kpot | 89a9f1a641111862413500b33cb42e99cb5c49140a4123a568fbd6225c64b238

Analysis

max time kernel
140s
max time network
159s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
Size

2.3MB
MD5

2b21c3b0ddabfedb9c00308312406ed0
SHA1

fe76339d3a97caea366c9d0c3f6ad9b61cf7b6c1
SHA256

89a9f1a641111862413500b33cb42e99cb5c49140a4123a568fbd6225c64b238
SHA512

81b111fb0630f507c66e1dc6865c73b81df8bf753a0a1a8cab00c77a03e11edeb01aa4b2794c60078dd3d01d0983c1a93e0217c9c064ce96b62faf6b23e6cf9e
SSDEEP

49152:BezaTF8FcNkNdfE0pZ9ozt4wIC5aIwC+Agr6SNvFMs+4R:BemTLkNdfE0pZrwS

Score

10^/10

kpot xmrig miner stealer trojan upx

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 5 IoCs

resource	yara_rule
behavioral1/files/0x000800000001739d-51.dat	family_kpot
behavioral1/files/0x000500000001874c-141.dat	family_kpot
behavioral1/files/0x00050000000191ed-164.dat	family_kpot
behavioral1/files/0x000500000001874a-124.dat	family_kpot
behavioral1/files/0x0007000000016cb2-34.dat	family_kpot

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 33 IoCs

miner

resource	yara_rule
behavioral1/memory/2016-0-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/files/0x000800000001739d-51.dat	xmrig
behavioral1/memory/2660-115-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/2340-142-0x000000013FD80000-0x00000001400D4000-memory.dmp	xmrig
behavioral1/files/0x000500000001874c-141.dat	xmrig
behavioral1/files/0x00050000000191ed-164.dat	xmrig
behavioral1/files/0x0005000000019235-175.dat	xmrig
behavioral1/files/0x0005000000019331-184.dat	xmrig
behavioral1/files/0x00050000000191ed-148.dat	xmrig
behavioral1/files/0x0005000000019233-162.dat	xmrig
behavioral1/memory/3044-131-0x000000013FA00000-0x000000013FD54000-memory.dmp	xmrig
behavioral1/files/0x000500000001874a-124.dat	xmrig
behavioral1/memory/2564-112-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/memory/1456-88-0x000000013F320000-0x000000013F674000-memory.dmp	xmrig
behavioral1/memory/2524-78-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/files/0x000600000001744c-59.dat	xmrig
behavioral1/files/0x0007000000016cb2-34.dat	xmrig
behavioral1/memory/2916-22-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/2016-1067-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/memory/2868-1073-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
behavioral1/memory/2916-1074-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/2564-1075-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/memory/2660-1078-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/2588-1081-0x000000013F490000-0x000000013F7E4000-memory.dmp	xmrig
behavioral1/memory/2396-1082-0x000000013FC90000-0x000000013FFE4000-memory.dmp	xmrig
behavioral1/memory/3044-1084-0x000000013FA00000-0x000000013FD54000-memory.dmp	xmrig
behavioral1/memory/2524-1083-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/memory/1456-1085-0x000000013F320000-0x000000013F674000-memory.dmp	xmrig
behavioral1/memory/2340-1086-0x000000013FD80000-0x00000001400D4000-memory.dmp	xmrig
behavioral1/memory/2132-1080-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/memory/2728-1079-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/memory/2576-1077-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/memory/2480-1076-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2868	ICBjFjE.exe
2916	OVHePUa.exe
2564	SylLtsn.exe
2480	zWnJtyh.exe
2576	aEheefC.exe
2660	eLJfYVG.exe
2728	nxjtHKx.exe
2132	Yhmuqed.exe
2588	SPNqBoC.exe
2396	IJxQzfu.exe
2524	rzvtQbY.exe
3044	wbGrErM.exe
1456	YcmhKgH.exe
2340	WuQIXNN.exe
2600	CZpYpWO.exe
2680	zeRSAzj.exe
1444	rlrDJkU.exe
288	JovfxYz.exe
1848	FHiTpSx.exe
1584	ihWbYCP.exe
1944	ZExzcVM.exe
1532	rrrsOEn.exe
2272	BThIIre.exe
2176	teDNFWt.exe
672	WnrAKTX.exe
340	fZDcXSO.exe
580	jThYKco.exe
1992	mxqMtAE.exe
1740	FpIlvnP.exe
2784	HSwFqyH.exe
1876	CzJNygL.exe
2252	RFBovJE.exe
2320	gXKGEGP.exe
2932	WAWWhyS.exe
2636	PcBOyVt.exe
1716	fspZEmi.exe
1608	jmdQYwV.exe
1720	NdMSvuv.exe
1800	dvddQKw.exe
548	ilhXpNT.exe
1652	jLtmbMm.exe
764	LpQHCRZ.exe
1068	kwCbviH.exe
1912	mpoIOWX.exe
2828	bzaACYT.exe
2108	lNmKhpR.exe
1656	jVhkrRP.exe
812	frQkypf.exe
3008	YxhafwG.exe
3016	IYQjVJC.exe
2164	LoGAOAn.exe
1036	JOwvWYi.exe
2232	jvtcZIr.exe
2052	usPbFWb.exe
1540	sThfMkt.exe
1544	PFRDDJj.exe
2496	ZlaCVKE.exe
2360	gZzcWOw.exe
2380	AKXRKhQ.exe
2500	aRXwbaH.exe
2356	hnSIAXr.exe
2428	ouADRTS.exe
1692	LPSWYRj.exe
1388	UyyYjkr.exe

Loads dropped DLL 64 IoCs

pid	Process
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2016-0-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/files/0x000c000000013ab9-5.dat	upx
behavioral1/files/0x00310000000165f0-12.dat	upx
behavioral1/files/0x0007000000016c42-19.dat	upx
behavioral1/files/0x000800000001739d-51.dat	upx
behavioral1/memory/2132-64-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/memory/2588-72-0x000000013F490000-0x000000013F7E4000-memory.dmp	upx
behavioral1/memory/2480-114-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/memory/2660-115-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/files/0x000500000001874a-127.dat	upx
behavioral1/files/0x0030000000016813-135.dat	upx
behavioral1/memory/2340-142-0x000000013FD80000-0x00000001400D4000-memory.dmp	upx
behavioral1/files/0x000500000001874c-141.dat	upx
behavioral1/files/0x00050000000191ed-164.dat	upx
behavioral1/files/0x0005000000019235-175.dat	upx
behavioral1/files/0x0005000000019331-184.dat	upx
behavioral1/files/0x0005000000019331-186.dat	upx
behavioral1/files/0x00050000000191ed-148.dat	upx
behavioral1/files/0x0005000000019233-162.dat	upx
behavioral1/memory/3044-131-0x000000013FA00000-0x000000013FD54000-memory.dmp	upx
behavioral1/memory/2396-129-0x000000013FC90000-0x000000013FFE4000-memory.dmp	upx
behavioral1/files/0x000500000001874a-124.dat	upx
behavioral1/memory/2564-112-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
behavioral1/memory/1456-88-0x000000013F320000-0x000000013F674000-memory.dmp	upx
behavioral1/files/0x001500000001863c-86.dat	upx
behavioral1/files/0x001500000001863c-84.dat	upx
behavioral1/memory/2524-78-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/files/0x000600000001744c-59.dat	upx
behavioral1/memory/2728-54-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/memory/2576-47-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/files/0x0007000000016cb2-34.dat	upx
behavioral1/memory/2916-22-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2868-14-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/memory/2016-1067-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/memory/2868-1073-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/memory/2916-1074-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2564-1075-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
behavioral1/memory/2660-1078-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/2588-1081-0x000000013F490000-0x000000013F7E4000-memory.dmp	upx
behavioral1/memory/2396-1082-0x000000013FC90000-0x000000013FFE4000-memory.dmp	upx
behavioral1/memory/3044-1084-0x000000013FA00000-0x000000013FD54000-memory.dmp	upx
behavioral1/memory/2524-1083-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/memory/1456-1085-0x000000013F320000-0x000000013F674000-memory.dmp	upx
behavioral1/memory/2340-1086-0x000000013FD80000-0x00000001400D4000-memory.dmp	upx
behavioral1/memory/2132-1080-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/memory/2728-1079-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/memory/2576-1077-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/memory/2480-1076-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\rDffuYH.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\CREcegS.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\uVVZiCk.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\rlykLcP.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\HXNgFxJ.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\gByZnrO.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\XhYhSAN.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\woWaLGZ.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\LKsuyKh.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\uAODWbl.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\mHzBZYM.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\xZQEBqu.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\RYAWniq.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\AFdPgRZ.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\uzfuOZh.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\fErwrro.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\CZpYpWO.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\xwiJHBU.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\LMMnTGS.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\XuqUyKr.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\nLORZfg.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\YrevORi.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\FhtEnhN.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\TacwtIy.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\VRyKKgy.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\tcEEHMj.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\HHwnwQV.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\EEEetki.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\zzEyIfL.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\yBudnvB.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\uYwqiKT.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\BfasmMj.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\KQhcEMA.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\JWTkNzA.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\wIhmucr.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\fdqfQyO.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\PAokwrf.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\SBhQtMO.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\NEpOJQa.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\DkATFiv.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\FpIlvnP.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\FJQMweR.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\UxOpGVI.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\uWcnXpx.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\wUUpcDw.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\SVJGmut.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\DYcujOL.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\sHbdtwo.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\QHIWCPH.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\ZZzZkgP.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\PcsOVDi.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\TZQlNdo.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\EaCjTDB.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\mHjfFNv.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\AKXRKhQ.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\pvrxvCs.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\yEmMtHN.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\rVXOVtD.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\yqBRmZe.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\lBThIMi.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\SPNqBoC.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\UyyYjkr.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\WAWWhyS.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
File created	C:\Windows\System\bQqRgBZ.exe	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2868	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	29
PID 2016 wrote to memory of 2868	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	29
PID 2016 wrote to memory of 2868	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	29
PID 2016 wrote to memory of 2916	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	30
PID 2016 wrote to memory of 2916	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	30
PID 2016 wrote to memory of 2916	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	30
PID 2016 wrote to memory of 2564	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	31
PID 2016 wrote to memory of 2564	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	31
PID 2016 wrote to memory of 2564	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	31
PID 2016 wrote to memory of 2576	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	32
PID 2016 wrote to memory of 2576	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	32
PID 2016 wrote to memory of 2576	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	32
PID 2016 wrote to memory of 2480	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	33
PID 2016 wrote to memory of 2480	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	33
PID 2016 wrote to memory of 2480	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	33
PID 2016 wrote to memory of 2660	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	34
PID 2016 wrote to memory of 2660	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	34
PID 2016 wrote to memory of 2660	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	34
PID 2016 wrote to memory of 2728	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	35
PID 2016 wrote to memory of 2728	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	35
PID 2016 wrote to memory of 2728	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	35
PID 2016 wrote to memory of 2132	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	36
PID 2016 wrote to memory of 2132	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	36
PID 2016 wrote to memory of 2132	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	36
PID 2016 wrote to memory of 2588	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	37
PID 2016 wrote to memory of 2588	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	37
PID 2016 wrote to memory of 2588	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	37
PID 2016 wrote to memory of 2396	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	38
PID 2016 wrote to memory of 2396	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	38
PID 2016 wrote to memory of 2396	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	38
PID 2016 wrote to memory of 2524	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	39
PID 2016 wrote to memory of 2524	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	39
PID 2016 wrote to memory of 2524	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	39
PID 2016 wrote to memory of 3044	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	40
PID 2016 wrote to memory of 3044	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	40
PID 2016 wrote to memory of 3044	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	40
PID 2016 wrote to memory of 1456	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	41
PID 2016 wrote to memory of 1456	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	41
PID 2016 wrote to memory of 1456	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	41
PID 2016 wrote to memory of 2340	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	42
PID 2016 wrote to memory of 2340	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	42
PID 2016 wrote to memory of 2340	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	42
PID 2016 wrote to memory of 2600	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	43
PID 2016 wrote to memory of 2600	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	43
PID 2016 wrote to memory of 2600	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	43
PID 2016 wrote to memory of 2680	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	44
PID 2016 wrote to memory of 2680	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	44
PID 2016 wrote to memory of 2680	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	44
PID 2016 wrote to memory of 1444	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	45
PID 2016 wrote to memory of 1444	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	45
PID 2016 wrote to memory of 1444	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	45
PID 2016 wrote to memory of 288	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	46
PID 2016 wrote to memory of 288	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	46
PID 2016 wrote to memory of 288	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	46
PID 2016 wrote to memory of 1848	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	47
PID 2016 wrote to memory of 1848	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	47
PID 2016 wrote to memory of 1848	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	47
PID 2016 wrote to memory of 1584	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	48
PID 2016 wrote to memory of 1584	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	48
PID 2016 wrote to memory of 1584	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	48
PID 2016 wrote to memory of 1944	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	49
PID 2016 wrote to memory of 1944	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	49
PID 2016 wrote to memory of 1944	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	49
PID 2016 wrote to memory of 1532	2016	2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe	50

C:\Users\Admin\AppData\Local\Temp\2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2b21c3b0ddabfedb9c00308312406ed0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\System\ICBjFjE.exe
  C:\Windows\System\ICBjFjE.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\OVHePUa.exe
  C:\Windows\System\OVHePUa.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\SylLtsn.exe
  C:\Windows\System\SylLtsn.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\aEheefC.exe
  C:\Windows\System\aEheefC.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\zWnJtyh.exe
  C:\Windows\System\zWnJtyh.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\eLJfYVG.exe
  C:\Windows\System\eLJfYVG.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\nxjtHKx.exe
  C:\Windows\System\nxjtHKx.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\Yhmuqed.exe
  C:\Windows\System\Yhmuqed.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\SPNqBoC.exe
  C:\Windows\System\SPNqBoC.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\IJxQzfu.exe
  C:\Windows\System\IJxQzfu.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\rzvtQbY.exe
  C:\Windows\System\rzvtQbY.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\wbGrErM.exe
  C:\Windows\System\wbGrErM.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\YcmhKgH.exe
  C:\Windows\System\YcmhKgH.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System\WuQIXNN.exe
  C:\Windows\System\WuQIXNN.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\CZpYpWO.exe
  C:\Windows\System\CZpYpWO.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\zeRSAzj.exe
  C:\Windows\System\zeRSAzj.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\rlrDJkU.exe
  C:\Windows\System\rlrDJkU.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\JovfxYz.exe
  C:\Windows\System\JovfxYz.exe
  2⤵
  - Executes dropped EXE
  PID:288
- C:\Windows\System\FHiTpSx.exe
  C:\Windows\System\FHiTpSx.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\ihWbYCP.exe
  C:\Windows\System\ihWbYCP.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\ZExzcVM.exe
  C:\Windows\System\ZExzcVM.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\rrrsOEn.exe
  C:\Windows\System\rrrsOEn.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\BThIIre.exe
  C:\Windows\System\BThIIre.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\teDNFWt.exe
  C:\Windows\System\teDNFWt.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\mxqMtAE.exe
  C:\Windows\System\mxqMtAE.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System\WnrAKTX.exe
  C:\Windows\System\WnrAKTX.exe
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\System\fZDcXSO.exe
  C:\Windows\System\fZDcXSO.exe
  2⤵
  - Executes dropped EXE
  PID:340
- C:\Windows\System\jThYKco.exe
  C:\Windows\System\jThYKco.exe
  2⤵
  - Executes dropped EXE
  PID:580
- C:\Windows\System\HSwFqyH.exe
  C:\Windows\System\HSwFqyH.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\FpIlvnP.exe
  C:\Windows\System\FpIlvnP.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\CzJNygL.exe
  C:\Windows\System\CzJNygL.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\RFBovJE.exe
  C:\Windows\System\RFBovJE.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\gXKGEGP.exe
  C:\Windows\System\gXKGEGP.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\WAWWhyS.exe
  C:\Windows\System\WAWWhyS.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\PcBOyVt.exe
  C:\Windows\System\PcBOyVt.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\fspZEmi.exe
  C:\Windows\System\fspZEmi.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\jmdQYwV.exe
  C:\Windows\System\jmdQYwV.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\NdMSvuv.exe
  C:\Windows\System\NdMSvuv.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\dvddQKw.exe
  C:\Windows\System\dvddQKw.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\ilhXpNT.exe
  C:\Windows\System\ilhXpNT.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\jLtmbMm.exe
  C:\Windows\System\jLtmbMm.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\LpQHCRZ.exe
  C:\Windows\System\LpQHCRZ.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\kwCbviH.exe
  C:\Windows\System\kwCbviH.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\mpoIOWX.exe
  C:\Windows\System\mpoIOWX.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\bzaACYT.exe
  C:\Windows\System\bzaACYT.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\lNmKhpR.exe
  C:\Windows\System\lNmKhpR.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\jVhkrRP.exe
  C:\Windows\System\jVhkrRP.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\frQkypf.exe
  C:\Windows\System\frQkypf.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System\YxhafwG.exe
  C:\Windows\System\YxhafwG.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\IYQjVJC.exe
  C:\Windows\System\IYQjVJC.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\LoGAOAn.exe
  C:\Windows\System\LoGAOAn.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\JOwvWYi.exe
  C:\Windows\System\JOwvWYi.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\jvtcZIr.exe
  C:\Windows\System\jvtcZIr.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System\usPbFWb.exe
  C:\Windows\System\usPbFWb.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\sThfMkt.exe
  C:\Windows\System\sThfMkt.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\PFRDDJj.exe
  C:\Windows\System\PFRDDJj.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System\ZlaCVKE.exe
  C:\Windows\System\ZlaCVKE.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\gZzcWOw.exe
  C:\Windows\System\gZzcWOw.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\aRXwbaH.exe
  C:\Windows\System\aRXwbaH.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\AKXRKhQ.exe
  C:\Windows\System\AKXRKhQ.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\hnSIAXr.exe
  C:\Windows\System\hnSIAXr.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\ouADRTS.exe
  C:\Windows\System\ouADRTS.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\LPSWYRj.exe
  C:\Windows\System\LPSWYRj.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System\UyyYjkr.exe
  C:\Windows\System\UyyYjkr.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\fUaiXJI.exe
  C:\Windows\System\fUaiXJI.exe
  2⤵
  PID:2624
- C:\Windows\System\KUyAdQb.exe
  C:\Windows\System\KUyAdQb.exe
  2⤵
  PID:328
- C:\Windows\System\kMfjOvP.exe
  C:\Windows\System\kMfjOvP.exe
  2⤵
  PID:1804
- C:\Windows\System\epdeKCE.exe
  C:\Windows\System\epdeKCE.exe
  2⤵
  PID:1612
- C:\Windows\System\FJQMweR.exe
  C:\Windows\System\FJQMweR.exe
  2⤵
  PID:1220
- C:\Windows\System\VLTLmUa.exe
  C:\Windows\System\VLTLmUa.exe
  2⤵
  PID:2456
- C:\Windows\System\woWaLGZ.exe
  C:\Windows\System\woWaLGZ.exe
  2⤵
  PID:2080
- C:\Windows\System\TlApdmD.exe
  C:\Windows\System\TlApdmD.exe
  2⤵
  PID:1060
- C:\Windows\System\iFmprJw.exe
  C:\Windows\System\iFmprJw.exe
  2⤵
  PID:392
- C:\Windows\System\sziuxEG.exe
  C:\Windows\System\sziuxEG.exe
  2⤵
  PID:1076
- C:\Windows\System\UqyLIqK.exe
  C:\Windows\System\UqyLIqK.exe
  2⤵
  PID:1564
- C:\Windows\System\prFVPEW.exe
  C:\Windows\System\prFVPEW.exe
  2⤵
  PID:1156
- C:\Windows\System\pvrxvCs.exe
  C:\Windows\System\pvrxvCs.exe
  2⤵
  PID:2924
- C:\Windows\System\qNFTMyV.exe
  C:\Windows\System\qNFTMyV.exe
  2⤵
  PID:1288
- C:\Windows\System\uAODWbl.exe
  C:\Windows\System\uAODWbl.exe
  2⤵
  PID:304
- C:\Windows\System\ctetIJF.exe
  C:\Windows\System\ctetIJF.exe
  2⤵
  PID:1332
- C:\Windows\System\AIBtLbf.exe
  C:\Windows\System\AIBtLbf.exe
  2⤵
  PID:760
- C:\Windows\System\VwdbORZ.exe
  C:\Windows\System\VwdbORZ.exe
  2⤵
  PID:852
- C:\Windows\System\GUhMTdE.exe
  C:\Windows\System\GUhMTdE.exe
  2⤵
  PID:552
- C:\Windows\System\miHDSFK.exe
  C:\Windows\System\miHDSFK.exe
  2⤵
  PID:344
- C:\Windows\System\jwMwqSR.exe
  C:\Windows\System\jwMwqSR.exe
  2⤵
  PID:2120
- C:\Windows\System\wIhmucr.exe
  C:\Windows\System\wIhmucr.exe
  2⤵
  PID:2100
- C:\Windows\System\eciFpSa.exe
  C:\Windows\System\eciFpSa.exe
  2⤵
  PID:2316
- C:\Windows\System\AFdPgRZ.exe
  C:\Windows\System\AFdPgRZ.exe
  2⤵
  PID:2300
- C:\Windows\System\FJhXwou.exe
  C:\Windows\System\FJhXwou.exe
  2⤵
  PID:1644
- C:\Windows\System\cHgirkV.exe
  C:\Windows\System\cHgirkV.exe
  2⤵
  PID:2512
- C:\Windows\System\aPGmPbG.exe
  C:\Windows\System\aPGmPbG.exe
  2⤵
  PID:2408
- C:\Windows\System\LiZRvAq.exe
  C:\Windows\System\LiZRvAq.exe
  2⤵
  PID:2664
- C:\Windows\System\JrwbGLS.exe
  C:\Windows\System\JrwbGLS.exe
  2⤵
  PID:2540
- C:\Windows\System\YDDMuGn.exe
  C:\Windows\System\YDDMuGn.exe
  2⤵
  PID:1620
- C:\Windows\System\gvjMNTF.exe
  C:\Windows\System\gvjMNTF.exe
  2⤵
  PID:2820
- C:\Windows\System\JxohlnC.exe
  C:\Windows\System\JxohlnC.exe
  2⤵
  PID:2848
- C:\Windows\System\WQikNAo.exe
  C:\Windows\System\WQikNAo.exe
  2⤵
  PID:1780
- C:\Windows\System\KQhcEMA.exe
  C:\Windows\System\KQhcEMA.exe
  2⤵
  PID:488
- C:\Windows\System\cAztsqV.exe
  C:\Windows\System\cAztsqV.exe
  2⤵
  PID:2708
- C:\Windows\System\mufcrjr.exe
  C:\Windows\System\mufcrjr.exe
  2⤵
  PID:1680
- C:\Windows\System\PtwJalB.exe
  C:\Windows\System\PtwJalB.exe
  2⤵
  PID:1576
- C:\Windows\System\HoRWVCn.exe
  C:\Windows\System\HoRWVCn.exe
  2⤵
  PID:1924
- C:\Windows\System\LJVchWm.exe
  C:\Windows\System\LJVchWm.exe
  2⤵
  PID:1744
- C:\Windows\System\JvPuFjW.exe
  C:\Windows\System\JvPuFjW.exe
  2⤵
  PID:1552
- C:\Windows\System\jUXvHgS.exe
  C:\Windows\System\jUXvHgS.exe
  2⤵
  PID:3020
- C:\Windows\System\pSXDCuP.exe
  C:\Windows\System\pSXDCuP.exe
  2⤵
  PID:1672
- C:\Windows\System\jrXTWNQ.exe
  C:\Windows\System\jrXTWNQ.exe
  2⤵
  PID:1568
- C:\Windows\System\DYcujOL.exe
  C:\Windows\System\DYcujOL.exe
  2⤵
  PID:900
- C:\Windows\System\zsvoYBq.exe
  C:\Windows\System\zsvoYBq.exe
  2⤵
  PID:1640
- C:\Windows\System\BnEagZM.exe
  C:\Windows\System\BnEagZM.exe
  2⤵
  PID:2580
- C:\Windows\System\lUxqwUj.exe
  C:\Windows\System\lUxqwUj.exe
  2⤵
  PID:2368
- C:\Windows\System\JWTkNzA.exe
  C:\Windows\System\JWTkNzA.exe
  2⤵
  PID:2444
- C:\Windows\System\YQmjRAR.exe
  C:\Windows\System\YQmjRAR.exe
  2⤵
  PID:2864
- C:\Windows\System\IizcLZa.exe
  C:\Windows\System\IizcLZa.exe
  2⤵
  PID:1496
- C:\Windows\System\jzBkdtX.exe
  C:\Windows\System\jzBkdtX.exe
  2⤵
  PID:2788
- C:\Windows\System\HHwnwQV.exe
  C:\Windows\System\HHwnwQV.exe
  2⤵
  PID:448
- C:\Windows\System\PnuDOSv.exe
  C:\Windows\System\PnuDOSv.exe
  2⤵
  PID:2752
- C:\Windows\System\qJFFskK.exe
  C:\Windows\System\qJFFskK.exe
  2⤵
  PID:1232
- C:\Windows\System\dKrhDuG.exe
  C:\Windows\System\dKrhDuG.exe
  2⤵
  PID:2008
- C:\Windows\System\aROFqWI.exe
  C:\Windows\System\aROFqWI.exe
  2⤵
  PID:2004
- C:\Windows\System\BcuZOdI.exe
  C:\Windows\System\BcuZOdI.exe
  2⤵
  PID:1536
- C:\Windows\System\bFSAWil.exe
  C:\Windows\System\bFSAWil.exe
  2⤵
  PID:2652
- C:\Windows\System\imMHujq.exe
  C:\Windows\System\imMHujq.exe
  2⤵
  PID:692
- C:\Windows\System\QnwnVQM.exe
  C:\Windows\System\QnwnVQM.exe
  2⤵
  PID:2712
- C:\Windows\System\uiivNqT.exe
  C:\Windows\System\uiivNqT.exe
  2⤵
  PID:904
- C:\Windows\System\LKsuyKh.exe
  C:\Windows\System\LKsuyKh.exe
  2⤵
  PID:2156
- C:\Windows\System\HvvTuim.exe
  C:\Windows\System\HvvTuim.exe
  2⤵
  PID:320
- C:\Windows\System\KhHWgnx.exe
  C:\Windows\System\KhHWgnx.exe
  2⤵
  PID:2940
- C:\Windows\System\btRLrFZ.exe
  C:\Windows\System\btRLrFZ.exe
  2⤵
  PID:2656
- C:\Windows\System\VdLhQAy.exe
  C:\Windows\System\VdLhQAy.exe
  2⤵
  PID:2184
- C:\Windows\System\ggyWozU.exe
  C:\Windows\System\ggyWozU.exe
  2⤵
  PID:2716
- C:\Windows\System\TPGUYwp.exe
  C:\Windows\System\TPGUYwp.exe
  2⤵
  PID:608
- C:\Windows\System\LMFPVnM.exe
  C:\Windows\System\LMFPVnM.exe
  2⤵
  PID:3092
- C:\Windows\System\amLlcZu.exe
  C:\Windows\System\amLlcZu.exe
  2⤵
  PID:3116
- C:\Windows\System\KEzGVlV.exe
  C:\Windows\System\KEzGVlV.exe
  2⤵
  PID:3132
- C:\Windows\System\FYPDpvf.exe
  C:\Windows\System\FYPDpvf.exe
  2⤵
  PID:3152
- C:\Windows\System\XYJiAZu.exe
  C:\Windows\System\XYJiAZu.exe
  2⤵
  PID:3176
- C:\Windows\System\rbwLrvf.exe
  C:\Windows\System\rbwLrvf.exe
  2⤵
  PID:3196
- C:\Windows\System\oMpolsF.exe
  C:\Windows\System\oMpolsF.exe
  2⤵
  PID:3212
- C:\Windows\System\yEmMtHN.exe
  C:\Windows\System\yEmMtHN.exe
  2⤵
  PID:3228
- C:\Windows\System\ZKoAeJI.exe
  C:\Windows\System\ZKoAeJI.exe
  2⤵
  PID:3244
- C:\Windows\System\qxsoZyR.exe
  C:\Windows\System\qxsoZyR.exe
  2⤵
  PID:3272
- C:\Windows\System\wHVIvoI.exe
  C:\Windows\System\wHVIvoI.exe
  2⤵
  PID:3292
- C:\Windows\System\YXrrFDl.exe
  C:\Windows\System\YXrrFDl.exe
  2⤵
  PID:3312
- C:\Windows\System\nnRoVoP.exe
  C:\Windows\System\nnRoVoP.exe
  2⤵
  PID:3336
- C:\Windows\System\hHRYgIR.exe
  C:\Windows\System\hHRYgIR.exe
  2⤵
  PID:3360
- C:\Windows\System\FhtEnhN.exe
  C:\Windows\System\FhtEnhN.exe
  2⤵
  PID:3388
- C:\Windows\System\wfvRoHw.exe
  C:\Windows\System\wfvRoHw.exe
  2⤵
  PID:3404
- C:\Windows\System\sHbdtwo.exe
  C:\Windows\System\sHbdtwo.exe
  2⤵
  PID:3420
- C:\Windows\System\fdqfQyO.exe
  C:\Windows\System\fdqfQyO.exe
  2⤵
  PID:3440
- C:\Windows\System\TacwtIy.exe
  C:\Windows\System\TacwtIy.exe
  2⤵
  PID:3460
- C:\Windows\System\rlykLcP.exe
  C:\Windows\System\rlykLcP.exe
  2⤵
  PID:3480
- C:\Windows\System\qrFsbao.exe
  C:\Windows\System\qrFsbao.exe
  2⤵
  PID:3504
- C:\Windows\System\xzNbORV.exe
  C:\Windows\System\xzNbORV.exe
  2⤵
  PID:3520
- C:\Windows\System\ovNPZOI.exe
  C:\Windows\System\ovNPZOI.exe
  2⤵
  PID:3540
- C:\Windows\System\gtwbDhx.exe
  C:\Windows\System\gtwbDhx.exe
  2⤵
  PID:3556
- C:\Windows\System\tcguwkf.exe
  C:\Windows\System\tcguwkf.exe
  2⤵
  PID:3576
- C:\Windows\System\HxLNIZQ.exe
  C:\Windows\System\HxLNIZQ.exe
  2⤵
  PID:3596
- C:\Windows\System\IfinmZw.exe
  C:\Windows\System\IfinmZw.exe
  2⤵
  PID:3612
- C:\Windows\System\tYrxMLb.exe
  C:\Windows\System\tYrxMLb.exe
  2⤵
  PID:3636
- C:\Windows\System\hagoyat.exe
  C:\Windows\System\hagoyat.exe
  2⤵
  PID:3652
- C:\Windows\System\UOqhnWM.exe
  C:\Windows\System\UOqhnWM.exe
  2⤵
  PID:3672
- C:\Windows\System\YeGNros.exe
  C:\Windows\System\YeGNros.exe
  2⤵
  PID:3688
- C:\Windows\System\VoolNOd.exe
  C:\Windows\System\VoolNOd.exe
  2⤵
  PID:3704
- C:\Windows\System\hunVxlK.exe
  C:\Windows\System\hunVxlK.exe
  2⤵
  PID:3740
- C:\Windows\System\uRcumxr.exe
  C:\Windows\System\uRcumxr.exe
  2⤵
  PID:3760
- C:\Windows\System\WDnkJsU.exe
  C:\Windows\System\WDnkJsU.exe
  2⤵
  PID:3776
- C:\Windows\System\zAeQKrH.exe
  C:\Windows\System\zAeQKrH.exe
  2⤵
  PID:3800
- C:\Windows\System\xmbltrC.exe
  C:\Windows\System\xmbltrC.exe
  2⤵
  PID:3820
- C:\Windows\System\dinWbNw.exe
  C:\Windows\System\dinWbNw.exe
  2⤵
  PID:3836
- C:\Windows\System\EEEetki.exe
  C:\Windows\System\EEEetki.exe
  2⤵
  PID:3852
- C:\Windows\System\lPqqmwr.exe
  C:\Windows\System\lPqqmwr.exe
  2⤵
  PID:3868
- C:\Windows\System\LMMnTGS.exe
  C:\Windows\System\LMMnTGS.exe
  2⤵
  PID:3888
- C:\Windows\System\CREcegS.exe
  C:\Windows\System\CREcegS.exe
  2⤵
  PID:3904
- C:\Windows\System\tAPSguC.exe
  C:\Windows\System\tAPSguC.exe
  2⤵
  PID:3944
- C:\Windows\System\DfeEgCg.exe
  C:\Windows\System\DfeEgCg.exe
  2⤵
  PID:3964
- C:\Windows\System\FjxVefZ.exe
  C:\Windows\System\FjxVefZ.exe
  2⤵
  PID:3984
- C:\Windows\System\XuqUyKr.exe
  C:\Windows\System\XuqUyKr.exe
  2⤵
  PID:4004
- C:\Windows\System\pJAkhnZ.exe
  C:\Windows\System\pJAkhnZ.exe
  2⤵
  PID:4024
- C:\Windows\System\nxLrVjA.exe
  C:\Windows\System\nxLrVjA.exe
  2⤵
  PID:4040
- C:\Windows\System\ShwZHwG.exe
  C:\Windows\System\ShwZHwG.exe
  2⤵
  PID:4068
- C:\Windows\System\ErkcOEh.exe
  C:\Windows\System\ErkcOEh.exe
  2⤵
  PID:4088
- C:\Windows\System\nLORZfg.exe
  C:\Windows\System\nLORZfg.exe
  2⤵
  PID:1324
- C:\Windows\System\QHIWCPH.exe
  C:\Windows\System\QHIWCPH.exe
  2⤵
  PID:1452
- C:\Windows\System\uIMfHvk.exe
  C:\Windows\System\uIMfHvk.exe
  2⤵
  PID:1556
- C:\Windows\System\tIxLrYI.exe
  C:\Windows\System\tIxLrYI.exe
  2⤵
  PID:1688
- C:\Windows\System\SeKWuyI.exe
  C:\Windows\System\SeKWuyI.exe
  2⤵
  PID:2412
- C:\Windows\System\WMEqCpY.exe
  C:\Windows\System\WMEqCpY.exe
  2⤵
  PID:3088
- C:\Windows\System\bQqRgBZ.exe
  C:\Windows\System\bQqRgBZ.exe
  2⤵
  PID:3168
- C:\Windows\System\QHBvKrT.exe
  C:\Windows\System\QHBvKrT.exe
  2⤵
  PID:3148
- C:\Windows\System\xwiJHBU.exe
  C:\Windows\System\xwiJHBU.exe
  2⤵
  PID:3112
- C:\Windows\System\PTFMunh.exe
  C:\Windows\System\PTFMunh.exe
  2⤵
  PID:3252
- C:\Windows\System\oIbGPrK.exe
  C:\Windows\System\oIbGPrK.exe
  2⤵
  PID:3264
- C:\Windows\System\rVXOVtD.exe
  C:\Windows\System\rVXOVtD.exe
  2⤵
  PID:3328
- C:\Windows\System\wUUpcDw.exe
  C:\Windows\System\wUUpcDw.exe
  2⤵
  PID:3348
- C:\Windows\System\luFTyEr.exe
  C:\Windows\System\luFTyEr.exe
  2⤵
  PID:3380
- C:\Windows\System\XhTNqMU.exe
  C:\Windows\System\XhTNqMU.exe
  2⤵
  PID:3400
- C:\Windows\System\vbVtktL.exe
  C:\Windows\System\vbVtktL.exe
  2⤵
  PID:3488
- C:\Windows\System\llKbzbh.exe
  C:\Windows\System\llKbzbh.exe
  2⤵
  PID:3468
- C:\Windows\System\yqBRmZe.exe
  C:\Windows\System\yqBRmZe.exe
  2⤵
  PID:3500
- C:\Windows\System\NAeNIfs.exe
  C:\Windows\System\NAeNIfs.exe
  2⤵
  PID:3608
- C:\Windows\System\JHhlbRO.exe
  C:\Windows\System\JHhlbRO.exe
  2⤵
  PID:3684
- C:\Windows\System\jkdRXQr.exe
  C:\Windows\System\jkdRXQr.exe
  2⤵
  PID:3620
- C:\Windows\System\pBJVWtP.exe
  C:\Windows\System\pBJVWtP.exe
  2⤵
  PID:3516
- C:\Windows\System\YrevORi.exe
  C:\Windows\System\YrevORi.exe
  2⤵
  PID:3728
- C:\Windows\System\MGJvNUm.exe
  C:\Windows\System\MGJvNUm.exe
  2⤵
  PID:3696
- C:\Windows\System\aLrvbDI.exe
  C:\Windows\System\aLrvbDI.exe
  2⤵
  PID:3660
- C:\Windows\System\OsggbeQ.exe
  C:\Windows\System\OsggbeQ.exe
  2⤵
  PID:3756
- C:\Windows\System\POquFUL.exe
  C:\Windows\System\POquFUL.exe
  2⤵
  PID:3844
- C:\Windows\System\PAokwrf.exe
  C:\Windows\System\PAokwrf.exe
  2⤵
  PID:3788
- C:\Windows\System\gAYsXRo.exe
  C:\Windows\System\gAYsXRo.exe
  2⤵
  PID:3832
- C:\Windows\System\alZFwrr.exe
  C:\Windows\System\alZFwrr.exe
  2⤵
  PID:3924
- C:\Windows\System\gBvRNqR.exe
  C:\Windows\System\gBvRNqR.exe
  2⤵
  PID:3932
- C:\Windows\System\PeUttcp.exe
  C:\Windows\System\PeUttcp.exe
  2⤵
  PID:4016
- C:\Windows\System\SBhQtMO.exe
  C:\Windows\System\SBhQtMO.exe
  2⤵
  PID:4048
- C:\Windows\System\ZZzZkgP.exe
  C:\Windows\System\ZZzZkgP.exe
  2⤵
  PID:4052
- C:\Windows\System\PcsOVDi.exe
  C:\Windows\System\PcsOVDi.exe
  2⤵
  PID:4036
- C:\Windows\System\UJPYmvH.exe
  C:\Windows\System\UJPYmvH.exe
  2⤵
  PID:816
- C:\Windows\System\NfFsjII.exe
  C:\Windows\System\NfFsjII.exe
  2⤵
  PID:1952
- C:\Windows\System\WkQPmqL.exe
  C:\Windows\System\WkQPmqL.exe
  2⤵
  PID:3080
- C:\Windows\System\tGUnLSe.exe
  C:\Windows\System\tGUnLSe.exe
  2⤵
  PID:1976
- C:\Windows\System\AcGLmOs.exe
  C:\Windows\System\AcGLmOs.exe
  2⤵
  PID:3256
- C:\Windows\System\YcIkLmS.exe
  C:\Windows\System\YcIkLmS.exe
  2⤵
  PID:3260
- C:\Windows\System\DefMlLy.exe
  C:\Windows\System\DefMlLy.exe
  2⤵
  PID:3204
- C:\Windows\System\FxQiNtK.exe
  C:\Windows\System\FxQiNtK.exe
  2⤵
  PID:3344
- C:\Windows\System\hPWGYFW.exe
  C:\Windows\System\hPWGYFW.exe
  2⤵
  PID:3192
- C:\Windows\System\cGErbHR.exe
  C:\Windows\System\cGErbHR.exe
  2⤵
  PID:3452
- C:\Windows\System\azeLqQf.exe
  C:\Windows\System\azeLqQf.exe
  2⤵
  PID:3532
- C:\Windows\System\YfTtZjS.exe
  C:\Windows\System\YfTtZjS.exe
  2⤵
  PID:3648
- C:\Windows\System\uVVZiCk.exe
  C:\Windows\System\uVVZiCk.exe
  2⤵
  PID:3724
- C:\Windows\System\FSkmgda.exe
  C:\Windows\System\FSkmgda.exe
  2⤵
  PID:3584
- C:\Windows\System\zzEyIfL.exe
  C:\Windows\System\zzEyIfL.exe
  2⤵
  PID:3592
- C:\Windows\System\wwOYDEe.exe
  C:\Windows\System\wwOYDEe.exe
  2⤵
  PID:3812
- C:\Windows\System\VRyKKgy.exe
  C:\Windows\System\VRyKKgy.exe
  2⤵
  PID:3860
- C:\Windows\System\dIGAeUL.exe
  C:\Windows\System\dIGAeUL.exe
  2⤵
  PID:3876
- C:\Windows\System\NzaoNFw.exe
  C:\Windows\System\NzaoNFw.exe
  2⤵
  PID:3960
- C:\Windows\System\taBKjgd.exe
  C:\Windows\System\taBKjgd.exe
  2⤵
  PID:3164
- C:\Windows\System\MMGQwuF.exe
  C:\Windows\System\MMGQwuF.exe
  2⤵
  PID:3368
- C:\Windows\System\qgIwQKF.exe
  C:\Windows\System\qgIwQKF.exe
  2⤵
  PID:3448
- C:\Windows\System\HXNgFxJ.exe
  C:\Windows\System\HXNgFxJ.exe
  2⤵
  PID:3472
- C:\Windows\System\fbthbUZ.exe
  C:\Windows\System\fbthbUZ.exe
  2⤵
  PID:4012
- C:\Windows\System\JlZISTy.exe
  C:\Windows\System\JlZISTy.exe
  2⤵
  PID:3476
- C:\Windows\System\sFsUGWK.exe
  C:\Windows\System\sFsUGWK.exe
  2⤵
  PID:3528
- C:\Windows\System\hvwqtpC.exe
  C:\Windows\System\hvwqtpC.exe
  2⤵
  PID:3084
- C:\Windows\System\AWhPqTK.exe
  C:\Windows\System\AWhPqTK.exe
  2⤵
  PID:2968
- C:\Windows\System\yBudnvB.exe
  C:\Windows\System\yBudnvB.exe
  2⤵
  PID:1580
- C:\Windows\System\uYwqiKT.exe
  C:\Windows\System\uYwqiKT.exe
  2⤵
  PID:3492
- C:\Windows\System\SzhjTtc.exe
  C:\Windows\System\SzhjTtc.exe
  2⤵
  PID:3816
- C:\Windows\System\Ionamvp.exe
  C:\Windows\System\Ionamvp.exe
  2⤵
  PID:3940
- C:\Windows\System\SVJGmut.exe
  C:\Windows\System\SVJGmut.exe
  2⤵
  PID:4100
- C:\Windows\System\BNDYLlf.exe
  C:\Windows\System\BNDYLlf.exe
  2⤵
  PID:4116
- C:\Windows\System\oeNTTch.exe
  C:\Windows\System\oeNTTch.exe
  2⤵
  PID:4132
- C:\Windows\System\mIDCvVi.exe
  C:\Windows\System\mIDCvVi.exe
  2⤵
  PID:4148
- C:\Windows\System\NEpOJQa.exe
  C:\Windows\System\NEpOJQa.exe
  2⤵
  PID:4164
- C:\Windows\System\gByZnrO.exe
  C:\Windows\System\gByZnrO.exe
  2⤵
  PID:4180
- C:\Windows\System\vwGaJQj.exe
  C:\Windows\System\vwGaJQj.exe
  2⤵
  PID:4208
- C:\Windows\System\DXaLPML.exe
  C:\Windows\System\DXaLPML.exe
  2⤵
  PID:4312
- C:\Windows\System\MTPfSfa.exe
  C:\Windows\System\MTPfSfa.exe
  2⤵
  PID:4328
- C:\Windows\System\DWHUwAS.exe
  C:\Windows\System\DWHUwAS.exe
  2⤵
  PID:4356
- C:\Windows\System\RJboncl.exe
  C:\Windows\System\RJboncl.exe
  2⤵
  PID:4372
- C:\Windows\System\DkATFiv.exe
  C:\Windows\System\DkATFiv.exe
  2⤵
  PID:4388
- C:\Windows\System\ycRGcDf.exe
  C:\Windows\System\ycRGcDf.exe
  2⤵
  PID:4404
- C:\Windows\System\qWwpwXR.exe
  C:\Windows\System\qWwpwXR.exe
  2⤵
  PID:4420
- C:\Windows\System\LScrRfm.exe
  C:\Windows\System\LScrRfm.exe
  2⤵
  PID:4444
- C:\Windows\System\lguiPEr.exe
  C:\Windows\System\lguiPEr.exe
  2⤵
  PID:4460
- C:\Windows\System\aFDZcVI.exe
  C:\Windows\System\aFDZcVI.exe
  2⤵
  PID:4476
- C:\Windows\System\SzMxTIf.exe
  C:\Windows\System\SzMxTIf.exe
  2⤵
  PID:4492
- C:\Windows\System\tnqbnVO.exe
  C:\Windows\System\tnqbnVO.exe
  2⤵
  PID:4512
- C:\Windows\System\uzfuOZh.exe
  C:\Windows\System\uzfuOZh.exe
  2⤵
  PID:4532
- C:\Windows\System\CQMHTRj.exe
  C:\Windows\System\CQMHTRj.exe
  2⤵
  PID:4552
- C:\Windows\System\BfasmMj.exe
  C:\Windows\System\BfasmMj.exe
  2⤵
  PID:4600
- C:\Windows\System\QkaGCSg.exe
  C:\Windows\System\QkaGCSg.exe
  2⤵
  PID:4616
- C:\Windows\System\zCSQxjD.exe
  C:\Windows\System\zCSQxjD.exe
  2⤵
  PID:4632
- C:\Windows\System\VkrXgPM.exe
  C:\Windows\System\VkrXgPM.exe
  2⤵
  PID:4648
- C:\Windows\System\xZQEBqu.exe
  C:\Windows\System\xZQEBqu.exe
  2⤵
  PID:4668
- C:\Windows\System\iLtyDqq.exe
  C:\Windows\System\iLtyDqq.exe
  2⤵
  PID:4684
- C:\Windows\System\UxOpGVI.exe
  C:\Windows\System\UxOpGVI.exe
  2⤵
  PID:4704
- C:\Windows\System\QldJmIp.exe
  C:\Windows\System\QldJmIp.exe
  2⤵
  PID:4724
- C:\Windows\System\RYAWniq.exe
  C:\Windows\System\RYAWniq.exe
  2⤵
  PID:4744
- C:\Windows\System\DnhWtAZ.exe
  C:\Windows\System\DnhWtAZ.exe
  2⤵
  PID:4768
- C:\Windows\System\OjlqaOs.exe
  C:\Windows\System\OjlqaOs.exe
  2⤵
  PID:4784
- C:\Windows\System\bSchryP.exe
  C:\Windows\System\bSchryP.exe
  2⤵
  PID:4800
- C:\Windows\System\tcEEHMj.exe
  C:\Windows\System\tcEEHMj.exe
  2⤵
  PID:4816
- C:\Windows\System\lBThIMi.exe
  C:\Windows\System\lBThIMi.exe
  2⤵
  PID:4832
- C:\Windows\System\IcJxTQT.exe
  C:\Windows\System\IcJxTQT.exe
  2⤵
  PID:4848
- C:\Windows\System\Gkmiell.exe
  C:\Windows\System\Gkmiell.exe
  2⤵
  PID:4864
- C:\Windows\System\uWcnXpx.exe
  C:\Windows\System\uWcnXpx.exe
  2⤵
  PID:4880
- C:\Windows\System\FOOMeAj.exe
  C:\Windows\System\FOOMeAj.exe
  2⤵
  PID:4896
- C:\Windows\System\KBvJEEz.exe
  C:\Windows\System\KBvJEEz.exe
  2⤵
  PID:4916
- C:\Windows\System\OviaKpG.exe
  C:\Windows\System\OviaKpG.exe
  2⤵
  PID:4932
- C:\Windows\System\uiDCwmY.exe
  C:\Windows\System\uiDCwmY.exe
  2⤵
  PID:4952
- C:\Windows\System\sXrijIx.exe
  C:\Windows\System\sXrijIx.exe
  2⤵
  PID:4972
- C:\Windows\System\RiWlTZU.exe
  C:\Windows\System\RiWlTZU.exe
  2⤵
  PID:4988
- C:\Windows\System\fXsluRM.exe
  C:\Windows\System\fXsluRM.exe
  2⤵
  PID:5008
- C:\Windows\System\HxKtqkw.exe
  C:\Windows\System\HxKtqkw.exe
  2⤵
  PID:5024
- C:\Windows\System\fErwrro.exe
  C:\Windows\System\fErwrro.exe
  2⤵
  PID:5096
- C:\Windows\System\YGSZswu.exe
  C:\Windows\System\YGSZswu.exe
  2⤵
  PID:5112
- C:\Windows\System\caqAxnb.exe
  C:\Windows\System\caqAxnb.exe
  2⤵
  PID:3716
- C:\Windows\System\pyrOEVW.exe
  C:\Windows\System\pyrOEVW.exe
  2⤵
  PID:3572
- C:\Windows\System\djQrjNV.exe
  C:\Windows\System\djQrjNV.exe
  2⤵
  PID:3496
- C:\Windows\System\zYrYoTq.exe
  C:\Windows\System\zYrYoTq.exe
  2⤵
  PID:4140
- C:\Windows\System\LsGlgmw.exe
  C:\Windows\System\LsGlgmw.exe
  2⤵
  PID:3916
- C:\Windows\System\MYCXGpV.exe
  C:\Windows\System\MYCXGpV.exe
  2⤵
  PID:3456
- C:\Windows\System\PmlDvhR.exe
  C:\Windows\System\PmlDvhR.exe
  2⤵
  PID:3160
- C:\Windows\System\LowDGVZ.exe
  C:\Windows\System\LowDGVZ.exe
  2⤵
  PID:4124
- C:\Windows\System\DSBLHhI.exe
  C:\Windows\System\DSBLHhI.exe
  2⤵
  PID:4192
- C:\Windows\System\xkEYABE.exe
  C:\Windows\System\xkEYABE.exe
  2⤵
  PID:3712
- C:\Windows\System\XmfaotV.exe
  C:\Windows\System\XmfaotV.exe
  2⤵
  PID:4020
- C:\Windows\System\tiDZCSQ.exe
  C:\Windows\System\tiDZCSQ.exe
  2⤵
  PID:4248
- C:\Windows\System\GnxkbcQ.exe
  C:\Windows\System\GnxkbcQ.exe
  2⤵
  PID:4268
- C:\Windows\System\XhYhSAN.exe
  C:\Windows\System\XhYhSAN.exe
  2⤵
  PID:4292
- C:\Windows\System\rDffuYH.exe
  C:\Windows\System\rDffuYH.exe
  2⤵
  PID:3880
- C:\Windows\System\gpZCllh.exe
  C:\Windows\System\gpZCllh.exe
  2⤵
  PID:4340
- C:\Windows\System\TZQlNdo.exe
  C:\Windows\System\TZQlNdo.exe
  2⤵
  PID:4412
- C:\Windows\System\SSoiytQ.exe
  C:\Windows\System\SSoiytQ.exe
  2⤵
  PID:4396
- C:\Windows\System\ktxSXiy.exe
  C:\Windows\System\ktxSXiy.exe
  2⤵
  PID:4456
- C:\Windows\System\luPQwyI.exe
  C:\Windows\System\luPQwyI.exe
  2⤵
  PID:4436
- C:\Windows\System\EaCjTDB.exe
  C:\Windows\System\EaCjTDB.exe
  2⤵
  PID:4580
- C:\Windows\System\ZfVDuoV.exe
  C:\Windows\System\ZfVDuoV.exe
  2⤵
  PID:4508
- C:\Windows\System\mHjfFNv.exe
  C:\Windows\System\mHjfFNv.exe
  2⤵
  PID:4500
- C:\Windows\System\mHzBZYM.exe
  C:\Windows\System\mHzBZYM.exe
  2⤵
  PID:4596
- C:\Windows\System\QoPoMNr.exe
  C:\Windows\System\QoPoMNr.exe
  2⤵
  PID:4624
- C:\Windows\System\liVCeZG.exe
  C:\Windows\System\liVCeZG.exe
  2⤵
  PID:4664
- C:\Windows\System\BdieLKf.exe
  C:\Windows\System\BdieLKf.exe
  2⤵
  PID:4776
- C:\Windows\System\RHqARVs.exe
  C:\Windows\System\RHqARVs.exe
  2⤵
  PID:4840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BThIIre.exe

Filesize
2.1MB

MD5
6233713d34e02db34bf21bc182c04715

SHA1
3ed3c9763eb5cfe1d8e037fba64818f72bed51f2

SHA256
e52530402f6dd75f6cd45c5abf907f590086680e18c9d33bf0ed4be923f935d6

SHA512
4d616757c923a42da5904e4c5eb6163600173dbb639a8f391ab461881019c236fd44c985dcc2501aeae7de2c2fcc103ab705392b265bfdb2ddc7625ebc327695

Download Submit
C:\Windows\system\CZpYpWO.exe

Filesize
384KB

MD5
6207c08555e637186de329c9179e16d9

SHA1
09098b1d2cbfb2ab317439f6c4fc0121d5b8f70a

SHA256
90e60744ec9da51fba847be626db348bca6bdaf98ac91b116446f5b42433003b

SHA512
a17015ce5be9dbe107f45a5361c78d0722d3574d1684f1ab5a78044304a8f13b281179a8bde4be29c0529678da2d8332817db568d46fd1e81541274c1a2a6ea7

Download Submit
C:\Windows\system\HSwFqyH.exe

Filesize
704KB

MD5
27f1ae58c0e7ea96c463a8f0329d13e3

SHA1
a5352f33f2a7ec676e07aa36bd587f2a910b1502

SHA256
570ef729e78067f9e824a09ee84a0b44c24671dfe07947eaca970f453f235334

SHA512
51c2e61154a9cf7b8c51728bee23d084e40467a64fc74544ed07917de5c42cd2c4f093dc4dba57e475be140334b7f9d2f8c2784d353f9bec4fe5fc6098f5ad70

Download Submit
C:\Windows\system\ICBjFjE.exe

Filesize
640KB

MD5
469aca0e2abc33bcc5100f89b3196890

SHA1
b77c2be76b0bcd5c1640c82143bf4ae8abf6ed35

SHA256
8e4d419e754f89fae1d30741df9483d06709f6d20541cbce976b97c6b74f264f

SHA512
bb8f27156094a7b200e5c1844466de9827240ad5c62598ca983899918fcfddc76480438ab7ff457f4059655d26f5dee65f9d3ba57dc850a7e0c1c267d7e2bdae

Download Submit
C:\Windows\system\OVHePUa.exe

Filesize
448KB

MD5
0642442db4acbbfb6037e06789624264

SHA1
923aee440a6887c7a7a8a78085aa492b2cdcee65

SHA256
5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85

SHA512
7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

Download Submit
C:\Windows\system\RFBovJE.exe

Filesize
128KB

MD5
7ce4ba1725e83a50f64ba525f8815dcf

SHA1
b1714a2d23cfc42c18c37e1546ac0908d8252c04

SHA256
9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908

SHA512
2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19

Download Submit
C:\Windows\system\SPNqBoC.exe

Filesize
1.9MB

MD5
07028623e1fbd44fe1a06d6eae474915

SHA1
b64944942aeb6472f2cf610c5f1671f2fd569669

SHA256
b88a5ed630629712cd7871eff08932028c2d24c880826ebef21c444a855561d3

SHA512
3b14dcf34f01f9f41f0d18e54781687f11e28a1ee55eead145c2ac76a93d8d17c5de9dbaba627b945272b95fc47842785b3f834f26f49f59ebce644e61b6ef3e

Download Submit
C:\Windows\system\ZExzcVM.exe

Filesize
512KB

MD5
6b5887af4274a78686a788865765637c

SHA1
5afc15e6fcbc11377bbabbda47ff43f6ebedd369

SHA256
ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006

SHA512
4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077

Download Submit
C:\Windows\system\eLJfYVG.exe

Filesize
2.3MB

MD5
f43a908e5b8897492146644492ce0a40

SHA1
7156551e964464b2ff51098850080ee3968d4425

SHA256
38e815d9a7eb7928a3051c9bdce5f68c2dd58a12604c1899303bea8b8584a34c

SHA512
8476c4cc7c63e60a519f4456b4f7e824ad8c79958d3098f187130d019566f1c3424d61ad659a4c4f7bcb7f416610397ebe72490cae24f099dad9e19a93069d4e

Download Submit
C:\Windows\system\jThYKco.exe

Filesize
896KB

MD5
d8061570a3d685a09a8726d2e2043dcd

SHA1
5784ed9099dd4b61b63fc8ab2f585fc9e4456099

SHA256
2858747fe15b825bca2004f1fb5434e70a8f8952f994cb7850f53fc69e794e72

SHA512
491823d9b7c3d0e919d65b711645bd0839fa6e3b7a404dd101f61c497b50d40cc12658380d09032bb5d5d2ac84e5d2791f8235e5d4c6f54ca1090b042d3a4b7a

Download Submit
C:\Windows\system\mxqMtAE.exe

Filesize
2.3MB

MD5
7f01870f5e3818afd4d88510f5e2150d

SHA1
0d0cae45f28d967a046f00dab4f3cd50325d7fdb

SHA256
91ce80ddb239f092eb614bd090fa71867cf3de1c3579608f1e7f83d4ccbb192e

SHA512
2574cbbb7a715e6e14d04b8aa4e7da6ed4cb83590400d336de215f4ba78838710797dcd9934b667c9531ac42bd00c80284c32372ba548c897ff7e06af758c8d8

Download Submit
C:\Windows\system\rrrsOEn.exe

Filesize
192KB

MD5
4a486a2a371d8db348dc0ad03e9fd9f0

SHA1
edd912c5d606628022dc3216eaf2db7c93554ff7

SHA256
93ebf2ea35e05e71e9c9884bcb76799c1b9f2b81bf8decfe1ec83807b911916b

SHA512
deb1d7cb48c961fa18e748db8dfc9769c6fcedd4b7a26b044181e535fbdb31d7ead7b8ae69fab463473bcf0bbda0affdeecb9deffc51a89c74001f68a98bf60b

Download Submit
\Windows\system\CZpYpWO.exe

Filesize
320KB

MD5
d21590ae8170aaccbcd19e7067ab6994

SHA1
10f350169749c21440531509a3e7295f89c18083

SHA256
46a31c66a5e2b5dc524bccbbcd87f163f058b2fedffe048e3850fee93fbd703a

SHA512
0a218e8b4f06e2867073755e2a8ca9407d373ed70a6cdd1433032aeda4491ab35054bde1767383405cb6459bec67b81063efb85a1f210d8040c877770e4e047f

Download Submit
\Windows\system\RFBovJE.exe

Filesize
1.1MB

MD5
cdcf7356647142d422479f05aad1001b

SHA1
2fda40d60a5615f87789846dc8219bea51def515

SHA256
2cbe7d6b79d031ef87e25b9df210f15a283114a83369809ccac96683171ab551

SHA512
30ff3785f4f2744e1b83fc3ae807e49c2e99d8ebda936a47f59bd97d0ed22a8fce2c2933fd2a4452a2399dd28d53bea5e5764a413a49014c1a4fa6622137e1e5

Download Submit
\Windows\system\ZExzcVM.exe

Filesize
1.7MB

MD5
49267022380827e0001200568f1e81dc

SHA1
7f9fc45c59d6cbaf66635418a40015f99df01296

SHA256
75c54c7daa9ad9573d63de282facc4335e1b41fb499df3b67b282178259b9f86

SHA512
46ae3ac5bda2aba312ecbab0457192d01947c3d56700fe6de810036937b4a6dc5ed4ab1fdf684106550a3b40627cd5534f20654b4366a31b1dd598824bfd3b82

Download Submit
\Windows\system\aEheefC.exe

Filesize
576KB

MD5
2b325ba998218e1724cf0adeb30ee980

SHA1
91c91f972b93ca21c02dbae5cc375d4e1212c0a0

SHA256
3b509ef9edb2905d68e114a86a101a00bf7ea4fa51d16ade0566e14bca5a50a9

SHA512
d7398cce9bbdb945487f66d7ab2c5fc7624933379c2058d1b197daa7f380b66de5a2145bdf0033355e795b1072c67b0031b7045307d04119888457779d707df5

Download Submit
\Windows\system\mxqMtAE.exe

Filesize
960KB

MD5
180ec18cff675908ea09fb02b8edeae7

SHA1
908a0fde6e66598e819044f800d2fb12a2c2d5e4

SHA256
35e0571c2720559fc2e392ef1ac01a4890a7f5a52de790fe0560ba1ddb8b0978

SHA512
f4efca4f8c80307ac309f06271cca1b553bd93330b442aaa71749f3ce5f3d47dab778dbee66162c088762bb8f4726a65ed8e5313f9bd8da09d951b910b9f8e49

Download Submit
\Windows\system\rzvtQbY.exe

Filesize
1.3MB

MD5
cee1d7c75ec08ec3a0aa1b8d4f177dfa

SHA1
1207597f2e309bc114f05644994b14dd66867494

SHA256
aa8ddc9425332a6bee37c4e0cdbeb60d28c71352fc9d454ff68cbf78457825d8

SHA512
83e5da81ccdb7e0e25cbade96c3e7093378153d455d369d7d4f6a3aea8f892a34b9bfa83bb0709e115260a1817b227b386a9401fd7ac3a3fca4238ed40b276eb

Download Submit
memory/1456-88-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download
memory/1456-1085-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download
memory/2016-104-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2016-41-0x0000000002010000-0x0000000002364000-memory.dmp

Filesize
3.3MB

Download
memory/2016-132-0x000000013F320000-0x000000013F674000-memory.dmp

Filesize
3.3MB

Download
memory/2016-123-0x0000000002010000-0x0000000002364000-memory.dmp

Filesize
3.3MB

Download
memory/2016-118-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/2016-1068-0x0000000002010000-0x0000000002364000-memory.dmp

Filesize
3.3MB

Download
memory/2016-130-0x0000000002010000-0x0000000002364000-memory.dmp

Filesize
3.3MB

Download
memory/2016-1070-0x000000013F490000-0x000000013F7E4000-memory.dmp

Filesize
3.3MB

Download
memory/2016-1069-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2016-122-0x0000000002010000-0x0000000002364000-memory.dmp

Filesize
3.3MB

Download
memory/2016-1067-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2016-0-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2016-97-0x0000000002010000-0x0000000002364000-memory.dmp

Filesize
3.3MB

Download
memory/2016-10-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2016-92-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2016-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2016-1072-0x0000000002010000-0x0000000002364000-memory.dmp

Filesize
3.3MB

Download
memory/2016-68-0x000000013F490000-0x000000013F7E4000-memory.dmp

Filesize
3.3MB

Download
memory/2016-1071-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2016-36-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2132-64-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2132-1080-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2340-142-0x000000013FD80000-0x00000001400D4000-memory.dmp

Filesize
3.3MB

Download
memory/2340-1086-0x000000013FD80000-0x00000001400D4000-memory.dmp

Filesize
3.3MB

Download
memory/2396-1082-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2396-129-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2480-114-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2480-1076-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-1083-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-78-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2564-1075-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2564-112-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-47-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-1077-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-72-0x000000013F490000-0x000000013F7E4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-1081-0x000000013F490000-0x000000013F7E4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-1078-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-115-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2728-54-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/2728-1079-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/2868-14-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2868-1073-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2916-22-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2916-1074-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/3044-1084-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/3044-131-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download