kpot | 4451ea9ddb042e7f3866f67213f9b6ab54d4e4a138a8760cac06f6ea20d9fd43

Analysis

max time kernel
2s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
Size

2.0MB
MD5

414374feb07dd96ebe8af6256db984d0
SHA1

6feed79b77495cbe5aa45e45d2a00c3545132cb8
SHA256

4451ea9ddb042e7f3866f67213f9b6ab54d4e4a138a8760cac06f6ea20d9fd43
SHA512

fa0165230b37cb79c8a0c35ea6aa1bb1d88f74f974703cc8cf73fc9212c91ee36de5c255de76233f3300102f3de5d75dd36727d34388f681e08e525d19c08e52
SSDEEP

49152:oezaTF8FcNkNdfE0pZ9ozt4wIC5aIwC+Agr6StbG:oemTLkNdfE0pZrwN

Score

10^/10

kpot xmrig miner stealer trojan upx

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 6 IoCs

resource	yara_rule
behavioral2/files/0x000700000002342e-180.dat	family_kpot
behavioral2/files/0x000900000002340a-159.dat	family_kpot
behavioral2/files/0x000700000002341c-104.dat	family_kpot
behavioral2/files/0x000700000002341f-94.dat	family_kpot
behavioral2/files/0x0007000000023419-58.dat	family_kpot
behavioral2/files/0x0007000000023412-17.dat	family_kpot

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 51 IoCs

miner

resource	yara_rule
behavioral2/memory/4824-0-0x00007FF749BB0000-0x00007FF749F04000-memory.dmp	xmrig
behavioral2/files/0x0007000000023411-11.dat	xmrig
behavioral2/memory/3992-19-0x00007FF63F290000-0x00007FF63F5E4000-memory.dmp	xmrig
behavioral2/memory/4388-1071-0x00007FF7E0F40000-0x00007FF7E1294000-memory.dmp	xmrig
behavioral2/memory/2812-1072-0x00007FF77D960000-0x00007FF77DCB4000-memory.dmp	xmrig
behavioral2/memory/3688-1073-0x00007FF72BE50000-0x00007FF72C1A4000-memory.dmp	xmrig
behavioral2/memory/2880-198-0x00007FF791CC0000-0x00007FF792014000-memory.dmp	xmrig
behavioral2/files/0x000700000002342e-180.dat	xmrig
behavioral2/files/0x000900000002340a-159.dat	xmrig
behavioral2/memory/3132-1074-0x00007FF6C78F0000-0x00007FF6C7C44000-memory.dmp	xmrig
behavioral2/files/0x0007000000023426-150.dat	xmrig
behavioral2/files/0x000700000002341c-104.dat	xmrig
behavioral2/memory/1824-96-0x00007FF76B7E0000-0x00007FF76BB34000-memory.dmp	xmrig
behavioral2/files/0x000700000002341f-94.dat	xmrig
behavioral2/memory/4504-70-0x00007FF78F480000-0x00007FF78F7D4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023419-58.dat	xmrig
behavioral2/memory/4388-27-0x00007FF7E0F40000-0x00007FF7E1294000-memory.dmp	xmrig
behavioral2/files/0x0007000000023412-17.dat	xmrig
behavioral2/memory/4580-1076-0x00007FF6F77F0000-0x00007FF6F7B44000-memory.dmp	xmrig
behavioral2/memory/1132-1078-0x00007FF62DE70000-0x00007FF62E1C4000-memory.dmp	xmrig
behavioral2/memory/3788-1077-0x00007FF797EA0000-0x00007FF7981F4000-memory.dmp	xmrig
behavioral2/memory/1824-1075-0x00007FF76B7E0000-0x00007FF76BB34000-memory.dmp	xmrig
behavioral2/memory/1516-1081-0x00007FF62DB50000-0x00007FF62DEA4000-memory.dmp	xmrig
behavioral2/memory/3992-1080-0x00007FF63F290000-0x00007FF63F5E4000-memory.dmp	xmrig
behavioral2/memory/688-1079-0x00007FF6C9D10000-0x00007FF6CA064000-memory.dmp	xmrig
behavioral2/memory/4388-1083-0x00007FF7E0F40000-0x00007FF7E1294000-memory.dmp	xmrig
behavioral2/memory/2812-1084-0x00007FF77D960000-0x00007FF77DCB4000-memory.dmp	xmrig
behavioral2/memory/4552-1082-0x00007FF6BA160000-0x00007FF6BA4B4000-memory.dmp	xmrig
behavioral2/memory/3688-1087-0x00007FF72BE50000-0x00007FF72C1A4000-memory.dmp	xmrig
behavioral2/memory/4504-1088-0x00007FF78F480000-0x00007FF78F7D4000-memory.dmp	xmrig
behavioral2/memory/456-1089-0x00007FF6E3B50000-0x00007FF6E3EA4000-memory.dmp	xmrig
behavioral2/memory/3612-1086-0x00007FF7BB960000-0x00007FF7BBCB4000-memory.dmp	xmrig
behavioral2/memory/5048-1090-0x00007FF7E3B60000-0x00007FF7E3EB4000-memory.dmp	xmrig
behavioral2/memory/2872-1085-0x00007FF60CE80000-0x00007FF60D1D4000-memory.dmp	xmrig
behavioral2/memory/4580-1094-0x00007FF6F77F0000-0x00007FF6F7B44000-memory.dmp	xmrig
behavioral2/memory/1824-1095-0x00007FF76B7E0000-0x00007FF76BB34000-memory.dmp	xmrig
behavioral2/memory/2880-1096-0x00007FF791CC0000-0x00007FF792014000-memory.dmp	xmrig
behavioral2/memory/3132-1093-0x00007FF6C78F0000-0x00007FF6C7C44000-memory.dmp	xmrig
behavioral2/memory/1484-1092-0x00007FF715920000-0x00007FF715C74000-memory.dmp	xmrig
behavioral2/memory/5092-1091-0x00007FF660570000-0x00007FF6608C4000-memory.dmp	xmrig
behavioral2/memory/2868-1099-0x00007FF768270000-0x00007FF7685C4000-memory.dmp	xmrig
behavioral2/memory/2252-1098-0x00007FF750A60000-0x00007FF750DB4000-memory.dmp	xmrig
behavioral2/memory/1028-1102-0x00007FF650160000-0x00007FF6504B4000-memory.dmp	xmrig
behavioral2/memory/3136-1107-0x00007FF650BE0000-0x00007FF650F34000-memory.dmp	xmrig
behavioral2/memory/3788-1106-0x00007FF797EA0000-0x00007FF7981F4000-memory.dmp	xmrig
behavioral2/memory/3240-1105-0x00007FF62E5B0000-0x00007FF62E904000-memory.dmp	xmrig
behavioral2/memory/1132-1104-0x00007FF62DE70000-0x00007FF62E1C4000-memory.dmp	xmrig
behavioral2/memory/4220-1103-0x00007FF6E6E70000-0x00007FF6E71C4000-memory.dmp	xmrig
behavioral2/memory/792-1101-0x00007FF75E660000-0x00007FF75E9B4000-memory.dmp	xmrig
behavioral2/memory/3668-1100-0x00007FF74F310000-0x00007FF74F664000-memory.dmp	xmrig
behavioral2/memory/3232-1097-0x00007FF6AF810000-0x00007FF6AFB64000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
688	QEOtYyB.exe
3992	IPcPsRL.exe
1516	iKMKFvv.exe
4388	Cydqkfg.exe
4552	nHVaHJy.exe
2812	qGDaaQy.exe
2872	vRgEDkB.exe
3688	aiJAxiY.exe
3612	nlbyyDI.exe
4504	BTMWgNb.exe
456	ZqHOFIm.exe
5048	hPCxctJ.exe
4580	HOphxJK.exe
3132	pbxqCIc.exe
1484	ywPDHfM.exe
5092	AechukS.exe
1824	yBFwVoo.exe
2880	orGcNCT.exe
2252	ugrJzEN.exe
3788	KrKvQeB.exe
4220	OPWRZxc.exe
3240	mHCopyL.exe
1132	ybWKuNa.exe
2868	ficYgop.exe
3136	ogWFiuS.exe
3668	vsVBewf.exe
3232	ufwBkAU.exe
1028	VOVJwMA.exe
792	JiPtgRz.exe
1032	usXBokG.exe
3484	eBlqDMw.exe
3464	lJeKKIv.exe
1936	fzOGVBh.exe
5080	jeXSRbc.exe
1960	xYyvQIq.exe
2976	sgwrhwP.exe
2480	lZFdBQW.exe
4340	RInWerZ.exe
3052	xWEuuyZ.exe
1952	PPJOazu.exe
2512	oMnliKj.exe
940	fuxcDRH.exe
2928	RXEHTPA.exe
116	TcGYeur.exe
1664	WxBnsth.exe
4484	IMAkrEn.exe
3748	UDWVLQB.exe
60	irgtXHn.exe
4668	HOIhfeQ.exe
5052	Xojisns.exe
3860	rGYCNOp.exe
4164	DENorrY.exe
3108	GnDqjUo.exe
608	bPZspVF.exe
1096	dmvBUPY.exe
2984	saTCbxu.exe
2384	kfCGmHB.exe
388	aMChEDP.exe
3360	jxYntOu.exe
540	xLcDDGF.exe
4052	BEmSpUB.exe
3912	cbbbbKj.exe
3512	SemznYk.exe
5088	hcfkjzJ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4824-0-0x00007FF749BB0000-0x00007FF749F04000-memory.dmp	upx
behavioral2/files/0x0007000000023411-11.dat	upx
behavioral2/memory/3992-19-0x00007FF63F290000-0x00007FF63F5E4000-memory.dmp	upx
behavioral2/memory/4552-46-0x00007FF6BA160000-0x00007FF6BA4B4000-memory.dmp	upx
behavioral2/files/0x0007000000023418-52.dat	upx
behavioral2/memory/456-77-0x00007FF6E3B50000-0x00007FF6E3EA4000-memory.dmp	upx
behavioral2/memory/3132-85-0x00007FF6C78F0000-0x00007FF6C7C44000-memory.dmp	upx
behavioral2/memory/5048-97-0x00007FF7E3B60000-0x00007FF7E3EB4000-memory.dmp	upx
behavioral2/files/0x0007000000023421-116.dat	upx
behavioral2/files/0x0007000000023429-160.dat	upx
behavioral2/memory/792-191-0x00007FF75E660000-0x00007FF75E9B4000-memory.dmp	upx
behavioral2/memory/4220-206-0x00007FF6E6E70000-0x00007FF6E71C4000-memory.dmp	upx
behavioral2/memory/3232-227-0x00007FF6AF810000-0x00007FF6AFB64000-memory.dmp	upx
behavioral2/memory/688-578-0x00007FF6C9D10000-0x00007FF6CA064000-memory.dmp	upx
behavioral2/memory/4388-1071-0x00007FF7E0F40000-0x00007FF7E1294000-memory.dmp	upx
behavioral2/memory/2812-1072-0x00007FF77D960000-0x00007FF77DCB4000-memory.dmp	upx
behavioral2/memory/3688-1073-0x00007FF72BE50000-0x00007FF72C1A4000-memory.dmp	upx
behavioral2/memory/3136-220-0x00007FF650BE0000-0x00007FF650F34000-memory.dmp	upx
behavioral2/memory/3240-213-0x00007FF62E5B0000-0x00007FF62E904000-memory.dmp	upx
behavioral2/memory/2252-202-0x00007FF750A60000-0x00007FF750DB4000-memory.dmp	upx
behavioral2/memory/2880-198-0x00007FF791CC0000-0x00007FF792014000-memory.dmp	upx
behavioral2/memory/4824-195-0x00007FF749BB0000-0x00007FF749F04000-memory.dmp	upx
behavioral2/memory/1028-188-0x00007FF650160000-0x00007FF6504B4000-memory.dmp	upx
behavioral2/memory/3668-185-0x00007FF74F310000-0x00007FF74F664000-memory.dmp	upx
behavioral2/files/0x000700000002342e-180.dat	upx
behavioral2/memory/2868-176-0x00007FF768270000-0x00007FF7685C4000-memory.dmp	upx
behavioral2/files/0x000900000002340a-159.dat	upx
behavioral2/memory/3132-1074-0x00007FF6C78F0000-0x00007FF6C7C44000-memory.dmp	upx
behavioral2/files/0x0007000000023426-150.dat	upx
behavioral2/memory/1132-148-0x00007FF62DE70000-0x00007FF62E1C4000-memory.dmp	upx
behavioral2/memory/3788-138-0x00007FF797EA0000-0x00007FF7981F4000-memory.dmp	upx
behavioral2/memory/5092-122-0x00007FF660570000-0x00007FF6608C4000-memory.dmp	upx
behavioral2/memory/1484-112-0x00007FF715920000-0x00007FF715C74000-memory.dmp	upx
behavioral2/memory/4580-105-0x00007FF6F77F0000-0x00007FF6F7B44000-memory.dmp	upx
behavioral2/files/0x000700000002341c-104.dat	upx
behavioral2/files/0x0007000000023421-101.dat	upx
behavioral2/memory/1824-96-0x00007FF76B7E0000-0x00007FF76BB34000-memory.dmp	upx
behavioral2/files/0x000700000002341f-94.dat	upx
behavioral2/files/0x000700000002341f-88.dat	upx
behavioral2/memory/4504-70-0x00007FF78F480000-0x00007FF78F7D4000-memory.dmp	upx
behavioral2/memory/3612-64-0x00007FF7BB960000-0x00007FF7BBCB4000-memory.dmp	upx
behavioral2/memory/2872-59-0x00007FF60CE80000-0x00007FF60D1D4000-memory.dmp	upx
behavioral2/files/0x0007000000023419-58.dat	upx
behavioral2/memory/3688-54-0x00007FF72BE50000-0x00007FF72C1A4000-memory.dmp	upx
behavioral2/memory/2812-37-0x00007FF77D960000-0x00007FF77DCB4000-memory.dmp	upx
behavioral2/memory/4388-27-0x00007FF7E0F40000-0x00007FF7E1294000-memory.dmp	upx
behavioral2/files/0x0007000000023415-31.dat	upx
behavioral2/memory/1516-23-0x00007FF62DB50000-0x00007FF62DEA4000-memory.dmp	upx
behavioral2/files/0x0007000000023412-17.dat	upx
behavioral2/memory/688-9-0x00007FF6C9D10000-0x00007FF6CA064000-memory.dmp	upx
behavioral2/memory/4580-1076-0x00007FF6F77F0000-0x00007FF6F7B44000-memory.dmp	upx
behavioral2/memory/1132-1078-0x00007FF62DE70000-0x00007FF62E1C4000-memory.dmp	upx
behavioral2/memory/3788-1077-0x00007FF797EA0000-0x00007FF7981F4000-memory.dmp	upx
behavioral2/memory/1824-1075-0x00007FF76B7E0000-0x00007FF76BB34000-memory.dmp	upx
behavioral2/memory/1516-1081-0x00007FF62DB50000-0x00007FF62DEA4000-memory.dmp	upx
behavioral2/memory/3992-1080-0x00007FF63F290000-0x00007FF63F5E4000-memory.dmp	upx
behavioral2/memory/688-1079-0x00007FF6C9D10000-0x00007FF6CA064000-memory.dmp	upx
behavioral2/memory/4388-1083-0x00007FF7E0F40000-0x00007FF7E1294000-memory.dmp	upx
behavioral2/memory/2812-1084-0x00007FF77D960000-0x00007FF77DCB4000-memory.dmp	upx
behavioral2/memory/4552-1082-0x00007FF6BA160000-0x00007FF6BA4B4000-memory.dmp	upx
behavioral2/memory/3688-1087-0x00007FF72BE50000-0x00007FF72C1A4000-memory.dmp	upx
behavioral2/memory/4504-1088-0x00007FF78F480000-0x00007FF78F7D4000-memory.dmp	upx
behavioral2/memory/456-1089-0x00007FF6E3B50000-0x00007FF6E3EA4000-memory.dmp	upx
behavioral2/memory/3612-1086-0x00007FF7BB960000-0x00007FF7BBCB4000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\QEOtYyB.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\hPCxctJ.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\HOphxJK.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\saTCbxu.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\jxYntOu.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\hcfkjzJ.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\BTMWgNb.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\orGcNCT.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\KrKvQeB.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\IMAkrEn.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\PEmTkcA.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\ugrJzEN.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\kfCGmHB.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\ZqHOFIm.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\ogWFiuS.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\vsVBewf.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\xWEuuyZ.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\fuxcDRH.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\pbxqCIc.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\lZFdBQW.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\RXEHTPA.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\DENorrY.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\iKMKFvv.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\OPWRZxc.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\SemznYk.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\UDWVLQB.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\aMChEDP.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\BEmSpUB.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\rReiOrh.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\SKCcfNT.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\oNwoswy.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\mHCopyL.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\sgwrhwP.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\Xojisns.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\rGYCNOp.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\dOKiVns.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\IPcPsRL.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\nHVaHJy.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\qGDaaQy.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\vRgEDkB.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\JiPtgRz.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\GnDqjUo.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\xLcDDGF.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\QnkPUfd.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\IwvMAuw.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\VOVJwMA.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\eBlqDMw.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\lJeKKIv.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\oMnliKj.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\TcGYeur.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\WxBnsth.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\irgtXHn.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\aiJAxiY.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\ybWKuNa.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\ficYgop.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\RInWerZ.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\MbmVFgx.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\xsXPFoQ.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\AechukS.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\ufwBkAU.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\xYyvQIq.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\HOIhfeQ.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\dmvBUPY.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
File created	C:\Windows\System\sDEIslJ.exe	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 688	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	84
PID 4824 wrote to memory of 688	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	84
PID 4824 wrote to memory of 3992	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	85
PID 4824 wrote to memory of 3992	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	85
PID 4824 wrote to memory of 1516	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	86
PID 4824 wrote to memory of 1516	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	86
PID 4824 wrote to memory of 4388	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	87
PID 4824 wrote to memory of 4388	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	87
PID 4824 wrote to memory of 4552	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	88
PID 4824 wrote to memory of 4552	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	88
PID 4824 wrote to memory of 2812	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	89
PID 4824 wrote to memory of 2812	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	89
PID 4824 wrote to memory of 2872	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	90
PID 4824 wrote to memory of 2872	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	90
PID 4824 wrote to memory of 3688	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	91
PID 4824 wrote to memory of 3688	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	91
PID 4824 wrote to memory of 3612	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	92
PID 4824 wrote to memory of 3612	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	92
PID 4824 wrote to memory of 4504	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	93
PID 4824 wrote to memory of 4504	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	93
PID 4824 wrote to memory of 456	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	94
PID 4824 wrote to memory of 456	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	94
PID 4824 wrote to memory of 5048	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	95
PID 4824 wrote to memory of 5048	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	95
PID 4824 wrote to memory of 4580	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	96
PID 4824 wrote to memory of 4580	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	96
PID 4824 wrote to memory of 3132	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	97
PID 4824 wrote to memory of 3132	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	97
PID 4824 wrote to memory of 1484	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	98
PID 4824 wrote to memory of 1484	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	98
PID 4824 wrote to memory of 5092	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	99
PID 4824 wrote to memory of 5092	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	99
PID 4824 wrote to memory of 1824	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	100
PID 4824 wrote to memory of 1824	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	100
PID 4824 wrote to memory of 2880	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	101
PID 4824 wrote to memory of 2880	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	101
PID 4824 wrote to memory of 2252	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	102
PID 4824 wrote to memory of 2252	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	102
PID 4824 wrote to memory of 3788	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	103
PID 4824 wrote to memory of 3788	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	103
PID 4824 wrote to memory of 4220	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	104
PID 4824 wrote to memory of 4220	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	104
PID 4824 wrote to memory of 3240	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	105
PID 4824 wrote to memory of 3240	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	105
PID 4824 wrote to memory of 1132	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	106
PID 4824 wrote to memory of 1132	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	106
PID 4824 wrote to memory of 2868	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	107
PID 4824 wrote to memory of 2868	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	107
PID 4824 wrote to memory of 3136	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	108
PID 4824 wrote to memory of 3136	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	108
PID 4824 wrote to memory of 3668	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	109
PID 4824 wrote to memory of 3668	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	109
PID 4824 wrote to memory of 3232	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	110
PID 4824 wrote to memory of 3232	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	110
PID 4824 wrote to memory of 1028	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	111
PID 4824 wrote to memory of 1028	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	111
PID 4824 wrote to memory of 792	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	112
PID 4824 wrote to memory of 792	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	112
PID 4824 wrote to memory of 1032	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	113
PID 4824 wrote to memory of 1032	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	113
PID 4824 wrote to memory of 3484	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	114
PID 4824 wrote to memory of 3484	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	114
PID 4824 wrote to memory of 3464	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	115
PID 4824 wrote to memory of 3464	4824	414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\2731331116\zmstage.exe
C:\Users\Admin\AppData\Local\Temp\2731331116\zmstage.exe
1⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\414374feb07dd96ebe8af6256db984d0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\System\QEOtYyB.exe
  C:\Windows\System\QEOtYyB.exe
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Windows\System\IPcPsRL.exe
  C:\Windows\System\IPcPsRL.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\iKMKFvv.exe
  C:\Windows\System\iKMKFvv.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\Cydqkfg.exe
  C:\Windows\System\Cydqkfg.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\nHVaHJy.exe
  C:\Windows\System\nHVaHJy.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\qGDaaQy.exe
  C:\Windows\System\qGDaaQy.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\vRgEDkB.exe
  C:\Windows\System\vRgEDkB.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\aiJAxiY.exe
  C:\Windows\System\aiJAxiY.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\nlbyyDI.exe
  C:\Windows\System\nlbyyDI.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System\BTMWgNb.exe
  C:\Windows\System\BTMWgNb.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\ZqHOFIm.exe
  C:\Windows\System\ZqHOFIm.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System\hPCxctJ.exe
  C:\Windows\System\hPCxctJ.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\HOphxJK.exe
  C:\Windows\System\HOphxJK.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\pbxqCIc.exe
  C:\Windows\System\pbxqCIc.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\ywPDHfM.exe
  C:\Windows\System\ywPDHfM.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\AechukS.exe
  C:\Windows\System\AechukS.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\yBFwVoo.exe
  C:\Windows\System\yBFwVoo.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System\orGcNCT.exe
  C:\Windows\System\orGcNCT.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\ugrJzEN.exe
  C:\Windows\System\ugrJzEN.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\KrKvQeB.exe
  C:\Windows\System\KrKvQeB.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System\OPWRZxc.exe
  C:\Windows\System\OPWRZxc.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\mHCopyL.exe
  C:\Windows\System\mHCopyL.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\ybWKuNa.exe
  C:\Windows\System\ybWKuNa.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System\ficYgop.exe
  C:\Windows\System\ficYgop.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\ogWFiuS.exe
  C:\Windows\System\ogWFiuS.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\vsVBewf.exe
  C:\Windows\System\vsVBewf.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\ufwBkAU.exe
  C:\Windows\System\ufwBkAU.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\VOVJwMA.exe
  C:\Windows\System\VOVJwMA.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\JiPtgRz.exe
  C:\Windows\System\JiPtgRz.exe
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\System\usXBokG.exe
  C:\Windows\System\usXBokG.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System\eBlqDMw.exe
  C:\Windows\System\eBlqDMw.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System\lJeKKIv.exe
  C:\Windows\System\lJeKKIv.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\fzOGVBh.exe
  C:\Windows\System\fzOGVBh.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\jeXSRbc.exe
  C:\Windows\System\jeXSRbc.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\xYyvQIq.exe
  C:\Windows\System\xYyvQIq.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\sgwrhwP.exe
  C:\Windows\System\sgwrhwP.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\lZFdBQW.exe
  C:\Windows\System\lZFdBQW.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\RInWerZ.exe
  C:\Windows\System\RInWerZ.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System\xWEuuyZ.exe
  C:\Windows\System\xWEuuyZ.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\PPJOazu.exe
  C:\Windows\System\PPJOazu.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\oMnliKj.exe
  C:\Windows\System\oMnliKj.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\fuxcDRH.exe
  C:\Windows\System\fuxcDRH.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System\RXEHTPA.exe
  C:\Windows\System\RXEHTPA.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\TcGYeur.exe
  C:\Windows\System\TcGYeur.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\WxBnsth.exe
  C:\Windows\System\WxBnsth.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\IMAkrEn.exe
  C:\Windows\System\IMAkrEn.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\UDWVLQB.exe
  C:\Windows\System\UDWVLQB.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\irgtXHn.exe
  C:\Windows\System\irgtXHn.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\HOIhfeQ.exe
  C:\Windows\System\HOIhfeQ.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System\Xojisns.exe
  C:\Windows\System\Xojisns.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\rGYCNOp.exe
  C:\Windows\System\rGYCNOp.exe
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\System\DENorrY.exe
  C:\Windows\System\DENorrY.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System\GnDqjUo.exe
  C:\Windows\System\GnDqjUo.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System\bPZspVF.exe
  C:\Windows\System\bPZspVF.exe
  2⤵
  - Executes dropped EXE
  PID:608
- C:\Windows\System\dmvBUPY.exe
  C:\Windows\System\dmvBUPY.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System\saTCbxu.exe
  C:\Windows\System\saTCbxu.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\kfCGmHB.exe
  C:\Windows\System\kfCGmHB.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\aMChEDP.exe
  C:\Windows\System\aMChEDP.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System\jxYntOu.exe
  C:\Windows\System\jxYntOu.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System\xLcDDGF.exe
  C:\Windows\System\xLcDDGF.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System\BEmSpUB.exe
  C:\Windows\System\BEmSpUB.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System\cbbbbKj.exe
  C:\Windows\System\cbbbbKj.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System\SemznYk.exe
  C:\Windows\System\SemznYk.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\hcfkjzJ.exe
  C:\Windows\System\hcfkjzJ.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\QnkPUfd.exe
  C:\Windows\System\QnkPUfd.exe
  2⤵
  PID:4860
- C:\Windows\System\sDEIslJ.exe
  C:\Windows\System\sDEIslJ.exe
  2⤵
  PID:348
- C:\Windows\System\OhjgoPF.exe
  C:\Windows\System\OhjgoPF.exe
  2⤵
  PID:1944
- C:\Windows\System\MbmVFgx.exe
  C:\Windows\System\MbmVFgx.exe
  2⤵
  PID:5004
- C:\Windows\System\xsXPFoQ.exe
  C:\Windows\System\xsXPFoQ.exe
  2⤵
  PID:3296
- C:\Windows\System\SKCcfNT.exe
  C:\Windows\System\SKCcfNT.exe
  2⤵
  PID:5084
- C:\Windows\System\YfOkSbr.exe
  C:\Windows\System\YfOkSbr.exe
  2⤵
  PID:4300
- C:\Windows\System\rReiOrh.exe
  C:\Windows\System\rReiOrh.exe
  2⤵
  PID:2320
- C:\Windows\System\TRXVoCP.exe
  C:\Windows\System\TRXVoCP.exe
  2⤵
  PID:4004
- C:\Windows\System\PEmTkcA.exe
  C:\Windows\System\PEmTkcA.exe
  2⤵
  PID:3908
- C:\Windows\System\dOKiVns.exe
  C:\Windows\System\dOKiVns.exe
  2⤵
  PID:960
- C:\Windows\System\oNwoswy.exe
  C:\Windows\System\oNwoswy.exe
  2⤵
  PID:4836
- C:\Windows\System\IwvMAuw.exe
  C:\Windows\System\IwvMAuw.exe
  2⤵
  PID:4944
- C:\Windows\System\QGuQlPq.exe
  C:\Windows\System\QGuQlPq.exe
  2⤵
  PID:4832
- C:\Windows\System\IwBaiSb.exe
  C:\Windows\System\IwBaiSb.exe
  2⤵
  PID:4540
- C:\Windows\System\KgkZbpt.exe
  C:\Windows\System\KgkZbpt.exe
  2⤵
  PID:2764
- C:\Windows\System\MuXMAZA.exe
  C:\Windows\System\MuXMAZA.exe
  2⤵
  PID:5156
- C:\Windows\System\fGRmoke.exe
  C:\Windows\System\fGRmoke.exe
  2⤵
  PID:5188
- C:\Windows\System\cxHUXpR.exe
  C:\Windows\System\cxHUXpR.exe
  2⤵
  PID:5220
- C:\Windows\System\IoBhJdo.exe
  C:\Windows\System\IoBhJdo.exe
  2⤵
  PID:5252
- C:\Windows\System\inkchRF.exe
  C:\Windows\System\inkchRF.exe
  2⤵
  PID:5284
- C:\Windows\System\sIFAJAk.exe
  C:\Windows\System\sIFAJAk.exe
  2⤵
  PID:5320
- C:\Windows\System\SbAZlUh.exe
  C:\Windows\System\SbAZlUh.exe
  2⤵
  PID:5356
- C:\Windows\System\SJCrYnu.exe
  C:\Windows\System\SJCrYnu.exe
  2⤵
  PID:5372
- C:\Windows\System\MaLnrSu.exe
  C:\Windows\System\MaLnrSu.exe
  2⤵
  PID:5400
- C:\Windows\System\BGkYCPl.exe
  C:\Windows\System\BGkYCPl.exe
  2⤵
  PID:5416
- C:\Windows\System\GgPTZiQ.exe
  C:\Windows\System\GgPTZiQ.exe
  2⤵
  PID:5468
- C:\Windows\System\TFPTIkj.exe
  C:\Windows\System\TFPTIkj.exe
  2⤵
  PID:5496
- C:\Windows\System\MfJUegh.exe
  C:\Windows\System\MfJUegh.exe
  2⤵
  PID:5536
- C:\Windows\System\nqwZLDV.exe
  C:\Windows\System\nqwZLDV.exe
  2⤵
  PID:5560
- C:\Windows\System\jnOWFbz.exe
  C:\Windows\System\jnOWFbz.exe
  2⤵
  PID:5588
- C:\Windows\System\dSttFaC.exe
  C:\Windows\System\dSttFaC.exe
  2⤵
  PID:5632
- C:\Windows\System\iXlxwMb.exe
  C:\Windows\System\iXlxwMb.exe
  2⤵
  PID:5660
- C:\Windows\System\qzcuBiB.exe
  C:\Windows\System\qzcuBiB.exe
  2⤵
  PID:5708
- C:\Windows\System\xZebfjj.exe
  C:\Windows\System\xZebfjj.exe
  2⤵
  PID:5736
- C:\Windows\System\lrqwOPq.exe
  C:\Windows\System\lrqwOPq.exe
  2⤵
  PID:5768
- C:\Windows\System\JmQmJIQ.exe
  C:\Windows\System\JmQmJIQ.exe
  2⤵
  PID:5792
- C:\Windows\System\DAPnTLo.exe
  C:\Windows\System\DAPnTLo.exe
  2⤵
  PID:5824
- C:\Windows\System\SPFZOlb.exe
  C:\Windows\System\SPFZOlb.exe
  2⤵
  PID:5860
- C:\Windows\System\OsdofeJ.exe
  C:\Windows\System\OsdofeJ.exe
  2⤵
  PID:5892
- C:\Windows\System\NHrfFtC.exe
  C:\Windows\System\NHrfFtC.exe
  2⤵
  PID:5920
- C:\Windows\System\eXjnpVl.exe
  C:\Windows\System\eXjnpVl.exe
  2⤵
  PID:5964
- C:\Windows\System\LzyIdzn.exe
  C:\Windows\System\LzyIdzn.exe
  2⤵
  PID:6000
- C:\Windows\System\iFazrww.exe
  C:\Windows\System\iFazrww.exe
  2⤵
  PID:6024
- C:\Windows\System\LtUgXoJ.exe
  C:\Windows\System\LtUgXoJ.exe
  2⤵
  PID:6056
- C:\Windows\System\LOXqTuV.exe
  C:\Windows\System\LOXqTuV.exe
  2⤵
  PID:6088
- C:\Windows\System\dglReFm.exe
  C:\Windows\System\dglReFm.exe
  2⤵
  PID:6124
- C:\Windows\System\RJQiOxH.exe
  C:\Windows\System\RJQiOxH.exe
  2⤵
  PID:6140
- C:\Windows\System\QESrJJm.exe
  C:\Windows\System\QESrJJm.exe
  2⤵
  PID:5132
- C:\Windows\System\xmwrMlF.exe
  C:\Windows\System\xmwrMlF.exe
  2⤵
  PID:4812
- C:\Windows\System\AwXMpuA.exe
  C:\Windows\System\AwXMpuA.exe
  2⤵
  PID:5276
- C:\Windows\System\sahhHJB.exe
  C:\Windows\System\sahhHJB.exe
  2⤵
  PID:5344
- C:\Windows\System\EjkrSJi.exe
  C:\Windows\System\EjkrSJi.exe
  2⤵
  PID:5384
- C:\Windows\System\cxJKhYn.exe
  C:\Windows\System\cxJKhYn.exe
  2⤵
  PID:5456
- C:\Windows\System\BVQHtOb.exe
  C:\Windows\System\BVQHtOb.exe
  2⤵
  PID:4240
- C:\Windows\System\WvzXDju.exe
  C:\Windows\System\WvzXDju.exe
  2⤵
  PID:5600
- C:\Windows\System\osaXZLx.exe
  C:\Windows\System\osaXZLx.exe
  2⤵
  PID:5676
- C:\Windows\System\BfRdmnS.exe
  C:\Windows\System\BfRdmnS.exe
  2⤵
  PID:5728
- C:\Windows\System\UHreoJv.exe
  C:\Windows\System\UHreoJv.exe
  2⤵
  PID:5784
- C:\Windows\System\EGFwgBA.exe
  C:\Windows\System\EGFwgBA.exe
  2⤵
  PID:5876
- C:\Windows\System\sYFDjGi.exe
  C:\Windows\System\sYFDjGi.exe
  2⤵
  PID:5972
- C:\Windows\System\PUPUTeW.exe
  C:\Windows\System\PUPUTeW.exe
  2⤵
  PID:6044
- C:\Windows\System\ZVVVIxJ.exe
  C:\Windows\System\ZVVVIxJ.exe
  2⤵
  PID:6096
- C:\Windows\System\WBtcVug.exe
  C:\Windows\System\WBtcVug.exe
  2⤵
  PID:6132
- C:\Windows\System\VUUATIZ.exe
  C:\Windows\System\VUUATIZ.exe
  2⤵
  PID:5168
- C:\Windows\System\vGGPJjI.exe
  C:\Windows\System\vGGPJjI.exe
  2⤵
  PID:5408
- C:\Windows\System\hIpqQFd.exe
  C:\Windows\System\hIpqQFd.exe
  2⤵
  PID:5452
- C:\Windows\System\OnZjseq.exe
  C:\Windows\System\OnZjseq.exe
  2⤵
  PID:5724
- C:\Windows\System\mimQDVL.exe
  C:\Windows\System\mimQDVL.exe
  2⤵
  PID:5900
- C:\Windows\System\eoqmgrX.exe
  C:\Windows\System\eoqmgrX.exe
  2⤵
  PID:6104
- C:\Windows\System\NDZnkGN.exe
  C:\Windows\System\NDZnkGN.exe
  2⤵
  PID:5000
- C:\Windows\System\WromAND.exe
  C:\Windows\System\WromAND.exe
  2⤵
  PID:5640
- C:\Windows\System\EOKrNst.exe
  C:\Windows\System\EOKrNst.exe
  2⤵
  PID:5208
- C:\Windows\System\UiQulFa.exe
  C:\Windows\System\UiQulFa.exe
  2⤵
  PID:6064
- C:\Windows\System\cGQMvsg.exe
  C:\Windows\System\cGQMvsg.exe
  2⤵
  PID:6164
- C:\Windows\System\wYjSrvP.exe
  C:\Windows\System\wYjSrvP.exe
  2⤵
  PID:6192
- C:\Windows\System\XhhEHwP.exe
  C:\Windows\System\XhhEHwP.exe
  2⤵
  PID:6232
- C:\Windows\System\EbQJTxg.exe
  C:\Windows\System\EbQJTxg.exe
  2⤵
  PID:6252
- C:\Windows\System\QDZvAkp.exe
  C:\Windows\System\QDZvAkp.exe
  2⤵
  PID:6284
- C:\Windows\System\GGkGwot.exe
  C:\Windows\System\GGkGwot.exe
  2⤵
  PID:6316
- C:\Windows\System\sMKgpGQ.exe
  C:\Windows\System\sMKgpGQ.exe
  2⤵
  PID:6344
- C:\Windows\System\UyQJQVZ.exe
  C:\Windows\System\UyQJQVZ.exe
  2⤵
  PID:6416
- C:\Windows\System\cBvNvnD.exe
  C:\Windows\System\cBvNvnD.exe
  2⤵
  PID:6436
- C:\Windows\System\PTJLlVX.exe
  C:\Windows\System\PTJLlVX.exe
  2⤵
  PID:6468
- C:\Windows\System\AYtpqEA.exe
  C:\Windows\System\AYtpqEA.exe
  2⤵
  PID:6496
- C:\Windows\System\ncVHROs.exe
  C:\Windows\System\ncVHROs.exe
  2⤵
  PID:6536
- C:\Windows\System\qlHybgo.exe
  C:\Windows\System\qlHybgo.exe
  2⤵
  PID:6572
- C:\Windows\System\IczHJQJ.exe
  C:\Windows\System\IczHJQJ.exe
  2⤵
  PID:6608
- C:\Windows\System\EKSsYOm.exe
  C:\Windows\System\EKSsYOm.exe
  2⤵
  PID:6640
- C:\Windows\System\RZHwDnV.exe
  C:\Windows\System\RZHwDnV.exe
  2⤵
  PID:6668
- C:\Windows\System\hRjOOXC.exe
  C:\Windows\System\hRjOOXC.exe
  2⤵
  PID:6696
- C:\Windows\System\WvWoent.exe
  C:\Windows\System\WvWoent.exe
  2⤵
  PID:6724
- C:\Windows\System\PZTokxQ.exe
  C:\Windows\System\PZTokxQ.exe
  2⤵
  PID:6744
- C:\Windows\System\KqilsrI.exe
  C:\Windows\System\KqilsrI.exe
  2⤵
  PID:6784
- C:\Windows\System\UrhNBiy.exe
  C:\Windows\System\UrhNBiy.exe
  2⤵
  PID:6812
- C:\Windows\System\PfDetnG.exe
  C:\Windows\System\PfDetnG.exe
  2⤵
  PID:6844
- C:\Windows\System\udqIyPd.exe
  C:\Windows\System\udqIyPd.exe
  2⤵
  PID:6876
- C:\Windows\System\IVscOTD.exe
  C:\Windows\System\IVscOTD.exe
  2⤵
  PID:6904
- C:\Windows\System\MlSgeBp.exe
  C:\Windows\System\MlSgeBp.exe
  2⤵
  PID:6940
- C:\Windows\System\pXuAwrh.exe
  C:\Windows\System\pXuAwrh.exe
  2⤵
  PID:6976
- C:\Windows\System\IgKISOl.exe
  C:\Windows\System\IgKISOl.exe
  2⤵
  PID:7004
- C:\Windows\System\qTgOvLq.exe
  C:\Windows\System\qTgOvLq.exe
  2⤵
  PID:7044
- C:\Windows\System\ciLkqwh.exe
  C:\Windows\System\ciLkqwh.exe
  2⤵
  PID:7072
- C:\Windows\System\tYwuJky.exe
  C:\Windows\System\tYwuJky.exe
  2⤵
  PID:7100
- C:\Windows\System\aHsdDoF.exe
  C:\Windows\System\aHsdDoF.exe
  2⤵
  PID:7124
- C:\Windows\System\oMwCUvs.exe
  C:\Windows\System\oMwCUvs.exe
  2⤵
  PID:7156
- C:\Windows\System\PfoSlJw.exe
  C:\Windows\System\PfoSlJw.exe
  2⤵
  PID:6184
- C:\Windows\System\HzMJIHt.exe
  C:\Windows\System\HzMJIHt.exe
  2⤵
  PID:6248
- C:\Windows\System\OpsPmGT.exe
  C:\Windows\System\OpsPmGT.exe
  2⤵
  PID:6324
- C:\Windows\System\zyMjyFz.exe
  C:\Windows\System\zyMjyFz.exe
  2⤵
  PID:6376
- C:\Windows\System\ODZsXRW.exe
  C:\Windows\System\ODZsXRW.exe
  2⤵
  PID:6488
- C:\Windows\System\nPjjyNo.exe
  C:\Windows\System\nPjjyNo.exe
  2⤵
  PID:6560
- C:\Windows\System\qvWfdwD.exe
  C:\Windows\System\qvWfdwD.exe
  2⤵
  PID:6652
- C:\Windows\System\SHlhUpP.exe
  C:\Windows\System\SHlhUpP.exe
  2⤵
  PID:6732
- C:\Windows\System\vTkDScQ.exe
  C:\Windows\System\vTkDScQ.exe
  2⤵
  PID:6804
- C:\Windows\System\RWmgHuu.exe
  C:\Windows\System\RWmgHuu.exe
  2⤵
  PID:6896
- C:\Windows\System\AMlUJZy.exe
  C:\Windows\System\AMlUJZy.exe
  2⤵
  PID:6972
- C:\Windows\System\xRJPsAl.exe
  C:\Windows\System\xRJPsAl.exe
  2⤵
  PID:7028
- C:\Windows\System\mqCgXaB.exe
  C:\Windows\System\mqCgXaB.exe
  2⤵
  PID:5244
- C:\Windows\System\zPyikDb.exe
  C:\Windows\System\zPyikDb.exe
  2⤵
  PID:7112
- C:\Windows\System\kPTUrCA.exe
  C:\Windows\System\kPTUrCA.exe
  2⤵
  PID:6244
- C:\Windows\System\KlXZesa.exe
  C:\Windows\System\KlXZesa.exe
  2⤵
  PID:6396
- C:\Windows\System\EAymgLh.exe
  C:\Windows\System\EAymgLh.exe
  2⤵
  PID:6624
- C:\Windows\System\nLHtEdS.exe
  C:\Windows\System\nLHtEdS.exe
  2⤵
  PID:6836
- C:\Windows\System\VPNaKSA.exe
  C:\Windows\System\VPNaKSA.exe
  2⤵
  PID:7068
- C:\Windows\System\KnMjdql.exe
  C:\Windows\System\KnMjdql.exe
  2⤵
  PID:6240
- C:\Windows\System\RCsOMRN.exe
  C:\Windows\System\RCsOMRN.exe
  2⤵
  PID:6720
- C:\Windows\System\tnLtLMh.exe
  C:\Windows\System\tnLtLMh.exe
  2⤵
  PID:6220
- C:\Windows\System\rXihYhk.exe
  C:\Windows\System\rXihYhk.exe
  2⤵
  PID:7196
- C:\Windows\System\giVwGUp.exe
  C:\Windows\System\giVwGUp.exe
  2⤵
  PID:7236
- C:\Windows\System\PSrVUmG.exe
  C:\Windows\System\PSrVUmG.exe
  2⤵
  PID:7260
- C:\Windows\System\SwCAGbf.exe
  C:\Windows\System\SwCAGbf.exe
  2⤵
  PID:7288
- C:\Windows\System\mHAaKoh.exe
  C:\Windows\System\mHAaKoh.exe
  2⤵
  PID:7328
- C:\Windows\System\vLtqTdD.exe
  C:\Windows\System\vLtqTdD.exe
  2⤵
  PID:7380
- C:\Windows\System\TsiNEZe.exe
  C:\Windows\System\TsiNEZe.exe
  2⤵
  PID:7428
- C:\Windows\System\faQjCyn.exe
  C:\Windows\System\faQjCyn.exe
  2⤵
  PID:7460
- C:\Windows\System\SWFckrQ.exe
  C:\Windows\System\SWFckrQ.exe
  2⤵
  PID:7500
- C:\Windows\System\jvpmqAe.exe
  C:\Windows\System\jvpmqAe.exe
  2⤵
  PID:7524
- C:\Windows\System\KmevgHi.exe
  C:\Windows\System\KmevgHi.exe
  2⤵
  PID:7556
- C:\Windows\System\xKLHReQ.exe
  C:\Windows\System\xKLHReQ.exe
  2⤵
  PID:7584
- C:\Windows\System\SvOBfND.exe
  C:\Windows\System\SvOBfND.exe
  2⤵
  PID:7612
- C:\Windows\System\MujOnsK.exe
  C:\Windows\System\MujOnsK.exe
  2⤵
  PID:7640
- C:\Windows\System\ofuwFbz.exe
  C:\Windows\System\ofuwFbz.exe
  2⤵
  PID:7660
- C:\Windows\System\yQPFTJo.exe
  C:\Windows\System\yQPFTJo.exe
  2⤵
  PID:7692
- C:\Windows\System\wtLKVLT.exe
  C:\Windows\System\wtLKVLT.exe
  2⤵
  PID:7720
- C:\Windows\System\UubFYEL.exe
  C:\Windows\System\UubFYEL.exe
  2⤵
  PID:7740
- C:\Windows\System\eyLnhgz.exe
  C:\Windows\System\eyLnhgz.exe
  2⤵
  PID:7776
- C:\Windows\System\yAbggFN.exe
  C:\Windows\System\yAbggFN.exe
  2⤵
  PID:7800
- C:\Windows\System\KoiXjAN.exe
  C:\Windows\System\KoiXjAN.exe
  2⤵
  PID:7848
- C:\Windows\System\SpSuSsI.exe
  C:\Windows\System\SpSuSsI.exe
  2⤵
  PID:7880
- C:\Windows\System\oRZLTEe.exe
  C:\Windows\System\oRZLTEe.exe
  2⤵
  PID:7908
- C:\Windows\System\AyXsSvR.exe
  C:\Windows\System\AyXsSvR.exe
  2⤵
  PID:7932
- C:\Windows\System\pkWveJt.exe
  C:\Windows\System\pkWveJt.exe
  2⤵
  PID:7960
- C:\Windows\System\wnpRdyq.exe
  C:\Windows\System\wnpRdyq.exe
  2⤵
  PID:7984
- C:\Windows\System\mGZGUxV.exe
  C:\Windows\System\mGZGUxV.exe
  2⤵
  PID:8004
- C:\Windows\System\OYjwoXC.exe
  C:\Windows\System\OYjwoXC.exe
  2⤵
  PID:8044
- C:\Windows\System\nToVIgy.exe
  C:\Windows\System\nToVIgy.exe
  2⤵
  PID:8068
- C:\Windows\System\BHjxsaL.exe
  C:\Windows\System\BHjxsaL.exe
  2⤵
  PID:8100
- C:\Windows\System\TlGjVIM.exe
  C:\Windows\System\TlGjVIM.exe
  2⤵
  PID:8132
- C:\Windows\System\MotXFtH.exe
  C:\Windows\System\MotXFtH.exe
  2⤵
  PID:8172
- C:\Windows\System\qZkyLSX.exe
  C:\Windows\System\qZkyLSX.exe
  2⤵
  PID:7224
- C:\Windows\System\hScfEqT.exe
  C:\Windows\System\hScfEqT.exe
  2⤵
  PID:7280
- C:\Windows\System\NKymzAB.exe
  C:\Windows\System\NKymzAB.exe
  2⤵
  PID:7376
- C:\Windows\System\XKcSJLD.exe
  C:\Windows\System\XKcSJLD.exe
  2⤵
  PID:7480
- C:\Windows\System\NhYnQSr.exe
  C:\Windows\System\NhYnQSr.exe
  2⤵
  PID:7576
- C:\Windows\System\isPAJrP.exe
  C:\Windows\System\isPAJrP.exe
  2⤵
  PID:7632
- C:\Windows\System\DfqZHzu.exe
  C:\Windows\System\DfqZHzu.exe
  2⤵
  PID:7704
- C:\Windows\System\VhCiILB.exe
  C:\Windows\System\VhCiILB.exe
  2⤵
  PID:7760
- C:\Windows\System\kCieIWv.exe
  C:\Windows\System\kCieIWv.exe
  2⤵
  PID:7828
- C:\Windows\System\VWFfofd.exe
  C:\Windows\System\VWFfofd.exe
  2⤵
  PID:7892
- C:\Windows\System\ZzqKNhm.exe
  C:\Windows\System\ZzqKNhm.exe
  2⤵
  PID:7944
- C:\Windows\System\UgUmaaK.exe
  C:\Windows\System\UgUmaaK.exe
  2⤵
  PID:1124
- C:\Windows\System\rtrqrVL.exe
  C:\Windows\System\rtrqrVL.exe
  2⤵
  PID:8064
- C:\Windows\System\DoyPvLY.exe
  C:\Windows\System\DoyPvLY.exe
  2⤵
  PID:8148
- C:\Windows\System\ZVDKLKC.exe
  C:\Windows\System\ZVDKLKC.exe
  2⤵
  PID:7252
- C:\Windows\System\DRuWmnT.exe
  C:\Windows\System\DRuWmnT.exe
  2⤵
  PID:7452
- C:\Windows\System\gFEvgjg.exe
  C:\Windows\System\gFEvgjg.exe
  2⤵
  PID:7608
- C:\Windows\System\ZhZwwWX.exe
  C:\Windows\System\ZhZwwWX.exe
  2⤵
  PID:7768
- C:\Windows\System\BeijPIj.exe
  C:\Windows\System\BeijPIj.exe
  2⤵
  PID:7940
- C:\Windows\System\aZNjdsu.exe
  C:\Windows\System\aZNjdsu.exe
  2⤵
  PID:8112
- C:\Windows\System\OtuSozU.exe
  C:\Windows\System\OtuSozU.exe
  2⤵
  PID:7324
- C:\Windows\System\vbcbBAn.exe
  C:\Windows\System\vbcbBAn.exe
  2⤵
  PID:7712
- C:\Windows\System\wiCQxrg.exe
  C:\Windows\System\wiCQxrg.exe
  2⤵
  PID:8076
- C:\Windows\System\fokKCBm.exe
  C:\Windows\System\fokKCBm.exe
  2⤵
  PID:7680
- C:\Windows\System\JUefPmD.exe
  C:\Windows\System\JUefPmD.exe
  2⤵
  PID:7540
- C:\Windows\System\rwtLmcE.exe
  C:\Windows\System\rwtLmcE.exe
  2⤵
  PID:8224
- C:\Windows\System\mFtGoSx.exe
  C:\Windows\System\mFtGoSx.exe
  2⤵
  PID:8252
- C:\Windows\System\vCzUGFH.exe
  C:\Windows\System\vCzUGFH.exe
  2⤵
  PID:8280
- C:\Windows\System\ZjwupRE.exe
  C:\Windows\System\ZjwupRE.exe
  2⤵
  PID:8308
- C:\Windows\System\tAjqrNv.exe
  C:\Windows\System\tAjqrNv.exe
  2⤵
  PID:8336
- C:\Windows\System\dZKazyR.exe
  C:\Windows\System\dZKazyR.exe
  2⤵
  PID:8368
- C:\Windows\System\HgVYJrM.exe
  C:\Windows\System\HgVYJrM.exe
  2⤵
  PID:8396
- C:\Windows\System\OAhQnKk.exe
  C:\Windows\System\OAhQnKk.exe
  2⤵
  PID:8424
- C:\Windows\System\UGTxcyQ.exe
  C:\Windows\System\UGTxcyQ.exe
  2⤵
  PID:8452
- C:\Windows\System\gyoCUkJ.exe
  C:\Windows\System\gyoCUkJ.exe
  2⤵
  PID:8480
- C:\Windows\System\WIgJrJn.exe
  C:\Windows\System\WIgJrJn.exe
  2⤵
  PID:8508
- C:\Windows\System\splOKNU.exe
  C:\Windows\System\splOKNU.exe
  2⤵
  PID:8536
- C:\Windows\System\xtgCJnL.exe
  C:\Windows\System\xtgCJnL.exe
  2⤵
  PID:8564
- C:\Windows\System\Glkifkz.exe
  C:\Windows\System\Glkifkz.exe
  2⤵
  PID:8596
- C:\Windows\System\bpJeJFM.exe
  C:\Windows\System\bpJeJFM.exe
  2⤵
  PID:8624
- C:\Windows\System\EHrFGKa.exe
  C:\Windows\System\EHrFGKa.exe
  2⤵
  PID:8656
- C:\Windows\System\VZyvAdU.exe
  C:\Windows\System\VZyvAdU.exe
  2⤵
  PID:8684
- C:\Windows\System\OPrjPYF.exe
  C:\Windows\System\OPrjPYF.exe
  2⤵
  PID:8712
- C:\Windows\System\qNWARZd.exe
  C:\Windows\System\qNWARZd.exe
  2⤵
  PID:8740
- C:\Windows\System\zRzTAsC.exe
  C:\Windows\System\zRzTAsC.exe
  2⤵
  PID:8760
- C:\Windows\System\sAFdevf.exe
  C:\Windows\System\sAFdevf.exe
  2⤵
  PID:8796
- C:\Windows\System\VFRAYmt.exe
  C:\Windows\System\VFRAYmt.exe
  2⤵
  PID:8824
- C:\Windows\System\byVIhMk.exe
  C:\Windows\System\byVIhMk.exe
  2⤵
  PID:8852
- C:\Windows\System\IXBPTEe.exe
  C:\Windows\System\IXBPTEe.exe
  2⤵
  PID:8880
- C:\Windows\System\SVBrlRy.exe
  C:\Windows\System\SVBrlRy.exe
  2⤵
  PID:8908
- C:\Windows\System\TPepigM.exe
  C:\Windows\System\TPepigM.exe
  2⤵
  PID:8936
- C:\Windows\System\KzPsVwc.exe
  C:\Windows\System\KzPsVwc.exe
  2⤵
  PID:8960
- C:\Windows\System\qxuqxPr.exe
  C:\Windows\System\qxuqxPr.exe
  2⤵
  PID:8980
- C:\Windows\System\SsCcjKL.exe
  C:\Windows\System\SsCcjKL.exe
  2⤵
  PID:9008
- C:\Windows\System\msvDWZI.exe
  C:\Windows\System\msvDWZI.exe
  2⤵
  PID:9040
- C:\Windows\System\DOQDsUL.exe
  C:\Windows\System\DOQDsUL.exe
  2⤵
  PID:9064
- C:\Windows\System\eocSUFM.exe
  C:\Windows\System\eocSUFM.exe
  2⤵
  PID:9104
- C:\Windows\System\yyaAfrl.exe
  C:\Windows\System\yyaAfrl.exe
  2⤵
  PID:9132
- C:\Windows\System\VUkTHet.exe
  C:\Windows\System\VUkTHet.exe
  2⤵
  PID:9160
- C:\Windows\System\umaLLDE.exe
  C:\Windows\System\umaLLDE.exe
  2⤵
  PID:9188
- C:\Windows\System\TJQLvxo.exe
  C:\Windows\System\TJQLvxo.exe
  2⤵
  PID:8196
- C:\Windows\System\tHMHyqt.exe
  C:\Windows\System\tHMHyqt.exe
  2⤵
  PID:8236
- C:\Windows\System\xVklizR.exe
  C:\Windows\System\xVklizR.exe
  2⤵
  PID:8300
- C:\Windows\System\btnKymv.exe
  C:\Windows\System\btnKymv.exe
  2⤵
  PID:8364
- C:\Windows\System\zrofyRD.exe
  C:\Windows\System\zrofyRD.exe
  2⤵
  PID:8448
- C:\Windows\System\IUUOOXk.exe
  C:\Windows\System\IUUOOXk.exe
  2⤵
  PID:8500
- C:\Windows\System\hcdpsKj.exe
  C:\Windows\System\hcdpsKj.exe
  2⤵
  PID:2536
- C:\Windows\System\xTTAJeJ.exe
  C:\Windows\System\xTTAJeJ.exe
  2⤵
  PID:8612
- C:\Windows\System\wDNbKwr.exe
  C:\Windows\System\wDNbKwr.exe
  2⤵
  PID:8680
- C:\Windows\System\efUOzXV.exe
  C:\Windows\System\efUOzXV.exe
  2⤵
  PID:2612
- C:\Windows\System\aOzagqj.exe
  C:\Windows\System\aOzagqj.exe
  2⤵
  PID:8792
- C:\Windows\System\dSITrVd.exe
  C:\Windows\System\dSITrVd.exe
  2⤵
  PID:8864
- C:\Windows\System\qSjZbZM.exe
  C:\Windows\System\qSjZbZM.exe
  2⤵
  PID:8920
- C:\Windows\System\UoKUImf.exe
  C:\Windows\System\UoKUImf.exe
  2⤵
  PID:8968
- C:\Windows\System\PYXiana.exe
  C:\Windows\System\PYXiana.exe
  2⤵
  PID:9020
- C:\Windows\System\xflqExG.exe
  C:\Windows\System\xflqExG.exe
  2⤵
  PID:9092
- C:\Windows\System\bsxDsDc.exe
  C:\Windows\System\bsxDsDc.exe
  2⤵
  PID:9172
- C:\Windows\System\AdOiIeJ.exe
  C:\Windows\System\AdOiIeJ.exe
  2⤵
  PID:8220
- C:\Windows\System\klXcBjJ.exe
  C:\Windows\System\klXcBjJ.exe
  2⤵
  PID:8356
- C:\Windows\System\qHErrjw.exe
  C:\Windows\System\qHErrjw.exe
  2⤵
  PID:8592
- C:\Windows\System\nULOyKF.exe
  C:\Windows\System\nULOyKF.exe
  2⤵
  PID:8728
- C:\Windows\System\DzpwJmh.exe
  C:\Windows\System\DzpwJmh.exe
  2⤵
  PID:8844
- C:\Windows\System\hKPxOGX.exe
  C:\Windows\System\hKPxOGX.exe
  2⤵
  PID:9024
- C:\Windows\System\NhGAJGO.exe
  C:\Windows\System\NhGAJGO.exe
  2⤵
  PID:9144
- C:\Windows\System\EleRRib.exe
  C:\Windows\System\EleRRib.exe
  2⤵
  PID:8276
- C:\Windows\System\pQczlUI.exe
  C:\Windows\System\pQczlUI.exe
  2⤵
  PID:8652
- C:\Windows\System\CAoElfF.exe
  C:\Windows\System\CAoElfF.exe
  2⤵
  PID:2988
- C:\Windows\System\VqKPZhv.exe
  C:\Windows\System\VqKPZhv.exe
  2⤵
  PID:4760
- C:\Windows\System\rDPSuim.exe
  C:\Windows\System\rDPSuim.exe
  2⤵
  PID:9100
- C:\Windows\System\aCqmKqY.exe
  C:\Windows\System\aCqmKqY.exe
  2⤵
  PID:9220
- C:\Windows\System\jWrEREC.exe
  C:\Windows\System\jWrEREC.exe
  2⤵
  PID:9248
- C:\Windows\System\EXsnfhw.exe
  C:\Windows\System\EXsnfhw.exe
  2⤵
  PID:9272
- C:\Windows\System\kTaStNC.exe
  C:\Windows\System\kTaStNC.exe
  2⤵
  PID:9304
- C:\Windows\System\FnXoHJp.exe
  C:\Windows\System\FnXoHJp.exe
  2⤵
  PID:9336
- C:\Windows\System\HeRBsTx.exe
  C:\Windows\System\HeRBsTx.exe
  2⤵
  PID:9360
- C:\Windows\System\ElOPUdY.exe
  C:\Windows\System\ElOPUdY.exe
  2⤵
  PID:9396
- C:\Windows\System\djVLijy.exe
  C:\Windows\System\djVLijy.exe
  2⤵
  PID:9420
- C:\Windows\System\KWVLGCk.exe
  C:\Windows\System\KWVLGCk.exe
  2⤵
  PID:9452
- C:\Windows\System\XZNwlBl.exe
  C:\Windows\System\XZNwlBl.exe
  2⤵
  PID:9472
- C:\Windows\System\WyccuHP.exe
  C:\Windows\System\WyccuHP.exe
  2⤵
  PID:9508
- C:\Windows\System\pfXDqMI.exe
  C:\Windows\System\pfXDqMI.exe
  2⤵
  PID:9528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AechukS.exe

Filesize
512KB

MD5
0b4145c2cc110331e4da5e560102704d

SHA1
c566b9a6ceb44b7f1c214b316c08f6bec9d9b2b1

SHA256
45685ced1acb15c50a2e82577fa387cda30481d8f7a525239c32c5f5bf6e48b4

SHA512
abf913119d63f487a6aab21c7aef0828fd1abea0d0c9a3b66bf2a375882b42bf9f76fd9b59dbd74e92020f35616ebd4ca75dc1ea4b5b55a7e8ed17cc28d58dc6

Download Submit
C:\Windows\System\AechukS.exe

Filesize
2.0MB

MD5
363f3cb003d18317a2d8d77f54ccec03

SHA1
2803668981d5da562348828d08e7c5d754e12f42

SHA256
0387960456f46091de51d2deb0c577f8dccc9ca940f7c88b4cc37670f95ee371

SHA512
601e4ca76fa093d875b7b19f4ad108c764c0af9f6e730c516b37383d030f46d3129c06ddee945b1fed7b9283a6237e7a7dcdd249fa6bd72b6442799a809aba4e

Download Submit
C:\Windows\System\BTMWgNb.exe

Filesize
2.0MB

MD5
731b07d8bfa7d47f297c769e97a9a178

SHA1
ff684b7f64d9d88713c655ec0ba4806923378aec

SHA256
b31b94b23cd69c936c0381cbce2375631dc5023f342415c04c2b2281f811fae4

SHA512
31119fc677557846582cf15b90f46970f7de1bdfde2f8781987475ca25034d09371d9f7e51ae7418fa9ca5a1212ab1b05378b9f42d0c3fd8e616946564b5e68f

Download Submit
C:\Windows\System\HOphxJK.exe

Filesize
2.0MB

MD5
c86db0d47b23f7ee816e49bff9f2efcf

SHA1
fa9bcb0060a4d1ab5506eb9c59f9fd9b9063c3b4

SHA256
42dd2fd272eb778e8c9019e50fc289bb0cfc02a2e794fde8e21e1c6f66d1c4f4

SHA512
e5681099d8ecb2c4abfd74c3239c26e8f6043329549d4ecaf465cbd64f0a615ff70642600b43efe6400bc58ca540fc396e8c6e277ea5d600ccfdb420c1f88d17

Download Submit
C:\Windows\System\IPcPsRL.exe

Filesize
1.2MB

MD5
d25c1fdeb22cc98157fde0aa46096600

SHA1
c2a0b0b2db64a7038d39c7f82f9bb5f396508c50

SHA256
7511aa59c4e02f472bc3d1c90613df12ace1da195fe4e4fe3e606ef30c5cfc1b

SHA512
c5b07e576611c900a1045082c72693ee7834d636439b4c11ad26ce83d1b5455a5af406e559e4b9349a4334111ff760a9a61fc21d4a0a18d7d83c80cf35198cc7

Download Submit
C:\Windows\System\JiPtgRz.exe

Filesize
2.0MB

MD5
76dc0affb33ac92c01948ae46a4d501a

SHA1
ac76b45db2585c8da1761ce47d363420195313dc

SHA256
877f61a82b79c1157396cf2f663cd74f01ec1d7056926024c0874be45d6064a8

SHA512
72d24cb1b6abdb538b8c0b16218924f686977ecd275027bdc9858e2b1a3e150546507b56c6673f46388d14f08c0bdb4879699afdc4912321fb46f4cbd5a9faaa

Download Submit
C:\Windows\System\iKMKFvv.exe

Filesize
2.0MB

MD5
f1ec221f343a387bacb1541254cfea14

SHA1
73563c39c5a25df3323788017c73f0f0aa6e4b2b

SHA256
ec84a2b8b70fd7d90b72243eaedd064614567672f8091fcab4a99dc062196ee3

SHA512
3a3443e10f99493614467d376f8921b08e04718d92dc155baabf57f2c1c1fdb925108795c3876c863666d9d8edbc34c288726dde8db357e262c70065ce31aab5

Download Submit
C:\Windows\System\lJeKKIv.exe

Filesize
2.0MB

MD5
4ff5b749dcb83e2cb01f6db9f7440c56

SHA1
877ee49f9ba958b4b9c9a1f2e660fd769a67b1e2

SHA256
d15f74280c2223c9002f6dbd0f13390358f9e751ffa3c503b2eb304f37a79c57

SHA512
9ce57c51b1284cd1676e822e8701444f6fe06e3cbbc14099a86fb28b301361158704a7d239ddb44dbf0aedc2abb4de4e9230828b6208301d96d55079b34f5262

Download Submit
C:\Windows\System\nlbyyDI.exe

Filesize
448KB

MD5
460a560d9343614b4f5d3d4dba3f4ee8

SHA1
b7e4e11f7bd5df3f2363cf6c1fa4d5ae53e0122e

SHA256
fd744e6808c52535a94243828181a8d013638b8f8817cf398b9172e0ee7b110d

SHA512
1f115a8993e51d1f37533d08960597baad579468fd9fc33ed73870d8dbecffbacf74c482d28ec7d6893e63aba21811f0abf2dfee545d005b933bc73799ad2c80

Download Submit
C:\Windows\System\orGcNCT.exe

Filesize
576KB

MD5
127f4866c00e3ecb45b1d23b1d0c741c

SHA1
bbd6a9cffc79a79bd90d816b9900c68bfca18543

SHA256
bcc97a96b21714501a1a73d093ecbf16bebdde5c4d96059fba2ad80c8b5330a5

SHA512
c7527a9f1edae2d067417b282065ad27153e8fbc1423f8998711e828f7b5c2f6434c8cd15eb1be193ec5e0e78c50d3413aca371edb5d76738fe331728ad68c91

Download Submit
C:\Windows\System\orGcNCT.exe

Filesize
192KB

MD5
9b577ffff6c1f5ffff7f64441d883431

SHA1
10ba0bbbec3c90794664c7d383f12f8e5eb6c74b

SHA256
91f3e82906a538100a99ed926f9fc65724c6b25f34a3a65f82125b966c8582db

SHA512
f8bb3727a9f20749433ece4d83348bcfd5e5e28efa7ccba238d5a6d724481df6d5f37b94f4ffcea847376be6b1b47a9ca7c6e243f6823afe20547eef85d0ed8f

Download Submit
C:\Windows\System\qGDaaQy.exe

Filesize
384KB

MD5
c82368624fc0cbc229c201ce1985bc94

SHA1
ee5f9762a48551b4aca0f410ce58ba6b3a31c5e7

SHA256
931c951679eb1fb702111027aabfe5c2dbae5ee0133b51e3a18f5413cb866a95

SHA512
a02b7bbdc00adbf81d06cac9c2ff95404ee7daaf391f997518b816e211a80c24bef9f62cfffbf4467be156c5ab3f90c9c19fabf63f6e25a559ab78ca4191369f

Download Submit
C:\Windows\System\vsVBewf.exe

Filesize
128KB

MD5
6f79929539cf65dcb1e405ed0a538ec1

SHA1
46963681601be609a978fb70a544460fdecbb830

SHA256
8292e8db4cea39d46d950b64cc55f87ab625ecdebcbe27f469743b8d918b78e8

SHA512
e991eb3fcf3d9e8bf2f4b7d6bc5ccb92f66bf173e56c3693b2cbd12083aeda0fcdb439b0c82e3da3f8abfa3d37b16394bcf458c3b338809e1ffa376eff9aa3d0

Download Submit
C:\Windows\System\ybWKuNa.exe

Filesize
832KB

MD5
ce178bd72ed852cee68a120a1b1fdee8

SHA1
450b4db3f97e0fa9cf2857aacb158ac3998799fc

SHA256
09942dda717225533b45ca8503ef26ec7ce53502b28a59820843418dd9c55e48

SHA512
ac11f5d8bd6a4cdcaadc561628f8aa1e827b567dbb06f407fecd65c0ccc957413ba3aabab14edce8306016a228274a4e07c6e80f331f04c7c924977540fcd45f

Download Submit
memory/456-77-0x00007FF6E3B50000-0x00007FF6E3EA4000-memory.dmp

Filesize
3.3MB

Download
memory/456-1089-0x00007FF6E3B50000-0x00007FF6E3EA4000-memory.dmp

Filesize
3.3MB

Download
memory/688-9-0x00007FF6C9D10000-0x00007FF6CA064000-memory.dmp

Filesize
3.3MB

Download
memory/688-578-0x00007FF6C9D10000-0x00007FF6CA064000-memory.dmp

Filesize
3.3MB

Download
memory/688-1079-0x00007FF6C9D10000-0x00007FF6CA064000-memory.dmp

Filesize
3.3MB

Download
memory/792-191-0x00007FF75E660000-0x00007FF75E9B4000-memory.dmp

Filesize
3.3MB

Download
memory/792-1101-0x00007FF75E660000-0x00007FF75E9B4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-1102-0x00007FF650160000-0x00007FF6504B4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-188-0x00007FF650160000-0x00007FF6504B4000-memory.dmp

Filesize
3.3MB

Download
memory/1132-1078-0x00007FF62DE70000-0x00007FF62E1C4000-memory.dmp

Filesize
3.3MB

Download
memory/1132-1104-0x00007FF62DE70000-0x00007FF62E1C4000-memory.dmp

Filesize
3.3MB

Download
memory/1132-148-0x00007FF62DE70000-0x00007FF62E1C4000-memory.dmp

Filesize
3.3MB

Download
memory/1484-1092-0x00007FF715920000-0x00007FF715C74000-memory.dmp

Filesize
3.3MB

Download
memory/1484-112-0x00007FF715920000-0x00007FF715C74000-memory.dmp

Filesize
3.3MB

Download
memory/1516-1081-0x00007FF62DB50000-0x00007FF62DEA4000-memory.dmp

Filesize
3.3MB

Download
memory/1516-23-0x00007FF62DB50000-0x00007FF62DEA4000-memory.dmp

Filesize
3.3MB

Download
memory/1824-1075-0x00007FF76B7E0000-0x00007FF76BB34000-memory.dmp

Filesize
3.3MB

Download
memory/1824-1095-0x00007FF76B7E0000-0x00007FF76BB34000-memory.dmp

Filesize
3.3MB

Download
memory/1824-96-0x00007FF76B7E0000-0x00007FF76BB34000-memory.dmp

Filesize
3.3MB

Download
memory/2252-1098-0x00007FF750A60000-0x00007FF750DB4000-memory.dmp

Filesize
3.3MB

Download
memory/2252-202-0x00007FF750A60000-0x00007FF750DB4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-1072-0x00007FF77D960000-0x00007FF77DCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-1084-0x00007FF77D960000-0x00007FF77DCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-37-0x00007FF77D960000-0x00007FF77DCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2868-1099-0x00007FF768270000-0x00007FF7685C4000-memory.dmp

Filesize
3.3MB

Download
memory/2868-176-0x00007FF768270000-0x00007FF7685C4000-memory.dmp

Filesize
3.3MB

Download
memory/2872-1085-0x00007FF60CE80000-0x00007FF60D1D4000-memory.dmp

Filesize
3.3MB

Download
memory/2872-59-0x00007FF60CE80000-0x00007FF60D1D4000-memory.dmp

Filesize
3.3MB

Download
memory/2880-198-0x00007FF791CC0000-0x00007FF792014000-memory.dmp

Filesize
3.3MB

Download
memory/2880-1096-0x00007FF791CC0000-0x00007FF792014000-memory.dmp

Filesize
3.3MB

Download
memory/3132-1093-0x00007FF6C78F0000-0x00007FF6C7C44000-memory.dmp

Filesize
3.3MB

Download
memory/3132-85-0x00007FF6C78F0000-0x00007FF6C7C44000-memory.dmp

Filesize
3.3MB

Download
memory/3132-1074-0x00007FF6C78F0000-0x00007FF6C7C44000-memory.dmp

Filesize
3.3MB

Download
memory/3136-220-0x00007FF650BE0000-0x00007FF650F34000-memory.dmp

Filesize
3.3MB

Download
memory/3136-1107-0x00007FF650BE0000-0x00007FF650F34000-memory.dmp

Filesize
3.3MB

Download
memory/3232-227-0x00007FF6AF810000-0x00007FF6AFB64000-memory.dmp

Filesize
3.3MB

Download
memory/3232-1097-0x00007FF6AF810000-0x00007FF6AFB64000-memory.dmp

Filesize
3.3MB

Download
memory/3240-1105-0x00007FF62E5B0000-0x00007FF62E904000-memory.dmp

Filesize
3.3MB

Download
memory/3240-213-0x00007FF62E5B0000-0x00007FF62E904000-memory.dmp

Filesize
3.3MB

Download
memory/3612-64-0x00007FF7BB960000-0x00007FF7BBCB4000-memory.dmp

Filesize
3.3MB

Download
memory/3612-1086-0x00007FF7BB960000-0x00007FF7BBCB4000-memory.dmp

Filesize
3.3MB

Download
memory/3668-185-0x00007FF74F310000-0x00007FF74F664000-memory.dmp

Filesize
3.3MB

Download
memory/3668-1100-0x00007FF74F310000-0x00007FF74F664000-memory.dmp

Filesize
3.3MB

Download
memory/3688-1087-0x00007FF72BE50000-0x00007FF72C1A4000-memory.dmp

Filesize
3.3MB

Download
memory/3688-54-0x00007FF72BE50000-0x00007FF72C1A4000-memory.dmp

Filesize
3.3MB

Download
memory/3688-1073-0x00007FF72BE50000-0x00007FF72C1A4000-memory.dmp

Filesize
3.3MB

Download
memory/3788-1077-0x00007FF797EA0000-0x00007FF7981F4000-memory.dmp

Filesize
3.3MB

Download
memory/3788-138-0x00007FF797EA0000-0x00007FF7981F4000-memory.dmp

Filesize
3.3MB

Download
memory/3788-1106-0x00007FF797EA0000-0x00007FF7981F4000-memory.dmp

Filesize
3.3MB

Download
memory/3992-1080-0x00007FF63F290000-0x00007FF63F5E4000-memory.dmp

Filesize
3.3MB

Download
memory/3992-19-0x00007FF63F290000-0x00007FF63F5E4000-memory.dmp

Filesize
3.3MB

Download
memory/4220-206-0x00007FF6E6E70000-0x00007FF6E71C4000-memory.dmp

Filesize
3.3MB

Download
memory/4220-1103-0x00007FF6E6E70000-0x00007FF6E71C4000-memory.dmp

Filesize
3.3MB

Download
memory/4388-1071-0x00007FF7E0F40000-0x00007FF7E1294000-memory.dmp

Filesize
3.3MB

Download
memory/4388-27-0x00007FF7E0F40000-0x00007FF7E1294000-memory.dmp

Filesize
3.3MB

Download
memory/4388-1083-0x00007FF7E0F40000-0x00007FF7E1294000-memory.dmp

Filesize
3.3MB

Download
memory/4504-70-0x00007FF78F480000-0x00007FF78F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/4504-1088-0x00007FF78F480000-0x00007FF78F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/4552-1082-0x00007FF6BA160000-0x00007FF6BA4B4000-memory.dmp

Filesize
3.3MB

Download
memory/4552-46-0x00007FF6BA160000-0x00007FF6BA4B4000-memory.dmp

Filesize
3.3MB

Download
memory/4580-1094-0x00007FF6F77F0000-0x00007FF6F7B44000-memory.dmp

Filesize
3.3MB

Download
memory/4580-1076-0x00007FF6F77F0000-0x00007FF6F7B44000-memory.dmp

Filesize
3.3MB

Download
memory/4580-105-0x00007FF6F77F0000-0x00007FF6F7B44000-memory.dmp

Filesize
3.3MB

Download
memory/4824-1-0x00000276407A0000-0x00000276407B0000-memory.dmp

Filesize
64KB

Download
memory/4824-195-0x00007FF749BB0000-0x00007FF749F04000-memory.dmp

Filesize
3.3MB

Download
memory/4824-0-0x00007FF749BB0000-0x00007FF749F04000-memory.dmp

Filesize
3.3MB

Download
memory/5048-97-0x00007FF7E3B60000-0x00007FF7E3EB4000-memory.dmp

Filesize
3.3MB

Download
memory/5048-1090-0x00007FF7E3B60000-0x00007FF7E3EB4000-memory.dmp

Filesize
3.3MB

Download
memory/5092-122-0x00007FF660570000-0x00007FF6608C4000-memory.dmp

Filesize
3.3MB

Download
memory/5092-1091-0x00007FF660570000-0x00007FF6608C4000-memory.dmp

Filesize
3.3MB

Download