cobaltstrike | 8a5f65aceecb8df4511c22fd8cf3a2388fa471da8c5a1f20986ae0175166b086

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
Size

6.0MB
MD5

032d6c5c9071e2de5eb622e233afc902
SHA1

0be642a2fa5c7eabee169f9aedc54d7034499fbd
SHA256

8a5f65aceecb8df4511c22fd8cf3a2388fa471da8c5a1f20986ae0175166b086
SHA512

2b1b5497dfaa848dc43d4310e317bf53c4de4e3f16c1c9c4e585a40e5a9465076e8cf3d03e0308f504b7b3bd2fa5bcd71410e5b66e137165d0e1b68d97270caa
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUH:T+q56utgpPF8u/7H

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 33 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023ffc-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241ef-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241ee-17.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241f3-37.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241f2-42.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241f5-48.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241f7-58.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241f6-60.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241f4-51.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241f1-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241f0-28.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241f8-71.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241f9-77.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241fa-85.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241fb-91.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241fc-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024201-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024200-131.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241ff-129.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241fe-116.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000241fd-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024202-139.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024204-149.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024205-154.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024203-143.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024206-164.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024207-170.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002420c-200.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002420d-203.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002420e-205.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024209-193.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024208-180.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002420a-191.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4820-0-0x00007FF708620000-0x00007FF708974000-memory.dmp	xmrig
behavioral2/files/0x000d000000023ffc-5.dat	xmrig
behavioral2/memory/412-6-0x00007FF61BE10000-0x00007FF61C164000-memory.dmp	xmrig
behavioral2/files/0x00070000000241ef-10.dat	xmrig
behavioral2/files/0x00070000000241ee-17.dat	xmrig
behavioral2/files/0x00070000000241f3-37.dat	xmrig
behavioral2/files/0x00070000000241f2-42.dat	xmrig
behavioral2/files/0x00070000000241f5-48.dat	xmrig
behavioral2/files/0x00070000000241f7-58.dat	xmrig
behavioral2/memory/4704-62-0x00007FF6BC0C0000-0x00007FF6BC414000-memory.dmp	xmrig
behavioral2/memory/1036-67-0x00007FF73FF50000-0x00007FF7402A4000-memory.dmp	xmrig
behavioral2/memory/1004-66-0x00007FF61C4B0000-0x00007FF61C804000-memory.dmp	xmrig
behavioral2/memory/5924-63-0x00007FF73D760000-0x00007FF73DAB4000-memory.dmp	xmrig
behavioral2/files/0x00070000000241f6-60.dat	xmrig
behavioral2/memory/2280-59-0x00007FF643560000-0x00007FF6438B4000-memory.dmp	xmrig
behavioral2/memory/4808-53-0x00007FF7EEC30000-0x00007FF7EEF84000-memory.dmp	xmrig
behavioral2/files/0x00070000000241f4-51.dat	xmrig
behavioral2/memory/4108-40-0x00007FF7B91B0000-0x00007FF7B9504000-memory.dmp	xmrig
behavioral2/files/0x00070000000241f1-35.dat	xmrig
behavioral2/memory/816-33-0x00007FF7EC160000-0x00007FF7EC4B4000-memory.dmp	xmrig
behavioral2/memory/5084-25-0x00007FF73ACA0000-0x00007FF73AFF4000-memory.dmp	xmrig
behavioral2/files/0x00070000000241f0-28.dat	xmrig
behavioral2/memory/4068-14-0x00007FF7F97F0000-0x00007FF7F9B44000-memory.dmp	xmrig
behavioral2/files/0x00070000000241f8-71.dat	xmrig
behavioral2/memory/5432-72-0x00007FF70EF50000-0x00007FF70F2A4000-memory.dmp	xmrig
behavioral2/files/0x00070000000241f9-77.dat	xmrig
behavioral2/memory/2372-80-0x00007FF657E50000-0x00007FF6581A4000-memory.dmp	xmrig
behavioral2/files/0x00070000000241fa-85.dat	xmrig
behavioral2/memory/1572-84-0x00007FF710B80000-0x00007FF710ED4000-memory.dmp	xmrig
behavioral2/memory/4820-87-0x00007FF708620000-0x00007FF708974000-memory.dmp	xmrig
behavioral2/files/0x00070000000241fb-91.dat	xmrig
behavioral2/memory/412-92-0x00007FF61BE10000-0x00007FF61C164000-memory.dmp	xmrig
behavioral2/files/0x00070000000241fc-100.dat	xmrig
behavioral2/memory/5592-108-0x00007FF64DA20000-0x00007FF64DD74000-memory.dmp	xmrig
behavioral2/memory/532-124-0x00007FF6407D0000-0x00007FF640B24000-memory.dmp	xmrig
behavioral2/memory/4648-125-0x00007FF6EE8B0000-0x00007FF6EEC04000-memory.dmp	xmrig
behavioral2/memory/1848-128-0x00007FF7D49D0000-0x00007FF7D4D24000-memory.dmp	xmrig
behavioral2/files/0x0007000000024201-133.dat	xmrig
behavioral2/files/0x0007000000024200-131.dat	xmrig
behavioral2/files/0x00070000000241ff-129.dat	xmrig
behavioral2/memory/5924-127-0x00007FF73D760000-0x00007FF73DAB4000-memory.dmp	xmrig
behavioral2/memory/1304-126-0x00007FF6AFA10000-0x00007FF6AFD64000-memory.dmp	xmrig
behavioral2/memory/5016-119-0x00007FF7FF6D0000-0x00007FF7FFA24000-memory.dmp	xmrig
behavioral2/files/0x00070000000241fe-116.dat	xmrig
behavioral2/files/0x00070000000241fd-113.dat	xmrig
behavioral2/memory/816-104-0x00007FF7EC160000-0x00007FF7EC4B4000-memory.dmp	xmrig
behavioral2/memory/5084-103-0x00007FF73ACA0000-0x00007FF73AFF4000-memory.dmp	xmrig
behavioral2/memory/4068-98-0x00007FF7F97F0000-0x00007FF7F9B44000-memory.dmp	xmrig
behavioral2/memory/2660-94-0x00007FF7BA750000-0x00007FF7BAAA4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024202-139.dat	xmrig
behavioral2/memory/6040-141-0x00007FF7AC780000-0x00007FF7ACAD4000-memory.dmp	xmrig
behavioral2/memory/4884-142-0x00007FF6CA260000-0x00007FF6CA5B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024204-149.dat	xmrig
behavioral2/files/0x0007000000024205-154.dat	xmrig
behavioral2/memory/5512-156-0x00007FF6D5960000-0x00007FF6D5CB4000-memory.dmp	xmrig
behavioral2/memory/1572-155-0x00007FF710B80000-0x00007FF710ED4000-memory.dmp	xmrig
behavioral2/memory/3528-152-0x00007FF7B8930000-0x00007FF7B8C84000-memory.dmp	xmrig
behavioral2/memory/2372-151-0x00007FF657E50000-0x00007FF6581A4000-memory.dmp	xmrig
behavioral2/memory/5432-148-0x00007FF70EF50000-0x00007FF70F2A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024203-143.dat	xmrig
behavioral2/memory/4324-166-0x00007FF6DB710000-0x00007FF6DBA64000-memory.dmp	xmrig
behavioral2/files/0x0007000000024206-164.dat	xmrig
behavioral2/memory/2660-165-0x00007FF7BA750000-0x00007FF7BAAA4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024207-170.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
412	xImFMMS.exe
4068	YjonRAz.exe
5084	GQInvvI.exe
816	EQMzkQl.exe
4108	VuACHuZ.exe
4808	VBldpdq.exe
1004	cSqcmwA.exe
2280	jTttskE.exe
4704	qIWaIpC.exe
1036	AUvHIui.exe
5924	naRXdDl.exe
5432	UwxdhYZ.exe
2372	vzSJZpm.exe
1572	fddFrDo.exe
2660	LDerPvr.exe
5592	iNEiJHt.exe
5016	kLAcqVz.exe
1304	FaIxSeM.exe
532	rbAIVDG.exe
1848	znKdUxQ.exe
4648	ZpnzKzJ.exe
6040	PYcuYFo.exe
4884	qKpEGiT.exe
3528	axSJUDQ.exe
5512	OJVPlLF.exe
4324	dVZUNCb.exe
5336	eIEWbMi.exe
5072	ooBIjwq.exe
2076	dbLoUlh.exe
3136	muPyjFX.exe
5168	LEIEUlb.exe
4280	LCGZxfT.exe
2848	EYUtbez.exe
2888	CWTVRaF.exe
2228	meiMXzx.exe
5680	qwYVTnp.exe
2188	BqHtYOy.exe
5704	QyLATVn.exe
1116	gfjKvNe.exe
5952	tgyOLKj.exe
5628	xfHCBBc.exe
2500	EBbNOEq.exe
5560	SQcHwUn.exe
2328	iFPWrvS.exe
5420	QnIRKXK.exe
3492	yiNxnmZ.exe
1888	OCPaUth.exe
3168	YgmKIHF.exe
5236	gQKMlPJ.exe
3712	AFojWFY.exe
4300	zaliyuX.exe
6004	TpHkdFK.exe
4376	QqPduzU.exe
6052	DWphzwO.exe
5060	kLGlASX.exe
392	sDAqDLN.exe
5004	sWUvUUv.exe
4948	waVyJiA.exe
2140	LaWXwrZ.exe
932	mvaZzPr.exe
3332	rGroxVU.exe
1152	rTUBkaO.exe
4320	KYxzJja.exe
3308	YGVrrLt.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4820-0-0x00007FF708620000-0x00007FF708974000-memory.dmp	upx
behavioral2/files/0x000d000000023ffc-5.dat	upx
behavioral2/memory/412-6-0x00007FF61BE10000-0x00007FF61C164000-memory.dmp	upx
behavioral2/files/0x00070000000241ef-10.dat	upx
behavioral2/files/0x00070000000241ee-17.dat	upx
behavioral2/files/0x00070000000241f3-37.dat	upx
behavioral2/files/0x00070000000241f2-42.dat	upx
behavioral2/files/0x00070000000241f5-48.dat	upx
behavioral2/files/0x00070000000241f7-58.dat	upx
behavioral2/memory/4704-62-0x00007FF6BC0C0000-0x00007FF6BC414000-memory.dmp	upx
behavioral2/memory/1036-67-0x00007FF73FF50000-0x00007FF7402A4000-memory.dmp	upx
behavioral2/memory/1004-66-0x00007FF61C4B0000-0x00007FF61C804000-memory.dmp	upx
behavioral2/memory/5924-63-0x00007FF73D760000-0x00007FF73DAB4000-memory.dmp	upx
behavioral2/files/0x00070000000241f6-60.dat	upx
behavioral2/memory/2280-59-0x00007FF643560000-0x00007FF6438B4000-memory.dmp	upx
behavioral2/memory/4808-53-0x00007FF7EEC30000-0x00007FF7EEF84000-memory.dmp	upx
behavioral2/files/0x00070000000241f4-51.dat	upx
behavioral2/memory/4108-40-0x00007FF7B91B0000-0x00007FF7B9504000-memory.dmp	upx
behavioral2/files/0x00070000000241f1-35.dat	upx
behavioral2/memory/816-33-0x00007FF7EC160000-0x00007FF7EC4B4000-memory.dmp	upx
behavioral2/memory/5084-25-0x00007FF73ACA0000-0x00007FF73AFF4000-memory.dmp	upx
behavioral2/files/0x00070000000241f0-28.dat	upx
behavioral2/memory/4068-14-0x00007FF7F97F0000-0x00007FF7F9B44000-memory.dmp	upx
behavioral2/files/0x00070000000241f8-71.dat	upx
behavioral2/memory/5432-72-0x00007FF70EF50000-0x00007FF70F2A4000-memory.dmp	upx
behavioral2/files/0x00070000000241f9-77.dat	upx
behavioral2/memory/2372-80-0x00007FF657E50000-0x00007FF6581A4000-memory.dmp	upx
behavioral2/files/0x00070000000241fa-85.dat	upx
behavioral2/memory/1572-84-0x00007FF710B80000-0x00007FF710ED4000-memory.dmp	upx
behavioral2/memory/4820-87-0x00007FF708620000-0x00007FF708974000-memory.dmp	upx
behavioral2/files/0x00070000000241fb-91.dat	upx
behavioral2/memory/412-92-0x00007FF61BE10000-0x00007FF61C164000-memory.dmp	upx
behavioral2/files/0x00070000000241fc-100.dat	upx
behavioral2/memory/5592-108-0x00007FF64DA20000-0x00007FF64DD74000-memory.dmp	upx
behavioral2/memory/532-124-0x00007FF6407D0000-0x00007FF640B24000-memory.dmp	upx
behavioral2/memory/4648-125-0x00007FF6EE8B0000-0x00007FF6EEC04000-memory.dmp	upx
behavioral2/memory/1848-128-0x00007FF7D49D0000-0x00007FF7D4D24000-memory.dmp	upx
behavioral2/files/0x0007000000024201-133.dat	upx
behavioral2/files/0x0007000000024200-131.dat	upx
behavioral2/files/0x00070000000241ff-129.dat	upx
behavioral2/memory/5924-127-0x00007FF73D760000-0x00007FF73DAB4000-memory.dmp	upx
behavioral2/memory/1304-126-0x00007FF6AFA10000-0x00007FF6AFD64000-memory.dmp	upx
behavioral2/memory/5016-119-0x00007FF7FF6D0000-0x00007FF7FFA24000-memory.dmp	upx
behavioral2/files/0x00070000000241fe-116.dat	upx
behavioral2/files/0x00070000000241fd-113.dat	upx
behavioral2/memory/816-104-0x00007FF7EC160000-0x00007FF7EC4B4000-memory.dmp	upx
behavioral2/memory/5084-103-0x00007FF73ACA0000-0x00007FF73AFF4000-memory.dmp	upx
behavioral2/memory/4068-98-0x00007FF7F97F0000-0x00007FF7F9B44000-memory.dmp	upx
behavioral2/memory/2660-94-0x00007FF7BA750000-0x00007FF7BAAA4000-memory.dmp	upx
behavioral2/files/0x0007000000024202-139.dat	upx
behavioral2/memory/6040-141-0x00007FF7AC780000-0x00007FF7ACAD4000-memory.dmp	upx
behavioral2/memory/4884-142-0x00007FF6CA260000-0x00007FF6CA5B4000-memory.dmp	upx
behavioral2/files/0x0007000000024204-149.dat	upx
behavioral2/files/0x0007000000024205-154.dat	upx
behavioral2/memory/5512-156-0x00007FF6D5960000-0x00007FF6D5CB4000-memory.dmp	upx
behavioral2/memory/1572-155-0x00007FF710B80000-0x00007FF710ED4000-memory.dmp	upx
behavioral2/memory/3528-152-0x00007FF7B8930000-0x00007FF7B8C84000-memory.dmp	upx
behavioral2/memory/2372-151-0x00007FF657E50000-0x00007FF6581A4000-memory.dmp	upx
behavioral2/memory/5432-148-0x00007FF70EF50000-0x00007FF70F2A4000-memory.dmp	upx
behavioral2/files/0x0007000000024203-143.dat	upx
behavioral2/memory/4324-166-0x00007FF6DB710000-0x00007FF6DBA64000-memory.dmp	upx
behavioral2/files/0x0007000000024206-164.dat	upx
behavioral2/memory/2660-165-0x00007FF7BA750000-0x00007FF7BAAA4000-memory.dmp	upx
behavioral2/files/0x0007000000024207-170.dat	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\KAPpWFZ.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\OSoYdmG.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\eBiJIDH.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\kyjReZr.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\gPeXsoX.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\xfHCBBc.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\gqBpRTK.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\uCprwpb.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\ruDCDEk.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\fIjGDSV.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\fNwJasv.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\etBtBAH.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\szCmbKf.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\DuGMyWx.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\qtkPOkH.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\WovsOAq.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\MspjbSg.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\RGVlLWW.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\JLyYCaA.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\naRXdDl.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\gQKMlPJ.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\dbBMdDt.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\EpEyVcj.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\RNUqDCg.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\FKsMBgX.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\lolQfRG.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\zCvSjUO.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\QqPduzU.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\EaQqGna.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\pHQfiCr.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\MlGLqnZ.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\JffERBN.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\XOaefhH.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\BGFRjpj.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\LUYhOwi.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\xIBfynL.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\IFhjyWB.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\LEIEUlb.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\YGVrrLt.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\HeZzwFU.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\fmoUoXY.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\xXWGFWI.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\QoFmZDM.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\acRjVLs.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\mYRPOpw.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\TKaJClz.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\ZxPgYPw.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\xAivrAw.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\TtYSsbI.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\WNObPxS.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\iJDcWLp.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\cFdyBLL.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\wHqUtMJ.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\tPCoNFQ.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\vzSJZpm.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\axSJUDQ.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\sHlgcwu.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\DhvByTc.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\NoUAmpY.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\pwqnLAz.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\kcZiWgp.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\YNokzCe.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\VcBIjDh.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
File created	C:\Windows\System\cWycfvS.exe	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	924	dwm.exe
Token: SeChangeNotifyPrivilege	924	dwm.exe
Token: 33	924	dwm.exe
Token: SeIncBasePriorityPrivilege	924	dwm.exe
Token: SeShutdownPrivilege	924	dwm.exe
Token: SeCreatePagefilePrivilege	924	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 412	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	86
PID 4820 wrote to memory of 412	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	86
PID 4820 wrote to memory of 4068	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	87
PID 4820 wrote to memory of 4068	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	87
PID 4820 wrote to memory of 5084	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	88
PID 4820 wrote to memory of 5084	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	88
PID 4820 wrote to memory of 816	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	89
PID 4820 wrote to memory of 816	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	89
PID 4820 wrote to memory of 4108	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	90
PID 4820 wrote to memory of 4108	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	90
PID 4820 wrote to memory of 4808	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	91
PID 4820 wrote to memory of 4808	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	91
PID 4820 wrote to memory of 1004	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	92
PID 4820 wrote to memory of 1004	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	92
PID 4820 wrote to memory of 2280	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	93
PID 4820 wrote to memory of 2280	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	93
PID 4820 wrote to memory of 4704	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	94
PID 4820 wrote to memory of 4704	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	94
PID 4820 wrote to memory of 1036	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	95
PID 4820 wrote to memory of 1036	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	95
PID 4820 wrote to memory of 5924	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	96
PID 4820 wrote to memory of 5924	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	96
PID 4820 wrote to memory of 5432	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	97
PID 4820 wrote to memory of 5432	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	97
PID 4820 wrote to memory of 2372	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	98
PID 4820 wrote to memory of 2372	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	98
PID 4820 wrote to memory of 1572	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	99
PID 4820 wrote to memory of 1572	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	99
PID 4820 wrote to memory of 2660	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	100
PID 4820 wrote to memory of 2660	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	100
PID 4820 wrote to memory of 5592	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	102
PID 4820 wrote to memory of 5592	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	102
PID 4820 wrote to memory of 5016	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	103
PID 4820 wrote to memory of 5016	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	103
PID 4820 wrote to memory of 1304	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	104
PID 4820 wrote to memory of 1304	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	104
PID 4820 wrote to memory of 532	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	105
PID 4820 wrote to memory of 532	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	105
PID 4820 wrote to memory of 1848	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	106
PID 4820 wrote to memory of 1848	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	106
PID 4820 wrote to memory of 4648	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	107
PID 4820 wrote to memory of 4648	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	107
PID 4820 wrote to memory of 6040	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	108
PID 4820 wrote to memory of 6040	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	108
PID 4820 wrote to memory of 4884	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	110
PID 4820 wrote to memory of 4884	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	110
PID 4820 wrote to memory of 3528	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	111
PID 4820 wrote to memory of 3528	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	111
PID 4820 wrote to memory of 5512	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	112
PID 4820 wrote to memory of 5512	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	112
PID 4820 wrote to memory of 4324	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	115
PID 4820 wrote to memory of 4324	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	115
PID 4820 wrote to memory of 5336	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	118
PID 4820 wrote to memory of 5336	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	118
PID 4820 wrote to memory of 5072	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	119
PID 4820 wrote to memory of 5072	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	119
PID 4820 wrote to memory of 2076	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	120
PID 4820 wrote to memory of 2076	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	120
PID 4820 wrote to memory of 3136	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	121
PID 4820 wrote to memory of 3136	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	121
PID 4820 wrote to memory of 5168	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	122
PID 4820 wrote to memory of 5168	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	122
PID 4820 wrote to memory of 4280	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	123
PID 4820 wrote to memory of 4280	4820	2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe	123

C:\Users\Admin\AppData\Local\Temp\2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_032d6c5c9071e2de5eb622e233afc902_amadey_cobalt-strike_cobaltstrike_poet-rat_smoke-loader.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\System\xImFMMS.exe
  C:\Windows\System\xImFMMS.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System\YjonRAz.exe
  C:\Windows\System\YjonRAz.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\GQInvvI.exe
  C:\Windows\System\GQInvvI.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\EQMzkQl.exe
  C:\Windows\System\EQMzkQl.exe
  2⤵
  - Executes dropped EXE
  PID:816
- C:\Windows\System\VuACHuZ.exe
  C:\Windows\System\VuACHuZ.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System\VBldpdq.exe
  C:\Windows\System\VBldpdq.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\cSqcmwA.exe
  C:\Windows\System\cSqcmwA.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System\jTttskE.exe
  C:\Windows\System\jTttskE.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\qIWaIpC.exe
  C:\Windows\System\qIWaIpC.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\AUvHIui.exe
  C:\Windows\System\AUvHIui.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\naRXdDl.exe
  C:\Windows\System\naRXdDl.exe
  2⤵
  - Executes dropped EXE
  PID:5924
- C:\Windows\System\UwxdhYZ.exe
  C:\Windows\System\UwxdhYZ.exe
  2⤵
  - Executes dropped EXE
  PID:5432
- C:\Windows\System\vzSJZpm.exe
  C:\Windows\System\vzSJZpm.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\fddFrDo.exe
  C:\Windows\System\fddFrDo.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\LDerPvr.exe
  C:\Windows\System\LDerPvr.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\iNEiJHt.exe
  C:\Windows\System\iNEiJHt.exe
  2⤵
  - Executes dropped EXE
  PID:5592
- C:\Windows\System\kLAcqVz.exe
  C:\Windows\System\kLAcqVz.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\FaIxSeM.exe
  C:\Windows\System\FaIxSeM.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\System\rbAIVDG.exe
  C:\Windows\System\rbAIVDG.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\znKdUxQ.exe
  C:\Windows\System\znKdUxQ.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\ZpnzKzJ.exe
  C:\Windows\System\ZpnzKzJ.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System\PYcuYFo.exe
  C:\Windows\System\PYcuYFo.exe
  2⤵
  - Executes dropped EXE
  PID:6040
- C:\Windows\System\qKpEGiT.exe
  C:\Windows\System\qKpEGiT.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\axSJUDQ.exe
  C:\Windows\System\axSJUDQ.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\OJVPlLF.exe
  C:\Windows\System\OJVPlLF.exe
  2⤵
  - Executes dropped EXE
  PID:5512
- C:\Windows\System\dVZUNCb.exe
  C:\Windows\System\dVZUNCb.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System\eIEWbMi.exe
  C:\Windows\System\eIEWbMi.exe
  2⤵
  - Executes dropped EXE
  PID:5336
- C:\Windows\System\ooBIjwq.exe
  C:\Windows\System\ooBIjwq.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\dbLoUlh.exe
  C:\Windows\System\dbLoUlh.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System\muPyjFX.exe
  C:\Windows\System\muPyjFX.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\LEIEUlb.exe
  C:\Windows\System\LEIEUlb.exe
  2⤵
  - Executes dropped EXE
  PID:5168
- C:\Windows\System\LCGZxfT.exe
  C:\Windows\System\LCGZxfT.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\EYUtbez.exe
  C:\Windows\System\EYUtbez.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\CWTVRaF.exe
  C:\Windows\System\CWTVRaF.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\meiMXzx.exe
  C:\Windows\System\meiMXzx.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\qwYVTnp.exe
  C:\Windows\System\qwYVTnp.exe
  2⤵
  - Executes dropped EXE
  PID:5680
- C:\Windows\System\BqHtYOy.exe
  C:\Windows\System\BqHtYOy.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\QyLATVn.exe
  C:\Windows\System\QyLATVn.exe
  2⤵
  - Executes dropped EXE
  PID:5704
- C:\Windows\System\gfjKvNe.exe
  C:\Windows\System\gfjKvNe.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\tgyOLKj.exe
  C:\Windows\System\tgyOLKj.exe
  2⤵
  - Executes dropped EXE
  PID:5952
- C:\Windows\System\xfHCBBc.exe
  C:\Windows\System\xfHCBBc.exe
  2⤵
  - Executes dropped EXE
  PID:5628
- C:\Windows\System\EBbNOEq.exe
  C:\Windows\System\EBbNOEq.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\SQcHwUn.exe
  C:\Windows\System\SQcHwUn.exe
  2⤵
  - Executes dropped EXE
  PID:5560
- C:\Windows\System\iFPWrvS.exe
  C:\Windows\System\iFPWrvS.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\QnIRKXK.exe
  C:\Windows\System\QnIRKXK.exe
  2⤵
  - Executes dropped EXE
  PID:5420
- C:\Windows\System\yiNxnmZ.exe
  C:\Windows\System\yiNxnmZ.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System\OCPaUth.exe
  C:\Windows\System\OCPaUth.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\YgmKIHF.exe
  C:\Windows\System\YgmKIHF.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\gQKMlPJ.exe
  C:\Windows\System\gQKMlPJ.exe
  2⤵
  - Executes dropped EXE
  PID:5236
- C:\Windows\System\AFojWFY.exe
  C:\Windows\System\AFojWFY.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System\zaliyuX.exe
  C:\Windows\System\zaliyuX.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\TpHkdFK.exe
  C:\Windows\System\TpHkdFK.exe
  2⤵
  - Executes dropped EXE
  PID:6004
- C:\Windows\System\QqPduzU.exe
  C:\Windows\System\QqPduzU.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\DWphzwO.exe
  C:\Windows\System\DWphzwO.exe
  2⤵
  - Executes dropped EXE
  PID:6052
- C:\Windows\System\kLGlASX.exe
  C:\Windows\System\kLGlASX.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\sDAqDLN.exe
  C:\Windows\System\sDAqDLN.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System\sWUvUUv.exe
  C:\Windows\System\sWUvUUv.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\waVyJiA.exe
  C:\Windows\System\waVyJiA.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\LaWXwrZ.exe
  C:\Windows\System\LaWXwrZ.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\mvaZzPr.exe
  C:\Windows\System\mvaZzPr.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\System\rGroxVU.exe
  C:\Windows\System\rGroxVU.exe
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Windows\System\rTUBkaO.exe
  C:\Windows\System\rTUBkaO.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System\KYxzJja.exe
  C:\Windows\System\KYxzJja.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\YGVrrLt.exe
  C:\Windows\System\YGVrrLt.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System\pwqnLAz.exe
  C:\Windows\System\pwqnLAz.exe
  2⤵
  PID:1660
- C:\Windows\System\WBwQZRZ.exe
  C:\Windows\System\WBwQZRZ.exe
  2⤵
  PID:5936
- C:\Windows\System\nwcmgXc.exe
  C:\Windows\System\nwcmgXc.exe
  2⤵
  PID:3460
- C:\Windows\System\eYCXAyw.exe
  C:\Windows\System\eYCXAyw.exe
  2⤵
  PID:1892
- C:\Windows\System\VJJqfXz.exe
  C:\Windows\System\VJJqfXz.exe
  2⤵
  PID:6068
- C:\Windows\System\GypFrZw.exe
  C:\Windows\System\GypFrZw.exe
  2⤵
  PID:5036
- C:\Windows\System\mnbksfb.exe
  C:\Windows\System\mnbksfb.exe
  2⤵
  PID:5460
- C:\Windows\System\rUoVMjh.exe
  C:\Windows\System\rUoVMjh.exe
  2⤵
  PID:1624
- C:\Windows\System\DvJoUym.exe
  C:\Windows\System\DvJoUym.exe
  2⤵
  PID:3760
- C:\Windows\System\jHslhbF.exe
  C:\Windows\System\jHslhbF.exe
  2⤵
  PID:4556
- C:\Windows\System\YBBzpAe.exe
  C:\Windows\System\YBBzpAe.exe
  2⤵
  PID:5200
- C:\Windows\System\PtZSpVV.exe
  C:\Windows\System\PtZSpVV.exe
  2⤵
  PID:5404
- C:\Windows\System\PkKiQtw.exe
  C:\Windows\System\PkKiQtw.exe
  2⤵
  PID:5672
- C:\Windows\System\NwHMRHE.exe
  C:\Windows\System\NwHMRHE.exe
  2⤵
  PID:4236
- C:\Windows\System\FmLEsiU.exe
  C:\Windows\System\FmLEsiU.exe
  2⤵
  PID:3520
- C:\Windows\System\JEFhTGU.exe
  C:\Windows\System\JEFhTGU.exe
  2⤵
  PID:5456
- C:\Windows\System\QDeffSU.exe
  C:\Windows\System\QDeffSU.exe
  2⤵
  PID:3972
- C:\Windows\System\ymhJLoM.exe
  C:\Windows\System\ymhJLoM.exe
  2⤵
  PID:4784
- C:\Windows\System\kPfTZHs.exe
  C:\Windows\System\kPfTZHs.exe
  2⤵
  PID:1832
- C:\Windows\System\HqolYbq.exe
  C:\Windows\System\HqolYbq.exe
  2⤵
  PID:5856
- C:\Windows\System\aMjoapm.exe
  C:\Windows\System\aMjoapm.exe
  2⤵
  PID:2524
- C:\Windows\System\sayIpSu.exe
  C:\Windows\System\sayIpSu.exe
  2⤵
  PID:2020
- C:\Windows\System\JhRXwTc.exe
  C:\Windows\System\JhRXwTc.exe
  2⤵
  PID:4472
- C:\Windows\System\UEyrZMM.exe
  C:\Windows\System\UEyrZMM.exe
  2⤵
  PID:3768
- C:\Windows\System\MCfDUfX.exe
  C:\Windows\System\MCfDUfX.exe
  2⤵
  PID:6084
- C:\Windows\System\bLfETBK.exe
  C:\Windows\System\bLfETBK.exe
  2⤵
  PID:224
- C:\Windows\System\etBtBAH.exe
  C:\Windows\System\etBtBAH.exe
  2⤵
  PID:5820
- C:\Windows\System\Aqgsavz.exe
  C:\Windows\System\Aqgsavz.exe
  2⤵
  PID:3656
- C:\Windows\System\zAXjosa.exe
  C:\Windows\System\zAXjosa.exe
  2⤵
  PID:5140
- C:\Windows\System\dbBMdDt.exe
  C:\Windows\System\dbBMdDt.exe
  2⤵
  PID:2388
- C:\Windows\System\ojAzHhw.exe
  C:\Windows\System\ojAzHhw.exe
  2⤵
  PID:2852
- C:\Windows\System\atDFbKQ.exe
  C:\Windows\System\atDFbKQ.exe
  2⤵
  PID:5912
- C:\Windows\System\NoithrO.exe
  C:\Windows\System\NoithrO.exe
  2⤵
  PID:4504
- C:\Windows\System\fdqcNkX.exe
  C:\Windows\System\fdqcNkX.exe
  2⤵
  PID:5340
- C:\Windows\System\tvlhUsC.exe
  C:\Windows\System\tvlhUsC.exe
  2⤵
  PID:4348
- C:\Windows\System\hQoPWOw.exe
  C:\Windows\System\hQoPWOw.exe
  2⤵
  PID:4056
- C:\Windows\System\dPxeCOy.exe
  C:\Windows\System\dPxeCOy.exe
  2⤵
  PID:4844
- C:\Windows\System\HeZzwFU.exe
  C:\Windows\System\HeZzwFU.exe
  2⤵
  PID:1692
- C:\Windows\System\GhghWHi.exe
  C:\Windows\System\GhghWHi.exe
  2⤵
  PID:5916
- C:\Windows\System\YWgkXLn.exe
  C:\Windows\System\YWgkXLn.exe
  2⤵
  PID:4400
- C:\Windows\System\aASLCMx.exe
  C:\Windows\System\aASLCMx.exe
  2⤵
  PID:2028
- C:\Windows\System\wrkfQXv.exe
  C:\Windows\System\wrkfQXv.exe
  2⤵
  PID:5108
- C:\Windows\System\HtgMmQH.exe
  C:\Windows\System\HtgMmQH.exe
  2⤵
  PID:2696
- C:\Windows\System\xszTDvS.exe
  C:\Windows\System\xszTDvS.exe
  2⤵
  PID:4268
- C:\Windows\System\eAWMFho.exe
  C:\Windows\System\eAWMFho.exe
  2⤵
  PID:2728
- C:\Windows\System\zmDsJMv.exe
  C:\Windows\System\zmDsJMv.exe
  2⤵
  PID:912
- C:\Windows\System\NjrxgQF.exe
  C:\Windows\System\NjrxgQF.exe
  2⤵
  PID:4408
- C:\Windows\System\LowiIRf.exe
  C:\Windows\System\LowiIRf.exe
  2⤵
  PID:5964
- C:\Windows\System\MAKBRUl.exe
  C:\Windows\System\MAKBRUl.exe
  2⤵
  PID:5528
- C:\Windows\System\XBvOfpl.exe
  C:\Windows\System\XBvOfpl.exe
  2⤵
  PID:3164
- C:\Windows\System\ntSvVDt.exe
  C:\Windows\System\ntSvVDt.exe
  2⤵
  PID:3224
- C:\Windows\System\osrpvzE.exe
  C:\Windows\System\osrpvzE.exe
  2⤵
  PID:6088
- C:\Windows\System\yncDsQX.exe
  C:\Windows\System\yncDsQX.exe
  2⤵
  PID:5892
- C:\Windows\System\eLyialv.exe
  C:\Windows\System\eLyialv.exe
  2⤵
  PID:5012
- C:\Windows\System\uDajitl.exe
  C:\Windows\System\uDajitl.exe
  2⤵
  PID:5412
- C:\Windows\System\pxDGcWN.exe
  C:\Windows\System\pxDGcWN.exe
  2⤵
  PID:4296
- C:\Windows\System\hwKLJRm.exe
  C:\Windows\System\hwKLJRm.exe
  2⤵
  PID:640
- C:\Windows\System\vCszcUt.exe
  C:\Windows\System\vCszcUt.exe
  2⤵
  PID:4284
- C:\Windows\System\kRUbnuQ.exe
  C:\Windows\System\kRUbnuQ.exe
  2⤵
  PID:976
- C:\Windows\System\tDRxLho.exe
  C:\Windows\System\tDRxLho.exe
  2⤵
  PID:3892
- C:\Windows\System\TYKNVZJ.exe
  C:\Windows\System\TYKNVZJ.exe
  2⤵
  PID:2272
- C:\Windows\System\RuZbuvl.exe
  C:\Windows\System\RuZbuvl.exe
  2⤵
  PID:3232
- C:\Windows\System\BmXwPTz.exe
  C:\Windows\System\BmXwPTz.exe
  2⤵
  PID:2316
- C:\Windows\System\VfHUaOR.exe
  C:\Windows\System\VfHUaOR.exe
  2⤵
  PID:5252
- C:\Windows\System\jHbUoJx.exe
  C:\Windows\System\jHbUoJx.exe
  2⤵
  PID:3064
- C:\Windows\System\eIrHhIv.exe
  C:\Windows\System\eIrHhIv.exe
  2⤵
  PID:1956
- C:\Windows\System\VFiWsSl.exe
  C:\Windows\System\VFiWsSl.exe
  2⤵
  PID:652
- C:\Windows\System\rPoXBdu.exe
  C:\Windows\System\rPoXBdu.exe
  2⤵
  PID:3040
- C:\Windows\System\eYknXGS.exe
  C:\Windows\System\eYknXGS.exe
  2⤵
  PID:4804
- C:\Windows\System\TKaJClz.exe
  C:\Windows\System\TKaJClz.exe
  2⤵
  PID:712
- C:\Windows\System\rqsPcio.exe
  C:\Windows\System\rqsPcio.exe
  2⤵
  PID:3268
- C:\Windows\System\wKyeIdS.exe
  C:\Windows\System\wKyeIdS.exe
  2⤵
  PID:3284
- C:\Windows\System\sJcRKwB.exe
  C:\Windows\System\sJcRKwB.exe
  2⤵
  PID:5076
- C:\Windows\System\bcurMuw.exe
  C:\Windows\System\bcurMuw.exe
  2⤵
  PID:6152
- C:\Windows\System\DRfVVUs.exe
  C:\Windows\System\DRfVVUs.exe
  2⤵
  PID:6180
- C:\Windows\System\IlNPmTC.exe
  C:\Windows\System\IlNPmTC.exe
  2⤵
  PID:6204
- C:\Windows\System\bRzkOVX.exe
  C:\Windows\System\bRzkOVX.exe
  2⤵
  PID:6236
- C:\Windows\System\ChRjkve.exe
  C:\Windows\System\ChRjkve.exe
  2⤵
  PID:6276
- C:\Windows\System\BGFRjpj.exe
  C:\Windows\System\BGFRjpj.exe
  2⤵
  PID:6348
- C:\Windows\System\ISEuJbI.exe
  C:\Windows\System\ISEuJbI.exe
  2⤵
  PID:6428
- C:\Windows\System\GDBiiIX.exe
  C:\Windows\System\GDBiiIX.exe
  2⤵
  PID:6456
- C:\Windows\System\EiESkRV.exe
  C:\Windows\System\EiESkRV.exe
  2⤵
  PID:6500
- C:\Windows\System\CTUTjVm.exe
  C:\Windows\System\CTUTjVm.exe
  2⤵
  PID:6528
- C:\Windows\System\tIiBtKX.exe
  C:\Windows\System\tIiBtKX.exe
  2⤵
  PID:6556
- C:\Windows\System\ULOTWVn.exe
  C:\Windows\System\ULOTWVn.exe
  2⤵
  PID:6584
- C:\Windows\System\EaQqGna.exe
  C:\Windows\System\EaQqGna.exe
  2⤵
  PID:6608
- C:\Windows\System\niBcPNW.exe
  C:\Windows\System\niBcPNW.exe
  2⤵
  PID:6640
- C:\Windows\System\DHXXqMk.exe
  C:\Windows\System\DHXXqMk.exe
  2⤵
  PID:6668
- C:\Windows\System\JFtPBbj.exe
  C:\Windows\System\JFtPBbj.exe
  2⤵
  PID:6696
- C:\Windows\System\nNPSQbZ.exe
  C:\Windows\System\nNPSQbZ.exe
  2⤵
  PID:6720
- C:\Windows\System\IOwHmaV.exe
  C:\Windows\System\IOwHmaV.exe
  2⤵
  PID:6752
- C:\Windows\System\OATYrkS.exe
  C:\Windows\System\OATYrkS.exe
  2⤵
  PID:6776
- C:\Windows\System\muhDXtY.exe
  C:\Windows\System\muhDXtY.exe
  2⤵
  PID:6808
- C:\Windows\System\rjetHBl.exe
  C:\Windows\System\rjetHBl.exe
  2⤵
  PID:6836
- C:\Windows\System\AQDKsZw.exe
  C:\Windows\System\AQDKsZw.exe
  2⤵
  PID:6860
- C:\Windows\System\TAljEIa.exe
  C:\Windows\System\TAljEIa.exe
  2⤵
  PID:6892
- C:\Windows\System\BWYwQEQ.exe
  C:\Windows\System\BWYwQEQ.exe
  2⤵
  PID:6920
- C:\Windows\System\lUvWsBQ.exe
  C:\Windows\System\lUvWsBQ.exe
  2⤵
  PID:6952
- C:\Windows\System\SoGkjgL.exe
  C:\Windows\System\SoGkjgL.exe
  2⤵
  PID:6980
- C:\Windows\System\DmUQxhE.exe
  C:\Windows\System\DmUQxhE.exe
  2⤵
  PID:7008
- C:\Windows\System\HtBIDVL.exe
  C:\Windows\System\HtBIDVL.exe
  2⤵
  PID:7032
- C:\Windows\System\llwRdFu.exe
  C:\Windows\System\llwRdFu.exe
  2⤵
  PID:7052
- C:\Windows\System\medgaZJ.exe
  C:\Windows\System\medgaZJ.exe
  2⤵
  PID:7084
- C:\Windows\System\YchgbOI.exe
  C:\Windows\System\YchgbOI.exe
  2⤵
  PID:7104
- C:\Windows\System\RDpgwld.exe
  C:\Windows\System\RDpgwld.exe
  2⤵
  PID:7132
- C:\Windows\System\VOwyhtE.exe
  C:\Windows\System\VOwyhtE.exe
  2⤵
  PID:6168
- C:\Windows\System\qrDWHPq.exe
  C:\Windows\System\qrDWHPq.exe
  2⤵
  PID:6232
- C:\Windows\System\eRbrtjk.exe
  C:\Windows\System\eRbrtjk.exe
  2⤵
  PID:6396
- C:\Windows\System\xljRbNn.exe
  C:\Windows\System\xljRbNn.exe
  2⤵
  PID:6444
- C:\Windows\System\EJVvBvS.exe
  C:\Windows\System\EJVvBvS.exe
  2⤵
  PID:6552
- C:\Windows\System\LfTbBvb.exe
  C:\Windows\System\LfTbBvb.exe
  2⤵
  PID:6620
- C:\Windows\System\PuwITKA.exe
  C:\Windows\System\PuwITKA.exe
  2⤵
  PID:6692
- C:\Windows\System\szCmbKf.exe
  C:\Windows\System\szCmbKf.exe
  2⤵
  PID:6784
- C:\Windows\System\zBhBuPN.exe
  C:\Windows\System\zBhBuPN.exe
  2⤵
  PID:6844
- C:\Windows\System\UyOzfyv.exe
  C:\Windows\System\UyOzfyv.exe
  2⤵
  PID:6916
- C:\Windows\System\kJzDvyD.exe
  C:\Windows\System\kJzDvyD.exe
  2⤵
  PID:6968
- C:\Windows\System\VBEPJLF.exe
  C:\Windows\System\VBEPJLF.exe
  2⤵
  PID:7044
- C:\Windows\System\kvSyiXy.exe
  C:\Windows\System\kvSyiXy.exe
  2⤵
  PID:4344
- C:\Windows\System\DuGMyWx.exe
  C:\Windows\System\DuGMyWx.exe
  2⤵
  PID:7144
- C:\Windows\System\rNsVATh.exe
  C:\Windows\System\rNsVATh.exe
  2⤵
  PID:6272
- C:\Windows\System\qtkPOkH.exe
  C:\Windows\System\qtkPOkH.exe
  2⤵
  PID:6508
- C:\Windows\System\zftiHxq.exe
  C:\Windows\System\zftiHxq.exe
  2⤵
  PID:6704
- C:\Windows\System\WlsVuso.exe
  C:\Windows\System\WlsVuso.exe
  2⤵
  PID:6832
- C:\Windows\System\fmoUoXY.exe
  C:\Windows\System\fmoUoXY.exe
  2⤵
  PID:6996
- C:\Windows\System\ArHZILT.exe
  C:\Windows\System\ArHZILT.exe
  2⤵
  PID:7120
- C:\Windows\System\nuaIUTy.exe
  C:\Windows\System\nuaIUTy.exe
  2⤵
  PID:6536
- C:\Windows\System\mHVFGTe.exe
  C:\Windows\System\mHVFGTe.exe
  2⤵
  PID:6880
- C:\Windows\System\SMOHZzY.exe
  C:\Windows\System\SMOHZzY.exe
  2⤵
  PID:7064
- C:\Windows\System\BMbduyu.exe
  C:\Windows\System\BMbduyu.exe
  2⤵
  PID:6440
- C:\Windows\System\SoPHfOA.exe
  C:\Windows\System\SoPHfOA.exe
  2⤵
  PID:7188
- C:\Windows\System\EGCUvLy.exe
  C:\Windows\System\EGCUvLy.exe
  2⤵
  PID:7216
- C:\Windows\System\yJaeyxC.exe
  C:\Windows\System\yJaeyxC.exe
  2⤵
  PID:7244
- C:\Windows\System\kcZiWgp.exe
  C:\Windows\System\kcZiWgp.exe
  2⤵
  PID:7272
- C:\Windows\System\KAPpWFZ.exe
  C:\Windows\System\KAPpWFZ.exe
  2⤵
  PID:7300
- C:\Windows\System\PlSBQjY.exe
  C:\Windows\System\PlSBQjY.exe
  2⤵
  PID:7328
- C:\Windows\System\WZFJHyv.exe
  C:\Windows\System\WZFJHyv.exe
  2⤵
  PID:7352
- C:\Windows\System\jNXpUXZ.exe
  C:\Windows\System\jNXpUXZ.exe
  2⤵
  PID:7384
- C:\Windows\System\RRSPjvj.exe
  C:\Windows\System\RRSPjvj.exe
  2⤵
  PID:7412
- C:\Windows\System\ORikYSe.exe
  C:\Windows\System\ORikYSe.exe
  2⤵
  PID:7436
- C:\Windows\System\BbOIIiF.exe
  C:\Windows\System\BbOIIiF.exe
  2⤵
  PID:7464
- C:\Windows\System\lyLHovF.exe
  C:\Windows\System\lyLHovF.exe
  2⤵
  PID:7492
- C:\Windows\System\CiANgYL.exe
  C:\Windows\System\CiANgYL.exe
  2⤵
  PID:7524
- C:\Windows\System\lObhSYB.exe
  C:\Windows\System\lObhSYB.exe
  2⤵
  PID:7560
- C:\Windows\System\RGtohfE.exe
  C:\Windows\System\RGtohfE.exe
  2⤵
  PID:7592
- C:\Windows\System\MJjtaXA.exe
  C:\Windows\System\MJjtaXA.exe
  2⤵
  PID:7616
- C:\Windows\System\PzFdjQq.exe
  C:\Windows\System\PzFdjQq.exe
  2⤵
  PID:7648
- C:\Windows\System\xXWGFWI.exe
  C:\Windows\System\xXWGFWI.exe
  2⤵
  PID:7676
- C:\Windows\System\noUwPkF.exe
  C:\Windows\System\noUwPkF.exe
  2⤵
  PID:7704
- C:\Windows\System\AruQtfn.exe
  C:\Windows\System\AruQtfn.exe
  2⤵
  PID:7728
- C:\Windows\System\AdLYFRg.exe
  C:\Windows\System\AdLYFRg.exe
  2⤵
  PID:7760
- C:\Windows\System\silmbXo.exe
  C:\Windows\System\silmbXo.exe
  2⤵
  PID:7788
- C:\Windows\System\ovkoCfc.exe
  C:\Windows\System\ovkoCfc.exe
  2⤵
  PID:7812
- C:\Windows\System\ZLTuTYJ.exe
  C:\Windows\System\ZLTuTYJ.exe
  2⤵
  PID:7844
- C:\Windows\System\QoFmZDM.exe
  C:\Windows\System\QoFmZDM.exe
  2⤵
  PID:7872
- C:\Windows\System\alhhnbO.exe
  C:\Windows\System\alhhnbO.exe
  2⤵
  PID:7900
- C:\Windows\System\AMvLsQT.exe
  C:\Windows\System\AMvLsQT.exe
  2⤵
  PID:7916
- C:\Windows\System\ChdxGoJ.exe
  C:\Windows\System\ChdxGoJ.exe
  2⤵
  PID:7944
- C:\Windows\System\QJfzSNL.exe
  C:\Windows\System\QJfzSNL.exe
  2⤵
  PID:7972
- C:\Windows\System\IZkMmeD.exe
  C:\Windows\System\IZkMmeD.exe
  2⤵
  PID:8000
- C:\Windows\System\pXuLlpI.exe
  C:\Windows\System\pXuLlpI.exe
  2⤵
  PID:8028
- C:\Windows\System\UibDsdD.exe
  C:\Windows\System\UibDsdD.exe
  2⤵
  PID:8060
- C:\Windows\System\hIihKgu.exe
  C:\Windows\System\hIihKgu.exe
  2⤵
  PID:8092
- C:\Windows\System\npehKys.exe
  C:\Windows\System\npehKys.exe
  2⤵
  PID:8116
- C:\Windows\System\RUsBBBQ.exe
  C:\Windows\System\RUsBBBQ.exe
  2⤵
  PID:8148
- C:\Windows\System\GLXJbeI.exe
  C:\Windows\System\GLXJbeI.exe
  2⤵
  PID:8180
- C:\Windows\System\izuKgqz.exe
  C:\Windows\System\izuKgqz.exe
  2⤵
  PID:7180
- C:\Windows\System\GyeWfPd.exe
  C:\Windows\System\GyeWfPd.exe
  2⤵
  PID:7252
- C:\Windows\System\BvgeVoC.exe
  C:\Windows\System\BvgeVoC.exe
  2⤵
  PID:7316
- C:\Windows\System\YNokzCe.exe
  C:\Windows\System\YNokzCe.exe
  2⤵
  PID:6928
- C:\Windows\System\bJlPtWJ.exe
  C:\Windows\System\bJlPtWJ.exe
  2⤵
  PID:7428
- C:\Windows\System\yakuHZS.exe
  C:\Windows\System\yakuHZS.exe
  2⤵
  PID:4464
- C:\Windows\System\vNQQsgt.exe
  C:\Windows\System\vNQQsgt.exe
  2⤵
  PID:2612
- C:\Windows\System\mjWLohx.exe
  C:\Windows\System\mjWLohx.exe
  2⤵
  PID:4940
- C:\Windows\System\YPAtSyk.exe
  C:\Windows\System\YPAtSyk.exe
  2⤵
  PID:7544
- C:\Windows\System\cGHCLvo.exe
  C:\Windows\System\cGHCLvo.exe
  2⤵
  PID:7608
- C:\Windows\System\NbuLNJa.exe
  C:\Windows\System\NbuLNJa.exe
  2⤵
  PID:7668
- C:\Windows\System\fgfzphf.exe
  C:\Windows\System\fgfzphf.exe
  2⤵
  PID:7740
- C:\Windows\System\NGlXxQW.exe
  C:\Windows\System\NGlXxQW.exe
  2⤵
  PID:7804
- C:\Windows\System\WPcgJFl.exe
  C:\Windows\System\WPcgJFl.exe
  2⤵
  PID:7860
- C:\Windows\System\XRvsjZZ.exe
  C:\Windows\System\XRvsjZZ.exe
  2⤵
  PID:7936
- C:\Windows\System\hHWoBRk.exe
  C:\Windows\System\hHWoBRk.exe
  2⤵
  PID:7996
- C:\Windows\System\VBDlbhz.exe
  C:\Windows\System\VBDlbhz.exe
  2⤵
  PID:8068
- C:\Windows\System\cXTyWuX.exe
  C:\Windows\System\cXTyWuX.exe
  2⤵
  PID:8140
- C:\Windows\System\eNrxPbp.exe
  C:\Windows\System\eNrxPbp.exe
  2⤵
  PID:7184
- C:\Windows\System\OcnKwza.exe
  C:\Windows\System\OcnKwza.exe
  2⤵
  PID:7364
- C:\Windows\System\EpEyVcj.exe
  C:\Windows\System\EpEyVcj.exe
  2⤵
  PID:8076
- C:\Windows\System\ZeKAsgA.exe
  C:\Windows\System\ZeKAsgA.exe
  2⤵
  PID:7476
- C:\Windows\System\pHQfiCr.exe
  C:\Windows\System\pHQfiCr.exe
  2⤵
  PID:7600
- C:\Windows\System\LiSKKUg.exe
  C:\Windows\System\LiSKKUg.exe
  2⤵
  PID:7768
- C:\Windows\System\syAFFpC.exe
  C:\Windows\System\syAFFpC.exe
  2⤵
  PID:7912
- C:\Windows\System\ruDlnEL.exe
  C:\Windows\System\ruDlnEL.exe
  2⤵
  PID:8052
- C:\Windows\System\pagrDLA.exe
  C:\Windows\System\pagrDLA.exe
  2⤵
  PID:7308
- C:\Windows\System\uUIdBEl.exe
  C:\Windows\System\uUIdBEl.exe
  2⤵
  PID:3364
- C:\Windows\System\IwitRvS.exe
  C:\Windows\System\IwitRvS.exe
  2⤵
  PID:7736
- C:\Windows\System\AINbhbn.exe
  C:\Windows\System\AINbhbn.exe
  2⤵
  PID:8128
- C:\Windows\System\aCwRNeg.exe
  C:\Windows\System\aCwRNeg.exe
  2⤵
  PID:7664
- C:\Windows\System\osYLEcA.exe
  C:\Windows\System\osYLEcA.exe
  2⤵
  PID:8024
- C:\Windows\System\ZxPgYPw.exe
  C:\Windows\System\ZxPgYPw.exe
  2⤵
  PID:8212
- C:\Windows\System\KSvzCga.exe
  C:\Windows\System\KSvzCga.exe
  2⤵
  PID:8240
- C:\Windows\System\aAvexCI.exe
  C:\Windows\System\aAvexCI.exe
  2⤵
  PID:8268
- C:\Windows\System\mwviMSk.exe
  C:\Windows\System\mwviMSk.exe
  2⤵
  PID:8296
- C:\Windows\System\gqBpRTK.exe
  C:\Windows\System\gqBpRTK.exe
  2⤵
  PID:8324
- C:\Windows\System\fGQBWvf.exe
  C:\Windows\System\fGQBWvf.exe
  2⤵
  PID:8352
- C:\Windows\System\CYGoMVT.exe
  C:\Windows\System\CYGoMVT.exe
  2⤵
  PID:8380
- C:\Windows\System\sNwVMzE.exe
  C:\Windows\System\sNwVMzE.exe
  2⤵
  PID:8412
- C:\Windows\System\aRiHFZu.exe
  C:\Windows\System\aRiHFZu.exe
  2⤵
  PID:8436
- C:\Windows\System\oECxPIx.exe
  C:\Windows\System\oECxPIx.exe
  2⤵
  PID:8472
- C:\Windows\System\jmoYZZM.exe
  C:\Windows\System\jmoYZZM.exe
  2⤵
  PID:8496
- C:\Windows\System\AJeoreM.exe
  C:\Windows\System\AJeoreM.exe
  2⤵
  PID:8520
- C:\Windows\System\PsQphjj.exe
  C:\Windows\System\PsQphjj.exe
  2⤵
  PID:8548
- C:\Windows\System\WEHduea.exe
  C:\Windows\System\WEHduea.exe
  2⤵
  PID:8584
- C:\Windows\System\szmnnsK.exe
  C:\Windows\System\szmnnsK.exe
  2⤵
  PID:8612
- C:\Windows\System\wwFmqcQ.exe
  C:\Windows\System\wwFmqcQ.exe
  2⤵
  PID:8632
- C:\Windows\System\SjiFoPs.exe
  C:\Windows\System\SjiFoPs.exe
  2⤵
  PID:8664
- C:\Windows\System\DFSXsKX.exe
  C:\Windows\System\DFSXsKX.exe
  2⤵
  PID:8688
- C:\Windows\System\iTSLQEc.exe
  C:\Windows\System\iTSLQEc.exe
  2⤵
  PID:8716
- C:\Windows\System\MkSaCtx.exe
  C:\Windows\System\MkSaCtx.exe
  2⤵
  PID:8744
- C:\Windows\System\BYlTwln.exe
  C:\Windows\System\BYlTwln.exe
  2⤵
  PID:8772
- C:\Windows\System\ekYRjTM.exe
  C:\Windows\System\ekYRjTM.exe
  2⤵
  PID:8800
- C:\Windows\System\lnSGDaW.exe
  C:\Windows\System\lnSGDaW.exe
  2⤵
  PID:8828
- C:\Windows\System\vwsBXHD.exe
  C:\Windows\System\vwsBXHD.exe
  2⤵
  PID:8856
- C:\Windows\System\FxZYHYr.exe
  C:\Windows\System\FxZYHYr.exe
  2⤵
  PID:8884
- C:\Windows\System\WrEiZzL.exe
  C:\Windows\System\WrEiZzL.exe
  2⤵
  PID:8912
- C:\Windows\System\sHlgcwu.exe
  C:\Windows\System\sHlgcwu.exe
  2⤵
  PID:8940
- C:\Windows\System\rSuRGPt.exe
  C:\Windows\System\rSuRGPt.exe
  2⤵
  PID:8968
- C:\Windows\System\RNUqDCg.exe
  C:\Windows\System\RNUqDCg.exe
  2⤵
  PID:9008
- C:\Windows\System\GcDnoPp.exe
  C:\Windows\System\GcDnoPp.exe
  2⤵
  PID:9040
- C:\Windows\System\prRSvmt.exe
  C:\Windows\System\prRSvmt.exe
  2⤵
  PID:9056
- C:\Windows\System\qdHqjeF.exe
  C:\Windows\System\qdHqjeF.exe
  2⤵
  PID:9084
- C:\Windows\System\XTBXkLJ.exe
  C:\Windows\System\XTBXkLJ.exe
  2⤵
  PID:9112
- C:\Windows\System\hMQcGLM.exe
  C:\Windows\System\hMQcGLM.exe
  2⤵
  PID:9140
- C:\Windows\System\LPQJTRv.exe
  C:\Windows\System\LPQJTRv.exe
  2⤵
  PID:9168
- C:\Windows\System\WRARjrm.exe
  C:\Windows\System\WRARjrm.exe
  2⤵
  PID:9196
- C:\Windows\System\Ghxedeu.exe
  C:\Windows\System\Ghxedeu.exe
  2⤵
  PID:8208
- C:\Windows\System\nVHczlm.exe
  C:\Windows\System\nVHczlm.exe
  2⤵
  PID:8292
- C:\Windows\System\mnQPwGw.exe
  C:\Windows\System\mnQPwGw.exe
  2⤵
  PID:8344
- C:\Windows\System\PKjrgjc.exe
  C:\Windows\System\PKjrgjc.exe
  2⤵
  PID:8404
- C:\Windows\System\rzuzEmY.exe
  C:\Windows\System\rzuzEmY.exe
  2⤵
  PID:1188
- C:\Windows\System\oQXjmgT.exe
  C:\Windows\System\oQXjmgT.exe
  2⤵
  PID:8532
- C:\Windows\System\zerQKfo.exe
  C:\Windows\System\zerQKfo.exe
  2⤵
  PID:8568
- C:\Windows\System\iwYLtEm.exe
  C:\Windows\System\iwYLtEm.exe
  2⤵
  PID:8628
- C:\Windows\System\LkDmvsr.exe
  C:\Windows\System\LkDmvsr.exe
  2⤵
  PID:8700
- C:\Windows\System\hMkCptT.exe
  C:\Windows\System\hMkCptT.exe
  2⤵
  PID:6000
- C:\Windows\System\RrcEZpx.exe
  C:\Windows\System\RrcEZpx.exe
  2⤵
  PID:8820
- C:\Windows\System\uCprwpb.exe
  C:\Windows\System\uCprwpb.exe
  2⤵
  PID:8880
- C:\Windows\System\FKsMBgX.exe
  C:\Windows\System\FKsMBgX.exe
  2⤵
  PID:9004
- C:\Windows\System\DfzuMUf.exe
  C:\Windows\System\DfzuMUf.exe
  2⤵
  PID:9096
- C:\Windows\System\OqgnKNy.exe
  C:\Windows\System\OqgnKNy.exe
  2⤵
  PID:9160
- C:\Windows\System\dOxFkDn.exe
  C:\Windows\System\dOxFkDn.exe
  2⤵
  PID:8204
- C:\Windows\System\nvdcuOM.exe
  C:\Windows\System\nvdcuOM.exe
  2⤵
  PID:8460
- C:\Windows\System\JzbluTg.exe
  C:\Windows\System\JzbluTg.exe
  2⤵
  PID:8620
- C:\Windows\System\pjHeOSz.exe
  C:\Windows\System\pjHeOSz.exe
  2⤵
  PID:8756
- C:\Windows\System\aBbYzQS.exe
  C:\Windows\System\aBbYzQS.exe
  2⤵
  PID:8876
- C:\Windows\System\AEpKeTz.exe
  C:\Windows\System\AEpKeTz.exe
  2⤵
  PID:1176
- C:\Windows\System\gkNQQGi.exe
  C:\Windows\System\gkNQQGi.exe
  2⤵
  PID:8196
- C:\Windows\System\EEYOEZw.exe
  C:\Windows\System\EEYOEZw.exe
  2⤵
  PID:8516
- C:\Windows\System\SjxdtTl.exe
  C:\Windows\System\SjxdtTl.exe
  2⤵
  PID:8848
- C:\Windows\System\vtCoGSg.exe
  C:\Windows\System\vtCoGSg.exe
  2⤵
  PID:1512
- C:\Windows\System\xDlcWtA.exe
  C:\Windows\System\xDlcWtA.exe
  2⤵
  PID:8656
- C:\Windows\System\MlGLqnZ.exe
  C:\Windows\System\MlGLqnZ.exe
  2⤵
  PID:1208
- C:\Windows\System\cFdyBLL.exe
  C:\Windows\System\cFdyBLL.exe
  2⤵
  PID:9076
- C:\Windows\System\vIEjuEO.exe
  C:\Windows\System\vIEjuEO.exe
  2⤵
  PID:9232
- C:\Windows\System\xtldBBZ.exe
  C:\Windows\System\xtldBBZ.exe
  2⤵
  PID:9260
- C:\Windows\System\WovsOAq.exe
  C:\Windows\System\WovsOAq.exe
  2⤵
  PID:9288
- C:\Windows\System\TGiVNah.exe
  C:\Windows\System\TGiVNah.exe
  2⤵
  PID:9316
- C:\Windows\System\nRNhSma.exe
  C:\Windows\System\nRNhSma.exe
  2⤵
  PID:9344
- C:\Windows\System\sXUffKx.exe
  C:\Windows\System\sXUffKx.exe
  2⤵
  PID:9372
- C:\Windows\System\tMTjQdT.exe
  C:\Windows\System\tMTjQdT.exe
  2⤵
  PID:9400
- C:\Windows\System\LjYEEjb.exe
  C:\Windows\System\LjYEEjb.exe
  2⤵
  PID:9428
- C:\Windows\System\cOhJwgn.exe
  C:\Windows\System\cOhJwgn.exe
  2⤵
  PID:9456
- C:\Windows\System\qFsQdlT.exe
  C:\Windows\System\qFsQdlT.exe
  2⤵
  PID:9484
- C:\Windows\System\NzaOoCM.exe
  C:\Windows\System\NzaOoCM.exe
  2⤵
  PID:9512
- C:\Windows\System\MtxyKxZ.exe
  C:\Windows\System\MtxyKxZ.exe
  2⤵
  PID:9540
- C:\Windows\System\kapbPHA.exe
  C:\Windows\System\kapbPHA.exe
  2⤵
  PID:9568
- C:\Windows\System\HiCjeMw.exe
  C:\Windows\System\HiCjeMw.exe
  2⤵
  PID:9596
- C:\Windows\System\MtMlfst.exe
  C:\Windows\System\MtMlfst.exe
  2⤵
  PID:9624
- C:\Windows\System\eRqyDoZ.exe
  C:\Windows\System\eRqyDoZ.exe
  2⤵
  PID:9652
- C:\Windows\System\MvtSdar.exe
  C:\Windows\System\MvtSdar.exe
  2⤵
  PID:9696
- C:\Windows\System\buqsiCg.exe
  C:\Windows\System\buqsiCg.exe
  2⤵
  PID:9720
- C:\Windows\System\IMiICHN.exe
  C:\Windows\System\IMiICHN.exe
  2⤵
  PID:9756
- C:\Windows\System\rPowCrE.exe
  C:\Windows\System\rPowCrE.exe
  2⤵
  PID:9780
- C:\Windows\System\oNfizfr.exe
  C:\Windows\System\oNfizfr.exe
  2⤵
  PID:9796
- C:\Windows\System\LUKbRZC.exe
  C:\Windows\System\LUKbRZC.exe
  2⤵
  PID:9828
- C:\Windows\System\xcSQTEs.exe
  C:\Windows\System\xcSQTEs.exe
  2⤵
  PID:9868
- C:\Windows\System\NAEessh.exe
  C:\Windows\System\NAEessh.exe
  2⤵
  PID:9892
- C:\Windows\System\kdOMJFd.exe
  C:\Windows\System\kdOMJFd.exe
  2⤵
  PID:9928
- C:\Windows\System\slQjFVl.exe
  C:\Windows\System\slQjFVl.exe
  2⤵
  PID:9956
- C:\Windows\System\MspjbSg.exe
  C:\Windows\System\MspjbSg.exe
  2⤵
  PID:9984
- C:\Windows\System\sQVjMWV.exe
  C:\Windows\System\sQVjMWV.exe
  2⤵
  PID:10012
- C:\Windows\System\SmkMoHe.exe
  C:\Windows\System\SmkMoHe.exe
  2⤵
  PID:10040
- C:\Windows\System\qHnrBru.exe
  C:\Windows\System\qHnrBru.exe
  2⤵
  PID:10072
- C:\Windows\System\NmRmajg.exe
  C:\Windows\System\NmRmajg.exe
  2⤵
  PID:10096
- C:\Windows\System\PVWdiMa.exe
  C:\Windows\System\PVWdiMa.exe
  2⤵
  PID:10124
- C:\Windows\System\OSoYdmG.exe
  C:\Windows\System\OSoYdmG.exe
  2⤵
  PID:10152
- C:\Windows\System\qpmGVvd.exe
  C:\Windows\System\qpmGVvd.exe
  2⤵
  PID:10180
- C:\Windows\System\aLDCMNY.exe
  C:\Windows\System\aLDCMNY.exe
  2⤵
  PID:10212
- C:\Windows\System\wkXAZCg.exe
  C:\Windows\System\wkXAZCg.exe
  2⤵
  PID:3060
- C:\Windows\System\ruDCDEk.exe
  C:\Windows\System\ruDCDEk.exe
  2⤵
  PID:9280
- C:\Windows\System\WdALVIy.exe
  C:\Windows\System\WdALVIy.exe
  2⤵
  PID:9364
- C:\Windows\System\xshvtYd.exe
  C:\Windows\System\xshvtYd.exe
  2⤵
  PID:9412
- C:\Windows\System\phptoXT.exe
  C:\Windows\System\phptoXT.exe
  2⤵
  PID:9468
- C:\Windows\System\RGVlLWW.exe
  C:\Windows\System\RGVlLWW.exe
  2⤵
  PID:9532
- C:\Windows\System\oQAFzFo.exe
  C:\Windows\System\oQAFzFo.exe
  2⤵
  PID:9588
- C:\Windows\System\mdduSja.exe
  C:\Windows\System\mdduSja.exe
  2⤵
  PID:9648
- C:\Windows\System\znBrGUW.exe
  C:\Windows\System\znBrGUW.exe
  2⤵
  PID:9716
- C:\Windows\System\neoLQeU.exe
  C:\Windows\System\neoLQeU.exe
  2⤵
  PID:9772
- C:\Windows\System\BamftZx.exe
  C:\Windows\System\BamftZx.exe
  2⤵
  PID:9852
- C:\Windows\System\LkkoAGO.exe
  C:\Windows\System\LkkoAGO.exe
  2⤵
  PID:9912
- C:\Windows\System\stXMTdK.exe
  C:\Windows\System\stXMTdK.exe
  2⤵
  PID:9968
- C:\Windows\System\EhNrBvY.exe
  C:\Windows\System\EhNrBvY.exe
  2⤵
  PID:10032
- C:\Windows\System\uyYXHia.exe
  C:\Windows\System\uyYXHia.exe
  2⤵
  PID:10092
- C:\Windows\System\UPkCTiC.exe
  C:\Windows\System\UPkCTiC.exe
  2⤵
  PID:10172
- C:\Windows\System\XHkkpDz.exe
  C:\Windows\System\XHkkpDz.exe
  2⤵
  PID:10232
- C:\Windows\System\SGkMbTW.exe
  C:\Windows\System\SGkMbTW.exe
  2⤵
  PID:9336
- C:\Windows\System\bdyQesU.exe
  C:\Windows\System\bdyQesU.exe
  2⤵
  PID:9496
- C:\Windows\System\BRXAmXN.exe
  C:\Windows\System\BRXAmXN.exe
  2⤵
  PID:3524
- C:\Windows\System\bCLkLaw.exe
  C:\Windows\System\bCLkLaw.exe
  2⤵
  PID:9792
- C:\Windows\System\nYLGYiW.exe
  C:\Windows\System\nYLGYiW.exe
  2⤵
  PID:9924
- C:\Windows\System\XhsQrsw.exe
  C:\Windows\System\XhsQrsw.exe
  2⤵
  PID:10088
- C:\Windows\System\dcyhkeh.exe
  C:\Windows\System\dcyhkeh.exe
  2⤵
  PID:9256
- C:\Windows\System\RQuxeGc.exe
  C:\Windows\System\RQuxeGc.exe
  2⤵
  PID:9616
- C:\Windows\System\vrleGki.exe
  C:\Windows\System\vrleGki.exe
  2⤵
  PID:9996
- C:\Windows\System\wagffGx.exe
  C:\Windows\System\wagffGx.exe
  2⤵
  PID:9560
- C:\Windows\System\RahKjsr.exe
  C:\Windows\System\RahKjsr.exe
  2⤵
  PID:9396
- C:\Windows\System\ebFSxRa.exe
  C:\Windows\System\ebFSxRa.exe
  2⤵
  PID:10256
- C:\Windows\System\wfFayzG.exe
  C:\Windows\System\wfFayzG.exe
  2⤵
  PID:10284
- C:\Windows\System\KwOrlvz.exe
  C:\Windows\System\KwOrlvz.exe
  2⤵
  PID:10316
- C:\Windows\System\wYRIPwb.exe
  C:\Windows\System\wYRIPwb.exe
  2⤵
  PID:10344
- C:\Windows\System\ISWlbCk.exe
  C:\Windows\System\ISWlbCk.exe
  2⤵
  PID:10372
- C:\Windows\System\MAQSefJ.exe
  C:\Windows\System\MAQSefJ.exe
  2⤵
  PID:10408
- C:\Windows\System\rGeDLxL.exe
  C:\Windows\System\rGeDLxL.exe
  2⤵
  PID:10436
- C:\Windows\System\jmPbWKV.exe
  C:\Windows\System\jmPbWKV.exe
  2⤵
  PID:10464
- C:\Windows\System\sbOgXQG.exe
  C:\Windows\System\sbOgXQG.exe
  2⤵
  PID:10492
- C:\Windows\System\SfbCbaB.exe
  C:\Windows\System\SfbCbaB.exe
  2⤵
  PID:10520
- C:\Windows\System\LgOMAvu.exe
  C:\Windows\System\LgOMAvu.exe
  2⤵
  PID:10548
- C:\Windows\System\OklFuKs.exe
  C:\Windows\System\OklFuKs.exe
  2⤵
  PID:10576
- C:\Windows\System\ruYwxux.exe
  C:\Windows\System\ruYwxux.exe
  2⤵
  PID:10604
- C:\Windows\System\ipwesLx.exe
  C:\Windows\System\ipwesLx.exe
  2⤵
  PID:10632
- C:\Windows\System\mdPGGZu.exe
  C:\Windows\System\mdPGGZu.exe
  2⤵
  PID:10660
- C:\Windows\System\rhLndNS.exe
  C:\Windows\System\rhLndNS.exe
  2⤵
  PID:10688
- C:\Windows\System\VHFoXTj.exe
  C:\Windows\System\VHFoXTj.exe
  2⤵
  PID:10716
- C:\Windows\System\BqQCzeL.exe
  C:\Windows\System\BqQCzeL.exe
  2⤵
  PID:10748
- C:\Windows\System\NKrwaDA.exe
  C:\Windows\System\NKrwaDA.exe
  2⤵
  PID:10776
- C:\Windows\System\QGJeLSd.exe
  C:\Windows\System\QGJeLSd.exe
  2⤵
  PID:10804
- C:\Windows\System\IxnPrmU.exe
  C:\Windows\System\IxnPrmU.exe
  2⤵
  PID:10832
- C:\Windows\System\RaTfJni.exe
  C:\Windows\System\RaTfJni.exe
  2⤵
  PID:10860
- C:\Windows\System\FQeHraQ.exe
  C:\Windows\System\FQeHraQ.exe
  2⤵
  PID:10888
- C:\Windows\System\EgWvUKr.exe
  C:\Windows\System\EgWvUKr.exe
  2⤵
  PID:10916
- C:\Windows\System\oRnVHDH.exe
  C:\Windows\System\oRnVHDH.exe
  2⤵
  PID:10944
- C:\Windows\System\reoxPGa.exe
  C:\Windows\System\reoxPGa.exe
  2⤵
  PID:10972
- C:\Windows\System\dRlUCgG.exe
  C:\Windows\System\dRlUCgG.exe
  2⤵
  PID:11000
- C:\Windows\System\eOIoYqi.exe
  C:\Windows\System\eOIoYqi.exe
  2⤵
  PID:11028
- C:\Windows\System\pQUxEWz.exe
  C:\Windows\System\pQUxEWz.exe
  2⤵
  PID:11056
- C:\Windows\System\FcakTWs.exe
  C:\Windows\System\FcakTWs.exe
  2⤵
  PID:11084
- C:\Windows\System\fOUBdiv.exe
  C:\Windows\System\fOUBdiv.exe
  2⤵
  PID:11116
- C:\Windows\System\gnmmBxm.exe
  C:\Windows\System\gnmmBxm.exe
  2⤵
  PID:11144
- C:\Windows\System\lNKWLqT.exe
  C:\Windows\System\lNKWLqT.exe
  2⤵
  PID:11184
- C:\Windows\System\tXLFnIx.exe
  C:\Windows\System\tXLFnIx.exe
  2⤵
  PID:11200
- C:\Windows\System\bxDHKrA.exe
  C:\Windows\System\bxDHKrA.exe
  2⤵
  PID:11228
- C:\Windows\System\aMQFvDO.exe
  C:\Windows\System\aMQFvDO.exe
  2⤵
  PID:11256
- C:\Windows\System\QCbwbQw.exe
  C:\Windows\System\QCbwbQw.exe
  2⤵
  PID:10280
- C:\Windows\System\wHqUtMJ.exe
  C:\Windows\System\wHqUtMJ.exe
  2⤵
  PID:10340
- C:\Windows\System\tZTUfZG.exe
  C:\Windows\System\tZTUfZG.exe
  2⤵
  PID:10420
- C:\Windows\System\bfquHrI.exe
  C:\Windows\System\bfquHrI.exe
  2⤵
  PID:10484
- C:\Windows\System\RpSsyyO.exe
  C:\Windows\System\RpSsyyO.exe
  2⤵
  PID:10544
- C:\Windows\System\PYcqfoW.exe
  C:\Windows\System\PYcqfoW.exe
  2⤵
  PID:10616
- C:\Windows\System\yKACETr.exe
  C:\Windows\System\yKACETr.exe
  2⤵
  PID:10680
- C:\Windows\System\PMZCqaV.exe
  C:\Windows\System\PMZCqaV.exe
  2⤵
  PID:10744
- C:\Windows\System\XAmnodd.exe
  C:\Windows\System\XAmnodd.exe
  2⤵
  PID:10816
- C:\Windows\System\QSippvi.exe
  C:\Windows\System\QSippvi.exe
  2⤵
  PID:10880
- C:\Windows\System\eBiJIDH.exe
  C:\Windows\System\eBiJIDH.exe
  2⤵
  PID:10940
- C:\Windows\System\vMZgoXG.exe
  C:\Windows\System\vMZgoXG.exe
  2⤵
  PID:11012
- C:\Windows\System\YhHeESW.exe
  C:\Windows\System\YhHeESW.exe
  2⤵
  PID:11076
- C:\Windows\System\HcGRRbg.exe
  C:\Windows\System\HcGRRbg.exe
  2⤵
  PID:11140
- C:\Windows\System\MfRbvgW.exe
  C:\Windows\System\MfRbvgW.exe
  2⤵
  PID:11212
- C:\Windows\System\yBJfYKP.exe
  C:\Windows\System\yBJfYKP.exe
  2⤵
  PID:10268
- C:\Windows\System\ACWeXYo.exe
  C:\Windows\System\ACWeXYo.exe
  2⤵
  PID:10404
- C:\Windows\System\jVZZueX.exe
  C:\Windows\System\jVZZueX.exe
  2⤵
  PID:10572
- C:\Windows\System\OwaApxc.exe
  C:\Windows\System\OwaApxc.exe
  2⤵
  PID:10708
- C:\Windows\System\cfPaIki.exe
  C:\Windows\System\cfPaIki.exe
  2⤵
  PID:10856
- C:\Windows\System\RrgKCvW.exe
  C:\Windows\System\RrgKCvW.exe
  2⤵
  PID:10992
- C:\Windows\System\FHlerdU.exe
  C:\Windows\System\FHlerdU.exe
  2⤵
  PID:11136
- C:\Windows\System\dMmWDXL.exe
  C:\Windows\System\dMmWDXL.exe
  2⤵
  PID:11252
- C:\Windows\System\HPWTPaF.exe
  C:\Windows\System\HPWTPaF.exe
  2⤵
  PID:10540
- C:\Windows\System\nALZkOR.exe
  C:\Windows\System\nALZkOR.exe
  2⤵
  PID:10936
- C:\Windows\System\AVeUFEN.exe
  C:\Windows\System\AVeUFEN.exe
  2⤵
  PID:11196
- C:\Windows\System\PaALOmX.exe
  C:\Windows\System\PaALOmX.exe
  2⤵
  PID:10844
- C:\Windows\System\hnDjhHU.exe
  C:\Windows\System\hnDjhHU.exe
  2⤵
  PID:11180
- C:\Windows\System\QdqjBqN.exe
  C:\Windows\System\QdqjBqN.exe
  2⤵
  PID:11284
- C:\Windows\System\JLyYCaA.exe
  C:\Windows\System\JLyYCaA.exe
  2⤵
  PID:11312
- C:\Windows\System\HJksTKT.exe
  C:\Windows\System\HJksTKT.exe
  2⤵
  PID:11340
- C:\Windows\System\HBdhKsV.exe
  C:\Windows\System\HBdhKsV.exe
  2⤵
  PID:11368
- C:\Windows\System\oRqAWft.exe
  C:\Windows\System\oRqAWft.exe
  2⤵
  PID:11396
- C:\Windows\System\SrJNVPA.exe
  C:\Windows\System\SrJNVPA.exe
  2⤵
  PID:11424
- C:\Windows\System\XULBCxJ.exe
  C:\Windows\System\XULBCxJ.exe
  2⤵
  PID:11452
- C:\Windows\System\BnQlhHt.exe
  C:\Windows\System\BnQlhHt.exe
  2⤵
  PID:11480
- C:\Windows\System\DTqqVlV.exe
  C:\Windows\System\DTqqVlV.exe
  2⤵
  PID:11508
- C:\Windows\System\beWXYKb.exe
  C:\Windows\System\beWXYKb.exe
  2⤵
  PID:11536
- C:\Windows\System\LaBeEpp.exe
  C:\Windows\System\LaBeEpp.exe
  2⤵
  PID:11564
- C:\Windows\System\PeHKPkc.exe
  C:\Windows\System\PeHKPkc.exe
  2⤵
  PID:11592
- C:\Windows\System\ljLBKTa.exe
  C:\Windows\System\ljLBKTa.exe
  2⤵
  PID:11620
- C:\Windows\System\lolQfRG.exe
  C:\Windows\System\lolQfRG.exe
  2⤵
  PID:11648
- C:\Windows\System\asbTocB.exe
  C:\Windows\System\asbTocB.exe
  2⤵
  PID:11676
- C:\Windows\System\VcBIjDh.exe
  C:\Windows\System\VcBIjDh.exe
  2⤵
  PID:11704
- C:\Windows\System\ZRKTWgo.exe
  C:\Windows\System\ZRKTWgo.exe
  2⤵
  PID:11732
- C:\Windows\System\NPPDSSy.exe
  C:\Windows\System\NPPDSSy.exe
  2⤵
  PID:11760
- C:\Windows\System\ypEsqwh.exe
  C:\Windows\System\ypEsqwh.exe
  2⤵
  PID:11776
- C:\Windows\System\dgFywnG.exe
  C:\Windows\System\dgFywnG.exe
  2⤵
  PID:11812
- C:\Windows\System\BuqhWNr.exe
  C:\Windows\System\BuqhWNr.exe
  2⤵
  PID:11844
- C:\Windows\System\GzqNmya.exe
  C:\Windows\System\GzqNmya.exe
  2⤵
  PID:11900
- C:\Windows\System\stHkoNu.exe
  C:\Windows\System\stHkoNu.exe
  2⤵
  PID:11936
- C:\Windows\System\DWSIWiV.exe
  C:\Windows\System\DWSIWiV.exe
  2⤵
  PID:11972
- C:\Windows\System\dmHeyZp.exe
  C:\Windows\System\dmHeyZp.exe
  2⤵
  PID:12000
- C:\Windows\System\oPSIznc.exe
  C:\Windows\System\oPSIznc.exe
  2⤵
  PID:12028
- C:\Windows\System\ZrpJFXo.exe
  C:\Windows\System\ZrpJFXo.exe
  2⤵
  PID:12056
- C:\Windows\System\kwGuBtx.exe
  C:\Windows\System\kwGuBtx.exe
  2⤵
  PID:12084
- C:\Windows\System\BrjqJKj.exe
  C:\Windows\System\BrjqJKj.exe
  2⤵
  PID:12112
- C:\Windows\System\ceimGXH.exe
  C:\Windows\System\ceimGXH.exe
  2⤵
  PID:12140
- C:\Windows\System\hjMwgHg.exe
  C:\Windows\System\hjMwgHg.exe
  2⤵
  PID:12168
- C:\Windows\System\qOmVGMV.exe
  C:\Windows\System\qOmVGMV.exe
  2⤵
  PID:12196
- C:\Windows\System\AhhRUBs.exe
  C:\Windows\System\AhhRUBs.exe
  2⤵
  PID:12224
- C:\Windows\System\nHWdzYv.exe
  C:\Windows\System\nHWdzYv.exe
  2⤵
  PID:12256
- C:\Windows\System\vnFgocN.exe
  C:\Windows\System\vnFgocN.exe
  2⤵
  PID:12284
- C:\Windows\System\DhvByTc.exe
  C:\Windows\System\DhvByTc.exe
  2⤵
  PID:11324
- C:\Windows\System\zCvSjUO.exe
  C:\Windows\System\zCvSjUO.exe
  2⤵
  PID:11388
- C:\Windows\System\XRQUiUX.exe
  C:\Windows\System\XRQUiUX.exe
  2⤵
  PID:11448
- C:\Windows\System\FmofwNq.exe
  C:\Windows\System\FmofwNq.exe
  2⤵
  PID:11520
- C:\Windows\System\syvxCyx.exe
  C:\Windows\System\syvxCyx.exe
  2⤵
  PID:11584
- C:\Windows\System\mFWxgYh.exe
  C:\Windows\System\mFWxgYh.exe
  2⤵
  PID:11644
- C:\Windows\System\XkLvchQ.exe
  C:\Windows\System\XkLvchQ.exe
  2⤵
  PID:11716
- C:\Windows\System\IkpyTRM.exe
  C:\Windows\System\IkpyTRM.exe
  2⤵
  PID:11772
- C:\Windows\System\lpYIUwr.exe
  C:\Windows\System\lpYIUwr.exe
  2⤵
  PID:11840
- C:\Windows\System\fIjGDSV.exe
  C:\Windows\System\fIjGDSV.exe
  2⤵
  PID:11952
- C:\Windows\System\atnRoSH.exe
  C:\Windows\System\atnRoSH.exe
  2⤵
  PID:8684
- C:\Windows\System\wAdESgq.exe
  C:\Windows\System\wAdESgq.exe
  2⤵
  PID:11984
- C:\Windows\System\PSdMuht.exe
  C:\Windows\System\PSdMuht.exe
  2⤵
  PID:12048
- C:\Windows\System\MOGeNLR.exe
  C:\Windows\System\MOGeNLR.exe
  2⤵
  PID:12108
- C:\Windows\System\AMnfPcR.exe
  C:\Windows\System\AMnfPcR.exe
  2⤵
  PID:2980
- C:\Windows\System\MPhDogx.exe
  C:\Windows\System\MPhDogx.exe
  2⤵
  PID:12188
- C:\Windows\System\CQVGzUP.exe
  C:\Windows\System\CQVGzUP.exe
  2⤵
  PID:3048
- C:\Windows\System\IsNUmSU.exe
  C:\Windows\System\IsNUmSU.exe
  2⤵
  PID:11280
- C:\Windows\System\lhxsckt.exe
  C:\Windows\System\lhxsckt.exe
  2⤵
  PID:11436
- C:\Windows\System\JTpGoDo.exe
  C:\Windows\System\JTpGoDo.exe
  2⤵
  PID:11576
- C:\Windows\System\dDjMCpQ.exe
  C:\Windows\System\dDjMCpQ.exe
  2⤵
  PID:11728
- C:\Windows\System\EEQhkqE.exe
  C:\Windows\System\EEQhkqE.exe
  2⤵
  PID:11888
- C:\Windows\System\iljyMRM.exe
  C:\Windows\System\iljyMRM.exe
  2⤵
  PID:11964
- C:\Windows\System\HyFFwzR.exe
  C:\Windows\System\HyFFwzR.exe
  2⤵
  PID:12104
- C:\Windows\System\yUAeCwV.exe
  C:\Windows\System\yUAeCwV.exe
  2⤵
  PID:2128
- C:\Windows\System\xewIvmV.exe
  C:\Windows\System\xewIvmV.exe
  2⤵
  PID:11380
- C:\Windows\System\ykZJrHH.exe
  C:\Windows\System\ykZJrHH.exe
  2⤵
  PID:11700
- C:\Windows\System\sXPdtUQ.exe
  C:\Windows\System\sXPdtUQ.exe
  2⤵
  PID:12020
- C:\Windows\System\lSiVpOm.exe
  C:\Windows\System\lSiVpOm.exe
  2⤵
  PID:12248
- C:\Windows\System\YEuDXxF.exe
  C:\Windows\System\YEuDXxF.exe
  2⤵
  PID:8336
- C:\Windows\System\kzvGAiA.exe
  C:\Windows\System\kzvGAiA.exe
  2⤵
  PID:11836
- C:\Windows\System\KMWUReG.exe
  C:\Windows\System\KMWUReG.exe
  2⤵
  PID:12304
- C:\Windows\System\XfjEYdy.exe
  C:\Windows\System\XfjEYdy.exe
  2⤵
  PID:12332
- C:\Windows\System\HTSHmdw.exe
  C:\Windows\System\HTSHmdw.exe
  2⤵
  PID:12360
- C:\Windows\System\JjQVXGU.exe
  C:\Windows\System\JjQVXGU.exe
  2⤵
  PID:12388
- C:\Windows\System\MEJoMhw.exe
  C:\Windows\System\MEJoMhw.exe
  2⤵
  PID:12416
- C:\Windows\System\ebVkhND.exe
  C:\Windows\System\ebVkhND.exe
  2⤵
  PID:12444
- C:\Windows\System\KEVSGAE.exe
  C:\Windows\System\KEVSGAE.exe
  2⤵
  PID:12472
- C:\Windows\System\rPNgGSi.exe
  C:\Windows\System\rPNgGSi.exe
  2⤵
  PID:12500
- C:\Windows\System\yfYVFsd.exe
  C:\Windows\System\yfYVFsd.exe
  2⤵
  PID:12528
- C:\Windows\System\RNOwbVp.exe
  C:\Windows\System\RNOwbVp.exe
  2⤵
  PID:12556
- C:\Windows\System\KamSzQS.exe
  C:\Windows\System\KamSzQS.exe
  2⤵
  PID:12584
- C:\Windows\System\yARLmGQ.exe
  C:\Windows\System\yARLmGQ.exe
  2⤵
  PID:12612
- C:\Windows\System\PfQpFab.exe
  C:\Windows\System\PfQpFab.exe
  2⤵
  PID:12640
- C:\Windows\System\eukaLli.exe
  C:\Windows\System\eukaLli.exe
  2⤵
  PID:12668
- C:\Windows\System\ywlQVLl.exe
  C:\Windows\System\ywlQVLl.exe
  2⤵
  PID:12696
- C:\Windows\System\UnuaGzi.exe
  C:\Windows\System\UnuaGzi.exe
  2⤵
  PID:12724
- C:\Windows\System\yatYgxl.exe
  C:\Windows\System\yatYgxl.exe
  2⤵
  PID:12752
- C:\Windows\System\QHUvrqz.exe
  C:\Windows\System\QHUvrqz.exe
  2⤵
  PID:12780
- C:\Windows\System\JNlahdo.exe
  C:\Windows\System\JNlahdo.exe
  2⤵
  PID:12808
- C:\Windows\System\sqeZyzR.exe
  C:\Windows\System\sqeZyzR.exe
  2⤵
  PID:12836
- C:\Windows\System\henHQvZ.exe
  C:\Windows\System\henHQvZ.exe
  2⤵
  PID:12864
- C:\Windows\System\EvKGpSQ.exe
  C:\Windows\System\EvKGpSQ.exe
  2⤵
  PID:12892
- C:\Windows\System\qgWgQub.exe
  C:\Windows\System\qgWgQub.exe
  2⤵
  PID:12920
- C:\Windows\System\JycUtKd.exe
  C:\Windows\System\JycUtKd.exe
  2⤵
  PID:12948
- C:\Windows\System\MBiiQTl.exe
  C:\Windows\System\MBiiQTl.exe
  2⤵
  PID:12976
- C:\Windows\System\ofRuBDX.exe
  C:\Windows\System\ofRuBDX.exe
  2⤵
  PID:13004
- C:\Windows\System\LVevLHy.exe
  C:\Windows\System\LVevLHy.exe
  2⤵
  PID:13032
- C:\Windows\System\dZcNHYV.exe
  C:\Windows\System\dZcNHYV.exe
  2⤵
  PID:13060
- C:\Windows\System\QrSMWuG.exe
  C:\Windows\System\QrSMWuG.exe
  2⤵
  PID:13088
- C:\Windows\System\XYvNcbz.exe
  C:\Windows\System\XYvNcbz.exe
  2⤵
  PID:13116
- C:\Windows\System\BvCRYwi.exe
  C:\Windows\System\BvCRYwi.exe
  2⤵
  PID:13144
- C:\Windows\System\caeMLIC.exe
  C:\Windows\System\caeMLIC.exe
  2⤵
  PID:13172
- C:\Windows\System\DEjNnKc.exe
  C:\Windows\System\DEjNnKc.exe
  2⤵
  PID:13200
- C:\Windows\System\qfQTQqZ.exe
  C:\Windows\System\qfQTQqZ.exe
  2⤵
  PID:13228
- C:\Windows\System\KZrdwcv.exe
  C:\Windows\System\KZrdwcv.exe
  2⤵
  PID:13268
- C:\Windows\System\GLwVxiB.exe
  C:\Windows\System\GLwVxiB.exe
  2⤵
  PID:13296
- C:\Windows\System\zkEPIAm.exe
  C:\Windows\System\zkEPIAm.exe
  2⤵
  PID:12296
- C:\Windows\System\hOQPvGs.exe
  C:\Windows\System\hOQPvGs.exe
  2⤵
  PID:12356
- C:\Windows\System\vyLwIJQ.exe
  C:\Windows\System\vyLwIJQ.exe
  2⤵
  PID:12428
- C:\Windows\System\LHKXyos.exe
  C:\Windows\System\LHKXyos.exe
  2⤵
  PID:12492
- C:\Windows\System\VkSSncf.exe
  C:\Windows\System\VkSSncf.exe
  2⤵
  PID:12552
- C:\Windows\System\IetnCoC.exe
  C:\Windows\System\IetnCoC.exe
  2⤵
  PID:12624
- C:\Windows\System\yCIhvUU.exe
  C:\Windows\System\yCIhvUU.exe
  2⤵
  PID:12692
- C:\Windows\System\dlJvbIA.exe
  C:\Windows\System\dlJvbIA.exe
  2⤵
  PID:12744
- C:\Windows\System\kcBxzHM.exe
  C:\Windows\System\kcBxzHM.exe
  2⤵
  PID:2920
- C:\Windows\System\uHOLUfx.exe
  C:\Windows\System\uHOLUfx.exe
  2⤵
  PID:3212
- C:\Windows\System\ywigpSx.exe
  C:\Windows\System\ywigpSx.exe
  2⤵
  PID:12912
- C:\Windows\System\NQQpRFF.exe
  C:\Windows\System\NQQpRFF.exe
  2⤵
  PID:12972
- C:\Windows\System\EyuieUO.exe
  C:\Windows\System\EyuieUO.exe
  2⤵
  PID:13044
- C:\Windows\System\TDSeyZs.exe
  C:\Windows\System\TDSeyZs.exe
  2⤵
  PID:13108
- C:\Windows\System\LUYhOwi.exe
  C:\Windows\System\LUYhOwi.exe
  2⤵
  PID:13168
- C:\Windows\System\kyjReZr.exe
  C:\Windows\System\kyjReZr.exe
  2⤵
  PID:13240
- C:\Windows\System\GbueWFw.exe
  C:\Windows\System\GbueWFw.exe
  2⤵
  PID:13308
- C:\Windows\System\ChTBqLh.exe
  C:\Windows\System\ChTBqLh.exe
  2⤵
  PID:12412
- C:\Windows\System\sfCGSoq.exe
  C:\Windows\System\sfCGSoq.exe
  2⤵
  PID:12580
- C:\Windows\System\uKtpZld.exe
  C:\Windows\System\uKtpZld.exe
  2⤵
  PID:12720
- C:\Windows\System\rboDqXd.exe
  C:\Windows\System\rboDqXd.exe
  2⤵
  PID:12848
- C:\Windows\System\yBMWHpy.exe
  C:\Windows\System\yBMWHpy.exe
  2⤵
  PID:13000
- C:\Windows\System\pjhaoLe.exe
  C:\Windows\System\pjhaoLe.exe
  2⤵
  PID:13156
- C:\Windows\System\ePGLIJO.exe
  C:\Windows\System\ePGLIJO.exe
  2⤵
  PID:13304
- C:\Windows\System\CsstzNK.exe
  C:\Windows\System\CsstzNK.exe
  2⤵
  PID:12652
- C:\Windows\System\MbteNdX.exe
  C:\Windows\System\MbteNdX.exe
  2⤵
  PID:12960
- C:\Windows\System\tQgkVeE.exe
  C:\Windows\System\tQgkVeE.exe
  2⤵
  PID:13280
- C:\Windows\System\uVtcXyD.exe
  C:\Windows\System\uVtcXyD.exe
  2⤵
  PID:13100
- C:\Windows\System\JaINQyC.exe
  C:\Windows\System\JaINQyC.exe
  2⤵
  PID:13316
- C:\Windows\System\sCfFmmQ.exe
  C:\Windows\System\sCfFmmQ.exe
  2⤵
  PID:13344
- C:\Windows\System\ZDKtMsm.exe
  C:\Windows\System\ZDKtMsm.exe
  2⤵
  PID:13372
- C:\Windows\System\acRjVLs.exe
  C:\Windows\System\acRjVLs.exe
  2⤵
  PID:13400
- C:\Windows\System\WQNFSjG.exe
  C:\Windows\System\WQNFSjG.exe
  2⤵
  PID:13432
- C:\Windows\System\dlqSSjv.exe
  C:\Windows\System\dlqSSjv.exe
  2⤵
  PID:13460
- C:\Windows\System\eJtnCmb.exe
  C:\Windows\System\eJtnCmb.exe
  2⤵
  PID:13492
- C:\Windows\System\yfQMRzr.exe
  C:\Windows\System\yfQMRzr.exe
  2⤵
  PID:13520
- C:\Windows\System\hWKfIPT.exe
  C:\Windows\System\hWKfIPT.exe
  2⤵
  PID:13556
- C:\Windows\System\kIcQuNm.exe
  C:\Windows\System\kIcQuNm.exe
  2⤵
  PID:13580
- C:\Windows\System\KshKWaw.exe
  C:\Windows\System\KshKWaw.exe
  2⤵
  PID:13648
- C:\Windows\System\TdLfQVl.exe
  C:\Windows\System\TdLfQVl.exe
  2⤵
  PID:13668
- C:\Windows\System\JoMtSrq.exe
  C:\Windows\System\JoMtSrq.exe
  2⤵
  PID:13696
- C:\Windows\System\HqHjUzN.exe
  C:\Windows\System\HqHjUzN.exe
  2⤵
  PID:13724
- C:\Windows\System\oAfOiGX.exe
  C:\Windows\System\oAfOiGX.exe
  2⤵
  PID:13752
- C:\Windows\System\viBqMRJ.exe
  C:\Windows\System\viBqMRJ.exe
  2⤵
  PID:13780
- C:\Windows\System\eyiPHjD.exe
  C:\Windows\System\eyiPHjD.exe
  2⤵
  PID:13808
- C:\Windows\System\zfFatNX.exe
  C:\Windows\System\zfFatNX.exe
  2⤵
  PID:13836
- C:\Windows\System\LvIgaGq.exe
  C:\Windows\System\LvIgaGq.exe
  2⤵
  PID:13864
- C:\Windows\System\glVClXR.exe
  C:\Windows\System\glVClXR.exe
  2⤵
  PID:13892
- C:\Windows\System\GsVzkYT.exe
  C:\Windows\System\GsVzkYT.exe
  2⤵
  PID:13920
- C:\Windows\System\xXWzxyW.exe
  C:\Windows\System\xXWzxyW.exe
  2⤵
  PID:13948
- C:\Windows\System\JffERBN.exe
  C:\Windows\System\JffERBN.exe
  2⤵
  PID:13976
- C:\Windows\System\xAivrAw.exe
  C:\Windows\System\xAivrAw.exe
  2⤵
  PID:14004
- C:\Windows\System\aJftVoE.exe
  C:\Windows\System\aJftVoE.exe
  2⤵
  PID:14032
- C:\Windows\System\Qyqbora.exe
  C:\Windows\System\Qyqbora.exe
  2⤵
  PID:14060
- C:\Windows\System\xVZbeoW.exe
  C:\Windows\System\xVZbeoW.exe
  2⤵
  PID:14088
- C:\Windows\System\TtYSsbI.exe
  C:\Windows\System\TtYSsbI.exe
  2⤵
  PID:14116
- C:\Windows\System\UBCnYtM.exe
  C:\Windows\System\UBCnYtM.exe
  2⤵
  PID:14144
- C:\Windows\System\zhIDgHT.exe
  C:\Windows\System\zhIDgHT.exe
  2⤵
  PID:14172
- C:\Windows\System\aIlrQlf.exe
  C:\Windows\System\aIlrQlf.exe
  2⤵
  PID:14200
- C:\Windows\System\czRUFJb.exe
  C:\Windows\System\czRUFJb.exe
  2⤵
  PID:14228
- C:\Windows\System\dzhlDsi.exe
  C:\Windows\System\dzhlDsi.exe
  2⤵
  PID:14256
- C:\Windows\System\VaUOCoL.exe
  C:\Windows\System\VaUOCoL.exe
  2⤵
  PID:14284
- C:\Windows\System\sqjHONx.exe
  C:\Windows\System\sqjHONx.exe
  2⤵
  PID:14312
- C:\Windows\System\XejEMSe.exe
  C:\Windows\System\XejEMSe.exe
  2⤵
  PID:12904
- C:\Windows\System\GWdlfVf.exe
  C:\Windows\System\GWdlfVf.exe
  2⤵
  PID:13412
- C:\Windows\System\EeRdJrV.exe
  C:\Windows\System\EeRdJrV.exe
  2⤵
  PID:13456
- C:\Windows\System\WYicswU.exe
  C:\Windows\System\WYicswU.exe
  2⤵
  PID:13504
- C:\Windows\System\xIBfynL.exe
  C:\Windows\System\xIBfynL.exe
  2⤵
  PID:13540
- C:\Windows\System\xWmSAwN.exe
  C:\Windows\System\xWmSAwN.exe
  2⤵
  PID:13588
- C:\Windows\System\kjwIXrU.exe
  C:\Windows\System\kjwIXrU.exe
  2⤵
  PID:208
- C:\Windows\System\LnFbUDp.exe
  C:\Windows\System\LnFbUDp.exe
  2⤵
  PID:5584
- C:\Windows\System\dqCCMVm.exe
  C:\Windows\System\dqCCMVm.exe
  2⤵
  PID:13660
- C:\Windows\System\VVwojRL.exe
  C:\Windows\System\VVwojRL.exe
  2⤵
  PID:13620
- C:\Windows\System\MHPFkGX.exe
  C:\Windows\System\MHPFkGX.exe
  2⤵
  PID:13736
- C:\Windows\System\leszcrg.exe
  C:\Windows\System\leszcrg.exe
  2⤵
  PID:13800
- C:\Windows\System\dGSGtrX.exe
  C:\Windows\System\dGSGtrX.exe
  2⤵
  PID:13860
- C:\Windows\System\cvoOSwk.exe
  C:\Windows\System\cvoOSwk.exe
  2⤵
  PID:13932
- C:\Windows\System\wLuIopV.exe
  C:\Windows\System\wLuIopV.exe
  2⤵
  PID:13988
- C:\Windows\System\GArWHva.exe
  C:\Windows\System\GArWHva.exe
  2⤵
  PID:14052
- C:\Windows\System\cnmXXMo.exe
  C:\Windows\System\cnmXXMo.exe
  2⤵
  PID:14112
- C:\Windows\System\QTJbXBh.exe
  C:\Windows\System\QTJbXBh.exe
  2⤵
  PID:14184
- C:\Windows\System\nCDaTew.exe
  C:\Windows\System\nCDaTew.exe
  2⤵
  PID:14276
- C:\Windows\System\RpudCBd.exe
  C:\Windows\System\RpudCBd.exe
  2⤵
  PID:14308
- C:\Windows\System\CtfQorV.exe
  C:\Windows\System\CtfQorV.exe
  2⤵
  PID:13340
- C:\Windows\System\nCrxNgH.exe
  C:\Windows\System\nCrxNgH.exe
  2⤵
  PID:13480
- C:\Windows\System\rPHlINr.exe
  C:\Windows\System\rPHlINr.exe
  2⤵
  PID:13568
- C:\Windows\System\ZnKRhNR.exe
  C:\Windows\System\ZnKRhNR.exe
  2⤵
  PID:4848
- C:\Windows\System\ibNXQJg.exe
  C:\Windows\System\ibNXQJg.exe
  2⤵
  PID:13692
- C:\Windows\System\Fyjygtk.exe
  C:\Windows\System\Fyjygtk.exe
  2⤵
  PID:13848
- C:\Windows\System\lzoizRO.exe
  C:\Windows\System\lzoizRO.exe
  2⤵
  PID:4220
- C:\Windows\System\nIAWpjk.exe
  C:\Windows\System\nIAWpjk.exe
  2⤵
  PID:3732
- C:\Windows\System\gGOpkHb.exe
  C:\Windows\System\gGOpkHb.exe
  2⤵
  PID:14080
- C:\Windows\System\XHGBZmU.exe
  C:\Windows\System\XHGBZmU.exe
  2⤵
  PID:14224
- C:\Windows\System\WNObPxS.exe
  C:\Windows\System\WNObPxS.exe
  2⤵
  PID:14332
- C:\Windows\System\uKeryfB.exe
  C:\Windows\System\uKeryfB.exe
  2⤵
  PID:4596
- C:\Windows\System\fpBPhfU.exe
  C:\Windows\System\fpBPhfU.exe
  2⤵
  PID:13792
- C:\Windows\System\pMAcOPo.exe
  C:\Windows\System\pMAcOPo.exe
  2⤵
  PID:1628
- C:\Windows\System\cSUAIKO.exe
  C:\Windows\System\cSUAIKO.exe
  2⤵
  PID:3904
- C:\Windows\System\IzbDKiP.exe
  C:\Windows\System\IzbDKiP.exe
  2⤵
  PID:13764
- C:\Windows\System\YOIMlAz.exe
  C:\Windows\System\YOIMlAz.exe
  2⤵
  PID:14212
- C:\Windows\System\ykptXHM.exe
  C:\Windows\System\ykptXHM.exe
  2⤵
  PID:13444
- C:\Windows\System\FssaJPa.exe
  C:\Windows\System\FssaJPa.exe
  2⤵
  PID:14364
- C:\Windows\System\mYRPOpw.exe
  C:\Windows\System\mYRPOpw.exe
  2⤵
  PID:14392
- C:\Windows\System\qSXVyjT.exe
  C:\Windows\System\qSXVyjT.exe
  2⤵
  PID:14420
- C:\Windows\System\IFhjyWB.exe
  C:\Windows\System\IFhjyWB.exe
  2⤵
  PID:14448
- C:\Windows\System\SFaHGrD.exe
  C:\Windows\System\SFaHGrD.exe
  2⤵
  PID:14476
- C:\Windows\System\wsyuXnd.exe
  C:\Windows\System\wsyuXnd.exe
  2⤵
  PID:14504
- C:\Windows\System\cTBpmLm.exe
  C:\Windows\System\cTBpmLm.exe
  2⤵
  PID:14532
- C:\Windows\System\lkjufev.exe
  C:\Windows\System\lkjufev.exe
  2⤵
  PID:14560
- C:\Windows\System\rnIPnNZ.exe
  C:\Windows\System\rnIPnNZ.exe
  2⤵
  PID:14588
- C:\Windows\System\pXPlkrM.exe
  C:\Windows\System\pXPlkrM.exe
  2⤵
  PID:14616
- C:\Windows\System\sAORDhF.exe
  C:\Windows\System\sAORDhF.exe
  2⤵
  PID:14644
- C:\Windows\System\Vftdanl.exe
  C:\Windows\System\Vftdanl.exe
  2⤵
  PID:14672
- C:\Windows\System\cWycfvS.exe
  C:\Windows\System\cWycfvS.exe
  2⤵
  PID:14700
- C:\Windows\System\BiiVtPo.exe
  C:\Windows\System\BiiVtPo.exe
  2⤵
  PID:14728
- C:\Windows\System\IEkuWEd.exe
  C:\Windows\System\IEkuWEd.exe
  2⤵
  PID:14756
- C:\Windows\System\rfYRDxx.exe
  C:\Windows\System\rfYRDxx.exe
  2⤵
  PID:14784
- C:\Windows\System\SmOfaCV.exe
  C:\Windows\System\SmOfaCV.exe
  2⤵
  PID:14812
- C:\Windows\System\XsNDaGN.exe
  C:\Windows\System\XsNDaGN.exe
  2⤵
  PID:14848
- C:\Windows\System\eaChYAP.exe
  C:\Windows\System\eaChYAP.exe
  2⤵
  PID:14880
- C:\Windows\System\afIbcqi.exe
  C:\Windows\System\afIbcqi.exe
  2⤵
  PID:14896
- C:\Windows\System\utBGEkd.exe
  C:\Windows\System\utBGEkd.exe
  2⤵
  PID:14936
- C:\Windows\System\lbiqCQV.exe
  C:\Windows\System\lbiqCQV.exe
  2⤵
  PID:14976
- C:\Windows\System\rLgDMen.exe
  C:\Windows\System\rLgDMen.exe
  2⤵
  PID:14992
- C:\Windows\System\HBQlwjV.exe
  C:\Windows\System\HBQlwjV.exe
  2⤵
  PID:15020
- C:\Windows\System\SppjeRh.exe
  C:\Windows\System\SppjeRh.exe
  2⤵
  PID:15048
- C:\Windows\System\AGTdNmi.exe
  C:\Windows\System\AGTdNmi.exe
  2⤵
  PID:15076
- C:\Windows\System\NCbgbBY.exe
  C:\Windows\System\NCbgbBY.exe
  2⤵
  PID:15104
- C:\Windows\System\qRtAhVb.exe
  C:\Windows\System\qRtAhVb.exe
  2⤵
  PID:15132
- C:\Windows\System\WAinbop.exe
  C:\Windows\System\WAinbop.exe
  2⤵
  PID:15160
- C:\Windows\System\uCsCrVD.exe
  C:\Windows\System\uCsCrVD.exe
  2⤵
  PID:15188
- C:\Windows\System\bMUbCHv.exe
  C:\Windows\System\bMUbCHv.exe
  2⤵
  PID:15216
- C:\Windows\System\wjnOykU.exe
  C:\Windows\System\wjnOykU.exe
  2⤵
  PID:15244
- C:\Windows\System\RNliDVr.exe
  C:\Windows\System\RNliDVr.exe
  2⤵
  PID:15272
- C:\Windows\System\YvTxHCU.exe
  C:\Windows\System\YvTxHCU.exe
  2⤵
  PID:15300
- C:\Windows\System\zMNTxQU.exe
  C:\Windows\System\zMNTxQU.exe
  2⤵
  PID:15328
- C:\Windows\System\GKgsmtq.exe
  C:\Windows\System\GKgsmtq.exe
  2⤵
  PID:15356
- C:\Windows\System\lRwsUek.exe
  C:\Windows\System\lRwsUek.exe
  2⤵
  PID:14388
- C:\Windows\System\xYBAqcU.exe
  C:\Windows\System\xYBAqcU.exe
  2⤵
  PID:14460
- C:\Windows\System\oufPGVH.exe
  C:\Windows\System\oufPGVH.exe
  2⤵
  PID:14516
- C:\Windows\System\SmZIaBN.exe
  C:\Windows\System\SmZIaBN.exe
  2⤵
  PID:14580
- C:\Windows\System\LvsPNXW.exe
  C:\Windows\System\LvsPNXW.exe
  2⤵
  PID:14640
- C:\Windows\System\HdTTpWw.exe
  C:\Windows\System\HdTTpWw.exe
  2⤵
  PID:14712
- C:\Windows\System\VdMDPmS.exe
  C:\Windows\System\VdMDPmS.exe
  2⤵
  PID:14776
- C:\Windows\System\LEKmaTR.exe
  C:\Windows\System\LEKmaTR.exe
  2⤵
  PID:2632
- C:\Windows\System\eyTPxiN.exe
  C:\Windows\System\eyTPxiN.exe
  2⤵
  PID:4092
- C:\Windows\System\fNwJasv.exe
  C:\Windows\System\fNwJasv.exe
  2⤵
  PID:5492
- C:\Windows\System\gPeXsoX.exe
  C:\Windows\System\gPeXsoX.exe
  2⤵
  PID:14836
- C:\Windows\System\CBLhIrU.exe
  C:\Windows\System\CBLhIrU.exe
  2⤵
  PID:1800
- C:\Windows\System\PRMLoXf.exe
  C:\Windows\System\PRMLoXf.exe
  2⤵
  PID:3544
- C:\Windows\System\AATUEIv.exe
  C:\Windows\System\AATUEIv.exe
  2⤵
  PID:5096
- C:\Windows\System\FIVpYvB.exe
  C:\Windows\System\FIVpYvB.exe
  2⤵
  PID:4508
- C:\Windows\System\OWbaGiH.exe
  C:\Windows\System\OWbaGiH.exe
  2⤵
  PID:3552
- C:\Windows\System\PJKyZps.exe
  C:\Windows\System\PJKyZps.exe
  2⤵
  PID:15200
- C:\Windows\System\JhsFxNG.exe
  C:\Windows\System\JhsFxNG.exe
  2⤵
  PID:15240
- C:\Windows\System\cbhQPcF.exe
  C:\Windows\System\cbhQPcF.exe
  2⤵
  PID:15292
- C:\Windows\System\JkenXnQ.exe
  C:\Windows\System\JkenXnQ.exe
  2⤵
  PID:2060

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AUvHIui.exe

Filesize
6.0MB

MD5
dd39339ba28669ab5ac413c2a5b51b7c

SHA1
175fe12ef1d07d602b64fc07ee98db685acd63a1

SHA256
75ad150effe8ff8478075f2d9fce5a9e38fa225b55c3a7f99265dde256d0349f

SHA512
6c8de2a6c0212abd1c44776a58fa6c631c5034ecaf90bd0d7b149213d5aa1d707c157445a2417a2bf5fc4cde6044ad40199b9099e110090f2b443be79d3db888

Download Submit
C:\Windows\System\EQMzkQl.exe

Filesize
6.0MB

MD5
337770baa144fa3d8a325caa01bc287c

SHA1
569a6002e75db5a7e960e58b8b194723855a6162

SHA256
5ffd61ff83ee0906f99f9700af8cf57f0c44a040f973ffff55505194ce6feb56

SHA512
75fb6888c1d221327e98c12e91798992ecbef2b1cddbe0220f312047448899310cbeeef8f12b17e82afd19e46807a269db7417310ba6353eb567e0af89bc82da

Download Submit
C:\Windows\System\EYUtbez.exe

Filesize
6.1MB

MD5
28542e2c7399fa8f929acb4a160501b9

SHA1
d858983b64c06a03ad5b5e9302bdb23a5129e833

SHA256
cc8d06de91f3f2ac2280f32b41dda8bec660f6a3fe1527f2f328317f31c14d80

SHA512
e079e828ed4eea90e6dc1b3d057ed95924bff8fb52a603baa8a00a96e55da76d986b93212e9033927fb5fd705936c734ba6c7c31ffec974177b3c2dac2bc1528

Download Submit
C:\Windows\System\FaIxSeM.exe

Filesize
6.0MB

MD5
351c9a5ced8d74babcfda7972870c83f

SHA1
c66b372ec41e2e6d9d7d2e2dff8499a2efd00119

SHA256
5a197f60f914b2dbf5c33d2839e91bcbe2ef2cbc258fca8d3e490265a60bf37b

SHA512
c9d32003b12dfb7f1090700366ea68996eb8a2a1ddaad1d6d9f93e3c6d2d0f851e439b24a3e6946d7f82bfb49e5ec81ff0c76279dd3c8586981af8f42f3684e9

Download Submit
C:\Windows\System\GQInvvI.exe

Filesize
6.0MB

MD5
b816f779c735e6dde5af9b6aed273b0d

SHA1
bcdf6a61dcbc33c032a9b9684db8bb47888c072d

SHA256
2549e59cb4cd28a849a2cae06c9101f318cf429e8417ac814e77c25e0c8b8441

SHA512
92a44d8f1b69fe8127e89252b79ac280dacd4407ec69e26b95e592e4841b2f1b58bb9205330fb76108a3e64f4c80aaa37a252231703a27224720c77860f59089

Download Submit
C:\Windows\System\LCGZxfT.exe

Filesize
6.1MB

MD5
0b0e9eaddc77cbb707e77d4695e086be

SHA1
862459edfeadd3554bc1d1ef26aff1f0e46bce9d

SHA256
e2e7816e4c03b50d48704272571eb9d6aaa5baf2883f8ec32d8e5240a13d9ce6

SHA512
bb10e2b98629b136c5ebb1ca58ce1f11e11062a5307f61c8ed1ff5559a0c36b1b5e3b497ee3c7854007303a7bf8342543cfabe8c2321b06eaa27da0698e27e1b

Download Submit
C:\Windows\System\LDerPvr.exe

Filesize
6.0MB

MD5
e56506bb600ca6379d857174c0bd4b1d

SHA1
5026e1ddb6d6f202655f469892acf10b46cd456e

SHA256
dbc9c7219cf25498c95f70f62a62590332fbcf299250f78f1a6bce6b09357259

SHA512
ea6b283f89afe5c39a1f971c2f60c2fc94e268f8eccdba906566cf61130936f38421d59cdf2f33b84ab3288b87a83dfe453e5729ddadb8e0ab38515742ebf97d

Download Submit
C:\Windows\System\LEIEUlb.exe

Filesize
6.1MB

MD5
f033272321e4ed2f9e1328e73833516c

SHA1
6577233b71a2104abc66dfcdb465aeeea5bdfb9c

SHA256
b64abd65121e010b08d981c8a6c51aabcd94c11c96ed5d7ec42dc65037e9726b

SHA512
802ac60a093f557e1c8484f7c564db8f49c1fdaa7435c433870d1ddb67390b300664c85022f9d42fb992437c61c4009f6e318661a726b2a01ec5eace689d9964

Download Submit
C:\Windows\System\OJVPlLF.exe

Filesize
6.1MB

MD5
241591492ef7e25ad65f0159c299898c

SHA1
a76f08414ed3f652a6108ecb7f634a2d555bea4a

SHA256
8d68419522e8ced0a467aa06b0da1d976a14b066ce2408ccb0fa09e14f12ef91

SHA512
7eacc4b1aa36821b69f7dc59dba9d4b02d603ae874890c2a68cf5882d79a9f19ea3cd97631b0a7f8d2adf01c756ba352f4c162434a75940ade999ac2f4efe811

Download Submit
C:\Windows\System\PYcuYFo.exe

Filesize
6.0MB

MD5
a1fbb74cc4a225a10ad37f25dcf70246

SHA1
5719b91422ac6450b6379d8d983dd13c566b1186

SHA256
c77bc0ed12fac9bce7a20d5e8727dd9db56ba0e271f340b1514c3d9b7de300be

SHA512
2b00f82fbb0f75da649ab4955fa16d277f52bd0743dcd297c5195ccffcc645728e1e6c1f51c699dff511ac080de5ee8cbf79ac6038f94fe985d7ded00110ea9d

Download Submit
C:\Windows\System\UwxdhYZ.exe

Filesize
6.0MB

MD5
b0f066b663d2dd71d9cbed328344951a

SHA1
3951f8419e23035b12c457312e9a3322d7bc096d

SHA256
36c3a0bd1f49a5c8973aafe67c3751760099b9a27c34f18ea56274c0a590e69a

SHA512
109ba2e1f1183ef181afd90807bff90ce0e6050be1d05d70cd35bcb08158ff2b2fcbfad56031e6c4e4bc466e7970dd0e606082b69df5b7050aa06b3e1c2b0715

Download Submit
C:\Windows\System\VBldpdq.exe

Filesize
6.0MB

MD5
029bf3bf45cfb00fe80a00ed8d99ba23

SHA1
34620f542d701d20fe9b9cf4e42e735d59cc2a46

SHA256
c5ea1b278704f03e2dd5812f964d7b27cec84358a7e24afb104096c55288d135

SHA512
27bd900f9a7c0f28259cd6f9bcbadcb101631b7f6e694e8ceaf494600088abbcf29577a54c018047b82b757a3b33902dd59afdf12e1d9bdc90a001c8db8465db

Download Submit
C:\Windows\System\VuACHuZ.exe

Filesize
6.0MB

MD5
5a65ba4f5110f2edefa37843c16f6750

SHA1
8cd649717c871241772f15dc5c513dac19a3abc2

SHA256
7389b6d434a0f516218f4b46400b7f69f7bb9306e4589d8413ca85e11fc04173

SHA512
5ab582f1861b432f4f442276b08df75eb64220629f8372bc890ac8f74a3b89f85f00bbc40c73d57758b9590467e6a859b55ea710aa04feb212a7c39806798806

Download Submit
C:\Windows\System\YjonRAz.exe

Filesize
6.0MB

MD5
968f746d5c7f63946f933c30efd83b94

SHA1
9945a660c2903de581b2260fde2af27259ccd798

SHA256
4f844fdf079d199a63449fd151604f9814854b826ff49b5c7e796e37e5aca295

SHA512
5f7ca5734dac66ffbb8248d4a4033f5bed6e7e1714dfe35ab3af53f29db38f80ed087afe37fb82186caa413eea980214bca78a670b60578bfcdbe9bbcb2b1651

Download Submit
C:\Windows\System\ZpnzKzJ.exe

Filesize
6.0MB

MD5
596d292a7a88af7e3144e2df4d96e8a8

SHA1
0672b06a5102531f4ee8fefd487cc6a56fe6bd0d

SHA256
39ec995b61e9b7bad465033e1c9bacfa82406347f88584d71e9a850c25071432

SHA512
66a5ce51c2cf7229988c2c22fb2e6f51210d1393d8ffbb55468782b00c6fab3bd5f5af9e8803fcaebb25a14a211e63933365c3709ff4f93a1fae23cf953e50cd

Download Submit
C:\Windows\System\axSJUDQ.exe

Filesize
6.1MB

MD5
fdc66629bccfedd4ddc0cacf826f4fdf

SHA1
a153b6e4e52482c16348b8a05aa7ab567621645a

SHA256
e02523137906beca84174073e188931414193fb5f4ccf3c3408e3da73163bd77

SHA512
afa91159b735f5c9166d48cdba58a63bc9dcafb2b4c73f1db1b6dc2159c10f69b082de878fa3265c3c4fd1d75530da098fd06fc68d4252d7b5aeb290a6513e82

Download Submit
C:\Windows\System\cSqcmwA.exe

Filesize
6.0MB

MD5
eebab057a4c51ac2299e13eb036d0859

SHA1
405a56d265cc58cdab5d5ce30f1fb659d28ba85a

SHA256
81d8869c70c6315b45dcb62620c81855ab0b33674a193729188f5353ff0b8047

SHA512
a241a510f68e5bf9f79444bb3ecb4a0d36e63cbd3a72d6cb2875258936735ec1be874c0bee361e535f6fa944e0eb1c1f36ca49f09e5540895005e25f3aae153e

Download Submit
C:\Windows\System\dVZUNCb.exe

Filesize
6.1MB

MD5
2ffe71a17f9a6eed176c9d6a668d3f7b

SHA1
9238a5bd8e8656adfbbc63448de14a4887787dd2

SHA256
5c293bb5b78193b697414191a8404481e0a0c1fce4e86bd070cc6a8d22dae7b6

SHA512
1e492d4549a73f8cd7391199d6127d1343d7489a8c258fdbf6a2ea301ba1e74b288343405de6c2f5933825fe48bbd7ab433b0565bacf5d40ac83f15732a1770a

Download Submit
C:\Windows\System\dbLoUlh.exe

Filesize
6.1MB

MD5
870b11df7f2247d989e48939300d18ee

SHA1
9ec3b21d899a22b652a9a1eccd488634ce0d5d95

SHA256
4e984183b9d850f70d74525465086fe3ecb1f90f1aeee49f78f831a978b28f2b

SHA512
76723e0150757b776e78ca8f0760376b6eecb99d0cb66593cfcedffa9a3b255f8023e0570580b7777fe28a7d18a3476fb036d7bd7b9469a2a61ef01d4aac29bd

Download Submit
C:\Windows\System\eIEWbMi.exe

Filesize
6.1MB

MD5
6c6847bdf20eb0adc4f1182839704b90

SHA1
93c327fcc1a50e76c65c83b74f4df64f715f3598

SHA256
162a3a4c78662535114a7f3112dfddd3211909d4255209a42b4d85d1e589cbba

SHA512
c40330859ee92e91aee68ca2054e3e4f662225e3446936d0c688f429cc881b42d55e8d26d2126c758dd9f43ce533d861e3c244bbaf34914846c03295362c2316

Download Submit
C:\Windows\System\fddFrDo.exe

Filesize
6.0MB

MD5
88bbfa8cfe1db2e5f12564718a1344d5

SHA1
2a9b90d7f9f7a3ebf13ca524253167a4457f0bd7

SHA256
e7877b4c76b5cfb7e122e833ce57905a3cd071adfd2647fff9d7ceed9657c8b2

SHA512
b33b718f31e3a302fc9ba5c9c05b37cf10c50f2a204e36c47c29c797d6df9f54b36361de53814820bdde1eee05c635887783740bd5bb03c9be7f26ee84166486

Download Submit
C:\Windows\System\iNEiJHt.exe

Filesize
6.0MB

MD5
d23487a3039b2a4c7b8a5c8ae531c947

SHA1
75d0a1179bfda5b082bbb4114cb1551cb3e4fd85

SHA256
bcfe7970b9b5f6531bd8456754fa8eddedb409c0ba401d8a97e997347931ccf7

SHA512
27304f22e38b74b6771c2ebd7073a0ed76ae69c6ebb40b8795a9e1ab19bf0ce143390ece4a79268c5d5d1157a5e9216bd8db27d31ee1d4d3797581b9ea953d18

Download Submit
C:\Windows\System\jTttskE.exe

Filesize
6.0MB

MD5
2d064379ff5b9340db6bfe349ce39852

SHA1
6c81b60129ad4d207655f6841d0691fcdf0fdcda

SHA256
0e0a12b06a07f63d69351e481951cc91252e55acade8fe7a1ea7741334abca7e

SHA512
5356456da93548eda5235d801ab0e11911cdf9dfeb7c76f6512db74b52f8fae3402c51a62dfdfad68958dcbac3362af5c0f182b6a6c6d1637803cbb9ea3924f6

Download Submit
C:\Windows\System\kLAcqVz.exe

Filesize
6.0MB

MD5
c830731350b701e6393b8e35e551abf2

SHA1
92812ccf5cbc20334d26621430d4fb01ecb97fed

SHA256
95fd5f6051219195b91b9a08c2485e51a1e206a538b9b598bccc95296360b4b1

SHA512
80402fc37a8873e08f48558a52773288519a87f26d730da1bd7079404bb6556691d67d723bda4ccd330413c1392c5fe95fa4e13417119cb9aa2e7b9c889207e4

Download Submit
C:\Windows\System\muPyjFX.exe

Filesize
6.1MB

MD5
a53613e4225d3d4fc51746b289918d4a

SHA1
aec8cd8c93319648330603f6695430e7dff5fcad

SHA256
794118c7ea2a9aaa52f01070fe3ab917334b2b0c344045b1eb6c5c3cfcdc72db

SHA512
2e0fca2e76c6d052dd885a243c3ccb03fde98f1ed4930f9d5c51d001a1987e4215533e4a5be3ceeb449381454391846828fc8c782ee4cea1f38317493d949f92

Download Submit
C:\Windows\System\naRXdDl.exe

Filesize
6.0MB

MD5
2e67453a2788fa3b6b80d720285a509d

SHA1
9f92b6f7a99d6e57f75a118ba347a0fe48be8e8f

SHA256
1fd3d479772bae795c4de7dc77731573ed7f5d40db021b7f56d80ecc6720f16b

SHA512
dd2b5bc9d1a35ffba0c6787a413288dbe510c7f4bcc0ddfc23d632fae92fa2d5e7ab5a99c9d390b16224a0a67ff1055dc7a624c05b34a521199cddf4842f10a5

Download Submit
C:\Windows\System\ooBIjwq.exe

Filesize
6.1MB

MD5
548a267f8680199658328bbad24b0092

SHA1
36bd610e901d408c83afcc1f861801dda7508328

SHA256
fc788b6c8fa540d6b84631c8b19d9a6496aafe7ed07fa6114a66e6401da9b61b

SHA512
02660ef6169abd0c862837c4b98f480d6ca16aad4f2d89da941e4dc665ed517960db6502c1d7bd31df7d8b22ff4786473766eb763b8af9fc6c8248aadf234622

Download Submit
C:\Windows\System\qIWaIpC.exe

Filesize
6.0MB

MD5
1f216c44229a2715bedd2d1615e970c6

SHA1
cde60d2e1cc813ce935e7308be3a7d2b89397951

SHA256
eca4031ad19fb99fdf006182498e39e734da04a93537d1dc77af327b50f41a04

SHA512
c9e6ceaa5d0d05ed4f5fd8b9255b7be573d44c4ae2ce9e49d627e545d029c4db511e6a234b7d0977c47d2a7ff56ca1c54401f908d0627aa53f4a38989af87188

Download Submit
C:\Windows\System\qKpEGiT.exe

Filesize
6.1MB

MD5
7b3f094cf2e839c727e01f5ab3ce5ffd

SHA1
33e7d0b88bfbab80e76019d12789bff29ed608a3

SHA256
b19a9ed863dde8b19763c0111a9565c4c145dcbb336c41dbefc14002b343c4c6

SHA512
b454dfb059c81e0acedde7d5661c2b5e5839a62e8e582f7a7f312af08d27f1fc122015f1d5e88acfd66f2a223c1e334cf2d0fb50f13543a10985abe6e2608653

Download Submit
C:\Windows\System\rbAIVDG.exe

Filesize
6.0MB

MD5
dae876c15e46d946776836e85e5366ee

SHA1
d540c959c69b939149dbfb2d9c70392f6277a326

SHA256
29842fdbd8ea9b64038b38cf7e8cb5d8f16d337b7ba9e0afbf838ad23beb48ed

SHA512
487073c53723e8d461582245bad855fae1187baaf45895ec33a92a80ccc770495b9ad72d9d686d81b2190bdec17a353ff19c20924f47a050f1f9f57a0ec8f0ff

Download Submit
C:\Windows\System\vzSJZpm.exe

Filesize
6.0MB

MD5
8e5ddb3e6109999b3a87b38e24db005a

SHA1
28212f9924003175b16fc5c8c64e17d324ca320a

SHA256
e9c5ed4f80a325439a9349348c4001c71e4de2bd6d11943c19cb8ed3d919e930

SHA512
78409dd258d5f69fc60c84c44445da7062c8449a1d735fff4da5066659c0945830680298edba0e6b486454d5e9a06fcc0aaaaa6560c5a198dec80560295aafd4

Download Submit
C:\Windows\System\xImFMMS.exe

Filesize
6.0MB

MD5
88acfdcdfa097610de6de4dd513f4ecf

SHA1
3ddcb2ccbcb08ffbfdc7234b7fc438e287fecae0

SHA256
7bb5be5313db1c0e7929c66926da117a77a510cd4c088f18f9b173be14b88b95

SHA512
7de3a62bd5116f50f1384e5c7f1f96053bf99af5a96897bab7184eb6448d1d2ffbeb21b4da49c5babd824a446932e688a4a28b4c1c677fe89b1206504835d41e

Download Submit
C:\Windows\System\znKdUxQ.exe

Filesize
6.0MB

MD5
960f1aa3d52ee46e03f8065145f1b4af

SHA1
5d3f95f965e31b2c8a553ed643b4b8c78eed9261

SHA256
0ddf394c511175e4d545b66406ccfa8de3afc01a051e72e484dc54d01b2c6a43

SHA512
d22b146261c774e658015188b08592f45e7d2938c5a4d3086f64737570b9560af8c2ed658a4f22739ea6a6d0d2b39b206a42a7c754b2e5f73e10ca36bc19af2b

Download Submit
memory/412-92-0x00007FF61BE10000-0x00007FF61C164000-memory.dmp

Filesize
3.3MB

Download
memory/412-6-0x00007FF61BE10000-0x00007FF61C164000-memory.dmp

Filesize
3.3MB

Download
memory/412-1874-0x00007FF61BE10000-0x00007FF61C164000-memory.dmp

Filesize
3.3MB

Download
memory/532-176-0x00007FF6407D0000-0x00007FF640B24000-memory.dmp

Filesize
3.3MB

Download
memory/532-124-0x00007FF6407D0000-0x00007FF640B24000-memory.dmp

Filesize
3.3MB

Download
memory/532-2242-0x00007FF6407D0000-0x00007FF640B24000-memory.dmp

Filesize
3.3MB

Download
memory/816-1887-0x00007FF7EC160000-0x00007FF7EC4B4000-memory.dmp

Filesize
3.3MB

Download
memory/816-104-0x00007FF7EC160000-0x00007FF7EC4B4000-memory.dmp

Filesize
3.3MB

Download
memory/816-33-0x00007FF7EC160000-0x00007FF7EC4B4000-memory.dmp

Filesize
3.3MB

Download
memory/1004-66-0x00007FF61C4B0000-0x00007FF61C804000-memory.dmp

Filesize
3.3MB

Download
memory/1004-1903-0x00007FF61C4B0000-0x00007FF61C804000-memory.dmp

Filesize
3.3MB

Download
memory/1036-67-0x00007FF73FF50000-0x00007FF7402A4000-memory.dmp

Filesize
3.3MB

Download
memory/1036-1900-0x00007FF73FF50000-0x00007FF7402A4000-memory.dmp

Filesize
3.3MB

Download
memory/1304-2236-0x00007FF6AFA10000-0x00007FF6AFD64000-memory.dmp

Filesize
3.3MB

Download
memory/1304-126-0x00007FF6AFA10000-0x00007FF6AFD64000-memory.dmp

Filesize
3.3MB

Download
memory/1572-84-0x00007FF710B80000-0x00007FF710ED4000-memory.dmp

Filesize
3.3MB

Download
memory/1572-155-0x00007FF710B80000-0x00007FF710ED4000-memory.dmp

Filesize
3.3MB

Download
memory/1572-2149-0x00007FF710B80000-0x00007FF710ED4000-memory.dmp

Filesize
3.3MB

Download
memory/1848-128-0x00007FF7D49D0000-0x00007FF7D4D24000-memory.dmp

Filesize
3.3MB

Download
memory/1848-223-0x00007FF7D49D0000-0x00007FF7D4D24000-memory.dmp

Filesize
3.3MB

Download
memory/1848-2250-0x00007FF7D49D0000-0x00007FF7D4D24000-memory.dmp

Filesize
3.3MB

Download
memory/2076-2320-0x00007FF61F160000-0x00007FF61F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2076-728-0x00007FF61F160000-0x00007FF61F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2076-198-0x00007FF61F160000-0x00007FF61F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2280-59-0x00007FF643560000-0x00007FF6438B4000-memory.dmp

Filesize
3.3MB

Download
memory/2280-1902-0x00007FF643560000-0x00007FF6438B4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-151-0x00007FF657E50000-0x00007FF6581A4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-2143-0x00007FF657E50000-0x00007FF6581A4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-80-0x00007FF657E50000-0x00007FF6581A4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-2229-0x00007FF7BA750000-0x00007FF7BAAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-94-0x00007FF7BA750000-0x00007FF7BAAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-165-0x00007FF7BA750000-0x00007FF7BAAA4000-memory.dmp

Filesize
3.3MB

Download
memory/3528-152-0x00007FF7B8930000-0x00007FF7B8C84000-memory.dmp

Filesize
3.3MB

Download
memory/3528-442-0x00007FF7B8930000-0x00007FF7B8C84000-memory.dmp

Filesize
3.3MB

Download
memory/4068-98-0x00007FF7F97F0000-0x00007FF7F9B44000-memory.dmp

Filesize
3.3MB

Download
memory/4068-14-0x00007FF7F97F0000-0x00007FF7F9B44000-memory.dmp

Filesize
3.3MB

Download
memory/4068-1879-0x00007FF7F97F0000-0x00007FF7F9B44000-memory.dmp

Filesize
3.3MB

Download
memory/4108-1891-0x00007FF7B91B0000-0x00007FF7B9504000-memory.dmp

Filesize
3.3MB

Download
memory/4108-40-0x00007FF7B91B0000-0x00007FF7B9504000-memory.dmp

Filesize
3.3MB

Download
memory/4324-2317-0x00007FF6DB710000-0x00007FF6DBA64000-memory.dmp

Filesize
3.3MB

Download
memory/4324-609-0x00007FF6DB710000-0x00007FF6DBA64000-memory.dmp

Filesize
3.3MB

Download
memory/4324-166-0x00007FF6DB710000-0x00007FF6DBA64000-memory.dmp

Filesize
3.3MB

Download
memory/4648-2244-0x00007FF6EE8B0000-0x00007FF6EEC04000-memory.dmp

Filesize
3.3MB

Download
memory/4648-196-0x00007FF6EE8B0000-0x00007FF6EEC04000-memory.dmp

Filesize
3.3MB

Download
memory/4648-125-0x00007FF6EE8B0000-0x00007FF6EEC04000-memory.dmp

Filesize
3.3MB

Download
memory/4704-1901-0x00007FF6BC0C0000-0x00007FF6BC414000-memory.dmp

Filesize
3.3MB

Download
memory/4704-62-0x00007FF6BC0C0000-0x00007FF6BC414000-memory.dmp

Filesize
3.3MB

Download
memory/4808-53-0x00007FF7EEC30000-0x00007FF7EEF84000-memory.dmp

Filesize
3.3MB

Download
memory/4808-1898-0x00007FF7EEC30000-0x00007FF7EEF84000-memory.dmp

Filesize
3.3MB

Download
memory/4820-1-0x0000016AC51D0000-0x0000016AC51E0000-memory.dmp

Filesize
64KB

Download
memory/4820-87-0x00007FF708620000-0x00007FF708974000-memory.dmp

Filesize
3.3MB

Download
memory/4820-0-0x00007FF708620000-0x00007FF708974000-memory.dmp

Filesize
3.3MB

Download
memory/4884-316-0x00007FF6CA260000-0x00007FF6CA5B4000-memory.dmp

Filesize
3.3MB

Download
memory/4884-142-0x00007FF6CA260000-0x00007FF6CA5B4000-memory.dmp

Filesize
3.3MB

Download
memory/5016-175-0x00007FF7FF6D0000-0x00007FF7FFA24000-memory.dmp

Filesize
3.3MB

Download
memory/5016-119-0x00007FF7FF6D0000-0x00007FF7FFA24000-memory.dmp

Filesize
3.3MB

Download
memory/5016-2239-0x00007FF7FF6D0000-0x00007FF7FFA24000-memory.dmp

Filesize
3.3MB

Download
memory/5072-189-0x00007FF693460000-0x00007FF6937B4000-memory.dmp

Filesize
3.3MB

Download
memory/5072-2318-0x00007FF693460000-0x00007FF6937B4000-memory.dmp

Filesize
3.3MB

Download
memory/5084-25-0x00007FF73ACA0000-0x00007FF73AFF4000-memory.dmp

Filesize
3.3MB

Download
memory/5084-1886-0x00007FF73ACA0000-0x00007FF73AFF4000-memory.dmp

Filesize
3.3MB

Download
memory/5084-103-0x00007FF73ACA0000-0x00007FF73AFF4000-memory.dmp

Filesize
3.3MB

Download
memory/5336-2319-0x00007FF614740000-0x00007FF614A94000-memory.dmp

Filesize
3.3MB

Download
memory/5336-610-0x00007FF614740000-0x00007FF614A94000-memory.dmp

Filesize
3.3MB

Download
memory/5336-187-0x00007FF614740000-0x00007FF614A94000-memory.dmp

Filesize
3.3MB

Download
memory/5432-72-0x00007FF70EF50000-0x00007FF70F2A4000-memory.dmp

Filesize
3.3MB

Download
memory/5432-148-0x00007FF70EF50000-0x00007FF70F2A4000-memory.dmp

Filesize
3.3MB

Download
memory/5432-2141-0x00007FF70EF50000-0x00007FF70F2A4000-memory.dmp

Filesize
3.3MB

Download
memory/5512-2316-0x00007FF6D5960000-0x00007FF6D5CB4000-memory.dmp

Filesize
3.3MB

Download
memory/5512-486-0x00007FF6D5960000-0x00007FF6D5CB4000-memory.dmp

Filesize
3.3MB

Download
memory/5512-156-0x00007FF6D5960000-0x00007FF6D5CB4000-memory.dmp

Filesize
3.3MB

Download
memory/5592-2232-0x00007FF64DA20000-0x00007FF64DD74000-memory.dmp

Filesize
3.3MB

Download
memory/5592-174-0x00007FF64DA20000-0x00007FF64DD74000-memory.dmp

Filesize
3.3MB

Download
memory/5592-108-0x00007FF64DA20000-0x00007FF64DD74000-memory.dmp

Filesize
3.3MB

Download
memory/5924-63-0x00007FF73D760000-0x00007FF73DAB4000-memory.dmp

Filesize
3.3MB

Download
memory/5924-127-0x00007FF73D760000-0x00007FF73DAB4000-memory.dmp

Filesize
3.3MB

Download
memory/5924-1899-0x00007FF73D760000-0x00007FF73DAB4000-memory.dmp

Filesize
3.3MB

Download
memory/6040-141-0x00007FF7AC780000-0x00007FF7ACAD4000-memory.dmp

Filesize
3.3MB

Download
memory/6040-315-0x00007FF7AC780000-0x00007FF7ACAD4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads