cobaltstrike | 4d0dce3faf95db2387986052ccb62cd524bf6d3db2521d4f2021c2337b11833f

Analysis

max time kernel
128s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2025, 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

696ab6c1b4567a6c4822df063fe0a8bb
SHA1

05beb5f3e9b032ac2cf37668196998442868932c
SHA256

4d0dce3faf95db2387986052ccb62cd524bf6d3db2521d4f2021c2337b11833f
SHA512

d51a06fbf0d60763f3ce45acab4727e868cddc978bb6c0a47de62fd58ad6ff61a4ab04c998846d685bb02a8a7354d2e6063c9350c28ad454b170a04a791e04a4
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lU:RWWBibf56utgpPFotBER/mQ32lUQ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 34 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023ff7-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240c8-30.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240cb-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240cf-50.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240d0-62.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240cc-57.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000240c5-82.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240d4-93.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240d3-90.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240d2-88.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240d1-86.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240ce-56.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240cd-44.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240ca-41.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240c9-40.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000240c7-19.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240db-143.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240d8-150.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240dc-159.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240dd-163.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240da-156.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240d9-155.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240d6-147.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240d5-136.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240d7-134.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240e1-183.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240e3-211.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240e6-210.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240e4-202.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240e0-197.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240df-193.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240de-191.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240e5-208.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240e2-186.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 54 IoCs

miner

resource	yara_rule
behavioral2/memory/4744-92-0x00007FF71EA90000-0x00007FF71EDE1000-memory.dmp	xmrig
behavioral2/memory/3572-98-0x00007FF7F9B70000-0x00007FF7F9EC1000-memory.dmp	xmrig
behavioral2/memory/1756-97-0x00007FF749690000-0x00007FF7499E1000-memory.dmp	xmrig
behavioral2/memory/3780-78-0x00007FF655660000-0x00007FF6559B1000-memory.dmp	xmrig
behavioral2/memory/2540-75-0x00007FF6A98F0000-0x00007FF6A9C41000-memory.dmp	xmrig
behavioral2/memory/4404-67-0x00007FF726C20000-0x00007FF726F71000-memory.dmp	xmrig
behavioral2/memory/3564-55-0x00007FF6B8D50000-0x00007FF6B90A1000-memory.dmp	xmrig
behavioral2/memory/2748-109-0x00007FF7BD1E0000-0x00007FF7BD531000-memory.dmp	xmrig
behavioral2/memory/1680-118-0x00007FF680F70000-0x00007FF6812C1000-memory.dmp	xmrig
behavioral2/memory/3676-161-0x00007FF620D80000-0x00007FF6210D1000-memory.dmp	xmrig
behavioral2/memory/3144-160-0x00007FF643AA0000-0x00007FF643DF1000-memory.dmp	xmrig
behavioral2/memory/1880-116-0x00007FF7E5680000-0x00007FF7E59D1000-memory.dmp	xmrig
behavioral2/memory/1740-115-0x00007FF7132A0000-0x00007FF7135F1000-memory.dmp	xmrig
behavioral2/memory/5116-111-0x00007FF62A680000-0x00007FF62A9D1000-memory.dmp	xmrig
behavioral2/memory/4648-107-0x00007FF7D78C0000-0x00007FF7D7C11000-memory.dmp	xmrig
behavioral2/memory/4168-102-0x00007FF710A60000-0x00007FF710DB1000-memory.dmp	xmrig
behavioral2/memory/3488-104-0x00007FF708610000-0x00007FF708961000-memory.dmp	xmrig
behavioral2/memory/468-101-0x00007FF6AF1E0000-0x00007FF6AF531000-memory.dmp	xmrig
behavioral2/memory/2372-99-0x00007FF607840000-0x00007FF607B91000-memory.dmp	xmrig
behavioral2/memory/4080-206-0x00007FF7F9EB0000-0x00007FF7FA201000-memory.dmp	xmrig
behavioral2/memory/4544-485-0x00007FF749A30000-0x00007FF749D81000-memory.dmp	xmrig
behavioral2/memory/728-565-0x00007FF78F770000-0x00007FF78FAC1000-memory.dmp	xmrig
behavioral2/memory/1532-647-0x00007FF769790000-0x00007FF769AE1000-memory.dmp	xmrig
behavioral2/memory/2356-646-0x00007FF7CB7C0000-0x00007FF7CBB11000-memory.dmp	xmrig
behavioral2/memory/4968-645-0x00007FF7B9610000-0x00007FF7B9961000-memory.dmp	xmrig
behavioral2/memory/2408-730-0x00007FF79A500000-0x00007FF79A851000-memory.dmp	xmrig
behavioral2/memory/4764-816-0x00007FF63F3B0000-0x00007FF63F701000-memory.dmp	xmrig
behavioral2/memory/4064-998-0x00007FF69EC90000-0x00007FF69EFE1000-memory.dmp	xmrig
behavioral2/memory/1444-1000-0x00007FF7551E0000-0x00007FF755531000-memory.dmp	xmrig
behavioral2/memory/1200-999-0x00007FF65F930000-0x00007FF65FC81000-memory.dmp	xmrig
behavioral2/memory/4168-1785-0x00007FF710A60000-0x00007FF710DB1000-memory.dmp	xmrig
behavioral2/memory/1680-1936-0x00007FF680F70000-0x00007FF6812C1000-memory.dmp	xmrig
behavioral2/memory/1880-1931-0x00007FF7E5680000-0x00007FF7E59D1000-memory.dmp	xmrig
behavioral2/memory/3572-1930-0x00007FF7F9B70000-0x00007FF7F9EC1000-memory.dmp	xmrig
behavioral2/memory/1740-1925-0x00007FF7132A0000-0x00007FF7135F1000-memory.dmp	xmrig
behavioral2/memory/1756-1922-0x00007FF749690000-0x00007FF7499E1000-memory.dmp	xmrig
behavioral2/memory/4744-1915-0x00007FF71EA90000-0x00007FF71EDE1000-memory.dmp	xmrig
behavioral2/memory/3780-1903-0x00007FF655660000-0x00007FF6559B1000-memory.dmp	xmrig
behavioral2/memory/5116-1868-0x00007FF62A680000-0x00007FF62A9D1000-memory.dmp	xmrig
behavioral2/memory/2748-1876-0x00007FF7BD1E0000-0x00007FF7BD531000-memory.dmp	xmrig
behavioral2/memory/4648-1830-0x00007FF7D78C0000-0x00007FF7D7C11000-memory.dmp	xmrig
behavioral2/memory/3564-1826-0x00007FF6B8D50000-0x00007FF6B90A1000-memory.dmp	xmrig
behavioral2/memory/3488-1812-0x00007FF708610000-0x00007FF708961000-memory.dmp	xmrig
behavioral2/memory/4404-1811-0x00007FF726C20000-0x00007FF726F71000-memory.dmp	xmrig
behavioral2/memory/2540-1820-0x00007FF6A98F0000-0x00007FF6A9C41000-memory.dmp	xmrig
behavioral2/memory/468-1768-0x00007FF6AF1E0000-0x00007FF6AF531000-memory.dmp	xmrig
behavioral2/memory/728-2519-0x00007FF78F770000-0x00007FF78FAC1000-memory.dmp	xmrig
behavioral2/memory/2408-2542-0x00007FF79A500000-0x00007FF79A851000-memory.dmp	xmrig
behavioral2/memory/4764-2546-0x00007FF63F3B0000-0x00007FF63F701000-memory.dmp	xmrig
behavioral2/memory/1532-2544-0x00007FF769790000-0x00007FF769AE1000-memory.dmp	xmrig
behavioral2/memory/4968-2549-0x00007FF7B9610000-0x00007FF7B9961000-memory.dmp	xmrig
behavioral2/memory/4064-2575-0x00007FF69EC90000-0x00007FF69EFE1000-memory.dmp	xmrig
behavioral2/memory/1200-2573-0x00007FF65F930000-0x00007FF65FC81000-memory.dmp	xmrig
behavioral2/memory/1444-2571-0x00007FF7551E0000-0x00007FF755531000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
468	pYIDRqe.exe
4168	pFvEfiz.exe
3488	gIcJRdE.exe
3564	yVZMIqw.exe
4648	wCYWADs.exe
4404	hXmwhGz.exe
2748	JyYAxwo.exe
2540	gzIScVJ.exe
5116	JIJQTZI.exe
3780	ChlbcKy.exe
4744	FMrXMOH.exe
1756	wUpiaXR.exe
1740	fDQEuyo.exe
1880	FGAKJyy.exe
3572	fIueuYn.exe
1680	hZvUIIV.exe
4544	PKnXKIy.exe
728	ONSCDwR.exe
3144	UOyDwmR.exe
3676	OKzdtGg.exe
2408	TSrxOJs.exe
4968	KYworLq.exe
2356	jqvumDy.exe
1532	NVJjfqn.exe
4764	aEGzpgi.exe
4064	gUiUkru.exe
1200	caquovf.exe
1444	XqbvdrG.exe
4080	ECOZCEe.exe
2884	gTrXsBm.exe
396	BMQlIwX.exe
3300	UHxvDkO.exe
4796	TfRNndi.exe
2096	becLkyU.exe
2852	EPLufXj.exe
912	NLrcULH.exe
4752	gYoyiTR.exe
4496	qVYBUsk.exe
4872	jksfjAi.exe
4972	EEyoSuB.exe
3740	CfbwVpw.exe
3684	PUCGEin.exe
3084	fTOBfoi.exe
4036	YKBdvkI.exe
2688	VPQYRba.exe
212	xbdtFNJ.exe
3924	GFaNgUE.exe
2396	vctpTFX.exe
2368	ihISjYf.exe
1712	WAXHNOX.exe
2948	kjHuvgS.exe
352	fUNKWjt.exe
4452	XAenFLV.exe
4656	KFbMoBW.exe
4552	soKjwlI.exe
3212	TfcaJRo.exe
4792	QaKshsU.exe
4928	MKUjpLZ.exe
3604	xEeIfVg.exe
5044	TzlbJkT.exe
3844	nEvdZiw.exe
3900	khMaelM.exe
2500	EMXKSLt.exe
1732	CSWkQnm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2372-0-0x00007FF607840000-0x00007FF607B91000-memory.dmp	upx
behavioral2/files/0x000b000000023ff7-5.dat	upx
behavioral2/memory/468-11-0x00007FF6AF1E0000-0x00007FF6AF531000-memory.dmp	upx
behavioral2/files/0x00070000000240c8-30.dat	upx
behavioral2/files/0x00070000000240cb-35.dat	upx
behavioral2/files/0x00070000000240cf-50.dat	upx
behavioral2/files/0x00070000000240d0-62.dat	upx
behavioral2/files/0x00070000000240cc-57.dat	upx
behavioral2/files/0x00080000000240c5-82.dat	upx
behavioral2/memory/4744-92-0x00007FF71EA90000-0x00007FF71EDE1000-memory.dmp	upx
behavioral2/memory/3572-98-0x00007FF7F9B70000-0x00007FF7F9EC1000-memory.dmp	upx
behavioral2/memory/1756-97-0x00007FF749690000-0x00007FF7499E1000-memory.dmp	upx
behavioral2/files/0x00070000000240d4-93.dat	upx
behavioral2/files/0x00070000000240d3-90.dat	upx
behavioral2/files/0x00070000000240d2-88.dat	upx
behavioral2/files/0x00070000000240d1-86.dat	upx
behavioral2/memory/1680-85-0x00007FF680F70000-0x00007FF6812C1000-memory.dmp	upx
behavioral2/memory/1880-84-0x00007FF7E5680000-0x00007FF7E59D1000-memory.dmp	upx
behavioral2/memory/1740-83-0x00007FF7132A0000-0x00007FF7135F1000-memory.dmp	upx
behavioral2/memory/3780-78-0x00007FF655660000-0x00007FF6559B1000-memory.dmp	upx
behavioral2/memory/2540-75-0x00007FF6A98F0000-0x00007FF6A9C41000-memory.dmp	upx
behavioral2/memory/4404-67-0x00007FF726C20000-0x00007FF726F71000-memory.dmp	upx
behavioral2/memory/3564-55-0x00007FF6B8D50000-0x00007FF6B90A1000-memory.dmp	upx
behavioral2/memory/5116-54-0x00007FF62A680000-0x00007FF62A9D1000-memory.dmp	upx
behavioral2/files/0x00070000000240ce-56.dat	upx
behavioral2/memory/2748-45-0x00007FF7BD1E0000-0x00007FF7BD531000-memory.dmp	upx
behavioral2/files/0x00070000000240cd-44.dat	upx
behavioral2/files/0x00070000000240ca-41.dat	upx
behavioral2/files/0x00070000000240c9-40.dat	upx
behavioral2/memory/4648-31-0x00007FF7D78C0000-0x00007FF7D7C11000-memory.dmp	upx
behavioral2/memory/3488-26-0x00007FF708610000-0x00007FF708961000-memory.dmp	upx
behavioral2/files/0x00080000000240c7-19.dat	upx
behavioral2/memory/4168-17-0x00007FF710A60000-0x00007FF710DB1000-memory.dmp	upx
behavioral2/memory/2748-109-0x00007FF7BD1E0000-0x00007FF7BD531000-memory.dmp	upx
behavioral2/memory/1680-118-0x00007FF680F70000-0x00007FF6812C1000-memory.dmp	upx
behavioral2/memory/4544-131-0x00007FF749A30000-0x00007FF749D81000-memory.dmp	upx
behavioral2/files/0x00070000000240db-143.dat	upx
behavioral2/files/0x00070000000240d8-150.dat	upx
behavioral2/files/0x00070000000240dc-159.dat	upx
behavioral2/memory/3676-161-0x00007FF620D80000-0x00007FF6210D1000-memory.dmp	upx
behavioral2/memory/4764-164-0x00007FF63F3B0000-0x00007FF63F701000-memory.dmp	upx
behavioral2/files/0x00070000000240dd-163.dat	upx
behavioral2/memory/2408-162-0x00007FF79A500000-0x00007FF79A851000-memory.dmp	upx
behavioral2/memory/3144-160-0x00007FF643AA0000-0x00007FF643DF1000-memory.dmp	upx
behavioral2/files/0x00070000000240da-156.dat	upx
behavioral2/files/0x00070000000240d9-155.dat	upx
behavioral2/memory/1532-154-0x00007FF769790000-0x00007FF769AE1000-memory.dmp	upx
behavioral2/memory/2356-152-0x00007FF7CB7C0000-0x00007FF7CBB11000-memory.dmp	upx
behavioral2/files/0x00070000000240d6-147.dat	upx
behavioral2/memory/4968-146-0x00007FF7B9610000-0x00007FF7B9961000-memory.dmp	upx
behavioral2/memory/728-145-0x00007FF78F770000-0x00007FF78FAC1000-memory.dmp	upx
behavioral2/files/0x00070000000240d5-136.dat	upx
behavioral2/files/0x00070000000240d7-134.dat	upx
behavioral2/memory/1880-116-0x00007FF7E5680000-0x00007FF7E59D1000-memory.dmp	upx
behavioral2/memory/1740-115-0x00007FF7132A0000-0x00007FF7135F1000-memory.dmp	upx
behavioral2/memory/5116-111-0x00007FF62A680000-0x00007FF62A9D1000-memory.dmp	upx
behavioral2/memory/4648-107-0x00007FF7D78C0000-0x00007FF7D7C11000-memory.dmp	upx
behavioral2/memory/4168-102-0x00007FF710A60000-0x00007FF710DB1000-memory.dmp	upx
behavioral2/memory/3488-104-0x00007FF708610000-0x00007FF708961000-memory.dmp	upx
behavioral2/memory/468-101-0x00007FF6AF1E0000-0x00007FF6AF531000-memory.dmp	upx
behavioral2/memory/2372-99-0x00007FF607840000-0x00007FF607B91000-memory.dmp	upx
behavioral2/files/0x00070000000240e1-183.dat	upx
behavioral2/memory/4080-206-0x00007FF7F9EB0000-0x00007FF7FA201000-memory.dmp	upx
behavioral2/files/0x00070000000240e3-211.dat	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\lVxvPad.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cAaNJfn.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CgmaVpv.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FMrXMOH.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nsaQvuq.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zzWfCZS.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FuIaNUu.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KtjwqdW.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BgCSuaR.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KNxnhJu.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KFFdjnK.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fDQEuyo.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yFqsTBG.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iExdOlw.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UKalUsp.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\alfvzkh.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eLNsfUa.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Nwohyub.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\staESxJ.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\paENsqs.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TDvPxDg.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CfbwVpw.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZMmlSbW.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mSLvShQ.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\idMweVZ.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tQOdWan.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JiCnUQq.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SlVHBcw.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zJQUItt.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rxMoJMU.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GmTMvzf.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TScnBdG.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XDwmyCQ.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZSuWmly.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TElFGnk.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FTBjKxQ.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lRaayQK.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vTTcDPT.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ddfZUYQ.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JflsJEj.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UKKYofe.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JcwWUCI.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TjGSNhs.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rbiIEwW.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NJocPEd.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vGCZiiL.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cjTABHQ.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fXLzDrp.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kEpIYlw.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LTLbagP.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UuCRsYv.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QHSnJJx.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GDZXpQP.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iazRXvG.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wMtghyd.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OpVzSYQ.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GrBfIUo.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bNVVSgS.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oSRrRyV.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VdIHSSX.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dVedHhO.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FiWTFYo.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JrQPXmn.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BwlrIJa.exe	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	14648	dwm.exe
Token: SeChangeNotifyPrivilege	14648	dwm.exe
Token: 33	14648	dwm.exe
Token: SeIncBasePriorityPrivilege	14648	dwm.exe
Token: SeShutdownPrivilege	14648	dwm.exe
Token: SeCreatePagefilePrivilege	14648	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 468	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2372 wrote to memory of 468	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2372 wrote to memory of 4168	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2372 wrote to memory of 4168	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2372 wrote to memory of 3488	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2372 wrote to memory of 3488	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2372 wrote to memory of 3564	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2372 wrote to memory of 3564	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2372 wrote to memory of 4648	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2372 wrote to memory of 4648	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2372 wrote to memory of 4404	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2372 wrote to memory of 4404	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2372 wrote to memory of 2748	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2372 wrote to memory of 2748	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2372 wrote to memory of 2540	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2372 wrote to memory of 2540	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2372 wrote to memory of 5116	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2372 wrote to memory of 5116	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2372 wrote to memory of 3780	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2372 wrote to memory of 3780	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2372 wrote to memory of 4744	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2372 wrote to memory of 4744	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2372 wrote to memory of 1756	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2372 wrote to memory of 1756	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2372 wrote to memory of 1740	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2372 wrote to memory of 1740	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2372 wrote to memory of 1880	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2372 wrote to memory of 1880	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2372 wrote to memory of 3572	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2372 wrote to memory of 3572	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2372 wrote to memory of 1680	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2372 wrote to memory of 1680	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2372 wrote to memory of 4544	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2372 wrote to memory of 4544	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2372 wrote to memory of 728	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2372 wrote to memory of 728	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2372 wrote to memory of 3144	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2372 wrote to memory of 3144	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2372 wrote to memory of 3676	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2372 wrote to memory of 3676	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2372 wrote to memory of 2408	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2372 wrote to memory of 2408	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2372 wrote to memory of 4968	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2372 wrote to memory of 4968	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2372 wrote to memory of 2356	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2372 wrote to memory of 2356	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2372 wrote to memory of 1532	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2372 wrote to memory of 1532	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2372 wrote to memory of 4764	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2372 wrote to memory of 4764	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2372 wrote to memory of 4064	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 2372 wrote to memory of 4064	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 2372 wrote to memory of 1200	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 2372 wrote to memory of 1200	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 2372 wrote to memory of 1444	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 2372 wrote to memory of 1444	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 2372 wrote to memory of 4080	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 2372 wrote to memory of 4080	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 2372 wrote to memory of 2884	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 2372 wrote to memory of 2884	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 2372 wrote to memory of 396	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	117
PID 2372 wrote to memory of 396	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	117
PID 2372 wrote to memory of 3300	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	118
PID 2372 wrote to memory of 3300	2372	2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe	118

C:\Users\Admin\AppData\Local\Temp\2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-21_696ab6c1b4567a6c4822df063fe0a8bb_amadey_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\System\pYIDRqe.exe
  C:\Windows\System\pYIDRqe.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\pFvEfiz.exe
  C:\Windows\System\pFvEfiz.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\gIcJRdE.exe
  C:\Windows\System\gIcJRdE.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System\yVZMIqw.exe
  C:\Windows\System\yVZMIqw.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\wCYWADs.exe
  C:\Windows\System\wCYWADs.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System\hXmwhGz.exe
  C:\Windows\System\hXmwhGz.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\JyYAxwo.exe
  C:\Windows\System\JyYAxwo.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\gzIScVJ.exe
  C:\Windows\System\gzIScVJ.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\JIJQTZI.exe
  C:\Windows\System\JIJQTZI.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\ChlbcKy.exe
  C:\Windows\System\ChlbcKy.exe
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Windows\System\FMrXMOH.exe
  C:\Windows\System\FMrXMOH.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\wUpiaXR.exe
  C:\Windows\System\wUpiaXR.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System\fDQEuyo.exe
  C:\Windows\System\fDQEuyo.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\FGAKJyy.exe
  C:\Windows\System\FGAKJyy.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\fIueuYn.exe
  C:\Windows\System\fIueuYn.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System\hZvUIIV.exe
  C:\Windows\System\hZvUIIV.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System\PKnXKIy.exe
  C:\Windows\System\PKnXKIy.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\ONSCDwR.exe
  C:\Windows\System\ONSCDwR.exe
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Windows\System\UOyDwmR.exe
  C:\Windows\System\UOyDwmR.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\OKzdtGg.exe
  C:\Windows\System\OKzdtGg.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\TSrxOJs.exe
  C:\Windows\System\TSrxOJs.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\KYworLq.exe
  C:\Windows\System\KYworLq.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\jqvumDy.exe
  C:\Windows\System\jqvumDy.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\NVJjfqn.exe
  C:\Windows\System\NVJjfqn.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\aEGzpgi.exe
  C:\Windows\System\aEGzpgi.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\gUiUkru.exe
  C:\Windows\System\gUiUkru.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\caquovf.exe
  C:\Windows\System\caquovf.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System\XqbvdrG.exe
  C:\Windows\System\XqbvdrG.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\ECOZCEe.exe
  C:\Windows\System\ECOZCEe.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System\gTrXsBm.exe
  C:\Windows\System\gTrXsBm.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\BMQlIwX.exe
  C:\Windows\System\BMQlIwX.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\UHxvDkO.exe
  C:\Windows\System\UHxvDkO.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System\TfRNndi.exe
  C:\Windows\System\TfRNndi.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\becLkyU.exe
  C:\Windows\System\becLkyU.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\EPLufXj.exe
  C:\Windows\System\EPLufXj.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\NLrcULH.exe
  C:\Windows\System\NLrcULH.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\System\gYoyiTR.exe
  C:\Windows\System\gYoyiTR.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System\qVYBUsk.exe
  C:\Windows\System\qVYBUsk.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\jksfjAi.exe
  C:\Windows\System\jksfjAi.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\EEyoSuB.exe
  C:\Windows\System\EEyoSuB.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\CfbwVpw.exe
  C:\Windows\System\CfbwVpw.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System\PUCGEin.exe
  C:\Windows\System\PUCGEin.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System\fTOBfoi.exe
  C:\Windows\System\fTOBfoi.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\YKBdvkI.exe
  C:\Windows\System\YKBdvkI.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\VPQYRba.exe
  C:\Windows\System\VPQYRba.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\xbdtFNJ.exe
  C:\Windows\System\xbdtFNJ.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\GFaNgUE.exe
  C:\Windows\System\GFaNgUE.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\vctpTFX.exe
  C:\Windows\System\vctpTFX.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\ihISjYf.exe
  C:\Windows\System\ihISjYf.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\WAXHNOX.exe
  C:\Windows\System\WAXHNOX.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\kjHuvgS.exe
  C:\Windows\System\kjHuvgS.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\KFbMoBW.exe
  C:\Windows\System\KFbMoBW.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\fUNKWjt.exe
  C:\Windows\System\fUNKWjt.exe
  2⤵
  - Executes dropped EXE
  PID:352
- C:\Windows\System\XAenFLV.exe
  C:\Windows\System\XAenFLV.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\soKjwlI.exe
  C:\Windows\System\soKjwlI.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\TfcaJRo.exe
  C:\Windows\System\TfcaJRo.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System\QaKshsU.exe
  C:\Windows\System\QaKshsU.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\MKUjpLZ.exe
  C:\Windows\System\MKUjpLZ.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\xEeIfVg.exe
  C:\Windows\System\xEeIfVg.exe
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Windows\System\TzlbJkT.exe
  C:\Windows\System\TzlbJkT.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\EMXKSLt.exe
  C:\Windows\System\EMXKSLt.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\nEvdZiw.exe
  C:\Windows\System\nEvdZiw.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System\khMaelM.exe
  C:\Windows\System\khMaelM.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System\CSWkQnm.exe
  C:\Windows\System\CSWkQnm.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\DeAPLfN.exe
  C:\Windows\System\DeAPLfN.exe
  2⤵
  PID:2820
- C:\Windows\System\XqnpMfh.exe
  C:\Windows\System\XqnpMfh.exe
  2⤵
  PID:4428
- C:\Windows\System\iNlOjkl.exe
  C:\Windows\System\iNlOjkl.exe
  2⤵
  PID:4932
- C:\Windows\System\mngNajm.exe
  C:\Windows\System\mngNajm.exe
  2⤵
  PID:1256
- C:\Windows\System\ZMmlSbW.exe
  C:\Windows\System\ZMmlSbW.exe
  2⤵
  PID:1216
- C:\Windows\System\MWQDVWJ.exe
  C:\Windows\System\MWQDVWJ.exe
  2⤵
  PID:1904
- C:\Windows\System\FKJlhSi.exe
  C:\Windows\System\FKJlhSi.exe
  2⤵
  PID:1464
- C:\Windows\System\ALsonen.exe
  C:\Windows\System\ALsonen.exe
  2⤵
  PID:3188
- C:\Windows\System\VUlLhBM.exe
  C:\Windows\System\VUlLhBM.exe
  2⤵
  PID:3560
- C:\Windows\System\sazubAF.exe
  C:\Windows\System\sazubAF.exe
  2⤵
  PID:3288
- C:\Windows\System\tQOdWan.exe
  C:\Windows\System\tQOdWan.exe
  2⤵
  PID:4868
- C:\Windows\System\sYrVdzt.exe
  C:\Windows\System\sYrVdzt.exe
  2⤵
  PID:3280
- C:\Windows\System\BLLwmuf.exe
  C:\Windows\System\BLLwmuf.exe
  2⤵
  PID:4376
- C:\Windows\System\QGVPokQ.exe
  C:\Windows\System\QGVPokQ.exe
  2⤵
  PID:4768
- C:\Windows\System\vdSQHlF.exe
  C:\Windows\System\vdSQHlF.exe
  2⤵
  PID:4716
- C:\Windows\System\gzwOZYg.exe
  C:\Windows\System\gzwOZYg.exe
  2⤵
  PID:3012
- C:\Windows\System\MuCBXxB.exe
  C:\Windows\System\MuCBXxB.exe
  2⤵
  PID:3552
- C:\Windows\System\fvScvLn.exe
  C:\Windows\System\fvScvLn.exe
  2⤵
  PID:3680
- C:\Windows\System\YZpKTSJ.exe
  C:\Windows\System\YZpKTSJ.exe
  2⤵
  PID:4328
- C:\Windows\System\KvIeTdF.exe
  C:\Windows\System\KvIeTdF.exe
  2⤵
  PID:216
- C:\Windows\System\CuTHhna.exe
  C:\Windows\System\CuTHhna.exe
  2⤵
  PID:3448
- C:\Windows\System\TElFGnk.exe
  C:\Windows\System\TElFGnk.exe
  2⤵
  PID:652
- C:\Windows\System\DQVuxHV.exe
  C:\Windows\System\DQVuxHV.exe
  2⤵
  PID:2648
- C:\Windows\System\XBitRai.exe
  C:\Windows\System\XBitRai.exe
  2⤵
  PID:1572
- C:\Windows\System\inrBvmH.exe
  C:\Windows\System\inrBvmH.exe
  2⤵
  PID:376
- C:\Windows\System\BqAYnoC.exe
  C:\Windows\System\BqAYnoC.exe
  2⤵
  PID:1840
- C:\Windows\System\weSKRyU.exe
  C:\Windows\System\weSKRyU.exe
  2⤵
  PID:4172
- C:\Windows\System\qxBhYVU.exe
  C:\Windows\System\qxBhYVU.exe
  2⤵
  PID:2600
- C:\Windows\System\EOwomOZ.exe
  C:\Windows\System\EOwomOZ.exe
  2⤵
  PID:2668
- C:\Windows\System\SeQCmUg.exe
  C:\Windows\System\SeQCmUg.exe
  2⤵
  PID:224
- C:\Windows\System\DKPUkNc.exe
  C:\Windows\System\DKPUkNc.exe
  2⤵
  PID:1320
- C:\Windows\System\FTBjKxQ.exe
  C:\Windows\System\FTBjKxQ.exe
  2⤵
  PID:400
- C:\Windows\System\MGeXJQT.exe
  C:\Windows\System\MGeXJQT.exe
  2⤵
  PID:4444
- C:\Windows\System\kWqXJKp.exe
  C:\Windows\System\kWqXJKp.exe
  2⤵
  PID:2696
- C:\Windows\System\GaiSJpT.exe
  C:\Windows\System\GaiSJpT.exe
  2⤵
  PID:32
- C:\Windows\System\AyEHOmn.exe
  C:\Windows\System\AyEHOmn.exe
  2⤵
  PID:4736
- C:\Windows\System\GuayOwQ.exe
  C:\Windows\System\GuayOwQ.exe
  2⤵
  PID:4960
- C:\Windows\System\EgSyfWo.exe
  C:\Windows\System\EgSyfWo.exe
  2⤵
  PID:2088
- C:\Windows\System\sYELXLp.exe
  C:\Windows\System\sYELXLp.exe
  2⤵
  PID:2592
- C:\Windows\System\sTchlCb.exe
  C:\Windows\System\sTchlCb.exe
  2⤵
  PID:4940
- C:\Windows\System\frHakyA.exe
  C:\Windows\System\frHakyA.exe
  2⤵
  PID:4048
- C:\Windows\System\HRnWpJH.exe
  C:\Windows\System\HRnWpJH.exe
  2⤵
  PID:2708
- C:\Windows\System\AvpEzcO.exe
  C:\Windows\System\AvpEzcO.exe
  2⤵
  PID:2240
- C:\Windows\System\kNusUUk.exe
  C:\Windows\System\kNusUUk.exe
  2⤵
  PID:3728
- C:\Windows\System\GxBmGuI.exe
  C:\Windows\System\GxBmGuI.exe
  2⤵
  PID:1936
- C:\Windows\System\uCoahIL.exe
  C:\Windows\System\uCoahIL.exe
  2⤵
  PID:5140
- C:\Windows\System\UnWFVWj.exe
  C:\Windows\System\UnWFVWj.exe
  2⤵
  PID:5168
- C:\Windows\System\oGCTTVS.exe
  C:\Windows\System\oGCTTVS.exe
  2⤵
  PID:5204
- C:\Windows\System\hitmbjU.exe
  C:\Windows\System\hitmbjU.exe
  2⤵
  PID:5224
- C:\Windows\System\SvCLRxd.exe
  C:\Windows\System\SvCLRxd.exe
  2⤵
  PID:5256
- C:\Windows\System\rLYIGPx.exe
  C:\Windows\System\rLYIGPx.exe
  2⤵
  PID:5280
- C:\Windows\System\NoxTqXM.exe
  C:\Windows\System\NoxTqXM.exe
  2⤵
  PID:5300
- C:\Windows\System\HAmxUxX.exe
  C:\Windows\System\HAmxUxX.exe
  2⤵
  PID:5320
- C:\Windows\System\OakRWpx.exe
  C:\Windows\System\OakRWpx.exe
  2⤵
  PID:5344
- C:\Windows\System\jSvWEMD.exe
  C:\Windows\System\jSvWEMD.exe
  2⤵
  PID:5376
- C:\Windows\System\JiCnUQq.exe
  C:\Windows\System\JiCnUQq.exe
  2⤵
  PID:5408
- C:\Windows\System\vcWtZSY.exe
  C:\Windows\System\vcWtZSY.exe
  2⤵
  PID:5432
- C:\Windows\System\nsaQvuq.exe
  C:\Windows\System\nsaQvuq.exe
  2⤵
  PID:5472
- C:\Windows\System\yFqsTBG.exe
  C:\Windows\System\yFqsTBG.exe
  2⤵
  PID:5504
- C:\Windows\System\iExdOlw.exe
  C:\Windows\System\iExdOlw.exe
  2⤵
  PID:5528
- C:\Windows\System\ouPAqNQ.exe
  C:\Windows\System\ouPAqNQ.exe
  2⤵
  PID:5556
- C:\Windows\System\SyfAVdv.exe
  C:\Windows\System\SyfAVdv.exe
  2⤵
  PID:5584
- C:\Windows\System\gQIjZTA.exe
  C:\Windows\System\gQIjZTA.exe
  2⤵
  PID:5612
- C:\Windows\System\pnKpmlR.exe
  C:\Windows\System\pnKpmlR.exe
  2⤵
  PID:5644
- C:\Windows\System\FiWTFYo.exe
  C:\Windows\System\FiWTFYo.exe
  2⤵
  PID:5668
- C:\Windows\System\zgwkprh.exe
  C:\Windows\System\zgwkprh.exe
  2⤵
  PID:5696
- C:\Windows\System\QaxVhNM.exe
  C:\Windows\System\QaxVhNM.exe
  2⤵
  PID:5728
- C:\Windows\System\jbNxXck.exe
  C:\Windows\System\jbNxXck.exe
  2⤵
  PID:5752
- C:\Windows\System\YNshUJB.exe
  C:\Windows\System\YNshUJB.exe
  2⤵
  PID:5784
- C:\Windows\System\gDvZjia.exe
  C:\Windows\System\gDvZjia.exe
  2⤵
  PID:5816
- C:\Windows\System\WpwljRh.exe
  C:\Windows\System\WpwljRh.exe
  2⤵
  PID:5856
- C:\Windows\System\ffAfQZn.exe
  C:\Windows\System\ffAfQZn.exe
  2⤵
  PID:5876
- C:\Windows\System\iLHceav.exe
  C:\Windows\System\iLHceav.exe
  2⤵
  PID:5904
- C:\Windows\System\lwUrHMW.exe
  C:\Windows\System\lwUrHMW.exe
  2⤵
  PID:5936
- C:\Windows\System\kUVyYDY.exe
  C:\Windows\System\kUVyYDY.exe
  2⤵
  PID:5960
- C:\Windows\System\JCerMQp.exe
  C:\Windows\System\JCerMQp.exe
  2⤵
  PID:5992
- C:\Windows\System\RjRgTgU.exe
  C:\Windows\System\RjRgTgU.exe
  2⤵
  PID:6016
- C:\Windows\System\xIznFvx.exe
  C:\Windows\System\xIznFvx.exe
  2⤵
  PID:6036
- C:\Windows\System\wknUXVW.exe
  C:\Windows\System\wknUXVW.exe
  2⤵
  PID:6064
- C:\Windows\System\CQkwTJJ.exe
  C:\Windows\System\CQkwTJJ.exe
  2⤵
  PID:6092
- C:\Windows\System\JkvefKo.exe
  C:\Windows\System\JkvefKo.exe
  2⤵
  PID:6124
- C:\Windows\System\SFSrEVv.exe
  C:\Windows\System\SFSrEVv.exe
  2⤵
  PID:5152
- C:\Windows\System\ubEryrr.exe
  C:\Windows\System\ubEryrr.exe
  2⤵
  PID:5192
- C:\Windows\System\TjGSNhs.exe
  C:\Windows\System\TjGSNhs.exe
  2⤵
  PID:5268
- C:\Windows\System\bTsuKjV.exe
  C:\Windows\System\bTsuKjV.exe
  2⤵
  PID:5332
- C:\Windows\System\FyvpLbK.exe
  C:\Windows\System\FyvpLbK.exe
  2⤵
  PID:5368
- C:\Windows\System\euIhyiN.exe
  C:\Windows\System\euIhyiN.exe
  2⤵
  PID:5440
- C:\Windows\System\MhatcsK.exe
  C:\Windows\System\MhatcsK.exe
  2⤵
  PID:5512
- C:\Windows\System\pYuBYsE.exe
  C:\Windows\System\pYuBYsE.exe
  2⤵
  PID:5572
- C:\Windows\System\CEWePsl.exe
  C:\Windows\System\CEWePsl.exe
  2⤵
  PID:5652
- C:\Windows\System\HbqzEnj.exe
  C:\Windows\System\HbqzEnj.exe
  2⤵
  PID:5708
- C:\Windows\System\FddzSit.exe
  C:\Windows\System\FddzSit.exe
  2⤵
  PID:5768
- C:\Windows\System\DOXxGCf.exe
  C:\Windows\System\DOXxGCf.exe
  2⤵
  PID:5844
- C:\Windows\System\mKLdoAP.exe
  C:\Windows\System\mKLdoAP.exe
  2⤵
  PID:5916
- C:\Windows\System\GDEDfNV.exe
  C:\Windows\System\GDEDfNV.exe
  2⤵
  PID:6012
- C:\Windows\System\dAkBvxs.exe
  C:\Windows\System\dAkBvxs.exe
  2⤵
  PID:6052
- C:\Windows\System\tzgriYU.exe
  C:\Windows\System\tzgriYU.exe
  2⤵
  PID:5124
- C:\Windows\System\cewAfxg.exe
  C:\Windows\System\cewAfxg.exe
  2⤵
  PID:5236
- C:\Windows\System\bgobYCx.exe
  C:\Windows\System\bgobYCx.exe
  2⤵
  PID:5364
- C:\Windows\System\UUuNqxn.exe
  C:\Windows\System\UUuNqxn.exe
  2⤵
  PID:5540
- C:\Windows\System\fXLzDrp.exe
  C:\Windows\System\fXLzDrp.exe
  2⤵
  PID:5680
- C:\Windows\System\dGSWBcQ.exe
  C:\Windows\System\dGSWBcQ.exe
  2⤵
  PID:5832
- C:\Windows\System\cKmvPqz.exe
  C:\Windows\System\cKmvPqz.exe
  2⤵
  PID:5928
- C:\Windows\System\lRaayQK.exe
  C:\Windows\System\lRaayQK.exe
  2⤵
  PID:6140
- C:\Windows\System\ItMAjnr.exe
  C:\Windows\System\ItMAjnr.exe
  2⤵
  PID:5548
- C:\Windows\System\xzADfCJ.exe
  C:\Windows\System\xzADfCJ.exe
  2⤵
  PID:5824
- C:\Windows\System\EznBHbB.exe
  C:\Windows\System\EznBHbB.exe
  2⤵
  PID:6080
- C:\Windows\System\ZOTuIhs.exe
  C:\Windows\System\ZOTuIhs.exe
  2⤵
  PID:5424
- C:\Windows\System\yjJBrzE.exe
  C:\Windows\System\yjJBrzE.exe
  2⤵
  PID:6188
- C:\Windows\System\CQShULM.exe
  C:\Windows\System\CQShULM.exe
  2⤵
  PID:6220
- C:\Windows\System\brknYdu.exe
  C:\Windows\System\brknYdu.exe
  2⤵
  PID:6244
- C:\Windows\System\DLmqLQs.exe
  C:\Windows\System\DLmqLQs.exe
  2⤵
  PID:6260
- C:\Windows\System\MkXEyqV.exe
  C:\Windows\System\MkXEyqV.exe
  2⤵
  PID:6304
- C:\Windows\System\VrExepI.exe
  C:\Windows\System\VrExepI.exe
  2⤵
  PID:6328
- C:\Windows\System\YEEQmbx.exe
  C:\Windows\System\YEEQmbx.exe
  2⤵
  PID:6360
- C:\Windows\System\RFscHYC.exe
  C:\Windows\System\RFscHYC.exe
  2⤵
  PID:6376
- C:\Windows\System\qtqpHaf.exe
  C:\Windows\System\qtqpHaf.exe
  2⤵
  PID:6420
- C:\Windows\System\eVbPLDM.exe
  C:\Windows\System\eVbPLDM.exe
  2⤵
  PID:6448
- C:\Windows\System\YaZRrcS.exe
  C:\Windows\System\YaZRrcS.exe
  2⤵
  PID:6492
- C:\Windows\System\FAcBDBp.exe
  C:\Windows\System\FAcBDBp.exe
  2⤵
  PID:6508
- C:\Windows\System\rIjdDgp.exe
  C:\Windows\System\rIjdDgp.exe
  2⤵
  PID:6532
- C:\Windows\System\RjIbNXF.exe
  C:\Windows\System\RjIbNXF.exe
  2⤵
  PID:6556
- C:\Windows\System\iaiOUDx.exe
  C:\Windows\System\iaiOUDx.exe
  2⤵
  PID:6580
- C:\Windows\System\iYTqJHd.exe
  C:\Windows\System\iYTqJHd.exe
  2⤵
  PID:6608
- C:\Windows\System\ykgvOIo.exe
  C:\Windows\System\ykgvOIo.exe
  2⤵
  PID:6640
- C:\Windows\System\CmMaHJR.exe
  C:\Windows\System\CmMaHJR.exe
  2⤵
  PID:6668
- C:\Windows\System\tWabvCq.exe
  C:\Windows\System\tWabvCq.exe
  2⤵
  PID:6700
- C:\Windows\System\twRUQti.exe
  C:\Windows\System\twRUQti.exe
  2⤵
  PID:6736
- C:\Windows\System\tEtJsKW.exe
  C:\Windows\System\tEtJsKW.exe
  2⤵
  PID:6760
- C:\Windows\System\PWogHMG.exe
  C:\Windows\System\PWogHMG.exe
  2⤵
  PID:6796
- C:\Windows\System\UKalUsp.exe
  C:\Windows\System\UKalUsp.exe
  2⤵
  PID:6824
- C:\Windows\System\pNMhuNZ.exe
  C:\Windows\System\pNMhuNZ.exe
  2⤵
  PID:6864
- C:\Windows\System\nfRTuWb.exe
  C:\Windows\System\nfRTuWb.exe
  2⤵
  PID:6884
- C:\Windows\System\oOPzZew.exe
  C:\Windows\System\oOPzZew.exe
  2⤵
  PID:6900
- C:\Windows\System\nKRAHAb.exe
  C:\Windows\System\nKRAHAb.exe
  2⤵
  PID:6920
- C:\Windows\System\nwYfQzN.exe
  C:\Windows\System\nwYfQzN.exe
  2⤵
  PID:6952
- C:\Windows\System\jkLFKzP.exe
  C:\Windows\System\jkLFKzP.exe
  2⤵
  PID:6988
- C:\Windows\System\cFgkLLs.exe
  C:\Windows\System\cFgkLLs.exe
  2⤵
  PID:7028
- C:\Windows\System\ZUfnfLT.exe
  C:\Windows\System\ZUfnfLT.exe
  2⤵
  PID:7064
- C:\Windows\System\meaJpUN.exe
  C:\Windows\System\meaJpUN.exe
  2⤵
  PID:7100
- C:\Windows\System\gvwWhYT.exe
  C:\Windows\System\gvwWhYT.exe
  2⤵
  PID:7136
- C:\Windows\System\mpHOlqu.exe
  C:\Windows\System\mpHOlqu.exe
  2⤵
  PID:7164
- C:\Windows\System\NJeYqWv.exe
  C:\Windows\System\NJeYqWv.exe
  2⤵
  PID:6172
- C:\Windows\System\fmMUiRj.exe
  C:\Windows\System\fmMUiRj.exe
  2⤵
  PID:6212
- C:\Windows\System\asuSVDv.exe
  C:\Windows\System\asuSVDv.exe
  2⤵
  PID:6276
- C:\Windows\System\QHSnJJx.exe
  C:\Windows\System\QHSnJJx.exe
  2⤵
  PID:6412
- C:\Windows\System\qumBHbG.exe
  C:\Windows\System\qumBHbG.exe
  2⤵
  PID:6440
- C:\Windows\System\hNLVtEI.exe
  C:\Windows\System\hNLVtEI.exe
  2⤵
  PID:6504
- C:\Windows\System\HsMPrgB.exe
  C:\Windows\System\HsMPrgB.exe
  2⤵
  PID:6548
- C:\Windows\System\vTTcDPT.exe
  C:\Windows\System\vTTcDPT.exe
  2⤵
  PID:6648
- C:\Windows\System\vtRHGGg.exe
  C:\Windows\System\vtRHGGg.exe
  2⤵
  PID:5456
- C:\Windows\System\IiJdMPI.exe
  C:\Windows\System\IiJdMPI.exe
  2⤵
  PID:6744
- C:\Windows\System\OkOJHWs.exe
  C:\Windows\System\OkOJHWs.exe
  2⤵
  PID:6804
- C:\Windows\System\VjkVMWk.exe
  C:\Windows\System\VjkVMWk.exe
  2⤵
  PID:6844
- C:\Windows\System\owaCXyY.exe
  C:\Windows\System\owaCXyY.exe
  2⤵
  PID:6960
- C:\Windows\System\JkqrvkK.exe
  C:\Windows\System\JkqrvkK.exe
  2⤵
  PID:6976
- C:\Windows\System\wyZrXlW.exe
  C:\Windows\System\wyZrXlW.exe
  2⤵
  PID:7076
- C:\Windows\System\alfvzkh.exe
  C:\Windows\System\alfvzkh.exe
  2⤵
  PID:6076
- C:\Windows\System\lmSUgqa.exe
  C:\Windows\System\lmSUgqa.exe
  2⤵
  PID:6324
- C:\Windows\System\DRLszqe.exe
  C:\Windows\System\DRLszqe.exe
  2⤵
  PID:6564
- C:\Windows\System\SigPBnM.exe
  C:\Windows\System\SigPBnM.exe
  2⤵
  PID:6660
- C:\Windows\System\TBmzZNk.exe
  C:\Windows\System\TBmzZNk.exe
  2⤵
  PID:6820
- C:\Windows\System\CLGlXgl.exe
  C:\Windows\System\CLGlXgl.exe
  2⤵
  PID:6840
- C:\Windows\System\kbZVAgP.exe
  C:\Windows\System\kbZVAgP.exe
  2⤵
  PID:7040
- C:\Windows\System\nlwFUZn.exe
  C:\Windows\System\nlwFUZn.exe
  2⤵
  PID:6284
- C:\Windows\System\YSfpmKL.exe
  C:\Windows\System\YSfpmKL.exe
  2⤵
  PID:6912
- C:\Windows\System\CxNOgIB.exe
  C:\Windows\System\CxNOgIB.exe
  2⤵
  PID:6488
- C:\Windows\System\RYbNbgC.exe
  C:\Windows\System\RYbNbgC.exe
  2⤵
  PID:1032
- C:\Windows\System\NVqAIYK.exe
  C:\Windows\System\NVqAIYK.exe
  2⤵
  PID:7148
- C:\Windows\System\pEsyeaU.exe
  C:\Windows\System\pEsyeaU.exe
  2⤵
  PID:6876
- C:\Windows\System\fbGrcAV.exe
  C:\Windows\System\fbGrcAV.exe
  2⤵
  PID:7196
- C:\Windows\System\mSLvShQ.exe
  C:\Windows\System\mSLvShQ.exe
  2⤵
  PID:7240
- C:\Windows\System\EplOtmu.exe
  C:\Windows\System\EplOtmu.exe
  2⤵
  PID:7268
- C:\Windows\System\kXhIORR.exe
  C:\Windows\System\kXhIORR.exe
  2⤵
  PID:7300
- C:\Windows\System\yqAFWck.exe
  C:\Windows\System\yqAFWck.exe
  2⤵
  PID:7336
- C:\Windows\System\BlCWcZH.exe
  C:\Windows\System\BlCWcZH.exe
  2⤵
  PID:7372
- C:\Windows\System\INOOcZx.exe
  C:\Windows\System\INOOcZx.exe
  2⤵
  PID:7416
- C:\Windows\System\GrBfIUo.exe
  C:\Windows\System\GrBfIUo.exe
  2⤵
  PID:7460
- C:\Windows\System\kpckziX.exe
  C:\Windows\System\kpckziX.exe
  2⤵
  PID:7492
- C:\Windows\System\dvFpaJT.exe
  C:\Windows\System\dvFpaJT.exe
  2⤵
  PID:7524
- C:\Windows\System\fyKGKJo.exe
  C:\Windows\System\fyKGKJo.exe
  2⤵
  PID:7556
- C:\Windows\System\PzAkONT.exe
  C:\Windows\System\PzAkONT.exe
  2⤵
  PID:7588
- C:\Windows\System\gNwbBoN.exe
  C:\Windows\System\gNwbBoN.exe
  2⤵
  PID:7624
- C:\Windows\System\gfyQoUW.exe
  C:\Windows\System\gfyQoUW.exe
  2⤵
  PID:7660
- C:\Windows\System\ofmEoSd.exe
  C:\Windows\System\ofmEoSd.exe
  2⤵
  PID:7688
- C:\Windows\System\NypakiK.exe
  C:\Windows\System\NypakiK.exe
  2⤵
  PID:7716
- C:\Windows\System\YLNtJgX.exe
  C:\Windows\System\YLNtJgX.exe
  2⤵
  PID:7744
- C:\Windows\System\PuXuXdu.exe
  C:\Windows\System\PuXuXdu.exe
  2⤵
  PID:7796
- C:\Windows\System\rWMkbJC.exe
  C:\Windows\System\rWMkbJC.exe
  2⤵
  PID:7832
- C:\Windows\System\XooosBC.exe
  C:\Windows\System\XooosBC.exe
  2⤵
  PID:7848
- C:\Windows\System\jWlqLtR.exe
  C:\Windows\System\jWlqLtR.exe
  2⤵
  PID:7864
- C:\Windows\System\BNHTHjM.exe
  C:\Windows\System\BNHTHjM.exe
  2⤵
  PID:7884
- C:\Windows\System\dtCGzzd.exe
  C:\Windows\System\dtCGzzd.exe
  2⤵
  PID:7912
- C:\Windows\System\kYXVqYB.exe
  C:\Windows\System\kYXVqYB.exe
  2⤵
  PID:7948
- C:\Windows\System\mzimgdD.exe
  C:\Windows\System\mzimgdD.exe
  2⤵
  PID:7984
- C:\Windows\System\bxhnYvv.exe
  C:\Windows\System\bxhnYvv.exe
  2⤵
  PID:8016
- C:\Windows\System\bNVVSgS.exe
  C:\Windows\System\bNVVSgS.exe
  2⤵
  PID:8048
- C:\Windows\System\FLmPIyt.exe
  C:\Windows\System\FLmPIyt.exe
  2⤵
  PID:8084
- C:\Windows\System\RFjTCnc.exe
  C:\Windows\System\RFjTCnc.exe
  2⤵
  PID:8120
- C:\Windows\System\DpLAqqQ.exe
  C:\Windows\System\DpLAqqQ.exe
  2⤵
  PID:8148
- C:\Windows\System\pblZZBq.exe
  C:\Windows\System\pblZZBq.exe
  2⤵
  PID:8172
- C:\Windows\System\OrtzYTc.exe
  C:\Windows\System\OrtzYTc.exe
  2⤵
  PID:1956
- C:\Windows\System\JcCZjJg.exe
  C:\Windows\System\JcCZjJg.exe
  2⤵
  PID:7176
- C:\Windows\System\rJNhcJx.exe
  C:\Windows\System\rJNhcJx.exe
  2⤵
  PID:7276
- C:\Windows\System\hLJpvWc.exe
  C:\Windows\System\hLJpvWc.exe
  2⤵
  PID:7320
- C:\Windows\System\TDNcEBr.exe
  C:\Windows\System\TDNcEBr.exe
  2⤵
  PID:7424
- C:\Windows\System\GsPYzGT.exe
  C:\Windows\System\GsPYzGT.exe
  2⤵
  PID:7468
- C:\Windows\System\SgzdtXj.exe
  C:\Windows\System\SgzdtXj.exe
  2⤵
  PID:7584
- C:\Windows\System\UinNihB.exe
  C:\Windows\System\UinNihB.exe
  2⤵
  PID:7680
- C:\Windows\System\wJWkDnN.exe
  C:\Windows\System\wJWkDnN.exe
  2⤵
  PID:7740
- C:\Windows\System\qBopvta.exe
  C:\Windows\System\qBopvta.exe
  2⤵
  PID:7792
- C:\Windows\System\ItoHjov.exe
  C:\Windows\System\ItoHjov.exe
  2⤵
  PID:7824
- C:\Windows\System\ddfZUYQ.exe
  C:\Windows\System\ddfZUYQ.exe
  2⤵
  PID:8004
- C:\Windows\System\WJVahcY.exe
  C:\Windows\System\WJVahcY.exe
  2⤵
  PID:8108
- C:\Windows\System\oufUxKG.exe
  C:\Windows\System\oufUxKG.exe
  2⤵
  PID:8188
- C:\Windows\System\OrZbhtw.exe
  C:\Windows\System\OrZbhtw.exe
  2⤵
  PID:7232
- C:\Windows\System\rxMoJMU.exe
  C:\Windows\System\rxMoJMU.exe
  2⤵
  PID:7292
- C:\Windows\System\OShBJKq.exe
  C:\Windows\System\OShBJKq.exe
  2⤵
  PID:7580
- C:\Windows\System\IWptTUS.exe
  C:\Windows\System\IWptTUS.exe
  2⤵
  PID:7736
- C:\Windows\System\aVkyyZa.exe
  C:\Windows\System\aVkyyZa.exe
  2⤵
  PID:7956
- C:\Windows\System\BrfmYFj.exe
  C:\Windows\System\BrfmYFj.exe
  2⤵
  PID:7844
- C:\Windows\System\vyOgice.exe
  C:\Windows\System\vyOgice.exe
  2⤵
  PID:7996
- C:\Windows\System\RTSlYqm.exe
  C:\Windows\System\RTSlYqm.exe
  2⤵
  PID:7964
- C:\Windows\System\UapUBlt.exe
  C:\Windows\System\UapUBlt.exe
  2⤵
  PID:7712
- C:\Windows\System\FAqyGSM.exe
  C:\Windows\System\FAqyGSM.exe
  2⤵
  PID:7980
- C:\Windows\System\wOrSkMK.exe
  C:\Windows\System\wOrSkMK.exe
  2⤵
  PID:7700
- C:\Windows\System\QyYVbwO.exe
  C:\Windows\System\QyYVbwO.exe
  2⤵
  PID:8200
- C:\Windows\System\cwymmIC.exe
  C:\Windows\System\cwymmIC.exe
  2⤵
  PID:8220
- C:\Windows\System\JflsJEj.exe
  C:\Windows\System\JflsJEj.exe
  2⤵
  PID:8256
- C:\Windows\System\LYObFRG.exe
  C:\Windows\System\LYObFRG.exe
  2⤵
  PID:8312
- C:\Windows\System\kLqERsK.exe
  C:\Windows\System\kLqERsK.exe
  2⤵
  PID:8332
- C:\Windows\System\cbVhhbc.exe
  C:\Windows\System\cbVhhbc.exe
  2⤵
  PID:8348
- C:\Windows\System\vXrIYRN.exe
  C:\Windows\System\vXrIYRN.exe
  2⤵
  PID:8368
- C:\Windows\System\RKIlJTN.exe
  C:\Windows\System\RKIlJTN.exe
  2⤵
  PID:8396
- C:\Windows\System\ZDLWqHu.exe
  C:\Windows\System\ZDLWqHu.exe
  2⤵
  PID:8416
- C:\Windows\System\JrQPXmn.exe
  C:\Windows\System\JrQPXmn.exe
  2⤵
  PID:8448
- C:\Windows\System\dYRHPbh.exe
  C:\Windows\System\dYRHPbh.exe
  2⤵
  PID:8484
- C:\Windows\System\qBBuGAF.exe
  C:\Windows\System\qBBuGAF.exe
  2⤵
  PID:8532
- C:\Windows\System\CKVVbSO.exe
  C:\Windows\System\CKVVbSO.exe
  2⤵
  PID:8568
- C:\Windows\System\GDZXpQP.exe
  C:\Windows\System\GDZXpQP.exe
  2⤵
  PID:8592
- C:\Windows\System\kQrPcNd.exe
  C:\Windows\System\kQrPcNd.exe
  2⤵
  PID:8620
- C:\Windows\System\KPPbKNT.exe
  C:\Windows\System\KPPbKNT.exe
  2⤵
  PID:8656
- C:\Windows\System\HCIewHP.exe
  C:\Windows\System\HCIewHP.exe
  2⤵
  PID:8676
- C:\Windows\System\GQEdYvE.exe
  C:\Windows\System\GQEdYvE.exe
  2⤵
  PID:8708
- C:\Windows\System\ffVcSaE.exe
  C:\Windows\System\ffVcSaE.exe
  2⤵
  PID:8728
- C:\Windows\System\UKKYofe.exe
  C:\Windows\System\UKKYofe.exe
  2⤵
  PID:8760
- C:\Windows\System\CpyPlQP.exe
  C:\Windows\System\CpyPlQP.exe
  2⤵
  PID:8776
- C:\Windows\System\OavlcxZ.exe
  C:\Windows\System\OavlcxZ.exe
  2⤵
  PID:8796
- C:\Windows\System\ljXXfAM.exe
  C:\Windows\System\ljXXfAM.exe
  2⤵
  PID:8840
- C:\Windows\System\AwSLfPo.exe
  C:\Windows\System\AwSLfPo.exe
  2⤵
  PID:8864
- C:\Windows\System\uIMCPCy.exe
  C:\Windows\System\uIMCPCy.exe
  2⤵
  PID:8900
- C:\Windows\System\MmtVcSO.exe
  C:\Windows\System\MmtVcSO.exe
  2⤵
  PID:8928
- C:\Windows\System\GsPJBNC.exe
  C:\Windows\System\GsPJBNC.exe
  2⤵
  PID:8956
- C:\Windows\System\kEpIYlw.exe
  C:\Windows\System\kEpIYlw.exe
  2⤵
  PID:8984
- C:\Windows\System\tQxxXrz.exe
  C:\Windows\System\tQxxXrz.exe
  2⤵
  PID:9020
- C:\Windows\System\HiOwnsE.exe
  C:\Windows\System\HiOwnsE.exe
  2⤵
  PID:9048
- C:\Windows\System\BwlrIJa.exe
  C:\Windows\System\BwlrIJa.exe
  2⤵
  PID:9088
- C:\Windows\System\pOCTRJS.exe
  C:\Windows\System\pOCTRJS.exe
  2⤵
  PID:9108
- C:\Windows\System\DgRMsZL.exe
  C:\Windows\System\DgRMsZL.exe
  2⤵
  PID:9144
- C:\Windows\System\OsCRlYL.exe
  C:\Windows\System\OsCRlYL.exe
  2⤵
  PID:9168
- C:\Windows\System\XLOoWdy.exe
  C:\Windows\System\XLOoWdy.exe
  2⤵
  PID:9200
- C:\Windows\System\muFjfSF.exe
  C:\Windows\System\muFjfSF.exe
  2⤵
  PID:7816
- C:\Windows\System\gBWkoiO.exe
  C:\Windows\System\gBWkoiO.exe
  2⤵
  PID:8252
- C:\Windows\System\hhCzIjp.exe
  C:\Windows\System\hhCzIjp.exe
  2⤵
  PID:8276
- C:\Windows\System\MYIQmag.exe
  C:\Windows\System\MYIQmag.exe
  2⤵
  PID:8380
- C:\Windows\System\ixYHeyW.exe
  C:\Windows\System\ixYHeyW.exe
  2⤵
  PID:8364
- C:\Windows\System\kcnpDhz.exe
  C:\Windows\System\kcnpDhz.exe
  2⤵
  PID:8408
- C:\Windows\System\OxJRGCE.exe
  C:\Windows\System\OxJRGCE.exe
  2⤵
  PID:8520
- C:\Windows\System\Ffbgyam.exe
  C:\Windows\System\Ffbgyam.exe
  2⤵
  PID:8612
- C:\Windows\System\aAVtWkn.exe
  C:\Windows\System\aAVtWkn.exe
  2⤵
  PID:8684
- C:\Windows\System\lqBCrzH.exe
  C:\Windows\System\lqBCrzH.exe
  2⤵
  PID:8740
- C:\Windows\System\QCXHFDU.exe
  C:\Windows\System\QCXHFDU.exe
  2⤵
  PID:8820
- C:\Windows\System\zSNDuuW.exe
  C:\Windows\System\zSNDuuW.exe
  2⤵
  PID:8880
- C:\Windows\System\rzFHtHi.exe
  C:\Windows\System\rzFHtHi.exe
  2⤵
  PID:8964
- C:\Windows\System\bQxxVhd.exe
  C:\Windows\System\bQxxVhd.exe
  2⤵
  PID:9012
- C:\Windows\System\THwptXy.exe
  C:\Windows\System\THwptXy.exe
  2⤵
  PID:9084
- C:\Windows\System\mOfEWvY.exe
  C:\Windows\System\mOfEWvY.exe
  2⤵
  PID:9156
- C:\Windows\System\mOksegl.exe
  C:\Windows\System\mOksegl.exe
  2⤵
  PID:9208
- C:\Windows\System\ayzAfGM.exe
  C:\Windows\System\ayzAfGM.exe
  2⤵
  PID:8280
- C:\Windows\System\vMoCKtR.exe
  C:\Windows\System\vMoCKtR.exe
  2⤵
  PID:8504
- C:\Windows\System\stchCXz.exe
  C:\Windows\System\stchCXz.exe
  2⤵
  PID:8580
- C:\Windows\System\OJeunYV.exe
  C:\Windows\System\OJeunYV.exe
  2⤵
  PID:8672
- C:\Windows\System\ebHmrXK.exe
  C:\Windows\System\ebHmrXK.exe
  2⤵
  PID:7940
- C:\Windows\System\kcBtAzC.exe
  C:\Windows\System\kcBtAzC.exe
  2⤵
  PID:9028
- C:\Windows\System\XfMCCMa.exe
  C:\Windows\System\XfMCCMa.exe
  2⤵
  PID:9188
- C:\Windows\System\UmpcjAf.exe
  C:\Windows\System\UmpcjAf.exe
  2⤵
  PID:8304
- C:\Windows\System\iazRXvG.exe
  C:\Windows\System\iazRXvG.exe
  2⤵
  PID:8696
- C:\Windows\System\fjYVXbC.exe
  C:\Windows\System\fjYVXbC.exe
  2⤵
  PID:8944
- C:\Windows\System\EIyknes.exe
  C:\Windows\System\EIyknes.exe
  2⤵
  PID:8212
- C:\Windows\System\cKobYUh.exe
  C:\Windows\System\cKobYUh.exe
  2⤵
  PID:8600
- C:\Windows\System\MJRyUDR.exe
  C:\Windows\System\MJRyUDR.exe
  2⤵
  PID:9240
- C:\Windows\System\SEhVejg.exe
  C:\Windows\System\SEhVejg.exe
  2⤵
  PID:9272
- C:\Windows\System\aBZAneg.exe
  C:\Windows\System\aBZAneg.exe
  2⤵
  PID:9304
- C:\Windows\System\Llnwubg.exe
  C:\Windows\System\Llnwubg.exe
  2⤵
  PID:9332
- C:\Windows\System\XzAdkPr.exe
  C:\Windows\System\XzAdkPr.exe
  2⤵
  PID:9360
- C:\Windows\System\OhlSbwY.exe
  C:\Windows\System\OhlSbwY.exe
  2⤵
  PID:9388
- C:\Windows\System\WTtvKjj.exe
  C:\Windows\System\WTtvKjj.exe
  2⤵
  PID:9412
- C:\Windows\System\eActRHr.exe
  C:\Windows\System\eActRHr.exe
  2⤵
  PID:9452
- C:\Windows\System\ZQlWVIB.exe
  C:\Windows\System\ZQlWVIB.exe
  2⤵
  PID:9480
- C:\Windows\System\PTHrjrq.exe
  C:\Windows\System\PTHrjrq.exe
  2⤵
  PID:9524
- C:\Windows\System\IqUFeGO.exe
  C:\Windows\System\IqUFeGO.exe
  2⤵
  PID:9544
- C:\Windows\System\YEfftwR.exe
  C:\Windows\System\YEfftwR.exe
  2⤵
  PID:9576
- C:\Windows\System\noIJCNQ.exe
  C:\Windows\System\noIJCNQ.exe
  2⤵
  PID:9604
- C:\Windows\System\hxEuERJ.exe
  C:\Windows\System\hxEuERJ.exe
  2⤵
  PID:9632
- C:\Windows\System\JaOyfVB.exe
  C:\Windows\System\JaOyfVB.exe
  2⤵
  PID:9660
- C:\Windows\System\sbrwllO.exe
  C:\Windows\System\sbrwllO.exe
  2⤵
  PID:9688
- C:\Windows\System\UPHFiSc.exe
  C:\Windows\System\UPHFiSc.exe
  2⤵
  PID:9716
- C:\Windows\System\DAMsVco.exe
  C:\Windows\System\DAMsVco.exe
  2⤵
  PID:9744
- C:\Windows\System\tgwHmtI.exe
  C:\Windows\System\tgwHmtI.exe
  2⤵
  PID:9760
- C:\Windows\System\iEnPoOw.exe
  C:\Windows\System\iEnPoOw.exe
  2⤵
  PID:9792
- C:\Windows\System\sEUXXMl.exe
  C:\Windows\System\sEUXXMl.exe
  2⤵
  PID:9828
- C:\Windows\System\GZDCmYt.exe
  C:\Windows\System\GZDCmYt.exe
  2⤵
  PID:9856
- C:\Windows\System\zaRgdzs.exe
  C:\Windows\System\zaRgdzs.exe
  2⤵
  PID:9880
- C:\Windows\System\tzrhruU.exe
  C:\Windows\System\tzrhruU.exe
  2⤵
  PID:9908
- C:\Windows\System\luWjyjS.exe
  C:\Windows\System\luWjyjS.exe
  2⤵
  PID:9932
- C:\Windows\System\SIkrDkG.exe
  C:\Windows\System\SIkrDkG.exe
  2⤵
  PID:9964
- C:\Windows\System\YPzYPPP.exe
  C:\Windows\System\YPzYPPP.exe
  2⤵
  PID:9992
- C:\Windows\System\NjLsPVh.exe
  C:\Windows\System\NjLsPVh.exe
  2⤵
  PID:10024
- C:\Windows\System\cYMeRKE.exe
  C:\Windows\System\cYMeRKE.exe
  2⤵
  PID:10052
- C:\Windows\System\cLfxrba.exe
  C:\Windows\System\cLfxrba.exe
  2⤵
  PID:10080
- C:\Windows\System\PMhKnao.exe
  C:\Windows\System\PMhKnao.exe
  2⤵
  PID:10108
- C:\Windows\System\oIdGVxs.exe
  C:\Windows\System\oIdGVxs.exe
  2⤵
  PID:10128
- C:\Windows\System\nhcLZHJ.exe
  C:\Windows\System\nhcLZHJ.exe
  2⤵
  PID:10156
- C:\Windows\System\qxipQmA.exe
  C:\Windows\System\qxipQmA.exe
  2⤵
  PID:10180
- C:\Windows\System\pZCduYh.exe
  C:\Windows\System\pZCduYh.exe
  2⤵
  PID:10212
- C:\Windows\System\gLDyAzO.exe
  C:\Windows\System\gLDyAzO.exe
  2⤵
  PID:9140
- C:\Windows\System\bRoVBtm.exe
  C:\Windows\System\bRoVBtm.exe
  2⤵
  PID:9256
- C:\Windows\System\aytuyvU.exe
  C:\Windows\System\aytuyvU.exe
  2⤵
  PID:9320
- C:\Windows\System\bDxntzq.exe
  C:\Windows\System\bDxntzq.exe
  2⤵
  PID:9372
- C:\Windows\System\hPocETR.exe
  C:\Windows\System\hPocETR.exe
  2⤵
  PID:9440
- C:\Windows\System\idhNIff.exe
  C:\Windows\System\idhNIff.exe
  2⤵
  PID:9536
- C:\Windows\System\hAaIvfq.exe
  C:\Windows\System\hAaIvfq.exe
  2⤵
  PID:9596
- C:\Windows\System\cEMxhUd.exe
  C:\Windows\System\cEMxhUd.exe
  2⤵
  PID:9684
- C:\Windows\System\ZXyuCTL.exe
  C:\Windows\System\ZXyuCTL.exe
  2⤵
  PID:9740
- C:\Windows\System\UqofFQu.exe
  C:\Windows\System\UqofFQu.exe
  2⤵
  PID:9820
- C:\Windows\System\QxxmJdr.exe
  C:\Windows\System\QxxmJdr.exe
  2⤵
  PID:9868
- C:\Windows\System\nEwlgYk.exe
  C:\Windows\System\nEwlgYk.exe
  2⤵
  PID:9972
- C:\Windows\System\JpzSgpc.exe
  C:\Windows\System\JpzSgpc.exe
  2⤵
  PID:10044
- C:\Windows\System\kryejLN.exe
  C:\Windows\System\kryejLN.exe
  2⤵
  PID:10092
- C:\Windows\System\TPpNZbA.exe
  C:\Windows\System\TPpNZbA.exe
  2⤵
  PID:10152
- C:\Windows\System\GLCvtzC.exe
  C:\Windows\System\GLCvtzC.exe
  2⤵
  PID:10220
- C:\Windows\System\yBxQewB.exe
  C:\Windows\System\yBxQewB.exe
  2⤵
  PID:9260
- C:\Windows\System\cnJEPjy.exe
  C:\Windows\System\cnJEPjy.exe
  2⤵
  PID:9420
- C:\Windows\System\upWZEzM.exe
  C:\Windows\System\upWZEzM.exe
  2⤵
  PID:9400
- C:\Windows\System\ujBrlhS.exe
  C:\Windows\System\ujBrlhS.exe
  2⤵
  PID:9572
- C:\Windows\System\NACBdVF.exe
  C:\Windows\System\NACBdVF.exe
  2⤵
  PID:9736
- C:\Windows\System\LgZUQVP.exe
  C:\Windows\System\LgZUQVP.exe
  2⤵
  PID:9560
- C:\Windows\System\ytXqptt.exe
  C:\Windows\System\ytXqptt.exe
  2⤵
  PID:10076
- C:\Windows\System\BfuwkFi.exe
  C:\Windows\System\BfuwkFi.exe
  2⤵
  PID:10200
- C:\Windows\System\ufzrHgg.exe
  C:\Windows\System\ufzrHgg.exe
  2⤵
  PID:9816
- C:\Windows\System\rbiIEwW.exe
  C:\Windows\System\rbiIEwW.exe
  2⤵
  PID:9920
- C:\Windows\System\VkRAdDk.exe
  C:\Windows\System\VkRAdDk.exe
  2⤵
  PID:10260
- C:\Windows\System\XZLJZyP.exe
  C:\Windows\System\XZLJZyP.exe
  2⤵
  PID:10280
- C:\Windows\System\imtVIfK.exe
  C:\Windows\System\imtVIfK.exe
  2⤵
  PID:10304
- C:\Windows\System\zQuHNIZ.exe
  C:\Windows\System\zQuHNIZ.exe
  2⤵
  PID:10336
- C:\Windows\System\fiJjgni.exe
  C:\Windows\System\fiJjgni.exe
  2⤵
  PID:10376
- C:\Windows\System\Nwohyub.exe
  C:\Windows\System\Nwohyub.exe
  2⤵
  PID:10400
- C:\Windows\System\LzJxLhK.exe
  C:\Windows\System\LzJxLhK.exe
  2⤵
  PID:10444
- C:\Windows\System\rZsFOaM.exe
  C:\Windows\System\rZsFOaM.exe
  2⤵
  PID:10476
- C:\Windows\System\WQmAieB.exe
  C:\Windows\System\WQmAieB.exe
  2⤵
  PID:10500
- C:\Windows\System\NJocPEd.exe
  C:\Windows\System\NJocPEd.exe
  2⤵
  PID:10536
- C:\Windows\System\DijrSNn.exe
  C:\Windows\System\DijrSNn.exe
  2⤵
  PID:10568
- C:\Windows\System\LkqrYzy.exe
  C:\Windows\System\LkqrYzy.exe
  2⤵
  PID:10600
- C:\Windows\System\eYLdFwY.exe
  C:\Windows\System\eYLdFwY.exe
  2⤵
  PID:10640
- C:\Windows\System\ukblWQg.exe
  C:\Windows\System\ukblWQg.exe
  2⤵
  PID:10668
- C:\Windows\System\jifvmPZ.exe
  C:\Windows\System\jifvmPZ.exe
  2⤵
  PID:10696
- C:\Windows\System\kBJYEAy.exe
  C:\Windows\System\kBJYEAy.exe
  2⤵
  PID:10732
- C:\Windows\System\qkHFmox.exe
  C:\Windows\System\qkHFmox.exe
  2⤵
  PID:10788
- C:\Windows\System\TRHtZAg.exe
  C:\Windows\System\TRHtZAg.exe
  2⤵
  PID:10820
- C:\Windows\System\JcwWUCI.exe
  C:\Windows\System\JcwWUCI.exe
  2⤵
  PID:10860
- C:\Windows\System\vAaFoUD.exe
  C:\Windows\System\vAaFoUD.exe
  2⤵
  PID:10892
- C:\Windows\System\JleqgOg.exe
  C:\Windows\System\JleqgOg.exe
  2⤵
  PID:10916
- C:\Windows\System\GmTMvzf.exe
  C:\Windows\System\GmTMvzf.exe
  2⤵
  PID:10944
- C:\Windows\System\hkcJfoC.exe
  C:\Windows\System\hkcJfoC.exe
  2⤵
  PID:10984
- C:\Windows\System\eExCtln.exe
  C:\Windows\System\eExCtln.exe
  2⤵
  PID:11000
- C:\Windows\System\ZYAEABj.exe
  C:\Windows\System\ZYAEABj.exe
  2⤵
  PID:11016
- C:\Windows\System\SfJZWdm.exe
  C:\Windows\System\SfJZWdm.exe
  2⤵
  PID:11036
- C:\Windows\System\mizPgrN.exe
  C:\Windows\System\mizPgrN.exe
  2⤵
  PID:11068
- C:\Windows\System\QDQFdqB.exe
  C:\Windows\System\QDQFdqB.exe
  2⤵
  PID:11104
- C:\Windows\System\wMtghyd.exe
  C:\Windows\System\wMtghyd.exe
  2⤵
  PID:11132
- C:\Windows\System\tRBwmvS.exe
  C:\Windows\System\tRBwmvS.exe
  2⤵
  PID:11164
- C:\Windows\System\IfcHohd.exe
  C:\Windows\System\IfcHohd.exe
  2⤵
  PID:11180
- C:\Windows\System\TScnBdG.exe
  C:\Windows\System\TScnBdG.exe
  2⤵
  PID:11196
- C:\Windows\System\DstAALN.exe
  C:\Windows\System\DstAALN.exe
  2⤵
  PID:11228
- C:\Windows\System\hXTtpQp.exe
  C:\Windows\System\hXTtpQp.exe
  2⤵
  PID:11260
- C:\Windows\System\CPnDGDE.exe
  C:\Windows\System\CPnDGDE.exe
  2⤵
  PID:10148
- C:\Windows\System\ZnLTnqw.exe
  C:\Windows\System\ZnLTnqw.exe
  2⤵
  PID:10300
- C:\Windows\System\OHjlWUY.exe
  C:\Windows\System\OHjlWUY.exe
  2⤵
  PID:6396
- C:\Windows\System\iwpfMNd.exe
  C:\Windows\System\iwpfMNd.exe
  2⤵
  PID:10412
- C:\Windows\System\fraIDXZ.exe
  C:\Windows\System\fraIDXZ.exe
  2⤵
  PID:7316
- C:\Windows\System\KyqRkFL.exe
  C:\Windows\System\KyqRkFL.exe
  2⤵
  PID:10456
- C:\Windows\System\CoDXORc.exe
  C:\Windows\System\CoDXORc.exe
  2⤵
  PID:10516
- C:\Windows\System\axbUApI.exe
  C:\Windows\System\axbUApI.exe
  2⤵
  PID:10596
- C:\Windows\System\bJjyTFe.exe
  C:\Windows\System\bJjyTFe.exe
  2⤵
  PID:10680
- C:\Windows\System\SlVHBcw.exe
  C:\Windows\System\SlVHBcw.exe
  2⤵
  PID:10780
- C:\Windows\System\gBdCPMA.exe
  C:\Windows\System\gBdCPMA.exe
  2⤵
  PID:10852
- C:\Windows\System\dYhkhFr.exe
  C:\Windows\System\dYhkhFr.exe
  2⤵
  PID:10952
- C:\Windows\System\oIsZtzf.exe
  C:\Windows\System\oIsZtzf.exe
  2⤵
  PID:11028
- C:\Windows\System\zzWfCZS.exe
  C:\Windows\System\zzWfCZS.exe
  2⤵
  PID:3852
- C:\Windows\System\XDwmyCQ.exe
  C:\Windows\System\XDwmyCQ.exe
  2⤵
  PID:11188
- C:\Windows\System\vouhJCt.exe
  C:\Windows\System\vouhJCt.exe
  2⤵
  PID:11220
- C:\Windows\System\NzyfsaZ.exe
  C:\Windows\System\NzyfsaZ.exe
  2⤵
  PID:9592
- C:\Windows\System\TnPtSzG.exe
  C:\Windows\System\TnPtSzG.exe
  2⤵
  PID:10328
- C:\Windows\System\TJTZXPi.exe
  C:\Windows\System\TJTZXPi.exe
  2⤵
  PID:6656
- C:\Windows\System\dsYgsVR.exe
  C:\Windows\System\dsYgsVR.exe
  2⤵
  PID:10716
- C:\Windows\System\bSAYMZI.exe
  C:\Windows\System\bSAYMZI.exe
  2⤵
  PID:10832
- C:\Windows\System\DnkrCrf.exe
  C:\Windows\System\DnkrCrf.exe
  2⤵
  PID:10996
- C:\Windows\System\JGYSqUN.exe
  C:\Windows\System\JGYSqUN.exe
  2⤵
  PID:11120
- C:\Windows\System\hbMzPcN.exe
  C:\Windows\System\hbMzPcN.exe
  2⤵
  PID:11208
- C:\Windows\System\TTKQwLQ.exe
  C:\Windows\System\TTKQwLQ.exe
  2⤵
  PID:10364
- C:\Windows\System\vmzjxxa.exe
  C:\Windows\System\vmzjxxa.exe
  2⤵
  PID:6148
- C:\Windows\System\tpSHUns.exe
  C:\Windows\System\tpSHUns.exe
  2⤵
  PID:10636
- C:\Windows\System\hYeWMEv.exe
  C:\Windows\System\hYeWMEv.exe
  2⤵
  PID:9980
- C:\Windows\System\tfOyZxh.exe
  C:\Windows\System\tfOyZxh.exe
  2⤵
  PID:10244
- C:\Windows\System\MOzfkFZ.exe
  C:\Windows\System\MOzfkFZ.exe
  2⤵
  PID:11292
- C:\Windows\System\aWDfYIg.exe
  C:\Windows\System\aWDfYIg.exe
  2⤵
  PID:11324
- C:\Windows\System\jRyynyS.exe
  C:\Windows\System\jRyynyS.exe
  2⤵
  PID:11360
- C:\Windows\System\zmRQJIF.exe
  C:\Windows\System\zmRQJIF.exe
  2⤵
  PID:11392
- C:\Windows\System\JIjOjCz.exe
  C:\Windows\System\JIjOjCz.exe
  2⤵
  PID:11424
- C:\Windows\System\CqbIFTk.exe
  C:\Windows\System\CqbIFTk.exe
  2⤵
  PID:11452
- C:\Windows\System\ruoLmwU.exe
  C:\Windows\System\ruoLmwU.exe
  2⤵
  PID:11492
- C:\Windows\System\IPxgSgA.exe
  C:\Windows\System\IPxgSgA.exe
  2⤵
  PID:11524
- C:\Windows\System\PaStKlU.exe
  C:\Windows\System\PaStKlU.exe
  2⤵
  PID:11552
- C:\Windows\System\lkqAVno.exe
  C:\Windows\System\lkqAVno.exe
  2⤵
  PID:11584
- C:\Windows\System\hixNPuL.exe
  C:\Windows\System\hixNPuL.exe
  2⤵
  PID:11612
- C:\Windows\System\SoCCbph.exe
  C:\Windows\System\SoCCbph.exe
  2⤵
  PID:11640
- C:\Windows\System\BlztIYx.exe
  C:\Windows\System\BlztIYx.exe
  2⤵
  PID:11668
- C:\Windows\System\aYpzlxO.exe
  C:\Windows\System\aYpzlxO.exe
  2⤵
  PID:11696
- C:\Windows\System\zzuOujt.exe
  C:\Windows\System\zzuOujt.exe
  2⤵
  PID:11724
- C:\Windows\System\LuxuimA.exe
  C:\Windows\System\LuxuimA.exe
  2⤵
  PID:11752
- C:\Windows\System\ygLiYvX.exe
  C:\Windows\System\ygLiYvX.exe
  2⤵
  PID:11776
- C:\Windows\System\PiNqilD.exe
  C:\Windows\System\PiNqilD.exe
  2⤵
  PID:11792
- C:\Windows\System\ZGJsdcD.exe
  C:\Windows\System\ZGJsdcD.exe
  2⤵
  PID:11856
- C:\Windows\System\dwcRwRL.exe
  C:\Windows\System\dwcRwRL.exe
  2⤵
  PID:11872
- C:\Windows\System\COISTLH.exe
  C:\Windows\System\COISTLH.exe
  2⤵
  PID:11900
- C:\Windows\System\QAhPGkA.exe
  C:\Windows\System\QAhPGkA.exe
  2⤵
  PID:11928
- C:\Windows\System\CnZdpur.exe
  C:\Windows\System\CnZdpur.exe
  2⤵
  PID:11956
- C:\Windows\System\waoWJjA.exe
  C:\Windows\System\waoWJjA.exe
  2⤵
  PID:11984
- C:\Windows\System\FbzhRVI.exe
  C:\Windows\System\FbzhRVI.exe
  2⤵
  PID:12016
- C:\Windows\System\SvsUXUm.exe
  C:\Windows\System\SvsUXUm.exe
  2⤵
  PID:12044
- C:\Windows\System\tmrcNkl.exe
  C:\Windows\System\tmrcNkl.exe
  2⤵
  PID:12072
- C:\Windows\System\sGjIRXF.exe
  C:\Windows\System\sGjIRXF.exe
  2⤵
  PID:12100
- C:\Windows\System\ZBWtJuZ.exe
  C:\Windows\System\ZBWtJuZ.exe
  2⤵
  PID:12128
- C:\Windows\System\fPvwpJg.exe
  C:\Windows\System\fPvwpJg.exe
  2⤵
  PID:12156
- C:\Windows\System\MIsRZta.exe
  C:\Windows\System\MIsRZta.exe
  2⤵
  PID:12176
- C:\Windows\System\baBhvSG.exe
  C:\Windows\System\baBhvSG.exe
  2⤵
  PID:12204
- C:\Windows\System\zOtDAhD.exe
  C:\Windows\System\zOtDAhD.exe
  2⤵
  PID:12260
- C:\Windows\System\hKmAOqW.exe
  C:\Windows\System\hKmAOqW.exe
  2⤵
  PID:10928
- C:\Windows\System\zUzPmSq.exe
  C:\Windows\System\zUzPmSq.exe
  2⤵
  PID:11276
- C:\Windows\System\aVREbjh.exe
  C:\Windows\System\aVREbjh.exe
  2⤵
  PID:11288
- C:\Windows\System\SEtpJcV.exe
  C:\Windows\System\SEtpJcV.exe
  2⤵
  PID:11340
- C:\Windows\System\jQmMSuo.exe
  C:\Windows\System\jQmMSuo.exe
  2⤵
  PID:11376
- C:\Windows\System\FuIaNUu.exe
  C:\Windows\System\FuIaNUu.exe
  2⤵
  PID:11488
- C:\Windows\System\WMflegN.exe
  C:\Windows\System\WMflegN.exe
  2⤵
  PID:11512
- C:\Windows\System\fZXQRMn.exe
  C:\Windows\System\fZXQRMn.exe
  2⤵
  PID:10960
- C:\Windows\System\kRJddZC.exe
  C:\Windows\System\kRJddZC.exe
  2⤵
  PID:11660
- C:\Windows\System\TYDFpXp.exe
  C:\Windows\System\TYDFpXp.exe
  2⤵
  PID:11716
- C:\Windows\System\wUKeiqB.exe
  C:\Windows\System\wUKeiqB.exe
  2⤵
  PID:11760
- C:\Windows\System\cyyinSk.exe
  C:\Windows\System\cyyinSk.exe
  2⤵
  PID:11808
- C:\Windows\System\wDCfNNu.exe
  C:\Windows\System\wDCfNNu.exe
  2⤵
  PID:11868
- C:\Windows\System\JhJTWHu.exe
  C:\Windows\System\JhJTWHu.exe
  2⤵
  PID:11920
- C:\Windows\System\gfAEuaO.exe
  C:\Windows\System\gfAEuaO.exe
  2⤵
  PID:12012
- C:\Windows\System\YfxbOHI.exe
  C:\Windows\System\YfxbOHI.exe
  2⤵
  PID:12084
- C:\Windows\System\BJSfUkW.exe
  C:\Windows\System\BJSfUkW.exe
  2⤵
  PID:12152
- C:\Windows\System\rPlhBUN.exe
  C:\Windows\System\rPlhBUN.exe
  2⤵
  PID:12220
- C:\Windows\System\wOHhUAT.exe
  C:\Windows\System\wOHhUAT.exe
  2⤵
  PID:12280
- C:\Windows\System\FKPpJGK.exe
  C:\Windows\System\FKPpJGK.exe
  2⤵
  PID:12256
- C:\Windows\System\ECQMgHT.exe
  C:\Windows\System\ECQMgHT.exe
  2⤵
  PID:11460
- C:\Windows\System\yqCfwOa.exe
  C:\Windows\System\yqCfwOa.exe
  2⤵
  PID:11368
- C:\Windows\System\EVETxOo.exe
  C:\Windows\System\EVETxOo.exe
  2⤵
  PID:11572
- C:\Windows\System\SVxEfjB.exe
  C:\Windows\System\SVxEfjB.exe
  2⤵
  PID:11812
- C:\Windows\System\JjKNleH.exe
  C:\Windows\System\JjKNleH.exe
  2⤵
  PID:11912
- C:\Windows\System\dZEikeX.exe
  C:\Windows\System\dZEikeX.exe
  2⤵
  PID:11896
- C:\Windows\System\XmGdIzQ.exe
  C:\Windows\System\XmGdIzQ.exe
  2⤵
  PID:12228
- C:\Windows\System\pQdronj.exe
  C:\Windows\System\pQdronj.exe
  2⤵
  PID:10388
- C:\Windows\System\wmLHKKb.exe
  C:\Windows\System\wmLHKKb.exe
  2⤵
  PID:11508
- C:\Windows\System\zBfefBj.exe
  C:\Windows\System\zBfefBj.exe
  2⤵
  PID:11412
- C:\Windows\System\ogqzqNV.exe
  C:\Windows\System\ogqzqNV.exe
  2⤵
  PID:4324
- C:\Windows\System\nvBIKTX.exe
  C:\Windows\System\nvBIKTX.exe
  2⤵
  PID:12316
- C:\Windows\System\RTsAUMC.exe
  C:\Windows\System\RTsAUMC.exe
  2⤵
  PID:12344
- C:\Windows\System\IXyVvyI.exe
  C:\Windows\System\IXyVvyI.exe
  2⤵
  PID:12384
- C:\Windows\System\zLRwfzB.exe
  C:\Windows\System\zLRwfzB.exe
  2⤵
  PID:12460
- C:\Windows\System\pLjCdjH.exe
  C:\Windows\System\pLjCdjH.exe
  2⤵
  PID:12484
- C:\Windows\System\FoHplXy.exe
  C:\Windows\System\FoHplXy.exe
  2⤵
  PID:12504
- C:\Windows\System\UcXHaIu.exe
  C:\Windows\System\UcXHaIu.exe
  2⤵
  PID:12528
- C:\Windows\System\aSXzjbR.exe
  C:\Windows\System\aSXzjbR.exe
  2⤵
  PID:12556
- C:\Windows\System\LARzddI.exe
  C:\Windows\System\LARzddI.exe
  2⤵
  PID:12572
- C:\Windows\System\ifqYKmd.exe
  C:\Windows\System\ifqYKmd.exe
  2⤵
  PID:12588
- C:\Windows\System\qosRlcQ.exe
  C:\Windows\System\qosRlcQ.exe
  2⤵
  PID:12608
- C:\Windows\System\gzBSBrw.exe
  C:\Windows\System\gzBSBrw.exe
  2⤵
  PID:12640
- C:\Windows\System\QNHIYYp.exe
  C:\Windows\System\QNHIYYp.exe
  2⤵
  PID:12656
- C:\Windows\System\zeRHVfI.exe
  C:\Windows\System\zeRHVfI.exe
  2⤵
  PID:12672
- C:\Windows\System\SKsrXlO.exe
  C:\Windows\System\SKsrXlO.exe
  2⤵
  PID:12688
- C:\Windows\System\gVMMlyT.exe
  C:\Windows\System\gVMMlyT.exe
  2⤵
  PID:12704
- C:\Windows\System\IhTPILf.exe
  C:\Windows\System\IhTPILf.exe
  2⤵
  PID:12736
- C:\Windows\System\KtjwqdW.exe
  C:\Windows\System\KtjwqdW.exe
  2⤵
  PID:12772
- C:\Windows\System\MOVxcoV.exe
  C:\Windows\System\MOVxcoV.exe
  2⤵
  PID:12796
- C:\Windows\System\nFYtBzg.exe
  C:\Windows\System\nFYtBzg.exe
  2⤵
  PID:12812
- C:\Windows\System\vfOovsZ.exe
  C:\Windows\System\vfOovsZ.exe
  2⤵
  PID:12840
- C:\Windows\System\AKCzyqI.exe
  C:\Windows\System\AKCzyqI.exe
  2⤵
  PID:12860
- C:\Windows\System\UFzYjkZ.exe
  C:\Windows\System\UFzYjkZ.exe
  2⤵
  PID:12880
- C:\Windows\System\oSRrRyV.exe
  C:\Windows\System\oSRrRyV.exe
  2⤵
  PID:12900
- C:\Windows\System\pIvKIWJ.exe
  C:\Windows\System\pIvKIWJ.exe
  2⤵
  PID:12928
- C:\Windows\System\yWLlSCD.exe
  C:\Windows\System\yWLlSCD.exe
  2⤵
  PID:12964
- C:\Windows\System\NPyTzTf.exe
  C:\Windows\System\NPyTzTf.exe
  2⤵
  PID:12996
- C:\Windows\System\qxShLBh.exe
  C:\Windows\System\qxShLBh.exe
  2⤵
  PID:13036
- C:\Windows\System\EKDtdJa.exe
  C:\Windows\System\EKDtdJa.exe
  2⤵
  PID:13068
- C:\Windows\System\XDLoMLa.exe
  C:\Windows\System\XDLoMLa.exe
  2⤵
  PID:13104
- C:\Windows\System\aDynepF.exe
  C:\Windows\System\aDynepF.exe
  2⤵
  PID:13124
- C:\Windows\System\uKJmKai.exe
  C:\Windows\System\uKJmKai.exe
  2⤵
  PID:13144
- C:\Windows\System\EZwGqEv.exe
  C:\Windows\System\EZwGqEv.exe
  2⤵
  PID:13172
- C:\Windows\System\mzTBQbV.exe
  C:\Windows\System\mzTBQbV.exe
  2⤵
  PID:13208
- C:\Windows\System\WLMEKIm.exe
  C:\Windows\System\WLMEKIm.exe
  2⤵
  PID:13236
- C:\Windows\System\FonjtBx.exe
  C:\Windows\System\FonjtBx.exe
  2⤵
  PID:13252
- C:\Windows\System\eFHXccX.exe
  C:\Windows\System\eFHXccX.exe
  2⤵
  PID:13268
- C:\Windows\System\RnzuSgf.exe
  C:\Windows\System\RnzuSgf.exe
  2⤵
  PID:13284
- C:\Windows\System\HFzyEpZ.exe
  C:\Windows\System\HFzyEpZ.exe
  2⤵
  PID:13304
- C:\Windows\System\isFVvlU.exe
  C:\Windows\System\isFVvlU.exe
  2⤵
  PID:12004
- C:\Windows\System\UbhyeoH.exe
  C:\Windows\System\UbhyeoH.exe
  2⤵
  PID:12116
- C:\Windows\System\gabEiLF.exe
  C:\Windows\System\gabEiLF.exe
  2⤵
  PID:12436
- C:\Windows\System\kihAEwr.exe
  C:\Windows\System\kihAEwr.exe
  2⤵
  PID:12376
- C:\Windows\System\zqwSKix.exe
  C:\Windows\System\zqwSKix.exe
  2⤵
  PID:12268
- C:\Windows\System\NbeGOyI.exe
  C:\Windows\System\NbeGOyI.exe
  2⤵
  PID:12564
- C:\Windows\System\dVBYGuE.exe
  C:\Windows\System\dVBYGuE.exe
  2⤵
  PID:12332
- C:\Windows\System\EOVvXoG.exe
  C:\Windows\System\EOVvXoG.exe
  2⤵
  PID:12872
- C:\Windows\System\BgCSuaR.exe
  C:\Windows\System\BgCSuaR.exe
  2⤵
  PID:12412
- C:\Windows\System\YVBGJkn.exe
  C:\Windows\System\YVBGJkn.exe
  2⤵
  PID:12428
- C:\Windows\System\BwUdeYO.exe
  C:\Windows\System\BwUdeYO.exe
  2⤵
  PID:12452
- C:\Windows\System\EUNkvmW.exe
  C:\Windows\System\EUNkvmW.exe
  2⤵
  PID:12728
- C:\Windows\System\KNxnhJu.exe
  C:\Windows\System\KNxnhJu.exe
  2⤵
  PID:13012
- C:\Windows\System\xZPOhmK.exe
  C:\Windows\System\xZPOhmK.exe
  2⤵
  PID:12596
- C:\Windows\System\akZWkLl.exe
  C:\Windows\System\akZWkLl.exe
  2⤵
  PID:1976
- C:\Windows\System\xbcOJhQ.exe
  C:\Windows\System\xbcOJhQ.exe
  2⤵
  PID:12868
- C:\Windows\System\eeeJtTf.exe
  C:\Windows\System\eeeJtTf.exe
  2⤵
  PID:12920
- C:\Windows\System\yNIlrQB.exe
  C:\Windows\System\yNIlrQB.exe
  2⤵
  PID:12788
- C:\Windows\System\xwLgVHH.exe
  C:\Windows\System\xwLgVHH.exe
  2⤵
  PID:12984
- C:\Windows\System\VdWUfZR.exe
  C:\Windows\System\VdWUfZR.exe
  2⤵
  PID:2108
- C:\Windows\System\ZuFnMWB.exe
  C:\Windows\System\ZuFnMWB.exe
  2⤵
  PID:12828
- C:\Windows\System\OFComHR.exe
  C:\Windows\System\OFComHR.exe
  2⤵
  PID:12368
- C:\Windows\System\gWCqSgy.exe
  C:\Windows\System\gWCqSgy.exe
  2⤵
  PID:12896
- C:\Windows\System\QmuGUIg.exe
  C:\Windows\System\QmuGUIg.exe
  2⤵
  PID:12724
- C:\Windows\System\oYFQGeo.exe
  C:\Windows\System\oYFQGeo.exe
  2⤵
  PID:13216
- C:\Windows\System\eLNsfUa.exe
  C:\Windows\System\eLNsfUa.exe
  2⤵
  PID:13320
- C:\Windows\System\TNgJJqi.exe
  C:\Windows\System\TNgJJqi.exe
  2⤵
  PID:13344
- C:\Windows\System\qIkMyGf.exe
  C:\Windows\System\qIkMyGf.exe
  2⤵
  PID:13364
- C:\Windows\System\RQoBZsD.exe
  C:\Windows\System\RQoBZsD.exe
  2⤵
  PID:13396
- C:\Windows\System\IDrTArQ.exe
  C:\Windows\System\IDrTArQ.exe
  2⤵
  PID:13628
- C:\Windows\System\NcsBYrf.exe
  C:\Windows\System\NcsBYrf.exe
  2⤵
  PID:13644
- C:\Windows\System\vLdDHSa.exe
  C:\Windows\System\vLdDHSa.exe
  2⤵
  PID:13676
- C:\Windows\System\AvCkwCK.exe
  C:\Windows\System\AvCkwCK.exe
  2⤵
  PID:13700
- C:\Windows\System\pNiNLQc.exe
  C:\Windows\System\pNiNLQc.exe
  2⤵
  PID:13716
- C:\Windows\System\mKRqOPz.exe
  C:\Windows\System\mKRqOPz.exe
  2⤵
  PID:13732
- C:\Windows\System\nBZZmtx.exe
  C:\Windows\System\nBZZmtx.exe
  2⤵
  PID:13768
- C:\Windows\System\QpnPHTx.exe
  C:\Windows\System\QpnPHTx.exe
  2⤵
  PID:13784
- C:\Windows\System\PuXtNWf.exe
  C:\Windows\System\PuXtNWf.exe
  2⤵
  PID:13800
- C:\Windows\System\MiSDnQN.exe
  C:\Windows\System\MiSDnQN.exe
  2⤵
  PID:13816
- C:\Windows\System\IJaWFAi.exe
  C:\Windows\System\IJaWFAi.exe
  2⤵
  PID:13832
- C:\Windows\System\RpUqSZW.exe
  C:\Windows\System\RpUqSZW.exe
  2⤵
  PID:13848
- C:\Windows\System\UcEbpyr.exe
  C:\Windows\System\UcEbpyr.exe
  2⤵
  PID:13864
- C:\Windows\System\LTozyvz.exe
  C:\Windows\System\LTozyvz.exe
  2⤵
  PID:13880
- C:\Windows\System\YoitVcz.exe
  C:\Windows\System\YoitVcz.exe
  2⤵
  PID:13896
- C:\Windows\System\kNTHuTW.exe
  C:\Windows\System\kNTHuTW.exe
  2⤵
  PID:13912
- C:\Windows\System\bdQwjEV.exe
  C:\Windows\System\bdQwjEV.exe
  2⤵
  PID:13944
- C:\Windows\System\bZxXOoD.exe
  C:\Windows\System\bZxXOoD.exe
  2⤵
  PID:13972
- C:\Windows\System\JOVUOYQ.exe
  C:\Windows\System\JOVUOYQ.exe
  2⤵
  PID:14212
- C:\Windows\System\YZDWsgm.exe
  C:\Windows\System\YZDWsgm.exe
  2⤵
  PID:14260
- C:\Windows\System\KHEulKN.exe
  C:\Windows\System\KHEulKN.exe
  2⤵
  PID:14300
- C:\Windows\System\ZSuWmly.exe
  C:\Windows\System\ZSuWmly.exe
  2⤵
  PID:12620
- C:\Windows\System\JmTZoiF.exe
  C:\Windows\System\JmTZoiF.exe
  2⤵
  PID:2812
- C:\Windows\System\OpVzSYQ.exe
  C:\Windows\System\OpVzSYQ.exe
  2⤵
  PID:13132
- C:\Windows\System\qkYnjLp.exe
  C:\Windows\System\qkYnjLp.exe
  2⤵
  PID:13160
- C:\Windows\System\rOlWyxl.exe
  C:\Windows\System\rOlWyxl.exe
  2⤵
  PID:12664
- C:\Windows\System\amEaKjI.exe
  C:\Windows\System\amEaKjI.exe
  2⤵
  PID:10912
- C:\Windows\System\XxyqHHN.exe
  C:\Windows\System\XxyqHHN.exe
  2⤵
  PID:4756
- C:\Windows\System\xtNQuTj.exe
  C:\Windows\System\xtNQuTj.exe
  2⤵
  PID:936
- C:\Windows\System\JdLsDCt.exe
  C:\Windows\System\JdLsDCt.exe
  2⤵
  PID:768
- C:\Windows\System\aYyUcSu.exe
  C:\Windows\System\aYyUcSu.exe
  2⤵
  PID:12940
- C:\Windows\System\nDcSDBV.exe
  C:\Windows\System\nDcSDBV.exe
  2⤵
  PID:13552
- C:\Windows\System\MfVLDWU.exe
  C:\Windows\System\MfVLDWU.exe
  2⤵
  PID:13436
- C:\Windows\System\zYFMPCS.exe
  C:\Windows\System\zYFMPCS.exe
  2⤵
  PID:4012
- C:\Windows\System\QnyfHgy.exe
  C:\Windows\System\QnyfHgy.exe
  2⤵
  PID:13244
- C:\Windows\System\vGCZiiL.exe
  C:\Windows\System\vGCZiiL.exe
  2⤵
  PID:836
- C:\Windows\System\CCxLpLy.exe
  C:\Windows\System\CCxLpLy.exe
  2⤵
  PID:13472
- C:\Windows\System\MQcgbvH.exe
  C:\Windows\System\MQcgbvH.exe
  2⤵
  PID:13004
- C:\Windows\System\VdIHSSX.exe
  C:\Windows\System\VdIHSSX.exe
  2⤵
  PID:13796
- C:\Windows\System\AImwDjW.exe
  C:\Windows\System\AImwDjW.exe
  2⤵
  PID:13856
- C:\Windows\System\poyLZNv.exe
  C:\Windows\System\poyLZNv.exe
  2⤵
  PID:13564
- C:\Windows\System\HoNDRAV.exe
  C:\Windows\System\HoNDRAV.exe
  2⤵
  PID:13596
- C:\Windows\System\tfllNac.exe
  C:\Windows\System\tfllNac.exe
  2⤵
  PID:13568
- C:\Windows\System\uHmXVRH.exe
  C:\Windows\System\uHmXVRH.exe
  2⤵
  PID:13964
- C:\Windows\System\idMweVZ.exe
  C:\Windows\System\idMweVZ.exe
  2⤵
  PID:13728
- C:\Windows\System\cfphdXU.exe
  C:\Windows\System\cfphdXU.exe
  2⤵
  PID:13888
- C:\Windows\System\GWfVEUm.exe
  C:\Windows\System\GWfVEUm.exe
  2⤵
  PID:14016
- C:\Windows\System\mLaTzcU.exe
  C:\Windows\System\mLaTzcU.exe
  2⤵
  PID:12444
- C:\Windows\System\staESxJ.exe
  C:\Windows\System\staESxJ.exe
  2⤵
  PID:14196
- C:\Windows\System\EhRTPXe.exe
  C:\Windows\System\EhRTPXe.exe
  2⤵
  PID:13120
- C:\Windows\System\MhlmCVI.exe
  C:\Windows\System\MhlmCVI.exe
  2⤵
  PID:13096
- C:\Windows\System\dxBKTLF.exe
  C:\Windows\System\dxBKTLF.exe
  2⤵
  PID:4200
- C:\Windows\System\LLkRZVR.exe
  C:\Windows\System\LLkRZVR.exe
  2⤵
  PID:13356
- C:\Windows\System\jSgoFlo.exe
  C:\Windows\System\jSgoFlo.exe
  2⤵
  PID:13936
- C:\Windows\System\ObGWBMP.exe
  C:\Windows\System\ObGWBMP.exe
  2⤵
  PID:13844
- C:\Windows\System\ndoGRTY.exe
  C:\Windows\System\ndoGRTY.exe
  2⤵
  PID:5016
- C:\Windows\System\RLmLetJ.exe
  C:\Windows\System\RLmLetJ.exe
  2⤵
  PID:11992
- C:\Windows\System\cjTABHQ.exe
  C:\Windows\System\cjTABHQ.exe
  2⤵
  PID:14232
- C:\Windows\System\cXKohlu.exe
  C:\Windows\System\cXKohlu.exe
  2⤵
  PID:14316
- C:\Windows\System\ZGFYQOw.exe
  C:\Windows\System\ZGFYQOw.exe
  2⤵
  PID:13560
- C:\Windows\System\VxHIzeQ.exe
  C:\Windows\System\VxHIzeQ.exe
  2⤵
  PID:4424
- C:\Windows\System\AXVEaPW.exe
  C:\Windows\System\AXVEaPW.exe
  2⤵
  PID:2256
- C:\Windows\System\gubRLKM.exe
  C:\Windows\System\gubRLKM.exe
  2⤵
  PID:13052
- C:\Windows\System\morTYPn.exe
  C:\Windows\System\morTYPn.exe
  2⤵
  PID:2220
- C:\Windows\System\GqGmwsL.exe
  C:\Windows\System\GqGmwsL.exe
  2⤵
  PID:13672
- C:\Windows\System\lKfnpPg.exe
  C:\Windows\System\lKfnpPg.exe
  2⤵
  PID:13744
- C:\Windows\System\paENsqs.exe
  C:\Windows\System\paENsqs.exe
  2⤵
  PID:12712
- C:\Windows\System\rOzNOde.exe
  C:\Windows\System\rOzNOde.exe
  2⤵
  PID:13376
- C:\Windows\System\vPJdLMv.exe
  C:\Windows\System\vPJdLMv.exe
  2⤵
  PID:2272
- C:\Windows\System\FKkIcmT.exe
  C:\Windows\System\FKkIcmT.exe
  2⤵
  PID:13928
- C:\Windows\System\ZETbxLd.exe
  C:\Windows\System\ZETbxLd.exe
  2⤵
  PID:13908
- C:\Windows\System\XohZeVk.exe
  C:\Windows\System\XohZeVk.exe
  2⤵
  PID:1772
- C:\Windows\System\EzjTSFC.exe
  C:\Windows\System\EzjTSFC.exe
  2⤵
  PID:14372
- C:\Windows\System\GpVacpW.exe
  C:\Windows\System\GpVacpW.exe
  2⤵
  PID:14400
- C:\Windows\System\oIbzvmL.exe
  C:\Windows\System\oIbzvmL.exe
  2⤵
  PID:14424
- C:\Windows\System\CvvuShQ.exe
  C:\Windows\System\CvvuShQ.exe
  2⤵
  PID:14456
- C:\Windows\System\fJrzCKL.exe
  C:\Windows\System\fJrzCKL.exe
  2⤵
  PID:14476
- C:\Windows\System\ICWXgil.exe
  C:\Windows\System\ICWXgil.exe
  2⤵
  PID:14512
- C:\Windows\System\gsllapp.exe
  C:\Windows\System\gsllapp.exe
  2⤵
  PID:14540
- C:\Windows\System\QGCNMYi.exe
  C:\Windows\System\QGCNMYi.exe
  2⤵
  PID:14568
- C:\Windows\System\JPxAYaG.exe
  C:\Windows\System\JPxAYaG.exe
  2⤵
  PID:14596
- C:\Windows\System\cTBJbXd.exe
  C:\Windows\System\cTBJbXd.exe
  2⤵
  PID:14624
- C:\Windows\System\NcuBZNd.exe
  C:\Windows\System\NcuBZNd.exe
  2⤵
  PID:14652
- C:\Windows\System\NZYhFEO.exe
  C:\Windows\System\NZYhFEO.exe
  2⤵
  PID:14672
- C:\Windows\System\bQPStXR.exe
  C:\Windows\System\bQPStXR.exe
  2⤵
  PID:14696
- C:\Windows\System\KFFdjnK.exe
  C:\Windows\System\KFFdjnK.exe
  2⤵
  PID:14712
- C:\Windows\System\qYSOXxq.exe
  C:\Windows\System\qYSOXxq.exe
  2⤵
  PID:14744
- C:\Windows\System\EAQmZCc.exe
  C:\Windows\System\EAQmZCc.exe
  2⤵
  PID:14836
- C:\Windows\System\LepCUiy.exe
  C:\Windows\System\LepCUiy.exe
  2⤵
  PID:14860
- C:\Windows\System\gbEYWAS.exe
  C:\Windows\System\gbEYWAS.exe
  2⤵
  PID:14876
- C:\Windows\System\iZZzAHq.exe
  C:\Windows\System\iZZzAHq.exe
  2⤵
  PID:14896
- C:\Windows\System\LaVtuss.exe
  C:\Windows\System\LaVtuss.exe
  2⤵
  PID:14912
- C:\Windows\System\jgMBZjD.exe
  C:\Windows\System\jgMBZjD.exe
  2⤵
  PID:14928
- C:\Windows\System\LTLbagP.exe
  C:\Windows\System\LTLbagP.exe
  2⤵
  PID:14952
- C:\Windows\System\KYXTRhy.exe
  C:\Windows\System\KYXTRhy.exe
  2⤵
  PID:14976
- C:\Windows\System\LpJTmjs.exe
  C:\Windows\System\LpJTmjs.exe
  2⤵
  PID:14996
- C:\Windows\System\NpGILLt.exe
  C:\Windows\System\NpGILLt.exe
  2⤵
  PID:15020
- C:\Windows\System\JQcwwMQ.exe
  C:\Windows\System\JQcwwMQ.exe
  2⤵
  PID:15052
- C:\Windows\System\jOMZPZU.exe
  C:\Windows\System\jOMZPZU.exe
  2⤵
  PID:15092
- C:\Windows\System\MKbXEPN.exe
  C:\Windows\System\MKbXEPN.exe
  2⤵
  PID:15120
- C:\Windows\System\UoCPWzJ.exe
  C:\Windows\System\UoCPWzJ.exe
  2⤵
  PID:15152
- C:\Windows\System\GFtdtxx.exe
  C:\Windows\System\GFtdtxx.exe
  2⤵
  PID:15196
- C:\Windows\System\DbZBDlb.exe
  C:\Windows\System\DbZBDlb.exe
  2⤵
  PID:15224
- C:\Windows\System\BzMmBGq.exe
  C:\Windows\System\BzMmBGq.exe
  2⤵
  PID:15256
- C:\Windows\System\IdFtBuD.exe
  C:\Windows\System\IdFtBuD.exe
  2⤵
  PID:15292
- C:\Windows\System\dVedHhO.exe
  C:\Windows\System\dVedHhO.exe
  2⤵
  PID:15324
- C:\Windows\System\tQovfXo.exe
  C:\Windows\System\tQovfXo.exe
  2⤵
  PID:12580
- C:\Windows\System\ExbzStZ.exe
  C:\Windows\System\ExbzStZ.exe
  2⤵
  PID:14388
- C:\Windows\System\UfvZlTn.exe
  C:\Windows\System\UfvZlTn.exe
  2⤵
  PID:14412
- C:\Windows\System\KialFwX.exe
  C:\Windows\System\KialFwX.exe
  2⤵
  PID:2964
- C:\Windows\System\rDpumeM.exe
  C:\Windows\System\rDpumeM.exe
  2⤵
  PID:7308

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BMQlIwX.exe

Filesize
5.2MB

MD5
bcf69f14802c1813579fea696a74b2ca

SHA1
2edee9f535360529badac7b751bf74b2e7f2034d

SHA256
800bbfaeb3a4cc9fb0232422ebebdbb65333703c4ef1073a4f4627a1b7823cd0

SHA512
d1f277742bb17d6f9d199596e33630a83eaac1bf56c582e32c6e86d80bc3589a343f434037e24b22c51347efeb582877016522fcd901a53cb43924c7fb920fc5

Download Submit
C:\Windows\System\ChlbcKy.exe

Filesize
5.2MB

MD5
e270d6481ab1a4ebbae994cd205dd354

SHA1
55d7198bbe35fe6913e12f48d8c4d515575fabc8

SHA256
73bd10c08857fc169f7e065fe0656a1559d6a28503b0de9e2afd86b8d51be78f

SHA512
8f2ae976efb722cda44959020aed26e28ce14b5b5576233984c9d690e6c7cc9818effd1335d80f34b49c861cd4a3b6bfce2966a68632b5b8b720b3d489517a4c

Download Submit
C:\Windows\System\ECOZCEe.exe

Filesize
5.2MB

MD5
e0c5789479e7f7711a8d20ac361043fa

SHA1
5155059115c23d34ca44f61837540dfc90be3a06

SHA256
d655e4c4318bb0a2c552d4eb325f129d7bad4cb5dc7ac1426e39cddff38fb09e

SHA512
061db6172f67d04b8faffa97edc4e910c472f7d77808f61d6718dfd304487bced76659fd8d4f232b7295ed09f83516fe7de309f6544bab138ef361d450666d62

Download Submit
C:\Windows\System\FGAKJyy.exe

Filesize
5.2MB

MD5
7084ae1562847b4f468efc484cd1a1eb

SHA1
4c11e673dc250778ec76856577e4c2109d1c0d3f

SHA256
b096ab6d98d6375c52ff713052def623cee76c5aa21d881fa02b928778672ee8

SHA512
5be94dae20c9c9ce793d33332f808770afe08282de4b0b54f5a4b1e5abc0d3b06eedf319f56ad281377edc81c1175b662a58fded7c5349437939b8f145a13161

Download Submit
C:\Windows\System\FMrXMOH.exe

Filesize
5.2MB

MD5
fddc8e6c9a9b7b044dcc8fbee6882450

SHA1
8b402a100d0e9546406adef0ddd2efe1ab786f1a

SHA256
8cfe806a3a8e49fa99310254b05710ee0e813d4abc75cbe311c05826e068010e

SHA512
89770fedff778dcd2b89371ddd7a185c43c5b43d6f70d23f72b29f859122018888ab04967405e57bd6aa13ca51b483623925bbe133635b6ff85493a4dadb41bd

Download Submit
C:\Windows\System\JIJQTZI.exe

Filesize
5.2MB

MD5
abfedda801edfd407672d3a85e095a4b

SHA1
90c138be89cb90d4e3aacca27a3acd392fa1a8da

SHA256
774befdf2a4699388ada1dc0f8057cd223c0cc2ee12c48c1441719ec89f6056b

SHA512
096100b3c264c793a14031b7029d7446c1dc12429b1b21f480711b291560b9b2092f768ce423e05a180db458fdfa5f53f534c4068330387db5010ae4821cacb0

Download Submit
C:\Windows\System\JyYAxwo.exe

Filesize
5.2MB

MD5
8a6184574d97a14adcc534a4585ce76d

SHA1
9158d170cef5d23d14ec3ee6ad11ea877d0d0f68

SHA256
14eaf8e2d761a924d2d12a237dcb859291bf511b92d95d3f1c8e1c7cfb75cb46

SHA512
4b461d07198746bf533d78aa6c2c8f554bc5c1e2f8053b33dbb3c6199f435a7cbc74da8d3352b7d79d4f5b3726e398b82caa1d6f52f034e84554125fe196f001

Download Submit
C:\Windows\System\KYworLq.exe

Filesize
5.2MB

MD5
d9f0b49aa015a4d48cf181d4b4e0e838

SHA1
2e63958e5fa30ebe54d04ae1ac9ef5e9012a5874

SHA256
409b1ef424c1d13ab80c143d7fb1cc35607883b57e91b53a065d4c291378dced

SHA512
d1f5d8833265935a1e0516c9e49b5e90a34940d5883ecab149e2a16597af8b142a5b34611fedd196c5ec35c1229ef6c98f31379df44289dd9627fc09592fa74c

Download Submit
C:\Windows\System\NVJjfqn.exe

Filesize
5.2MB

MD5
5bea3a4a427d0c2813cd4278a740aebb

SHA1
dc2359851098090f2290a9bc78ce042609894547

SHA256
f3ca0bd21300b25c07a5744fb934c65ba34c3022a26564e846dfc768227a19d5

SHA512
9d50a115bca0ef476de55838a605913cb8be3272d2a8275a110ce3f428df93d8d3df313170a7859d7a13bcb0714908e17670ee01f3d4a7812a395db053321344

Download Submit
C:\Windows\System\OKzdtGg.exe

Filesize
5.2MB

MD5
e08f70db62be8492ce2837cec98066f2

SHA1
b540f87817044d243cf03d4e3a42805ef8e7f668

SHA256
c334d952220c06fc28cd68778256ad08ac4b89f7809632f932f0a600980cc51d

SHA512
d450a5d6a975a0ed44f2ba3c360066a64a914615863aace5f5585070319966fa2221bb3b0248e24dcfd73c5450f018ff790e928e2a5b1ec95dd95955cfb60993

Download Submit
C:\Windows\System\ONSCDwR.exe

Filesize
5.2MB

MD5
4304ed9a77cc2a1409d183c2978c7a5a

SHA1
8919371e7b3eea77cd65225a000d65a8616eea69

SHA256
c7f34f8a948a173efa17e210110ef9fd7846f2160a033c05f39bc11e4b96f5b8

SHA512
72ab3c5e3218cf95cb3fe13b3c1542e7adefb71a923ebf080b4406a043451b1e51f2f38248ead16392e818657fd6de9197d1c59a4ee0207b91472b5098f65e2d

Download Submit
C:\Windows\System\PKnXKIy.exe

Filesize
5.2MB

MD5
90750323b4ff40931774730580563bac

SHA1
30415242a4a59a95b99d20b74d9e809d44df5469

SHA256
f05d352e5b6dbff1cb4b923499d848e37f31623ba456cb3bb9324c3ac152a7a9

SHA512
2d8fec4d38895093f3c1b5a222f1697ce3e4fb1e5a4cd4f75648802c9077ea8b44f58192f599a590c287321152a50ef42b8503ba9fcd9e9f45be6dab2124b751

Download Submit
C:\Windows\System\TSrxOJs.exe

Filesize
5.2MB

MD5
389eff51e348db5c9f99e9a846f47541

SHA1
b58df99cd81ba37488a940338987c1a9c8224071

SHA256
906e331f5adbd5e4e91b77c80f591c2c6f9bbf9eb48b198be26420b9115b3b1f

SHA512
0bcbdf66cc54ded3c3f9c06d5448d0e9c09ffa1dcc4d0e62ffcff084b07f98eb93b65c4b6911a69ca789bb24351a8335971cb4d30f59f8ca9190a17d0818d08e

Download Submit
C:\Windows\System\TfRNndi.exe

Filesize
5.2MB

MD5
bdeac4c143555565f62c934d4823e659

SHA1
2f13d85c42cc8b98142344fcb46990e50b89e506

SHA256
7d8d4f327dc5ce94afc245483010e405dd898db543e24a57d0049d6687dacd32

SHA512
cbbd05d79918e60bf35a5666575878ee1c3e1d96704cffba9b6540b761aac7c7eb9bd0d3717b5311d5a1a2ae98bec67834a17cba4e2c4e475139d0eb59e5deb5

Download Submit
C:\Windows\System\UHxvDkO.exe

Filesize
5.2MB

MD5
e7933f0f018f1f5530834fb91cbf10b4

SHA1
1f34c231285ba7e727c417d585bd02ac5d11e895

SHA256
535380b24711ac586ef3999b1ec441c3ee5247bff5086c0a3b2506c3d65cd653

SHA512
f35c7c6717d78b2cf23f5dd727c6c967a43993dc2909dc5ce0679e70efe45e7af8e638c4b3e40be98a9c99aa379733d0ce0c236ff2032b74368f75d169611ad1

Download Submit
C:\Windows\System\UOyDwmR.exe

Filesize
5.2MB

MD5
db735fe796521613fe9c3217290cfbe3

SHA1
cc09745643f26c8b8ea573adfa59b747534889da

SHA256
764685078aed93c75405e6becc18ef3e086a43a24caa2cf9cfac498ca4729969

SHA512
de4230f703457db9778c72550bfb3951534d46eab23f3a157c19f19fdb23ba88bb3bb32fcb514df6f94c37e3c6264f4066f0ff26099765478eac44a1ac3a71d2

Download Submit
C:\Windows\System\XqbvdrG.exe

Filesize
5.2MB

MD5
55e1d26ee374f7775bca3fa1eba365a8

SHA1
efd5b6fd2d3637d40afce442aac0912e4c40f19e

SHA256
7f1372f3025a4c4f25f1461a5adffb08431342c7af88d6e819f99b81178932bb

SHA512
804c0e1da864ca82f2e55c03bacd7e0c304292d703c70dca28f6268b85511a2746c300c1aea297c375e43c4b270b893d1b2c5394c36b634a3c5a1fe5db2064b3

Download Submit
C:\Windows\System\aEGzpgi.exe

Filesize
5.2MB

MD5
280aa9a5ae193a688ddf363d809b7112

SHA1
7b298d77608a6590903317c5e9dfd37aad28235c

SHA256
8fd7e4047f44e5f1ec39894db40d96fdc3772b926a5be8f48e502bd6fd516a58

SHA512
a36e1b1b1c013aa8a920f2efc40d7da99f7c2bf8d424dd27536ba9a83a971619095d3b379f8784a314e600372f25f2f4fd829dd65e7b8f45360a27280ca4f69d

Download Submit
C:\Windows\System\becLkyU.exe

Filesize
5.2MB

MD5
564b7dd4770b1c5e6ae4f6e55deb0e08

SHA1
9470972b17d45b6533af49f28e0437fee6483520

SHA256
7b1bf93abffe53b038efe4851d82cfe1d443ceb1eb444eda2fe1404000eb67cc

SHA512
cf241fa95797a4e631fe991f3c40650cea1bc0e60022587adc604d8299e429ede142aa8b39b03aa26771c9b9dd6bafc564ff999d082a967df666818cfe549948

Download Submit
C:\Windows\System\caquovf.exe

Filesize
5.2MB

MD5
26255f06c576859e2d006ce1eebd9c00

SHA1
f7ec6822bc2036ebe070d30560587de30194460b

SHA256
8ed172d2340afbaff71acd45e8ef498175adaac45d4ff1dd27e4ac9d7b00c1e2

SHA512
f58d4259eaa11f49fbfb40bc626116f2fc08a677ea27fbebf825fc4e9d0423262211d0597a310c038a753c676332289874074bb73f8b1bbd1030eb5303f05906

Download Submit
C:\Windows\System\fDQEuyo.exe

Filesize
5.2MB

MD5
d7a94209b146e18206e5d26a4dbd7611

SHA1
44bb6307abfb33aa691a8d6e33418ced0e94ba39

SHA256
11ae01aea577fe1bb57d29f358decbee4f8b3ffd40d314c4b87781bb02283797

SHA512
32546664014e1bab1c41185b4a5cabad31721bf3cd7d71e8362ce04d73481c7d185a1db784e807be4712b3259efdf8033b26da15f4d1b13a9affc9519789fc6f

Download Submit
C:\Windows\System\fIueuYn.exe

Filesize
5.2MB

MD5
9c09f62681c6b98f7c73f28cd14b63ee

SHA1
a21d6a27cefc14db3cf444a69f167b857d3247d1

SHA256
f6af0307dda2a03cd769c072e28a5946f3798ab06a58722d2a6f3580c5445e7c

SHA512
431ed42973302210016fbc3d144477611972d4c58679a9f48c45639d251dc32df641cff70ed2951d01153d77a45e5c36ac50ba42c548ce58c8c80cbb8e0a5a8d

Download Submit
C:\Windows\System\gIcJRdE.exe

Filesize
5.2MB

MD5
099d3ac964b15ee91bfdb32ad3c1e4f6

SHA1
bd40d90deb80f0fffdb706c0461467e1294a6179

SHA256
56da067ec0ee5fe210ecae8add663420c8b4e02f303ad1aebf08745e92fa5fb5

SHA512
64aec99ac5c359487968fb9d77770f22e19d71b13296a3b6e4c4273115dbf7260e2bc6dfe28ac0a71c169b4690e304ccff8099f4a5bf105d28c6ed143ec5dee3

Download Submit
C:\Windows\System\gTrXsBm.exe

Filesize
5.2MB

MD5
e25ae5dad61bd2af725691ec30688d39

SHA1
ca0af6b51cdfe62333fd4bc03fbc83afdc51ad2d

SHA256
f3892515dba8cd1df40dd44e552b8c1815def4e467f9c47a8927c0f1a324013d

SHA512
b10d423408e87ec4bfe3d388d0448e5307b4b75106bbef42ce07ca923cbe592740493d37f315644ce039d3f439f3e0ca4c1a31de860824cf89b0dcf03edd0032

Download Submit
C:\Windows\System\gUiUkru.exe

Filesize
5.2MB

MD5
109aa685034916c0d58ef67298f6955e

SHA1
5a586d5d07c24c03a719a8859925e30475b8eed4

SHA256
8f91fd045b835a795669caf58aafe676e75fea347e97604efa78ea99d4b26749

SHA512
452ec28138bd57ce5f1fbb85fc54678592207293e8d9803ba541da36ae697a92e589659974506783f3b34ec7d2f56a0105b18c2c9d73136c63b24e6fe0131853

Download Submit
C:\Windows\System\gzIScVJ.exe

Filesize
5.2MB

MD5
30eaed329513672d05b7a98472297e9e

SHA1
f93402839954966e2e38ab7effbb17f61e219749

SHA256
d4f050123bec4b386cef55886c2327a9f956a21d6fa3fb443d8747d22ac76e9a

SHA512
d2e71eb5f99661ddaf46431c2885df69cdfa6adc431fff2f81e6044ad2ca8cc068e7896f0d0007b67902962c6046b8e8b558128085c26fbff0039faa55c8db82

Download Submit
C:\Windows\System\hXmwhGz.exe

Filesize
5.2MB

MD5
7e2d3ca9a51f719902674a16e937dcd0

SHA1
9e4be0ed25a1b971c65f2c440c2090ffba425c59

SHA256
031725067109fe70abae4d5da9acb73a3cb668d9e3d931f4ec7c106b1380e2d5

SHA512
2ef3967a6daf1d737dd233a98d2051313a403fa2dce9f35c981399abacb2c7ba619b06a4aee4b353e6e3e3d527645822d5cac14b514c15d9f52f88d1adda655c

Download Submit
C:\Windows\System\hZvUIIV.exe

Filesize
5.2MB

MD5
c84d010c4407b9f721f43430d7ee54bb

SHA1
0a7eb3a377105c2d777254540638658b38ff3f13

SHA256
17716bc01fbbbf117d8db736db86ca31d297f1c3ea1c95616b9f9b06a7e61637

SHA512
7d8f472963e2ae44ebd1a9fb1ddcefeba987733cda3194225c595a398d5e3df923b87f5612c1c86c85296fa5e6c574f57dc25f466a5d3c5754df10c5b6d2a7be

Download Submit
C:\Windows\System\jqvumDy.exe

Filesize
5.2MB

MD5
3c6cb6649f0ae6ce226cad01e1376c93

SHA1
03cdf6db5fbfda14b2c61b63a405f41f5d6e9a81

SHA256
e5ac5f167b92c6b49cb7850ef487ba30102f2334bb1349726b8cc9934a18d84c

SHA512
50380dd016778254e9f4b534283f798cf1528f9fa7d02d4278d0574875102fdbf2abca1da753e110e11bd60b38a92a644b1ccdde6aa4070bcd9907391e39aeba

Download Submit
C:\Windows\System\pFvEfiz.exe

Filesize
5.2MB

MD5
a2ad958943fa477f07631da8277954c0

SHA1
23c2bfee1ed6ff21483599fe178212d31c13cba4

SHA256
edf4f125143891b7027e4c06eccef97d4d667cb94d4f6afa2bb7d1d11b600010

SHA512
756cc21542351cefb6be45587a2016e04b707add2d861022372ae5e397614ac8ce7f0ad667cda83a26771590057db1b4c1d51f3805bfe33dbafc2de97ee80e1e

Download Submit
C:\Windows\System\pYIDRqe.exe

Filesize
5.2MB

MD5
12ef9b901484405b9d89955d927a0dff

SHA1
bf449cf75bce6b682afa9a2c35b1325b0737291b

SHA256
740a1f490b61eca39162ef49de2e0b13400b1b24ee096079058aaa4aef01bf8b

SHA512
739690be0f3669337e790733452c19e829bfe0124aad2a63347477cfccad906ee86f9ae01469b4e82d3acbeac128d5a901dae3c4d8e8e338147b36d28f8db41b

Download Submit
C:\Windows\System\wCYWADs.exe

Filesize
5.2MB

MD5
5f647179716d600d3f16f5e6bbf43412

SHA1
e0f88931341f8c81c491d3b6b97544c4e9cd4de5

SHA256
10cbe9d42a37ba20ead74c9b0bd17bc6516ca79d3a20e882b7e027635662a636

SHA512
b4ad35e3e1843e09e732d0bb11b49de67124f9e17c6e1bb6e10f1e1c168988ae3aced63ad1933cac38a131873b0e591d7257ff56f110bde99ec7fd17b5625e55

Download Submit
C:\Windows\System\wUpiaXR.exe

Filesize
5.2MB

MD5
b0e5855639093078df7a7895dd3732b9

SHA1
98f26a75b0fd2ea73ab42221b9fe55bae730476e

SHA256
7cef82e98db623f6b9148bae9d9724ae3431d5a496001ad0b0e88527b8a53c28

SHA512
614665b44e120f7883e82b3dc4c8e203620598865c94633171e458e85eb7641fec39580eea7e9565356710d6fbc39c7f66903d0d3f21bf985033a13be61b4220

Download Submit
C:\Windows\System\yVZMIqw.exe

Filesize
5.2MB

MD5
5c787909f389e6a44d2ae431ec57e5af

SHA1
0c585e7447f5fb9349a84daa1c7680e0ab599a06

SHA256
fe6404ef68d7e636902815dd426f49e40b65fbd121016c51267dbc18c78bab29

SHA512
94350ddc4cc6d88cadb8a6e9fe011055c0a01a4f292329b53049c5c088405709689a1ec5c14e085a5b2bd73dcbfd743505310420da76150fb481dc497eadd1cb

Download Submit
memory/468-101-0x00007FF6AF1E0000-0x00007FF6AF531000-memory.dmp

Filesize
3.3MB

Download
memory/468-11-0x00007FF6AF1E0000-0x00007FF6AF531000-memory.dmp

Filesize
3.3MB

Download
memory/468-1768-0x00007FF6AF1E0000-0x00007FF6AF531000-memory.dmp

Filesize
3.3MB

Download
memory/728-2519-0x00007FF78F770000-0x00007FF78FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/728-565-0x00007FF78F770000-0x00007FF78FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/728-145-0x00007FF78F770000-0x00007FF78FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/1200-2573-0x00007FF65F930000-0x00007FF65FC81000-memory.dmp

Filesize
3.3MB

Download
memory/1200-203-0x00007FF65F930000-0x00007FF65FC81000-memory.dmp

Filesize
3.3MB

Download
memory/1200-999-0x00007FF65F930000-0x00007FF65FC81000-memory.dmp

Filesize
3.3MB

Download
memory/1444-204-0x00007FF7551E0000-0x00007FF755531000-memory.dmp

Filesize
3.3MB

Download
memory/1444-1000-0x00007FF7551E0000-0x00007FF755531000-memory.dmp

Filesize
3.3MB

Download
memory/1444-2571-0x00007FF7551E0000-0x00007FF755531000-memory.dmp

Filesize
3.3MB

Download
memory/1532-154-0x00007FF769790000-0x00007FF769AE1000-memory.dmp

Filesize
3.3MB

Download
memory/1532-647-0x00007FF769790000-0x00007FF769AE1000-memory.dmp

Filesize
3.3MB

Download
memory/1532-2544-0x00007FF769790000-0x00007FF769AE1000-memory.dmp

Filesize
3.3MB

Download
memory/1680-85-0x00007FF680F70000-0x00007FF6812C1000-memory.dmp

Filesize
3.3MB

Download
memory/1680-1936-0x00007FF680F70000-0x00007FF6812C1000-memory.dmp

Filesize
3.3MB

Download
memory/1680-118-0x00007FF680F70000-0x00007FF6812C1000-memory.dmp

Filesize
3.3MB

Download
memory/1740-115-0x00007FF7132A0000-0x00007FF7135F1000-memory.dmp

Filesize
3.3MB

Download
memory/1740-83-0x00007FF7132A0000-0x00007FF7135F1000-memory.dmp

Filesize
3.3MB

Download
memory/1740-1925-0x00007FF7132A0000-0x00007FF7135F1000-memory.dmp

Filesize
3.3MB

Download
memory/1756-97-0x00007FF749690000-0x00007FF7499E1000-memory.dmp

Filesize
3.3MB

Download
memory/1756-1922-0x00007FF749690000-0x00007FF7499E1000-memory.dmp

Filesize
3.3MB

Download
memory/1880-116-0x00007FF7E5680000-0x00007FF7E59D1000-memory.dmp

Filesize
3.3MB

Download
memory/1880-1931-0x00007FF7E5680000-0x00007FF7E59D1000-memory.dmp

Filesize
3.3MB

Download
memory/1880-84-0x00007FF7E5680000-0x00007FF7E59D1000-memory.dmp

Filesize
3.3MB

Download
memory/2356-152-0x00007FF7CB7C0000-0x00007FF7CBB11000-memory.dmp

Filesize
3.3MB

Download
memory/2356-646-0x00007FF7CB7C0000-0x00007FF7CBB11000-memory.dmp

Filesize
3.3MB

Download
memory/2372-99-0x00007FF607840000-0x00007FF607B91000-memory.dmp

Filesize
3.3MB

Download
memory/2372-0-0x00007FF607840000-0x00007FF607B91000-memory.dmp

Filesize
3.3MB

Download
memory/2372-1-0x0000024A56FD0000-0x0000024A56FE0000-memory.dmp

Filesize
64KB

Download
memory/2408-730-0x00007FF79A500000-0x00007FF79A851000-memory.dmp

Filesize
3.3MB

Download
memory/2408-162-0x00007FF79A500000-0x00007FF79A851000-memory.dmp

Filesize
3.3MB

Download
memory/2408-2542-0x00007FF79A500000-0x00007FF79A851000-memory.dmp

Filesize
3.3MB

Download
memory/2540-75-0x00007FF6A98F0000-0x00007FF6A9C41000-memory.dmp

Filesize
3.3MB

Download
memory/2540-1820-0x00007FF6A98F0000-0x00007FF6A9C41000-memory.dmp

Filesize
3.3MB

Download
memory/2748-1876-0x00007FF7BD1E0000-0x00007FF7BD531000-memory.dmp

Filesize
3.3MB

Download
memory/2748-45-0x00007FF7BD1E0000-0x00007FF7BD531000-memory.dmp

Filesize
3.3MB

Download
memory/2748-109-0x00007FF7BD1E0000-0x00007FF7BD531000-memory.dmp

Filesize
3.3MB

Download
memory/3144-160-0x00007FF643AA0000-0x00007FF643DF1000-memory.dmp

Filesize
3.3MB

Download
memory/3488-26-0x00007FF708610000-0x00007FF708961000-memory.dmp

Filesize
3.3MB

Download
memory/3488-1812-0x00007FF708610000-0x00007FF708961000-memory.dmp

Filesize
3.3MB

Download
memory/3488-104-0x00007FF708610000-0x00007FF708961000-memory.dmp

Filesize
3.3MB

Download
memory/3564-1826-0x00007FF6B8D50000-0x00007FF6B90A1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-55-0x00007FF6B8D50000-0x00007FF6B90A1000-memory.dmp

Filesize
3.3MB

Download
memory/3572-98-0x00007FF7F9B70000-0x00007FF7F9EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3572-1930-0x00007FF7F9B70000-0x00007FF7F9EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3676-161-0x00007FF620D80000-0x00007FF6210D1000-memory.dmp

Filesize
3.3MB

Download
memory/3780-78-0x00007FF655660000-0x00007FF6559B1000-memory.dmp

Filesize
3.3MB

Download
memory/3780-1903-0x00007FF655660000-0x00007FF6559B1000-memory.dmp

Filesize
3.3MB

Download
memory/4064-2575-0x00007FF69EC90000-0x00007FF69EFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4064-998-0x00007FF69EC90000-0x00007FF69EFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4064-189-0x00007FF69EC90000-0x00007FF69EFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4080-206-0x00007FF7F9EB0000-0x00007FF7FA201000-memory.dmp

Filesize
3.3MB

Download
memory/4168-17-0x00007FF710A60000-0x00007FF710DB1000-memory.dmp

Filesize
3.3MB

Download
memory/4168-1785-0x00007FF710A60000-0x00007FF710DB1000-memory.dmp

Filesize
3.3MB

Download
memory/4168-102-0x00007FF710A60000-0x00007FF710DB1000-memory.dmp

Filesize
3.3MB

Download
memory/4404-1811-0x00007FF726C20000-0x00007FF726F71000-memory.dmp

Filesize
3.3MB

Download
memory/4404-67-0x00007FF726C20000-0x00007FF726F71000-memory.dmp

Filesize
3.3MB

Download
memory/4544-485-0x00007FF749A30000-0x00007FF749D81000-memory.dmp

Filesize
3.3MB

Download
memory/4544-131-0x00007FF749A30000-0x00007FF749D81000-memory.dmp

Filesize
3.3MB

Download
memory/4648-31-0x00007FF7D78C0000-0x00007FF7D7C11000-memory.dmp

Filesize
3.3MB

Download
memory/4648-107-0x00007FF7D78C0000-0x00007FF7D7C11000-memory.dmp

Filesize
3.3MB

Download
memory/4648-1830-0x00007FF7D78C0000-0x00007FF7D7C11000-memory.dmp

Filesize
3.3MB

Download
memory/4744-92-0x00007FF71EA90000-0x00007FF71EDE1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-1915-0x00007FF71EA90000-0x00007FF71EDE1000-memory.dmp

Filesize
3.3MB

Download
memory/4764-2546-0x00007FF63F3B0000-0x00007FF63F701000-memory.dmp

Filesize
3.3MB

Download
memory/4764-816-0x00007FF63F3B0000-0x00007FF63F701000-memory.dmp

Filesize
3.3MB

Download
memory/4764-164-0x00007FF63F3B0000-0x00007FF63F701000-memory.dmp

Filesize
3.3MB

Download
memory/4968-645-0x00007FF7B9610000-0x00007FF7B9961000-memory.dmp

Filesize
3.3MB

Download
memory/4968-2549-0x00007FF7B9610000-0x00007FF7B9961000-memory.dmp

Filesize
3.3MB

Download
memory/4968-146-0x00007FF7B9610000-0x00007FF7B9961000-memory.dmp

Filesize
3.3MB

Download
memory/5116-54-0x00007FF62A680000-0x00007FF62A9D1000-memory.dmp

Filesize
3.3MB

Download
memory/5116-1868-0x00007FF62A680000-0x00007FF62A9D1000-memory.dmp

Filesize
3.3MB

Download
memory/5116-111-0x00007FF62A680000-0x00007FF62A9D1000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads