kpot | 20e9724916866c0576cb32d0047bbeab30e572fff68e0c464e531fb4c2ecfa62

Analysis

max time kernel
138s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
Size

2.0MB
MD5

d20426c9b7984b346bd02b293f768010
SHA1

e2455fc7c5ef5f51429a7b54a492d8162a80fa26
SHA256

20e9724916866c0576cb32d0047bbeab30e572fff68e0c464e531fb4c2ecfa62
SHA512

6dce270cdadf64eef174a40154858457f9b70f4a72830b069a813c1d972c1f030c37db219cb9d1c810ab72c51099f0d34ae8afde699c5826db2e6e72a5b50a79
SSDEEP

49152:GezaTF8FcNkNdfE0pZ9oztFwIi5aIwC+Agr6S/FYqOc2X:GemTLkNdfE0pZaQv

Score

10^/10

kpot xmrig miner stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 32 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000122ec-2.dat	family_kpot
behavioral1/files/0x0037000000016c7a-6.dat	family_kpot
behavioral1/files/0x0008000000016d2c-9.dat	family_kpot
behavioral1/files/0x0007000000016d3d-17.dat	family_kpot
behavioral1/files/0x0007000000016d45-22.dat	family_kpot
behavioral1/files/0x0007000000016d4e-27.dat	family_kpot
behavioral1/files/0x0008000000016d65-31.dat	family_kpot
behavioral1/files/0x0037000000016cc3-37.dat	family_kpot
behavioral1/files/0x0007000000016d69-42.dat	family_kpot
behavioral1/files/0x00070000000186e6-46.dat	family_kpot
behavioral1/files/0x00050000000186f1-52.dat	family_kpot
behavioral1/files/0x00050000000186ff-58.dat	family_kpot
behavioral1/files/0x0005000000018739-64.dat	family_kpot
behavioral1/files/0x0005000000018787-74.dat	family_kpot
behavioral1/files/0x000500000001878d-79.dat	family_kpot
behavioral1/files/0x0006000000018bf0-84.dat	family_kpot
behavioral1/files/0x0005000000019228-89.dat	family_kpot
behavioral1/files/0x000500000001923b-94.dat	family_kpot
behavioral1/files/0x0005000000019275-107.dat	family_kpot
behavioral1/files/0x00050000000193a5-139.dat	family_kpot
behavioral1/files/0x0005000000019457-159.dat	family_kpot
behavioral1/files/0x000500000001943e-154.dat	family_kpot
behavioral1/files/0x0005000000019433-149.dat	family_kpot
behavioral1/files/0x00050000000193b1-144.dat	family_kpot
behavioral1/files/0x000500000001939f-134.dat	family_kpot
behavioral1/files/0x0005000000019381-129.dat	family_kpot
behavioral1/files/0x000500000001933a-124.dat	family_kpot
behavioral1/files/0x0005000000019283-119.dat	family_kpot
behavioral1/files/0x0005000000019277-114.dat	family_kpot
behavioral1/files/0x0005000000019260-104.dat	family_kpot
behavioral1/files/0x000500000001925d-99.dat	family_kpot
behavioral1/files/0x000500000001873f-69.dat	family_kpot

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 32 IoCs

miner

resource	yara_rule
behavioral1/files/0x000a0000000122ec-2.dat	xmrig
behavioral1/files/0x0037000000016c7a-6.dat	xmrig
behavioral1/files/0x0008000000016d2c-9.dat	xmrig
behavioral1/files/0x0007000000016d3d-17.dat	xmrig
behavioral1/files/0x0007000000016d45-22.dat	xmrig
behavioral1/files/0x0007000000016d4e-27.dat	xmrig
behavioral1/files/0x0008000000016d65-31.dat	xmrig
behavioral1/files/0x0037000000016cc3-37.dat	xmrig
behavioral1/files/0x0007000000016d69-42.dat	xmrig
behavioral1/files/0x00070000000186e6-46.dat	xmrig
behavioral1/files/0x00050000000186f1-52.dat	xmrig
behavioral1/files/0x00050000000186ff-58.dat	xmrig
behavioral1/files/0x0005000000018739-64.dat	xmrig
behavioral1/files/0x0005000000018787-74.dat	xmrig
behavioral1/files/0x000500000001878d-79.dat	xmrig
behavioral1/files/0x0006000000018bf0-84.dat	xmrig
behavioral1/files/0x0005000000019228-89.dat	xmrig
behavioral1/files/0x000500000001923b-94.dat	xmrig
behavioral1/files/0x0005000000019275-107.dat	xmrig
behavioral1/files/0x00050000000193a5-139.dat	xmrig
behavioral1/files/0x0005000000019457-159.dat	xmrig
behavioral1/files/0x000500000001943e-154.dat	xmrig
behavioral1/files/0x0005000000019433-149.dat	xmrig
behavioral1/files/0x00050000000193b1-144.dat	xmrig
behavioral1/files/0x000500000001939f-134.dat	xmrig
behavioral1/files/0x0005000000019381-129.dat	xmrig
behavioral1/files/0x000500000001933a-124.dat	xmrig
behavioral1/files/0x0005000000019283-119.dat	xmrig
behavioral1/files/0x0005000000019277-114.dat	xmrig
behavioral1/files/0x0005000000019260-104.dat	xmrig
behavioral1/files/0x000500000001925d-99.dat	xmrig
behavioral1/files/0x000500000001873f-69.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1016	uZoYDiz.exe
2168	rRTYncZ.exe
812	OiZaZyc.exe
2848	DzWnZAx.exe
2176	QPKwdqa.exe
2900	sACqvEO.exe
2728	IUUgRlJ.exe
2536	QowOFnp.exe
2808	zhZgvEX.exe
2860	tMbPmuP.exe
2668	cZtZkeT.exe
2532	JlkIsJN.exe
2596	LrmCTaS.exe
3064	rwGBgNr.exe
3048	HDvzQlV.exe
2768	SfCdZzm.exe
2968	UHhZmHv.exe
2972	dYjuCaq.exe
3036	CMPAvMo.exe
1496	wJaMAMJ.exe
296	desndCh.exe
348	lUBGMjZ.exe
1588	dtYNpre.exe
1936	JhBjTSA.exe
1628	PMCBtvy.exe
2764	CQbIOQM.exe
536	fVSCjLo.exe
824	CFSIevr.exe
1488	LWbqKuH.exe
320	tZAwuOh.exe
1036	zVdgIWU.exe
2240	CifJIES.exe
468	mpKKkQz.exe
1996	GvAnCny.exe
828	GGqXpVb.exe
2920	olmECoc.exe
2112	avhbzuS.exe
996	uOPSpCE.exe
920	mImcINB.exe
580	tNZlFLo.exe
1812	zfZWSkG.exe
1848	SjcyqAF.exe
1556	ccIyGdx.exe
1132	IfQxVom.exe
1704	fzJKrqU.exe
2000	GqbXLFd.exe
1028	kvDKTkb.exe
1512	rRDWTUU.exe
1764	VXcuIEg.exe
1340	YRtsACK.exe
1040	lnzNPpr.exe
1780	nHVADPu.exe
1328	juLSLjP.exe
648	hyChvjh.exe
2136	pbqCdrs.exe
2424	fZIImiO.exe
1860	vyRPIVZ.exe
2308	GXXCkvT.exe
2932	ObGTEDc.exe
2316	origWxc.exe
876	PoEpJvL.exe
1944	adWfCft.exe
1688	ZtSUcjk.exe
2936	DjxuqDb.exe

Loads dropped DLL 64 IoCs

pid	Process
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\DjxuqDb.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\tvLfpSd.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\HUqbyOl.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\lNmnBKZ.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\DGBzdZm.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\znEnBxv.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\ptMCcGN.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\eujgvRT.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\hRKxChA.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\CXraqRg.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\cFsQsxp.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\fThNvUH.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\JlkIsJN.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\WnJptqX.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\cJdNWUQ.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\zXXIWJn.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\THUtYnH.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\HJaPluK.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\mImcINB.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\hyChvjh.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\YVvsLHd.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\gSKocLR.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\BKiwOio.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\TaHTPIH.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\CMPAvMo.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\zVdgIWU.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\GvAnCny.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\DhpmKdb.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\uMYMPDW.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\HaJYKhH.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\fwEooBd.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\EJUEqft.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\SfCdZzm.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\iQEZYcA.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\RiBqgec.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\xvloOcA.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\lKSXqXL.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\avhbzuS.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\nHVADPu.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\ZOZUZyZ.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\mhtUkXg.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\jZoQoJB.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\mgeVPas.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\fVSCjLo.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\FnoDiXq.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\XLMUGSo.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\GGqXpVb.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\lnzNPpr.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\KAktFRJ.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\sofBdKz.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\xWFMmkP.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\sACqvEO.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\qeIUVEu.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\ZxlEuWM.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\Zaezlfd.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\MeryoNU.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\mqZkOZE.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\OiZaZyc.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\SjcyqAF.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\sAGdBoU.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\JkJPCkn.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\desndCh.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\CifJIES.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
File created	C:\Windows\System\rRDWTUU.exe	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1016	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	29
PID 3052 wrote to memory of 1016	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	29
PID 3052 wrote to memory of 1016	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	29
PID 3052 wrote to memory of 2168	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	30
PID 3052 wrote to memory of 2168	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	30
PID 3052 wrote to memory of 2168	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	30
PID 3052 wrote to memory of 812	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	31
PID 3052 wrote to memory of 812	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	31
PID 3052 wrote to memory of 812	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	31
PID 3052 wrote to memory of 2848	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	32
PID 3052 wrote to memory of 2848	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	32
PID 3052 wrote to memory of 2848	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	32
PID 3052 wrote to memory of 2176	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	33
PID 3052 wrote to memory of 2176	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	33
PID 3052 wrote to memory of 2176	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	33
PID 3052 wrote to memory of 2900	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	34
PID 3052 wrote to memory of 2900	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	34
PID 3052 wrote to memory of 2900	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	34
PID 3052 wrote to memory of 2728	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	35
PID 3052 wrote to memory of 2728	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	35
PID 3052 wrote to memory of 2728	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	35
PID 3052 wrote to memory of 2536	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	36
PID 3052 wrote to memory of 2536	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	36
PID 3052 wrote to memory of 2536	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	36
PID 3052 wrote to memory of 2808	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	37
PID 3052 wrote to memory of 2808	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	37
PID 3052 wrote to memory of 2808	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	37
PID 3052 wrote to memory of 2860	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	38
PID 3052 wrote to memory of 2860	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	38
PID 3052 wrote to memory of 2860	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	38
PID 3052 wrote to memory of 2668	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	39
PID 3052 wrote to memory of 2668	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	39
PID 3052 wrote to memory of 2668	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	39
PID 3052 wrote to memory of 2532	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	40
PID 3052 wrote to memory of 2532	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	40
PID 3052 wrote to memory of 2532	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	40
PID 3052 wrote to memory of 2596	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	41
PID 3052 wrote to memory of 2596	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	41
PID 3052 wrote to memory of 2596	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	41
PID 3052 wrote to memory of 3064	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	42
PID 3052 wrote to memory of 3064	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	42
PID 3052 wrote to memory of 3064	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	42
PID 3052 wrote to memory of 3048	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	43
PID 3052 wrote to memory of 3048	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	43
PID 3052 wrote to memory of 3048	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	43
PID 3052 wrote to memory of 2768	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	44
PID 3052 wrote to memory of 2768	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	44
PID 3052 wrote to memory of 2768	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	44
PID 3052 wrote to memory of 2968	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	45
PID 3052 wrote to memory of 2968	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	45
PID 3052 wrote to memory of 2968	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	45
PID 3052 wrote to memory of 2972	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	46
PID 3052 wrote to memory of 2972	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	46
PID 3052 wrote to memory of 2972	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	46
PID 3052 wrote to memory of 3036	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	47
PID 3052 wrote to memory of 3036	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	47
PID 3052 wrote to memory of 3036	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	47
PID 3052 wrote to memory of 1496	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	48
PID 3052 wrote to memory of 1496	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	48
PID 3052 wrote to memory of 1496	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	48
PID 3052 wrote to memory of 296	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	49
PID 3052 wrote to memory of 296	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	49
PID 3052 wrote to memory of 296	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	49
PID 3052 wrote to memory of 348	3052	d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe	50

C:\Users\Admin\AppData\Local\Temp\d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d20426c9b7984b346bd02b293f768010_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\System\uZoYDiz.exe
  C:\Windows\System\uZoYDiz.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System\rRTYncZ.exe
  C:\Windows\System\rRTYncZ.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\OiZaZyc.exe
  C:\Windows\System\OiZaZyc.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System\DzWnZAx.exe
  C:\Windows\System\DzWnZAx.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\QPKwdqa.exe
  C:\Windows\System\QPKwdqa.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\sACqvEO.exe
  C:\Windows\System\sACqvEO.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\IUUgRlJ.exe
  C:\Windows\System\IUUgRlJ.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\QowOFnp.exe
  C:\Windows\System\QowOFnp.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\zhZgvEX.exe
  C:\Windows\System\zhZgvEX.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\tMbPmuP.exe
  C:\Windows\System\tMbPmuP.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\cZtZkeT.exe
  C:\Windows\System\cZtZkeT.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System\JlkIsJN.exe
  C:\Windows\System\JlkIsJN.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\LrmCTaS.exe
  C:\Windows\System\LrmCTaS.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\rwGBgNr.exe
  C:\Windows\System\rwGBgNr.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\HDvzQlV.exe
  C:\Windows\System\HDvzQlV.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\SfCdZzm.exe
  C:\Windows\System\SfCdZzm.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\UHhZmHv.exe
  C:\Windows\System\UHhZmHv.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\dYjuCaq.exe
  C:\Windows\System\dYjuCaq.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\CMPAvMo.exe
  C:\Windows\System\CMPAvMo.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\wJaMAMJ.exe
  C:\Windows\System\wJaMAMJ.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\desndCh.exe
  C:\Windows\System\desndCh.exe
  2⤵
  - Executes dropped EXE
  PID:296
- C:\Windows\System\lUBGMjZ.exe
  C:\Windows\System\lUBGMjZ.exe
  2⤵
  - Executes dropped EXE
  PID:348
- C:\Windows\System\dtYNpre.exe
  C:\Windows\System\dtYNpre.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\JhBjTSA.exe
  C:\Windows\System\JhBjTSA.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\PMCBtvy.exe
  C:\Windows\System\PMCBtvy.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\CQbIOQM.exe
  C:\Windows\System\CQbIOQM.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\fVSCjLo.exe
  C:\Windows\System\fVSCjLo.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\CFSIevr.exe
  C:\Windows\System\CFSIevr.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System\LWbqKuH.exe
  C:\Windows\System\LWbqKuH.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\tZAwuOh.exe
  C:\Windows\System\tZAwuOh.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\System\zVdgIWU.exe
  C:\Windows\System\zVdgIWU.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\CifJIES.exe
  C:\Windows\System\CifJIES.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\mpKKkQz.exe
  C:\Windows\System\mpKKkQz.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\GvAnCny.exe
  C:\Windows\System\GvAnCny.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\GGqXpVb.exe
  C:\Windows\System\GGqXpVb.exe
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\System\olmECoc.exe
  C:\Windows\System\olmECoc.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\avhbzuS.exe
  C:\Windows\System\avhbzuS.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System\uOPSpCE.exe
  C:\Windows\System\uOPSpCE.exe
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\System\mImcINB.exe
  C:\Windows\System\mImcINB.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System\tNZlFLo.exe
  C:\Windows\System\tNZlFLo.exe
  2⤵
  - Executes dropped EXE
  PID:580
- C:\Windows\System\zfZWSkG.exe
  C:\Windows\System\zfZWSkG.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\SjcyqAF.exe
  C:\Windows\System\SjcyqAF.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\ccIyGdx.exe
  C:\Windows\System\ccIyGdx.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System\IfQxVom.exe
  C:\Windows\System\IfQxVom.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System\fzJKrqU.exe
  C:\Windows\System\fzJKrqU.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\GqbXLFd.exe
  C:\Windows\System\GqbXLFd.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\kvDKTkb.exe
  C:\Windows\System\kvDKTkb.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\rRDWTUU.exe
  C:\Windows\System\rRDWTUU.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System\VXcuIEg.exe
  C:\Windows\System\VXcuIEg.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System\YRtsACK.exe
  C:\Windows\System\YRtsACK.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\System\lnzNPpr.exe
  C:\Windows\System\lnzNPpr.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System\nHVADPu.exe
  C:\Windows\System\nHVADPu.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System\juLSLjP.exe
  C:\Windows\System\juLSLjP.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System\hyChvjh.exe
  C:\Windows\System\hyChvjh.exe
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Windows\System\pbqCdrs.exe
  C:\Windows\System\pbqCdrs.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System\fZIImiO.exe
  C:\Windows\System\fZIImiO.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\vyRPIVZ.exe
  C:\Windows\System\vyRPIVZ.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System\GXXCkvT.exe
  C:\Windows\System\GXXCkvT.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\ObGTEDc.exe
  C:\Windows\System\ObGTEDc.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\origWxc.exe
  C:\Windows\System\origWxc.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\PoEpJvL.exe
  C:\Windows\System\PoEpJvL.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System\adWfCft.exe
  C:\Windows\System\adWfCft.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\ZtSUcjk.exe
  C:\Windows\System\ZtSUcjk.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\DjxuqDb.exe
  C:\Windows\System\DjxuqDb.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\mVPWoIq.exe
  C:\Windows\System\mVPWoIq.exe
  2⤵
  PID:1568
- C:\Windows\System\jPBsNla.exe
  C:\Windows\System\jPBsNla.exe
  2⤵
  PID:1836
- C:\Windows\System\tvLfpSd.exe
  C:\Windows\System\tvLfpSd.exe
  2⤵
  PID:2420
- C:\Windows\System\RfFTqdi.exe
  C:\Windows\System\RfFTqdi.exe
  2⤵
  PID:2612
- C:\Windows\System\uHmceiQ.exe
  C:\Windows\System\uHmceiQ.exe
  2⤵
  PID:2712
- C:\Windows\System\JJxkdtr.exe
  C:\Windows\System\JJxkdtr.exe
  2⤵
  PID:2144
- C:\Windows\System\KAktFRJ.exe
  C:\Windows\System\KAktFRJ.exe
  2⤵
  PID:2660
- C:\Windows\System\mGhUKXL.exe
  C:\Windows\System\mGhUKXL.exe
  2⤵
  PID:2732
- C:\Windows\System\AfzUWCr.exe
  C:\Windows\System\AfzUWCr.exe
  2⤵
  PID:2664
- C:\Windows\System\ilmpAkm.exe
  C:\Windows\System\ilmpAkm.exe
  2⤵
  PID:2896
- C:\Windows\System\xHfVIhF.exe
  C:\Windows\System\xHfVIhF.exe
  2⤵
  PID:2552
- C:\Windows\System\REGrfje.exe
  C:\Windows\System\REGrfje.exe
  2⤵
  PID:2584
- C:\Windows\System\BLJADgw.exe
  C:\Windows\System\BLJADgw.exe
  2⤵
  PID:2560
- C:\Windows\System\qOHcmMA.exe
  C:\Windows\System\qOHcmMA.exe
  2⤵
  PID:3044
- C:\Windows\System\WGcInfT.exe
  C:\Windows\System\WGcInfT.exe
  2⤵
  PID:2864
- C:\Windows\System\fJaiMoD.exe
  C:\Windows\System\fJaiMoD.exe
  2⤵
  PID:3024
- C:\Windows\System\gKnmKrL.exe
  C:\Windows\System\gKnmKrL.exe
  2⤵
  PID:1288
- C:\Windows\System\sofBdKz.exe
  C:\Windows\System\sofBdKz.exe
  2⤵
  PID:1736
- C:\Windows\System\DhpmKdb.exe
  C:\Windows\System\DhpmKdb.exe
  2⤵
  PID:1596
- C:\Windows\System\FFHJXpB.exe
  C:\Windows\System\FFHJXpB.exe
  2⤵
  PID:352
- C:\Windows\System\BkodDrq.exe
  C:\Windows\System\BkodDrq.exe
  2⤵
  PID:380
- C:\Windows\System\jjCDlaM.exe
  C:\Windows\System\jjCDlaM.exe
  2⤵
  PID:1320
- C:\Windows\System\ZKIRMys.exe
  C:\Windows\System\ZKIRMys.exe
  2⤵
  PID:1724
- C:\Windows\System\nNAICwi.exe
  C:\Windows\System\nNAICwi.exe
  2⤵
  PID:1708
- C:\Windows\System\iQEZYcA.exe
  C:\Windows\System\iQEZYcA.exe
  2⤵
  PID:760
- C:\Windows\System\jJgKXSs.exe
  C:\Windows\System\jJgKXSs.exe
  2⤵
  PID:2056
- C:\Windows\System\srrLCqH.exe
  C:\Windows\System\srrLCqH.exe
  2⤵
  PID:2912
- C:\Windows\System\znEnBxv.exe
  C:\Windows\System\znEnBxv.exe
  2⤵
  PID:1668
- C:\Windows\System\YVvsLHd.exe
  C:\Windows\System\YVvsLHd.exe
  2⤵
  PID:1084
- C:\Windows\System\tysHgFA.exe
  C:\Windows\System\tysHgFA.exe
  2⤵
  PID:2628
- C:\Windows\System\DtFfqOU.exe
  C:\Windows\System\DtFfqOU.exe
  2⤵
  PID:1608
- C:\Windows\System\ZtPsgvK.exe
  C:\Windows\System\ZtPsgvK.exe
  2⤵
  PID:1604
- C:\Windows\System\hPZwTUP.exe
  C:\Windows\System\hPZwTUP.exe
  2⤵
  PID:2108
- C:\Windows\System\HYHnFEC.exe
  C:\Windows\System\HYHnFEC.exe
  2⤵
  PID:1348
- C:\Windows\System\CtRgGcO.exe
  C:\Windows\System\CtRgGcO.exe
  2⤵
  PID:1760
- C:\Windows\System\KiWfhDa.exe
  C:\Windows\System\KiWfhDa.exe
  2⤵
  PID:1856
- C:\Windows\System\LIHCkzL.exe
  C:\Windows\System\LIHCkzL.exe
  2⤵
  PID:1820
- C:\Windows\System\fJdMTdi.exe
  C:\Windows\System\fJdMTdi.exe
  2⤵
  PID:556
- C:\Windows\System\CXraqRg.exe
  C:\Windows\System\CXraqRg.exe
  2⤵
  PID:2504
- C:\Windows\System\gqjsTeg.exe
  C:\Windows\System\gqjsTeg.exe
  2⤵
  PID:780
- C:\Windows\System\KVtZkOJ.exe
  C:\Windows\System\KVtZkOJ.exe
  2⤵
  PID:2436
- C:\Windows\System\KZRzIoQ.exe
  C:\Windows\System\KZRzIoQ.exe
  2⤵
  PID:1740
- C:\Windows\System\WnJptqX.exe
  C:\Windows\System\WnJptqX.exe
  2⤵
  PID:868
- C:\Windows\System\FFdlybG.exe
  C:\Windows\System\FFdlybG.exe
  2⤵
  PID:1672
- C:\Windows\System\eatVgAP.exe
  C:\Windows\System\eatVgAP.exe
  2⤵
  PID:2456
- C:\Windows\System\ucyYHdl.exe
  C:\Windows\System\ucyYHdl.exe
  2⤵
  PID:2460
- C:\Windows\System\qbAmHBq.exe
  C:\Windows\System\qbAmHBq.exe
  2⤵
  PID:2884
- C:\Windows\System\nbJRieG.exe
  C:\Windows\System\nbJRieG.exe
  2⤵
  PID:2284
- C:\Windows\System\tTavlap.exe
  C:\Windows\System\tTavlap.exe
  2⤵
  PID:2796
- C:\Windows\System\MPWLxdS.exe
  C:\Windows\System\MPWLxdS.exe
  2⤵
  PID:1580
- C:\Windows\System\eOmDwtQ.exe
  C:\Windows\System\eOmDwtQ.exe
  2⤵
  PID:2528
- C:\Windows\System\bkBkzXD.exe
  C:\Windows\System\bkBkzXD.exe
  2⤵
  PID:2992
- C:\Windows\System\GkWzEKo.exe
  C:\Windows\System\GkWzEKo.exe
  2⤵
  PID:1592
- C:\Windows\System\LbzGEwV.exe
  C:\Windows\System\LbzGEwV.exe
  2⤵
  PID:2492
- C:\Windows\System\uMYMPDW.exe
  C:\Windows\System\uMYMPDW.exe
  2⤵
  PID:1652
- C:\Windows\System\FnoDiXq.exe
  C:\Windows\System\FnoDiXq.exe
  2⤵
  PID:2760
- C:\Windows\System\kyddSqW.exe
  C:\Windows\System\kyddSqW.exe
  2⤵
  PID:1304
- C:\Windows\System\qUwPdrr.exe
  C:\Windows\System\qUwPdrr.exe
  2⤵
  PID:672
- C:\Windows\System\RVlGiHv.exe
  C:\Windows\System\RVlGiHv.exe
  2⤵
  PID:2004
- C:\Windows\System\fgmofqP.exe
  C:\Windows\System\fgmofqP.exe
  2⤵
  PID:2924
- C:\Windows\System\JZRktPb.exe
  C:\Windows\System\JZRktPb.exe
  2⤵
  PID:1044
- C:\Windows\System\veUoPqD.exe
  C:\Windows\System\veUoPqD.exe
  2⤵
  PID:2280
- C:\Windows\System\wnSgLKx.exe
  C:\Windows\System\wnSgLKx.exe
  2⤵
  PID:2212
- C:\Windows\System\tuUvunQ.exe
  C:\Windows\System\tuUvunQ.exe
  2⤵
  PID:1748
- C:\Windows\System\MdGobWI.exe
  C:\Windows\System\MdGobWI.exe
  2⤵
  PID:1768
- C:\Windows\System\cJdNWUQ.exe
  C:\Windows\System\cJdNWUQ.exe
  2⤵
  PID:2128
- C:\Windows\System\loXBsYq.exe
  C:\Windows\System\loXBsYq.exe
  2⤵
  PID:752
- C:\Windows\System\ieIWtSe.exe
  C:\Windows\System\ieIWtSe.exe
  2⤵
  PID:2428
- C:\Windows\System\JkghGwJ.exe
  C:\Windows\System\JkghGwJ.exe
  2⤵
  PID:1800
- C:\Windows\System\JpbanGq.exe
  C:\Windows\System\JpbanGq.exe
  2⤵
  PID:1716
- C:\Windows\System\glXRRmf.exe
  C:\Windows\System\glXRRmf.exe
  2⤵
  PID:1788
- C:\Windows\System\WZwIysi.exe
  C:\Windows\System\WZwIysi.exe
  2⤵
  PID:2188
- C:\Windows\System\JQNwGUI.exe
  C:\Windows\System\JQNwGUI.exe
  2⤵
  PID:2224
- C:\Windows\System\YDrYuGd.exe
  C:\Windows\System\YDrYuGd.exe
  2⤵
  PID:2812
- C:\Windows\System\KmbXfnv.exe
  C:\Windows\System\KmbXfnv.exe
  2⤵
  PID:2832
- C:\Windows\System\IGQlOuN.exe
  C:\Windows\System\IGQlOuN.exe
  2⤵
  PID:2236
- C:\Windows\System\kFhJCZS.exe
  C:\Windows\System\kFhJCZS.exe
  2⤵
  PID:900
- C:\Windows\System\XnLPRsH.exe
  C:\Windows\System\XnLPRsH.exe
  2⤵
  PID:1600
- C:\Windows\System\ULQYrpw.exe
  C:\Windows\System\ULQYrpw.exe
  2⤵
  PID:2100
- C:\Windows\System\qTfvmfF.exe
  C:\Windows\System\qTfvmfF.exe
  2⤵
  PID:1260
- C:\Windows\System\nnxvIQe.exe
  C:\Windows\System\nnxvIQe.exe
  2⤵
  PID:1472
- C:\Windows\System\gFwOooB.exe
  C:\Windows\System\gFwOooB.exe
  2⤵
  PID:2036
- C:\Windows\System\tblRVYi.exe
  C:\Windows\System\tblRVYi.exe
  2⤵
  PID:2700
- C:\Windows\System\EzrMPPU.exe
  C:\Windows\System\EzrMPPU.exe
  2⤵
  PID:2296
- C:\Windows\System\GaeNPXi.exe
  C:\Windows\System\GaeNPXi.exe
  2⤵
  PID:892
- C:\Windows\System\YRcYruJ.exe
  C:\Windows\System\YRcYruJ.exe
  2⤵
  PID:1940
- C:\Windows\System\YzrFRKx.exe
  C:\Windows\System\YzrFRKx.exe
  2⤵
  PID:2120
- C:\Windows\System\GmxwAQd.exe
  C:\Windows\System\GmxwAQd.exe
  2⤵
  PID:2040
- C:\Windows\System\dwjpUZo.exe
  C:\Windows\System\dwjpUZo.exe
  2⤵
  PID:2640
- C:\Windows\System\ajTmjYE.exe
  C:\Windows\System\ajTmjYE.exe
  2⤵
  PID:2544
- C:\Windows\System\FZpRAvT.exe
  C:\Windows\System\FZpRAvT.exe
  2⤵
  PID:2260
- C:\Windows\System\PPPxIrZ.exe
  C:\Windows\System\PPPxIrZ.exe
  2⤵
  PID:3032
- C:\Windows\System\CtlUwjO.exe
  C:\Windows\System\CtlUwjO.exe
  2⤵
  PID:2756
- C:\Windows\System\YdlZDku.exe
  C:\Windows\System\YdlZDku.exe
  2⤵
  PID:3080
- C:\Windows\System\hsJuNHG.exe
  C:\Windows\System\hsJuNHG.exe
  2⤵
  PID:3100
- C:\Windows\System\GYAYXvX.exe
  C:\Windows\System\GYAYXvX.exe
  2⤵
  PID:3120
- C:\Windows\System\fToGWdh.exe
  C:\Windows\System\fToGWdh.exe
  2⤵
  PID:3144
- C:\Windows\System\sYAJLyx.exe
  C:\Windows\System\sYAJLyx.exe
  2⤵
  PID:3160
- C:\Windows\System\HUqbyOl.exe
  C:\Windows\System\HUqbyOl.exe
  2⤵
  PID:3184
- C:\Windows\System\eqRWMfC.exe
  C:\Windows\System\eqRWMfC.exe
  2⤵
  PID:3200
- C:\Windows\System\ptMCcGN.exe
  C:\Windows\System\ptMCcGN.exe
  2⤵
  PID:3220
- C:\Windows\System\XvAVKcD.exe
  C:\Windows\System\XvAVKcD.exe
  2⤵
  PID:3240
- C:\Windows\System\lclQJKV.exe
  C:\Windows\System\lclQJKV.exe
  2⤵
  PID:3260
- C:\Windows\System\sLPlcuB.exe
  C:\Windows\System\sLPlcuB.exe
  2⤵
  PID:3280
- C:\Windows\System\sJpHXgy.exe
  C:\Windows\System\sJpHXgy.exe
  2⤵
  PID:3300
- C:\Windows\System\nohhlvr.exe
  C:\Windows\System\nohhlvr.exe
  2⤵
  PID:3320
- C:\Windows\System\uaoyktZ.exe
  C:\Windows\System\uaoyktZ.exe
  2⤵
  PID:3344
- C:\Windows\System\RiBqgec.exe
  C:\Windows\System\RiBqgec.exe
  2⤵
  PID:3364
- C:\Windows\System\ZBuTxYT.exe
  C:\Windows\System\ZBuTxYT.exe
  2⤵
  PID:3384
- C:\Windows\System\NMEQhaK.exe
  C:\Windows\System\NMEQhaK.exe
  2⤵
  PID:3404
- C:\Windows\System\LmVqzlg.exe
  C:\Windows\System\LmVqzlg.exe
  2⤵
  PID:3424
- C:\Windows\System\gdehDXI.exe
  C:\Windows\System\gdehDXI.exe
  2⤵
  PID:3444
- C:\Windows\System\cFsQsxp.exe
  C:\Windows\System\cFsQsxp.exe
  2⤵
  PID:3464
- C:\Windows\System\ZOZUZyZ.exe
  C:\Windows\System\ZOZUZyZ.exe
  2⤵
  PID:3484
- C:\Windows\System\gSKocLR.exe
  C:\Windows\System\gSKocLR.exe
  2⤵
  PID:3504
- C:\Windows\System\bUmArjv.exe
  C:\Windows\System\bUmArjv.exe
  2⤵
  PID:3524
- C:\Windows\System\ymrydvB.exe
  C:\Windows\System\ymrydvB.exe
  2⤵
  PID:3544
- C:\Windows\System\oalOrmP.exe
  C:\Windows\System\oalOrmP.exe
  2⤵
  PID:3564
- C:\Windows\System\jfhJLjh.exe
  C:\Windows\System\jfhJLjh.exe
  2⤵
  PID:3584
- C:\Windows\System\lKSXqXL.exe
  C:\Windows\System\lKSXqXL.exe
  2⤵
  PID:3604
- C:\Windows\System\Ahpndkl.exe
  C:\Windows\System\Ahpndkl.exe
  2⤵
  PID:3624
- C:\Windows\System\PKeyBZP.exe
  C:\Windows\System\PKeyBZP.exe
  2⤵
  PID:3644
- C:\Windows\System\BfjbrCn.exe
  C:\Windows\System\BfjbrCn.exe
  2⤵
  PID:3664
- C:\Windows\System\FoWdxpU.exe
  C:\Windows\System\FoWdxpU.exe
  2⤵
  PID:3680
- C:\Windows\System\UHsRPGD.exe
  C:\Windows\System\UHsRPGD.exe
  2⤵
  PID:3700
- C:\Windows\System\gUTIhGw.exe
  C:\Windows\System\gUTIhGw.exe
  2⤵
  PID:3724
- C:\Windows\System\CnKjSNs.exe
  C:\Windows\System\CnKjSNs.exe
  2⤵
  PID:3744
- C:\Windows\System\IydGwJF.exe
  C:\Windows\System\IydGwJF.exe
  2⤵
  PID:3764
- C:\Windows\System\muVqHhL.exe
  C:\Windows\System\muVqHhL.exe
  2⤵
  PID:3784
- C:\Windows\System\yIvveSh.exe
  C:\Windows\System\yIvveSh.exe
  2⤵
  PID:3804
- C:\Windows\System\HaJYKhH.exe
  C:\Windows\System\HaJYKhH.exe
  2⤵
  PID:3824
- C:\Windows\System\mPcgRYD.exe
  C:\Windows\System\mPcgRYD.exe
  2⤵
  PID:3844
- C:\Windows\System\ZmscVhj.exe
  C:\Windows\System\ZmscVhj.exe
  2⤵
  PID:3864
- C:\Windows\System\hASPHgs.exe
  C:\Windows\System\hASPHgs.exe
  2⤵
  PID:3884
- C:\Windows\System\ZlzAzDb.exe
  C:\Windows\System\ZlzAzDb.exe
  2⤵
  PID:3904
- C:\Windows\System\WUFaRkR.exe
  C:\Windows\System\WUFaRkR.exe
  2⤵
  PID:3924
- C:\Windows\System\IXowDjs.exe
  C:\Windows\System\IXowDjs.exe
  2⤵
  PID:3944
- C:\Windows\System\IClpumk.exe
  C:\Windows\System\IClpumk.exe
  2⤵
  PID:3964
- C:\Windows\System\EFBDBgW.exe
  C:\Windows\System\EFBDBgW.exe
  2⤵
  PID:3984
- C:\Windows\System\tmDnvVn.exe
  C:\Windows\System\tmDnvVn.exe
  2⤵
  PID:4004
- C:\Windows\System\wfkjlRI.exe
  C:\Windows\System\wfkjlRI.exe
  2⤵
  PID:4024
- C:\Windows\System\YntBFRs.exe
  C:\Windows\System\YntBFRs.exe
  2⤵
  PID:4044
- C:\Windows\System\kndsoRP.exe
  C:\Windows\System\kndsoRP.exe
  2⤵
  PID:4064
- C:\Windows\System\lOiDbdr.exe
  C:\Windows\System\lOiDbdr.exe
  2⤵
  PID:4084
- C:\Windows\System\eujgvRT.exe
  C:\Windows\System\eujgvRT.exe
  2⤵
  PID:2644
- C:\Windows\System\qeIUVEu.exe
  C:\Windows\System\qeIUVEu.exe
  2⤵
  PID:2072
- C:\Windows\System\flraWuK.exe
  C:\Windows\System\flraWuK.exe
  2⤵
  PID:2348
- C:\Windows\System\fwEooBd.exe
  C:\Windows\System\fwEooBd.exe
  2⤵
  PID:2452
- C:\Windows\System\Rdaivar.exe
  C:\Windows\System\Rdaivar.exe
  2⤵
  PID:2340
- C:\Windows\System\BKiwOio.exe
  C:\Windows\System\BKiwOio.exe
  2⤵
  PID:2996
- C:\Windows\System\fivFzaj.exe
  C:\Windows\System\fivFzaj.exe
  2⤵
  PID:1660
- C:\Windows\System\eooFpvk.exe
  C:\Windows\System\eooFpvk.exe
  2⤵
  PID:3088
- C:\Windows\System\Oadtefu.exe
  C:\Windows\System\Oadtefu.exe
  2⤵
  PID:3132
- C:\Windows\System\mdQDWzc.exe
  C:\Windows\System\mdQDWzc.exe
  2⤵
  PID:3140
- C:\Windows\System\UDatQwe.exe
  C:\Windows\System\UDatQwe.exe
  2⤵
  PID:2512
- C:\Windows\System\bmBftZN.exe
  C:\Windows\System\bmBftZN.exe
  2⤵
  PID:3116
- C:\Windows\System\udFSRth.exe
  C:\Windows\System\udFSRth.exe
  2⤵
  PID:3216
- C:\Windows\System\PPWYwkF.exe
  C:\Windows\System\PPWYwkF.exe
  2⤵
  PID:3252
- C:\Windows\System\vGBpOsW.exe
  C:\Windows\System\vGBpOsW.exe
  2⤵
  PID:3288
- C:\Windows\System\UwQGdjA.exe
  C:\Windows\System\UwQGdjA.exe
  2⤵
  PID:3272
- C:\Windows\System\cyDAuWZ.exe
  C:\Windows\System\cyDAuWZ.exe
  2⤵
  PID:3312
- C:\Windows\System\nOrYFYA.exe
  C:\Windows\System\nOrYFYA.exe
  2⤵
  PID:3340
- C:\Windows\System\ZxlEuWM.exe
  C:\Windows\System\ZxlEuWM.exe
  2⤵
  PID:3336
- C:\Windows\System\mhtUkXg.exe
  C:\Windows\System\mhtUkXg.exe
  2⤵
  PID:2984
- C:\Windows\System\zXXIWJn.exe
  C:\Windows\System\zXXIWJn.exe
  2⤵
  PID:3376
- C:\Windows\System\WDLiCJN.exe
  C:\Windows\System\WDLiCJN.exe
  2⤵
  PID:3016
- C:\Windows\System\jruCygU.exe
  C:\Windows\System\jruCygU.exe
  2⤵
  PID:3432
- C:\Windows\System\lNmnBKZ.exe
  C:\Windows\System\lNmnBKZ.exe
  2⤵
  PID:3460
- C:\Windows\System\xvloOcA.exe
  C:\Windows\System\xvloOcA.exe
  2⤵
  PID:3492
- C:\Windows\System\FbnRxku.exe
  C:\Windows\System\FbnRxku.exe
  2⤵
  PID:3536
- C:\Windows\System\DdGUhnc.exe
  C:\Windows\System\DdGUhnc.exe
  2⤵
  PID:1012
- C:\Windows\System\wSRSHhZ.exe
  C:\Windows\System\wSRSHhZ.exe
  2⤵
  PID:3580
- C:\Windows\System\elyyZTz.exe
  C:\Windows\System\elyyZTz.exe
  2⤵
  PID:3616
- C:\Windows\System\THUtYnH.exe
  C:\Windows\System\THUtYnH.exe
  2⤵
  PID:3652
- C:\Windows\System\cTiShjI.exe
  C:\Windows\System\cTiShjI.exe
  2⤵
  PID:3640
- C:\Windows\System\agcMkCm.exe
  C:\Windows\System\agcMkCm.exe
  2⤵
  PID:2164
- C:\Windows\System\GySQHQz.exe
  C:\Windows\System\GySQHQz.exe
  2⤵
  PID:3712
- C:\Windows\System\XNqvESI.exe
  C:\Windows\System\XNqvESI.exe
  2⤵
  PID:3720
- C:\Windows\System\fThNvUH.exe
  C:\Windows\System\fThNvUH.exe
  2⤵
  PID:3756
- C:\Windows\System\Zaezlfd.exe
  C:\Windows\System\Zaezlfd.exe
  2⤵
  PID:3792
- C:\Windows\System\bRbOgHN.exe
  C:\Windows\System\bRbOgHN.exe
  2⤵
  PID:3816
- C:\Windows\System\IwXCGRP.exe
  C:\Windows\System\IwXCGRP.exe
  2⤵
  PID:3840
- C:\Windows\System\TaHTPIH.exe
  C:\Windows\System\TaHTPIH.exe
  2⤵
  PID:1500
- C:\Windows\System\xCmlYFP.exe
  C:\Windows\System\xCmlYFP.exe
  2⤵
  PID:3896
- C:\Windows\System\feiYhrn.exe
  C:\Windows\System\feiYhrn.exe
  2⤵
  PID:3912
- C:\Windows\System\hkuyXeT.exe
  C:\Windows\System\hkuyXeT.exe
  2⤵
  PID:3936
- C:\Windows\System\KWHKfkS.exe
  C:\Windows\System\KWHKfkS.exe
  2⤵
  PID:3960
- C:\Windows\System\iGjpdcr.exe
  C:\Windows\System\iGjpdcr.exe
  2⤵
  PID:3976
- C:\Windows\System\cBtrpDP.exe
  C:\Windows\System\cBtrpDP.exe
  2⤵
  PID:4020
- C:\Windows\System\kemQQeu.exe
  C:\Windows\System\kemQQeu.exe
  2⤵
  PID:4032
- C:\Windows\System\wmuJTpx.exe
  C:\Windows\System\wmuJTpx.exe
  2⤵
  PID:4036
- C:\Windows\System\lqHDOeC.exe
  C:\Windows\System\lqHDOeC.exe
  2⤵
  PID:4080
- C:\Windows\System\mvgrYFo.exe
  C:\Windows\System\mvgrYFo.exe
  2⤵
  PID:2384
- C:\Windows\System\akYzcbL.exe
  C:\Windows\System\akYzcbL.exe
  2⤵
  PID:1908
- C:\Windows\System\hRKxChA.exe
  C:\Windows\System\hRKxChA.exe
  2⤵
  PID:2432
- C:\Windows\System\proemPy.exe
  C:\Windows\System\proemPy.exe
  2⤵
  PID:1728
- C:\Windows\System\TMNtXZB.exe
  C:\Windows\System\TMNtXZB.exe
  2⤵
  PID:776
- C:\Windows\System\PuRYYnI.exe
  C:\Windows\System\PuRYYnI.exe
  2⤵
  PID:2480
- C:\Windows\System\dobYqld.exe
  C:\Windows\System\dobYqld.exe
  2⤵
  PID:852
- C:\Windows\System\QARxsnX.exe
  C:\Windows\System\QARxsnX.exe
  2⤵
  PID:2948
- C:\Windows\System\HJaPluK.exe
  C:\Windows\System\HJaPluK.exe
  2⤵
  PID:2648
- C:\Windows\System\pmyYmds.exe
  C:\Windows\System\pmyYmds.exe
  2⤵
  PID:3128
- C:\Windows\System\opSEqvs.exe
  C:\Windows\System\opSEqvs.exe
  2⤵
  PID:3208
- C:\Windows\System\GJZptRi.exe
  C:\Windows\System\GJZptRi.exe
  2⤵
  PID:2740
- C:\Windows\System\iVNHiTu.exe
  C:\Windows\System\iVNHiTu.exe
  2⤵
  PID:3420
- C:\Windows\System\YZubujX.exe
  C:\Windows\System\YZubujX.exe
  2⤵
  PID:3380
- C:\Windows\System\EmyvOVv.exe
  C:\Windows\System\EmyvOVv.exe
  2⤵
  PID:3612
- C:\Windows\System\SZkoDeN.exe
  C:\Windows\System\SZkoDeN.exe
  2⤵
  PID:1108
- C:\Windows\System\HQZUwra.exe
  C:\Windows\System\HQZUwra.exe
  2⤵
  PID:3632
- C:\Windows\System\UoCPaAc.exe
  C:\Windows\System\UoCPaAc.exe
  2⤵
  PID:3496
- C:\Windows\System\joTlnyV.exe
  C:\Windows\System\joTlnyV.exe
  2⤵
  PID:3688
- C:\Windows\System\tPVXiMw.exe
  C:\Windows\System\tPVXiMw.exe
  2⤵
  PID:3452
- C:\Windows\System\dwxFzrY.exe
  C:\Windows\System\dwxFzrY.exe
  2⤵
  PID:2772
- C:\Windows\System\EJUEqft.exe
  C:\Windows\System\EJUEqft.exe
  2⤵
  PID:2852
- C:\Windows\System\dHHsyso.exe
  C:\Windows\System\dHHsyso.exe
  2⤵
  PID:3796
- C:\Windows\System\DGBzdZm.exe
  C:\Windows\System\DGBzdZm.exe
  2⤵
  PID:3780
- C:\Windows\System\frfIhuL.exe
  C:\Windows\System\frfIhuL.exe
  2⤵
  PID:3852
- C:\Windows\System\rvkWIqQ.exe
  C:\Windows\System\rvkWIqQ.exe
  2⤵
  PID:3876
- C:\Windows\System\UqZvQve.exe
  C:\Windows\System\UqZvQve.exe
  2⤵
  PID:1900
- C:\Windows\System\BooVjkH.exe
  C:\Windows\System\BooVjkH.exe
  2⤵
  PID:4060
- C:\Windows\System\yJEVgKP.exe
  C:\Windows\System\yJEVgKP.exe
  2⤵
  PID:3920
- C:\Windows\System\UMwyZpX.exe
  C:\Windows\System\UMwyZpX.exe
  2⤵
  PID:2708
- C:\Windows\System\UqNXLWE.exe
  C:\Windows\System\UqNXLWE.exe
  2⤵
  PID:2124
- C:\Windows\System\zYuBidF.exe
  C:\Windows\System\zYuBidF.exe
  2⤵
  PID:1316
- C:\Windows\System\UwWRQgA.exe
  C:\Windows\System\UwWRQgA.exe
  2⤵
  PID:3112
- C:\Windows\System\rIJRdMs.exe
  C:\Windows\System\rIJRdMs.exe
  2⤵
  PID:3156
- C:\Windows\System\MeryoNU.exe
  C:\Windows\System\MeryoNU.exe
  2⤵
  PID:3176
- C:\Windows\System\EWtKOQp.exe
  C:\Windows\System\EWtKOQp.exe
  2⤵
  PID:584
- C:\Windows\System\jZoQoJB.exe
  C:\Windows\System\jZoQoJB.exe
  2⤵
  PID:3472
- C:\Windows\System\cKWDAKS.exe
  C:\Windows\System\cKWDAKS.exe
  2⤵
  PID:3400
- C:\Windows\System\BpozXHq.exe
  C:\Windows\System\BpozXHq.exe
  2⤵
  PID:448
- C:\Windows\System\fTCPxQy.exe
  C:\Windows\System\fTCPxQy.exe
  2⤵
  PID:2776
- C:\Windows\System\aFWRDLp.exe
  C:\Windows\System\aFWRDLp.exe
  2⤵
  PID:4012
- C:\Windows\System\IXXuIIK.exe
  C:\Windows\System\IXXuIIK.exe
  2⤵
  PID:4092
- C:\Windows\System\xWFMmkP.exe
  C:\Windows\System\xWFMmkP.exe
  2⤵
  PID:3476
- C:\Windows\System\bkuSQCH.exe
  C:\Windows\System\bkuSQCH.exe
  2⤵
  PID:1412
- C:\Windows\System\AicKIEk.exe
  C:\Windows\System\AicKIEk.exe
  2⤵
  PID:2608
- C:\Windows\System\lcDgkZV.exe
  C:\Windows\System\lcDgkZV.exe
  2⤵
  PID:3236
- C:\Windows\System\rnnFgJm.exe
  C:\Windows\System\rnnFgJm.exe
  2⤵
  PID:3556
- C:\Windows\System\lwpvMko.exe
  C:\Windows\System\lwpvMko.exe
  2⤵
  PID:3600
- C:\Windows\System\XdscgAD.exe
  C:\Windows\System\XdscgAD.exe
  2⤵
  PID:3760
- C:\Windows\System\mqZkOZE.exe
  C:\Windows\System\mqZkOZE.exe
  2⤵
  PID:3776
- C:\Windows\System\sAGdBoU.exe
  C:\Windows\System\sAGdBoU.exe
  2⤵
  PID:3480
- C:\Windows\System\nrnqkYR.exe
  C:\Windows\System\nrnqkYR.exe
  2⤵
  PID:3836
- C:\Windows\System\ZRsUDNK.exe
  C:\Windows\System\ZRsUDNK.exe
  2⤵
  PID:2276
- C:\Windows\System\jBhdnIF.exe
  C:\Windows\System\jBhdnIF.exe
  2⤵
  PID:1924
- C:\Windows\System\rSdclCL.exe
  C:\Windows\System\rSdclCL.exe
  2⤵
  PID:3256
- C:\Windows\System\XLMUGSo.exe
  C:\Windows\System\XLMUGSo.exe
  2⤵
  PID:3992
- C:\Windows\System\pmKJGWq.exe
  C:\Windows\System\pmKJGWq.exe
  2⤵
  PID:3520
- C:\Windows\System\lnRAxqQ.exe
  C:\Windows\System\lnRAxqQ.exe
  2⤵
  PID:4104
- C:\Windows\System\whJzfQq.exe
  C:\Windows\System\whJzfQq.exe
  2⤵
  PID:4120
- C:\Windows\System\ajrctbA.exe
  C:\Windows\System\ajrctbA.exe
  2⤵
  PID:4136
- C:\Windows\System\JkJPCkn.exe
  C:\Windows\System\JkJPCkn.exe
  2⤵
  PID:4156
- C:\Windows\System\DWOwUTT.exe
  C:\Windows\System\DWOwUTT.exe
  2⤵
  PID:4172
- C:\Windows\System\gbizRhc.exe
  C:\Windows\System\gbizRhc.exe
  2⤵
  PID:4192
- C:\Windows\System\aflNydz.exe
  C:\Windows\System\aflNydz.exe
  2⤵
  PID:4208
- C:\Windows\System\GaXMKtg.exe
  C:\Windows\System\GaXMKtg.exe
  2⤵
  PID:4228
- C:\Windows\System\mgeVPas.exe
  C:\Windows\System\mgeVPas.exe
  2⤵
  PID:4244
- C:\Windows\System\RIMcCvC.exe
  C:\Windows\System\RIMcCvC.exe
  2⤵
  PID:4260
- C:\Windows\System\jRogYaM.exe
  C:\Windows\System\jRogYaM.exe
  2⤵
  PID:4276
- C:\Windows\System\hndkZLf.exe
  C:\Windows\System\hndkZLf.exe
  2⤵
  PID:4292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CFSIevr.exe

Filesize
2.0MB

MD5
f4d2fdc2f2ffb683d9ae7b09a1733572

SHA1
9255797a23b9d844b995af5fadfd05f229c729b9

SHA256
e950dc73c98602e99086ef3a3998cbb98a9b1ae07bfe2d9d57eea03605b51b91

SHA512
8c84431c4ab90ab0256337023d9977b1f36292a35a8f581986bcf13bf6b0ca13877fedaffb07b4d4f10c77c63aa9a19ed8a69c244c6b1a83b5820dad65feddaf

Download Submit
C:\Windows\system\CMPAvMo.exe

Filesize
2.0MB

MD5
3d4b1aeecfb451eb4de1348a7fe69b57

SHA1
4579c2ece89a95ceb42442be53a9b1e55eb137c1

SHA256
a834ff3a980eade9a6671b1ca170e93631432568380739526d964aca4a7a19f1

SHA512
6c3bc9cd21d43daaba5ac9646d466e401ae9986bf60051f5d34b3d0039dbe693a1d307debd32449cf9ebdd84a0e15344f87f7aa17c453245378e8a51aedf2812

Download Submit
C:\Windows\system\CQbIOQM.exe

Filesize
2.0MB

MD5
d6f779375fc969c699125db4159c0b39

SHA1
d811ce4901a7fcc5c407574688d0a6569a82fa86

SHA256
4fc56cde5dc1d948e89ecbc347f7c82b7105b2931818bf95242bef49ff20d213

SHA512
77a609fa0fdbaf2221a9f7c5a6c140c6b6c0eb840526ea577986cd8a854b7391b5893f36aa0bb4e5edfdf3ecef994d9a949714c4170b98f1d60e999a92158da5

Download Submit
C:\Windows\system\CifJIES.exe

Filesize
2.0MB

MD5
3a043b683ae13f9a7d0b19c58181b303

SHA1
e29f35f66b2f1306ac6f4ae32bebb1773b9895d3

SHA256
c3ab5cbb729800efc21d50b5f9de11a84322f277b47de169c1ae25fa7c4e60dc

SHA512
3724e132cef1d95dc00de7340c81c1c43d4f0d5e459718e618dc43fcd7473c9ca793854132d4a504b8ccfc120520675c01e59e798cd25c38c22286e1987f4b3b

Download Submit
C:\Windows\system\HDvzQlV.exe

Filesize
2.0MB

MD5
81722ecf42ea6d5ce63f1d04a2537bb7

SHA1
dc6166e02f59e78ea5d040d560fa75afb53e28ae

SHA256
73384265b7f9213c0858e18d7549068d16e972fc845f291754b43553f6955d34

SHA512
77c9f419653c704cf5dc8f7674b311116856917858df9a41896ae624582d08549376fa5ce0ce6592734cf1a8c4b90dd50daa85283263360d00ce2737060fd0b9

Download Submit
C:\Windows\system\JhBjTSA.exe

Filesize
2.0MB

MD5
801ebdcefc6224c545a9c561ef5b9574

SHA1
79d21132d192828ba229fdcf37364a5c5d97c35b

SHA256
cf1738a784896f13e2bf3ef3931987a0fd9f8986e0f2e6f8abc3b07f2839859c

SHA512
93638213af8239569c770fb86cf3ff3a5a7e7fd8171ae1a5b0006685258bea925c8246e92d2531e6584298193d8024b37d2051b870eb6370a0f9381b10222dd3

Download Submit
C:\Windows\system\JlkIsJN.exe

Filesize
2.0MB

MD5
544cd91490c2188329c4b90951324e92

SHA1
e01e8e8846c6c7fa12985f3a61be452812dd9702

SHA256
e93f9f36e9f8dfcf4c15801c9f626c1afa508e309e4ef404352ed15afe69940a

SHA512
0433ba17a89b4b0cd4b177af686ba794e1741ca060ec76a316c592bdfaecab0ffe86a743efbb1bbe17b519d63f34d81df39663fef5c02b03fe046918f802ed08

Download Submit
C:\Windows\system\LWbqKuH.exe

Filesize
2.0MB

MD5
c57a514c7d49794c46077f6713490ac3

SHA1
a440e4efc3b6b0d8bb0e6972676e9a53999e34c3

SHA256
18bc218510055bf6a664138ee40ab00534454d5d1d871c9f5f4d361a9a89236b

SHA512
2362b458f5115e8fa7f6bba86f24c3d342179ed5c6155456720b0f16676e3784740e767a5e92bbcbc4b57cb24a651ebf63acc25a11d905ff06a455dfc0580a8b

Download Submit
C:\Windows\system\LrmCTaS.exe

Filesize
2.0MB

MD5
3b8aaa854f16038bd32c00fcad0a2b3a

SHA1
c52b181d552493eaafecf912a7cff333966c7b7d

SHA256
7726a98b49e26c7786e68a7e17b1581570aab2af52c28abc79d4fffd5d8ee5a1

SHA512
aaeebbb5885b1ba469dd7d93c4847d032ed49b365bbd3f7d93ae4be61ac9f3e1d43f820b2c019d34248de9de21b07e4a71d42ed735fdf72f451a5ad2b7182619

Download Submit
C:\Windows\system\OiZaZyc.exe

Filesize
2.0MB

MD5
0d9269c5928731d9266309b2398f5fa9

SHA1
3d5620bd4115c3cf77e4681e99693e53c996ba0e

SHA256
f0ca4d06a060ab06b57a5d0a907f795423dc7bd2ba18e5b13b140c91a05ba3dd

SHA512
269133755d0aa1013a228a5316efb204f32041bbe2e236b05b9ccd7b036ee07ea519b41d4032dc3b950d059afbc057217b03f36e53628ccc1a807789091f2b40

Download Submit
C:\Windows\system\PMCBtvy.exe

Filesize
2.0MB

MD5
fbd3e58f3f9f95e535526c56b05f6328

SHA1
bb8cc31131c7add24ffb2e8abeec277e06ae01fa

SHA256
0c0df23df51b097679348d03833d2c6a0e2fc807939d3f4a0165f5a4d2c7fdb8

SHA512
189a7152b7405cd11d708a8e74baeb768bc58c0ec3bc81d524250798e24777d31c612f1434b9ac8bf92f9fc3eba369c512a357c1dbc35cc2f65362097a3d38a2

Download Submit
C:\Windows\system\SfCdZzm.exe

Filesize
2.0MB

MD5
d0778357f7a21c1a740654d703d5cbfd

SHA1
203e6a6e0f3b7c21cf22bf3ba740872b1ae64fd5

SHA256
5f8c660b6053b5e1f14900d530b9f0d559f4e714e13e8c8243ea43b4103cdbc2

SHA512
4dc2914557d48f0507be55a0d6b049724193e962d85e3027bf6a8eed83e38415a14e8db900bc82b44b2176a39c0a27faf4f8a230846f0934ff07ff1b862361d0

Download Submit
C:\Windows\system\UHhZmHv.exe

Filesize
2.0MB

MD5
3350e7cceb18891e695c900c4e84710c

SHA1
445e0471900e8d99ee3bc795a2d76cfba22d2a8e

SHA256
3abf51270d8e4bd8ba134f46289a45b49d7368f8bad082a1d4eb20f7f5e32807

SHA512
95ca089682577ebdc1fda46a055de8e308a5e316e2860f0ece8bd3675c8ed38d520ad11f882a83d4f708b70074d63e92bcfd7506785bedfc9437cb274ffe05bf

Download Submit
C:\Windows\system\cZtZkeT.exe

Filesize
2.0MB

MD5
e1bfe60f5a71e3ecac45a54e898b89f0

SHA1
afe93ed2113e3c5bfeb1227820c260e7e61fbd38

SHA256
587bdb8fe4a418ce10152dfafab6c218e86f07fbc9a5781f0d7f8f49ade12d4e

SHA512
77b2798c19b4e6376a231390ac068a1941fd53f722f656652d1e9fb12a9b60e4b977905eb49525e85afb6b8026aceee0e1d9a035470aedc8bdb1b1d8cb43ac57

Download Submit
C:\Windows\system\dYjuCaq.exe

Filesize
2.0MB

MD5
62aa0d93f6457f5bde9569077785bbf7

SHA1
12916e8bf97df707258a314e9ac4931f2b9a0a02

SHA256
11e1e129aba15d99933a1b0f9730b9b2c1aaf7c9c68ac368cd9b02222c7ee82e

SHA512
026c887ed508ee830c073c6b5074d50924304b6575a9381c6f6706ce80038de0a1216d1c60b886b847e78dbbb6153b5dd3add0b92a5aa39f7584dd01dc3b4853

Download Submit
C:\Windows\system\desndCh.exe

Filesize
2.0MB

MD5
bc4fcebbf3fcae964f5b37c1a7d9b8ca

SHA1
307ce2af75ac96cfa6b6845079624f65196f4b94

SHA256
af445b61fda5d86463d5b480b293c45455d9f730fb253a8a469bf2478354dd9d

SHA512
63ca5e890c65f91ce9ffd4b8eef0196cb65e53e9fec618ac5f3a9064665bcb9af5114b6a422c0e035ee0608cd0e0e2ed17ef8cf1960e9018f4dbfa237a600143

Download Submit
C:\Windows\system\dtYNpre.exe

Filesize
2.0MB

MD5
1d24882c6679abb2649a64872a51655a

SHA1
ad3b2a31b1c8d597258efc4308509e8f4820fa4c

SHA256
7a6c2e6ecf6471e3e31aa9982d3c30118e2510fbd5580dfc69826dbbe883a96d

SHA512
169236121f9c9833d92bb80cad9a0a9a0f00df6ff57ec144def43cb89a9e3e33565b2bc1fc28744774fee4045f3725fbdafa626aa95e821b00a1b59fcf65ceb1

Download Submit
C:\Windows\system\fVSCjLo.exe

Filesize
2.0MB

MD5
7669ce0b922a78a0a09c34e9baf901ee

SHA1
c5d8d252e9a7e1cc1d3a6502d32c6c8036c8697d

SHA256
ba509d351cc0d0ecf5418b9b75460ff4f367906b754ebc51a78bd4e45198ee88

SHA512
36c2e67434d93f46a1a8fcee5cfd924df9e242ca240de4dc612e4fb244680b8e6779b83a7b65e3b807aa05df1cebc94ff696b5b5fe79f0e6c7eec949df0fe99f

Download Submit
C:\Windows\system\rwGBgNr.exe

Filesize
2.0MB

MD5
746d11d0e6d1ee6e8ab4898b6c6039d0

SHA1
e15f544f6cb32ee6812e07ce323012ecb27678b2

SHA256
00f51d8c1aa827af89e4df1fa185b717cb1ad7c2f5bb4e57c176e7ac569e9e72

SHA512
4e7a5f2ca57ae007ee6add531945ab06990707a542e87e0f747c47a44081e58d026a30e17b122539c9c204621436cec4cf8316621254102cfeb331298edca8ef

Download Submit
C:\Windows\system\tZAwuOh.exe

Filesize
2.0MB

MD5
ccb7d65934d02740a5ecdc372abbf3d1

SHA1
1e3bb00a883e818ef1882010be46dfd1779a52dd

SHA256
c0c2f37ad901aea1e903d74fc638283b90871e2b056011c1037a22096f835b22

SHA512
b3b8c460f7e05f8527988e24454ee7b924ca5bf59b8c83cca8ff02a3bf2edf92922541ef127d303ce16fba1d6f35468b06afb1116914a8d89655b884cc9ab3c2

Download Submit
C:\Windows\system\wJaMAMJ.exe

Filesize
2.0MB

MD5
9364476380f69caffe4010fb94a543f3

SHA1
6dac2e798582488e324ae2266ddee7a8c8a7df82

SHA256
bcacf79c6a5ef00b521d08380bf7bcbf2f8b4ab30f36f4ba46a8396db45eec28

SHA512
67f4e3ba5b61410161ffd684292a1d1f04b5cff82b532b3a55e9b9bbeb7b3a342171d33ee8240b7d12fddbb8aac735a1f4f0ad4db62df5724c30e826a190a050

Download Submit
C:\Windows\system\zVdgIWU.exe

Filesize
2.0MB

MD5
34e0fc1172e82e47c5a28bcc0ed169ba

SHA1
6e71e5dcb31195ceed1d000045a829356d3b77f7

SHA256
23a24bb3fc1844ad66c06cc1eba21602eaedf79e15004e4c97f0acfe5f46b554

SHA512
83c4e7fcc682d465641bffeb5d6b114676b865c8f60a66f31d2b7a4a6ffc4a91b827865e7d75ed9608bab3ac94ec3d7d2847f54766988e01e5a3dc88ecbe9457

Download Submit
\Windows\system\DzWnZAx.exe

Filesize
2.0MB

MD5
fae252e316eba305480abe9313f3535d

SHA1
26561f40f9cc8ce9d0890eee75282f58f8164374

SHA256
089fc1be701ba370904dba9cf5a39838ab5c085e611db407c50d3e61ff683877

SHA512
f069aafed49e9be7521122533230e84f1b711fa17b0a6a5e64af3f407abc08f69c943d6690f5a8cb20d4595e02ce586373ca7cdafa576040168a1193e29ee7d3

Download Submit
\Windows\system\IUUgRlJ.exe

Filesize
2.0MB

MD5
5003d44d8c17b26652a7baf9ec129191

SHA1
116ed87df0b3f6a462b55a389e6715c6c3fffbcf

SHA256
d15c0e5fae91a83050e2248278cc1f6d483a79a5a16800c097c14187278c841a

SHA512
c9c040cc6ca78c34769f953dbd659ec7f9357c62e660883ede1df65546f212abf6097d17aa08224515a6d65070b903258f3f5bd9cea8f4abbd4c824ceebd7c68

Download Submit
\Windows\system\QPKwdqa.exe

Filesize
2.0MB

MD5
098c616e816e9e5aa0810cef458124f1

SHA1
1dce5ff78b6e29429214829da6aeea73f46fcd0b

SHA256
80c88b137701e1d60dbfe0d90414078b77b1c5a1d31400b9a451b1b0544d61a6

SHA512
47a5465a40c10e4d887d0e54cbde87352f09ec86b51499f116e43951ce8676e0fcd68bde3127e83b7c9fd736ebb003c5a8740c50ecdec325056f82f4eac0004f

Download Submit
\Windows\system\QowOFnp.exe

Filesize
2.0MB

MD5
77bd938b722264ed7797c791d29be771

SHA1
8f3166ad9e1042aa2fb425174f817f15829be706

SHA256
c0e2f2fa1b8521068be94d396cde0c49d968db234ac9ae59e067d29311e35f82

SHA512
87b08036c7f68c606c4c0d1a33e6128ffce91aa6db8c61901a13205cac9d12a59b21e02cbe3f05f0c8a3f1407789d6b772dd9c8d0804072eb4e985cc3b1fb685

Download Submit
\Windows\system\lUBGMjZ.exe

Filesize
2.0MB

MD5
5cfb5de090009648edfbd905b9082377

SHA1
79122065e341d9480d0243b51f437bd5e3077155

SHA256
8f0e674af9b95aae4a4e3da2db2ef79a5a67e16f941e7a86b4d203896fcfe621

SHA512
e7706c28d9ba0c1b1a42296c0a1d1c2a19faccef88d56b41a34203c2b84b40491eb202c70a8b112f8d0c5f8d51fbfd6c180866621a217b6b8196ae8ff803987c

Download Submit
\Windows\system\rRTYncZ.exe

Filesize
2.0MB

MD5
1ed9aee7a33237a1f38286b3b6c8cbf4

SHA1
6c4fb19e7f911a6092aac9df3a85da95a6141611

SHA256
287c888cb6ece1c9597a2cc0e7c9bb0a5e4605e626299a598a5ae85b4d9751df

SHA512
6f61fc3ef3b0e4c58b6ebe68be75d557899911ce41f5e3b65b87791bf1b382a663b32aa8b7fe9f6579bb664730d2ab71f40cef26363c7f260f463319e0f07227

Download Submit
\Windows\system\sACqvEO.exe

Filesize
2.0MB

MD5
be3e0575e96a8691d93a80763194ef46

SHA1
20f618c692ae65ffee903881af1c697b53849d90

SHA256
3e21444532aad3771012cb0996812044ad899530f67704be5c59be44063d22b5

SHA512
66e1ebeac0161c2d643e592c15cdcf7959e30e4f68d14ce9074a50c53e57cb0e323305f9426cfea9c7f79528ee6d52d455cb038d02140b6fcf3ca5bb0b0470a6

Download Submit
\Windows\system\tMbPmuP.exe

Filesize
2.0MB

MD5
193b268a6efadb0b255161a0263bf2e5

SHA1
f404cf917a0e425669ac70d0003fc661848b53ad

SHA256
3deef366d3c95dc597a6a46cafa9a77c440b1b0260e9fc79f80cbc492eeb22e7

SHA512
653cbd8875e7528190bfd9f7806d81888c1950d8061e3a1c36de1aeff63412e0384f0d6c4c13cf1d548d3d2978e48638474d215ab9294e83d77e52e9204a45b3

Download Submit
\Windows\system\uZoYDiz.exe

Filesize
2.0MB

MD5
c52c2f7f3cbcda1866e07396d0b11142

SHA1
47b661ccb8f538051704fd8c778263b4e566715a

SHA256
436470dde11c6d9d004924255a8a91e1a779a09d3b8df400a31621c18dcd7387

SHA512
e8b2237925adeb1c865b4032a9501797a6e080318213eaf70adcbb4bf8761b21c2783d3b7398f075133fa4f153108388e6923d515d384400f68ead78c6cbd9b5

Download Submit
\Windows\system\zhZgvEX.exe

Filesize
2.0MB

MD5
dac090e909ec5aef3f6d9947f0a4bccb

SHA1
b7ff2cb0755f7b498772a4107a91dfa333981540

SHA256
4b6f26036ac7c3293109dee1afd694df958860507aa274aaff606c7ed28aaefa

SHA512
c743248e31b1dc2042371504ceb459057581d428a0baea1b65412a846e3da28572cfd603591c5c31c6b8a409c50512330e6ddb112eeb189b1ec9bf1a4d378e56

Download Submit
memory/3052-0-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download