  2⤵
  PID:9392
- C:\Windows\System\LpcvQMM.exe
  C:\Windows\System\LpcvQMM.exe
  2⤵
  PID:9480
- C:\Windows\System\wWgnbVi.exe
  C:\Windows\System\wWgnbVi.exe
  2⤵
  PID:9544
- C:\Windows\System\yOtwHRq.exe
  C:\Windows\System\yOtwHRq.exe
  2⤵
  PID:9632
- C:\Windows\System\DQLyrLD.exe
  C:\Windows\System\DQLyrLD.exe
  2⤵
  PID:9696
- C:\Windows\System\sKoMSRo.exe
  C:\Windows\System\sKoMSRo.exe
  2⤵
  PID:9776
- C:\Windows\System\cqzhWgK.exe
  C:\Windows\System\cqzhWgK.exe
  2⤵
  PID:9852
- C:\Windows\System\PcocJXs.exe
  C:\Windows\System\PcocJXs.exe
  2⤵
  PID:9916
- C:\Windows\System\tsTSxyi.exe
  C:\Windows\System\tsTSxyi.exe
  2⤵
  PID:9992
- C:\Windows\System\COsgkws.exe
  C:\Windows\System\COsgkws.exe
  2⤵
  PID:10060
- C:\Windows\System\UsoIUrB.exe
  C:\Windows\System\UsoIUrB.exe
  2⤵
  PID:10124
- C:\Windows\System\epOulZf.exe
  C:\Windows\System\epOulZf.exe
  2⤵
  PID:10192
- C:\Windows\System\ifYlWBV.exe
  C:\Windows\System\ifYlWBV.exe
  2⤵
  PID:9244
- C:\Windows\System\JkfxdNt.exe
  C:\Windows\System\JkfxdNt.exe
  2⤵
  PID:9388
- C:\Windows\System\DHKXZcU.exe
  C:\Windows\System\DHKXZcU.exe
  2⤵
  PID:9608
- C:\Windows\System\bOnswNN.exe
  C:\Windows\System\bOnswNN.exe
  2⤵
  PID:9748
- C:\Windows\System\eBtqaWh.exe
  C:\Windows\System\eBtqaWh.exe
  2⤵
  PID:9944
- C:\Windows\System\RkgoRbA.exe
  C:\Windows\System\RkgoRbA.exe
  2⤵
  PID:8580
- C:\Windows\System\lrmQLrQ.exe
  C:\Windows\System\lrmQLrQ.exe
  2⤵
  PID:8784
- C:\Windows\System\hYKISNc.exe
  C:\Windows\System\hYKISNc.exe
  2⤵
  PID:9532
- C:\Windows\System\lonljvZ.exe
  C:\Windows\System\lonljvZ.exe
  2⤵
  PID:10016
- C:\Windows\System\mNJzjJC.exe
  C:\Windows\System\mNJzjJC.exe
  2⤵
  PID:9576
- C:\Windows\System\qYkxrPs.exe
  C:\Windows\System\qYkxrPs.exe
  2⤵
  PID:10200
- C:\Windows\System\MvbeItp.exe
  C:\Windows\System\MvbeItp.exe
  2⤵
  PID:10252
- C:\Windows\System\uEoMCuz.exe
  C:\Windows\System\uEoMCuz.exe
  2⤵
  PID:10280
- C:\Windows\System\HnPjePP.exe
  C:\Windows\System\HnPjePP.exe
  2⤵
  PID:10308
- C:\Windows\System\XIHqQPz.exe
  C:\Windows\System\XIHqQPz.exe
  2⤵
  PID:10336
- C:\Windows\System\SioMpep.exe
  C:\Windows\System\SioMpep.exe
  2⤵
  PID:10352
- C:\Windows\System\WxtOwUd.exe
  C:\Windows\System\WxtOwUd.exe
  2⤵
  PID:10384
- C:\Windows\System\ECQoxGp.exe
  C:\Windows\System\ECQoxGp.exe
  2⤵
  PID:10412
- C:\Windows\System\DpsAjyh.exe
  C:\Windows\System\DpsAjyh.exe
  2⤵
  PID:10436
- C:\Windows\System\GWYQDjX.exe
  C:\Windows\System\GWYQDjX.exe
  2⤵
  PID:10484
- C:\Windows\System\JImTPsM.exe
  C:\Windows\System\JImTPsM.exe
  2⤵
  PID:10508
- C:\Windows\System\YPvXJoE.exe
  C:\Windows\System\YPvXJoE.exe
  2⤵
  PID:10540
- C:\Windows\System\CEgGtJE.exe
  C:\Windows\System\CEgGtJE.exe
  2⤵
  PID:10564
- C:\Windows\System\QcUdrUb.exe
  C:\Windows\System\QcUdrUb.exe
  2⤵
  PID:10588
- C:\Windows\System\CvQHXdv.exe
  C:\Windows\System\CvQHXdv.exe
  2⤵
  PID:10620
- C:\Windows\System\UnXKQkI.exe
  C:\Windows\System\UnXKQkI.exe
  2⤵
  PID:10652
- C:\Windows\System\oxZtXdr.exe
  C:\Windows\System\oxZtXdr.exe
  2⤵
  PID:10696
- C:\Windows\System\UWgpodS.exe
  C:\Windows\System\UWgpodS.exe
  2⤵
  PID:10724
- C:\Windows\System\GnRUuwy.exe
  C:\Windows\System\GnRUuwy.exe
  2⤵
  PID:10752
- C:\Windows\System\gMBsamr.exe
  C:\Windows\System\gMBsamr.exe
  2⤵
  PID:10788
- C:\Windows\System\vrfebsT.exe
  C:\Windows\System\vrfebsT.exe
  2⤵
  PID:10808
- C:\Windows\System\gZWEupg.exe
  C:\Windows\System\gZWEupg.exe
  2⤵
  PID:10836
- C:\Windows\System\oJsbJQH.exe
  C:\Windows\System\oJsbJQH.exe
  2⤵
  PID:10860
- C:\Windows\System\AlSOkpg.exe
  C:\Windows\System\AlSOkpg.exe
  2⤵
  PID:10884
- C:\Windows\System\DmnvgrX.exe
  C:\Windows\System\DmnvgrX.exe
  2⤵
  PID:10920
- C:\Windows\System\ReKfcfC.exe
  C:\Windows\System\ReKfcfC.exe
  2⤵
  PID:10944
- C:\Windows\System\owyckEK.exe
  C:\Windows\System\owyckEK.exe
  2⤵
  PID:10968
- C:\Windows\System\vNqoigc.exe
  C:\Windows\System\vNqoigc.exe
  2⤵
  PID:10996
- C:\Windows\System\VShYVRi.exe
  C:\Windows\System\VShYVRi.exe
  2⤵
  PID:11032
- C:\Windows\System\nbEEMOp.exe
  C:\Windows\System\nbEEMOp.exe
  2⤵
  PID:11068
- C:\Windows\System\ChwANtJ.exe
  C:\Windows\System\ChwANtJ.exe
  2⤵
  PID:11108
- C:\Windows\System\ALpACWo.exe
  C:\Windows\System\ALpACWo.exe
  2⤵
  PID:11152
- C:\Windows\System\tiifIxq.exe
  C:\Windows\System\tiifIxq.exe
  2⤵
  PID:11184
- C:\Windows\System\LCOpken.exe
  C:\Windows\System\LCOpken.exe
  2⤵
  PID:11224
- C:\Windows\System\VsKFbLx.exe
  C:\Windows\System\VsKFbLx.exe
  2⤵
  PID:8768
- C:\Windows\System\XjAhCEn.exe
  C:\Windows\System\XjAhCEn.exe
  2⤵
  PID:10304
- C:\Windows\System\XlwfjkY.exe
  C:\Windows\System\XlwfjkY.exe
  2⤵
  PID:10344
- C:\Windows\System\lxbuqqN.exe
  C:\Windows\System\lxbuqqN.exe
  2⤵
  PID:10392
- C:\Windows\System\INmvbfz.exe
  C:\Windows\System\INmvbfz.exe
  2⤵
  PID:10428
- C:\Windows\System\TwuMqMg.exe
  C:\Windows\System\TwuMqMg.exe
  2⤵
  PID:10532
- C:\Windows\System\NafNbGW.exe
  C:\Windows\System\NafNbGW.exe
  2⤵
  PID:10596
- C:\Windows\System\KGOYsau.exe
  C:\Windows\System\KGOYsau.exe
  2⤵
  PID:10684
- C:\Windows\System\knIMaXL.exe
  C:\Windows\System\knIMaXL.exe
  2⤵
  PID:10772
- C:\Windows\System\EfcYcEh.exe
  C:\Windows\System\EfcYcEh.exe
  2⤵
  PID:10832
- C:\Windows\System\aDDGadU.exe
  C:\Windows\System\aDDGadU.exe
  2⤵
  PID:10876
- C:\Windows\System\dGYALno.exe
  C:\Windows\System\dGYALno.exe
  2⤵
  PID:10964
- C:\Windows\System\iaxmvEg.exe
  C:\Windows\System\iaxmvEg.exe
  2⤵
  PID:11056
- C:\Windows\System\VKIidNd.exe
  C:\Windows\System\VKIidNd.exe
  2⤵
  PID:11116
- C:\Windows\System\vZtbrcF.exe
  C:\Windows\System\vZtbrcF.exe
  2⤵
  PID:11208
- C:\Windows\System\rIUAnor.exe
  C:\Windows\System\rIUAnor.exe
  2⤵
  PID:10320
- C:\Windows\System\jZJSLaO.exe
  C:\Windows\System\jZJSLaO.exe
  2⤵
  PID:10504
- C:\Windows\System\jfKRkgx.exe
  C:\Windows\System\jfKRkgx.exe
  2⤵
  PID:10680
- C:\Windows\System\nBFlpZJ.exe
  C:\Windows\System\nBFlpZJ.exe
  2⤵
  PID:10828
- C:\Windows\System\lorOogH.exe
  C:\Windows\System\lorOogH.exe
  2⤵
  PID:10932
- C:\Windows\System\wEUbZkZ.exe
  C:\Windows\System\wEUbZkZ.exe
  2⤵
  PID:11100
- C:\Windows\System\jVUeden.exe
  C:\Windows\System\jVUeden.exe
  2⤵
  PID:11244
- C:\Windows\System\FcivVnZ.exe
  C:\Windows\System\FcivVnZ.exe
  2⤵
  PID:10584
- C:\Windows\System\fhfavsF.exe
  C:\Windows\System\fhfavsF.exe
  2⤵
  PID:10988
- C:\Windows\System\pMxYUnA.exe
  C:\Windows\System\pMxYUnA.exe
  2⤵
  PID:10408
- C:\Windows\System\zHYihrv.exe
  C:\Windows\System\zHYihrv.exe
  2⤵
  PID:10264
- C:\Windows\System\XXpTCyo.exe
  C:\Windows\System\XXpTCyo.exe
  2⤵
  PID:11292
- C:\Windows\System\SPJHKuc.exe
  C:\Windows\System\SPJHKuc.exe
  2⤵
  PID:11328
- C:\Windows\System\OfmjctF.exe
  C:\Windows\System\OfmjctF.exe
  2⤵
  PID:11356
- C:\Windows\System\PzNVpnl.exe
  C:\Windows\System\PzNVpnl.exe
  2⤵
  PID:11384
- C:\Windows\System\bTQUtWz.exe
  C:\Windows\System\bTQUtWz.exe
  2⤵
  PID:11412
- C:\Windows\System\sWqrimh.exe
  C:\Windows\System\sWqrimh.exe
  2⤵
  PID:11440
- C:\Windows\System\AWYGCPo.exe
  C:\Windows\System\AWYGCPo.exe
  2⤵
  PID:11472
- C:\Windows\System\KRSbfkz.exe
  C:\Windows\System\KRSbfkz.exe
  2⤵
  PID:11500
- C:\Windows\System\VMdbWrM.exe
  C:\Windows\System\VMdbWrM.exe
  2⤵
  PID:11528
- C:\Windows\System\TAzHgnL.exe
  C:\Windows\System\TAzHgnL.exe
  2⤵
  PID:11556
- C:\Windows\System\vZyvEGC.exe
  C:\Windows\System\vZyvEGC.exe
  2⤵
  PID:11584
- C:\Windows\System\pqQZRqe.exe
  C:\Windows\System\pqQZRqe.exe
  2⤵
  PID:11612
- C:\Windows\System\bgIYjEt.exe
  C:\Windows\System\bgIYjEt.exe
  2⤵
  PID:11640
- C:\Windows\System\UjpqXMD.exe
  C:\Windows\System\UjpqXMD.exe
  2⤵
  PID:11668
- C:\Windows\System\QIaUlCt.exe
  C:\Windows\System\QIaUlCt.exe
  2⤵
  PID:11700
- C:\Windows\System\FXsdnLb.exe
  C:\Windows\System\FXsdnLb.exe
  2⤵
  PID:11728
- C:\Windows\System\niXLcRS.exe
  C:\Windows\System\niXLcRS.exe
  2⤵
  PID:11756
- C:\Windows\System\NAZDJaI.exe
  C:\Windows\System\NAZDJaI.exe
  2⤵
  PID:11792
- C:\Windows\System\TuGinkQ.exe
  C:\Windows\System\TuGinkQ.exe
  2⤵
  PID:11812
- C:\Windows\System\xcMJAPL.exe
  C:\Windows\System\xcMJAPL.exe
  2⤵
  PID:11848
- C:\Windows\System\KNIntXb.exe
  C:\Windows\System\KNIntXb.exe
  2⤵
  PID:11876
- C:\Windows\System\aSwkGgB.exe
  C:\Windows\System\aSwkGgB.exe
  2⤵
  PID:11892
- C:\Windows\System\qnWVaxm.exe
  C:\Windows\System\qnWVaxm.exe
  2⤵
  PID:11908
- C:\Windows\System\rtTMRaY.exe
  C:\Windows\System\rtTMRaY.exe
  2⤵
  PID:11924
- C:\Windows\System\zDlFJxZ.exe
  C:\Windows\System\zDlFJxZ.exe
  2⤵
  PID:11964
- C:\Windows\System\TeLACPx.exe
  C:\Windows\System\TeLACPx.exe
  2⤵
  PID:11996
- C:\Windows\System\ytRqhGS.exe
  C:\Windows\System\ytRqhGS.exe
  2⤵
  PID:12028
- C:\Windows\System\kSQhjFl.exe
  C:\Windows\System\kSQhjFl.exe
  2⤵
  PID:12052
- C:\Windows\System\etVVyav.exe
  C:\Windows\System\etVVyav.exe
  2⤵
  PID:12080
- C:\Windows\System\ZHbFkBs.exe
  C:\Windows\System\ZHbFkBs.exe
  2⤵
  PID:12116
- C:\Windows\System\qITeqKT.exe
  C:\Windows\System\qITeqKT.exe
  2⤵
  PID:12152
- C:\Windows\System\aObjUcx.exe
  C:\Windows\System\aObjUcx.exe
  2⤵
  PID:12184
- C:\Windows\System\ZrauHua.exe
  C:\Windows\System\ZrauHua.exe
  2⤵
  PID:12212
- C:\Windows\System\KtZeLYt.exe
  C:\Windows\System\KtZeLYt.exe
  2⤵
  PID:12240
- C:\Windows\System\xIRKZdZ.exe
  C:\Windows\System\xIRKZdZ.exe
  2⤵
  PID:12268
- C:\Windows\System\hBJxJbI.exe
  C:\Windows\System\hBJxJbI.exe
  2⤵
  PID:10800
- C:\Windows\System\aCiCLzO.exe
  C:\Windows\System\aCiCLzO.exe
  2⤵
  PID:11352
- C:\Windows\System\JVUMdUn.exe
  C:\Windows\System\JVUMdUn.exe
  2⤵
  PID:11424
- C:\Windows\System\ElJluNJ.exe
  C:\Windows\System\ElJluNJ.exe
  2⤵
  PID:11492
- C:\Windows\System\MVeEdLb.exe
  C:\Windows\System\MVeEdLb.exe
  2⤵
  PID:11552
- C:\Windows\System\WLHdCrW.exe
  C:\Windows\System\WLHdCrW.exe
  2⤵
  PID:11632
- C:\Windows\System\QjGRFqI.exe
  C:\Windows\System\QjGRFqI.exe
  2⤵
  PID:11740
- C:\Windows\System\OTFlFQd.exe
  C:\Windows\System\OTFlFQd.exe
  2⤵
  PID:11784
- C:\Windows\System\NrcquoM.exe
  C:\Windows\System\NrcquoM.exe
  2⤵
  PID:11804
- C:\Windows\System\OEUKCIZ.exe
  C:\Windows\System\OEUKCIZ.exe
  2⤵
  PID:2624
- C:\Windows\System\pFpyGnb.exe
  C:\Windows\System\pFpyGnb.exe
  2⤵
  PID:11884
- C:\Windows\System\PgXZckl.exe
  C:\Windows\System\PgXZckl.exe
  2⤵
  PID:12004
- C:\Windows\System\yrSWEKT.exe
  C:\Windows\System\yrSWEKT.exe
  2⤵
  PID:11984
- C:\Windows\System\dpJKtrT.exe
  C:\Windows\System\dpJKtrT.exe
  2⤵
  PID:12100
- C:\Windows\System\rVHbYdc.exe
  C:\Windows\System\rVHbYdc.exe
  2⤵
  PID:12144
- C:\Windows\System\qVagPEt.exe
  C:\Windows\System\qVagPEt.exe
  2⤵
  PID:12204
- C:\Windows\System\skNxpyl.exe
  C:\Windows\System\skNxpyl.exe
  2⤵
  PID:12236
- C:\Windows\System\grglVbm.exe
  C:\Windows\System\grglVbm.exe
  2⤵
  PID:11316
- C:\Windows\System\XMPmZIx.exe
  C:\Windows\System\XMPmZIx.exe
  2⤵
  PID:11468
- C:\Windows\System\oMDZHjp.exe
  C:\Windows\System\oMDZHjp.exe
  2⤵
  PID:11748
- C:\Windows\System\UMfIeqS.exe
  C:\Windows\System\UMfIeqS.exe
  2⤵
  PID:11860
- C:\Windows\System\vnLcIxG.exe
  C:\Windows\System\vnLcIxG.exe
  2⤵
  PID:12016
- C:\Windows\System\LyfCxRi.exe
  C:\Windows\System\LyfCxRi.exe
  2⤵
  PID:2904
- C:\Windows\System\neHXfCd.exe
  C:\Windows\System\neHXfCd.exe
  2⤵
  PID:12264
- C:\Windows\System\BlELnPs.exe
  C:\Windows\System\BlELnPs.exe
  2⤵
  PID:11684
- C:\Windows\System\ezhvmKs.exe
  C:\Windows\System\ezhvmKs.exe
  2⤵
  PID:1724
- C:\Windows\System\cIldwBU.exe
  C:\Windows\System\cIldwBU.exe
  2⤵
  PID:1356
- C:\Windows\System\yVWFnvy.exe
  C:\Windows\System\yVWFnvy.exe
  2⤵
  PID:11820
- C:\Windows\System\SWqWpSa.exe
  C:\Windows\System\SWqWpSa.exe
  2⤵
  PID:12060
- C:\Windows\System\CZtwPYb.exe
  C:\Windows\System\CZtwPYb.exe
  2⤵
  PID:12316
- C:\Windows\System\iUQjXzf.exe
  C:\Windows\System\iUQjXzf.exe
  2⤵
  PID:12344
- C:\Windows\System\ELbfNXp.exe
  C:\Windows\System\ELbfNXp.exe
  2⤵
  PID:12372
- C:\Windows\System\sedOBrS.exe
  C:\Windows\System\sedOBrS.exe
  2⤵
  PID:12400
- C:\Windows\System\XknvZyz.exe
  C:\Windows\System\XknvZyz.exe
  2⤵
  PID:12432
- C:\Windows\System\tmbJySt.exe
  C:\Windows\System\tmbJySt.exe
  2⤵
  PID:12460
- C:\Windows\System\hqUecAY.exe
  C:\Windows\System\hqUecAY.exe
  2⤵
  PID:12492
- C:\Windows\System\SvYMeQv.exe
  C:\Windows\System\SvYMeQv.exe
  2⤵
  PID:12520
- C:\Windows\System\MwNpzNY.exe
  C:\Windows\System\MwNpzNY.exe
  2⤵
  PID:12540
- C:\Windows\System\mjPpomn.exe
  C:\Windows\System\mjPpomn.exe
  2⤵
  PID:12576
- C:\Windows\System\pFuyYiW.exe
  C:\Windows\System\pFuyYiW.exe
  2⤵
  PID:12604
- C:\Windows\System\tUNJvCB.exe
  C:\Windows\System\tUNJvCB.exe
  2⤵
  PID:12632
- C:\Windows\System\GOsElai.exe
  C:\Windows\System\GOsElai.exe
  2⤵
  PID:12664
- C:\Windows\System\poNgeMj.exe
  C:\Windows\System\poNgeMj.exe
  2⤵
  PID:12716
- C:\Windows\System\rLpBztQ.exe
  C:\Windows\System\rLpBztQ.exe
  2⤵
  PID:12740
- C:\Windows\System\clDEMEf.exe
  C:\Windows\System\clDEMEf.exe
  2⤵
  PID:12756
- C:\Windows\System\YdYrSJV.exe
  C:\Windows\System\YdYrSJV.exe
  2⤵
  PID:12776
- C:\Windows\System\JyaURZr.exe
  C:\Windows\System\JyaURZr.exe
  2⤵
  PID:12792
- C:\Windows\System\qZBvWpN.exe
  C:\Windows\System\qZBvWpN.exe
  2⤵
  PID:12820
- C:\Windows\System\oUJLoDw.exe
  C:\Windows\System\oUJLoDw.exe
  2⤵
  PID:12864
- C:\Windows\System\bBvpsJB.exe
  C:\Windows\System\bBvpsJB.exe
  2⤵
  PID:12892
- C:\Windows\System\ZbNtkew.exe
  C:\Windows\System\ZbNtkew.exe
  2⤵
  PID:12920
- C:\Windows\System\tdmmUdQ.exe
  C:\Windows\System\tdmmUdQ.exe
  2⤵
  PID:12964
- C:\Windows\System\nqzGzyp.exe
  C:\Windows\System\nqzGzyp.exe
  2⤵
  PID:12996
- C:\Windows\System\QjwsWoT.exe
  C:\Windows\System\QjwsWoT.exe
  2⤵
  PID:13028
- C:\Windows\System\ZqErfix.exe
  C:\Windows\System\ZqErfix.exe
  2⤵
  PID:13056
- C:\Windows\System\hVtOFzc.exe
  C:\Windows\System\hVtOFzc.exe
  2⤵
  PID:13092
- C:\Windows\System\fFHovrc.exe
  C:\Windows\System\fFHovrc.exe
  2⤵
  PID:13120
- C:\Windows\System\RcPWiKN.exe
  C:\Windows\System\RcPWiKN.exe
  2⤵
  PID:13164
- C:\Windows\System\jgmxjpe.exe
  C:\Windows\System\jgmxjpe.exe
  2⤵
  PID:13184
- C:\Windows\System\TrjDWGm.exe
  C:\Windows\System\TrjDWGm.exe
  2⤵
  PID:13220
- C:\Windows\System\qfmQiSf.exe
  C:\Windows\System\qfmQiSf.exe
  2⤵
  PID:13240
- C:\Windows\System\bVyyZNB.exe
  C:\Windows\System\bVyyZNB.exe
  2⤵
  PID:13272
- C:\Windows\System\wZbfrhO.exe
  C:\Windows\System\wZbfrhO.exe
  2⤵
  PID:13300
- C:\Windows\System\SIVIxYR.exe
  C:\Windows\System\SIVIxYR.exe
  2⤵
  PID:12352
- C:\Windows\System\xGVWNFb.exe
  C:\Windows\System\xGVWNFb.exe
  2⤵
  PID:12408
- C:\Windows\System\CRxpTZD.exe
  C:\Windows\System\CRxpTZD.exe
  2⤵
  PID:12484
- C:\Windows\System\QNAKNuP.exe
  C:\Windows\System\QNAKNuP.exe
  2⤵
  PID:12588
- C:\Windows\System\uErLCLk.exe
  C:\Windows\System\uErLCLk.exe
  2⤵
  PID:12680
- C:\Windows\System\vDToIEL.exe
  C:\Windows\System\vDToIEL.exe
  2⤵
  PID:12764
- C:\Windows\System\atsgpJB.exe
  C:\Windows\System\atsgpJB.exe
  2⤵
  PID:12828
- C:\Windows\System\DMKzVPC.exe
  C:\Windows\System\DMKzVPC.exe
  2⤵
  PID:12888
- C:\Windows\System\YuqNijY.exe
  C:\Windows\System\YuqNijY.exe
  2⤵
  PID:12912
- C:\Windows\System\fNyBmYy.exe
  C:\Windows\System\fNyBmYy.exe
  2⤵
  PID:12952
- C:\Windows\System\PJecyOB.exe
  C:\Windows\System\PJecyOB.exe
  2⤵
  PID:13040
- C:\Windows\System\CNdlLOF.exe
  C:\Windows\System\CNdlLOF.exe
  2⤵
  PID:4744
- C:\Windows\System\hReZTpu.exe
  C:\Windows\System\hReZTpu.exe
  2⤵
  PID:13180
- C:\Windows\System\aiPifvE.exe
  C:\Windows\System\aiPifvE.exe
  2⤵
  PID:13236
- C:\Windows\System\wklYXzt.exe
  C:\Windows\System\wklYXzt.exe
  2⤵
  PID:13292
- C:\Windows\System\puPyiJq.exe
  C:\Windows\System\puPyiJq.exe
  2⤵
  PID:12452
- C:\Windows\System\bgMbWKi.exe
  C:\Windows\System\bgMbWKi.exe
  2⤵
  PID:12560
- C:\Windows\System\jxfrWUH.exe
  C:\Windows\System\jxfrWUH.exe
  2⤵
  PID:776
- C:\Windows\System\RrznRAl.exe
  C:\Windows\System\RrznRAl.exe
  2⤵
  PID:12848
- C:\Windows\System\hNDdyvA.exe
  C:\Windows\System\hNDdyvA.exe
  2⤵
  PID:13016
- C:\Windows\System\AGuYjoi.exe
  C:\Windows\System\AGuYjoi.exe
  2⤵
  PID:13204
- C:\Windows\System\DhCJkjv.exe
  C:\Windows\System\DhCJkjv.exe
  2⤵
  PID:13268
- C:\Windows\System\UmshDnC.exe
  C:\Windows\System\UmshDnC.exe
  2⤵
  PID:12648
- C:\Windows\System\NfItSyu.exe
  C:\Windows\System\NfItSyu.exe
  2⤵
  PID:12988
- C:\Windows\System\eNfIwOq.exe
  C:\Windows\System\eNfIwOq.exe
  2⤵
  PID:13260
- C:\Windows\System\yXIzFBq.exe
  C:\Windows\System\yXIzFBq.exe
  2⤵
  PID:12928
- C:\Windows\System\XEdGEqe.exe
  C:\Windows\System\XEdGEqe.exe
  2⤵
  PID:13284
- C:\Windows\System\KwuChVI.exe
  C:\Windows\System\KwuChVI.exe
  2⤵
  PID:13368
- C:\Windows\System\PpOfbZu.exe
  C:\Windows\System\PpOfbZu.exe
  2⤵
  PID:13396
- C:\Windows\System\HuisDDe.exe
  C:\Windows\System\HuisDDe.exe
  2⤵
  PID:13420
- C:\Windows\System\rHsjIoT.exe
  C:\Windows\System\rHsjIoT.exe
  2⤵
  PID:13440
- C:\Windows\System\moASWmg.exe
  C:\Windows\System\moASWmg.exe
  2⤵
  PID:13460
- C:\Windows\System\IQKxUDN.exe
  C:\Windows\System\IQKxUDN.exe
  2⤵
  PID:13476
- C:\Windows\System\kNBPBnS.exe
  C:\Windows\System\kNBPBnS.exe
  2⤵
  PID:13512
- C:\Windows\System\fhrKlbu.exe
  C:\Windows\System\fhrKlbu.exe
  2⤵
  PID:13556
- C:\Windows\System\HaqZaMB.exe
  C:\Windows\System\HaqZaMB.exe
  2⤵
  PID:13584
- C:\Windows\System\RkhvPbp.exe
  C:\Windows\System\RkhvPbp.exe
  2⤵
  PID:13604
- C:\Windows\System\zRbsMen.exe
  C:\Windows\System\zRbsMen.exe
  2⤵
  PID:13620
- C:\Windows\System\xszhEbF.exe
  C:\Windows\System\xszhEbF.exe
  2⤵
  PID:13636
- C:\Windows\System\cybMcll.exe
  C:\Windows\System\cybMcll.exe
  2⤵
  PID:13652
- C:\Windows\System\AOoDCwO.exe
  C:\Windows\System\AOoDCwO.exe
  2⤵
  PID:13668
- C:\Windows\System\jJFpyfm.exe
  C:\Windows\System\jJFpyfm.exe
  2⤵
  PID:13692
- C:\Windows\System\sCHvLda.exe
  C:\Windows\System\sCHvLda.exe
  2⤵
  PID:13720
- C:\Windows\System\aqOlIqK.exe
  C:\Windows\System\aqOlIqK.exe
  2⤵
  PID:13752
- C:\Windows\System\hVMljVa.exe
  C:\Windows\System\hVMljVa.exe
  2⤵
  PID:13780
- C:\Windows\System\MXJBNwz.exe
  C:\Windows\System\MXJBNwz.exe
  2⤵
  PID:13816
- C:\Windows\System\mErQEXs.exe
  C:\Windows\System\mErQEXs.exe
  2⤵
  PID:13856
- C:\Windows\System\svoVpgE.exe
  C:\Windows\System\svoVpgE.exe
  2⤵
  PID:13892
- C:\Windows\System\tgaZtxm.exe
  C:\Windows\System\tgaZtxm.exe
  2⤵
  PID:13920
- C:\Windows\System\mWSlyDT.exe
  C:\Windows\System\mWSlyDT.exe
  2⤵
  PID:13952
- C:\Windows\System\vqWzQkV.exe
  C:\Windows\System\vqWzQkV.exe
  2⤵
  PID:13988
- C:\Windows\System\pUFzAyv.exe
  C:\Windows\System\pUFzAyv.exe
  2⤵
  PID:14032
- C:\Windows\System\qfTWbDA.exe
  C:\Windows\System\qfTWbDA.exe
  2⤵
  PID:14072
- C:\Windows\System\EwdZIEX.exe
  C:\Windows\System\EwdZIEX.exe
  2⤵
  PID:14096
- C:\Windows\System\hUmuGeG.exe
  C:\Windows\System\hUmuGeG.exe
  2⤵
  PID:14124
- C:\Windows\System\WYcfxNP.exe
  C:\Windows\System\WYcfxNP.exe
  2⤵
  PID:14144
- C:\Windows\System\aSqkzme.exe
  C:\Windows\System\aSqkzme.exe
  2⤵
  PID:14168
- C:\Windows\System\GbNuEBu.exe
  C:\Windows\System\GbNuEBu.exe
  2⤵
  PID:14204
- C:\Windows\System\HJEMjmh.exe
  C:\Windows\System\HJEMjmh.exe
  2⤵
  PID:14232
- C:\Windows\System\RSTXpAf.exe
  C:\Windows\System\RSTXpAf.exe
  2⤵
  PID:14300
- C:\Windows\System\vwnkrCP.exe
  C:\Windows\System\vwnkrCP.exe
  2⤵
  PID:14316
- C:\Windows\System\DunOKmM.exe
  C:\Windows\System\DunOKmM.exe
  2⤵
  PID:14332
- C:\Windows\System\yHsnZah.exe
  C:\Windows\System\yHsnZah.exe
  2⤵
  PID:13336
- C:\Windows\System\QVQssoO.exe
  C:\Windows\System\QVQssoO.exe
  2⤵
  PID:13436
- C:\Windows\System\oZfFYpF.exe
  C:\Windows\System\oZfFYpF.exe
  2⤵
  PID:13392
- C:\Windows\System\EminGrr.exe
  C:\Windows\System\EminGrr.exe
  2⤵
  PID:13348
- C:\Windows\System\BrdzIgT.exe
  C:\Windows\System\BrdzIgT.exe
  2⤵
  PID:13472
- C:\Windows\System\olqgUhb.exe
  C:\Windows\System\olqgUhb.exe
  2⤵
  PID:13496
- C:\Windows\System\QimqvBc.exe
  C:\Windows\System\QimqvBc.exe
  2⤵
  PID:13628
- C:\Windows\System\qCZimEQ.exe
  C:\Windows\System\qCZimEQ.exe
  2⤵
  PID:13660
- C:\Windows\System\XVfRPmY.exe
  C:\Windows\System\XVfRPmY.exe
  2⤵
  PID:13704
- C:\Windows\System\ZoutWAd.exe
  C:\Windows\System\ZoutWAd.exe
  2⤵
  PID:13808
- C:\Windows\System\QpZmWpW.exe
  C:\Windows\System\QpZmWpW.exe
  2⤵
  PID:13728
- C:\Windows\System\bVhXbZa.exe
  C:\Windows\System\bVhXbZa.exe
  2⤵
  PID:13944
- C:\Windows\System\mxclXmQ.exe
  C:\Windows\System\mxclXmQ.exe
  2⤵
  PID:13976
- C:\Windows\System\EtUrjkf.exe
  C:\Windows\System\EtUrjkf.exe
  2⤵
  PID:14104
- C:\Windows\System\GsKlXDs.exe
  C:\Windows\System\GsKlXDs.exe
  2⤵
  PID:14196
- C:\Windows\System\KPVQlqC.exe
  C:\Windows\System\KPVQlqC.exe
  2⤵
  PID:14224
- C:\Windows\System\agkYcfI.exe
  C:\Windows\System\agkYcfI.exe
  2⤵
  PID:14288
- C:\Windows\System\lCyFiQq.exe
  C:\Windows\System\lCyFiQq.exe
  2⤵
  PID:13416
- C:\Windows\System\BAdEoDX.exe
  C:\Windows\System\BAdEoDX.exe
  2⤵
  PID:14272
- C:\Windows\System\NggBsPv.exe
  C:\Windows\System\NggBsPv.exe
  2⤵
  PID:13540
- C:\Windows\System\JmCkNti.exe
  C:\Windows\System\JmCkNti.exe
  2⤵
  PID:13804
- C:\Windows\System\rzWmqhA.exe
  C:\Windows\System\rzWmqhA.exe
  2⤵
  PID:13528
- C:\Windows\System\XbhCRyZ.exe
  C:\Windows\System\XbhCRyZ.exe
  2⤵
  PID:14052
- C:\Windows\System\rLbXMyJ.exe
  C:\Windows\System\rLbXMyJ.exe
  2⤵
  PID:956
- C:\Windows\System\DFbzQlP.exe
  C:\Windows\System\DFbzQlP.exe
  2⤵
  PID:14260
- C:\Windows\System\lvBIFvR.exe
  C:\Windows\System\lvBIFvR.exe
  2⤵
  PID:5704
- C:\Windows\System\wIKDXEy.exe
  C:\Windows\System\wIKDXEy.exe
  2⤵
  PID:13356
- C:\Windows\System\rQBbBPj.exe
  C:\Windows\System\rQBbBPj.exe
  2⤵
  PID:13448
- C:\Windows\System\ypNRrad.exe
  C:\Windows\System\ypNRrad.exe
  2⤵
  PID:13980
- C:\Windows\System\xgYtATk.exe
  C:\Windows\System\xgYtATk.exe
  2⤵
  PID:3500
- C:\Windows\System\rIboNbA.exe
  C:\Windows\System\rIboNbA.exe
  2⤵
  PID:1700
- C:\Windows\System\xGEDtbu.exe
  C:\Windows\System\xGEDtbu.exe
  2⤵
  PID:14216
- C:\Windows\System\UtVnoHf.exe
  C:\Windows\System\UtVnoHf.exe
  2⤵
  PID:14356
- C:\Windows\System\QXHEhxa.exe
  C:\Windows\System\QXHEhxa.exe
  2⤵
  PID:14372
- C:\Windows\System\YlDcPSZ.exe
  C:\Windows\System\YlDcPSZ.exe
  2⤵
  PID:14388
- C:\Windows\System\iOmonnb.exe
  C:\Windows\System\iOmonnb.exe
  2⤵
  PID:14404
- C:\Windows\System\ZTYsDkz.exe
  C:\Windows\System\ZTYsDkz.exe
  2⤵
  PID:14420
- C:\Windows\System\RKQfpxt.exe
  C:\Windows\System\RKQfpxt.exe
  2⤵
  PID:14440
- C:\Windows\System\EpGPjiB.exe
  C:\Windows\System\EpGPjiB.exe
  2⤵
  PID:14456
- C:\Windows\System\xFVQubg.exe
  C:\Windows\System\xFVQubg.exe
  2⤵
  PID:14480
- C:\Windows\System\TSDfDXl.exe
  C:\Windows\System\TSDfDXl.exe
  2⤵
  PID:14504
- C:\Windows\System\RnjduBB.exe
  C:\Windows\System\RnjduBB.exe
  2⤵
  PID:14528
- C:\Windows\System\cDARMCf.exe
  C:\Windows\System\cDARMCf.exe
  2⤵
  PID:14548
- C:\Windows\System\ZFipCkh.exe
  C:\Windows\System\ZFipCkh.exe
  2⤵
  PID:14580
- C:\Windows\System\xNHybpU.exe
  C:\Windows\System\xNHybpU.exe
  2⤵
  PID:14608
- C:\Windows\System\URGvKgq.exe
  C:\Windows\System\URGvKgq.exe
  2⤵
  PID:14648
- C:\Windows\System\dRQFHxF.exe
  C:\Windows\System\dRQFHxF.exe
  2⤵
  PID:14688
- C:\Windows\System\hdQEwLW.exe
  C:\Windows\System\hdQEwLW.exe
  2⤵
  PID:14728
- C:\Windows\System\uwMOVHz.exe
  C:\Windows\System\uwMOVHz.exe
  2⤵
  PID:14772
- C:\Windows\System\eqOqfIY.exe
  C:\Windows\System\eqOqfIY.exe
  2⤵
  PID:14808
- C:\Windows\System\yJqcezr.exe
  C:\Windows\System\yJqcezr.exe
  2⤵
  PID:14840
- C:\Windows\System\EzAaVEU.exe
  C:\Windows\System\EzAaVEU.exe
  2⤵
  PID:14872
- C:\Windows\System\SHBslTQ.exe
  C:\Windows\System\SHBslTQ.exe
  2⤵
  PID:14900
- C:\Windows\System\muTjYgy.exe
  C:\Windows\System\muTjYgy.exe
  2⤵
  PID:14940
- C:\Windows\System\zLwKztO.exe
  C:\Windows\System\zLwKztO.exe
  2⤵
  PID:14968
- C:\Windows\System\PzpKIlM.exe
  C:\Windows\System\PzpKIlM.exe
  2⤵
  PID:14996
- C:\Windows\System\EqGRFDd.exe
  C:\Windows\System\EqGRFDd.exe
  2⤵
  PID:15032
- C:\Windows\System\uxtpltK.exe
  C:\Windows\System\uxtpltK.exe
  2⤵
  PID:15056
- C:\Windows\System\fcuEBwp.exe
  C:\Windows\System\fcuEBwp.exe
  2⤵
  PID:15088
- C:\Windows\System\sXMgGnF.exe
  C:\Windows\System\sXMgGnF.exe
  2⤵
  PID:15124
- C:\Windows\System\osSEVzc.exe
  C:\Windows\System\osSEVzc.exe
  2⤵
  PID:15148
- C:\Windows\System\FFznKup.exe
  C:\Windows\System\FFznKup.exe
  2⤵
  PID:15180
- C:\Windows\System\HkgxVWa.exe
  C:\Windows\System\HkgxVWa.exe
  2⤵
  PID:15196
- C:\Windows\System\hYWeFSC.exe
  C:\Windows\System\hYWeFSC.exe
  2⤵
  PID:15224
- C:\Windows\System\lOvusKN.exe
  C:\Windows\System\lOvusKN.exe
  2⤵
  PID:15256
- C:\Windows\System\czuYOzg.exe
  C:\Windows\System\czuYOzg.exe
  2⤵
  PID:15276
- C:\Windows\System\jPfbPNt.exe
  C:\Windows\System\jPfbPNt.exe
  2⤵
  PID:15304
- C:\Windows\System\fECUoqy.exe
  C:\Windows\System\fECUoqy.exe
  2⤵
  PID:15324
- C:\Windows\System\jXydyAp.exe
  C:\Windows\System\jXydyAp.exe
  2⤵
  PID:13376
- C:\Windows\System\Gejhzgb.exe
  C:\Windows\System\Gejhzgb.exe
  2⤵
  PID:14464
- C:\Windows\System\sPBMZJb.exe
  C:\Windows\System\sPBMZJb.exe
  2⤵
  PID:14380
- C:\Windows\System\HRiijKg.exe
  C:\Windows\System\HRiijKg.exe
  2⤵
  PID:14540
- C:\Windows\System\ZEAUElK.exe
  C:\Windows\System\ZEAUElK.exe
  2⤵
  PID:14568
- C:\Windows\System\mTuXxGO.exe
  C:\Windows\System\mTuXxGO.exe
  2⤵
  PID:14796
- C:\Windows\System\BxyFFKJ.exe
  C:\Windows\System\BxyFFKJ.exe
  2⤵
  PID:14716
- C:\Windows\System\CMXpajg.exe
  C:\Windows\System\CMXpajg.exe
  2⤵
  PID:14888
- C:\Windows\System\pjSGZGl.exe
  C:\Windows\System\pjSGZGl.exe
  2⤵
  PID:14852
- C:\Windows\System\jeFJaxV.exe
  C:\Windows\System\jeFJaxV.exe
  2⤵
  PID:14980
- C:\Windows\System\CNeFAqx.exe
  C:\Windows\System\CNeFAqx.exe
  2⤵
  PID:15072
- C:\Windows\System\YviECws.exe
  C:\Windows\System\YviECws.exe
  2⤵
  PID:15048
- C:\Windows\System\kYQShwH.exe
  C:\Windows\System\kYQShwH.exe
  2⤵
  PID:15176
- C:\Windows\System\JVyzuJF.exe
  C:\Windows\System\JVyzuJF.exe
  2⤵
  PID:15244
- C:\Windows\System\AxTGwfh.exe
  C:\Windows\System\AxTGwfh.exe
  2⤵
  PID:1928
- C:\Windows\System\iSZyMmJ.exe
  C:\Windows\System\iSZyMmJ.exe
  2⤵
  PID:14448
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 14448 -s 256
    3⤵
    PID:1712
- C:\Windows\System\kUJFPDG.exe
  C:\Windows\System\kUJFPDG.exe
  2⤵
  PID:14492

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BaLFDAr.exe

Filesize
5.2MB

MD5
c60795cf2cf18378b19a550434d2b69f

SHA1
05f2d6929a14a055fb55de3397c4549483f6d5a5

SHA256
cd7a0635804d0520768849a23ff76fdba6f3250153fd6a65866f12800e4cf25e

SHA512
11b1883435c38b2619040133d07c51fcede017552635f9cbf14191211178de9b6fa29f8d4fd6015f5a32ce82752bd60350386a8bc8dc23197d4d2131ad9ebb33

Download Submit
C:\Windows\System\CfuqZZe.exe

Filesize
5.2MB

MD5
b01006a15deb582fa79edee1d3143c51

SHA1
113a1c3bc9e07ace191caef82a64de06a7d72b76

SHA256
14c3ea8859376740e6ee7f6eefb65547d3a281692f2658c04ce53e1e96de9d13

SHA512
a92d2f77880412776885a44d4f156ea6ce17b30097bfde2e6bcb81a9f6ce0d75ac79eb6d6573759d207cc14c23d733b4717dfcdb9bd940cae33d00e94895b52f

Download Submit
C:\Windows\System\JluPEfi.exe

Filesize
5.2MB

MD5
9b967c2484c905c2b8982a8e1b39b3d4

SHA1
805d5aef8f6f66679623feb58720adc8255c08f5

SHA256
03878392e281e4e7d8d05440bc64b2d269b51dbe4a44bebfe65b334cc1ef5298

SHA512
78c2e7d00dc213cd4d14826c4fe62d3d75b5ffa4c9afa2cf9718df2dfe7a293e9a5167077d5e17449226744a3e2c5b7631a8bb7ad1b000a1dd9fd12e5c1142ae

Download Submit
C:\Windows\System\JqbbtzL.exe

Filesize
5.2MB

MD5
07e27197dee5cb7fb8ab3510921cfee0

SHA1
cd8d8f161c103183de2190977564f3213685d3c5

SHA256
ef09d0d4096d962bdcf349a1de2eb7fc5a5c1ce778bdf5ab584f9b7f0b8704dd

SHA512
4cf450c16e8fd5bf5f0e5f3deb6ecd50b05ca031d73c5b80974a556e8b4063587345593d2d386b0c8834f8b181baaa1391f600d68d5e5ae9576380105919b647

Download Submit
C:\Windows\System\LAInbzp.exe

Filesize
5.2MB

MD5
a2acea4265371d0736a6f158f710993b

SHA1
34aa280eba86293970c2608f200e9080615f91db

SHA256
9abdbcc3cc15a302c8c0d11ec14904e2718f16696ac5bb6fd7dab4b352e45737

SHA512
37aadc8053f48eb4bded193d473e9b80b1e19c0f9362a3f298665d69f192dfdb24af0bc7f8370b00ec80f0c62440ddd13daa91f98b58c8e6d1c667f043995cd6

Download Submit
C:\Windows\System\LGHVaNN.exe

Filesize
5.2MB

MD5
558fbdf7e7ce90526714a608de5b9233

SHA1
f6764f9266df49671157b3bb63fd8efece18b79d

SHA256
8b4f123efe33db51ce1bdc7f7d644aa35a7fe6b53b40baa2a5fb2a94c1883e79

SHA512
b93aa083e9dfae48ce2d1846e80b7477004eca85517a44c5deb6aae7d97ffd7c20234778dc6fe52c57a23da6a95119366ecc48f76943f81ff0583a589e992b68

Download Submit
C:\Windows\System\LudshQk.exe

Filesize
5.2MB

MD5
ff0ac8e99297aea68edf4d68203d08bf

SHA1
c5a89ff0cf90aaa0dd5f5dac2af6c4473bc4a0d7

SHA256
3ca14f7075ad0b4f6ae3792ca9e5afedbb2a5513243582332c2a1784572ac1c8

SHA512
c0ebe899e25c4fd8941a7a5c5a7c2a095cc17f0e2bf32bb00cb5592aedd07b6b15b303f7b3ce2369bf3c60ff8f53b2cf28042b36cd395b22ed72f31b532c18e7

Download Submit
C:\Windows\System\NKaFTWs.exe

Filesize
5.2MB

MD5
b86f9f180e7c4ea73a6239926e0c4e2b

SHA1
7283e989773e7fb30c61a6ba90f18c603cf502a7

SHA256
1c0d513cf38a30476bd055e147ce6e93f6dd5f7147cbd9426d5014514cc8dd9d

SHA512
c9c53d3574d13c102a100cfb1351a99193cb1280640f9214a1b6728f9d836666b15fb62f6d867ff2d6fa55a33accd82c41b91237f44c0c21f64c1e8a9288c2fb

Download Submit
C:\Windows\System\OPsvZHP.exe

Filesize
5.2MB

MD5
48e933017781500c18290b1b2573935d

SHA1
866ed9155df491a4579c01a915aa784aa40880c4

SHA256
365100a5b3ccf155d279b420c3959d39bcd1cc274b8738e42d1e2ceff05a29d6

SHA512
99c031c3a5b39baf555c64d333a56d72e735424dfb979b913b177a4e98f1af5678bc2ba490ef8f993f2a93a23a99bdb0c24348119de1e157ff53a68826ce7aa1

Download Submit
C:\Windows\System\PKJFjmo.exe

Filesize
5.2MB

MD5
339f788a0e2400d734a427f36f537fce

SHA1
26636eca26d9ad4a8ab7b2e7b230913ba4a3c8cb

SHA256
4f40fe26d072fdf9975124b50d3a871de48aa8a17b22b502b62ed9560173e198

SHA512
429cc0ab7991bfc82e5ad9c6f879ed30381492d4b9e878e088b0187ae7652ce8c8b33033fc65b6dba563372c8a291f9b35054be9dd3e408bff0658871ec8b1bb

Download Submit
C:\Windows\System\PZMstBv.exe

Filesize
5.2MB

MD5
8d12df3022bc810dabf51ffaa30f19df

SHA1
010626dd4b2c1a94a7eb94272090abfa2b692abf

SHA256
c721a4c9c2c66d0c4e6cf889b1a101b62ba4e11f765db0cee5f9bc2c58ea9a32

SHA512
166966f0f838dcef5ad1926d163b039a1cfa95c6cf1ca923307461c82eed00f37ca79e6bee2a4af413f341910b939b6903e908bfca35118e68e2c60ca73e2216

Download Submit
C:\Windows\System\RVlNTzX.exe

Filesize
5.2MB

MD5
50fbae40e7b116015be2e010dddee9a9

SHA1
7154b7a200e234bb6c87d4f7d927b2e32c55dde0

SHA256
e26d9e7a8b0a08e263325dadba5cc97837e20e781473f612f4190a44a0d23fd3

SHA512
664f0d3ccc12bbc463c4b0bd55c8f4d60b11b13e4077fda9d61309491e3a7fecbab0cf9d3a59fbb96c1d6b6909f91bfd44424727876610db72fcc476ea80cc5e

Download Submit
C:\Windows\System\UwYoJJI.exe

Filesize
5.2MB

MD5
dea2a70d0892b0d344e6aa50e81f4398

SHA1
8f94b0b52e95133db4a7f9a8f06745f197176439

SHA256
dd6845c9bb3a9d13164ef0833b450320242fb51b2c2dc4735b0d8dd30f5a94e7

SHA512
5219bc0d7054f91854524ee2637d2d155f350f91a7f4cf1b880167302679210deeafb580f9c058d88436d1e0bd5fda71c3ef28da08b7b1f94420935b1d1b05d2

Download Submit
C:\Windows\System\WSTpawn.exe

Filesize
5.2MB

MD5
961693b15a21fc9e040d9ac6dace63f5

SHA1
4b9445a3935fc44078583a9c5992de1542eac26f

SHA256
10ea3fd965b2456dd4bc3faa81d171e1e1ab6184f2f7852812f8aa892162e42f

SHA512
771e5ab36644208cc31b7e0fa68c43270afa489f408ba6bb3235ab000227636bc4045f6877586f847ff9101193b727f30ba9e44b230f567e918b326af5bd00cc

Download Submit
C:\Windows\System\XHycFwt.exe

Filesize
5.2MB

MD5
e9c41b4f5a6c3da633c5d398fbf2b2a1

SHA1
2ab3f27f4fece6ff0a2b611609b285e460247c83

SHA256
a767420a9e016b9b796e23507559443282a8470be4ece59f900d81a7a1084bb4

SHA512
32f8b4bc7fd8300ad5a2a6159f4ba1aef328d7f592ceaa5c64d151e55c7392192e084bbd93123e7bf5954d66d447973c5448871140063135e737810a5644e050

Download Submit
C:\Windows\System\aEJgmeR.exe

Filesize
5.2MB

MD5
ad40206c5151e4135d9828df2415c7ff

SHA1
e75b41d051e25cb1a67881182581980bc6710f33

SHA256
2669a9bc1d9a945fc4e9125494e2749c4ab98981626c643d88e5eb9a6d268f00

SHA512
ea81eb913612e519e40f1462b62e8469b00b57a16900597292efde4eb914273d95e4b898a909bb7efd413558953348760469b802ee87fc003b62df43c35092ce

Download Submit
C:\Windows\System\chjooTf.exe

Filesize
5.2MB

MD5
91601c5ac72b1d4552740377dbb7234f

SHA1
6d1c924770c483b708687770a76391c4338586f9

SHA256
c58c7571c850fc4719efb5e5c9fdd9b831a95ebfa852ae0290fb7a2e16ccbb86

SHA512
6af5c4718c1b7b326604a62e06a7c758110ef19e424726a10106cb5729845a8569e82623a5cacc5fa24aca219a1a554d752dffab365eb69b97092a86bcbf1acd

Download Submit
C:\Windows\System\dDMEtfw.exe

Filesize
5.2MB

MD5
51c97053584255798c52729b1352526d

SHA1
a06c609b9d658585e91cc3d917eca4be7af8c70e

SHA256
840189b8135e423949b2ae8b24c7cfd51629d2221cb0e6cfe9acfc77a3f7c513

SHA512
03fc662f64cfbea400b4f15a2f27ed027890d918ad1755c62b5025b94457c9e6da5d6110b7676cb81bf919e5320a1aea975ad1deae5140d6fbc5c47c5d9e848d

Download Submit
C:\Windows\System\fHljoYQ.exe

Filesize
5.2MB

MD5
18a6ec50e2018877dc3c354416323570

SHA1
4f26cd6dcfff401912d8b75a6d75b0bfda55d71c

SHA256
5ced1eb92ab7fa5424b31983243893008e209bfd581089163c01d5bdb6fe2a94

SHA512
eff053243bfc86906e8c7dcc764234c8572d57c79fde1eb1efb644178ad4800e9943461c75ca54b8fc415b6503aefd536b393e8737ae40b456d10c0bf6e8b024

Download Submit
C:\Windows\System\gXgskat.exe

Filesize
5.2MB

MD5
6a1ad336903976a74e10c4495f941cdd

SHA1
dc89c75cd1891cb6a502a6d91ae7adbdb5cf2b55

SHA256
bfefe391e9443abd1513fc89d4e93a43f86eae6e50598d4a6da8050616c08c08

SHA512
e5300f459ffbc2c8141157ad3d64bdced4b5a3b26c357c6fce63f0cce99fd9cc7308ecb8c00422bd9b32913648a03ec32deb14330748736710aedd23404de002

Download Submit
C:\Windows\System\gfkQgSO.exe

Filesize
5.2MB

MD5
326a075df3fbac27640169aebe068d43

SHA1
d5804855d2303ff96ba354d2f1fe0a52c05facd3

SHA256
529ff68b56682c3ed4c9f1455dd5b993aaed6fc795dd81e0fd19bb848750b487

SHA512
c10f974bb1dd8b3903ff319b2f3b6faefb1d595e696af17ddb26b71acc4e97c34985fac89fe306767370afdd6d2b29fa3664202f7b6e76be42f6b3cf76a415c5

Download Submit
C:\Windows\System\hcfTNGQ.exe

Filesize
5.2MB

MD5
4081977ba7b70e85f9a4dcbdac5e8427

SHA1
1b2e6ffb4b3e2e5e1c580800a0f1982373ba5ba4

SHA256
64f0ca24035bd18b9c8449002d5d7c0f00d681f8daa38bb2ccc2fb0513e2d7ea

SHA512
eb682222693831290f6d6a4b44234b9afe81d88ee4cd17fd39b61806dcc339c19eda49b7232596a39cbe39a7b8426512ee4133171cb32690c38b264ac50aab61

Download Submit
C:\Windows\System\kFcpYgm.exe

Filesize
5.2MB

MD5
68e2d5023ac860bc6f1238cce8224f32

SHA1
f91c388b21a90b7b32e557313996d64ba0bdbc11

SHA256
f3813afe3d89e919a25bfe76e2dbc44ec19c27f224d765bfc41c525f4968772b

SHA512
e14d8ab3c4242ee46fc65e91e641a2b25c9fa2fc2be288db40de0c03be149f601b2d6dd5d2122f82b8e3729cf572eeadbc22934e8ff481ee9b52e75f464e1b9d

Download Submit
C:\Windows\System\lqmoBNI.exe

Filesize
5.2MB

MD5
c7b0705ff327bc407f658fb095c74fdc

SHA1
7b24e383ac4c7bbe682adf453aa05461831de122

SHA256
062ebc8c1e1cbe9ce6b85166a08dca06ea81b3a4b8472bf0b934ead9d7cbd151

SHA512
4d0e4b79b697fd3f5cd3fa176328323e54e1a937b425ab1fb38911e6427122953417dae94563c931d834bbf844dfead15c34acc13681f231400ac904079092d5

Download Submit
C:\Windows\System\lxMazcp.exe

Filesize
5.2MB

MD5
fcddeb300116b5cc7dc1eb47d6760ad7

SHA1
a577252c23bd6c12c0d0033a0694f6b14d57f71b

SHA256
96c46414848263a482aeb0daf05e0e4303fbbb3bf4be9647ef41500def38522d

SHA512
762870a05deedf42d2674702afa4f51afd07e69ee8e609097e6b8e843f69523a2a183951639636303b30aa43965e15ece77f27155dec4a01cbe4d5c3d0b57c86

Download Submit
C:\Windows\System\mRrjPDZ.exe

Filesize
5.2MB

MD5
edcc2a995df7b77fa88be0c31190a10b

SHA1
6c5236433872a421ec71e692ee3ae8d9c7bd36fd

SHA256
be58ac99be060e949a92a9f0bf33ce9070bd753c3e26bd396281bef2bd8cc97e

SHA512
47170b9d9f6eafe5abc8fcc0f7621ec3f4b7abc974f7608598b37d90f0029a1e7c1e04e0e602edf236d70d30ee24f67bda2253ef85defea633908a9262d012d2

Download Submit
C:\Windows\System\mvvzMYS.exe

Filesize
5.2MB

MD5
079c371905e04583b0a050c02d9119d1

SHA1
1dec600113f1c7598305d4e8719f08794b006cdc

SHA256
bc0fbca9ca6d0ed5560addc30ee910c75bd4e0647c34add2c504562fa805eff4

SHA512
a8652c2640bf17c42d2082740d3bfede64b462e2a6798d88d8a1f530af357b177afbe57781c7eb86343db45f1ad4933d16a485b955c7630cd24420fec6479453

Download Submit
C:\Windows\System\myIcVAk.exe

Filesize
5.2MB

MD5
e67048be37cb8f442712e2b07db8cf2a

SHA1
d3179714c4d6e23928982088f5e4de3ca19cb46b

SHA256
1e760e0b925fb300d62dbe90a9e5626e6ef39f175307bde552b0ada7c83dbe8a

SHA512
48e3feb60d8ad3659629b441e896e6a48a4d53dbf8f1ce9ca5e26b01f8158ceb62866c9177875a3bc554b52dce5297724eac45dcf00c3885044c5d437da9bce3

Download Submit
C:\Windows\System\nsqljmp.exe

Filesize
5.2MB

MD5
2917e63180f7acec1cd0a0722159092e

SHA1
5fca1f1363ff1776b04693953b90c7b3967e9bd5

SHA256
af93c22c685fafe6a23a6622d70af09802803dc677282ceb64f91e7987127cbc

SHA512
4822b4bee393e063affa0fd5ad00cc3d51b5ca836433a1b5bb3481f09499b9c7e4be152f754c2d408b0ec56a4e722ead36a10f707d3400c5c40f45f700296b19

Download Submit
C:\Windows\System\oNiGeoy.exe

Filesize
5.2MB

MD5
fc8ae990e295999792fcb0261dc5ccf7

SHA1
4a0729b5e0e69913b97fb31ea7cc81d332272f09

SHA256
831fc4999650f95919255884b80a743d877a5d55f94f32ad55b50c2178a92693

SHA512
0a832de168df741bf5aaaf47fc01a43cf512eb96db66be9332f75b4fea2f337c57a4bd307ac243c9723368b47b3bad80fbe9ce6d83f36d1ae3d55a4e8fd82072

Download Submit
C:\Windows\System\tfAsjUp.exe

Filesize
5.2MB

MD5
f470ed6c62dd3192461b7424048b7a93

SHA1
430080eff732c7f792279979b6b4c3d2fcb09685

SHA256
7a3e073c413c9d2e6961b2b8bff694217c731e94938f9984fd3f29288530f845

SHA512
e37bb7ab0e9d3d21ce52499edc71a35dc743defb0f1ee2f0b815589ef4e67a52d36f335b369b59bc9f2ffc0818e9ac4b96951b7d15f5f62eeae1411869d37739

Download Submit
C:\Windows\System\uWmwFdN.exe

Filesize
5.2MB

MD5
e3a18cf17ed99ff7b92e42738adfffd3

SHA1
10f0160d52f99e7e86257fc66d75b343f3af2e14

SHA256
6553f2a6ff85f4c473292c0acc7de2e16a20150f50d8d482b07de5893458c8ce

SHA512
55cad84c77216899e596385ca55f96293a9c07dc534b67b5b73b5b39a4b4d0586f00fbc1b84d21e6f8ead0741c47aeaac89b431ed6d640675e4ea40ac62da589

Download Submit
memory/760-2402-0x00007FF78D760000-0x00007FF78DAB1000-memory.dmp

Filesize
3.3MB

Download
memory/760-131-0x00007FF78D760000-0x00007FF78DAB1000-memory.dmp

Filesize
3.3MB

Download
memory/1244-20-0x00007FF6D7070000-0x00007FF6D73C1000-memory.dmp

Filesize
3.3MB

Download
memory/1244-158-0x00007FF6D7070000-0x00007FF6D73C1000-memory.dmp

Filesize
3.3MB

Download
memory/1388-143-0x00007FF72E0A0000-0x00007FF72E3F1000-memory.dmp

Filesize
3.3MB

Download
memory/1388-2409-0x00007FF72E0A0000-0x00007FF72E3F1000-memory.dmp

Filesize
3.3MB

Download
memory/1788-2489-0x00007FF60A930000-0x00007FF60AC81000-memory.dmp

Filesize
3.3MB

Download
memory/1788-169-0x00007FF60A930000-0x00007FF60AC81000-memory.dmp

Filesize
3.3MB

Download
memory/1788-673-0x00007FF60A930000-0x00007FF60AC81000-memory.dmp

Filesize
3.3MB

Download
memory/1876-167-0x00007FF655430000-0x00007FF655781000-memory.dmp

Filesize
3.3MB

Download
memory/1876-33-0x00007FF655430000-0x00007FF655781000-memory.dmp

Filesize
3.3MB

Download
memory/1876-2356-0x00007FF655430000-0x00007FF655781000-memory.dmp

Filesize
3.3MB

Download
memory/2132-374-0x00007FF743830000-0x00007FF743B81000-memory.dmp

Filesize
3.3MB

Download
memory/2132-2406-0x00007FF743830000-0x00007FF743B81000-memory.dmp

Filesize
3.3MB

Download
memory/2132-132-0x00007FF743830000-0x00007FF743B81000-memory.dmp

Filesize
3.3MB

Download
memory/2416-163-0x00007FF647F40000-0x00007FF648291000-memory.dmp

Filesize
3.3MB

Download
memory/2416-2487-0x00007FF647F40000-0x00007FF648291000-memory.dmp

Filesize
3.3MB

Download
memory/2756-288-0x00007FF6D12C0000-0x00007FF6D1611000-memory.dmp

Filesize
3.3MB

Download
memory/2756-2401-0x00007FF6D12C0000-0x00007FF6D1611000-memory.dmp

Filesize
3.3MB

Download
memory/2756-110-0x00007FF6D12C0000-0x00007FF6D1611000-memory.dmp

Filesize
3.3MB

Download
memory/2780-2485-0x00007FF6A2DB0000-0x00007FF6A3101000-memory.dmp

Filesize
3.3MB

Download
memory/2780-166-0x00007FF6A2DB0000-0x00007FF6A3101000-memory.dmp

Filesize
3.3MB

Download
memory/3140-16-0x00007FF7629B0000-0x00007FF762D01000-memory.dmp

Filesize
3.3MB

Download
memory/3264-89-0x00007FF62F3F0000-0x00007FF62F741000-memory.dmp

Filesize
3.3MB

Download
memory/3264-207-0x00007FF62F3F0000-0x00007FF62F741000-memory.dmp

Filesize
3.3MB

Download
memory/3264-2392-0x00007FF62F3F0000-0x00007FF62F741000-memory.dmp

Filesize
3.3MB

Download
memory/3396-2358-0x00007FF67ED10000-0x00007FF67F061000-memory.dmp

Filesize
3.3MB

Download
memory/3396-35-0x00007FF67ED10000-0x00007FF67F061000-memory.dmp

Filesize
3.3MB

Download
memory/3396-183-0x00007FF67ED10000-0x00007FF67F061000-memory.dmp

Filesize
3.3MB

Download
memory/3480-1-0x000002101B900000-0x000002101B910000-memory.dmp

Filesize
64KB

Download
memory/3480-144-0x00007FF690B20000-0x00007FF690E71000-memory.dmp

Filesize
3.3MB

Download
memory/3480-0-0x00007FF690B20000-0x00007FF690E71000-memory.dmp

Filesize
3.3MB

Download
memory/3512-124-0x00007FF7D68F0000-0x00007FF7D6C41000-memory.dmp

Filesize
3.3MB

Download
memory/3512-2404-0x00007FF7D68F0000-0x00007FF7D6C41000-memory.dmp

Filesize
3.3MB

Download
memory/3540-200-0x00007FF67F8B0000-0x00007FF67FC01000-memory.dmp

Filesize
3.3MB

Download
memory/3540-2362-0x00007FF67F8B0000-0x00007FF67FC01000-memory.dmp

Filesize
3.3MB

Download
memory/3540-49-0x00007FF67F8B0000-0x00007FF67FC01000-memory.dmp

Filesize
3.3MB

Download
memory/3568-2360-0x00007FF7F1230000-0x00007FF7F1581000-memory.dmp

Filesize
3.3MB

Download
memory/3568-170-0x00007FF7F1230000-0x00007FF7F1581000-memory.dmp

Filesize
3.3MB

Download
memory/3568-36-0x00007FF7F1230000-0x00007FF7F1581000-memory.dmp

Filesize
3.3MB

Download
memory/3920-190-0x00007FF6094A0000-0x00007FF6097F1000-memory.dmp

Filesize
3.3MB

Download
memory/3920-76-0x00007FF6094A0000-0x00007FF6097F1000-memory.dmp

Filesize
3.3MB

Download
memory/3920-2364-0x00007FF6094A0000-0x00007FF6097F1000-memory.dmp

Filesize
3.3MB

Download
memory/3932-180-0x00007FF784E20000-0x00007FF785171000-memory.dmp

Filesize
3.3MB

Download
memory/3932-752-0x00007FF784E20000-0x00007FF785171000-memory.dmp

Filesize
3.3MB

Download
memory/3932-2493-0x00007FF784E20000-0x00007FF785171000-memory.dmp

Filesize
3.3MB

Download
memory/4024-203-0x00007FF63F900000-0x00007FF63FC51000-memory.dmp

Filesize
3.3MB

Download
memory/4024-64-0x00007FF63F900000-0x00007FF63FC51000-memory.dmp

Filesize
3.3MB

Download
memory/4024-2386-0x00007FF63F900000-0x00007FF63FC51000-memory.dmp

Filesize
3.3MB

Download
memory/4232-189-0x00007FF633A10000-0x00007FF633D61000-memory.dmp

Filesize
3.3MB

Download
memory/4232-2491-0x00007FF633A10000-0x00007FF633D61000-memory.dmp

Filesize
3.3MB

Download
memory/4256-210-0x00007FF61C440000-0x00007FF61C791000-memory.dmp

Filesize
3.3MB

Download
memory/4256-2396-0x00007FF61C440000-0x00007FF61C791000-memory.dmp

Filesize
3.3MB

Download
memory/4256-90-0x00007FF61C440000-0x00007FF61C791000-memory.dmp

Filesize
3.3MB

Download
memory/4264-140-0x00007FF799620000-0x00007FF799971000-memory.dmp

Filesize
3.3MB

Download
memory/4264-2394-0x00007FF799620000-0x00007FF799971000-memory.dmp

Filesize
3.3MB

Download
memory/4268-55-0x00007FF6B8820000-0x00007FF6B8B71000-memory.dmp

Filesize
3.3MB

Download
memory/4268-2391-0x00007FF6B8820000-0x00007FF6B8B71000-memory.dmp

Filesize
3.3MB

Download
memory/4268-266-0x00007FF6B8820000-0x00007FF6B8B71000-memory.dmp

Filesize
3.3MB

Download
memory/4300-101-0x00007FF6E30D0000-0x00007FF6E3421000-memory.dmp

Filesize
3.3MB

Download
memory/4300-2388-0x00007FF6E30D0000-0x00007FF6E3421000-memory.dmp

Filesize
3.3MB

Download
memory/4308-371-0x00007FF6906F0000-0x00007FF690A41000-memory.dmp

Filesize
3.3MB

Download
memory/4308-2398-0x00007FF6906F0000-0x00007FF690A41000-memory.dmp

Filesize
3.3MB

Download
memory/4308-111-0x00007FF6906F0000-0x00007FF690A41000-memory.dmp

Filesize
3.3MB

Download
memory/4680-146-0x00007FF6FB630000-0x00007FF6FB981000-memory.dmp

Filesize
3.3MB

Download
memory/4680-9-0x00007FF6FB630000-0x00007FF6FB981000-memory.dmp

Filesize
3.3MB

Download
memory/4804-2411-0x00007FF6AD5A0000-0x00007FF6AD8F1000-memory.dmp

Filesize
3.3MB

Download
memory/4804-142-0x00007FF6AD5A0000-0x00007FF6AD8F1000-memory.dmp

Filesize
3.3MB

Download
memory/4828-518-0x00007FF7F68D0000-0x00007FF7F6C21000-memory.dmp

Filesize
3.3MB

Download
memory/4828-145-0x00007FF7F68D0000-0x00007FF7F6C21000-memory.dmp

Filesize
3.3MB

Download
memory/4828-2425-0x00007FF7F68D0000-0x00007FF7F6C21000-memory.dmp

Filesize
3.3MB

Download
memory/4860-141-0x00007FF70EF10000-0x00007FF70F261000-memory.dmp

Filesize
3.3MB

Download
memory/4860-2412-0x00007FF70EF10000-0x00007FF70F261000-memory.dmp

Filesize
3.3MB

Download
memory/5880-100-0x00007FF748610000-0x00007FF748961000-memory.dmp

Filesize
3.3MB

Download
memory/5880-2366-0x00007FF748610000-0x00007FF748961000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads