cobaltstrike | a0cfaecf198b61da659fba9d9eaf71bf9b6d7e6502f0282def84f2725b0ae362

Analysis

max time kernel
148s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
Size

5.2MB
MD5

8bfcb70f75ae001dae844ed7850464ef
SHA1

2f9619a98305ac676630eb35e43169ba8547f646
SHA256

a0cfaecf198b61da659fba9d9eaf71bf9b6d7e6502f0282def84f2725b0ae362
SHA512

7d7cd0a3b7648d671e705587c0eb20569fb1b3e42379fc011e4d01337a01f461c093aed2edaeb20187b64a83369a5951751d8845b0b66096aadcf0b984b28db4
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l2:RWWBibf56utgpPFotBER/mQ32lUS

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 37 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023f08-4.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000024002-10.dat	cobalt_reflective_dll
behavioral2/files/0x0016000000024003-9.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002400d-24.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002401a-35.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002401b-44.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002401e-72.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002402d-104.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000024023-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024031-141.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024034-154.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024035-161.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024036-198.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002403f-197.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002403e-196.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002403d-195.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002403c-194.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002403b-193.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002403a-192.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024039-172.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024038-171.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024037-170.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024033-146.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024032-143.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024030-139.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002402f-135.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002402e-133.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002402c-118.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000024022-107.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000024021-91.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000024020-83.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023feb-81.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002401d-78.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002401c-69.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002401f-76.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000024019-52.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000024009-38.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 62 IoCs

miner

resource	yara_rule
behavioral2/memory/2420-80-0x00007FF7FCA90000-0x00007FF7FCDE1000-memory.dmp	xmrig
behavioral2/memory/4564-88-0x00007FF63EE60000-0x00007FF63F1B1000-memory.dmp	xmrig
behavioral2/memory/3528-130-0x00007FF6D2400000-0x00007FF6D2751000-memory.dmp	xmrig
behavioral2/memory/5108-148-0x00007FF7EEE00000-0x00007FF7EF151000-memory.dmp	xmrig
behavioral2/memory/888-270-0x00007FF60CE60000-0x00007FF60D1B1000-memory.dmp	xmrig
behavioral2/memory/2472-269-0x00007FF648100000-0x00007FF648451000-memory.dmp	xmrig
behavioral2/memory/2484-211-0x00007FF6EA4E0000-0x00007FF6EA831000-memory.dmp	xmrig
behavioral2/memory/1108-174-0x00007FF73AFC0000-0x00007FF73B311000-memory.dmp	xmrig
behavioral2/memory/3124-167-0x00007FF6B8DF0000-0x00007FF6B9141000-memory.dmp	xmrig
behavioral2/memory/1688-151-0x00007FF7B9F20000-0x00007FF7BA271000-memory.dmp	xmrig
behavioral2/memory/3464-150-0x00007FF7AEE90000-0x00007FF7AF1E1000-memory.dmp	xmrig
behavioral2/memory/1844-149-0x00007FF7BD900000-0x00007FF7BDC51000-memory.dmp	xmrig
behavioral2/memory/2740-138-0x00007FF767830000-0x00007FF767B81000-memory.dmp	xmrig
behavioral2/memory/3876-137-0x00007FF71F690000-0x00007FF71F9E1000-memory.dmp	xmrig
behavioral2/memory/2460-131-0x00007FF765400000-0x00007FF765751000-memory.dmp	xmrig
behavioral2/memory/1088-87-0x00007FF79C8D0000-0x00007FF79CC21000-memory.dmp	xmrig
behavioral2/memory/2636-75-0x00007FF7333E0000-0x00007FF733731000-memory.dmp	xmrig
behavioral2/memory/696-419-0x00007FF6823E0000-0x00007FF682731000-memory.dmp	xmrig
behavioral2/memory/1520-443-0x00007FF710520000-0x00007FF710871000-memory.dmp	xmrig
behavioral2/memory/4716-442-0x00007FF754650000-0x00007FF7549A1000-memory.dmp	xmrig
behavioral2/memory/1332-423-0x00007FF6D3C20000-0x00007FF6D3F71000-memory.dmp	xmrig
behavioral2/memory/2772-420-0x00007FF6307B0000-0x00007FF630B01000-memory.dmp	xmrig
behavioral2/memory/1108-13-0x00007FF73AFC0000-0x00007FF73B311000-memory.dmp	xmrig
behavioral2/memory/320-543-0x00007FF648540000-0x00007FF648891000-memory.dmp	xmrig
behavioral2/memory/1656-678-0x00007FF7E9C20000-0x00007FF7E9F71000-memory.dmp	xmrig
behavioral2/memory/2940-677-0x00007FF7D7DC0000-0x00007FF7D8111000-memory.dmp	xmrig
behavioral2/memory/3876-681-0x00007FF71F690000-0x00007FF71F9E1000-memory.dmp	xmrig
behavioral2/memory/2460-743-0x00007FF765400000-0x00007FF765751000-memory.dmp	xmrig
behavioral2/memory/3320-746-0x00007FF73D1A0000-0x00007FF73D4F1000-memory.dmp	xmrig
behavioral2/memory/4268-818-0x00007FF7AC910000-0x00007FF7ACC61000-memory.dmp	xmrig
behavioral2/memory/1408-988-0x00007FF717FE0000-0x00007FF718331000-memory.dmp	xmrig
behavioral2/memory/1940-991-0x00007FF63F4F0000-0x00007FF63F841000-memory.dmp	xmrig
behavioral2/memory/4428-1075-0x00007FF7F76C0000-0x00007FF7F7A11000-memory.dmp	xmrig
behavioral2/memory/1108-1838-0x00007FF73AFC0000-0x00007FF73B311000-memory.dmp	xmrig
behavioral2/memory/2484-1861-0x00007FF6EA4E0000-0x00007FF6EA831000-memory.dmp	xmrig
behavioral2/memory/2472-1876-0x00007FF648100000-0x00007FF648451000-memory.dmp	xmrig
behavioral2/memory/696-1939-0x00007FF6823E0000-0x00007FF682731000-memory.dmp	xmrig
behavioral2/memory/2636-1935-0x00007FF7333E0000-0x00007FF733731000-memory.dmp	xmrig
behavioral2/memory/1520-1993-0x00007FF710520000-0x00007FF710871000-memory.dmp	xmrig
behavioral2/memory/3528-2063-0x00007FF6D2400000-0x00007FF6D2751000-memory.dmp	xmrig
behavioral2/memory/5108-2083-0x00007FF7EEE00000-0x00007FF7EF151000-memory.dmp	xmrig
behavioral2/memory/1688-2082-0x00007FF7B9F20000-0x00007FF7BA271000-memory.dmp	xmrig
behavioral2/memory/3876-2081-0x00007FF71F690000-0x00007FF71F9E1000-memory.dmp	xmrig
behavioral2/memory/2740-2080-0x00007FF767830000-0x00007FF767B81000-memory.dmp	xmrig
behavioral2/memory/3464-2079-0x00007FF7AEE90000-0x00007FF7AF1E1000-memory.dmp	xmrig
behavioral2/memory/3320-2078-0x00007FF73D1A0000-0x00007FF73D4F1000-memory.dmp	xmrig
behavioral2/memory/1844-2092-0x00007FF7BD900000-0x00007FF7BDC51000-memory.dmp	xmrig
behavioral2/memory/1656-2040-0x00007FF7E9C20000-0x00007FF7E9F71000-memory.dmp	xmrig
behavioral2/memory/2940-1985-0x00007FF7D7DC0000-0x00007FF7D8111000-memory.dmp	xmrig
behavioral2/memory/320-1972-0x00007FF648540000-0x00007FF648891000-memory.dmp	xmrig
behavioral2/memory/1088-1969-0x00007FF79C8D0000-0x00007FF79CC21000-memory.dmp	xmrig
behavioral2/memory/4564-1983-0x00007FF63EE60000-0x00007FF63F1B1000-memory.dmp	xmrig
behavioral2/memory/2420-1945-0x00007FF7FCA90000-0x00007FF7FCDE1000-memory.dmp	xmrig
behavioral2/memory/1332-1941-0x00007FF6D3C20000-0x00007FF6D3F71000-memory.dmp	xmrig
behavioral2/memory/4716-1958-0x00007FF754650000-0x00007FF7549A1000-memory.dmp	xmrig
behavioral2/memory/2772-1910-0x00007FF6307B0000-0x00007FF630B01000-memory.dmp	xmrig
behavioral2/memory/888-1881-0x00007FF60CE60000-0x00007FF60D1B1000-memory.dmp	xmrig
behavioral2/memory/1408-2149-0x00007FF717FE0000-0x00007FF718331000-memory.dmp	xmrig
behavioral2/memory/1940-2165-0x00007FF63F4F0000-0x00007FF63F841000-memory.dmp	xmrig
behavioral2/memory/4428-2160-0x00007FF7F76C0000-0x00007FF7F7A11000-memory.dmp	xmrig
behavioral2/memory/2460-2121-0x00007FF765400000-0x00007FF765751000-memory.dmp	xmrig
behavioral2/memory/4268-2124-0x00007FF7AC910000-0x00007FF7ACC61000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1108	ZyttAsg.exe
2484	jhKOoiv.exe
2472	gaaifUO.exe
2772	zpgLAcc.exe
888	mHbzNkR.exe
1332	XgdTsIF.exe
696	uNMquqJ.exe
2636	rRoJbop.exe
2420	nzvUNlO.exe
320	RBWRuzz.exe
4716	rzezrpR.exe
1088	HnKyTRA.exe
1520	OazcFFp.exe
4564	YWBihJo.exe
2940	aRNiwPo.exe
1656	MpUbSlp.exe
1844	hpvBFgw.exe
3528	dccseNe.exe
2460	ulUhRgA.exe
3876	kDBHjOg.exe
2740	BEJHRbx.exe
3464	rWFcepb.exe
3320	YqWhgOD.exe
5108	NgIZshn.exe
1688	JjPwubF.exe
4268	nWiFESv.exe
1408	TiFfRGr.exe
4428	wjWcRfS.exe
1940	WrkSXne.exe
1696	kUdrVaJ.exe
3948	pNpYLkV.exe
4192	Agwbafx.exe
3248	cyrCuCg.exe
2352	MpniAZZ.exe
3884	ngkYjno.exe
676	ENBDCzI.exe
3544	OfdYZdd.exe
3040	dqaWFBa.exe
3996	iayjidb.exe
3280	nOoPhAb.exe
4188	zHYQGYA.exe
3548	IDLKqXs.exe
2404	geDpQWj.exe
4180	sgBzjkd.exe
1568	PFEUogm.exe
3132	sroPgQt.exe
3784	lfInspQ.exe
924	zrOVlzQ.exe
2340	WoPOibR.exe
4984	lDwyODb.exe
680	mepDPYe.exe
4024	vsToPHE.exe
3708	ZFSCuVH.exe
2828	EwPlLIg.exe
4464	ejNQYyu.exe
1780	dzFkLck.exe
2344	qhOrFrg.exe
1612	RGVcMVp.exe
5072	ubAHUqj.exe
1464	YxvoDhv.exe
4936	MvbQlNC.exe
4384	JjEBCKv.exe
4692	mKUPVdN.exe
3752	fKXNeJy.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3124-0-0x00007FF6B8DF0000-0x00007FF6B9141000-memory.dmp	upx
behavioral2/files/0x000d000000023f08-4.dat	upx
behavioral2/files/0x000b000000024002-10.dat	upx
behavioral2/files/0x0016000000024003-9.dat	upx
behavioral2/memory/2484-19-0x00007FF6EA4E0000-0x00007FF6EA831000-memory.dmp	upx
behavioral2/files/0x000800000002400d-24.dat	upx
behavioral2/files/0x000800000002401a-35.dat	upx
behavioral2/files/0x000800000002401b-44.dat	upx
behavioral2/memory/320-59-0x00007FF648540000-0x00007FF648891000-memory.dmp	upx
behavioral2/files/0x000800000002401e-72.dat	upx
behavioral2/memory/2420-80-0x00007FF7FCA90000-0x00007FF7FCDE1000-memory.dmp	upx
behavioral2/memory/4564-88-0x00007FF63EE60000-0x00007FF63F1B1000-memory.dmp	upx
behavioral2/files/0x000700000002402d-104.dat	upx
behavioral2/files/0x0008000000024023-114.dat	upx
behavioral2/memory/3528-130-0x00007FF6D2400000-0x00007FF6D2751000-memory.dmp	upx
behavioral2/files/0x0007000000024031-141.dat	upx
behavioral2/memory/5108-148-0x00007FF7EEE00000-0x00007FF7EF151000-memory.dmp	upx
behavioral2/files/0x0007000000024034-154.dat	upx
behavioral2/files/0x0007000000024035-161.dat	upx
behavioral2/memory/4428-200-0x00007FF7F76C0000-0x00007FF7F7A11000-memory.dmp	upx
behavioral2/memory/888-270-0x00007FF60CE60000-0x00007FF60D1B1000-memory.dmp	upx
behavioral2/memory/2472-269-0x00007FF648100000-0x00007FF648451000-memory.dmp	upx
behavioral2/memory/2484-211-0x00007FF6EA4E0000-0x00007FF6EA831000-memory.dmp	upx
behavioral2/memory/1940-199-0x00007FF63F4F0000-0x00007FF63F841000-memory.dmp	upx
behavioral2/files/0x0007000000024036-198.dat	upx
behavioral2/files/0x000700000002403f-197.dat	upx
behavioral2/files/0x000700000002403e-196.dat	upx
behavioral2/files/0x000700000002403d-195.dat	upx
behavioral2/files/0x000700000002403c-194.dat	upx
behavioral2/files/0x000700000002403b-193.dat	upx
behavioral2/files/0x000700000002403a-192.dat	upx
behavioral2/memory/1408-187-0x00007FF717FE0000-0x00007FF718331000-memory.dmp	upx
behavioral2/memory/1108-174-0x00007FF73AFC0000-0x00007FF73B311000-memory.dmp	upx
behavioral2/files/0x0007000000024039-172.dat	upx
behavioral2/files/0x0007000000024038-171.dat	upx
behavioral2/files/0x0007000000024037-170.dat	upx
behavioral2/memory/3124-167-0x00007FF6B8DF0000-0x00007FF6B9141000-memory.dmp	upx
behavioral2/memory/4268-165-0x00007FF7AC910000-0x00007FF7ACC61000-memory.dmp	upx
behavioral2/memory/1688-151-0x00007FF7B9F20000-0x00007FF7BA271000-memory.dmp	upx
behavioral2/memory/3464-150-0x00007FF7AEE90000-0x00007FF7AF1E1000-memory.dmp	upx
behavioral2/memory/1844-149-0x00007FF7BD900000-0x00007FF7BDC51000-memory.dmp	upx
behavioral2/files/0x0007000000024033-146.dat	upx
behavioral2/memory/3320-145-0x00007FF73D1A0000-0x00007FF73D4F1000-memory.dmp	upx
behavioral2/files/0x0007000000024032-143.dat	upx
behavioral2/files/0x0007000000024030-139.dat	upx
behavioral2/memory/2740-138-0x00007FF767830000-0x00007FF767B81000-memory.dmp	upx
behavioral2/memory/3876-137-0x00007FF71F690000-0x00007FF71F9E1000-memory.dmp	upx
behavioral2/files/0x000700000002402f-135.dat	upx
behavioral2/files/0x000700000002402e-133.dat	upx
behavioral2/memory/2460-131-0x00007FF765400000-0x00007FF765751000-memory.dmp	upx
behavioral2/memory/1656-123-0x00007FF7E9C20000-0x00007FF7E9F71000-memory.dmp	upx
behavioral2/files/0x000700000002402c-118.dat	upx
behavioral2/files/0x0008000000024022-107.dat	upx
behavioral2/files/0x0008000000024021-91.dat	upx
behavioral2/memory/2940-90-0x00007FF7D7DC0000-0x00007FF7D8111000-memory.dmp	upx
behavioral2/memory/1088-87-0x00007FF79C8D0000-0x00007FF79CC21000-memory.dmp	upx
behavioral2/files/0x0008000000024020-83.dat	upx
behavioral2/files/0x0009000000023feb-81.dat	upx
behavioral2/files/0x000800000002401d-78.dat	upx
behavioral2/memory/2636-75-0x00007FF7333E0000-0x00007FF733731000-memory.dmp	upx
behavioral2/memory/696-419-0x00007FF6823E0000-0x00007FF682731000-memory.dmp	upx
behavioral2/memory/1520-74-0x00007FF710520000-0x00007FF710871000-memory.dmp	upx
behavioral2/memory/1520-443-0x00007FF710520000-0x00007FF710871000-memory.dmp	upx
behavioral2/memory/4716-442-0x00007FF754650000-0x00007FF7549A1000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\Qicopwz.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\zOmrNnC.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\lGzpZIP.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\ckWrUEW.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\RNMxpZa.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\oqhcHPk.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\iXEeKWw.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\vPcNfOp.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\VsXdGiK.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\qDdZpig.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\qHIaOAf.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\AjojLkv.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\ULIWuis.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\ECMJvJX.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\nBgGBHm.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\dXAcglw.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\DUBBdvv.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\bbdfSSe.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\IEZvaTF.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\dnDcjlf.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\rpoVjYS.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\nFDUjii.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\VbHcaVF.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\sgBzjkd.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\iNDzHnN.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\RcRyawW.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\kAvPbdS.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\NLzcbPH.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\CWNfPZA.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\MYqmjQP.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\dccseNe.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\whWWGqm.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\qXqDaBd.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\TNRamjm.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\DbRGnBQ.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\RrEiQIm.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\rgquMPG.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\XArlbjD.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\BEwcktr.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\IQInQgl.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\bwUCfRW.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\iOnfzNI.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\CvBsgye.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\MoqNuYt.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\azPIETC.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\wwkYHWN.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\qISGuGh.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\vJHrIHK.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\wtCsVKh.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\UEIWVDS.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\yvQVufs.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\dQzuETg.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\lGndnLh.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\zHbGnnK.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\WoPOibR.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\MvbQlNC.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\auQWQaj.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\AVOuQzp.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\DcenuBB.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\VszdzQv.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\JjEBCKv.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\wyfygJt.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\wrCDOKC.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\AmtImYF.exe	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	6928	dwm.exe
Token: SeChangeNotifyPrivilege	6928	dwm.exe
Token: 33	6928	dwm.exe
Token: SeIncBasePriorityPrivilege	6928	dwm.exe
Token: SeShutdownPrivilege	6928	dwm.exe
Token: SeCreatePagefilePrivilege	6928	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 1108	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	87
PID 3124 wrote to memory of 1108	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	87
PID 3124 wrote to memory of 2484	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	88
PID 3124 wrote to memory of 2484	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	88
PID 3124 wrote to memory of 2472	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	89
PID 3124 wrote to memory of 2472	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	89
PID 3124 wrote to memory of 2772	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	90
PID 3124 wrote to memory of 2772	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	90
PID 3124 wrote to memory of 888	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	91
PID 3124 wrote to memory of 888	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	91
PID 3124 wrote to memory of 1332	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	92
PID 3124 wrote to memory of 1332	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	92
PID 3124 wrote to memory of 696	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	93
PID 3124 wrote to memory of 696	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	93
PID 3124 wrote to memory of 2636	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	94
PID 3124 wrote to memory of 2636	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	94
PID 3124 wrote to memory of 2420	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	95
PID 3124 wrote to memory of 2420	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	95
PID 3124 wrote to memory of 320	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	96
PID 3124 wrote to memory of 320	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	96
PID 3124 wrote to memory of 4716	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	97
PID 3124 wrote to memory of 4716	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	97
PID 3124 wrote to memory of 1088	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	98
PID 3124 wrote to memory of 1088	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	98
PID 3124 wrote to memory of 1520	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	99
PID 3124 wrote to memory of 1520	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	99
PID 3124 wrote to memory of 4564	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	100
PID 3124 wrote to memory of 4564	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	100
PID 3124 wrote to memory of 2940	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	101
PID 3124 wrote to memory of 2940	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	101
PID 3124 wrote to memory of 1656	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	102
PID 3124 wrote to memory of 1656	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	102
PID 3124 wrote to memory of 1844	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	103
PID 3124 wrote to memory of 1844	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	103
PID 3124 wrote to memory of 3528	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	104
PID 3124 wrote to memory of 3528	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	104
PID 3124 wrote to memory of 2460	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	105
PID 3124 wrote to memory of 2460	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	105
PID 3124 wrote to memory of 3876	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	106
PID 3124 wrote to memory of 3876	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	106
PID 3124 wrote to memory of 2740	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	107
PID 3124 wrote to memory of 2740	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	107
PID 3124 wrote to memory of 3464	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	108
PID 3124 wrote to memory of 3464	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	108
PID 3124 wrote to memory of 3320	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	109
PID 3124 wrote to memory of 3320	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	109
PID 3124 wrote to memory of 5108	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	110
PID 3124 wrote to memory of 5108	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	110
PID 3124 wrote to memory of 1688	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	111
PID 3124 wrote to memory of 1688	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	111
PID 3124 wrote to memory of 4268	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	112
PID 3124 wrote to memory of 4268	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	112
PID 3124 wrote to memory of 1408	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	113
PID 3124 wrote to memory of 1408	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	113
PID 3124 wrote to memory of 3544	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	114
PID 3124 wrote to memory of 3544	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	114
PID 3124 wrote to memory of 4428	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	115
PID 3124 wrote to memory of 4428	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	115
PID 3124 wrote to memory of 1940	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	116
PID 3124 wrote to memory of 1940	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	116
PID 3124 wrote to memory of 1696	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	117
PID 3124 wrote to memory of 1696	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	117
PID 3124 wrote to memory of 3948	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	118
PID 3124 wrote to memory of 3948	3124	2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	118

C:\Users\Admin\AppData\Local\Temp\2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_8bfcb70f75ae001dae844ed7850464ef_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\System\ZyttAsg.exe
  C:\Windows\System\ZyttAsg.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\jhKOoiv.exe
  C:\Windows\System\jhKOoiv.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\gaaifUO.exe
  C:\Windows\System\gaaifUO.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\zpgLAcc.exe
  C:\Windows\System\zpgLAcc.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\mHbzNkR.exe
  C:\Windows\System\mHbzNkR.exe
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\System\XgdTsIF.exe
  C:\Windows\System\XgdTsIF.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System\uNMquqJ.exe
  C:\Windows\System\uNMquqJ.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System\rRoJbop.exe
  C:\Windows\System\rRoJbop.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\nzvUNlO.exe
  C:\Windows\System\nzvUNlO.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\RBWRuzz.exe
  C:\Windows\System\RBWRuzz.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\System\rzezrpR.exe
  C:\Windows\System\rzezrpR.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\HnKyTRA.exe
  C:\Windows\System\HnKyTRA.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\OazcFFp.exe
  C:\Windows\System\OazcFFp.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\YWBihJo.exe
  C:\Windows\System\YWBihJo.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\aRNiwPo.exe
  C:\Windows\System\aRNiwPo.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\MpUbSlp.exe
  C:\Windows\System\MpUbSlp.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\hpvBFgw.exe
  C:\Windows\System\hpvBFgw.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\dccseNe.exe
  C:\Windows\System\dccseNe.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\ulUhRgA.exe
  C:\Windows\System\ulUhRgA.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\kDBHjOg.exe
  C:\Windows\System\kDBHjOg.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System\BEJHRbx.exe
  C:\Windows\System\BEJHRbx.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\rWFcepb.exe
  C:\Windows\System\rWFcepb.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\YqWhgOD.exe
  C:\Windows\System\YqWhgOD.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System\NgIZshn.exe
  C:\Windows\System\NgIZshn.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\JjPwubF.exe
  C:\Windows\System\JjPwubF.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\nWiFESv.exe
  C:\Windows\System\nWiFESv.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\TiFfRGr.exe
  C:\Windows\System\TiFfRGr.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System\OfdYZdd.exe
  C:\Windows\System\OfdYZdd.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System\wjWcRfS.exe
  C:\Windows\System\wjWcRfS.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\WrkSXne.exe
  C:\Windows\System\WrkSXne.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\kUdrVaJ.exe
  C:\Windows\System\kUdrVaJ.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\pNpYLkV.exe
  C:\Windows\System\pNpYLkV.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\Agwbafx.exe
  C:\Windows\System\Agwbafx.exe
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\System\cyrCuCg.exe
  C:\Windows\System\cyrCuCg.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System\MpniAZZ.exe
  C:\Windows\System\MpniAZZ.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\ngkYjno.exe
  C:\Windows\System\ngkYjno.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System\ENBDCzI.exe
  C:\Windows\System\ENBDCzI.exe
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\System\dqaWFBa.exe
  C:\Windows\System\dqaWFBa.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\iayjidb.exe
  C:\Windows\System\iayjidb.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\nOoPhAb.exe
  C:\Windows\System\nOoPhAb.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System\zHYQGYA.exe
  C:\Windows\System\zHYQGYA.exe
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\System\IDLKqXs.exe
  C:\Windows\System\IDLKqXs.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System\geDpQWj.exe
  C:\Windows\System\geDpQWj.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\sgBzjkd.exe
  C:\Windows\System\sgBzjkd.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System\PFEUogm.exe
  C:\Windows\System\PFEUogm.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\sroPgQt.exe
  C:\Windows\System\sroPgQt.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\lfInspQ.exe
  C:\Windows\System\lfInspQ.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System\zrOVlzQ.exe
  C:\Windows\System\zrOVlzQ.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\WoPOibR.exe
  C:\Windows\System\WoPOibR.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\lDwyODb.exe
  C:\Windows\System\lDwyODb.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\mepDPYe.exe
  C:\Windows\System\mepDPYe.exe
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Windows\System\vsToPHE.exe
  C:\Windows\System\vsToPHE.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\ZFSCuVH.exe
  C:\Windows\System\ZFSCuVH.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\EwPlLIg.exe
  C:\Windows\System\EwPlLIg.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\ejNQYyu.exe
  C:\Windows\System\ejNQYyu.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\dzFkLck.exe
  C:\Windows\System\dzFkLck.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System\qhOrFrg.exe
  C:\Windows\System\qhOrFrg.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\RGVcMVp.exe
  C:\Windows\System\RGVcMVp.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\ubAHUqj.exe
  C:\Windows\System\ubAHUqj.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\YxvoDhv.exe
  C:\Windows\System\YxvoDhv.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\MvbQlNC.exe
  C:\Windows\System\MvbQlNC.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\JjEBCKv.exe
  C:\Windows\System\JjEBCKv.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\mKUPVdN.exe
  C:\Windows\System\mKUPVdN.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\fKXNeJy.exe
  C:\Windows\System\fKXNeJy.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System\kxMBRtz.exe
  C:\Windows\System\kxMBRtz.exe
  2⤵
  PID:2944
- C:\Windows\System\pkctgHZ.exe
  C:\Windows\System\pkctgHZ.exe
  2⤵
  PID:5096
- C:\Windows\System\wRbpjbx.exe
  C:\Windows\System\wRbpjbx.exe
  2⤵
  PID:2680
- C:\Windows\System\QCOIWZk.exe
  C:\Windows\System\QCOIWZk.exe
  2⤵
  PID:4200
- C:\Windows\System\wyfygJt.exe
  C:\Windows\System\wyfygJt.exe
  2⤵
  PID:1716
- C:\Windows\System\xTSmemI.exe
  C:\Windows\System\xTSmemI.exe
  2⤵
  PID:4500
- C:\Windows\System\uSymdEB.exe
  C:\Windows\System\uSymdEB.exe
  2⤵
  PID:5368
- C:\Windows\System\iNDzHnN.exe
  C:\Windows\System\iNDzHnN.exe
  2⤵
  PID:5440
- C:\Windows\System\azPIETC.exe
  C:\Windows\System\azPIETC.exe
  2⤵
  PID:5456
- C:\Windows\System\tJkfGpV.exe
  C:\Windows\System\tJkfGpV.exe
  2⤵
  PID:5472
- C:\Windows\System\sEfmSzT.exe
  C:\Windows\System\sEfmSzT.exe
  2⤵
  PID:5488
- C:\Windows\System\xSEBbNw.exe
  C:\Windows\System\xSEBbNw.exe
  2⤵
  PID:5504
- C:\Windows\System\snOWqEv.exe
  C:\Windows\System\snOWqEv.exe
  2⤵
  PID:5520
- C:\Windows\System\PMuZUwj.exe
  C:\Windows\System\PMuZUwj.exe
  2⤵
  PID:5540
- C:\Windows\System\IVSNftW.exe
  C:\Windows\System\IVSNftW.exe
  2⤵
  PID:5636
- C:\Windows\System\vtlfMWL.exe
  C:\Windows\System\vtlfMWL.exe
  2⤵
  PID:5664
- C:\Windows\System\GVKAeJo.exe
  C:\Windows\System\GVKAeJo.exe
  2⤵
  PID:5684
- C:\Windows\System\McHIyzU.exe
  C:\Windows\System\McHIyzU.exe
  2⤵
  PID:5700
- C:\Windows\System\NShuSbl.exe
  C:\Windows\System\NShuSbl.exe
  2⤵
  PID:5716
- C:\Windows\System\auQWQaj.exe
  C:\Windows\System\auQWQaj.exe
  2⤵
  PID:5732
- C:\Windows\System\CPlVmss.exe
  C:\Windows\System\CPlVmss.exe
  2⤵
  PID:5836
- C:\Windows\System\cQdjFxY.exe
  C:\Windows\System\cQdjFxY.exe
  2⤵
  PID:5852
- C:\Windows\System\rdsOFHO.exe
  C:\Windows\System\rdsOFHO.exe
  2⤵
  PID:5872
- C:\Windows\System\iZFXAac.exe
  C:\Windows\System\iZFXAac.exe
  2⤵
  PID:5904
- C:\Windows\System\kYTdTCP.exe
  C:\Windows\System\kYTdTCP.exe
  2⤵
  PID:5936
- C:\Windows\System\SEzERTV.exe
  C:\Windows\System\SEzERTV.exe
  2⤵
  PID:5956
- C:\Windows\System\LBoDETm.exe
  C:\Windows\System\LBoDETm.exe
  2⤵
  PID:5972
- C:\Windows\System\Iofsiab.exe
  C:\Windows\System\Iofsiab.exe
  2⤵
  PID:6000
- C:\Windows\System\Pdumdkc.exe
  C:\Windows\System\Pdumdkc.exe
  2⤵
  PID:6028
- C:\Windows\System\YGJiRsX.exe
  C:\Windows\System\YGJiRsX.exe
  2⤵
  PID:6052
- C:\Windows\System\NIBCJgt.exe
  C:\Windows\System\NIBCJgt.exe
  2⤵
  PID:6092
- C:\Windows\System\sRfYbtB.exe
  C:\Windows\System\sRfYbtB.exe
  2⤵
  PID:6124
- C:\Windows\System\lGndnLh.exe
  C:\Windows\System\lGndnLh.exe
  2⤵
  PID:4740
- C:\Windows\System\ypmwwLg.exe
  C:\Windows\System\ypmwwLg.exe
  2⤵
  PID:2788
- C:\Windows\System\sUtntdV.exe
  C:\Windows\System\sUtntdV.exe
  2⤵
  PID:4468
- C:\Windows\System\UvVGIAk.exe
  C:\Windows\System\UvVGIAk.exe
  2⤵
  PID:3644
- C:\Windows\System\TyjHIjs.exe
  C:\Windows\System\TyjHIjs.exe
  2⤵
  PID:5192
- C:\Windows\System\zHbGnnK.exe
  C:\Windows\System\zHbGnnK.exe
  2⤵
  PID:4392
- C:\Windows\System\SIefyKi.exe
  C:\Windows\System\SIefyKi.exe
  2⤵
  PID:624
- C:\Windows\System\WOBwXFt.exe
  C:\Windows\System\WOBwXFt.exe
  2⤵
  PID:4148
- C:\Windows\System\IUSkDra.exe
  C:\Windows\System\IUSkDra.exe
  2⤵
  PID:4092
- C:\Windows\System\vlUtZkS.exe
  C:\Windows\System\vlUtZkS.exe
  2⤵
  PID:668
- C:\Windows\System\Exqlabp.exe
  C:\Windows\System\Exqlabp.exe
  2⤵
  PID:4272
- C:\Windows\System\DTIVVyz.exe
  C:\Windows\System\DTIVVyz.exe
  2⤵
  PID:408
- C:\Windows\System\pdjoatK.exe
  C:\Windows\System\pdjoatK.exe
  2⤵
  PID:4696
- C:\Windows\System\ISXVGZD.exe
  C:\Windows\System\ISXVGZD.exe
  2⤵
  PID:3832
- C:\Windows\System\upoQXfr.exe
  C:\Windows\System\upoQXfr.exe
  2⤵
  PID:3328
- C:\Windows\System\whWWGqm.exe
  C:\Windows\System\whWWGqm.exe
  2⤵
  PID:4540
- C:\Windows\System\KyQjgZK.exe
  C:\Windows\System\KyQjgZK.exe
  2⤵
  PID:2812
- C:\Windows\System\pDMQbSS.exe
  C:\Windows\System\pDMQbSS.exe
  2⤵
  PID:4660
- C:\Windows\System\hvqGuzx.exe
  C:\Windows\System\hvqGuzx.exe
  2⤵
  PID:1124
- C:\Windows\System\oqhcHPk.exe
  C:\Windows\System\oqhcHPk.exe
  2⤵
  PID:1264
- C:\Windows\System\ImhYOxR.exe
  C:\Windows\System\ImhYOxR.exe
  2⤵
  PID:4844
- C:\Windows\System\omipynW.exe
  C:\Windows\System\omipynW.exe
  2⤵
  PID:1432
- C:\Windows\System\qWBAvtz.exe
  C:\Windows\System\qWBAvtz.exe
  2⤵
  PID:5356
- C:\Windows\System\SYWhIqy.exe
  C:\Windows\System\SYWhIqy.exe
  2⤵
  PID:5436
- C:\Windows\System\SHAUAwY.exe
  C:\Windows\System\SHAUAwY.exe
  2⤵
  PID:5468
- C:\Windows\System\dSEAbAr.exe
  C:\Windows\System\dSEAbAr.exe
  2⤵
  PID:5500
- C:\Windows\System\EwyczBl.exe
  C:\Windows\System\EwyczBl.exe
  2⤵
  PID:5420
- C:\Windows\System\XPLfaVQ.exe
  C:\Windows\System\XPLfaVQ.exe
  2⤵
  PID:5236
- C:\Windows\System\DgoxyWO.exe
  C:\Windows\System\DgoxyWO.exe
  2⤵
  PID:5392
- C:\Windows\System\QkGUasD.exe
  C:\Windows\System\QkGUasD.exe
  2⤵
  PID:5584
- C:\Windows\System\mRgLRUu.exe
  C:\Windows\System\mRgLRUu.exe
  2⤵
  PID:5260
- C:\Windows\System\EUPhWYC.exe
  C:\Windows\System\EUPhWYC.exe
  2⤵
  PID:5680
- C:\Windows\System\wqfnOpf.exe
  C:\Windows\System\wqfnOpf.exe
  2⤵
  PID:5796
- C:\Windows\System\DLvOOJG.exe
  C:\Windows\System\DLvOOJG.exe
  2⤵
  PID:5752
- C:\Windows\System\ovyQlgQ.exe
  C:\Windows\System\ovyQlgQ.exe
  2⤵
  PID:5812
- C:\Windows\System\QYGnTah.exe
  C:\Windows\System\QYGnTah.exe
  2⤵
  PID:5848
- C:\Windows\System\ZhruxUR.exe
  C:\Windows\System\ZhruxUR.exe
  2⤵
  PID:6140
- C:\Windows\System\OaeAMZl.exe
  C:\Windows\System\OaeAMZl.exe
  2⤵
  PID:5184
- C:\Windows\System\XArlbjD.exe
  C:\Windows\System\XArlbjD.exe
  2⤵
  PID:1636
- C:\Windows\System\FhMuuUl.exe
  C:\Windows\System\FhMuuUl.exe
  2⤵
  PID:3680
- C:\Windows\System\wJbzLIT.exe
  C:\Windows\System\wJbzLIT.exe
  2⤵
  PID:2768
- C:\Windows\System\yVEPgVe.exe
  C:\Windows\System\yVEPgVe.exe
  2⤵
  PID:628
- C:\Windows\System\mRlCnHk.exe
  C:\Windows\System\mRlCnHk.exe
  2⤵
  PID:3420
- C:\Windows\System\qXqDaBd.exe
  C:\Windows\System\qXqDaBd.exe
  2⤵
  PID:2300
- C:\Windows\System\THqSdJI.exe
  C:\Windows\System\THqSdJI.exe
  2⤵
  PID:4928
- C:\Windows\System\vYCmYjT.exe
  C:\Windows\System\vYCmYjT.exe
  2⤵
  PID:4124
- C:\Windows\System\wrCDOKC.exe
  C:\Windows\System\wrCDOKC.exe
  2⤵
  PID:1368
- C:\Windows\System\aGYNAwQ.exe
  C:\Windows\System\aGYNAwQ.exe
  2⤵
  PID:5480
- C:\Windows\System\pmfjsau.exe
  C:\Windows\System\pmfjsau.exe
  2⤵
  PID:5592
- C:\Windows\System\TYEBcHV.exe
  C:\Windows\System\TYEBcHV.exe
  2⤵
  PID:5264
- C:\Windows\System\kHePSnt.exe
  C:\Windows\System\kHePSnt.exe
  2⤵
  PID:5408
- C:\Windows\System\aDFLEiP.exe
  C:\Windows\System\aDFLEiP.exe
  2⤵
  PID:5612
- C:\Windows\System\TWmMqwW.exe
  C:\Windows\System\TWmMqwW.exe
  2⤵
  PID:5788
- C:\Windows\System\fVrMZkS.exe
  C:\Windows\System\fVrMZkS.exe
  2⤵
  PID:6064
- C:\Windows\System\TNRamjm.exe
  C:\Windows\System\TNRamjm.exe
  2⤵
  PID:5208
- C:\Windows\System\eSwampn.exe
  C:\Windows\System\eSwampn.exe
  2⤵
  PID:4284
- C:\Windows\System\dDHNcVy.exe
  C:\Windows\System\dDHNcVy.exe
  2⤵
  PID:1424
- C:\Windows\System\ECMJvJX.exe
  C:\Windows\System\ECMJvJX.exe
  2⤵
  PID:5832
- C:\Windows\System\jkxUxhQ.exe
  C:\Windows\System\jkxUxhQ.exe
  2⤵
  PID:6020
- C:\Windows\System\MWpmrIO.exe
  C:\Windows\System\MWpmrIO.exe
  2⤵
  PID:4780
- C:\Windows\System\KqjmYHJ.exe
  C:\Windows\System\KqjmYHJ.exe
  2⤵
  PID:6008
- C:\Windows\System\YvNMCcC.exe
  C:\Windows\System\YvNMCcC.exe
  2⤵
  PID:5724
- C:\Windows\System\sOwLxjC.exe
  C:\Windows\System\sOwLxjC.exe
  2⤵
  PID:5512
- C:\Windows\System\oiukeXZ.exe
  C:\Windows\System\oiukeXZ.exe
  2⤵
  PID:6160
- C:\Windows\System\hNVsUnq.exe
  C:\Windows\System\hNVsUnq.exe
  2⤵
  PID:6184
- C:\Windows\System\BEJjnKb.exe
  C:\Windows\System\BEJjnKb.exe
  2⤵
  PID:6216
- C:\Windows\System\YGXBXHp.exe
  C:\Windows\System\YGXBXHp.exe
  2⤵
  PID:6240
- C:\Windows\System\Scpzqxa.exe
  C:\Windows\System\Scpzqxa.exe
  2⤵
  PID:6268
- C:\Windows\System\ySHXcFv.exe
  C:\Windows\System\ySHXcFv.exe
  2⤵
  PID:6304
- C:\Windows\System\KZKhCmo.exe
  C:\Windows\System\KZKhCmo.exe
  2⤵
  PID:6324
- C:\Windows\System\gLsSzKi.exe
  C:\Windows\System\gLsSzKi.exe
  2⤵
  PID:6352
- C:\Windows\System\aOuNWbC.exe
  C:\Windows\System\aOuNWbC.exe
  2⤵
  PID:6380
- C:\Windows\System\nGvGgCx.exe
  C:\Windows\System\nGvGgCx.exe
  2⤵
  PID:6408
- C:\Windows\System\hLCkaie.exe
  C:\Windows\System\hLCkaie.exe
  2⤵
  PID:6436
- C:\Windows\System\QXPBOee.exe
  C:\Windows\System\QXPBOee.exe
  2⤵
  PID:6460
- C:\Windows\System\tpfaOba.exe
  C:\Windows\System\tpfaOba.exe
  2⤵
  PID:6484
- C:\Windows\System\EpICGLJ.exe
  C:\Windows\System\EpICGLJ.exe
  2⤵
  PID:6508
- C:\Windows\System\RfUqbBx.exe
  C:\Windows\System\RfUqbBx.exe
  2⤵
  PID:6564
- C:\Windows\System\yFYPSYQ.exe
  C:\Windows\System\yFYPSYQ.exe
  2⤵
  PID:6600
- C:\Windows\System\lbzwBXW.exe
  C:\Windows\System\lbzwBXW.exe
  2⤵
  PID:6628
- C:\Windows\System\EWZXaRY.exe
  C:\Windows\System\EWZXaRY.exe
  2⤵
  PID:6648
- C:\Windows\System\UOBTGKt.exe
  C:\Windows\System\UOBTGKt.exe
  2⤵
  PID:6672
- C:\Windows\System\RcRyawW.exe
  C:\Windows\System\RcRyawW.exe
  2⤵
  PID:6688
- C:\Windows\System\AVOuQzp.exe
  C:\Windows\System\AVOuQzp.exe
  2⤵
  PID:6728
- C:\Windows\System\Qicopwz.exe
  C:\Windows\System\Qicopwz.exe
  2⤵
  PID:6764
- C:\Windows\System\upcsRWA.exe
  C:\Windows\System\upcsRWA.exe
  2⤵
  PID:6800
- C:\Windows\System\MXLjCnW.exe
  C:\Windows\System\MXLjCnW.exe
  2⤵
  PID:6832
- C:\Windows\System\uktqrFf.exe
  C:\Windows\System\uktqrFf.exe
  2⤵
  PID:6884
- C:\Windows\System\BLuHjNe.exe
  C:\Windows\System\BLuHjNe.exe
  2⤵
  PID:6912
- C:\Windows\System\WykcxJM.exe
  C:\Windows\System\WykcxJM.exe
  2⤵
  PID:6932
- C:\Windows\System\adJBnqj.exe
  C:\Windows\System\adJBnqj.exe
  2⤵
  PID:6956
- C:\Windows\System\AmtImYF.exe
  C:\Windows\System\AmtImYF.exe
  2⤵
  PID:6984
- C:\Windows\System\mBhvylF.exe
  C:\Windows\System\mBhvylF.exe
  2⤵
  PID:7020
- C:\Windows\System\xGExeDs.exe
  C:\Windows\System\xGExeDs.exe
  2⤵
  PID:7052
- C:\Windows\System\nKTaROH.exe
  C:\Windows\System\nKTaROH.exe
  2⤵
  PID:7080
- C:\Windows\System\KOtCvCl.exe
  C:\Windows\System\KOtCvCl.exe
  2⤵
  PID:7100
- C:\Windows\System\DYZsHol.exe
  C:\Windows\System\DYZsHol.exe
  2⤵
  PID:7128
- C:\Windows\System\GVULrsL.exe
  C:\Windows\System\GVULrsL.exe
  2⤵
  PID:7148
- C:\Windows\System\wEdlBKN.exe
  C:\Windows\System\wEdlBKN.exe
  2⤵
  PID:6196
- C:\Windows\System\CQiZZXz.exe
  C:\Windows\System\CQiZZXz.exe
  2⤵
  PID:6260
- C:\Windows\System\mfFukZX.exe
  C:\Windows\System\mfFukZX.exe
  2⤵
  PID:6312
- C:\Windows\System\QcVcjmn.exe
  C:\Windows\System\QcVcjmn.exe
  2⤵
  PID:6344
- C:\Windows\System\esjfOYx.exe
  C:\Windows\System\esjfOYx.exe
  2⤵
  PID:6424
- C:\Windows\System\YYWyTbI.exe
  C:\Windows\System\YYWyTbI.exe
  2⤵
  PID:6504
- C:\Windows\System\EoCNSlZ.exe
  C:\Windows\System\EoCNSlZ.exe
  2⤵
  PID:6612
- C:\Windows\System\ypVOUCi.exe
  C:\Windows\System\ypVOUCi.exe
  2⤵
  PID:6644
- C:\Windows\System\UhsmucR.exe
  C:\Windows\System\UhsmucR.exe
  2⤵
  PID:6772
- C:\Windows\System\MVOPRov.exe
  C:\Windows\System\MVOPRov.exe
  2⤵
  PID:2548
- C:\Windows\System\pDSdOYl.exe
  C:\Windows\System\pDSdOYl.exe
  2⤵
  PID:6468
- C:\Windows\System\mVxGAVl.exe
  C:\Windows\System\mVxGAVl.exe
  2⤵
  PID:6968
- C:\Windows\System\TWCUhMX.exe
  C:\Windows\System\TWCUhMX.exe
  2⤵
  PID:7044
- C:\Windows\System\mCsfZgE.exe
  C:\Windows\System\mCsfZgE.exe
  2⤵
  PID:7116
- C:\Windows\System\WAYASfN.exe
  C:\Windows\System\WAYASfN.exe
  2⤵
  PID:4228
- C:\Windows\System\XLJmosZ.exe
  C:\Windows\System\XLJmosZ.exe
  2⤵
  PID:6320
- C:\Windows\System\DbRGnBQ.exe
  C:\Windows\System\DbRGnBQ.exe
  2⤵
  PID:6404
- C:\Windows\System\xBmGhah.exe
  C:\Windows\System\xBmGhah.exe
  2⤵
  PID:6668
- C:\Windows\System\BEwcktr.exe
  C:\Windows\System\BEwcktr.exe
  2⤵
  PID:6712
- C:\Windows\System\QHFIgjt.exe
  C:\Windows\System\QHFIgjt.exe
  2⤵
  PID:7028
- C:\Windows\System\iiZhSTX.exe
  C:\Windows\System\iiZhSTX.exe
  2⤵
  PID:5332
- C:\Windows\System\CeHCnVa.exe
  C:\Windows\System\CeHCnVa.exe
  2⤵
  PID:6252
- C:\Windows\System\RURzVQS.exe
  C:\Windows\System\RURzVQS.exe
  2⤵
  PID:6820
- C:\Windows\System\HMzqsIv.exe
  C:\Windows\System\HMzqsIv.exe
  2⤵
  PID:6924
- C:\Windows\System\PKmehxK.exe
  C:\Windows\System\PKmehxK.exe
  2⤵
  PID:6208
- C:\Windows\System\iyhqRta.exe
  C:\Windows\System\iyhqRta.exe
  2⤵
  PID:7204
- C:\Windows\System\JzSVJvt.exe
  C:\Windows\System\JzSVJvt.exe
  2⤵
  PID:7240
- C:\Windows\System\qyYUAIh.exe
  C:\Windows\System\qyYUAIh.exe
  2⤵
  PID:7264
- C:\Windows\System\FlGbJVx.exe
  C:\Windows\System\FlGbJVx.exe
  2⤵
  PID:7296
- C:\Windows\System\bBexmkk.exe
  C:\Windows\System\bBexmkk.exe
  2⤵
  PID:7328
- C:\Windows\System\zGKHVyc.exe
  C:\Windows\System\zGKHVyc.exe
  2⤵
  PID:7344
- C:\Windows\System\LSeuhXd.exe
  C:\Windows\System\LSeuhXd.exe
  2⤵
  PID:7380
- C:\Windows\System\FHbvxOY.exe
  C:\Windows\System\FHbvxOY.exe
  2⤵
  PID:7416
- C:\Windows\System\HPNeAJZ.exe
  C:\Windows\System\HPNeAJZ.exe
  2⤵
  PID:7444
- C:\Windows\System\OWPgisp.exe
  C:\Windows\System\OWPgisp.exe
  2⤵
  PID:7472
- C:\Windows\System\AOxrsPi.exe
  C:\Windows\System\AOxrsPi.exe
  2⤵
  PID:7500
- C:\Windows\System\pQqzseX.exe
  C:\Windows\System\pQqzseX.exe
  2⤵
  PID:7528
- C:\Windows\System\pNFDQSr.exe
  C:\Windows\System\pNFDQSr.exe
  2⤵
  PID:7556
- C:\Windows\System\QaIPRpC.exe
  C:\Windows\System\QaIPRpC.exe
  2⤵
  PID:7584
- C:\Windows\System\kctFVKC.exe
  C:\Windows\System\kctFVKC.exe
  2⤵
  PID:7612
- C:\Windows\System\cmxakKZ.exe
  C:\Windows\System\cmxakKZ.exe
  2⤵
  PID:7640
- C:\Windows\System\MAFpkUn.exe
  C:\Windows\System\MAFpkUn.exe
  2⤵
  PID:7656
- C:\Windows\System\OpRAYyP.exe
  C:\Windows\System\OpRAYyP.exe
  2⤵
  PID:7676
- C:\Windows\System\FtlJdlN.exe
  C:\Windows\System\FtlJdlN.exe
  2⤵
  PID:7708
- C:\Windows\System\HPfBtZN.exe
  C:\Windows\System\HPfBtZN.exe
  2⤵
  PID:7744
- C:\Windows\System\nFiiimi.exe
  C:\Windows\System\nFiiimi.exe
  2⤵
  PID:7776
- C:\Windows\System\kMlZUKM.exe
  C:\Windows\System\kMlZUKM.exe
  2⤵
  PID:7808
- C:\Windows\System\DGvWrYW.exe
  C:\Windows\System\DGvWrYW.exe
  2⤵
  PID:7836
- C:\Windows\System\AVIjNjf.exe
  C:\Windows\System\AVIjNjf.exe
  2⤵
  PID:7864
- C:\Windows\System\Rqqbkmb.exe
  C:\Windows\System\Rqqbkmb.exe
  2⤵
  PID:7888
- C:\Windows\System\XuNIeIf.exe
  C:\Windows\System\XuNIeIf.exe
  2⤵
  PID:7920
- C:\Windows\System\uiixJpM.exe
  C:\Windows\System\uiixJpM.exe
  2⤵
  PID:7956
- C:\Windows\System\QpZlMYd.exe
  C:\Windows\System\QpZlMYd.exe
  2⤵
  PID:7996
- C:\Windows\System\PMBoBez.exe
  C:\Windows\System\PMBoBez.exe
  2⤵
  PID:8044
- C:\Windows\System\pkapjSx.exe
  C:\Windows\System\pkapjSx.exe
  2⤵
  PID:8080
- C:\Windows\System\bdmdsHl.exe
  C:\Windows\System\bdmdsHl.exe
  2⤵
  PID:8104
- C:\Windows\System\AJRjqBw.exe
  C:\Windows\System\AJRjqBw.exe
  2⤵
  PID:8148
- C:\Windows\System\vWPgdLw.exe
  C:\Windows\System\vWPgdLw.exe
  2⤵
  PID:8184
- C:\Windows\System\aicZIim.exe
  C:\Windows\System\aicZIim.exe
  2⤵
  PID:6992
- C:\Windows\System\gtINSki.exe
  C:\Windows\System\gtINSki.exe
  2⤵
  PID:7280
- C:\Windows\System\AcAfqwW.exe
  C:\Windows\System\AcAfqwW.exe
  2⤵
  PID:3940
- C:\Windows\System\rojHihY.exe
  C:\Windows\System\rojHihY.exe
  2⤵
  PID:7428
- C:\Windows\System\kMaMUkU.exe
  C:\Windows\System\kMaMUkU.exe
  2⤵
  PID:7496
- C:\Windows\System\MHVoiCy.exe
  C:\Windows\System\MHVoiCy.exe
  2⤵
  PID:7576
- C:\Windows\System\ZSGdvCh.exe
  C:\Windows\System\ZSGdvCh.exe
  2⤵
  PID:7636
- C:\Windows\System\StJGPLa.exe
  C:\Windows\System\StJGPLa.exe
  2⤵
  PID:7692
- C:\Windows\System\IEZvaTF.exe
  C:\Windows\System\IEZvaTF.exe
  2⤵
  PID:7796
- C:\Windows\System\tLXTmgm.exe
  C:\Windows\System\tLXTmgm.exe
  2⤵
  PID:7848
- C:\Windows\System\UaOQpqJ.exe
  C:\Windows\System\UaOQpqJ.exe
  2⤵
  PID:7928
- C:\Windows\System\YDByKoq.exe
  C:\Windows\System\YDByKoq.exe
  2⤵
  PID:3652
- C:\Windows\System\aVshdmA.exe
  C:\Windows\System\aVshdmA.exe
  2⤵
  PID:8036
- C:\Windows\System\DcenuBB.exe
  C:\Windows\System\DcenuBB.exe
  2⤵
  PID:8096
- C:\Windows\System\LBBjLzY.exe
  C:\Windows\System\LBBjLzY.exe
  2⤵
  PID:8168
- C:\Windows\System\dhOlxnK.exe
  C:\Windows\System\dhOlxnK.exe
  2⤵
  PID:7256
- C:\Windows\System\zzIylwZ.exe
  C:\Windows\System\zzIylwZ.exe
  2⤵
  PID:7468
- C:\Windows\System\TcssMyf.exe
  C:\Windows\System\TcssMyf.exe
  2⤵
  PID:7768
- C:\Windows\System\DCoHwcR.exe
  C:\Windows\System\DCoHwcR.exe
  2⤵
  PID:7832
- C:\Windows\System\tZJJyBP.exe
  C:\Windows\System\tZJJyBP.exe
  2⤵
  PID:7952
- C:\Windows\System\utfHozp.exe
  C:\Windows\System\utfHozp.exe
  2⤵
  PID:7992
- C:\Windows\System\aSkgeTk.exe
  C:\Windows\System\aSkgeTk.exe
  2⤵
  PID:8144
- C:\Windows\System\zoJFjUe.exe
  C:\Windows\System\zoJFjUe.exe
  2⤵
  PID:7356
- C:\Windows\System\xZiEKBb.exe
  C:\Windows\System\xZiEKBb.exe
  2⤵
  PID:7540
- C:\Windows\System\fRwAEsH.exe
  C:\Windows\System\fRwAEsH.exe
  2⤵
  PID:8196
- C:\Windows\System\kyOOAhB.exe
  C:\Windows\System\kyOOAhB.exe
  2⤵
  PID:8232
- C:\Windows\System\gBUeDjl.exe
  C:\Windows\System\gBUeDjl.exe
  2⤵
  PID:8268
- C:\Windows\System\zKTGlnQ.exe
  C:\Windows\System\zKTGlnQ.exe
  2⤵
  PID:8304
- C:\Windows\System\eufMvzv.exe
  C:\Windows\System\eufMvzv.exe
  2⤵
  PID:8336
- C:\Windows\System\WpTXvBH.exe
  C:\Windows\System\WpTXvBH.exe
  2⤵
  PID:8380
- C:\Windows\System\DclYvmi.exe
  C:\Windows\System\DclYvmi.exe
  2⤵
  PID:8412
- C:\Windows\System\iXEeKWw.exe
  C:\Windows\System\iXEeKWw.exe
  2⤵
  PID:8448
- C:\Windows\System\YnhiUEZ.exe
  C:\Windows\System\YnhiUEZ.exe
  2⤵
  PID:8484
- C:\Windows\System\bLKDGMC.exe
  C:\Windows\System\bLKDGMC.exe
  2⤵
  PID:8520
- C:\Windows\System\AaMWKbE.exe
  C:\Windows\System\AaMWKbE.exe
  2⤵
  PID:8552
- C:\Windows\System\GRUjgqy.exe
  C:\Windows\System\GRUjgqy.exe
  2⤵
  PID:8608
- C:\Windows\System\fdzkCZX.exe
  C:\Windows\System\fdzkCZX.exe
  2⤵
  PID:8628
- C:\Windows\System\ewQiFlC.exe
  C:\Windows\System\ewQiFlC.exe
  2⤵
  PID:8652
- C:\Windows\System\JMRCoHe.exe
  C:\Windows\System\JMRCoHe.exe
  2⤵
  PID:8676
- C:\Windows\System\qXPoWdE.exe
  C:\Windows\System\qXPoWdE.exe
  2⤵
  PID:8712
- C:\Windows\System\ZSFRrue.exe
  C:\Windows\System\ZSFRrue.exe
  2⤵
  PID:8752
- C:\Windows\System\kAvPbdS.exe
  C:\Windows\System\kAvPbdS.exe
  2⤵
  PID:8800
- C:\Windows\System\cvTrFVe.exe
  C:\Windows\System\cvTrFVe.exe
  2⤵
  PID:8824
- C:\Windows\System\RrEiQIm.exe
  C:\Windows\System\RrEiQIm.exe
  2⤵
  PID:8840
- C:\Windows\System\HgDLbfv.exe
  C:\Windows\System\HgDLbfv.exe
  2⤵
  PID:8856
- C:\Windows\System\vpZdnEI.exe
  C:\Windows\System\vpZdnEI.exe
  2⤵
  PID:8872
- C:\Windows\System\IQInQgl.exe
  C:\Windows\System\IQInQgl.exe
  2⤵
  PID:8892
- C:\Windows\System\yBPzphA.exe
  C:\Windows\System\yBPzphA.exe
  2⤵
  PID:8908
- C:\Windows\System\MsIDxvx.exe
  C:\Windows\System\MsIDxvx.exe
  2⤵
  PID:8940
- C:\Windows\System\zRprXJi.exe
  C:\Windows\System\zRprXJi.exe
  2⤵
  PID:8976
- C:\Windows\System\nHVtlyA.exe
  C:\Windows\System\nHVtlyA.exe
  2⤵
  PID:9004
- C:\Windows\System\guBwdSA.exe
  C:\Windows\System\guBwdSA.exe
  2⤵
  PID:9040
- C:\Windows\System\zrxSGSI.exe
  C:\Windows\System\zrxSGSI.exe
  2⤵
  PID:9072
- C:\Windows\System\zUCyCIH.exe
  C:\Windows\System\zUCyCIH.exe
  2⤵
  PID:9100
- C:\Windows\System\vtMIJTT.exe
  C:\Windows\System\vtMIJTT.exe
  2⤵
  PID:9136
- C:\Windows\System\RdRWRJe.exe
  C:\Windows\System\RdRWRJe.exe
  2⤵
  PID:9168
- C:\Windows\System\juHUZNr.exe
  C:\Windows\System\juHUZNr.exe
  2⤵
  PID:9200
- C:\Windows\System\JUqldPN.exe
  C:\Windows\System\JUqldPN.exe
  2⤵
  PID:7988
- C:\Windows\System\mdJeQOy.exe
  C:\Windows\System\mdJeQOy.exe
  2⤵
  PID:7648
- C:\Windows\System\vLmjstP.exe
  C:\Windows\System\vLmjstP.exe
  2⤵
  PID:8260
- C:\Windows\System\gjRVWqN.exe
  C:\Windows\System\gjRVWqN.exe
  2⤵
  PID:8376
- C:\Windows\System\wMgfOTA.exe
  C:\Windows\System\wMgfOTA.exe
  2⤵
  PID:8348
- C:\Windows\System\mJSGHtM.exe
  C:\Windows\System\mJSGHtM.exe
  2⤵
  PID:8492
- C:\Windows\System\kwcfRxU.exe
  C:\Windows\System\kwcfRxU.exe
  2⤵
  PID:8604
- C:\Windows\System\tSQcYFj.exe
  C:\Windows\System\tSQcYFj.exe
  2⤵
  PID:8696
- C:\Windows\System\eXMfWWZ.exe
  C:\Windows\System\eXMfWWZ.exe
  2⤵
  PID:8736
- C:\Windows\System\OYxfSpO.exe
  C:\Windows\System\OYxfSpO.exe
  2⤵
  PID:8868
- C:\Windows\System\ENLloyh.exe
  C:\Windows\System\ENLloyh.exe
  2⤵
  PID:9032
- C:\Windows\System\LpeXtfL.exe
  C:\Windows\System\LpeXtfL.exe
  2⤵
  PID:9064
- C:\Windows\System\rBjfftN.exe
  C:\Windows\System\rBjfftN.exe
  2⤵
  PID:9196
- C:\Windows\System\FvYDXst.exe
  C:\Windows\System\FvYDXst.exe
  2⤵
  PID:7188
- C:\Windows\System\sQHtVnD.exe
  C:\Windows\System\sQHtVnD.exe
  2⤵
  PID:8292
- C:\Windows\System\mKplRzl.exe
  C:\Windows\System\mKplRzl.exe
  2⤵
  PID:8548
- C:\Windows\System\YcodQRe.exe
  C:\Windows\System\YcodQRe.exe
  2⤵
  PID:8812
- C:\Windows\System\QNFLIPa.exe
  C:\Windows\System\QNFLIPa.exe
  2⤵
  PID:8796
- C:\Windows\System\EBlObWj.exe
  C:\Windows\System\EBlObWj.exe
  2⤵
  PID:8884
- C:\Windows\System\yDpQNOk.exe
  C:\Windows\System\yDpQNOk.exe
  2⤵
  PID:8956
- C:\Windows\System\AXdISVX.exe
  C:\Windows\System\AXdISVX.exe
  2⤵
  PID:8328
- C:\Windows\System\tNXtaIn.exe
  C:\Windows\System\tNXtaIn.exe
  2⤵
  PID:8904
- C:\Windows\System\rXMLBBG.exe
  C:\Windows\System\rXMLBBG.exe
  2⤵
  PID:9056
- C:\Windows\System\qKcXbWX.exe
  C:\Windows\System\qKcXbWX.exe
  2⤵
  PID:8776
- C:\Windows\System\aJxRwwy.exe
  C:\Windows\System\aJxRwwy.exe
  2⤵
  PID:9240
- C:\Windows\System\KluAXhR.exe
  C:\Windows\System\KluAXhR.exe
  2⤵
  PID:9268
- C:\Windows\System\gEToogh.exe
  C:\Windows\System\gEToogh.exe
  2⤵
  PID:9296
- C:\Windows\System\nOuVOnC.exe
  C:\Windows\System\nOuVOnC.exe
  2⤵
  PID:9328
- C:\Windows\System\aJLyjDb.exe
  C:\Windows\System\aJLyjDb.exe
  2⤵
  PID:9360
- C:\Windows\System\uAqQpdQ.exe
  C:\Windows\System\uAqQpdQ.exe
  2⤵
  PID:9388
- C:\Windows\System\IrtRDfb.exe
  C:\Windows\System\IrtRDfb.exe
  2⤵
  PID:9416
- C:\Windows\System\MnMRygL.exe
  C:\Windows\System\MnMRygL.exe
  2⤵
  PID:9452
- C:\Windows\System\xLOcgDP.exe
  C:\Windows\System\xLOcgDP.exe
  2⤵
  PID:9488
- C:\Windows\System\rGeuZCY.exe
  C:\Windows\System\rGeuZCY.exe
  2⤵
  PID:9516
- C:\Windows\System\wZlfubF.exe
  C:\Windows\System\wZlfubF.exe
  2⤵
  PID:9544
- C:\Windows\System\mmUYAle.exe
  C:\Windows\System\mmUYAle.exe
  2⤵
  PID:9572
- C:\Windows\System\sCUWQcq.exe
  C:\Windows\System\sCUWQcq.exe
  2⤵
  PID:9608
- C:\Windows\System\HqRvaVN.exe
  C:\Windows\System\HqRvaVN.exe
  2⤵
  PID:9644
- C:\Windows\System\ECbgYGe.exe
  C:\Windows\System\ECbgYGe.exe
  2⤵
  PID:9660
- C:\Windows\System\YPFzhoX.exe
  C:\Windows\System\YPFzhoX.exe
  2⤵
  PID:9684
- C:\Windows\System\dFXVMXI.exe
  C:\Windows\System\dFXVMXI.exe
  2⤵
  PID:9724
- C:\Windows\System\FRAfCQh.exe
  C:\Windows\System\FRAfCQh.exe
  2⤵
  PID:9752
- C:\Windows\System\WISdRZD.exe
  C:\Windows\System\WISdRZD.exe
  2⤵
  PID:9784
- C:\Windows\System\VpeQgAg.exe
  C:\Windows\System\VpeQgAg.exe
  2⤵
  PID:9816
- C:\Windows\System\EujWPZO.exe
  C:\Windows\System\EujWPZO.exe
  2⤵
  PID:9844
- C:\Windows\System\aNHWRhD.exe
  C:\Windows\System\aNHWRhD.exe
  2⤵
  PID:9876
- C:\Windows\System\kdtJQQZ.exe
  C:\Windows\System\kdtJQQZ.exe
  2⤵
  PID:9908
- C:\Windows\System\ldIHRUW.exe
  C:\Windows\System\ldIHRUW.exe
  2⤵
  PID:9936
- C:\Windows\System\ynnWudu.exe
  C:\Windows\System\ynnWudu.exe
  2⤵
  PID:9964
- C:\Windows\System\UPHpSMB.exe
  C:\Windows\System\UPHpSMB.exe
  2⤵
  PID:9992
- C:\Windows\System\ZpldynF.exe
  C:\Windows\System\ZpldynF.exe
  2⤵
  PID:10020
- C:\Windows\System\ATqBENq.exe
  C:\Windows\System\ATqBENq.exe
  2⤵
  PID:10048
- C:\Windows\System\SqSLybK.exe
  C:\Windows\System\SqSLybK.exe
  2⤵
  PID:10076
- C:\Windows\System\JJQtGHX.exe
  C:\Windows\System\JJQtGHX.exe
  2⤵
  PID:10104
- C:\Windows\System\dnDcjlf.exe
  C:\Windows\System\dnDcjlf.exe
  2⤵
  PID:10136
- C:\Windows\System\bvIOUOd.exe
  C:\Windows\System\bvIOUOd.exe
  2⤵
  PID:10164
- C:\Windows\System\XGsjZIY.exe
  C:\Windows\System\XGsjZIY.exe
  2⤵
  PID:10192
- C:\Windows\System\ZcCQMaA.exe
  C:\Windows\System\ZcCQMaA.exe
  2⤵
  PID:10220
- C:\Windows\System\WziQqgO.exe
  C:\Windows\System\WziQqgO.exe
  2⤵
  PID:8780
- C:\Windows\System\DwvlZBa.exe
  C:\Windows\System\DwvlZBa.exe
  2⤵
  PID:9276
- C:\Windows\System\PDTzApz.exe
  C:\Windows\System\PDTzApz.exe
  2⤵
  PID:9304
- C:\Windows\System\LcuCAVR.exe
  C:\Windows\System\LcuCAVR.exe
  2⤵
  PID:9384
- C:\Windows\System\HdMFaPq.exe
  C:\Windows\System\HdMFaPq.exe
  2⤵
  PID:9444
- C:\Windows\System\TxmhCIm.exe
  C:\Windows\System\TxmhCIm.exe
  2⤵
  PID:9540
- C:\Windows\System\pUSDxVj.exe
  C:\Windows\System\pUSDxVj.exe
  2⤵
  PID:9652
- C:\Windows\System\WTlZjjn.exe
  C:\Windows\System\WTlZjjn.exe
  2⤵
  PID:9676
- C:\Windows\System\IGwSqtl.exe
  C:\Windows\System\IGwSqtl.exe
  2⤵
  PID:9732
- C:\Windows\System\QokYCyC.exe
  C:\Windows\System\QokYCyC.exe
  2⤵
  PID:9804
- C:\Windows\System\cPwmKFP.exe
  C:\Windows\System\cPwmKFP.exe
  2⤵
  PID:9868
- C:\Windows\System\BYtFeTD.exe
  C:\Windows\System\BYtFeTD.exe
  2⤵
  PID:3668
- C:\Windows\System\bQcsdsZ.exe
  C:\Windows\System\bQcsdsZ.exe
  2⤵
  PID:9976
- C:\Windows\System\FeJHKZk.exe
  C:\Windows\System\FeJHKZk.exe
  2⤵
  PID:10040
- C:\Windows\System\NdflSji.exe
  C:\Windows\System\NdflSji.exe
  2⤵
  PID:10096
- C:\Windows\System\iNZKymH.exe
  C:\Windows\System\iNZKymH.exe
  2⤵
  PID:10176
- C:\Windows\System\eGMUsku.exe
  C:\Windows\System\eGMUsku.exe
  2⤵
  PID:8536
- C:\Windows\System\wMhIupA.exe
  C:\Windows\System\wMhIupA.exe
  2⤵
  PID:9356
- C:\Windows\System\OuPVpRm.exe
  C:\Windows\System\OuPVpRm.exe
  2⤵
  PID:9432
- C:\Windows\System\aLipWvr.exe
  C:\Windows\System\aLipWvr.exe
  2⤵
  PID:9632
- C:\Windows\System\MlcPDmE.exe
  C:\Windows\System\MlcPDmE.exe
  2⤵
  PID:9840
- C:\Windows\System\gvizjBJ.exe
  C:\Windows\System\gvizjBJ.exe
  2⤵
  PID:9948
- C:\Windows\System\hqpxnib.exe
  C:\Windows\System\hqpxnib.exe
  2⤵
  PID:10088
- C:\Windows\System\aeaFrEs.exe
  C:\Windows\System\aeaFrEs.exe
  2⤵
  PID:2060
- C:\Windows\System\kXvgymb.exe
  C:\Windows\System\kXvgymb.exe
  2⤵
  PID:9620
- C:\Windows\System\AHmetqB.exe
  C:\Windows\System\AHmetqB.exe
  2⤵
  PID:9920
- C:\Windows\System\VmBqJvF.exe
  C:\Windows\System\VmBqJvF.exe
  2⤵
  PID:10216
- C:\Windows\System\jQJrkqR.exe
  C:\Windows\System\jQJrkqR.exe
  2⤵
  PID:10060
- C:\Windows\System\UiyKInw.exe
  C:\Windows\System\UiyKInw.exe
  2⤵
  PID:10248
- C:\Windows\System\wwkYHWN.exe
  C:\Windows\System\wwkYHWN.exe
  2⤵
  PID:10268
- C:\Windows\System\bHOZcpL.exe
  C:\Windows\System\bHOZcpL.exe
  2⤵
  PID:10288
- C:\Windows\System\zpmxTxt.exe
  C:\Windows\System\zpmxTxt.exe
  2⤵
  PID:10312
- C:\Windows\System\sHWsIdf.exe
  C:\Windows\System\sHWsIdf.exe
  2⤵
  PID:10348
- C:\Windows\System\fqAuNCM.exe
  C:\Windows\System\fqAuNCM.exe
  2⤵
  PID:10384
- C:\Windows\System\GLopdtE.exe
  C:\Windows\System\GLopdtE.exe
  2⤵
  PID:10408
- C:\Windows\System\mzQUZIo.exe
  C:\Windows\System\mzQUZIo.exe
  2⤵
  PID:10460
- C:\Windows\System\dqrdQBf.exe
  C:\Windows\System\dqrdQBf.exe
  2⤵
  PID:10500
- C:\Windows\System\qISGuGh.exe
  C:\Windows\System\qISGuGh.exe
  2⤵
  PID:10516
- C:\Windows\System\lCiQcVV.exe
  C:\Windows\System\lCiQcVV.exe
  2⤵
  PID:10536
- C:\Windows\System\AkXgWow.exe
  C:\Windows\System\AkXgWow.exe
  2⤵
  PID:10556
- C:\Windows\System\xEXRZsV.exe
  C:\Windows\System\xEXRZsV.exe
  2⤵
  PID:10576
- C:\Windows\System\vssuKKh.exe
  C:\Windows\System\vssuKKh.exe
  2⤵
  PID:10600
- C:\Windows\System\AqOsPll.exe
  C:\Windows\System\AqOsPll.exe
  2⤵
  PID:10632
- C:\Windows\System\IzuPcew.exe
  C:\Windows\System\IzuPcew.exe
  2⤵
  PID:10664
- C:\Windows\System\UXkIuaC.exe
  C:\Windows\System\UXkIuaC.exe
  2⤵
  PID:10692
- C:\Windows\System\ULDRYRh.exe
  C:\Windows\System\ULDRYRh.exe
  2⤵
  PID:10724
- C:\Windows\System\KNrCCKj.exe
  C:\Windows\System\KNrCCKj.exe
  2⤵
  PID:10764
- C:\Windows\System\JlcTjZm.exe
  C:\Windows\System\JlcTjZm.exe
  2⤵
  PID:10804
- C:\Windows\System\NyCsIuz.exe
  C:\Windows\System\NyCsIuz.exe
  2⤵
  PID:10824
- C:\Windows\System\xvVmteZ.exe
  C:\Windows\System\xvVmteZ.exe
  2⤵
  PID:10852
- C:\Windows\System\bbbAbKJ.exe
  C:\Windows\System\bbbAbKJ.exe
  2⤵
  PID:10884
- C:\Windows\System\ypOjdhL.exe
  C:\Windows\System\ypOjdhL.exe
  2⤵
  PID:10908
- C:\Windows\System\rlSUKDr.exe
  C:\Windows\System\rlSUKDr.exe
  2⤵
  PID:10928
- C:\Windows\System\BAUiKFO.exe
  C:\Windows\System\BAUiKFO.exe
  2⤵
  PID:10956
- C:\Windows\System\ewXblOk.exe
  C:\Windows\System\ewXblOk.exe
  2⤵
  PID:10980
- C:\Windows\System\rgquMPG.exe
  C:\Windows\System\rgquMPG.exe
  2⤵
  PID:11016
- C:\Windows\System\NLzcbPH.exe
  C:\Windows\System\NLzcbPH.exe
  2⤵
  PID:11048
- C:\Windows\System\DooSuvW.exe
  C:\Windows\System\DooSuvW.exe
  2⤵
  PID:11080
- C:\Windows\System\piBdUID.exe
  C:\Windows\System\piBdUID.exe
  2⤵
  PID:11128
- C:\Windows\System\teuIXkY.exe
  C:\Windows\System\teuIXkY.exe
  2⤵
  PID:11156
- C:\Windows\System\rzWDhpz.exe
  C:\Windows\System\rzWDhpz.exe
  2⤵
  PID:11180
- C:\Windows\System\FuNiImV.exe
  C:\Windows\System\FuNiImV.exe
  2⤵
  PID:11208
- C:\Windows\System\hVKDcHP.exe
  C:\Windows\System\hVKDcHP.exe
  2⤵
  PID:11248
- C:\Windows\System\VHaWweR.exe
  C:\Windows\System\VHaWweR.exe
  2⤵
  PID:10276
- C:\Windows\System\vkAshPf.exe
  C:\Windows\System\vkAshPf.exe
  2⤵
  PID:10328
- C:\Windows\System\CWNfPZA.exe
  C:\Windows\System\CWNfPZA.exe
  2⤵
  PID:10456
- C:\Windows\System\mpgYzcq.exe
  C:\Windows\System\mpgYzcq.exe
  2⤵
  PID:10524
- C:\Windows\System\nAEMVhT.exe
  C:\Windows\System\nAEMVhT.exe
  2⤵
  PID:10624
- C:\Windows\System\yHVdwpn.exe
  C:\Windows\System\yHVdwpn.exe
  2⤵
  PID:10772
- C:\Windows\System\HYPXpFg.exe
  C:\Windows\System\HYPXpFg.exe
  2⤵
  PID:10752
- C:\Windows\System\wmtIJee.exe
  C:\Windows\System\wmtIJee.exe
  2⤵
  PID:10876
- C:\Windows\System\BGMXuny.exe
  C:\Windows\System\BGMXuny.exe
  2⤵
  PID:10916
- C:\Windows\System\plHSKHH.exe
  C:\Windows\System\plHSKHH.exe
  2⤵
  PID:10976
- C:\Windows\System\bqtSxBs.exe
  C:\Windows\System\bqtSxBs.exe
  2⤵
  PID:10988
- C:\Windows\System\WhdRUYc.exe
  C:\Windows\System\WhdRUYc.exe
  2⤵
  PID:11056
- C:\Windows\System\vPcNfOp.exe
  C:\Windows\System\vPcNfOp.exe
  2⤵
  PID:11164
- C:\Windows\System\ouTgMpj.exe
  C:\Windows\System\ouTgMpj.exe
  2⤵
  PID:11200
- C:\Windows\System\EFrDGXn.exe
  C:\Windows\System\EFrDGXn.exe
  2⤵
  PID:10244
- C:\Windows\System\jetcaEn.exe
  C:\Windows\System\jetcaEn.exe
  2⤵
  PID:10404
- C:\Windows\System\hsofLXa.exe
  C:\Windows\System\hsofLXa.exe
  2⤵
  PID:10480
- C:\Windows\System\MiKzSYG.exe
  C:\Windows\System\MiKzSYG.exe
  2⤵
  PID:7972
- C:\Windows\System\vJHrIHK.exe
  C:\Windows\System\vJHrIHK.exe
  2⤵
  PID:7940
- C:\Windows\System\MDrVvPb.exe
  C:\Windows\System\MDrVvPb.exe
  2⤵
  PID:10872
- C:\Windows\System\HTanqQd.exe
  C:\Windows\System\HTanqQd.exe
  2⤵
  PID:5288
- C:\Windows\System\rrdLddf.exe
  C:\Windows\System\rrdLddf.exe
  2⤵
  PID:11144
- C:\Windows\System\xUhGbIg.exe
  C:\Windows\System\xUhGbIg.exe
  2⤵
  PID:10416
- C:\Windows\System\AKIQuSy.exe
  C:\Windows\System\AKIQuSy.exe
  2⤵
  PID:8616
- C:\Windows\System\uZDBzZv.exe
  C:\Windows\System\uZDBzZv.exe
  2⤵
  PID:10900
- C:\Windows\System\AdxOkDD.exe
  C:\Windows\System\AdxOkDD.exe
  2⤵
  PID:10564
- C:\Windows\System\EVZiwRg.exe
  C:\Windows\System\EVZiwRg.exe
  2⤵
  PID:11168
- C:\Windows\System\ikSkmfZ.exe
  C:\Windows\System\ikSkmfZ.exe
  2⤵
  PID:11272
- C:\Windows\System\qjNqXad.exe
  C:\Windows\System\qjNqXad.exe
  2⤵
  PID:11300
- C:\Windows\System\rbXhohi.exe
  C:\Windows\System\rbXhohi.exe
  2⤵
  PID:11328
- C:\Windows\System\vXpKIjm.exe
  C:\Windows\System\vXpKIjm.exe
  2⤵
  PID:11356
- C:\Windows\System\KXycIxB.exe
  C:\Windows\System\KXycIxB.exe
  2⤵
  PID:11384
- C:\Windows\System\iyWYexb.exe
  C:\Windows\System\iyWYexb.exe
  2⤵
  PID:11412
- C:\Windows\System\MBzwCvr.exe
  C:\Windows\System\MBzwCvr.exe
  2⤵
  PID:11456
- C:\Windows\System\tTZxrdP.exe
  C:\Windows\System\tTZxrdP.exe
  2⤵
  PID:11472
- C:\Windows\System\BpmNWRh.exe
  C:\Windows\System\BpmNWRh.exe
  2⤵
  PID:11500
- C:\Windows\System\umHxLcU.exe
  C:\Windows\System\umHxLcU.exe
  2⤵
  PID:11528
- C:\Windows\System\oOMfpXB.exe
  C:\Windows\System\oOMfpXB.exe
  2⤵
  PID:11544
- C:\Windows\System\QsRkMKX.exe
  C:\Windows\System\QsRkMKX.exe
  2⤵
  PID:11564
- C:\Windows\System\qWMKUqh.exe
  C:\Windows\System\qWMKUqh.exe
  2⤵
  PID:11600
- C:\Windows\System\EUYBPLa.exe
  C:\Windows\System\EUYBPLa.exe
  2⤵
  PID:11624
- C:\Windows\System\qmTDubU.exe
  C:\Windows\System\qmTDubU.exe
  2⤵
  PID:11656
- C:\Windows\System\TzHDQAe.exe
  C:\Windows\System\TzHDQAe.exe
  2⤵
  PID:11684
- C:\Windows\System\jWqosjO.exe
  C:\Windows\System\jWqosjO.exe
  2⤵
  PID:11724
- C:\Windows\System\QIoPsQy.exe
  C:\Windows\System\QIoPsQy.exe
  2⤵
  PID:11752
- C:\Windows\System\fldXIiT.exe
  C:\Windows\System\fldXIiT.exe
  2⤵
  PID:11784
- C:\Windows\System\zOmrNnC.exe
  C:\Windows\System\zOmrNnC.exe
  2⤵
  PID:11808
- C:\Windows\System\lGzpZIP.exe
  C:\Windows\System\lGzpZIP.exe
  2⤵
  PID:11836
- C:\Windows\System\SLaGvtJ.exe
  C:\Windows\System\SLaGvtJ.exe
  2⤵
  PID:11872
- C:\Windows\System\BRmstRC.exe
  C:\Windows\System\BRmstRC.exe
  2⤵
  PID:11904
- C:\Windows\System\HnPbikc.exe
  C:\Windows\System\HnPbikc.exe
  2⤵
  PID:11932
- C:\Windows\System\yYwZVBc.exe
  C:\Windows\System\yYwZVBc.exe
  2⤵
  PID:11972
- C:\Windows\System\HljfevK.exe
  C:\Windows\System\HljfevK.exe
  2⤵
  PID:11996
- C:\Windows\System\wCaZsyO.exe
  C:\Windows\System\wCaZsyO.exe
  2⤵
  PID:12028
- C:\Windows\System\RKxddzw.exe
  C:\Windows\System\RKxddzw.exe
  2⤵
  PID:12076
- C:\Windows\System\sPvrgGf.exe
  C:\Windows\System\sPvrgGf.exe
  2⤵
  PID:12100
- C:\Windows\System\kMwCFpQ.exe
  C:\Windows\System\kMwCFpQ.exe
  2⤵
  PID:12140
- C:\Windows\System\tpOFBdz.exe
  C:\Windows\System\tpOFBdz.exe
  2⤵
  PID:12180
- C:\Windows\System\ESxeAEH.exe
  C:\Windows\System\ESxeAEH.exe
  2⤵
  PID:12216
- C:\Windows\System\wmULvLv.exe
  C:\Windows\System\wmULvLv.exe
  2⤵
  PID:12260
- C:\Windows\System\urcLlHx.exe
  C:\Windows\System\urcLlHx.exe
  2⤵
  PID:11284
- C:\Windows\System\rVBhPwA.exe
  C:\Windows\System\rVBhPwA.exe
  2⤵
  PID:11380
- C:\Windows\System\MYqmjQP.exe
  C:\Windows\System\MYqmjQP.exe
  2⤵
  PID:11464
- C:\Windows\System\huAsyNw.exe
  C:\Windows\System\huAsyNw.exe
  2⤵
  PID:11496
- C:\Windows\System\PDuCfJL.exe
  C:\Windows\System\PDuCfJL.exe
  2⤵
  PID:11520
- C:\Windows\System\VszdzQv.exe
  C:\Windows\System\VszdzQv.exe
  2⤵
  PID:11636
- C:\Windows\System\fGVYCzw.exe
  C:\Windows\System\fGVYCzw.exe
  2⤵
  PID:11676
- C:\Windows\System\maGWRIc.exe
  C:\Windows\System\maGWRIc.exe
  2⤵
  PID:11744
- C:\Windows\System\PaoDIGV.exe
  C:\Windows\System\PaoDIGV.exe
  2⤵
  PID:11820
- C:\Windows\System\IzqhtPy.exe
  C:\Windows\System\IzqhtPy.exe
  2⤵
  PID:11888
- C:\Windows\System\DiIVXoW.exe
  C:\Windows\System\DiIVXoW.exe
  2⤵
  PID:11940
- C:\Windows\System\EZPopHS.exe
  C:\Windows\System\EZPopHS.exe
  2⤵
  PID:12020
- C:\Windows\System\JPCjtfi.exe
  C:\Windows\System\JPCjtfi.exe
  2⤵
  PID:12092
- C:\Windows\System\CMjPADX.exe
  C:\Windows\System\CMjPADX.exe
  2⤵
  PID:12168
- C:\Windows\System\wKKuFNv.exe
  C:\Windows\System\wKKuFNv.exe
  2⤵
  PID:12284
- C:\Windows\System\THiBFNl.exe
  C:\Windows\System\THiBFNl.exe
  2⤵
  PID:11408
- C:\Windows\System\applqHi.exe
  C:\Windows\System\applqHi.exe
  2⤵
  PID:11608
- C:\Windows\System\QRqeonH.exe
  C:\Windows\System\QRqeonH.exe
  2⤵
  PID:11764
- C:\Windows\System\wtCsVKh.exe
  C:\Windows\System\wtCsVKh.exe
  2⤵
  PID:12052
- C:\Windows\System\nEqbbwu.exe
  C:\Windows\System\nEqbbwu.exe
  2⤵
  PID:12236
- C:\Windows\System\JNebcfF.exe
  C:\Windows\System\JNebcfF.exe
  2⤵
  PID:11692
- C:\Windows\System\Zuufudo.exe
  C:\Windows\System\Zuufudo.exe
  2⤵
  PID:12176
- C:\Windows\System\ZPUyhld.exe
  C:\Windows\System\ZPUyhld.exe
  2⤵
  PID:12316
- C:\Windows\System\LwJJiPn.exe
  C:\Windows\System\LwJJiPn.exe
  2⤵
  PID:12364
- C:\Windows\System\YTzzJam.exe
  C:\Windows\System\YTzzJam.exe
  2⤵
  PID:12380
- C:\Windows\System\zksGHrW.exe
  C:\Windows\System\zksGHrW.exe
  2⤵
  PID:12408
- C:\Windows\System\QEACclW.exe
  C:\Windows\System\QEACclW.exe
  2⤵
  PID:12436
- C:\Windows\System\WkDRhSJ.exe
  C:\Windows\System\WkDRhSJ.exe
  2⤵
  PID:12460
- C:\Windows\System\UxfQiZT.exe
  C:\Windows\System\UxfQiZT.exe
  2⤵
  PID:12480
- C:\Windows\System\USpNjOt.exe
  C:\Windows\System\USpNjOt.exe
  2⤵
  PID:12508
- C:\Windows\System\XIghgoX.exe
  C:\Windows\System\XIghgoX.exe
  2⤵
  PID:12540
- C:\Windows\System\PWAjYIV.exe
  C:\Windows\System\PWAjYIV.exe
  2⤵
  PID:12572
- C:\Windows\System\JlKiZbe.exe
  C:\Windows\System\JlKiZbe.exe
  2⤵
  PID:12600
- C:\Windows\System\IZXuQeW.exe
  C:\Windows\System\IZXuQeW.exe
  2⤵
  PID:12624
- C:\Windows\System\ONgloWL.exe
  C:\Windows\System\ONgloWL.exe
  2⤵
  PID:12660
- C:\Windows\System\bpQFJxc.exe
  C:\Windows\System\bpQFJxc.exe
  2⤵
  PID:12724
- C:\Windows\System\vZFtmYZ.exe
  C:\Windows\System\vZFtmYZ.exe
  2⤵
  PID:12740
- C:\Windows\System\QzkFTnT.exe
  C:\Windows\System\QzkFTnT.exe
  2⤵
  PID:12756
- C:\Windows\System\hylHyMA.exe
  C:\Windows\System\hylHyMA.exe
  2⤵
  PID:12776
- C:\Windows\System\tiltsux.exe
  C:\Windows\System\tiltsux.exe
  2⤵
  PID:12796
- C:\Windows\System\KtIfPSu.exe
  C:\Windows\System\KtIfPSu.exe
  2⤵
  PID:12816
- C:\Windows\System\JZMEOVY.exe
  C:\Windows\System\JZMEOVY.exe
  2⤵
  PID:12840
- C:\Windows\System\eQhfdLo.exe
  C:\Windows\System\eQhfdLo.exe
  2⤵
  PID:12880
- C:\Windows\System\icJPAXa.exe
  C:\Windows\System\icJPAXa.exe
  2⤵
  PID:12912
- C:\Windows\System\pivldBI.exe
  C:\Windows\System\pivldBI.exe
  2⤵
  PID:12948
- C:\Windows\System\nBgGBHm.exe
  C:\Windows\System\nBgGBHm.exe
  2⤵
  PID:12976
- C:\Windows\System\FzWiZUs.exe
  C:\Windows\System\FzWiZUs.exe
  2⤵
  PID:13008
- C:\Windows\System\SOyQzGS.exe
  C:\Windows\System\SOyQzGS.exe
  2⤵
  PID:13044
- C:\Windows\System\BcDHHou.exe
  C:\Windows\System\BcDHHou.exe
  2⤵
  PID:13076
- C:\Windows\System\HZtRmdY.exe
  C:\Windows\System\HZtRmdY.exe
  2⤵
  PID:13108
- C:\Windows\System\btVCNLK.exe
  C:\Windows\System\btVCNLK.exe
  2⤵
  PID:13136
- C:\Windows\System\NByGbOY.exe
  C:\Windows\System\NByGbOY.exe
  2⤵
  PID:13168
- C:\Windows\System\KDozQKB.exe
  C:\Windows\System\KDozQKB.exe
  2⤵
  PID:13200
- C:\Windows\System\dXAcglw.exe
  C:\Windows\System\dXAcglw.exe
  2⤵
  PID:13240
- C:\Windows\System\UIYTwSL.exe
  C:\Windows\System\UIYTwSL.exe
  2⤵
  PID:13260
- C:\Windows\System\hcjUJWZ.exe
  C:\Windows\System\hcjUJWZ.exe
  2⤵
  PID:13276
- C:\Windows\System\sJMNWyx.exe
  C:\Windows\System\sJMNWyx.exe
  2⤵
  PID:13296
- C:\Windows\System\wdNCqFT.exe
  C:\Windows\System\wdNCqFT.exe
  2⤵
  PID:12120
- C:\Windows\System\VsXdGiK.exe
  C:\Windows\System\VsXdGiK.exe
  2⤵
  PID:12304
- C:\Windows\System\ZEJSPun.exe
  C:\Windows\System\ZEJSPun.exe
  2⤵
  PID:12344
- C:\Windows\System\UpigDbi.exe
  C:\Windows\System\UpigDbi.exe
  2⤵
  PID:12428
- C:\Windows\System\dimmmhn.exe
  C:\Windows\System\dimmmhn.exe
  2⤵
  PID:12456
- C:\Windows\System\EmdwytB.exe
  C:\Windows\System\EmdwytB.exe
  2⤵
  PID:12592
- C:\Windows\System\XixPFjO.exe
  C:\Windows\System\XixPFjO.exe
  2⤵
  PID:12736
- C:\Windows\System\OjjLSjc.exe
  C:\Windows\System\OjjLSjc.exe
  2⤵
  PID:12764
- C:\Windows\System\tMzZhvy.exe
  C:\Windows\System\tMzZhvy.exe
  2⤵
  PID:12900
- C:\Windows\System\PSCXIQZ.exe
  C:\Windows\System\PSCXIQZ.exe
  2⤵
  PID:12968
- C:\Windows\System\UcAhFzt.exe
  C:\Windows\System\UcAhFzt.exe
  2⤵
  PID:12992
- C:\Windows\System\rpoVjYS.exe
  C:\Windows\System\rpoVjYS.exe
  2⤵
  PID:13028
- C:\Windows\System\bUvWmLm.exe
  C:\Windows\System\bUvWmLm.exe
  2⤵
  PID:13068
- C:\Windows\System\artLMOB.exe
  C:\Windows\System\artLMOB.exe
  2⤵
  PID:13144
- C:\Windows\System\SYyVZai.exe
  C:\Windows\System\SYyVZai.exe
  2⤵
  PID:13120
- C:\Windows\System\nBdHmlJ.exe
  C:\Windows\System\nBdHmlJ.exe
  2⤵
  PID:13196
- C:\Windows\System\YISPmEh.exe
  C:\Windows\System\YISPmEh.exe
  2⤵
  PID:13220
- C:\Windows\System\vcPACIO.exe
  C:\Windows\System\vcPACIO.exe
  2⤵
  PID:13236
- C:\Windows\System\jeIvFoc.exe
  C:\Windows\System\jeIvFoc.exe
  2⤵
  PID:11804
- C:\Windows\System\ABnCpHn.exe
  C:\Windows\System\ABnCpHn.exe
  2⤵
  PID:5032
- C:\Windows\System\bKxsMwb.exe
  C:\Windows\System\bKxsMwb.exe
  2⤵
  PID:4976
- C:\Windows\System\zjSxRfY.exe
  C:\Windows\System\zjSxRfY.exe
  2⤵
  PID:12832
- C:\Windows\System\skNBLfN.exe
  C:\Windows\System\skNBLfN.exe
  2⤵
  PID:12548
- C:\Windows\System\hEvyXmi.exe
  C:\Windows\System\hEvyXmi.exe
  2⤵
  PID:12864
- C:\Windows\System\RtXoBcT.exe
  C:\Windows\System\RtXoBcT.exe
  2⤵
  PID:13180
- C:\Windows\System\cbLuJzD.exe
  C:\Windows\System\cbLuJzD.exe
  2⤵
  PID:12696
- C:\Windows\System\FMygvUN.exe
  C:\Windows\System\FMygvUN.exe
  2⤵
  PID:12788
- C:\Windows\System\UEIWVDS.exe
  C:\Windows\System\UEIWVDS.exe
  2⤵
  PID:12896
- C:\Windows\System\jmGrwNa.exe
  C:\Windows\System\jmGrwNa.exe
  2⤵
  PID:13324
- C:\Windows\System\MrBPfXy.exe
  C:\Windows\System\MrBPfXy.exe
  2⤵
  PID:13348
- C:\Windows\System\bwUCfRW.exe
  C:\Windows\System\bwUCfRW.exe
  2⤵
  PID:13380
- C:\Windows\System\trSPOXy.exe
  C:\Windows\System\trSPOXy.exe
  2⤵
  PID:13408
- C:\Windows\System\uhXYauf.exe
  C:\Windows\System\uhXYauf.exe
  2⤵
  PID:13436
- C:\Windows\System\SwZWoXn.exe
  C:\Windows\System\SwZWoXn.exe
  2⤵
  PID:13452
- C:\Windows\System\VzxRpyK.exe
  C:\Windows\System\VzxRpyK.exe
  2⤵
  PID:13476
- C:\Windows\System\srWKqEV.exe
  C:\Windows\System\srWKqEV.exe
  2⤵
  PID:13504
- C:\Windows\System\MzqEpbT.exe
  C:\Windows\System\MzqEpbT.exe
  2⤵
  PID:13536
- C:\Windows\System\LhZDICA.exe
  C:\Windows\System\LhZDICA.exe
  2⤵
  PID:13560
- C:\Windows\System\ZnYmlLP.exe
  C:\Windows\System\ZnYmlLP.exe
  2⤵
  PID:13584
- C:\Windows\System\zwwGFHJ.exe
  C:\Windows\System\zwwGFHJ.exe
  2⤵
  PID:13600
- C:\Windows\System\zmjKlvy.exe
  C:\Windows\System\zmjKlvy.exe
  2⤵
  PID:13620
- C:\Windows\System\NasZGCK.exe
  C:\Windows\System\NasZGCK.exe
  2⤵
  PID:13640
- C:\Windows\System\DIeEVlU.exe
  C:\Windows\System\DIeEVlU.exe
  2⤵
  PID:13660
- C:\Windows\System\mmvlGrh.exe
  C:\Windows\System\mmvlGrh.exe
  2⤵
  PID:13868
- C:\Windows\System\XBLrtxe.exe
  C:\Windows\System\XBLrtxe.exe
  2⤵
  PID:13884
- C:\Windows\System\LOMgRiV.exe
  C:\Windows\System\LOMgRiV.exe
  2⤵
  PID:13900
- C:\Windows\System\OztaphA.exe
  C:\Windows\System\OztaphA.exe
  2⤵
  PID:13916
- C:\Windows\System\qDdZpig.exe
  C:\Windows\System\qDdZpig.exe
  2⤵
  PID:13940
- C:\Windows\System\cZLXoqA.exe
  C:\Windows\System\cZLXoqA.exe
  2⤵
  PID:13956
- C:\Windows\System\QgCeDqA.exe
  C:\Windows\System\QgCeDqA.exe
  2⤵
  PID:13972
- C:\Windows\System\IwGLoXA.exe
  C:\Windows\System\IwGLoXA.exe
  2⤵
  PID:14164
- C:\Windows\System\txuDaSM.exe
  C:\Windows\System\txuDaSM.exe
  2⤵
  PID:14184
- C:\Windows\System\UmiRiFP.exe
  C:\Windows\System\UmiRiFP.exe
  2⤵
  PID:14212
- C:\Windows\System\tWjBfVP.exe
  C:\Windows\System\tWjBfVP.exe
  2⤵
  PID:14228
- C:\Windows\System\JZAJYUu.exe
  C:\Windows\System\JZAJYUu.exe
  2⤵
  PID:14244
- C:\Windows\System\GMvFrCq.exe
  C:\Windows\System\GMvFrCq.exe
  2⤵
  PID:14288
- C:\Windows\System\WGMGAMH.exe
  C:\Windows\System\WGMGAMH.exe
  2⤵
  PID:14304
- C:\Windows\System\fjCCiZx.exe
  C:\Windows\System\fjCCiZx.exe
  2⤵
  PID:14320
- C:\Windows\System\wFPnKoa.exe
  C:\Windows\System\wFPnKoa.exe
  2⤵
  PID:13284
- C:\Windows\System\ngpDhpq.exe
  C:\Windows\System\ngpDhpq.exe
  2⤵
  PID:13104
- C:\Windows\System\pYHBtPG.exe
  C:\Windows\System\pYHBtPG.exe
  2⤵
  PID:3092
- C:\Windows\System\yvQVufs.exe
  C:\Windows\System\yvQVufs.exe
  2⤵
  PID:11368
- C:\Windows\System\ckWrUEW.exe
  C:\Windows\System\ckWrUEW.exe
  2⤵
  PID:13376
- C:\Windows\System\VcrfcXC.exe
  C:\Windows\System\VcrfcXC.exe
  2⤵
  PID:12720
- C:\Windows\System\SBTtdTE.exe
  C:\Windows\System\SBTtdTE.exe
  2⤵
  PID:13444
- C:\Windows\System\tyvFlof.exe
  C:\Windows\System\tyvFlof.exe
  2⤵
  PID:532
- C:\Windows\System\jmGzqKg.exe
  C:\Windows\System\jmGzqKg.exe
  2⤵
  PID:12668
- C:\Windows\System\pQWVcdm.exe
  C:\Windows\System\pQWVcdm.exe
  2⤵
  PID:13652
- C:\Windows\System\trPjEfP.exe
  C:\Windows\System\trPjEfP.exe
  2⤵
  PID:12676
- C:\Windows\System\RMQFUVY.exe
  C:\Windows\System\RMQFUVY.exe
  2⤵
  PID:13292
- C:\Windows\System\jxLiRoN.exe
  C:\Windows\System\jxLiRoN.exe
  2⤵
  PID:13316
- C:\Windows\System\PrwQdlv.exe
  C:\Windows\System\PrwQdlv.exe
  2⤵
  PID:13792
- C:\Windows\System\BVPgHmW.exe
  C:\Windows\System\BVPgHmW.exe
  2⤵
  PID:13552
- C:\Windows\System\izOFjRi.exe
  C:\Windows\System\izOFjRi.exe
  2⤵
  PID:13580
- C:\Windows\System\AoXQLRc.exe
  C:\Windows\System\AoXQLRc.exe
  2⤵
  PID:13696
- C:\Windows\System\VZmCnfu.exe
  C:\Windows\System\VZmCnfu.exe
  2⤵
  PID:13724
- C:\Windows\System\dLkckkB.exe
  C:\Windows\System\dLkckkB.exe
  2⤵
  PID:13752
- C:\Windows\System\PjwNvUD.exe
  C:\Windows\System\PjwNvUD.exe
  2⤵
  PID:2372
- C:\Windows\System\nFDUjii.exe
  C:\Windows\System\nFDUjii.exe
  2⤵
  PID:13892
- C:\Windows\System\TjXoRBk.exe
  C:\Windows\System\TjXoRBk.exe
  2⤵
  PID:14280
- C:\Windows\System\nPhMctC.exe
  C:\Windows\System\nPhMctC.exe
  2⤵
  PID:12888
- C:\Windows\System\zyuoAlq.exe
  C:\Windows\System\zyuoAlq.exe
  2⤵
  PID:3296
- C:\Windows\System\sYIAOpe.exe
  C:\Windows\System\sYIAOpe.exe
  2⤵
  PID:14108
- C:\Windows\System\VGYIhOq.exe
  C:\Windows\System\VGYIhOq.exe
  2⤵
  PID:14312
- C:\Windows\System\BPDmuLq.exe
  C:\Windows\System\BPDmuLq.exe
  2⤵
  PID:14240
- C:\Windows\System\wzRyVyd.exe
  C:\Windows\System\wzRyVyd.exe
  2⤵
  PID:14264
- C:\Windows\System\qlWqvHs.exe
  C:\Windows\System\qlWqvHs.exe
  2⤵
  PID:13740
- C:\Windows\System\AWCAKHq.exe
  C:\Windows\System\AWCAKHq.exe
  2⤵
  PID:13948
- C:\Windows\System\dsoftcd.exe
  C:\Windows\System\dsoftcd.exe
  2⤵
  PID:14348
- C:\Windows\System\UiwDgif.exe
  C:\Windows\System\UiwDgif.exe
  2⤵
  PID:14372
- C:\Windows\System\ttBXcfC.exe
  C:\Windows\System\ttBXcfC.exe
  2⤵
  PID:14416
- C:\Windows\System\tYsrJDn.exe
  C:\Windows\System\tYsrJDn.exe
  2⤵
  PID:14432
- C:\Windows\System\NNjkQlH.exe
  C:\Windows\System\NNjkQlH.exe
  2⤵
  PID:14464
- C:\Windows\System\KdJSBsz.exe
  C:\Windows\System\KdJSBsz.exe
  2⤵
  PID:14480
- C:\Windows\System\SAUrPQZ.exe
  C:\Windows\System\SAUrPQZ.exe
  2⤵
  PID:14496
- C:\Windows\System\euZbUwt.exe
  C:\Windows\System\euZbUwt.exe
  2⤵
  PID:14516
- C:\Windows\System\fYtYkoZ.exe
  C:\Windows\System\fYtYkoZ.exe
  2⤵
  PID:14536
- C:\Windows\System\wznHvzk.exe
  C:\Windows\System\wznHvzk.exe
  2⤵
  PID:14556
- C:\Windows\System\fwmsshv.exe
  C:\Windows\System\fwmsshv.exe
  2⤵
  PID:14572
- C:\Windows\System\qHIaOAf.exe
  C:\Windows\System\qHIaOAf.exe
  2⤵
  PID:14588
- C:\Windows\System\YogUBVr.exe
  C:\Windows\System\YogUBVr.exe
  2⤵
  PID:14640
- C:\Windows\System\awavcBG.exe
  C:\Windows\System\awavcBG.exe
  2⤵
  PID:14680
- C:\Windows\System\aoofMzl.exe
  C:\Windows\System\aoofMzl.exe
  2⤵
  PID:14696
- C:\Windows\System\yZnnDXL.exe
  C:\Windows\System\yZnnDXL.exe
  2⤵
  PID:14720
- C:\Windows\System\sXNsVYU.exe
  C:\Windows\System\sXNsVYU.exe
  2⤵
  PID:14736
- C:\Windows\System\wsUpSks.exe
  C:\Windows\System\wsUpSks.exe
  2⤵
  PID:14768
- C:\Windows\System\UxrzmRZ.exe
  C:\Windows\System\UxrzmRZ.exe
  2⤵
  PID:14872
- C:\Windows\System\woYAqtO.exe
  C:\Windows\System\woYAqtO.exe
  2⤵
  PID:14912
- C:\Windows\System\oOCpSAg.exe
  C:\Windows\System\oOCpSAg.exe
  2⤵
  PID:14940
- C:\Windows\System\jEzjzUI.exe
  C:\Windows\System\jEzjzUI.exe
  2⤵
  PID:14988
- C:\Windows\System\yknjYJK.exe
  C:\Windows\System\yknjYJK.exe
  2⤵
  PID:15016
- C:\Windows\System\KhAvGfN.exe
  C:\Windows\System\KhAvGfN.exe
  2⤵
  PID:15064
- C:\Windows\System\xPKNWzm.exe
  C:\Windows\System\xPKNWzm.exe
  2⤵
  PID:15088
- C:\Windows\System\vQkyAOf.exe
  C:\Windows\System\vQkyAOf.exe
  2⤵
  PID:15148
- C:\Windows\System\QVGlZkX.exe
  C:\Windows\System\QVGlZkX.exe
  2⤵
  PID:15184
- C:\Windows\System\jeYEUoZ.exe
  C:\Windows\System\jeYEUoZ.exe
  2⤵
  PID:15224
- C:\Windows\System\JwZplFQ.exe
  C:\Windows\System\JwZplFQ.exe
  2⤵
  PID:15260
- C:\Windows\System\buglSdD.exe
  C:\Windows\System\buglSdD.exe
  2⤵
  PID:15292
- C:\Windows\System\dQzuETg.exe
  C:\Windows\System\dQzuETg.exe
  2⤵
  PID:15328
- C:\Windows\System\nQtLlhJ.exe
  C:\Windows\System\nQtLlhJ.exe
  2⤵
  PID:3224
- C:\Windows\System\fJGNfmY.exe
  C:\Windows\System\fJGNfmY.exe
  2⤵
  PID:13336
- C:\Windows\System\rmYyOZT.exe
  C:\Windows\System\rmYyOZT.exe
  2⤵
  PID:13132
- C:\Windows\System\RMIqFli.exe
  C:\Windows\System\RMIqFli.exe
  2⤵
  PID:3360
- C:\Windows\System\DzBKKNU.exe
  C:\Windows\System\DzBKKNU.exe
  2⤵
  PID:13616
- C:\Windows\System\VdLKoXz.exe
  C:\Windows\System\VdLKoXz.exe
  2⤵
  PID:12324
- C:\Windows\System\HHvGQUW.exe
  C:\Windows\System\HHvGQUW.exe
  2⤵
  PID:13592
- C:\Windows\System\rYnqkIy.exe
  C:\Windows\System\rYnqkIy.exe
  2⤵
  PID:13548
- C:\Windows\System\OHHCkej.exe
  C:\Windows\System\OHHCkej.exe
  2⤵
  PID:13980
- C:\Windows\System\pDQGPEz.exe
  C:\Windows\System\pDQGPEz.exe
  2⤵
  PID:1540
- C:\Windows\System\Kzviuae.exe
  C:\Windows\System\Kzviuae.exe
  2⤵
  PID:1816
- C:\Windows\System\otvnyJH.exe
  C:\Windows\System\otvnyJH.exe
  2⤵
  PID:100
- C:\Windows\System\wgKhOaD.exe
  C:\Windows\System\wgKhOaD.exe
  2⤵
  PID:13164
- C:\Windows\System\lLqGROR.exe
  C:\Windows\System\lLqGROR.exe
  2⤵
  PID:14360
- C:\Windows\System\VbHcaVF.exe
  C:\Windows\System\VbHcaVF.exe
  2⤵
  PID:14384
- C:\Windows\System\uoejnMG.exe
  C:\Windows\System\uoejnMG.exe
  2⤵
  PID:14404
- C:\Windows\System\wLGpKtZ.exe
  C:\Windows\System\wLGpKtZ.exe
  2⤵
  PID:14452
- C:\Windows\System\YgzCSwK.exe
  C:\Windows\System\YgzCSwK.exe
  2⤵
  PID:14504
- C:\Windows\System\NsjcIoW.exe
  C:\Windows\System\NsjcIoW.exe
  2⤵
  PID:14552
- C:\Windows\System\DOeVWGT.exe
  C:\Windows\System\DOeVWGT.exe
  2⤵
  PID:14608
- C:\Windows\System\iOnfzNI.exe
  C:\Windows\System\iOnfzNI.exe
  2⤵
  PID:14660
- C:\Windows\System\rmKSICG.exe
  C:\Windows\System\rmKSICG.exe
  2⤵
  PID:14996
- C:\Windows\System\WTWqeyj.exe
  C:\Windows\System\WTWqeyj.exe
  2⤵
  PID:14900
- C:\Windows\System\DxdYXzy.exe
  C:\Windows\System\DxdYXzy.exe
  2⤵
  PID:15116
- C:\Windows\System\rdixTfD.exe
  C:\Windows\System\rdixTfD.exe
  2⤵
  PID:14864
- C:\Windows\System\DoPnReM.exe
  C:\Windows\System\DoPnReM.exe
  2⤵
  PID:15028
- C:\Windows\System\LrPYUFs.exe
  C:\Windows\System\LrPYUFs.exe
  2⤵
  PID:4132
- C:\Windows\System\YEfnqBi.exe
  C:\Windows\System\YEfnqBi.exe
  2⤵
  PID:13964
- C:\Windows\System\wTjkZqh.exe
  C:\Windows\System\wTjkZqh.exe
  2⤵
  PID:3892
- C:\Windows\System\GQPcTjk.exe
  C:\Windows\System\GQPcTjk.exe
  2⤵
  PID:4868
- C:\Windows\System\nnrmBMQ.exe
  C:\Windows\System\nnrmBMQ.exe
  2⤵
  PID:5220
- C:\Windows\System\HyPIKVm.exe
  C:\Windows\System\HyPIKVm.exe
  2⤵
  PID:15252
- C:\Windows\System\LfWGoEJ.exe
  C:\Windows\System\LfWGoEJ.exe
  2⤵
  PID:13784
- C:\Windows\System\nUUeBlU.exe
  C:\Windows\System\nUUeBlU.exe
  2⤵
  PID:3020
- C:\Windows\System\UsfGcaj.exe
  C:\Windows\System\UsfGcaj.exe
  2⤵
  PID:13952
- C:\Windows\System\XQsKkOE.exe
  C:\Windows\System\XQsKkOE.exe
  2⤵
  PID:3276
- C:\Windows\System\oNkLjqi.exe
  C:\Windows\System\oNkLjqi.exe
  2⤵
  PID:13704
- C:\Windows\System\MsyOSso.exe
  C:\Windows\System\MsyOSso.exe
  2⤵
  PID:952
- C:\Windows\System\yIrsrYa.exe
  C:\Windows\System\yIrsrYa.exe
  2⤵
  PID:14392
- C:\Windows\System\pHBlkFS.exe
  C:\Windows\System\pHBlkFS.exe
  2⤵
  PID:14568
- C:\Windows\System\PAVUpwr.exe
  C:\Windows\System\PAVUpwr.exe
  2⤵
  PID:15100
- C:\Windows\System\OZhbPlw.exe
  C:\Windows\System\OZhbPlw.exe
  2⤵
  PID:432
- C:\Windows\System\WOSgPJv.exe
  C:\Windows\System\WOSgPJv.exe
  2⤵
  PID:15240
- C:\Windows\System\OuiJMkO.exe
  C:\Windows\System\OuiJMkO.exe
  2⤵
  PID:15316
- C:\Windows\System\DUBBdvv.exe
  C:\Windows\System\DUBBdvv.exe
  2⤵
  PID:5228
- C:\Windows\System\RoPICtj.exe
  C:\Windows\System\RoPICtj.exe
  2⤵
  PID:13632
- C:\Windows\System\HIuicDp.exe
  C:\Windows\System\HIuicDp.exe
  2⤵
  PID:4724
- C:\Windows\System\ABCvVye.exe
  C:\Windows\System\ABCvVye.exe
  2⤵
  PID:3108
- C:\Windows\System\xfUJPeY.exe
  C:\Windows\System\xfUJPeY.exe
  2⤵
  PID:14368
- C:\Windows\System\MPKBJQP.exe
  C:\Windows\System\MPKBJQP.exe
  2⤵
  PID:14716
- C:\Windows\System\bsimJUW.exe
  C:\Windows\System\bsimJUW.exe
  2⤵
  PID:13728
- C:\Windows\System\AjojLkv.exe
  C:\Windows\System\AjojLkv.exe
  2⤵
  PID:12496
- C:\Windows\System\vddGePI.exe
  C:\Windows\System\vddGePI.exe
  2⤵
  PID:14124
- C:\Windows\System\gLLEVlF.exe
  C:\Windows\System\gLLEVlF.exe
  2⤵
  PID:2876
- C:\Windows\System\lsINSqc.exe
  C:\Windows\System\lsINSqc.exe
  2⤵
  PID:1672
- C:\Windows\System\qQFxVHX.exe
  C:\Windows\System\qQFxVHX.exe
  2⤵
  PID:14604
- C:\Windows\System\OPPLgOl.exe
  C:\Windows\System\OPPLgOl.exe
  2⤵
  PID:13864
- C:\Windows\System\dOTlvXs.exe
  C:\Windows\System\dOTlvXs.exe
  2⤵
  PID:15256
- C:\Windows\System\tnDfPcZ.exe
  C:\Windows\System\tnDfPcZ.exe
  2⤵
  PID:1624
- C:\Windows\System\aUVGNrP.exe
  C:\Windows\System\aUVGNrP.exe
  2⤵
  PID:436
- C:\Windows\System\jVZzyMr.exe
  C:\Windows\System\jVZzyMr.exe
  2⤵
  PID:3656
- C:\Windows\System\vBVqrGf.exe
  C:\Windows\System\vBVqrGf.exe
  2⤵
  PID:3400
- C:\Windows\System\sbvdMJA.exe
  C:\Windows\System\sbvdMJA.exe
  2⤵
  PID:4208
- C:\Windows\System\dfmQSLG.exe
  C:\Windows\System\dfmQSLG.exe
  2⤵
  PID:11324
- C:\Windows\System\ULIWuis.exe
  C:\Windows\System\ULIWuis.exe
  2⤵
  PID:14136
- C:\Windows\System\uGkqNUt.exe
  C:\Windows\System\uGkqNUt.exe
  2⤵
  PID:14932
- C:\Windows\System\sPgjIeQ.exe
  C:\Windows\System\sPgjIeQ.exe
  2⤵
  PID:14896
- C:\Windows\System\pcUbjuG.exe
  C:\Windows\System\pcUbjuG.exe
  2⤵
  PID:5196
- C:\Windows\System\xvkPbgw.exe
  C:\Windows\System\xvkPbgw.exe
  2⤵
  PID:5296
- C:\Windows\System\JaEoSQS.exe
  C:\Windows\System\JaEoSQS.exe
  2⤵
  PID:5028
- C:\Windows\System\ClRdOMF.exe
  C:\Windows\System\ClRdOMF.exe
  2⤵
  PID:5284
- C:\Windows\System\rzULfCV.exe
  C:\Windows\System\rzULfCV.exe
  2⤵
  PID:13676
- C:\Windows\System\kuwOWaD.exe
  C:\Windows\System\kuwOWaD.exe
  2⤵
  PID:14128
- C:\Windows\System\bbdfSSe.exe
  C:\Windows\System\bbdfSSe.exe
  2⤵
  PID:5276
- C:\Windows\System\qklgBXl.exe
  C:\Windows\System\qklgBXl.exe
  2⤵
  PID:1936
- C:\Windows\System\mXiOeHi.exe
  C:\Windows\System\mXiOeHi.exe
  2⤵
  PID:15372
- C:\Windows\System\CyJnIGy.exe
  C:\Windows\System\CyJnIGy.exe
  2⤵
  PID:15404
- C:\Windows\System\CvBsgye.exe
  C:\Windows\System\CvBsgye.exe
  2⤵
  PID:15428
- C:\Windows\System\fdcmwpG.exe
  C:\Windows\System\fdcmwpG.exe
  2⤵
  PID:15464
- C:\Windows\System\SaSMrpf.exe
  C:\Windows\System\SaSMrpf.exe
  2⤵
  PID:15504
- C:\Windows\System\BChTdiq.exe
  C:\Windows\System\BChTdiq.exe
  2⤵
  PID:15544
- C:\Windows\System\wUmSsOs.exe
  C:\Windows\System\wUmSsOs.exe
  2⤵
  PID:15580
- C:\Windows\System\RBSjckZ.exe
  C:\Windows\System\RBSjckZ.exe
  2⤵
  PID:15604
- C:\Windows\System\INcNZbk.exe
  C:\Windows\System\INcNZbk.exe
  2⤵
  PID:15636
- C:\Windows\System\UJjlnHD.exe
  C:\Windows\System\UJjlnHD.exe
  2⤵
  PID:15656

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\Agwbafx.exe

Filesize
5.2MB

MD5
37a47a76f984632430b4c69e2f90c6e3

SHA1
f1f66a86db8451d335d155943a5a030b90d4574d

SHA256
26cff5867f567a8994f533ad5cc34a5f4cb625a10ffcaae1eb859e3a292de46e

SHA512
7c24545a682dd8cf3924e6bd027878e08f51371e70b28a78f2ef4e6e10027822fec09dd4d38cc89e8abb3a286b96e286b6d0b5bf71692acf280951baa4b146ad

Download Submit
C:\Windows\System\BEJHRbx.exe

Filesize
5.2MB

MD5
e8fe6c47e000fe73628b4a4c2daef3e9

SHA1
818c8e3419149ccba34ffb0ba717f24fb09b50db

SHA256
6491125301403c81953c2d6345f30242a73088fb6aca3166c1952daf806c2c56

SHA512
f8595817838cfacdb930803f8692b258a49dc06b2b5c221eaec8b59bc46dea34c52665c5d8790e24e7166d1fddff5971080ed844861e5424f7f158992b4519de

Download Submit
C:\Windows\System\ENBDCzI.exe

Filesize
5.2MB

MD5
156a1da404bedb9fcd92358fe47e19ad

SHA1
2c702cbaf09ee4df5b04966bbab97ec3fa1b19da

SHA256
14e0fcc07526ab32933ad29b7844fc6b20c7ffce26fc41028e1153db93308bb2

SHA512
be1bcd77b44685fa33a05dbbb2579f28fb670b37dac0d82d6a9665ba00e22f7b39144ad64a75c75ede176903041ac7b2cbe45fb3eaa9f5f99c93930b6fcdd1c7

Download Submit
C:\Windows\System\HnKyTRA.exe

Filesize
5.2MB

MD5
7c921d2ec6cf28ee2c875f95f1793a1f

SHA1
226402fd262cf5a6a22142c821f927f05a28e742

SHA256
186ed2000263340f5e5a6f4e208d0574cc9bb01801b82c69223df192cf131224

SHA512
5c9653e732e60cdac06f735a9c09a9a25c9079a0def9756ed8d0649870beba4fd70cd2f4821a671b57ec1fcb004591038031e367f6df069f0c9de56748ad9c7d

Download Submit
C:\Windows\System\JjPwubF.exe

Filesize
5.2MB

MD5
88ed1598a4df3334495bf7553bb819d6

SHA1
ec0e38936b8772bec015b9158b95c6ab297a5656

SHA256
bec91df5360dbdefca0655f4bc044ca2f0ed616d1e5f4678358e636536c7d6d9

SHA512
d712e91a7a4be38a4add513529f900f8b1c480fd37875c7380f79f2dcb29929ed05292131a92019ff93738cb6f331ff78e97a8f9c71c6f5a4a6b257a6cfba407

Download Submit
C:\Windows\System\MpUbSlp.exe

Filesize
5.2MB

MD5
56cb32b137a2e6afb23f94f84e97351d

SHA1
383739637383241d3f22c14bc7965cd414f6992b

SHA256
1804196293655afe8760e9e20c25bb95bad5950ca1153b09407b8796e962d5d4

SHA512
bfdaf29e5802843bffeb10009d94376b68e83224e7d8f6af133c966b5c948bfd030bbd0309a3a3d5d617f7e2c2c4f2fce285290a504ad204f36e7a11f39f574f

Download Submit
C:\Windows\System\MpniAZZ.exe

Filesize
5.2MB

MD5
49d7cfa5af9bb97400bd51dee87abbf6

SHA1
358b3e28a9300cf79ba9bc856f33551cd50ad9ad

SHA256
c63c2f304a61a98d54d007dcdc1a9f844be47f1a5e928682e9c6cfff45a67c5d

SHA512
68935c8a6d289d4f77819a60b31003ba592369ae5c467cc78c6f322f4e0b6304e0fa8b3896946a77ba0811cbda26f63f770a3eb65f0f7327448e21cc48a25c4c

Download Submit
C:\Windows\System\NgIZshn.exe

Filesize
5.2MB

MD5
a2a496a34bac4a4be4efe9b2d6cb5486

SHA1
dc31feac26e6dd5feec1aa7c0c8a966fa85ff1a9

SHA256
30c2852d206b4ca0c738105539f4195bd6924c65d26cc1ccdd567dbbe0faf2cf

SHA512
a14b0bf1b1de39b0d0c18c98b98cff0dbac621e1326ab3c9a40bc44e5c8e10daca8dd0f59b07a262f5c3974c37e847a310bc58a59082434d95db60829aa67381

Download Submit
C:\Windows\System\OazcFFp.exe

Filesize
5.2MB

MD5
6f5681817f4f13ec578a7a0eddd72b4d

SHA1
4d63ab7d1e5a15aef8fef612fa8c7ac8217e37f3

SHA256
8a09bbedc2b3ff3f099d1bc8bc8e9f06a643acfbe925b384c9b9aafedbbe054b

SHA512
6dbd07e9de6c142805b2a853ae7a5d5e80725e15a57632cf74a2bcd83e7e63037a7058df83b73bc35072707e1185488dfc48b3be42b1bf615ecf72dcf77c5f42

Download Submit
C:\Windows\System\OfdYZdd.exe

Filesize
5.2MB

MD5
32320cd04d1e9e47c958f6a54bb06206

SHA1
235677da47451fdba019c91a8787143e48c2fb70

SHA256
83239be9025021f51b5bf2aa67ac8229359f83dedf30d7a3cc2426f7ad00adc0

SHA512
810a4ec213564df3e5c8d9505720fffca059b1eb20d16ee129fec9a492a28f347f54ea3d96f336ee236c2c0870bb5b4ea14965795ae2f321a243a73fcdcacd0b

Download Submit
C:\Windows\System\RBWRuzz.exe

Filesize
5.2MB

MD5
24c012c16f3acdf3e1ca3b63058afcea

SHA1
9c6649ef027b80093fec012d89f1f4b9f2eafd2e

SHA256
bf332d6fd6845ce5483ef634b463f11094ce0f6ee32d6899b8a05795e2b60f95

SHA512
1d700eeef25016e2f58dbb3d26c8b9583c7eddef575add860ebb8877d27e525ff39643fb5bdc0b20cc2d39236d2d76862a9a4e4bdf97163c2b4ad47d13744807

Download Submit
C:\Windows\System\TiFfRGr.exe

Filesize
5.2MB

MD5
a050ee49786547af0a7f43abba19d6fd

SHA1
3b746432cfb43ef07c564d6261eedbf5e6605211

SHA256
8aba8247afca5e0a3f1b29fb05c5455d0c47ae4c3a69f85303e2fe506ba24e33

SHA512
dce87b825018d258c00f115a743a5121852b5e245daad707b8f8ee3fc044c378af5c8377e3975ac891633b0b362c06300633767d0b717e24e1c497ef71b9bb75

Download Submit
C:\Windows\System\WrkSXne.exe

Filesize
5.2MB

MD5
b37e8474cb3c7b1a76d740c1ede99377

SHA1
a67c2c4bf2afef6d526480731c4e9e36fc1e8bac

SHA256
1c2cfb19a8778684a12d85b9e5e89fae1e27bfd0bac4faf699de8f92a970907c

SHA512
e575fc504146ac9299aa27458d66bf929e7192d659233c032789a5fd1c4f32c8df9c5bc8733d0e5ee1be8d7495fefcbce390f181cda758fe1fd331059b63926a

Download Submit
C:\Windows\System\XgdTsIF.exe

Filesize
5.2MB

MD5
481eadad0d753f4beac56076e7e5b9ee

SHA1
d54c3ee45943c651fc90410690970dd6b1dc82ee

SHA256
6dd635b8f711bacb3cdd015437f0b2bfb794b09c85cb12fe0c0c15731f1909b1

SHA512
88604ad786c9d137a4b879e24d8b90c003f48a4c724678a2dd6146aa9eb511f09a5ca287283b1ad67af5bf434d95a59255d45d628b30afc0ce842d8892cbe22c

Download Submit
C:\Windows\System\YWBihJo.exe

Filesize
5.2MB

MD5
80db487374bf777bd32a51d98ce2c7f9

SHA1
381e1de9f708806462e5cca1e294022d15660179

SHA256
2c740076e354bc30f960022b2b0ce763147b82d132907bb2eaf4a0918cbb8250

SHA512
cabd9d046dffc31fe3039b2b87589991bee284c57d5bc5e50fbbfae749422dd9f9b481a5a6175fb34f58243d21881bd18f838717a71098a2fd7bf10e07477f40

Download Submit
C:\Windows\System\YqWhgOD.exe

Filesize
5.2MB

MD5
d46ca946e21eac819fdd5de2dba83c86

SHA1
00fad7bc83aa49360d6b57f735df50669b49e356

SHA256
a54b972d5d9256e5e60fb5f670b34467813e660dbf07dc46996e0c98d059ed86

SHA512
916073a18c2913d4b9f8c5715948ae8d6a826e2166f0b1d4dd0b629ab316508a8ec2e60a18dce2d90fb18692e1ba73c73ad5c5c81e596b497be8c1ce8ecf495e

Download Submit
C:\Windows\System\ZyttAsg.exe

Filesize
5.2MB

MD5
43f2590194f27fd079975e6e230e9bd6

SHA1
587379eaeec27112ae8b969c22b9bd6daf56678f

SHA256
de2c3091e3acb95d4c744d2b2b9f7dc2a9eebf0c9b2bd413861cbf81d364463c

SHA512
924194b3a025c9ced8ef8d0cc01a89230f65d353b2fa07f87751775e9fa74f1c9a66ac5c75af8bc4b49255066fe09fe98d449412d9fbaa1536f6cef4f7602794

Download Submit
C:\Windows\System\aRNiwPo.exe

Filesize
5.2MB

MD5
5df9bc7df463fbe07e2738552657919e

SHA1
d9e13ba9e5cccdd2f8b1d8fea2103b81eacd689f

SHA256
5a5c72049ae2b56dd30c8a11abcfd5af8a2cc3f71c3885dd06b817f6fb0a6764

SHA512
2299a41dec48be2a201a428b5a1e6c2414b8b66b66df7d8e99e9d544e0026c8db13bac8ee827e4dad19edcd18931bf3a243778175d4b988b0525755ae2486b4d

Download Submit
C:\Windows\System\cyrCuCg.exe

Filesize
5.2MB

MD5
e179b45b93cc502bf0fd771ab69435ce

SHA1
f53e38c7cb8416dc6396171d80d3e088b331d179

SHA256
0038d073ccb6849e9f7a4a82ef0f53ac362af13df6fe6a9f4b126e243eb58ec8

SHA512
ad3d6e1696c087b528dc0c8ade00feb9daadabf882816cce5becf841c243d07cb7f23506d75bdf978916de4905d938689420bd4d3cb167e03d57c981dcc20352

Download Submit
C:\Windows\System\dccseNe.exe

Filesize
5.2MB

MD5
e95a2378240f2461e09fd584ac96b563

SHA1
c0234ded45fa5749340e8af166d15888b12c3807

SHA256
b846aa051e363bc8af71c506337ffdb1c326a7e32f79d52425a0bf85e4b3f862

SHA512
bb7fdca592ae1f696fd85490c5b09baeb6d14cd3f6dda31738287e5e504c558a5417e9dbadcea350835b918309668451844905ca74570a31ec0d19fe6d1c0860

Download Submit
C:\Windows\System\gaaifUO.exe

Filesize
5.2MB

MD5
615e65a569921fa38467bedfd51470a9

SHA1
3cf4c104247e7d93247056f72cc7e89033f782f2

SHA256
356053f0246fd5f6c9d7ce7073fa02037489a3a7d82ab0d28b2a299b365984a3

SHA512
112ee3b21a0d68ab177f9bd66c47256132252d0c45f6cde7b9c7931e2b7b164ba0ec84f5eeec759ecb736c476f445b8818255f413fc9a9e55be869a2eb434003

Download Submit
C:\Windows\System\hpvBFgw.exe

Filesize
5.2MB

MD5
fcfdead2ef183ff58a74fe49afe3987b

SHA1
a4836dc04d3f086620858ea74ef94cbb670c4132

SHA256
2a9f7bf473692ddcb47464e4815c8b9cc5a8e773c8e22444d0fb3f64ab3873f1

SHA512
2c448b5965eabb6311d7c18dc7d11d055b799fd5bef9f43e099fbdea4258d322bbf5aa73caece78736b7d9e0fee55cd3bf5d22ad15c0f40f599253adb69320bc

Download Submit
C:\Windows\System\jhKOoiv.exe

Filesize
5.2MB

MD5
00f6d7f32a7eca9bd1fb33f2d3713d63

SHA1
ff44254d5a894fa3507be739fa862820f34c8dc5

SHA256
bd3c4bcf87e271e4503e2b61f63d3b5e6e118a0998fa94ed97a00e8bfaad0b3d

SHA512
6a0d1722efd5a6593aed792b0e678589cc3a3553aeba9a4c410170a4e4ce1255b6df2bcc69ec64eb104efa43d6e4888b19878cd10b0340d58f9f4e888298be69

Download Submit
C:\Windows\System\kDBHjOg.exe

Filesize
5.2MB

MD5
cd7d2b7da41501be6fd378af89965ebe

SHA1
b69ab013793e2d5f802343149164bea1456fb55c

SHA256
2936da0cf6ffe5b7bd328eded03d78aec303bf36cdba707ca5e57ab110ef3140

SHA512
d560116646602c2112916b5761784c51dea0e1ce65eeb2cd10f565ca7f7204acab9ccefed68fc711d04ac7c0db97112935cd93f5dee1987814c16a6930b356af

Download Submit
C:\Windows\System\kUdrVaJ.exe

Filesize
5.2MB

MD5
24ee9172cfe4eb0bc79872c77250d8c7

SHA1
5bc287ebb975fe5e13278051f27be19e1f999905

SHA256
80226ecfb9bb8e7fc56c43eb8774f2c37f79673472c9501b164e166fb755dac8

SHA512
93c5e8826964112bc64230a0a22d9fccf5922f977823697c17c493e55937ed6fcc2468ce7bb22cdfdfb17f447da9fcb4364148109a7921586d12c27eee595889

Download Submit
C:\Windows\System\mHbzNkR.exe

Filesize
5.2MB

MD5
948304a5a3721f90fbcc6fd93c5f3674

SHA1
fc1ba229f6b3976ad4b3b4ba758ef8db5c6e89b7

SHA256
d2266d191a5f0c8757e09acd6510838000983792913151c7162c51f416f2ca3e

SHA512
06bdf9518cf6f2858b7ac73e498e7df4d226890fa4c65d4936b28c2ca5d64f4d8a0bc59c9fff0ed48c6da2a301ec628ac49799b3b4f29c2f476c42bf70905e44

Download Submit
C:\Windows\System\nWiFESv.exe

Filesize
5.2MB

MD5
5cb42127416476d10d4763a9138f9ce1

SHA1
5b91d6865f52552cd9e49beaf7386a23c58bd0bf

SHA256
eca3da8d4e2ef6a94085a4e5e9a84985917df30567016de41da17a44501e8394

SHA512
212a74024a7771b6e67a8411ed3199c4d1da0173108cde039354f1b09ffb8adb9126b2729cb35eed4a1a5287292af963068e2224ab78a85faf8d5a8e6e5f4d87

Download Submit
C:\Windows\System\ngkYjno.exe

Filesize
5.2MB

MD5
cdfe649ddd820a3461febf57a97e7c3e

SHA1
498dc945da108a149a9518cc2e70fc3bbe731cec

SHA256
c55303fae0e4bee8f0dfa9e1c0c84b002e1c19182d4dc3380c98b5b2ac97a217

SHA512
4db465fd833f1b421f04457dee5cc0d05cdd539ebe0749de4172a6df55349b9b2e04795d2a9a40ffef4c0666551a79727bde2eaf1194f67806f4cd25da0aea34

Download Submit
C:\Windows\System\nzvUNlO.exe

Filesize
5.2MB

MD5
03571debd9bc7a409af40ee95dca16e2

SHA1
1d7734802910d3da83125af381de039320b23125

SHA256
7def6c88c3f990478956337d44afe32bf4c161f637936656ceff9d3764db504a

SHA512
291708b359a584619e82cc0a28f1f40a9e1aedf99154bc6a7f51e74c407641073c1388b5b4182b3af3639a869c6477b974dc3ba768a53bd8631dc3aebbc050a9

Download Submit
C:\Windows\System\pNpYLkV.exe

Filesize
5.2MB

MD5
e93b96fcceea3bd263a637c134d867b3

SHA1
8680b218c69a46bf54130d01287a934bdc64ce2e

SHA256
6658a8df0a0490b5eb73b298aa96b2819934326a487fd9f24734408a230feb5b

SHA512
46bfd8cdc0f5f22cf3e97172486ab944bc9c3ba760d767763e0bafe9bbd6972b1d5d6e248132429cf867aa12789d539aac6c26da9235c245c826aa6c35eeb895

Download Submit
C:\Windows\System\rRoJbop.exe

Filesize
5.2MB

MD5
e57898fe0ff066968e0bd23c7d33c44e

SHA1
e4e7eb27b723d4867c2d73ec44a68ff28e6c3233

SHA256
fcb39f8b92f405075cbd97f470e56ff7f3d8b68b55eccf58ad60b42205a48e7f

SHA512
97958877d837c3658f7ec9b1eec00fd1c1e3335555ab524415581f87633b71670e0a8816c61904d5b5d891441bb500438cfc2e4d2ded5c3ff82f139cf998284f

Download Submit
C:\Windows\System\rWFcepb.exe

Filesize
5.2MB

MD5
bfa82b2fc1ae86cd39395b87b7c17930

SHA1
77264d27b48ca95841cab96ecba612bb5cb36178

SHA256
48719ae5e77b589235c5670272519426284e6d8057ad4d1bec4b78a5eb6be29e

SHA512
0dc12f882eb05844edafc208c171c68ac10483676b2a263e261f612e6718c81a9ef2906cf00154062b0bb11d2cd5b1cebbb0b533e02a13e4662efcaf5cfd03d8

Download Submit
C:\Windows\System\rzezrpR.exe

Filesize
5.2MB

MD5
6152ad28ea7d9c7a601e7230a224eb69

SHA1
03da6128d0e18ce8aa73ee827ad3dc0d5db771f9

SHA256
852f3eb06db1405ea5735f676e6f8a3beea52b31f094044c74af23c0b8c1f5aa

SHA512
48b7228a4342b8dfe2093087283702121453d562cac5ff10f0ca7b5140ad4a4b6b7b923fa823704a23f6c601bed2d816cd1dd7e14fa248f8c8eaa24510fb67d5

Download Submit
C:\Windows\System\uNMquqJ.exe

Filesize
5.2MB

MD5
5aac57322b4aabfa7ced9b38c308ece9

SHA1
136b675b9f7376ab06ead198797af18b33120d2e

SHA256
db13889dd6181e8f4c3fafed5c01b276e4950ec512e1a70b8fcc901c23f4b095

SHA512
f1142499f22e877fe9b09ea8c0e71a893e30582ebf404dcfb77a287c1142a6472717bb4c894d367b39970378a29303b16cd6e717e9d71006765de6ddc206c457

Download Submit
C:\Windows\System\ulUhRgA.exe

Filesize
5.2MB

MD5
f613ffca5e01e0032d0fc0b1001247bd

SHA1
18a27301e51340baeccd3cbe520917dd8117098f

SHA256
b1d47bc35e09c6274c00e4ae9db75002315ec1becbe49d0bdf094a041f904f82

SHA512
0495762442658060db572dac4dd5b92a94720efce829352804cf610c3780510c47ba00cf39cabec0dd2c9e95691fc0ef66f27eb86f66e6600f4861fec8a44d66

Download Submit
C:\Windows\System\wjWcRfS.exe

Filesize
5.2MB

MD5
c594b133f99d8569a4f8720e0f704af6

SHA1
57ef104bee23cf7f0b269c28c2952beb178807f5

SHA256
ae91a74de27ce869ad249979483b13f2d86fb1869ef1c381c01396d2b64f76cf

SHA512
ebc6f654f643384ac15e72c9bdd74694772654099417b2c81732146e33d48c46713b1c46d622a31a5b29e686bad1be131e53ddf3ab158a8b3e5f583533bab461

Download Submit
C:\Windows\System\zpgLAcc.exe

Filesize
5.2MB

MD5
acdb48afc6cc830987530d6f418e2263

SHA1
aaa2902fa93d17ffb7c5231fa42c5bc651b6196a

SHA256
39431cea57020e563d1a1b4bea709dd5760761d4223de3a08beb8ee89dcfeacf

SHA512
07c3eda2cd201fe6f5816c2b8c193502a26d88d9844167d81060f6a02197ce1fbba147c97b995089077cc2e76451f411491a3e588daf08df90a5dcd40a8d5998

Download Submit
memory/320-59-0x00007FF648540000-0x00007FF648891000-memory.dmp

Filesize
3.3MB

Download
memory/320-1972-0x00007FF648540000-0x00007FF648891000-memory.dmp

Filesize
3.3MB

Download
memory/320-543-0x00007FF648540000-0x00007FF648891000-memory.dmp

Filesize
3.3MB

Download
memory/696-1939-0x00007FF6823E0000-0x00007FF682731000-memory.dmp

Filesize
3.3MB

Download
memory/696-39-0x00007FF6823E0000-0x00007FF682731000-memory.dmp

Filesize
3.3MB

Download
memory/696-419-0x00007FF6823E0000-0x00007FF682731000-memory.dmp

Filesize
3.3MB

Download
memory/888-270-0x00007FF60CE60000-0x00007FF60D1B1000-memory.dmp

Filesize
3.3MB

Download
memory/888-37-0x00007FF60CE60000-0x00007FF60D1B1000-memory.dmp

Filesize
3.3MB

Download
memory/888-1881-0x00007FF60CE60000-0x00007FF60D1B1000-memory.dmp

Filesize
3.3MB

Download
memory/1088-1969-0x00007FF79C8D0000-0x00007FF79CC21000-memory.dmp

Filesize
3.3MB

Download
memory/1088-87-0x00007FF79C8D0000-0x00007FF79CC21000-memory.dmp

Filesize
3.3MB

Download
memory/1108-174-0x00007FF73AFC0000-0x00007FF73B311000-memory.dmp

Filesize
3.3MB

Download
memory/1108-13-0x00007FF73AFC0000-0x00007FF73B311000-memory.dmp

Filesize
3.3MB

Download
memory/1108-1838-0x00007FF73AFC0000-0x00007FF73B311000-memory.dmp

Filesize
3.3MB

Download
memory/1332-49-0x00007FF6D3C20000-0x00007FF6D3F71000-memory.dmp

Filesize
3.3MB

Download
memory/1332-1941-0x00007FF6D3C20000-0x00007FF6D3F71000-memory.dmp

Filesize
3.3MB

Download
memory/1332-423-0x00007FF6D3C20000-0x00007FF6D3F71000-memory.dmp

Filesize
3.3MB

Download
memory/1408-988-0x00007FF717FE0000-0x00007FF718331000-memory.dmp

Filesize
3.3MB

Download
memory/1408-2149-0x00007FF717FE0000-0x00007FF718331000-memory.dmp

Filesize
3.3MB

Download
memory/1408-187-0x00007FF717FE0000-0x00007FF718331000-memory.dmp

Filesize
3.3MB

Download
memory/1520-74-0x00007FF710520000-0x00007FF710871000-memory.dmp

Filesize
3.3MB

Download
memory/1520-1993-0x00007FF710520000-0x00007FF710871000-memory.dmp

Filesize
3.3MB

Download
memory/1520-443-0x00007FF710520000-0x00007FF710871000-memory.dmp

Filesize
3.3MB

Download
memory/1656-678-0x00007FF7E9C20000-0x00007FF7E9F71000-memory.dmp

Filesize
3.3MB

Download
memory/1656-123-0x00007FF7E9C20000-0x00007FF7E9F71000-memory.dmp

Filesize
3.3MB

Download
memory/1656-2040-0x00007FF7E9C20000-0x00007FF7E9F71000-memory.dmp

Filesize
3.3MB

Download
memory/1688-151-0x00007FF7B9F20000-0x00007FF7BA271000-memory.dmp

Filesize
3.3MB

Download
memory/1688-2082-0x00007FF7B9F20000-0x00007FF7BA271000-memory.dmp

Filesize
3.3MB

Download
memory/1844-149-0x00007FF7BD900000-0x00007FF7BDC51000-memory.dmp

Filesize
3.3MB

Download
memory/1844-2092-0x00007FF7BD900000-0x00007FF7BDC51000-memory.dmp

Filesize
3.3MB

Download
memory/1940-199-0x00007FF63F4F0000-0x00007FF63F841000-memory.dmp

Filesize
3.3MB

Download
memory/1940-2165-0x00007FF63F4F0000-0x00007FF63F841000-memory.dmp

Filesize
3.3MB

Download
memory/1940-991-0x00007FF63F4F0000-0x00007FF63F841000-memory.dmp

Filesize
3.3MB

Download
memory/2420-80-0x00007FF7FCA90000-0x00007FF7FCDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-1945-0x00007FF7FCA90000-0x00007FF7FCDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2460-2121-0x00007FF765400000-0x00007FF765751000-memory.dmp

Filesize
3.3MB

Download
memory/2460-743-0x00007FF765400000-0x00007FF765751000-memory.dmp

Filesize
3.3MB

Download
memory/2460-131-0x00007FF765400000-0x00007FF765751000-memory.dmp

Filesize
3.3MB

Download
memory/2472-1876-0x00007FF648100000-0x00007FF648451000-memory.dmp

Filesize
3.3MB

Download
memory/2472-269-0x00007FF648100000-0x00007FF648451000-memory.dmp

Filesize
3.3MB

Download
memory/2472-26-0x00007FF648100000-0x00007FF648451000-memory.dmp

Filesize
3.3MB

Download
memory/2484-211-0x00007FF6EA4E0000-0x00007FF6EA831000-memory.dmp

Filesize
3.3MB

Download
memory/2484-19-0x00007FF6EA4E0000-0x00007FF6EA831000-memory.dmp

Filesize
3.3MB

Download
memory/2484-1861-0x00007FF6EA4E0000-0x00007FF6EA831000-memory.dmp

Filesize
3.3MB

Download
memory/2636-1935-0x00007FF7333E0000-0x00007FF733731000-memory.dmp

Filesize
3.3MB

Download
memory/2636-75-0x00007FF7333E0000-0x00007FF733731000-memory.dmp

Filesize
3.3MB

Download
memory/2740-2080-0x00007FF767830000-0x00007FF767B81000-memory.dmp

Filesize
3.3MB

Download
memory/2740-138-0x00007FF767830000-0x00007FF767B81000-memory.dmp

Filesize
3.3MB

Download
memory/2772-47-0x00007FF6307B0000-0x00007FF630B01000-memory.dmp

Filesize
3.3MB

Download
memory/2772-1910-0x00007FF6307B0000-0x00007FF630B01000-memory.dmp

Filesize
3.3MB

Download
memory/2772-420-0x00007FF6307B0000-0x00007FF630B01000-memory.dmp

Filesize
3.3MB

Download
memory/2940-677-0x00007FF7D7DC0000-0x00007FF7D8111000-memory.dmp

Filesize
3.3MB

Download
memory/2940-90-0x00007FF7D7DC0000-0x00007FF7D8111000-memory.dmp

Filesize
3.3MB

Download
memory/2940-1985-0x00007FF7D7DC0000-0x00007FF7D8111000-memory.dmp

Filesize
3.3MB

Download
memory/3124-167-0x00007FF6B8DF0000-0x00007FF6B9141000-memory.dmp

Filesize
3.3MB

Download
memory/3124-0-0x00007FF6B8DF0000-0x00007FF6B9141000-memory.dmp

Filesize
3.3MB

Download
memory/3124-1-0x00000267ABCD0000-0x00000267ABCE0000-memory.dmp

Filesize
64KB

Download
memory/3320-746-0x00007FF73D1A0000-0x00007FF73D4F1000-memory.dmp

Filesize
3.3MB

Download
memory/3320-2078-0x00007FF73D1A0000-0x00007FF73D4F1000-memory.dmp

Filesize
3.3MB

Download
memory/3320-145-0x00007FF73D1A0000-0x00007FF73D4F1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-150-0x00007FF7AEE90000-0x00007FF7AF1E1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-2079-0x00007FF7AEE90000-0x00007FF7AF1E1000-memory.dmp

Filesize
3.3MB

Download
memory/3528-130-0x00007FF6D2400000-0x00007FF6D2751000-memory.dmp

Filesize
3.3MB

Download
memory/3528-2063-0x00007FF6D2400000-0x00007FF6D2751000-memory.dmp

Filesize
3.3MB

Download
memory/3876-2081-0x00007FF71F690000-0x00007FF71F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/3876-681-0x00007FF71F690000-0x00007FF71F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/3876-137-0x00007FF71F690000-0x00007FF71F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/4268-165-0x00007FF7AC910000-0x00007FF7ACC61000-memory.dmp

Filesize
3.3MB

Download
memory/4268-818-0x00007FF7AC910000-0x00007FF7ACC61000-memory.dmp

Filesize
3.3MB

Download
memory/4268-2124-0x00007FF7AC910000-0x00007FF7ACC61000-memory.dmp

Filesize
3.3MB

Download
memory/4428-1075-0x00007FF7F76C0000-0x00007FF7F7A11000-memory.dmp

Filesize
3.3MB

Download
memory/4428-200-0x00007FF7F76C0000-0x00007FF7F7A11000-memory.dmp

Filesize
3.3MB

Download
memory/4428-2160-0x00007FF7F76C0000-0x00007FF7F7A11000-memory.dmp

Filesize
3.3MB

Download
memory/4564-1983-0x00007FF63EE60000-0x00007FF63F1B1000-memory.dmp

Filesize
3.3MB

Download
memory/4564-88-0x00007FF63EE60000-0x00007FF63F1B1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-68-0x00007FF754650000-0x00007FF7549A1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-442-0x00007FF754650000-0x00007FF7549A1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-1958-0x00007FF754650000-0x00007FF7549A1000-memory.dmp

Filesize
3.3MB

Download
memory/5108-2083-0x00007FF7EEE00000-0x00007FF7EF151000-memory.dmp

Filesize
3.3MB

Download
memory/5108-148-0x00007FF7EEE00000-0x00007FF7EF151000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads