kpot | 15e4a3593d451a8d6c71458278e82f62c7ac139e43c86b9912dc50d4f5c7e512

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
Size

2.1MB
MD5

1c5037373500af7ccfd37b4a9e140ce0
SHA1

82900d9787bffef1f8b5c28391019a72d6bc6695
SHA256

15e4a3593d451a8d6c71458278e82f62c7ac139e43c86b9912dc50d4f5c7e512
SHA512

4596aa89bea900a2c049309b0e48c83b67241471f2e3140d74fc5d193eabc1276ca0f748a4166ee905cbe5d4a119d0b81efded6721732a06fcd15ddcf418a43b
SSDEEP

49152:BezaTF8FcNkNdfE0pZ9ozt4wIC5aIwC+Agr6StVEnmcI+2IAU:BemTLkNdfE0pZrwP

Score

10^/10

kpot xmrig miner stealer trojan upx

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023410-5.dat	family_kpot
behavioral2/files/0x0007000000023420-75.dat	family_kpot
behavioral2/files/0x000700000002342e-177.dat	family_kpot
behavioral2/files/0x000700000002342f-172.dat	family_kpot
behavioral2/files/0x0007000000023433-185.dat	family_kpot
behavioral2/files/0x000700000002342c-156.dat	family_kpot
behavioral2/files/0x0007000000023427-136.dat	family_kpot
behavioral2/files/0x000700000002342a-125.dat	family_kpot
behavioral2/files/0x0007000000023428-120.dat	family_kpot
behavioral2/files/0x000700000002341c-69.dat	family_kpot
behavioral2/files/0x000700000002341e-61.dat	family_kpot
behavioral2/files/0x0008000000023410-6.dat	family_kpot

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 51 IoCs

miner

resource	yara_rule
behavioral2/memory/1212-0-0x00007FF7BAEF0000-0x00007FF7BB244000-memory.dmp	xmrig
behavioral2/files/0x0008000000023410-5.dat	xmrig
behavioral2/memory/464-77-0x00007FF711400000-0x00007FF711754000-memory.dmp	xmrig
behavioral2/files/0x0007000000023420-75.dat	xmrig
behavioral2/memory/4616-217-0x00007FF60FCF0000-0x00007FF610044000-memory.dmp	xmrig
behavioral2/memory/1212-1070-0x00007FF7BAEF0000-0x00007FF7BB244000-memory.dmp	xmrig
behavioral2/memory/4488-236-0x00007FF6757C0000-0x00007FF675B14000-memory.dmp	xmrig
behavioral2/memory/1740-233-0x00007FF7BEF50000-0x00007FF7BF2A4000-memory.dmp	xmrig
behavioral2/memory/3612-219-0x00007FF74D800000-0x00007FF74DB54000-memory.dmp	xmrig
behavioral2/memory/1112-218-0x00007FF792E30000-0x00007FF793184000-memory.dmp	xmrig
behavioral2/memory/2096-205-0x00007FF79A4B0000-0x00007FF79A804000-memory.dmp	xmrig
behavioral2/memory/4940-188-0x00007FF7206B0000-0x00007FF720A04000-memory.dmp	xmrig
behavioral2/memory/404-181-0x00007FF6C8D90000-0x00007FF6C90E4000-memory.dmp	xmrig
behavioral2/memory/4024-180-0x00007FF7D0720000-0x00007FF7D0A74000-memory.dmp	xmrig
behavioral2/files/0x0008000000023411-179.dat	xmrig
behavioral2/files/0x000700000002342e-177.dat	xmrig
behavioral2/files/0x000700000002342f-172.dat	xmrig
behavioral2/files/0x0007000000023433-185.dat	xmrig
behavioral2/files/0x000700000002342c-156.dat	xmrig
behavioral2/memory/1704-153-0x00007FF6BCE80000-0x00007FF6BD1D4000-memory.dmp	xmrig
behavioral2/memory/3084-148-0x00007FF640A40000-0x00007FF640D94000-memory.dmp	xmrig
behavioral2/files/0x0007000000023427-136.dat	xmrig
behavioral2/files/0x000700000002342a-125.dat	xmrig
behavioral2/files/0x0007000000023428-120.dat	xmrig
behavioral2/memory/2512-127-0x00007FF7F34D0000-0x00007FF7F3824000-memory.dmp	xmrig
behavioral2/memory/4324-114-0x00007FF7F0C80000-0x00007FF7F0FD4000-memory.dmp	xmrig
behavioral2/memory/1904-1072-0x00007FF7F23E0000-0x00007FF7F2734000-memory.dmp	xmrig
behavioral2/memory/3528-1073-0x00007FF66E180000-0x00007FF66E4D4000-memory.dmp	xmrig
behavioral2/memory/3700-99-0x00007FF7BA730000-0x00007FF7BAA84000-memory.dmp	xmrig
behavioral2/memory/4308-89-0x00007FF6B1630000-0x00007FF6B1984000-memory.dmp	xmrig
behavioral2/files/0x000700000002341c-69.dat	xmrig
behavioral2/memory/3296-65-0x00007FF7644B0000-0x00007FF764804000-memory.dmp	xmrig
behavioral2/memory/5036-56-0x00007FF656BD0000-0x00007FF656F24000-memory.dmp	xmrig
behavioral2/files/0x000700000002341e-61.dat	xmrig
behavioral2/memory/396-44-0x00007FF6D1F00000-0x00007FF6D2254000-memory.dmp	xmrig
behavioral2/memory/464-1075-0x00007FF711400000-0x00007FF711754000-memory.dmp	xmrig
behavioral2/memory/3296-1074-0x00007FF7644B0000-0x00007FF764804000-memory.dmp	xmrig
behavioral2/files/0x0008000000023410-6.dat	xmrig
behavioral2/memory/4844-1076-0x00007FF6630F0000-0x00007FF663444000-memory.dmp	xmrig
behavioral2/memory/3296-1086-0x00007FF7644B0000-0x00007FF764804000-memory.dmp	xmrig
behavioral2/memory/3084-1089-0x00007FF640A40000-0x00007FF640D94000-memory.dmp	xmrig
behavioral2/memory/2512-1090-0x00007FF7F34D0000-0x00007FF7F3824000-memory.dmp	xmrig
behavioral2/memory/1112-1091-0x00007FF792E30000-0x00007FF793184000-memory.dmp	xmrig
behavioral2/memory/404-1094-0x00007FF6C8D90000-0x00007FF6C90E4000-memory.dmp	xmrig
behavioral2/memory/1116-1096-0x00007FF778C80000-0x00007FF778FD4000-memory.dmp	xmrig
behavioral2/memory/1488-1101-0x00007FF7AE830000-0x00007FF7AEB84000-memory.dmp	xmrig
behavioral2/memory/4292-1100-0x00007FF655D10000-0x00007FF656064000-memory.dmp	xmrig
behavioral2/memory/4488-1103-0x00007FF6757C0000-0x00007FF675B14000-memory.dmp	xmrig
behavioral2/memory/464-1088-0x00007FF711400000-0x00007FF711754000-memory.dmp	xmrig
behavioral2/memory/4308-1087-0x00007FF6B1630000-0x00007FF6B1984000-memory.dmp	xmrig
behavioral2/memory/456-1077-0x00007FF6402E0000-0x00007FF640634000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
456	qzfAyQA.exe
1904	XJlaRYo.exe
436	hiezrci.exe
396	MhJTdAl.exe
3528	osVBfKH.exe
4844	igZegBR.exe
5036	sftjkxU.exe
3700	bZYkTlX.exe
4324	mtapdbd.exe
3296	iRTINzy.exe
2512	rDRERqO.exe
464	fpFJUCf.exe
3084	kIVzOkM.exe
4308	zexNvsv.exe
1704	wiVaZkz.exe
1112	aUsajPK.exe
4592	QuILPxt.exe
4024	qpPvFkt.exe
404	UaDPzWe.exe
3612	jdBxiaO.exe
1116	NjcJwsi.exe
4940	HYiKWsr.exe
3596	nwpGppX.exe
4292	MRXTVKI.exe
1740	VUFxqtG.exe
2096	FNmxVRm.exe
1488	dAJhnEO.exe
4616	mUyWVRk.exe
4488	RbzYWAD.exe
4492	sdGwpTE.exe
1356	KOESBbe.exe
4688	cLIRnql.exe
892	mQQbVwL.exe
4856	WIBrQUe.exe
4496	frDmREg.exe
1844	lHLszty.exe
5104	eEOcFxE.exe
4704	INSpTFi.exe
4116	KDWCEpL.exe
4904	tBPKOdA.exe
1364	BJdgxMG.exe
3152	eltGtAs.exe
1520	RaVQAaR.exe
4224	qTRFvFn.exe
3960	xuBXBUI.exe
2756	jkRYJIA.exe
3056	ctzhiOb.exe
4772	RbajihE.exe
1020	bPkuaOu.exe
4536	RTOqQMB.exe
3144	nuJVJab.exe
1596	OevaeIC.exe
340	OaKigLC.exe
3212	iqxlKea.exe
3800	ReFLQLa.exe
2760	jfNnvPY.exe
1088	mRWBAjm.exe
836	fYeYqeb.exe
3796	YgJSwVr.exe
4744	JGryggs.exe
764	ZFglFfH.exe
1788	wTaVRSq.exe
4512	AuekfYI.exe
4956	YCEvZAi.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1212-0-0x00007FF7BAEF0000-0x00007FF7BB244000-memory.dmp	upx
behavioral2/files/0x0008000000023410-5.dat	upx
behavioral2/memory/456-11-0x00007FF6402E0000-0x00007FF640634000-memory.dmp	upx
behavioral2/files/0x0007000000023419-40.dat	upx
behavioral2/memory/464-77-0x00007FF711400000-0x00007FF711754000-memory.dmp	upx
behavioral2/files/0x0007000000023420-75.dat	upx
behavioral2/memory/4292-202-0x00007FF655D10000-0x00007FF656064000-memory.dmp	upx
behavioral2/memory/4616-217-0x00007FF60FCF0000-0x00007FF610044000-memory.dmp	upx
behavioral2/memory/1116-225-0x00007FF778C80000-0x00007FF778FD4000-memory.dmp	upx
behavioral2/memory/456-1071-0x00007FF6402E0000-0x00007FF640634000-memory.dmp	upx
behavioral2/memory/1212-1070-0x00007FF7BAEF0000-0x00007FF7BB244000-memory.dmp	upx
behavioral2/memory/4488-236-0x00007FF6757C0000-0x00007FF675B14000-memory.dmp	upx
behavioral2/memory/1740-233-0x00007FF7BEF50000-0x00007FF7BF2A4000-memory.dmp	upx
behavioral2/memory/3612-219-0x00007FF74D800000-0x00007FF74DB54000-memory.dmp	upx
behavioral2/memory/1112-218-0x00007FF792E30000-0x00007FF793184000-memory.dmp	upx
behavioral2/memory/1488-215-0x00007FF7AE830000-0x00007FF7AEB84000-memory.dmp	upx
behavioral2/memory/2096-205-0x00007FF79A4B0000-0x00007FF79A804000-memory.dmp	upx
behavioral2/memory/3596-194-0x00007FF7536C0000-0x00007FF753A14000-memory.dmp	upx
behavioral2/memory/4940-188-0x00007FF7206B0000-0x00007FF720A04000-memory.dmp	upx
behavioral2/memory/404-181-0x00007FF6C8D90000-0x00007FF6C90E4000-memory.dmp	upx
behavioral2/memory/4024-180-0x00007FF7D0720000-0x00007FF7D0A74000-memory.dmp	upx
behavioral2/files/0x0008000000023411-179.dat	upx
behavioral2/files/0x000700000002342e-177.dat	upx
behavioral2/files/0x000700000002342f-172.dat	upx
behavioral2/files/0x0007000000023433-185.dat	upx
behavioral2/memory/4592-164-0x00007FF7285B0000-0x00007FF728904000-memory.dmp	upx
behavioral2/files/0x000700000002342c-156.dat	upx
behavioral2/memory/1704-153-0x00007FF6BCE80000-0x00007FF6BD1D4000-memory.dmp	upx
behavioral2/memory/3084-148-0x00007FF640A40000-0x00007FF640D94000-memory.dmp	upx
behavioral2/files/0x0007000000023427-136.dat	upx
behavioral2/files/0x000700000002342a-125.dat	upx
behavioral2/files/0x0007000000023428-120.dat	upx
behavioral2/memory/2512-127-0x00007FF7F34D0000-0x00007FF7F3824000-memory.dmp	upx
behavioral2/memory/4324-114-0x00007FF7F0C80000-0x00007FF7F0FD4000-memory.dmp	upx
behavioral2/memory/1904-1072-0x00007FF7F23E0000-0x00007FF7F2734000-memory.dmp	upx
behavioral2/memory/3528-1073-0x00007FF66E180000-0x00007FF66E4D4000-memory.dmp	upx
behavioral2/memory/3700-99-0x00007FF7BA730000-0x00007FF7BAA84000-memory.dmp	upx
behavioral2/memory/4308-89-0x00007FF6B1630000-0x00007FF6B1984000-memory.dmp	upx
behavioral2/files/0x000700000002341c-69.dat	upx
behavioral2/memory/3296-65-0x00007FF7644B0000-0x00007FF764804000-memory.dmp	upx
behavioral2/memory/5036-56-0x00007FF656BD0000-0x00007FF656F24000-memory.dmp	upx
behavioral2/files/0x000700000002341e-61.dat	upx
behavioral2/memory/4844-47-0x00007FF6630F0000-0x00007FF663444000-memory.dmp	upx
behavioral2/memory/396-44-0x00007FF6D1F00000-0x00007FF6D2254000-memory.dmp	upx
behavioral2/memory/3528-36-0x00007FF66E180000-0x00007FF66E4D4000-memory.dmp	upx
behavioral2/memory/436-28-0x00007FF7A2130000-0x00007FF7A2484000-memory.dmp	upx
behavioral2/memory/464-1075-0x00007FF711400000-0x00007FF711754000-memory.dmp	upx
behavioral2/memory/3296-1074-0x00007FF7644B0000-0x00007FF764804000-memory.dmp	upx
behavioral2/memory/1904-14-0x00007FF7F23E0000-0x00007FF7F2734000-memory.dmp	upx
behavioral2/files/0x0008000000023410-6.dat	upx
behavioral2/memory/4844-1076-0x00007FF6630F0000-0x00007FF663444000-memory.dmp	upx
behavioral2/memory/1904-1078-0x00007FF7F23E0000-0x00007FF7F2734000-memory.dmp	upx
behavioral2/memory/3528-1081-0x00007FF66E180000-0x00007FF66E4D4000-memory.dmp	upx
behavioral2/memory/5036-1082-0x00007FF656BD0000-0x00007FF656F24000-memory.dmp	upx
behavioral2/memory/3700-1083-0x00007FF7BA730000-0x00007FF7BAA84000-memory.dmp	upx
behavioral2/memory/4844-1084-0x00007FF6630F0000-0x00007FF663444000-memory.dmp	upx
behavioral2/memory/3296-1086-0x00007FF7644B0000-0x00007FF764804000-memory.dmp	upx
behavioral2/memory/3084-1089-0x00007FF640A40000-0x00007FF640D94000-memory.dmp	upx
behavioral2/memory/2512-1090-0x00007FF7F34D0000-0x00007FF7F3824000-memory.dmp	upx
behavioral2/memory/1112-1091-0x00007FF792E30000-0x00007FF793184000-memory.dmp	upx
behavioral2/memory/4592-1093-0x00007FF7285B0000-0x00007FF728904000-memory.dmp	upx
behavioral2/memory/404-1094-0x00007FF6C8D90000-0x00007FF6C90E4000-memory.dmp	upx
behavioral2/memory/1116-1096-0x00007FF778C80000-0x00007FF778FD4000-memory.dmp	upx
behavioral2/memory/3596-1099-0x00007FF7536C0000-0x00007FF753A14000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\KWdlanq.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\eGiyRKD.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\QoJImZU.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\fqryiQL.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\DjIZEAu.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\HXrTlYw.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\nnorFDD.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\sdGwpTE.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\iqxlKea.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\YSvBmjL.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\XYCNPZq.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\yPhempX.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\RocgnWL.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\HKyoezS.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\lthQBvY.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\OcpBZLz.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\vPsLiEO.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\XJlaRYo.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\jLmnFCW.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\UDOTaoV.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\LvQCfBt.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\WdyLTfd.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\CrWauOs.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\IAhzpXO.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\ZqJWCjL.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\maEJVmf.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\VtaYDuk.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\JCrzUkl.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\BJdgxMG.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\jfNnvPY.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\VbRedXO.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\CzlCuay.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\veVFQkq.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\HYiKWsr.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\mRWBAjm.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\ZNnXgXz.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\VMlpLrq.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\VRttSbh.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\KuXvhlB.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\Moylktg.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\FesZvbN.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\EkwCXQq.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\FqzTwKW.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\wIFzXJF.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\ynYQqUl.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\JGryggs.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\sOuoHmW.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\ilrWdaR.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\uBgqxbT.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\ueieBuJ.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\iRTINzy.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\IDDgaiG.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\puDcTXp.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\FPQzZjv.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\gzJIzbz.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\fseHxmC.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\rPCnhUR.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\mQQbVwL.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\VgFyMpw.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\lxAxENn.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\uAJkNuj.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\ksOyDfL.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\QDszvtp.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
File created	C:\Windows\System\itryBbh.exe	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 456	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	82
PID 1212 wrote to memory of 456	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	82
PID 1212 wrote to memory of 1904	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	83
PID 1212 wrote to memory of 1904	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	83
PID 1212 wrote to memory of 436	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	84
PID 1212 wrote to memory of 436	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	84
PID 1212 wrote to memory of 396	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	85
PID 1212 wrote to memory of 396	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	85
PID 1212 wrote to memory of 3528	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	86
PID 1212 wrote to memory of 3528	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	86
PID 1212 wrote to memory of 4844	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	87
PID 1212 wrote to memory of 4844	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	87
PID 1212 wrote to memory of 5036	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	88
PID 1212 wrote to memory of 5036	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	88
PID 1212 wrote to memory of 3700	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	90
PID 1212 wrote to memory of 3700	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	90
PID 1212 wrote to memory of 4324	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	91
PID 1212 wrote to memory of 4324	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	91
PID 1212 wrote to memory of 3296	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	92
PID 1212 wrote to memory of 3296	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	92
PID 1212 wrote to memory of 2512	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	93
PID 1212 wrote to memory of 2512	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	93
PID 1212 wrote to memory of 464	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	94
PID 1212 wrote to memory of 464	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	94
PID 1212 wrote to memory of 3084	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	95
PID 1212 wrote to memory of 3084	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	95
PID 1212 wrote to memory of 4308	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	96
PID 1212 wrote to memory of 4308	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	96
PID 1212 wrote to memory of 4592	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	97
PID 1212 wrote to memory of 4592	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	97
PID 1212 wrote to memory of 1704	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	98
PID 1212 wrote to memory of 1704	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	98
PID 1212 wrote to memory of 1112	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	99
PID 1212 wrote to memory of 1112	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	99
PID 1212 wrote to memory of 4024	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	100
PID 1212 wrote to memory of 4024	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	100
PID 1212 wrote to memory of 404	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	101
PID 1212 wrote to memory of 404	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	101
PID 1212 wrote to memory of 3612	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	102
PID 1212 wrote to memory of 3612	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	102
PID 1212 wrote to memory of 3596	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	103
PID 1212 wrote to memory of 3596	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	103
PID 1212 wrote to memory of 1116	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	104
PID 1212 wrote to memory of 1116	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	104
PID 1212 wrote to memory of 4940	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	105
PID 1212 wrote to memory of 4940	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	105
PID 1212 wrote to memory of 4292	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	106
PID 1212 wrote to memory of 4292	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	106
PID 1212 wrote to memory of 1740	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	107
PID 1212 wrote to memory of 1740	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	107
PID 1212 wrote to memory of 1488	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	108
PID 1212 wrote to memory of 1488	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	108
PID 1212 wrote to memory of 2096	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	109
PID 1212 wrote to memory of 2096	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	109
PID 1212 wrote to memory of 4616	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	110
PID 1212 wrote to memory of 4616	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	110
PID 1212 wrote to memory of 4488	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	111
PID 1212 wrote to memory of 4488	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	111
PID 1212 wrote to memory of 4492	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	112
PID 1212 wrote to memory of 4492	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	112
PID 1212 wrote to memory of 1356	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	113
PID 1212 wrote to memory of 1356	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	113
PID 1212 wrote to memory of 4688	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	114
PID 1212 wrote to memory of 4688	1212	1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe	114

C:\Users\Admin\AppData\Local\Temp\1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1c5037373500af7ccfd37b4a9e140ce0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\System\qzfAyQA.exe
  C:\Windows\System\qzfAyQA.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System\XJlaRYo.exe
  C:\Windows\System\XJlaRYo.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\hiezrci.exe
  C:\Windows\System\hiezrci.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\MhJTdAl.exe
  C:\Windows\System\MhJTdAl.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\osVBfKH.exe
  C:\Windows\System\osVBfKH.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\igZegBR.exe
  C:\Windows\System\igZegBR.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\sftjkxU.exe
  C:\Windows\System\sftjkxU.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\bZYkTlX.exe
  C:\Windows\System\bZYkTlX.exe
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\System\mtapdbd.exe
  C:\Windows\System\mtapdbd.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System\iRTINzy.exe
  C:\Windows\System\iRTINzy.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System\rDRERqO.exe
  C:\Windows\System\rDRERqO.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\fpFJUCf.exe
  C:\Windows\System\fpFJUCf.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\kIVzOkM.exe
  C:\Windows\System\kIVzOkM.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\zexNvsv.exe
  C:\Windows\System\zexNvsv.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System\QuILPxt.exe
  C:\Windows\System\QuILPxt.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\wiVaZkz.exe
  C:\Windows\System\wiVaZkz.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\aUsajPK.exe
  C:\Windows\System\aUsajPK.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System\qpPvFkt.exe
  C:\Windows\System\qpPvFkt.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\UaDPzWe.exe
  C:\Windows\System\UaDPzWe.exe
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Windows\System\jdBxiaO.exe
  C:\Windows\System\jdBxiaO.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System\nwpGppX.exe
  C:\Windows\System\nwpGppX.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System\NjcJwsi.exe
  C:\Windows\System\NjcJwsi.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\HYiKWsr.exe
  C:\Windows\System\HYiKWsr.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\MRXTVKI.exe
  C:\Windows\System\MRXTVKI.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System\VUFxqtG.exe
  C:\Windows\System\VUFxqtG.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\dAJhnEO.exe
  C:\Windows\System\dAJhnEO.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\FNmxVRm.exe
  C:\Windows\System\FNmxVRm.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\mUyWVRk.exe
  C:\Windows\System\mUyWVRk.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\RbzYWAD.exe
  C:\Windows\System\RbzYWAD.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\sdGwpTE.exe
  C:\Windows\System\sdGwpTE.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\KOESBbe.exe
  C:\Windows\System\KOESBbe.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System\cLIRnql.exe
  C:\Windows\System\cLIRnql.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\mQQbVwL.exe
  C:\Windows\System\mQQbVwL.exe
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\System\WIBrQUe.exe
  C:\Windows\System\WIBrQUe.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\frDmREg.exe
  C:\Windows\System\frDmREg.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\lHLszty.exe
  C:\Windows\System\lHLszty.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\eEOcFxE.exe
  C:\Windows\System\eEOcFxE.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\INSpTFi.exe
  C:\Windows\System\INSpTFi.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\KDWCEpL.exe
  C:\Windows\System\KDWCEpL.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System\tBPKOdA.exe
  C:\Windows\System\tBPKOdA.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\BJdgxMG.exe
  C:\Windows\System\BJdgxMG.exe
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\System\eltGtAs.exe
  C:\Windows\System\eltGtAs.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\RaVQAaR.exe
  C:\Windows\System\RaVQAaR.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\qTRFvFn.exe
  C:\Windows\System\qTRFvFn.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System\ctzhiOb.exe
  C:\Windows\System\ctzhiOb.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\xuBXBUI.exe
  C:\Windows\System\xuBXBUI.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System\jkRYJIA.exe
  C:\Windows\System\jkRYJIA.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\bPkuaOu.exe
  C:\Windows\System\bPkuaOu.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System\RbajihE.exe
  C:\Windows\System\RbajihE.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\RTOqQMB.exe
  C:\Windows\System\RTOqQMB.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System\OevaeIC.exe
  C:\Windows\System\OevaeIC.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System\nuJVJab.exe
  C:\Windows\System\nuJVJab.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\OaKigLC.exe
  C:\Windows\System\OaKigLC.exe
  2⤵
  - Executes dropped EXE
  PID:340
- C:\Windows\System\iqxlKea.exe
  C:\Windows\System\iqxlKea.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System\jfNnvPY.exe
  C:\Windows\System\jfNnvPY.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\ReFLQLa.exe
  C:\Windows\System\ReFLQLa.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\System\fYeYqeb.exe
  C:\Windows\System\fYeYqeb.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System\mRWBAjm.exe
  C:\Windows\System\mRWBAjm.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\YgJSwVr.exe
  C:\Windows\System\YgJSwVr.exe
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Windows\System\JGryggs.exe
  C:\Windows\System\JGryggs.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\ZFglFfH.exe
  C:\Windows\System\ZFglFfH.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\wTaVRSq.exe
  C:\Windows\System\wTaVRSq.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System\AuekfYI.exe
  C:\Windows\System\AuekfYI.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\YCEvZAi.exe
  C:\Windows\System\YCEvZAi.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\tSvHsdC.exe
  C:\Windows\System\tSvHsdC.exe
  2⤵
  PID:4588
- C:\Windows\System\tccCMqh.exe
  C:\Windows\System\tccCMqh.exe
  2⤵
  PID:3968
- C:\Windows\System\IdqbUTR.exe
  C:\Windows\System\IdqbUTR.exe
  2⤵
  PID:4700
- C:\Windows\System\VbRedXO.exe
  C:\Windows\System\VbRedXO.exe
  2⤵
  PID:1532
- C:\Windows\System\Ycqseoz.exe
  C:\Windows\System\Ycqseoz.exe
  2⤵
  PID:2964
- C:\Windows\System\VPwUKKC.exe
  C:\Windows\System\VPwUKKC.exe
  2⤵
  PID:4240
- C:\Windows\System\isUAWZJ.exe
  C:\Windows\System\isUAWZJ.exe
  2⤵
  PID:3628
- C:\Windows\System\sOuoHmW.exe
  C:\Windows\System\sOuoHmW.exe
  2⤵
  PID:976
- C:\Windows\System\gzJxNWI.exe
  C:\Windows\System\gzJxNWI.exe
  2⤵
  PID:1196
- C:\Windows\System\PnzxPEX.exe
  C:\Windows\System\PnzxPEX.exe
  2⤵
  PID:3284
- C:\Windows\System\OxPSjhO.exe
  C:\Windows\System\OxPSjhO.exe
  2⤵
  PID:4328
- C:\Windows\System\ECJIZXO.exe
  C:\Windows\System\ECJIZXO.exe
  2⤵
  PID:3040
- C:\Windows\System\AuPRdqc.exe
  C:\Windows\System\AuPRdqc.exe
  2⤵
  PID:5072
- C:\Windows\System\EENXbmw.exe
  C:\Windows\System\EENXbmw.exe
  2⤵
  PID:2452
- C:\Windows\System\jxLyVap.exe
  C:\Windows\System\jxLyVap.exe
  2⤵
  PID:1812
- C:\Windows\System\PHYlcEB.exe
  C:\Windows\System\PHYlcEB.exe
  2⤵
  PID:1636
- C:\Windows\System\ZWgqeRI.exe
  C:\Windows\System\ZWgqeRI.exe
  2⤵
  PID:952
- C:\Windows\System\eGiyRKD.exe
  C:\Windows\System\eGiyRKD.exe
  2⤵
  PID:4672
- C:\Windows\System\KlhhYrI.exe
  C:\Windows\System\KlhhYrI.exe
  2⤵
  PID:4044
- C:\Windows\System\ucnTlMV.exe
  C:\Windows\System\ucnTlMV.exe
  2⤵
  PID:5152
- C:\Windows\System\ztoOBaT.exe
  C:\Windows\System\ztoOBaT.exe
  2⤵
  PID:5176
- C:\Windows\System\oZDsnjQ.exe
  C:\Windows\System\oZDsnjQ.exe
  2⤵
  PID:5212
- C:\Windows\System\zlVdxDV.exe
  C:\Windows\System\zlVdxDV.exe
  2⤵
  PID:5240
- C:\Windows\System\CrWauOs.exe
  C:\Windows\System\CrWauOs.exe
  2⤵
  PID:5268
- C:\Windows\System\gyZWFyu.exe
  C:\Windows\System\gyZWFyu.exe
  2⤵
  PID:5304
- C:\Windows\System\VgFyMpw.exe
  C:\Windows\System\VgFyMpw.exe
  2⤵
  PID:5328
- C:\Windows\System\DsRLNJI.exe
  C:\Windows\System\DsRLNJI.exe
  2⤵
  PID:5344
- C:\Windows\System\VQTfAtg.exe
  C:\Windows\System\VQTfAtg.exe
  2⤵
  PID:5360
- C:\Windows\System\KBOibqI.exe
  C:\Windows\System\KBOibqI.exe
  2⤵
  PID:5388
- C:\Windows\System\GXLAwYj.exe
  C:\Windows\System\GXLAwYj.exe
  2⤵
  PID:5412
- C:\Windows\System\SrbmcOB.exe
  C:\Windows\System\SrbmcOB.exe
  2⤵
  PID:5448
- C:\Windows\System\zoLuqlm.exe
  C:\Windows\System\zoLuqlm.exe
  2⤵
  PID:5472
- C:\Windows\System\IzqiyNM.exe
  C:\Windows\System\IzqiyNM.exe
  2⤵
  PID:5504
- C:\Windows\System\txePQsD.exe
  C:\Windows\System\txePQsD.exe
  2⤵
  PID:5536
- C:\Windows\System\irBzTcX.exe
  C:\Windows\System\irBzTcX.exe
  2⤵
  PID:5552
- C:\Windows\System\wIFzXJF.exe
  C:\Windows\System\wIFzXJF.exe
  2⤵
  PID:5584
- C:\Windows\System\IjfpnSq.exe
  C:\Windows\System\IjfpnSq.exe
  2⤵
  PID:5616
- C:\Windows\System\lIGoJfG.exe
  C:\Windows\System\lIGoJfG.exe
  2⤵
  PID:5644
- C:\Windows\System\FWwArxA.exe
  C:\Windows\System\FWwArxA.exe
  2⤵
  PID:5676
- C:\Windows\System\pWIOqfa.exe
  C:\Windows\System\pWIOqfa.exe
  2⤵
  PID:5708
- C:\Windows\System\ntImLRu.exe
  C:\Windows\System\ntImLRu.exe
  2⤵
  PID:5740
- C:\Windows\System\uGZuKIy.exe
  C:\Windows\System\uGZuKIy.exe
  2⤵
  PID:5776
- C:\Windows\System\iColUZe.exe
  C:\Windows\System\iColUZe.exe
  2⤵
  PID:5804
- C:\Windows\System\cBcymci.exe
  C:\Windows\System\cBcymci.exe
  2⤵
  PID:5832
- C:\Windows\System\IDDgaiG.exe
  C:\Windows\System\IDDgaiG.exe
  2⤵
  PID:5860
- C:\Windows\System\LhhnXOt.exe
  C:\Windows\System\LhhnXOt.exe
  2⤵
  PID:5892
- C:\Windows\System\pGaKjqC.exe
  C:\Windows\System\pGaKjqC.exe
  2⤵
  PID:5916
- C:\Windows\System\QDszvtp.exe
  C:\Windows\System\QDszvtp.exe
  2⤵
  PID:5944
- C:\Windows\System\zZvXgHJ.exe
  C:\Windows\System\zZvXgHJ.exe
  2⤵
  PID:5972
- C:\Windows\System\EoXGZtK.exe
  C:\Windows\System\EoXGZtK.exe
  2⤵
  PID:6004
- C:\Windows\System\wRUlTqX.exe
  C:\Windows\System\wRUlTqX.exe
  2⤵
  PID:6032
- C:\Windows\System\ZFxHIRE.exe
  C:\Windows\System\ZFxHIRE.exe
  2⤵
  PID:6068
- C:\Windows\System\URPuTgw.exe
  C:\Windows\System\URPuTgw.exe
  2⤵
  PID:6088
- C:\Windows\System\YwRVdBK.exe
  C:\Windows\System\YwRVdBK.exe
  2⤵
  PID:6120
- C:\Windows\System\oGYooca.exe
  C:\Windows\System\oGYooca.exe
  2⤵
  PID:3704
- C:\Windows\System\SpGvVJp.exe
  C:\Windows\System\SpGvVJp.exe
  2⤵
  PID:5164
- C:\Windows\System\QoJImZU.exe
  C:\Windows\System\QoJImZU.exe
  2⤵
  PID:5280
- C:\Windows\System\vAfhEEp.exe
  C:\Windows\System\vAfhEEp.exe
  2⤵
  PID:5336
- C:\Windows\System\DyZbDhG.exe
  C:\Windows\System\DyZbDhG.exe
  2⤵
  PID:5404
- C:\Windows\System\MYXhlOk.exe
  C:\Windows\System\MYXhlOk.exe
  2⤵
  PID:5492
- C:\Windows\System\RocgnWL.exe
  C:\Windows\System\RocgnWL.exe
  2⤵
  PID:5572
- C:\Windows\System\KuXvhlB.exe
  C:\Windows\System\KuXvhlB.exe
  2⤵
  PID:5628
- C:\Windows\System\HKyoezS.exe
  C:\Windows\System\HKyoezS.exe
  2⤵
  PID:5700
- C:\Windows\System\dVnyijd.exe
  C:\Windows\System\dVnyijd.exe
  2⤵
  PID:5764
- C:\Windows\System\ilrWdaR.exe
  C:\Windows\System\ilrWdaR.exe
  2⤵
  PID:5844
- C:\Windows\System\QlvjYEU.exe
  C:\Windows\System\QlvjYEU.exe
  2⤵
  PID:5908
- C:\Windows\System\fqryiQL.exe
  C:\Windows\System\fqryiQL.exe
  2⤵
  PID:6016
- C:\Windows\System\DgYJBXL.exe
  C:\Windows\System\DgYJBXL.exe
  2⤵
  PID:6048
- C:\Windows\System\zWLQsqX.exe
  C:\Windows\System\zWLQsqX.exe
  2⤵
  PID:6112
- C:\Windows\System\dKaLQwV.exe
  C:\Windows\System\dKaLQwV.exe
  2⤵
  PID:5236
- C:\Windows\System\qJxcuvO.exe
  C:\Windows\System\qJxcuvO.exe
  2⤵
  PID:5376
- C:\Windows\System\Moylktg.exe
  C:\Windows\System\Moylktg.exe
  2⤵
  PID:5532
- C:\Windows\System\fheQymY.exe
  C:\Windows\System\fheQymY.exe
  2⤵
  PID:5768
- C:\Windows\System\puDcTXp.exe
  C:\Windows\System\puDcTXp.exe
  2⤵
  PID:5900
- C:\Windows\System\uvuRqQV.exe
  C:\Windows\System\uvuRqQV.exe
  2⤵
  PID:5548
- C:\Windows\System\fFYrqph.exe
  C:\Windows\System\fFYrqph.exe
  2⤵
  PID:6104
- C:\Windows\System\rQKaXgr.exe
  C:\Windows\System\rQKaXgr.exe
  2⤵
  PID:5468
- C:\Windows\System\eNotviq.exe
  C:\Windows\System\eNotviq.exe
  2⤵
  PID:1288
- C:\Windows\System\kOhZDUE.exe
  C:\Windows\System\kOhZDUE.exe
  2⤵
  PID:5148
- C:\Windows\System\eEEJQzZ.exe
  C:\Windows\System\eEEJQzZ.exe
  2⤵
  PID:5996
- C:\Windows\System\Wzragjn.exe
  C:\Windows\System\Wzragjn.exe
  2⤵
  PID:4756
- C:\Windows\System\NAZbrQP.exe
  C:\Windows\System\NAZbrQP.exe
  2⤵
  PID:6176
- C:\Windows\System\gIAKdSt.exe
  C:\Windows\System\gIAKdSt.exe
  2⤵
  PID:6192
- C:\Windows\System\GVfhsYI.exe
  C:\Windows\System\GVfhsYI.exe
  2⤵
  PID:6232
- C:\Windows\System\inJxyOS.exe
  C:\Windows\System\inJxyOS.exe
  2⤵
  PID:6260
- C:\Windows\System\dvsQlmO.exe
  C:\Windows\System\dvsQlmO.exe
  2⤵
  PID:6288
- C:\Windows\System\ZNnXgXz.exe
  C:\Windows\System\ZNnXgXz.exe
  2⤵
  PID:6316
- C:\Windows\System\jLmnFCW.exe
  C:\Windows\System\jLmnFCW.exe
  2⤵
  PID:6348
- C:\Windows\System\ZPTQDcb.exe
  C:\Windows\System\ZPTQDcb.exe
  2⤵
  PID:6372
- C:\Windows\System\RGfKrpt.exe
  C:\Windows\System\RGfKrpt.exe
  2⤵
  PID:6392
- C:\Windows\System\wFZfLJs.exe
  C:\Windows\System\wFZfLJs.exe
  2⤵
  PID:6428
- C:\Windows\System\RPmAaFM.exe
  C:\Windows\System\RPmAaFM.exe
  2⤵
  PID:6452
- C:\Windows\System\uBgqxbT.exe
  C:\Windows\System\uBgqxbT.exe
  2⤵
  PID:6500
- C:\Windows\System\aXjUFWi.exe
  C:\Windows\System\aXjUFWi.exe
  2⤵
  PID:6528
- C:\Windows\System\LvQCfBt.exe
  C:\Windows\System\LvQCfBt.exe
  2⤵
  PID:6564
- C:\Windows\System\KWdlanq.exe
  C:\Windows\System\KWdlanq.exe
  2⤵
  PID:6584
- C:\Windows\System\vhShDbN.exe
  C:\Windows\System\vhShDbN.exe
  2⤵
  PID:6612
- C:\Windows\System\PKbOVju.exe
  C:\Windows\System\PKbOVju.exe
  2⤵
  PID:6648
- C:\Windows\System\kNoLiPU.exe
  C:\Windows\System\kNoLiPU.exe
  2⤵
  PID:6676
- C:\Windows\System\xldnHiA.exe
  C:\Windows\System\xldnHiA.exe
  2⤵
  PID:6692
- C:\Windows\System\VMlpLrq.exe
  C:\Windows\System\VMlpLrq.exe
  2⤵
  PID:6708
- C:\Windows\System\kCVaGmz.exe
  C:\Windows\System\kCVaGmz.exe
  2⤵
  PID:6728
- C:\Windows\System\mYkfFlV.exe
  C:\Windows\System\mYkfFlV.exe
  2⤵
  PID:6744
- C:\Windows\System\dVlhkBv.exe
  C:\Windows\System\dVlhkBv.exe
  2⤵
  PID:6768
- C:\Windows\System\IAhzpXO.exe
  C:\Windows\System\IAhzpXO.exe
  2⤵
  PID:6796
- C:\Windows\System\dIBZVjK.exe
  C:\Windows\System\dIBZVjK.exe
  2⤵
  PID:6828
- C:\Windows\System\snXMrYa.exe
  C:\Windows\System\snXMrYa.exe
  2⤵
  PID:6852
- C:\Windows\System\ceaLYhG.exe
  C:\Windows\System\ceaLYhG.exe
  2⤵
  PID:6876
- C:\Windows\System\bKMyMAk.exe
  C:\Windows\System\bKMyMAk.exe
  2⤵
  PID:6912
- C:\Windows\System\SHsvAQo.exe
  C:\Windows\System\SHsvAQo.exe
  2⤵
  PID:6952
- C:\Windows\System\xXhFpRk.exe
  C:\Windows\System\xXhFpRk.exe
  2⤵
  PID:6992
- C:\Windows\System\VPAvygn.exe
  C:\Windows\System\VPAvygn.exe
  2⤵
  PID:7024
- C:\Windows\System\HVTIuGK.exe
  C:\Windows\System\HVTIuGK.exe
  2⤵
  PID:7048
- C:\Windows\System\DjIZEAu.exe
  C:\Windows\System\DjIZEAu.exe
  2⤵
  PID:7068
- C:\Windows\System\ZqJWCjL.exe
  C:\Windows\System\ZqJWCjL.exe
  2⤵
  PID:7088
- C:\Windows\System\luqhqNR.exe
  C:\Windows\System\luqhqNR.exe
  2⤵
  PID:7116
- C:\Windows\System\lOLAfTM.exe
  C:\Windows\System\lOLAfTM.exe
  2⤵
  PID:7144
- C:\Windows\System\AZslfeL.exe
  C:\Windows\System\AZslfeL.exe
  2⤵
  PID:6172
- C:\Windows\System\yDFAFPU.exe
  C:\Windows\System\yDFAFPU.exe
  2⤵
  PID:6216
- C:\Windows\System\bBEtlqv.exe
  C:\Windows\System\bBEtlqv.exe
  2⤵
  PID:6300
- C:\Windows\System\Zjznitl.exe
  C:\Windows\System\Zjznitl.exe
  2⤵
  PID:6360
- C:\Windows\System\BYJUhkz.exe
  C:\Windows\System\BYJUhkz.exe
  2⤵
  PID:6408
- C:\Windows\System\OtteYkw.exe
  C:\Windows\System\OtteYkw.exe
  2⤵
  PID:6488
- C:\Windows\System\FlWAttp.exe
  C:\Windows\System\FlWAttp.exe
  2⤵
  PID:6548
- C:\Windows\System\RRaFGNq.exe
  C:\Windows\System\RRaFGNq.exe
  2⤵
  PID:6664
- C:\Windows\System\rRmBNiR.exe
  C:\Windows\System\rRmBNiR.exe
  2⤵
  PID:6736
- C:\Windows\System\rWpEdrc.exe
  C:\Windows\System\rWpEdrc.exe
  2⤵
  PID:6872
- C:\Windows\System\aOCAaMq.exe
  C:\Windows\System\aOCAaMq.exe
  2⤵
  PID:6904
- C:\Windows\System\YmghGsQ.exe
  C:\Windows\System\YmghGsQ.exe
  2⤵
  PID:6984
- C:\Windows\System\ibnHKlH.exe
  C:\Windows\System\ibnHKlH.exe
  2⤵
  PID:7012
- C:\Windows\System\xAMbiVg.exe
  C:\Windows\System\xAMbiVg.exe
  2⤵
  PID:7108
- C:\Windows\System\fwZIwAl.exe
  C:\Windows\System\fwZIwAl.exe
  2⤵
  PID:6284
- C:\Windows\System\CBVneuY.exe
  C:\Windows\System\CBVneuY.exe
  2⤵
  PID:6328
- C:\Windows\System\jsauxwk.exe
  C:\Windows\System\jsauxwk.exe
  2⤵
  PID:6624
- C:\Windows\System\Isxxziv.exe
  C:\Windows\System\Isxxziv.exe
  2⤵
  PID:6792
- C:\Windows\System\gYqZfRw.exe
  C:\Windows\System\gYqZfRw.exe
  2⤵
  PID:6724
- C:\Windows\System\xuPkyGU.exe
  C:\Windows\System\xuPkyGU.exe
  2⤵
  PID:6884
- C:\Windows\System\maEJVmf.exe
  C:\Windows\System\maEJVmf.exe
  2⤵
  PID:7136
- C:\Windows\System\RHOzLJO.exe
  C:\Windows\System\RHOzLJO.exe
  2⤵
  PID:6228
- C:\Windows\System\zASmisx.exe
  C:\Windows\System\zASmisx.exe
  2⤵
  PID:4560
- C:\Windows\System\ioJEtwN.exe
  C:\Windows\System\ioJEtwN.exe
  2⤵
  PID:6760
- C:\Windows\System\WdyLTfd.exe
  C:\Windows\System\WdyLTfd.exe
  2⤵
  PID:7140
- C:\Windows\System\nnpoFzp.exe
  C:\Windows\System\nnpoFzp.exe
  2⤵
  PID:7036
- C:\Windows\System\NEYoeVg.exe
  C:\Windows\System\NEYoeVg.exe
  2⤵
  PID:7220
- C:\Windows\System\FPQzZjv.exe
  C:\Windows\System\FPQzZjv.exe
  2⤵
  PID:7240
- C:\Windows\System\QTpqfpu.exe
  C:\Windows\System\QTpqfpu.exe
  2⤵
  PID:7280
- C:\Windows\System\VBTEZMs.exe
  C:\Windows\System\VBTEZMs.exe
  2⤵
  PID:7304
- C:\Windows\System\JuKgqks.exe
  C:\Windows\System\JuKgqks.exe
  2⤵
  PID:7332
- C:\Windows\System\Bqaidhb.exe
  C:\Windows\System\Bqaidhb.exe
  2⤵
  PID:7356
- C:\Windows\System\PLogDvN.exe
  C:\Windows\System\PLogDvN.exe
  2⤵
  PID:7388
- C:\Windows\System\EkwCXQq.exe
  C:\Windows\System\EkwCXQq.exe
  2⤵
  PID:7420
- C:\Windows\System\oPyyhlL.exe
  C:\Windows\System\oPyyhlL.exe
  2⤵
  PID:7448
- C:\Windows\System\EoYRxHx.exe
  C:\Windows\System\EoYRxHx.exe
  2⤵
  PID:7464
- C:\Windows\System\EQxMXZg.exe
  C:\Windows\System\EQxMXZg.exe
  2⤵
  PID:7480
- C:\Windows\System\FnaRGPj.exe
  C:\Windows\System\FnaRGPj.exe
  2⤵
  PID:7512
- C:\Windows\System\CqUJgqx.exe
  C:\Windows\System\CqUJgqx.exe
  2⤵
  PID:7580
- C:\Windows\System\OCYoxfl.exe
  C:\Windows\System\OCYoxfl.exe
  2⤵
  PID:7604
- C:\Windows\System\TbOAzde.exe
  C:\Windows\System\TbOAzde.exe
  2⤵
  PID:7632
- C:\Windows\System\CzlCuay.exe
  C:\Windows\System\CzlCuay.exe
  2⤵
  PID:7672
- C:\Windows\System\FNVClPR.exe
  C:\Windows\System\FNVClPR.exe
  2⤵
  PID:7704
- C:\Windows\System\oKRdgen.exe
  C:\Windows\System\oKRdgen.exe
  2⤵
  PID:7744
- C:\Windows\System\gcifYmL.exe
  C:\Windows\System\gcifYmL.exe
  2⤵
  PID:7772
- C:\Windows\System\SPvpvtc.exe
  C:\Windows\System\SPvpvtc.exe
  2⤵
  PID:7800
- C:\Windows\System\sUYmyso.exe
  C:\Windows\System\sUYmyso.exe
  2⤵
  PID:7828
- C:\Windows\System\itryBbh.exe
  C:\Windows\System\itryBbh.exe
  2⤵
  PID:7844
- C:\Windows\System\VXqpLyU.exe
  C:\Windows\System\VXqpLyU.exe
  2⤵
  PID:7896
- C:\Windows\System\ohcOkrX.exe
  C:\Windows\System\ohcOkrX.exe
  2⤵
  PID:7916
- C:\Windows\System\lxAxENn.exe
  C:\Windows\System\lxAxENn.exe
  2⤵
  PID:7932
- C:\Windows\System\mqcdTLm.exe
  C:\Windows\System\mqcdTLm.exe
  2⤵
  PID:7956
- C:\Windows\System\YqutBFU.exe
  C:\Windows\System\YqutBFU.exe
  2⤵
  PID:7984
- C:\Windows\System\QZrsmFF.exe
  C:\Windows\System\QZrsmFF.exe
  2⤵
  PID:8004
- C:\Windows\System\dKvoyLW.exe
  C:\Windows\System\dKvoyLW.exe
  2⤵
  PID:8040
- C:\Windows\System\NyWSnqJ.exe
  C:\Windows\System\NyWSnqJ.exe
  2⤵
  PID:8060
- C:\Windows\System\eBpzWvP.exe
  C:\Windows\System\eBpzWvP.exe
  2⤵
  PID:8092
- C:\Windows\System\ODfwLBb.exe
  C:\Windows\System\ODfwLBb.exe
  2⤵
  PID:8128
- C:\Windows\System\qRIYXSz.exe
  C:\Windows\System\qRIYXSz.exe
  2⤵
  PID:8148
- C:\Windows\System\VtaYDuk.exe
  C:\Windows\System\VtaYDuk.exe
  2⤵
  PID:8176
- C:\Windows\System\uOXdYGI.exe
  C:\Windows\System\uOXdYGI.exe
  2⤵
  PID:7188
- C:\Windows\System\CniSOze.exe
  C:\Windows\System\CniSOze.exe
  2⤵
  PID:7260
- C:\Windows\System\umjwtiv.exe
  C:\Windows\System\umjwtiv.exe
  2⤵
  PID:7316
- C:\Windows\System\uAJkNuj.exe
  C:\Windows\System\uAJkNuj.exe
  2⤵
  PID:7380
- C:\Windows\System\lthQBvY.exe
  C:\Windows\System\lthQBvY.exe
  2⤵
  PID:7440
- C:\Windows\System\OcpBZLz.exe
  C:\Windows\System\OcpBZLz.exe
  2⤵
  PID:7508
- C:\Windows\System\YSvBmjL.exe
  C:\Windows\System\YSvBmjL.exe
  2⤵
  PID:7596
- C:\Windows\System\lFHXabr.exe
  C:\Windows\System\lFHXabr.exe
  2⤵
  PID:7688
- C:\Windows\System\ZdTVwHT.exe
  C:\Windows\System\ZdTVwHT.exe
  2⤵
  PID:7768
- C:\Windows\System\JWOImaU.exe
  C:\Windows\System\JWOImaU.exe
  2⤵
  PID:7824
- C:\Windows\System\URbrJNO.exe
  C:\Windows\System\URbrJNO.exe
  2⤵
  PID:7884
- C:\Windows\System\FiTETPb.exe
  C:\Windows\System\FiTETPb.exe
  2⤵
  PID:7976
- C:\Windows\System\JCrzUkl.exe
  C:\Windows\System\JCrzUkl.exe
  2⤵
  PID:8028
- C:\Windows\System\NFfAndj.exe
  C:\Windows\System\NFfAndj.exe
  2⤵
  PID:8072
- C:\Windows\System\XYCNPZq.exe
  C:\Windows\System\XYCNPZq.exe
  2⤵
  PID:8120
- C:\Windows\System\oHFAuQF.exe
  C:\Windows\System\oHFAuQF.exe
  2⤵
  PID:8184
- C:\Windows\System\PujlGGM.exe
  C:\Windows\System\PujlGGM.exe
  2⤵
  PID:2448
- C:\Windows\System\biGCYAk.exe
  C:\Windows\System\biGCYAk.exe
  2⤵
  PID:7348
- C:\Windows\System\gzJIzbz.exe
  C:\Windows\System\gzJIzbz.exe
  2⤵
  PID:3956
- C:\Windows\System\ZFUXTth.exe
  C:\Windows\System\ZFUXTth.exe
  2⤵
  PID:7728
- C:\Windows\System\rAVwyZP.exe
  C:\Windows\System\rAVwyZP.exe
  2⤵
  PID:7928
- C:\Windows\System\TjEabSO.exe
  C:\Windows\System\TjEabSO.exe
  2⤵
  PID:7996
- C:\Windows\System\ksOyDfL.exe
  C:\Windows\System\ksOyDfL.exe
  2⤵
  PID:8144
- C:\Windows\System\wiafhAJ.exe
  C:\Windows\System\wiafhAJ.exe
  2⤵
  PID:7248
- C:\Windows\System\bIJNUMj.exe
  C:\Windows\System\bIJNUMj.exe
  2⤵
  PID:7412
- C:\Windows\System\fseHxmC.exe
  C:\Windows\System\fseHxmC.exe
  2⤵
  PID:7792
- C:\Windows\System\puidmdm.exe
  C:\Windows\System\puidmdm.exe
  2⤵
  PID:8000
- C:\Windows\System\VRttSbh.exe
  C:\Windows\System\VRttSbh.exe
  2⤵
  PID:3372
- C:\Windows\System\rgjdqtw.exe
  C:\Windows\System\rgjdqtw.exe
  2⤵
  PID:7968
- C:\Windows\System\vPsLiEO.exe
  C:\Windows\System\vPsLiEO.exe
  2⤵
  PID:8204
- C:\Windows\System\sUVIVeK.exe
  C:\Windows\System\sUVIVeK.exe
  2⤵
  PID:8232
- C:\Windows\System\FjoDnXX.exe
  C:\Windows\System\FjoDnXX.exe
  2⤵
  PID:8296
- C:\Windows\System\GEmsMhA.exe
  C:\Windows\System\GEmsMhA.exe
  2⤵
  PID:8328
- C:\Windows\System\yIHgOGG.exe
  C:\Windows\System\yIHgOGG.exe
  2⤵
  PID:8368
- C:\Windows\System\QiomouE.exe
  C:\Windows\System\QiomouE.exe
  2⤵
  PID:8396
- C:\Windows\System\MiUOejv.exe
  C:\Windows\System\MiUOejv.exe
  2⤵
  PID:8428
- C:\Windows\System\nnXnZdt.exe
  C:\Windows\System\nnXnZdt.exe
  2⤵
  PID:8464
- C:\Windows\System\wXLtFXt.exe
  C:\Windows\System\wXLtFXt.exe
  2⤵
  PID:8488
- C:\Windows\System\VlPHrPT.exe
  C:\Windows\System\VlPHrPT.exe
  2⤵
  PID:8520
- C:\Windows\System\cYvTifb.exe
  C:\Windows\System\cYvTifb.exe
  2⤵
  PID:8556
- C:\Windows\System\KoHggDG.exe
  C:\Windows\System\KoHggDG.exe
  2⤵
  PID:8592
- C:\Windows\System\BuTynFZ.exe
  C:\Windows\System\BuTynFZ.exe
  2⤵
  PID:8620
- C:\Windows\System\yPhempX.exe
  C:\Windows\System\yPhempX.exe
  2⤵
  PID:8656
- C:\Windows\System\FckwvXm.exe
  C:\Windows\System\FckwvXm.exe
  2⤵
  PID:8688
- C:\Windows\System\WKrQIKC.exe
  C:\Windows\System\WKrQIKC.exe
  2⤵
  PID:8724
- C:\Windows\System\vRjugUX.exe
  C:\Windows\System\vRjugUX.exe
  2⤵
  PID:8744
- C:\Windows\System\veVFQkq.exe
  C:\Windows\System\veVFQkq.exe
  2⤵
  PID:8772
- C:\Windows\System\HOvUgGF.exe
  C:\Windows\System\HOvUgGF.exe
  2⤵
  PID:8812
- C:\Windows\System\CcUelEM.exe
  C:\Windows\System\CcUelEM.exe
  2⤵
  PID:8848
- C:\Windows\System\kGUtNSP.exe
  C:\Windows\System\kGUtNSP.exe
  2⤵
  PID:8892
- C:\Windows\System\wrFCxWJ.exe
  C:\Windows\System\wrFCxWJ.exe
  2⤵
  PID:8912
- C:\Windows\System\rseScBb.exe
  C:\Windows\System\rseScBb.exe
  2⤵
  PID:8940
- C:\Windows\System\IoXYAPh.exe
  C:\Windows\System\IoXYAPh.exe
  2⤵
  PID:8972
- C:\Windows\System\NBalapu.exe
  C:\Windows\System\NBalapu.exe
  2⤵
  PID:9016
- C:\Windows\System\xxaEtRh.exe
  C:\Windows\System\xxaEtRh.exe
  2⤵
  PID:9056
- C:\Windows\System\mwXbIvf.exe
  C:\Windows\System\mwXbIvf.exe
  2⤵
  PID:9096
- C:\Windows\System\aGAcUSq.exe
  C:\Windows\System\aGAcUSq.exe
  2⤵
  PID:9128
- C:\Windows\System\xBrcApy.exe
  C:\Windows\System\xBrcApy.exe
  2⤵
  PID:9172
- C:\Windows\System\feCCEyb.exe
  C:\Windows\System\feCCEyb.exe
  2⤵
  PID:9188
- C:\Windows\System\gAoPEzA.exe
  C:\Windows\System\gAoPEzA.exe
  2⤵
  PID:1136
- C:\Windows\System\lRcDDQi.exe
  C:\Windows\System\lRcDDQi.exe
  2⤵
  PID:8136
- C:\Windows\System\FqzTwKW.exe
  C:\Windows\System\FqzTwKW.exe
  2⤵
  PID:8228
- C:\Windows\System\GgmwdKq.exe
  C:\Windows\System\GgmwdKq.exe
  2⤵
  PID:8320
- C:\Windows\System\wcjIIXT.exe
  C:\Windows\System\wcjIIXT.exe
  2⤵
  PID:8404
- C:\Windows\System\UDOTaoV.exe
  C:\Windows\System\UDOTaoV.exe
  2⤵
  PID:8480
- C:\Windows\System\fqFLcmg.exe
  C:\Windows\System\fqFLcmg.exe
  2⤵
  PID:8508
- C:\Windows\System\AWyKCgO.exe
  C:\Windows\System\AWyKCgO.exe
  2⤵
  PID:8540
- C:\Windows\System\HXrTlYw.exe
  C:\Windows\System\HXrTlYw.exe
  2⤵
  PID:7880
- C:\Windows\System\fghsvmO.exe
  C:\Windows\System\fghsvmO.exe
  2⤵
  PID:8616
- C:\Windows\System\HMMSBAX.exe
  C:\Windows\System\HMMSBAX.exe
  2⤵
  PID:8696
- C:\Windows\System\twqHRSK.exe
  C:\Windows\System\twqHRSK.exe
  2⤵
  PID:8764
- C:\Windows\System\ueieBuJ.exe
  C:\Windows\System\ueieBuJ.exe
  2⤵
  PID:8836
- C:\Windows\System\OLWQwhu.exe
  C:\Windows\System\OLWQwhu.exe
  2⤵
  PID:8932
- C:\Windows\System\nnorFDD.exe
  C:\Windows\System\nnorFDD.exe
  2⤵
  PID:468
- C:\Windows\System\ogDHkyc.exe
  C:\Windows\System\ogDHkyc.exe
  2⤵
  PID:9080
- C:\Windows\System\whqdOEr.exe
  C:\Windows\System\whqdOEr.exe
  2⤵
  PID:9164
- C:\Windows\System\FesZvbN.exe
  C:\Windows\System\FesZvbN.exe
  2⤵
  PID:8216
- C:\Windows\System\cvjgdXm.exe
  C:\Windows\System\cvjgdXm.exe
  2⤵
  PID:8420
- C:\Windows\System\rPCnhUR.exe
  C:\Windows\System\rPCnhUR.exe
  2⤵
  PID:8736
- C:\Windows\System\ynYQqUl.exe
  C:\Windows\System\ynYQqUl.exe
  2⤵
  PID:8672
- C:\Windows\System\AetljRv.exe
  C:\Windows\System\AetljRv.exe
  2⤵
  PID:8928
- C:\Windows\System\QCwTffe.exe
  C:\Windows\System\QCwTffe.exe
  2⤵
  PID:9156
- C:\Windows\System\XRMAiqO.exe
  C:\Windows\System\XRMAiqO.exe
  2⤵
  PID:4184
- C:\Windows\System\ISLOBok.exe
  C:\Windows\System\ISLOBok.exe
  2⤵
  PID:208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\MRXTVKI.exe

Filesize
2.1MB

MD5
b0b95a5780d03be79e6a59f4b813b962

SHA1
bec380589bbfc012116204637672f91df126da86

SHA256
524d1af26909498421cd5c5390c73971b9cdbcf33e1fd17b96a70e90f1ba44ae

SHA512
66f0bd3b7cfb99cdff1c8348024abd0c153002f559a3b545bb9f77dafe0d35d1f8b4344a0157186e90c737272fea6e95352f1a652949b6d3ec1fad6aeb9da25e

Download Submit
C:\Windows\System\NjcJwsi.exe

Filesize
1.8MB

MD5
eb08e4df424f191a033ad06f25e8f874

SHA1
7b8d162af590c1aa9dfd49d89d5b19f3df55ddc2

SHA256
24228c903750dd4a07c59364a6eeafcde22c71311b113e7e14b271cbba1b7f36

SHA512
47395ce1b450e36e275f4e7aab9f5142236c7f77425a04c32280c65c80abd05370bb2599353205b164c2422d7eb6c1107436c9066d09ec32faec3473ddbf32b1

Download Submit
C:\Windows\System\RbzYWAD.exe

Filesize
1.9MB

MD5
fb778e5ee088c0dc02bba2d19d313516

SHA1
8f59b61624148c2cdacfaf4b191dd39fab5f1be8

SHA256
354c9f9998184ca8cf0827d0fbe12994bafd494f58ea2e141d1ed813e932929b

SHA512
823590498286d682d22eef3a0ceac9859517808b71c4a6fb594c7978e2149f869e063ff6bebb930bd4275b3d4cf2aaaf0fb6dc19ccdbf95efa28162b8dea354d

Download Submit
C:\Windows\System\WIBrQUe.exe

Filesize
1.9MB

MD5
44e2b4654c227c157a5d347a151a2441

SHA1
10509bc62df2cb270560145339ebdada812e7090

SHA256
44a3809065ef8f172473cae1796ee1efafb9af200a89a9cb85f8c2da1d079294

SHA512
4663c875764a2552fbd618502284a5149d08772ac3b06f208d82dd89d33da43c25ba3e68b8550290a892533f868b69fedfabbf02b17d8a2a8aad226818e2a56a

Download Submit
C:\Windows\System\dAJhnEO.exe

Filesize
2.1MB

MD5
5ec0b8e78c894a8e9f3b953440fe736c

SHA1
45997bada30341247ba2f23b6b42cc9aa6f6562d

SHA256
d594d87976a40cd97069480793d101c8a0921ef87acf1044adc8ea1cc810d1d6

SHA512
ae5bd232574ca31311964ddd2ab4601d84176964d3f732a07ceb62121df81474f7e2a662359862be14effb1a6771b55cc7c35a7c6468c16dcd40a5314af90699

Download Submit
C:\Windows\System\fpFJUCf.exe

Filesize
2.1MB

MD5
55d494c3ab1ad7133dc754ad3badceef

SHA1
c194a19f45c9e4a47d25d58e72e95404f93b1176

SHA256
9c051ab04651a8ef76f69f47c559a5376bca8c1d93a700a4af2e71ac6f879c57

SHA512
26294ef7aaaf27ad1a057201c010679dc735d6c9fc4cd8f1de2ef56dbbae3dfdb6c6ff06eeb8f312a7e77f6d22087559c6f12e78bbf7331797b5a45100c64603

Download Submit
C:\Windows\System\iRTINzy.exe

Filesize
2.1MB

MD5
d0cb7ddacda10e9dd2c6fd9ebb274572

SHA1
28ab157b130730bf4da1cc7434a74d6b324a36e9

SHA256
7b2ee01c836fe86cec65388b1b669208927f0f8e8af172e345e5850b34aa4dcb

SHA512
0a49e0fd433680a2ae40eecb22c49bd25a1e22bb7c7172f75155985292a474e679d40bf3f245e6799cf2b3af3b69f263a5f3acd1253abec79d286038641cc50e

Download Submit
C:\Windows\System\mQQbVwL.exe

Filesize
1.2MB

MD5
cd5ef36ef03eac2b20cce67daca8e60e

SHA1
78ffe5bdf11fd5c1af061891a6f825c7e6d5971e

SHA256
c9394411c09cedeb6199f3ce46bf92c0c6fd19fa68844008591c10a1cf195974

SHA512
5806b974fa088e66d040826bc66b929a74fa0017878d780c1b5daeca898125a6d7965ed63fbdb5f892a98e1909fc8fae29ef3faa316e6f8db54adbdaa8571a2a

Download Submit
C:\Windows\System\mUyWVRk.exe

Filesize
2.1MB

MD5
083476d8f99e9b6e62f6304746f5cd36

SHA1
d78eb3625d63f19b4a7d66550899cc73e88108d0

SHA256
8680f17be68b9f0285441e97de54a8223bdb1bb05a7b2b61b76a26307a9f936c

SHA512
3de7346a22c63f62d0801d49d51237860f42d7439f37ea649e6bd7701d3002f0f7eb156ec0bf0ec7629971f761e04ad6f8d5513591c2d62993fd653c13743972

Download Submit
C:\Windows\System\nwpGppX.exe

Filesize
2.1MB

MD5
abaa832ef52683b57deb7aa379e4b64b

SHA1
5d27e190c7b62dba46044ecd68264b97ef606b32

SHA256
3619986b0656dbb00a209cc818d542b2034a0f3dd444a8911f48fa86f261d715

SHA512
f0d9c0a09f8e0740d72ad7a356d7ffd4f1d9ca545cc2d67234eaddaa273c881e1a41d148dde103fbd30cbb1617c756624367f6eb65fa05b3c3e610f68381667e

Download Submit
C:\Windows\System\qzfAyQA.exe

Filesize
2.1MB

MD5
d5f8fde12f36c7fd147451f33ed6261c

SHA1
f218ab457599f5e2fcb412e9391c18eaae57a576

SHA256
c3bdcf4d708e91b8fa79cac3f9cb10b4a001f61750291097dcf406455c71c37c

SHA512
7b431d87e76d966033fa97e3b05f3b82732cec5eb0c513cd8a34cb139058f02a4048143d826fe1407a5ba65fe83d7843659e68b4ea145f383770ce2a208a7d3b

Download Submit
C:\Windows\System\qzfAyQA.exe

Filesize
1.6MB

MD5
402a2952d8f8e806dd2c302e37dd7553

SHA1
cfdc97b8353c35ebc6c04ea04b759539c283f208

SHA256
81ae49e606caca6d1b5248ba08545dd565e286f11657bb656d502da8a4a49ae3

SHA512
45fb7faac9022b883ca18f96998912681a7d486b14ed567582df49f4cd619990057f9a556bac12532b55b70b7f8492ac1ca3b7ce3997a16e6e649c1cab3d44d1

Download Submit
C:\Windows\System\sftjkxU.exe

Filesize
448KB

MD5
0642442db4acbbfb6037e06789624264

SHA1
923aee440a6887c7a7a8a78085aa492b2cdcee65

SHA256
5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85

SHA512
7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

Download Submit
C:\Windows\System\zexNvsv.exe

Filesize
1.7MB

MD5
8a44452e4020a5690bdb5ab4b9423a30

SHA1
4c411a1c72f814994199ff87e2b15a023e8ec369

SHA256
11f8d90029978b95c0d172136a1a1e9fd350b1531c027ef2956a436ecc0f23c2

SHA512
1c509b1048697ea0666b458b36ab55ba466e8cf34835bddc820597e47ba06b780c081d40ee741e43ebc310617f51bf86b8181cac038f5b71669b77caa09bad01

Download Submit
memory/396-1080-0x00007FF6D1F00000-0x00007FF6D2254000-memory.dmp

Filesize
3.3MB

Download
memory/396-44-0x00007FF6D1F00000-0x00007FF6D2254000-memory.dmp

Filesize
3.3MB

Download
memory/404-181-0x00007FF6C8D90000-0x00007FF6C90E4000-memory.dmp

Filesize
3.3MB

Download
memory/404-1094-0x00007FF6C8D90000-0x00007FF6C90E4000-memory.dmp

Filesize
3.3MB

Download
memory/436-28-0x00007FF7A2130000-0x00007FF7A2484000-memory.dmp

Filesize
3.3MB

Download
memory/436-1079-0x00007FF7A2130000-0x00007FF7A2484000-memory.dmp

Filesize
3.3MB

Download
memory/456-11-0x00007FF6402E0000-0x00007FF640634000-memory.dmp

Filesize
3.3MB

Download
memory/456-1077-0x00007FF6402E0000-0x00007FF640634000-memory.dmp

Filesize
3.3MB

Download
memory/456-1071-0x00007FF6402E0000-0x00007FF640634000-memory.dmp

Filesize
3.3MB

Download
memory/464-1088-0x00007FF711400000-0x00007FF711754000-memory.dmp

Filesize
3.3MB

Download
memory/464-1075-0x00007FF711400000-0x00007FF711754000-memory.dmp

Filesize
3.3MB

Download
memory/464-77-0x00007FF711400000-0x00007FF711754000-memory.dmp

Filesize
3.3MB

Download
memory/1112-1091-0x00007FF792E30000-0x00007FF793184000-memory.dmp

Filesize
3.3MB

Download
memory/1112-218-0x00007FF792E30000-0x00007FF793184000-memory.dmp

Filesize
3.3MB

Download
memory/1116-1096-0x00007FF778C80000-0x00007FF778FD4000-memory.dmp

Filesize
3.3MB

Download
memory/1116-225-0x00007FF778C80000-0x00007FF778FD4000-memory.dmp

Filesize
3.3MB

Download
memory/1212-1070-0x00007FF7BAEF0000-0x00007FF7BB244000-memory.dmp

Filesize
3.3MB

Download
memory/1212-1-0x00000201BF7D0000-0x00000201BF7E0000-memory.dmp

Filesize
64KB

Download
memory/1212-0-0x00007FF7BAEF0000-0x00007FF7BB244000-memory.dmp

Filesize
3.3MB

Download
memory/1488-215-0x00007FF7AE830000-0x00007FF7AEB84000-memory.dmp

Filesize
3.3MB

Download
memory/1488-1101-0x00007FF7AE830000-0x00007FF7AEB84000-memory.dmp

Filesize
3.3MB

Download
memory/1704-153-0x00007FF6BCE80000-0x00007FF6BD1D4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-1097-0x00007FF6BCE80000-0x00007FF6BD1D4000-memory.dmp

Filesize
3.3MB

Download
memory/1740-1104-0x00007FF7BEF50000-0x00007FF7BF2A4000-memory.dmp

Filesize
3.3MB

Download
memory/1740-233-0x00007FF7BEF50000-0x00007FF7BF2A4000-memory.dmp

Filesize
3.3MB

Download
memory/1904-1072-0x00007FF7F23E0000-0x00007FF7F2734000-memory.dmp

Filesize
3.3MB

Download
memory/1904-1078-0x00007FF7F23E0000-0x00007FF7F2734000-memory.dmp

Filesize
3.3MB

Download
memory/1904-14-0x00007FF7F23E0000-0x00007FF7F2734000-memory.dmp

Filesize
3.3MB

Download
memory/2096-1102-0x00007FF79A4B0000-0x00007FF79A804000-memory.dmp

Filesize
3.3MB

Download
memory/2096-205-0x00007FF79A4B0000-0x00007FF79A804000-memory.dmp

Filesize
3.3MB

Download
memory/2512-1090-0x00007FF7F34D0000-0x00007FF7F3824000-memory.dmp

Filesize
3.3MB

Download
memory/2512-127-0x00007FF7F34D0000-0x00007FF7F3824000-memory.dmp

Filesize
3.3MB

Download
memory/3084-148-0x00007FF640A40000-0x00007FF640D94000-memory.dmp

Filesize
3.3MB

Download
memory/3084-1089-0x00007FF640A40000-0x00007FF640D94000-memory.dmp

Filesize
3.3MB

Download
memory/3296-1086-0x00007FF7644B0000-0x00007FF764804000-memory.dmp

Filesize
3.3MB

Download
memory/3296-1074-0x00007FF7644B0000-0x00007FF764804000-memory.dmp

Filesize
3.3MB

Download
memory/3296-65-0x00007FF7644B0000-0x00007FF764804000-memory.dmp

Filesize
3.3MB

Download
memory/3528-36-0x00007FF66E180000-0x00007FF66E4D4000-memory.dmp

Filesize
3.3MB

Download
memory/3528-1073-0x00007FF66E180000-0x00007FF66E4D4000-memory.dmp

Filesize
3.3MB

Download
memory/3528-1081-0x00007FF66E180000-0x00007FF66E4D4000-memory.dmp

Filesize
3.3MB

Download
memory/3596-194-0x00007FF7536C0000-0x00007FF753A14000-memory.dmp

Filesize
3.3MB

Download
memory/3596-1099-0x00007FF7536C0000-0x00007FF753A14000-memory.dmp

Filesize
3.3MB

Download
memory/3612-219-0x00007FF74D800000-0x00007FF74DB54000-memory.dmp

Filesize
3.3MB

Download
memory/3612-1095-0x00007FF74D800000-0x00007FF74DB54000-memory.dmp

Filesize
3.3MB

Download
memory/3700-99-0x00007FF7BA730000-0x00007FF7BAA84000-memory.dmp

Filesize
3.3MB

Download
memory/3700-1083-0x00007FF7BA730000-0x00007FF7BAA84000-memory.dmp

Filesize
3.3MB

Download
memory/4024-180-0x00007FF7D0720000-0x00007FF7D0A74000-memory.dmp

Filesize
3.3MB

Download
memory/4024-1092-0x00007FF7D0720000-0x00007FF7D0A74000-memory.dmp

Filesize
3.3MB

Download
memory/4292-202-0x00007FF655D10000-0x00007FF656064000-memory.dmp

Filesize
3.3MB

Download
memory/4292-1100-0x00007FF655D10000-0x00007FF656064000-memory.dmp

Filesize
3.3MB

Download
memory/4308-1087-0x00007FF6B1630000-0x00007FF6B1984000-memory.dmp

Filesize
3.3MB

Download
memory/4308-89-0x00007FF6B1630000-0x00007FF6B1984000-memory.dmp

Filesize
3.3MB

Download
memory/4324-1085-0x00007FF7F0C80000-0x00007FF7F0FD4000-memory.dmp

Filesize
3.3MB

Download
memory/4324-114-0x00007FF7F0C80000-0x00007FF7F0FD4000-memory.dmp

Filesize
3.3MB

Download
memory/4488-1103-0x00007FF6757C0000-0x00007FF675B14000-memory.dmp

Filesize
3.3MB

Download
memory/4488-236-0x00007FF6757C0000-0x00007FF675B14000-memory.dmp

Filesize
3.3MB

Download
memory/4592-164-0x00007FF7285B0000-0x00007FF728904000-memory.dmp

Filesize
3.3MB

Download
memory/4592-1093-0x00007FF7285B0000-0x00007FF728904000-memory.dmp

Filesize
3.3MB

Download
memory/4616-1105-0x00007FF60FCF0000-0x00007FF610044000-memory.dmp

Filesize
3.3MB

Download
memory/4616-217-0x00007FF60FCF0000-0x00007FF610044000-memory.dmp

Filesize
3.3MB

Download
memory/4844-47-0x00007FF6630F0000-0x00007FF663444000-memory.dmp

Filesize
3.3MB

Download
memory/4844-1076-0x00007FF6630F0000-0x00007FF663444000-memory.dmp

Filesize
3.3MB

Download
memory/4844-1084-0x00007FF6630F0000-0x00007FF663444000-memory.dmp

Filesize
3.3MB

Download
memory/4940-188-0x00007FF7206B0000-0x00007FF720A04000-memory.dmp

Filesize
3.3MB

Download
memory/4940-1098-0x00007FF7206B0000-0x00007FF720A04000-memory.dmp

Filesize
3.3MB

Download
memory/5036-56-0x00007FF656BD0000-0x00007FF656F24000-memory.dmp

Filesize
3.3MB

Download
memory/5036-1082-0x00007FF656BD0000-0x00007FF656F24000-memory.dmp

Filesize
3.3MB

Download