kpot | dd4a91f25d16c780f87270de2ad0a3ef56666a1c5640b3f230e7000978ab1c72

Analysis

max time kernel
128s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
Size

2.0MB
MD5

64da800ac4d444e6aee34a08c88ebbf0
SHA1

e49da70ecb17082d6e67c47370b2f5116d73e105
SHA256

dd4a91f25d16c780f87270de2ad0a3ef56666a1c5640b3f230e7000978ab1c72
SHA512

2ebb0e996515821c177dda5f195456b468db862dffbe84beb85b0a287ceee8a6747b041b2811abfd0afc64e08115b1c777bc6ea60769ab5415dd148b4988ec62
SSDEEP

49152:GezaTF8FcNkNdfE0pZ9oztFwIi5aIwC+Agr6S/FYqOc2a:GemTLkNdfE0pZaQi

Score

10^/10

kpot xmrig miner stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 15 IoCs

resource	yara_rule
behavioral1/files/0x000d000000014267-2.dat	family_kpot
behavioral1/files/0x000900000001441e-9.dat	family_kpot
behavioral1/files/0x000800000001466c-12.dat	family_kpot
behavioral1/files/0x000900000001445e-19.dat	family_kpot
behavioral1/files/0x0007000000014698-25.dat	family_kpot
behavioral1/files/0x0007000000014738-27.dat	family_kpot
behavioral1/files/0x0007000000014909-32.dat	family_kpot
behavioral1/files/0x0009000000014a94-39.dat	family_kpot
behavioral1/files/0x000600000001560a-44.dat	family_kpot
behavioral1/files/0x0006000000015a2d-45.dat	family_kpot
behavioral1/files/0x0006000000015a98-51.dat	family_kpot
behavioral1/files/0x0006000000015c0d-55.dat	family_kpot
behavioral1/files/0x0006000000015c23-59.dat	family_kpot
behavioral1/files/0x0006000000015c2f-63.dat	family_kpot
behavioral1/files/0x0006000000015c3c-65.dat	family_kpot

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral1/files/0x000d000000014267-2.dat	xmrig
behavioral1/files/0x000900000001441e-9.dat	xmrig
behavioral1/files/0x000800000001466c-12.dat	xmrig
behavioral1/files/0x000900000001445e-19.dat	xmrig
behavioral1/files/0x0007000000014698-25.dat	xmrig
behavioral1/files/0x0007000000014738-27.dat	xmrig
behavioral1/files/0x0007000000014909-32.dat	xmrig
behavioral1/files/0x0009000000014a94-39.dat	xmrig
behavioral1/files/0x000600000001560a-44.dat	xmrig
behavioral1/files/0x0006000000015a2d-45.dat	xmrig
behavioral1/files/0x0006000000015a98-51.dat	xmrig
behavioral1/files/0x0006000000015c0d-55.dat	xmrig
behavioral1/files/0x0006000000015c23-59.dat	xmrig
behavioral1/files/0x0006000000015c2f-63.dat	xmrig
behavioral1/files/0x0006000000015c3c-65.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1448	gvhnVPl.exe
1904	IzUrfGW.exe
1296	ytOzZFU.exe
2652	hbEtUwk.exe
2524	vNCsNKn.exe
2612	SjBAnEO.exe
2708	zfStxWo.exe
2876	gneCxkg.exe
2412	LfXeEyV.exe
2664	LiyJxoc.exe
2156	VZkHDLg.exe
2548	nJDlayg.exe
656	XDTMnLT.exe
2392	glGsvOr.exe
2452	uiOHLos.exe
2160	HYbDyJI.exe
788	mYlRaCY.exe
1108	xJMPQGK.exe
1456	MOEEnUY.exe
936	VglHFkP.exe
1992	mKvcXcI.exe
2296	LiJmAnm.exe
1924	eAbSGUY.exe
1952	gnnLahw.exe
2292	xrCRmVq.exe
828	RAJIBLU.exe
916	SGlsxvl.exe
2348	huqmWPS.exe
1508	iiTTBEC.exe
1612	qoSdjeJ.exe
2660	OstVecR.exe
2436	UcjsPrd.exe
2140	oKoEDan.exe
1956	pYPDJmd.exe
860	zfqgieK.exe
2236	gvqNAlu.exe
2988	lmuIvTb.exe
2676	qJVIwPs.exe
432	RGhMOBK.exe
2912	SYSDqqI.exe
816	nyqFzky.exe
1800	ZOlDdQM.exe
1792	YQSmCaB.exe
1600	zyBeQwI.exe
2268	mRMDRvA.exe
940	rNDsJBR.exe
2284	anDePrO.exe
1828	dqOjTKg.exe
1604	aPTMXeG.exe
1120	dPrJpdg.exe
1468	JWnYdoa.exe
3004	tXAhVUz.exe
2096	PFfUDVN.exe
2820	jgVrVnp.exe
528	XhhROSq.exe
3020	FcdhPij.exe
3048	keMCHQG.exe
1004	tSmIGbA.exe
856	vDTquxL.exe
2324	HzKazfp.exe
2844	tBkYODt.exe
2700	DpKVhBE.exe
1696	hpLTeFT.exe
1588	nAuyyYN.exe

Loads dropped DLL 64 IoCs

pid	Process
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\gvqNAlu.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\XhhROSq.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\zpopGFa.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\jAElbTT.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\GmXXVqT.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\RGhMOBK.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\SYSDqqI.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\yzQsCle.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\RCUbxhH.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\IcASffY.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\PZApreb.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\LbwmwSg.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\KhWDtXe.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\zTURhDU.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\LpNRwjb.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\HYbDyJI.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\JQsDPnd.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\uCxppUy.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\ckfRDoV.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\SGlsxvl.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\LLWiQmX.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\CfZDVQL.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\dYFGgIP.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\NFPISvW.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\HlMBogf.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\GpXYOeI.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\VnnFBEA.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\vDTquxL.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\VZTkOYo.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\tetSrsR.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\dIwSPbg.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\hXebDze.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\OwDNUTe.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\VWAPGXX.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\JWnYdoa.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\nVOpMTu.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\GuHrnpq.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\rzeVcFC.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\xWaxtHl.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\aIyjWdc.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\sCrItRN.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\LyWbjEM.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\vnNoAcc.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\acugDNl.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\pNMBWYM.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\GtnyDHD.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\nBcyiLe.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\qdgOwBF.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\bMoIRLG.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\MbXmAva.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\ZVyTlUk.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\zGCIWqt.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\TFRcFRF.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\RAJIBLU.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\oDREVWs.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\QoQQWEr.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\cDqpckV.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\pSDGXas.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\zyBeQwI.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\ffFmTXz.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\pxHtUSJ.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\MOEEnUY.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\JZTdJlH.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
File created	C:\Windows\System\koLFZoW.exe	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1448	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	29
PID 2032 wrote to memory of 1448	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	29
PID 2032 wrote to memory of 1448	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	29
PID 2032 wrote to memory of 1904	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	30
PID 2032 wrote to memory of 1904	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	30
PID 2032 wrote to memory of 1904	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	30
PID 2032 wrote to memory of 1296	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	31
PID 2032 wrote to memory of 1296	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	31
PID 2032 wrote to memory of 1296	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	31
PID 2032 wrote to memory of 2652	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	32
PID 2032 wrote to memory of 2652	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	32
PID 2032 wrote to memory of 2652	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	32
PID 2032 wrote to memory of 2524	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	33
PID 2032 wrote to memory of 2524	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	33
PID 2032 wrote to memory of 2524	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	33
PID 2032 wrote to memory of 2612	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	34
PID 2032 wrote to memory of 2612	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	34
PID 2032 wrote to memory of 2612	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	34
PID 2032 wrote to memory of 2708	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	35
PID 2032 wrote to memory of 2708	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	35
PID 2032 wrote to memory of 2708	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	35
PID 2032 wrote to memory of 2876	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	36
PID 2032 wrote to memory of 2876	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	36
PID 2032 wrote to memory of 2876	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	36
PID 2032 wrote to memory of 2412	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	37
PID 2032 wrote to memory of 2412	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	37
PID 2032 wrote to memory of 2412	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	37
PID 2032 wrote to memory of 2664	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	38
PID 2032 wrote to memory of 2664	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	38
PID 2032 wrote to memory of 2664	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	38
PID 2032 wrote to memory of 2156	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	39
PID 2032 wrote to memory of 2156	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	39
PID 2032 wrote to memory of 2156	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	39
PID 2032 wrote to memory of 2548	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	40
PID 2032 wrote to memory of 2548	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	40
PID 2032 wrote to memory of 2548	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	40
PID 2032 wrote to memory of 656	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	41
PID 2032 wrote to memory of 656	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	41
PID 2032 wrote to memory of 656	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	41
PID 2032 wrote to memory of 2392	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	42
PID 2032 wrote to memory of 2392	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	42
PID 2032 wrote to memory of 2392	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	42
PID 2032 wrote to memory of 2452	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	43
PID 2032 wrote to memory of 2452	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	43
PID 2032 wrote to memory of 2452	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	43
PID 2032 wrote to memory of 2160	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	44
PID 2032 wrote to memory of 2160	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	44
PID 2032 wrote to memory of 2160	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	44
PID 2032 wrote to memory of 788	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	45
PID 2032 wrote to memory of 788	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	45
PID 2032 wrote to memory of 788	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	45
PID 2032 wrote to memory of 1108	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	46
PID 2032 wrote to memory of 1108	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	46
PID 2032 wrote to memory of 1108	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	46
PID 2032 wrote to memory of 1456	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	47
PID 2032 wrote to memory of 1456	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	47
PID 2032 wrote to memory of 1456	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	47
PID 2032 wrote to memory of 936	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	48
PID 2032 wrote to memory of 936	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	48
PID 2032 wrote to memory of 936	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	48
PID 2032 wrote to memory of 1992	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	49
PID 2032 wrote to memory of 1992	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	49
PID 2032 wrote to memory of 1992	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	49
PID 2032 wrote to memory of 2296	2032	64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe	50

C:\Users\Admin\AppData\Local\Temp\64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\64da800ac4d444e6aee34a08c88ebbf0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\System\gvhnVPl.exe
  C:\Windows\System\gvhnVPl.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\IzUrfGW.exe
  C:\Windows\System\IzUrfGW.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\ytOzZFU.exe
  C:\Windows\System\ytOzZFU.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\hbEtUwk.exe
  C:\Windows\System\hbEtUwk.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\vNCsNKn.exe
  C:\Windows\System\vNCsNKn.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\SjBAnEO.exe
  C:\Windows\System\SjBAnEO.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\zfStxWo.exe
  C:\Windows\System\zfStxWo.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\gneCxkg.exe
  C:\Windows\System\gneCxkg.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\LfXeEyV.exe
  C:\Windows\System\LfXeEyV.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\LiyJxoc.exe
  C:\Windows\System\LiyJxoc.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\VZkHDLg.exe
  C:\Windows\System\VZkHDLg.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\nJDlayg.exe
  C:\Windows\System\nJDlayg.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\XDTMnLT.exe
  C:\Windows\System\XDTMnLT.exe
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\System\glGsvOr.exe
  C:\Windows\System\glGsvOr.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\uiOHLos.exe
  C:\Windows\System\uiOHLos.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\HYbDyJI.exe
  C:\Windows\System\HYbDyJI.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\mYlRaCY.exe
  C:\Windows\System\mYlRaCY.exe
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Windows\System\xJMPQGK.exe
  C:\Windows\System\xJMPQGK.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\MOEEnUY.exe
  C:\Windows\System\MOEEnUY.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System\VglHFkP.exe
  C:\Windows\System\VglHFkP.exe
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\System\mKvcXcI.exe
  C:\Windows\System\mKvcXcI.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System\LiJmAnm.exe
  C:\Windows\System\LiJmAnm.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\eAbSGUY.exe
  C:\Windows\System\eAbSGUY.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\gnnLahw.exe
  C:\Windows\System\gnnLahw.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\xrCRmVq.exe
  C:\Windows\System\xrCRmVq.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\RAJIBLU.exe
  C:\Windows\System\RAJIBLU.exe
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\System\SGlsxvl.exe
  C:\Windows\System\SGlsxvl.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System\huqmWPS.exe
  C:\Windows\System\huqmWPS.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\iiTTBEC.exe
  C:\Windows\System\iiTTBEC.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\qoSdjeJ.exe
  C:\Windows\System\qoSdjeJ.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\OstVecR.exe
  C:\Windows\System\OstVecR.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\UcjsPrd.exe
  C:\Windows\System\UcjsPrd.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\oKoEDan.exe
  C:\Windows\System\oKoEDan.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\pYPDJmd.exe
  C:\Windows\System\pYPDJmd.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\zfqgieK.exe
  C:\Windows\System\zfqgieK.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\gvqNAlu.exe
  C:\Windows\System\gvqNAlu.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\lmuIvTb.exe
  C:\Windows\System\lmuIvTb.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\qJVIwPs.exe
  C:\Windows\System\qJVIwPs.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\RGhMOBK.exe
  C:\Windows\System\RGhMOBK.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\SYSDqqI.exe
  C:\Windows\System\SYSDqqI.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\nyqFzky.exe
  C:\Windows\System\nyqFzky.exe
  2⤵
  - Executes dropped EXE
  PID:816
- C:\Windows\System\ZOlDdQM.exe
  C:\Windows\System\ZOlDdQM.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\YQSmCaB.exe
  C:\Windows\System\YQSmCaB.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\zyBeQwI.exe
  C:\Windows\System\zyBeQwI.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\mRMDRvA.exe
  C:\Windows\System\mRMDRvA.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\rNDsJBR.exe
  C:\Windows\System\rNDsJBR.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System\anDePrO.exe
  C:\Windows\System\anDePrO.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\dqOjTKg.exe
  C:\Windows\System\dqOjTKg.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\aPTMXeG.exe
  C:\Windows\System\aPTMXeG.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System\dPrJpdg.exe
  C:\Windows\System\dPrJpdg.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System\JWnYdoa.exe
  C:\Windows\System\JWnYdoa.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System\tXAhVUz.exe
  C:\Windows\System\tXAhVUz.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\PFfUDVN.exe
  C:\Windows\System\PFfUDVN.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\jgVrVnp.exe
  C:\Windows\System\jgVrVnp.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\FcdhPij.exe
  C:\Windows\System\FcdhPij.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\XhhROSq.exe
  C:\Windows\System\XhhROSq.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System\keMCHQG.exe
  C:\Windows\System\keMCHQG.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\tSmIGbA.exe
  C:\Windows\System\tSmIGbA.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System\vDTquxL.exe
  C:\Windows\System\vDTquxL.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\HzKazfp.exe
  C:\Windows\System\HzKazfp.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\tBkYODt.exe
  C:\Windows\System\tBkYODt.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\DpKVhBE.exe
  C:\Windows\System\DpKVhBE.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\nAuyyYN.exe
  C:\Windows\System\nAuyyYN.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\hpLTeFT.exe
  C:\Windows\System\hpLTeFT.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\JZTdJlH.exe
  C:\Windows\System\JZTdJlH.exe
  2⤵
  PID:1384
- C:\Windows\System\tlhDOtu.exe
  C:\Windows\System\tlhDOtu.exe
  2⤵
  PID:2692
- C:\Windows\System\ERVijea.exe
  C:\Windows\System\ERVijea.exe
  2⤵
  PID:2532
- C:\Windows\System\xacJUyy.exe
  C:\Windows\System\xacJUyy.exe
  2⤵
  PID:2384
- C:\Windows\System\vsIsHLK.exe
  C:\Windows\System\vsIsHLK.exe
  2⤵
  PID:1056
- C:\Windows\System\saBQthR.exe
  C:\Windows\System\saBQthR.exe
  2⤵
  PID:2604
- C:\Windows\System\ovGuDpZ.exe
  C:\Windows\System\ovGuDpZ.exe
  2⤵
  PID:2388
- C:\Windows\System\sRjugFs.exe
  C:\Windows\System\sRjugFs.exe
  2⤵
  PID:2168
- C:\Windows\System\BVTtnGq.exe
  C:\Windows\System\BVTtnGq.exe
  2⤵
  PID:2960
- C:\Windows\System\ALiOMhx.exe
  C:\Windows\System\ALiOMhx.exe
  2⤵
  PID:2208
- C:\Windows\System\nVOpMTu.exe
  C:\Windows\System\nVOpMTu.exe
  2⤵
  PID:2492
- C:\Windows\System\URqTqwh.exe
  C:\Windows\System\URqTqwh.exe
  2⤵
  PID:2592
- C:\Windows\System\GuHrnpq.exe
  C:\Windows\System\GuHrnpq.exe
  2⤵
  PID:2304
- C:\Windows\System\WwgRFxy.exe
  C:\Windows\System\WwgRFxy.exe
  2⤵
  PID:1556
- C:\Windows\System\StXnGzi.exe
  C:\Windows\System\StXnGzi.exe
  2⤵
  PID:2948
- C:\Windows\System\RctYOjK.exe
  C:\Windows\System\RctYOjK.exe
  2⤵
  PID:676
- C:\Windows\System\qaUQbjB.exe
  C:\Windows\System\qaUQbjB.exe
  2⤵
  PID:2372
- C:\Windows\System\rXMVbCE.exe
  C:\Windows\System\rXMVbCE.exe
  2⤵
  PID:888
- C:\Windows\System\NEGjPzi.exe
  C:\Windows\System\NEGjPzi.exe
  2⤵
  PID:1188
- C:\Windows\System\dYFGgIP.exe
  C:\Windows\System\dYFGgIP.exe
  2⤵
  PID:1712
- C:\Windows\System\WkTSoIg.exe
  C:\Windows\System\WkTSoIg.exe
  2⤵
  PID:1928
- C:\Windows\System\ryDLQJh.exe
  C:\Windows\System\ryDLQJh.exe
  2⤵
  PID:2312
- C:\Windows\System\vEhFmsF.exe
  C:\Windows\System\vEhFmsF.exe
  2⤵
  PID:912
- C:\Windows\System\uRgMJjO.exe
  C:\Windows\System\uRgMJjO.exe
  2⤵
  PID:2224
- C:\Windows\System\LbwmwSg.exe
  C:\Windows\System\LbwmwSg.exe
  2⤵
  PID:1764
- C:\Windows\System\oDREVWs.exe
  C:\Windows\System\oDREVWs.exe
  2⤵
  PID:2364
- C:\Windows\System\ysYVvgO.exe
  C:\Windows\System\ysYVvgO.exe
  2⤵
  PID:2688
- C:\Windows\System\FDXbkSY.exe
  C:\Windows\System\FDXbkSY.exe
  2⤵
  PID:2968
- C:\Windows\System\KhWDtXe.exe
  C:\Windows\System\KhWDtXe.exe
  2⤵
  PID:2252
- C:\Windows\System\wkuDnGE.exe
  C:\Windows\System\wkuDnGE.exe
  2⤵
  PID:2996
- C:\Windows\System\xuTCPUb.exe
  C:\Windows\System\xuTCPUb.exe
  2⤵
  PID:2116
- C:\Windows\System\qboaiBo.exe
  C:\Windows\System\qboaiBo.exe
  2⤵
  PID:1052
- C:\Windows\System\FyKuLKN.exe
  C:\Windows\System\FyKuLKN.exe
  2⤵
  PID:2736
- C:\Windows\System\ahxUaxn.exe
  C:\Windows\System\ahxUaxn.exe
  2⤵
  PID:2008
- C:\Windows\System\CynoCGG.exe
  C:\Windows\System\CynoCGG.exe
  2⤵
  PID:1836
- C:\Windows\System\rzeVcFC.exe
  C:\Windows\System\rzeVcFC.exe
  2⤵
  PID:1512
- C:\Windows\System\vJDUsVK.exe
  C:\Windows\System\vJDUsVK.exe
  2⤵
  PID:740
- C:\Windows\System\MSxozyp.exe
  C:\Windows\System\MSxozyp.exe
  2⤵
  PID:2964
- C:\Windows\System\jNvPSsp.exe
  C:\Windows\System\jNvPSsp.exe
  2⤵
  PID:1652
- C:\Windows\System\fwJsWra.exe
  C:\Windows\System\fwJsWra.exe
  2⤵
  PID:848
- C:\Windows\System\DYECZcR.exe
  C:\Windows\System\DYECZcR.exe
  2⤵
  PID:2892
- C:\Windows\System\JQsDPnd.exe
  C:\Windows\System\JQsDPnd.exe
  2⤵
  PID:2928
- C:\Windows\System\VdooPWb.exe
  C:\Windows\System\VdooPWb.exe
  2⤵
  PID:2828
- C:\Windows\System\RKFzvrh.exe
  C:\Windows\System\RKFzvrh.exe
  2⤵
  PID:2744
- C:\Windows\System\ZKZvvkF.exe
  C:\Windows\System\ZKZvvkF.exe
  2⤵
  PID:1940
- C:\Windows\System\LvuWSpu.exe
  C:\Windows\System\LvuWSpu.exe
  2⤵
  PID:1580
- C:\Windows\System\ZPsGgJS.exe
  C:\Windows\System\ZPsGgJS.exe
  2⤵
  PID:2940
- C:\Windows\System\aiUfyBe.exe
  C:\Windows\System\aiUfyBe.exe
  2⤵
  PID:2060
- C:\Windows\System\OKCmEes.exe
  C:\Windows\System\OKCmEes.exe
  2⤵
  PID:1728
- C:\Windows\System\AsEvdRA.exe
  C:\Windows\System\AsEvdRA.exe
  2⤵
  PID:2716
- C:\Windows\System\TjFYOPW.exe
  C:\Windows\System\TjFYOPW.exe
  2⤵
  PID:2812
- C:\Windows\System\JokMJuE.exe
  C:\Windows\System\JokMJuE.exe
  2⤵
  PID:2152
- C:\Windows\System\OMmcgPm.exe
  C:\Windows\System\OMmcgPm.exe
  2⤵
  PID:2428
- C:\Windows\System\bcjMlnF.exe
  C:\Windows\System\bcjMlnF.exe
  2⤵
  PID:1008
- C:\Windows\System\LcaSKGr.exe
  C:\Windows\System\LcaSKGr.exe
  2⤵
  PID:2128
- C:\Windows\System\NFPISvW.exe
  C:\Windows\System\NFPISvW.exe
  2⤵
  PID:692
- C:\Windows\System\kRYsMqj.exe
  C:\Windows\System\kRYsMqj.exe
  2⤵
  PID:2000
- C:\Windows\System\rZmnZPE.exe
  C:\Windows\System\rZmnZPE.exe
  2⤵
  PID:2620
- C:\Windows\System\SBZansY.exe
  C:\Windows\System\SBZansY.exe
  2⤵
  PID:2808
- C:\Windows\System\NDBEPqH.exe
  C:\Windows\System\NDBEPqH.exe
  2⤵
  PID:2732
- C:\Windows\System\uHFlkBT.exe
  C:\Windows\System\uHFlkBT.exe
  2⤵
  PID:1500
- C:\Windows\System\CEgpQZK.exe
  C:\Windows\System\CEgpQZK.exe
  2⤵
  PID:1628
- C:\Windows\System\NPAPXCT.exe
  C:\Windows\System\NPAPXCT.exe
  2⤵
  PID:1452
- C:\Windows\System\OgzsAYS.exe
  C:\Windows\System\OgzsAYS.exe
  2⤵
  PID:1592
- C:\Windows\System\aiJjRSq.exe
  C:\Windows\System\aiJjRSq.exe
  2⤵
  PID:2656
- C:\Windows\System\koLFZoW.exe
  C:\Windows\System\koLFZoW.exe
  2⤵
  PID:1164
- C:\Windows\System\QaPfExE.exe
  C:\Windows\System\QaPfExE.exe
  2⤵
  PID:1644
- C:\Windows\System\ICpBFsH.exe
  C:\Windows\System\ICpBFsH.exe
  2⤵
  PID:3036
- C:\Windows\System\EVcbkqO.exe
  C:\Windows\System\EVcbkqO.exe
  2⤵
  PID:592
- C:\Windows\System\pdBQdfj.exe
  C:\Windows\System\pdBQdfj.exe
  2⤵
  PID:2712
- C:\Windows\System\UlPXJMP.exe
  C:\Windows\System\UlPXJMP.exe
  2⤵
  PID:1464
- C:\Windows\System\kMbEuVb.exe
  C:\Windows\System\kMbEuVb.exe
  2⤵
  PID:2012
- C:\Windows\System\nTTUUOZ.exe
  C:\Windows\System\nTTUUOZ.exe
  2⤵
  PID:764
- C:\Windows\System\zpopGFa.exe
  C:\Windows\System\zpopGFa.exe
  2⤵
  PID:1916
- C:\Windows\System\afvpYps.exe
  C:\Windows\System\afvpYps.exe
  2⤵
  PID:968
- C:\Windows\System\jwYFzXV.exe
  C:\Windows\System\jwYFzXV.exe
  2⤵
  PID:2408
- C:\Windows\System\ptRbKOF.exe
  C:\Windows\System\ptRbKOF.exe
  2⤵
  PID:1900
- C:\Windows\System\vqGJYxS.exe
  C:\Windows\System\vqGJYxS.exe
  2⤵
  PID:1668
- C:\Windows\System\ZeYfXbS.exe
  C:\Windows\System\ZeYfXbS.exe
  2⤵
  PID:3012
- C:\Windows\System\QlubVgE.exe
  C:\Windows\System\QlubVgE.exe
  2⤵
  PID:1100
- C:\Windows\System\trGyAlM.exe
  C:\Windows\System\trGyAlM.exe
  2⤵
  PID:1044
- C:\Windows\System\LOyARFe.exe
  C:\Windows\System\LOyARFe.exe
  2⤵
  PID:2636
- C:\Windows\System\nvdDmhY.exe
  C:\Windows\System\nvdDmhY.exe
  2⤵
  PID:2752
- C:\Windows\System\VOloURG.exe
  C:\Windows\System\VOloURG.exe
  2⤵
  PID:2748
- C:\Windows\System\PsdMEKB.exe
  C:\Windows\System\PsdMEKB.exe
  2⤵
  PID:2584
- C:\Windows\System\bMoIRLG.exe
  C:\Windows\System\bMoIRLG.exe
  2⤵
  PID:2672
- C:\Windows\System\aMQcrRU.exe
  C:\Windows\System\aMQcrRU.exe
  2⤵
  PID:2448
- C:\Windows\System\QoQQWEr.exe
  C:\Windows\System\QoQQWEr.exe
  2⤵
  PID:1964
- C:\Windows\System\VtiaHoH.exe
  C:\Windows\System\VtiaHoH.exe
  2⤵
  PID:2376
- C:\Windows\System\dKMRPHU.exe
  C:\Windows\System\dKMRPHU.exe
  2⤵
  PID:1472
- C:\Windows\System\vnNoAcc.exe
  C:\Windows\System\vnNoAcc.exe
  2⤵
  PID:1780
- C:\Windows\System\UTvfwqV.exe
  C:\Windows\System\UTvfwqV.exe
  2⤵
  PID:640
- C:\Windows\System\HlMBogf.exe
  C:\Windows\System\HlMBogf.exe
  2⤵
  PID:2756
- C:\Windows\System\xWaxtHl.exe
  C:\Windows\System\xWaxtHl.exe
  2⤵
  PID:2564
- C:\Windows\System\fzFLVYe.exe
  C:\Windows\System\fzFLVYe.exe
  2⤵
  PID:2172
- C:\Windows\System\dLvlAlv.exe
  C:\Windows\System\dLvlAlv.exe
  2⤵
  PID:1356
- C:\Windows\System\JwQLzKu.exe
  C:\Windows\System\JwQLzKu.exe
  2⤵
  PID:1812
- C:\Windows\System\lGMqava.exe
  C:\Windows\System\lGMqava.exe
  2⤵
  PID:1428
- C:\Windows\System\OlmSwAv.exe
  C:\Windows\System\OlmSwAv.exe
  2⤵
  PID:1700
- C:\Windows\System\GpXYOeI.exe
  C:\Windows\System\GpXYOeI.exe
  2⤵
  PID:2104
- C:\Windows\System\PKCdRVG.exe
  C:\Windows\System\PKCdRVG.exe
  2⤵
  PID:2884
- C:\Windows\System\cyugMzw.exe
  C:\Windows\System\cyugMzw.exe
  2⤵
  PID:3100
- C:\Windows\System\RLepDXT.exe
  C:\Windows\System\RLepDXT.exe
  2⤵
  PID:3120
- C:\Windows\System\QBmaWSE.exe
  C:\Windows\System\QBmaWSE.exe
  2⤵
  PID:3144
- C:\Windows\System\GZSiQJU.exe
  C:\Windows\System\GZSiQJU.exe
  2⤵
  PID:3160
- C:\Windows\System\uCxppUy.exe
  C:\Windows\System\uCxppUy.exe
  2⤵
  PID:3176
- C:\Windows\System\mqoebay.exe
  C:\Windows\System\mqoebay.exe
  2⤵
  PID:3192
- C:\Windows\System\aIyjWdc.exe
  C:\Windows\System\aIyjWdc.exe
  2⤵
  PID:3208
- C:\Windows\System\iMMAcIR.exe
  C:\Windows\System\iMMAcIR.exe
  2⤵
  PID:3240
- C:\Windows\System\qlOEYxF.exe
  C:\Windows\System\qlOEYxF.exe
  2⤵
  PID:3256
- C:\Windows\System\kqdKFDD.exe
  C:\Windows\System\kqdKFDD.exe
  2⤵
  PID:3280
- C:\Windows\System\zTURhDU.exe
  C:\Windows\System\zTURhDU.exe
  2⤵
  PID:3296
- C:\Windows\System\JQNYDuU.exe
  C:\Windows\System\JQNYDuU.exe
  2⤵
  PID:3328
- C:\Windows\System\UacjtHg.exe
  C:\Windows\System\UacjtHg.exe
  2⤵
  PID:3344
- C:\Windows\System\aRxxypy.exe
  C:\Windows\System\aRxxypy.exe
  2⤵
  PID:3360
- C:\Windows\System\BoguGcg.exe
  C:\Windows\System\BoguGcg.exe
  2⤵
  PID:3380
- C:\Windows\System\pYQaPja.exe
  C:\Windows\System\pYQaPja.exe
  2⤵
  PID:3400
- C:\Windows\System\jAElbTT.exe
  C:\Windows\System\jAElbTT.exe
  2⤵
  PID:3416
- C:\Windows\System\gTPLdbZ.exe
  C:\Windows\System\gTPLdbZ.exe
  2⤵
  PID:3440
- C:\Windows\System\vebQdHe.exe
  C:\Windows\System\vebQdHe.exe
  2⤵
  PID:3472
- C:\Windows\System\DqEzFwe.exe
  C:\Windows\System\DqEzFwe.exe
  2⤵
  PID:3488
- C:\Windows\System\GMcTbhc.exe
  C:\Windows\System\GMcTbhc.exe
  2⤵
  PID:3504
- C:\Windows\System\mYdrspK.exe
  C:\Windows\System\mYdrspK.exe
  2⤵
  PID:3524
- C:\Windows\System\OePilWK.exe
  C:\Windows\System\OePilWK.exe
  2⤵
  PID:3568
- C:\Windows\System\zBMQtFK.exe
  C:\Windows\System\zBMQtFK.exe
  2⤵
  PID:3588
- C:\Windows\System\JOGhILW.exe
  C:\Windows\System\JOGhILW.exe
  2⤵
  PID:3612
- C:\Windows\System\mlKbyJo.exe
  C:\Windows\System\mlKbyJo.exe
  2⤵
  PID:3628
- C:\Windows\System\ThByxph.exe
  C:\Windows\System\ThByxph.exe
  2⤵
  PID:3644
- C:\Windows\System\VZTkOYo.exe
  C:\Windows\System\VZTkOYo.exe
  2⤵
  PID:3664
- C:\Windows\System\rbsYSxu.exe
  C:\Windows\System\rbsYSxu.exe
  2⤵
  PID:3688
- C:\Windows\System\MbXmAva.exe
  C:\Windows\System\MbXmAva.exe
  2⤵
  PID:3704
- C:\Windows\System\GCqgbHq.exe
  C:\Windows\System\GCqgbHq.exe
  2⤵
  PID:3724
- C:\Windows\System\lJGnAzd.exe
  C:\Windows\System\lJGnAzd.exe
  2⤵
  PID:3740
- C:\Windows\System\hSyIWNH.exe
  C:\Windows\System\hSyIWNH.exe
  2⤵
  PID:3756
- C:\Windows\System\jPcztQQ.exe
  C:\Windows\System\jPcztQQ.exe
  2⤵
  PID:3772
- C:\Windows\System\DvNPPUD.exe
  C:\Windows\System\DvNPPUD.exe
  2⤵
  PID:3792
- C:\Windows\System\IHLKSPa.exe
  C:\Windows\System\IHLKSPa.exe
  2⤵
  PID:3812
- C:\Windows\System\ffFmTXz.exe
  C:\Windows\System\ffFmTXz.exe
  2⤵
  PID:3832
- C:\Windows\System\qkGTzRX.exe
  C:\Windows\System\qkGTzRX.exe
  2⤵
  PID:3852
- C:\Windows\System\GmXXVqT.exe
  C:\Windows\System\GmXXVqT.exe
  2⤵
  PID:3884
- C:\Windows\System\WxJtdhD.exe
  C:\Windows\System\WxJtdhD.exe
  2⤵
  PID:3900
- C:\Windows\System\PHwIxhw.exe
  C:\Windows\System\PHwIxhw.exe
  2⤵
  PID:3916
- C:\Windows\System\zSVPVkM.exe
  C:\Windows\System\zSVPVkM.exe
  2⤵
  PID:3936
- C:\Windows\System\AyhQnbm.exe
  C:\Windows\System\AyhQnbm.exe
  2⤵
  PID:3952
- C:\Windows\System\kmBEzsV.exe
  C:\Windows\System\kmBEzsV.exe
  2⤵
  PID:3980
- C:\Windows\System\DmqVSLh.exe
  C:\Windows\System\DmqVSLh.exe
  2⤵
  PID:4000
- C:\Windows\System\LLWiQmX.exe
  C:\Windows\System\LLWiQmX.exe
  2⤵
  PID:4016
- C:\Windows\System\UvtOGWG.exe
  C:\Windows\System\UvtOGWG.exe
  2⤵
  PID:4036
- C:\Windows\System\RsylHkm.exe
  C:\Windows\System\RsylHkm.exe
  2⤵
  PID:4052
- C:\Windows\System\acugDNl.exe
  C:\Windows\System\acugDNl.exe
  2⤵
  PID:4068
- C:\Windows\System\dieqECR.exe
  C:\Windows\System\dieqECR.exe
  2⤵
  PID:2540
- C:\Windows\System\HPllfnR.exe
  C:\Windows\System\HPllfnR.exe
  2⤵
  PID:1892
- C:\Windows\System\dasyfSB.exe
  C:\Windows\System\dasyfSB.exe
  2⤵
  PID:2552
- C:\Windows\System\bhZhNTQ.exe
  C:\Windows\System\bhZhNTQ.exe
  2⤵
  PID:3092
- C:\Windows\System\CShscmN.exe
  C:\Windows\System\CShscmN.exe
  2⤵
  PID:3080
- C:\Windows\System\WREDAOz.exe
  C:\Windows\System\WREDAOz.exe
  2⤵
  PID:3188
- C:\Windows\System\pNMBWYM.exe
  C:\Windows\System\pNMBWYM.exe
  2⤵
  PID:3140
- C:\Windows\System\VvCjfAo.exe
  C:\Windows\System\VvCjfAo.exe
  2⤵
  PID:3236
- C:\Windows\System\oSLocJA.exe
  C:\Windows\System\oSLocJA.exe
  2⤵
  PID:3268
- C:\Windows\System\xEliVEG.exe
  C:\Windows\System\xEliVEG.exe
  2⤵
  PID:3248
- C:\Windows\System\wlmYhKs.exe
  C:\Windows\System\wlmYhKs.exe
  2⤵
  PID:3312
- C:\Windows\System\tYuOlrs.exe
  C:\Windows\System\tYuOlrs.exe
  2⤵
  PID:3352
- C:\Windows\System\LtXqCCz.exe
  C:\Windows\System\LtXqCCz.exe
  2⤵
  PID:472
- C:\Windows\System\beQPRHw.exe
  C:\Windows\System\beQPRHw.exe
  2⤵
  PID:3368
- C:\Windows\System\DjnwxEh.exe
  C:\Windows\System\DjnwxEh.exe
  2⤵
  PID:3432
- C:\Windows\System\gAnTdrR.exe
  C:\Windows\System\gAnTdrR.exe
  2⤵
  PID:2040
- C:\Windows\System\xoJIBrn.exe
  C:\Windows\System\xoJIBrn.exe
  2⤵
  PID:3480
- C:\Windows\System\XCxrowx.exe
  C:\Windows\System\XCxrowx.exe
  2⤵
  PID:3496
- C:\Windows\System\kthmpaQ.exe
  C:\Windows\System\kthmpaQ.exe
  2⤵
  PID:3544
- C:\Windows\System\YpAlWrL.exe
  C:\Windows\System\YpAlWrL.exe
  2⤵
  PID:3456
- C:\Windows\System\ZVyTlUk.exe
  C:\Windows\System\ZVyTlUk.exe
  2⤵
  PID:2352
- C:\Windows\System\qpSKnBp.exe
  C:\Windows\System\qpSKnBp.exe
  2⤵
  PID:1748
- C:\Windows\System\zCZzYCm.exe
  C:\Windows\System\zCZzYCm.exe
  2⤵
  PID:1984
- C:\Windows\System\AhiCLhT.exe
  C:\Windows\System\AhiCLhT.exe
  2⤵
  PID:1976
- C:\Windows\System\efuFkiO.exe
  C:\Windows\System\efuFkiO.exe
  2⤵
  PID:2764
- C:\Windows\System\OduoWsS.exe
  C:\Windows\System\OduoWsS.exe
  2⤵
  PID:3556
- C:\Windows\System\nBcyiLe.exe
  C:\Windows\System\nBcyiLe.exe
  2⤵
  PID:3580
- C:\Windows\System\hAlAskg.exe
  C:\Windows\System\hAlAskg.exe
  2⤵
  PID:3604
- C:\Windows\System\yzQsCle.exe
  C:\Windows\System\yzQsCle.exe
  2⤵
  PID:3652
- C:\Windows\System\fbLUgMF.exe
  C:\Windows\System\fbLUgMF.exe
  2⤵
  PID:3684
- C:\Windows\System\agolydL.exe
  C:\Windows\System\agolydL.exe
  2⤵
  PID:3720
- C:\Windows\System\ViaJeUA.exe
  C:\Windows\System\ViaJeUA.exe
  2⤵
  PID:3752
- C:\Windows\System\hEbPRtV.exe
  C:\Windows\System\hEbPRtV.exe
  2⤵
  PID:3828
- C:\Windows\System\LASakWG.exe
  C:\Windows\System\LASakWG.exe
  2⤵
  PID:3824
- C:\Windows\System\JzoxMWK.exe
  C:\Windows\System\JzoxMWK.exe
  2⤵
  PID:3788
- C:\Windows\System\zQzBNOc.exe
  C:\Windows\System\zQzBNOc.exe
  2⤵
  PID:3924
- C:\Windows\System\zLciDIH.exe
  C:\Windows\System\zLciDIH.exe
  2⤵
  PID:3960
- C:\Windows\System\qEGkUHQ.exe
  C:\Windows\System\qEGkUHQ.exe
  2⤵
  PID:4044
- C:\Windows\System\KfYMgwh.exe
  C:\Windows\System\KfYMgwh.exe
  2⤵
  PID:4088
- C:\Windows\System\ObMIBkw.exe
  C:\Windows\System\ObMIBkw.exe
  2⤵
  PID:4060
- C:\Windows\System\zGMUmEf.exe
  C:\Windows\System\zGMUmEf.exe
  2⤵
  PID:1264
- C:\Windows\System\mCiRmFA.exe
  C:\Windows\System\mCiRmFA.exe
  2⤵
  PID:3988
- C:\Windows\System\IkQEdnE.exe
  C:\Windows\System\IkQEdnE.exe
  2⤵
  PID:3132
- C:\Windows\System\TMbJHFP.exe
  C:\Windows\System\TMbJHFP.exe
  2⤵
  PID:3088
- C:\Windows\System\tetSrsR.exe
  C:\Windows\System\tetSrsR.exe
  2⤵
  PID:3304
- C:\Windows\System\zEyWzGL.exe
  C:\Windows\System\zEyWzGL.exe
  2⤵
  PID:932
- C:\Windows\System\cDqpckV.exe
  C:\Windows\System\cDqpckV.exe
  2⤵
  PID:3376
- C:\Windows\System\ppzLMlB.exe
  C:\Windows\System\ppzLMlB.exe
  2⤵
  PID:2780
- C:\Windows\System\RCUbxhH.exe
  C:\Windows\System\RCUbxhH.exe
  2⤵
  PID:3224
- C:\Windows\System\qTtFfJT.exe
  C:\Windows\System\qTtFfJT.exe
  2⤵
  PID:3128
- C:\Windows\System\sCrItRN.exe
  C:\Windows\System\sCrItRN.exe
  2⤵
  PID:2216
- C:\Windows\System\TerdkQh.exe
  C:\Windows\System\TerdkQh.exe
  2⤵
  PID:3540
- C:\Windows\System\vHnGlNC.exe
  C:\Windows\System\vHnGlNC.exe
  2⤵
  PID:368
- C:\Windows\System\syBhsyD.exe
  C:\Windows\System\syBhsyD.exe
  2⤵
  PID:1220
- C:\Windows\System\IOMJaXO.exe
  C:\Windows\System\IOMJaXO.exe
  2⤵
  PID:2124
- C:\Windows\System\zGCIWqt.exe
  C:\Windows\System\zGCIWqt.exe
  2⤵
  PID:1576
- C:\Windows\System\cYKiUKs.exe
  C:\Windows\System\cYKiUKs.exe
  2⤵
  PID:3536
- C:\Windows\System\pMCCZhE.exe
  C:\Windows\System\pMCCZhE.exe
  2⤵
  PID:3596
- C:\Windows\System\dIwSPbg.exe
  C:\Windows\System\dIwSPbg.exe
  2⤵
  PID:2416
- C:\Windows\System\VWAPGXX.exe
  C:\Windows\System\VWAPGXX.exe
  2⤵
  PID:3672
- C:\Windows\System\YnatNxV.exe
  C:\Windows\System\YnatNxV.exe
  2⤵
  PID:3712
- C:\Windows\System\CzAQAPN.exe
  C:\Windows\System\CzAQAPN.exe
  2⤵
  PID:3928
- C:\Windows\System\xQtTZYO.exe
  C:\Windows\System\xQtTZYO.exe
  2⤵
  PID:3800
- C:\Windows\System\sUYsPpj.exe
  C:\Windows\System\sUYsPpj.exe
  2⤵
  PID:4076
- C:\Windows\System\bONwTPZ.exe
  C:\Windows\System\bONwTPZ.exe
  2⤵
  PID:3972
- C:\Windows\System\ULNjvdX.exe
  C:\Windows\System\ULNjvdX.exe
  2⤵
  PID:4008
- C:\Windows\System\xJfikVx.exe
  C:\Windows\System\xJfikVx.exe
  2⤵
  PID:3288
- C:\Windows\System\OJgFuZU.exe
  C:\Windows\System\OJgFuZU.exe
  2⤵
  PID:2788
- C:\Windows\System\GtnyDHD.exe
  C:\Windows\System\GtnyDHD.exe
  2⤵
  PID:1896
- C:\Windows\System\AaNCujQ.exe
  C:\Windows\System\AaNCujQ.exe
  2⤵
  PID:4028
- C:\Windows\System\UutWjaZ.exe
  C:\Windows\System\UutWjaZ.exe
  2⤵
  PID:3388
- C:\Windows\System\gbmcbDR.exe
  C:\Windows\System\gbmcbDR.exe
  2⤵
  PID:3372
- C:\Windows\System\gZFMweg.exe
  C:\Windows\System\gZFMweg.exe
  2⤵
  PID:3412
- C:\Windows\System\TFRcFRF.exe
  C:\Windows\System\TFRcFRF.exe
  2⤵
  PID:3468
- C:\Windows\System\SxYdBoh.exe
  C:\Windows\System\SxYdBoh.exe
  2⤵
  PID:3512
- C:\Windows\System\KDKYbaD.exe
  C:\Windows\System\KDKYbaD.exe
  2⤵
  PID:3624
- C:\Windows\System\JVCzfSX.exe
  C:\Windows\System\JVCzfSX.exe
  2⤵
  PID:1788
- C:\Windows\System\AdVedFG.exe
  C:\Windows\System\AdVedFG.exe
  2⤵
  PID:3156
- C:\Windows\System\pxHtUSJ.exe
  C:\Windows\System\pxHtUSJ.exe
  2⤵
  PID:1616
- C:\Windows\System\vtHmEJY.exe
  C:\Windows\System\vtHmEJY.exe
  2⤵
  PID:3608
- C:\Windows\System\VnnFBEA.exe
  C:\Windows\System\VnnFBEA.exe
  2⤵
  PID:3452
- C:\Windows\System\PdCVeoT.exe
  C:\Windows\System\PdCVeoT.exe
  2⤵
  PID:3640
- C:\Windows\System\OLTySYW.exe
  C:\Windows\System\OLTySYW.exe
  2⤵
  PID:3944
- C:\Windows\System\YUSmZNk.exe
  C:\Windows\System\YUSmZNk.exe
  2⤵
  PID:2316
- C:\Windows\System\lfWlngP.exe
  C:\Windows\System\lfWlngP.exe
  2⤵
  PID:1820
- C:\Windows\System\mhHKtJM.exe
  C:\Windows\System\mhHKtJM.exe
  2⤵
  PID:3784
- C:\Windows\System\thlbTbb.exe
  C:\Windows\System\thlbTbb.exe
  2⤵
  PID:3968
- C:\Windows\System\hXebDze.exe
  C:\Windows\System\hXebDze.exe
  2⤵
  PID:3860
- C:\Windows\System\TPTkTuL.exe
  C:\Windows\System\TPTkTuL.exe
  2⤵
  PID:3768
- C:\Windows\System\ZoORnHA.exe
  C:\Windows\System\ZoORnHA.exe
  2⤵
  PID:580
- C:\Windows\System\MYLrWYL.exe
  C:\Windows\System\MYLrWYL.exe
  2⤵
  PID:3996
- C:\Windows\System\DOIIesR.exe
  C:\Windows\System\DOIIesR.exe
  2⤵
  PID:3948
- C:\Windows\System\LpNRwjb.exe
  C:\Windows\System\LpNRwjb.exe
  2⤵
  PID:1736
- C:\Windows\System\ckfRDoV.exe
  C:\Windows\System\ckfRDoV.exe
  2⤵
  PID:572
- C:\Windows\System\MxWOkCI.exe
  C:\Windows\System\MxWOkCI.exe
  2⤵
  PID:3320
- C:\Windows\System\DWwBSaf.exe
  C:\Windows\System\DWwBSaf.exe
  2⤵
  PID:3564
- C:\Windows\System\IcASffY.exe
  C:\Windows\System\IcASffY.exe
  2⤵
  PID:3848
- C:\Windows\System\ECvBdTe.exe
  C:\Windows\System\ECvBdTe.exe
  2⤵
  PID:3340
- C:\Windows\System\qdgOwBF.exe
  C:\Windows\System\qdgOwBF.exe
  2⤵
  PID:4084
- C:\Windows\System\JtlZBuJ.exe
  C:\Windows\System\JtlZBuJ.exe
  2⤵
  PID:4024
- C:\Windows\System\BDhHeel.exe
  C:\Windows\System\BDhHeel.exe
  2⤵
  PID:3516
- C:\Windows\System\pUZRIMP.exe
  C:\Windows\System\pUZRIMP.exe
  2⤵
  PID:4108
- C:\Windows\System\pSDGXas.exe
  C:\Windows\System\pSDGXas.exe
  2⤵
  PID:4132
- C:\Windows\System\zuufcDU.exe
  C:\Windows\System\zuufcDU.exe
  2⤵
  PID:4148
- C:\Windows\System\LyWbjEM.exe
  C:\Windows\System\LyWbjEM.exe
  2⤵
  PID:4168
- C:\Windows\System\CfZDVQL.exe
  C:\Windows\System\CfZDVQL.exe
  2⤵
  PID:4188
- C:\Windows\System\OwDNUTe.exe
  C:\Windows\System\OwDNUTe.exe
  2⤵
  PID:4212
- C:\Windows\System\ZFMgeLL.exe
  C:\Windows\System\ZFMgeLL.exe
  2⤵
  PID:4228
- C:\Windows\System\gQtUhrj.exe
  C:\Windows\System\gQtUhrj.exe
  2⤵
  PID:4248
- C:\Windows\System\PZApreb.exe
  C:\Windows\System\PZApreb.exe
  2⤵
  PID:4268
- C:\Windows\System\txlQSiV.exe
  C:\Windows\System\txlQSiV.exe
  2⤵
  PID:4288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\HYbDyJI.exe

Filesize
128KB

MD5
a1307cf3385032ad126c6d0b477066b0

SHA1
cd75e7594dab159031b0dd1cf66a9bc29d3f6f10

SHA256
5f1996d387c2de315bb359de53c91f6dfdb6f5bc82749b498694df075c5983a8

SHA512
ae6296033bfe718203cd10ab707e2a6cbba7140f93d02cc6e7f5cca22a5526ac220a835b3bbc2fd007ce24c2e5b49d978732b33f9f88b13b3b3a3df090791129

Download Submit
C:\Windows\system\IzUrfGW.exe

Filesize
2.0MB

MD5
ddfd4c1c67e61171198e0212962ef479

SHA1
a4c946f37a941bd8e134cf4d1a47b58c9805412e

SHA256
388217ab7ce87aa35044667a09ef908e00d6f06a4857d063074eb293a27f85f8

SHA512
f713305659a7dc6ac5f8ee9ddd93b7fd0d04b5da55bb7063507081b22acb824a304e7b5f91739cb2246c56ac7846ea3fd7351752f2353cadde25349d438f085c

Download Submit
C:\Windows\system\LfXeEyV.exe

Filesize
2.0MB

MD5
95ad32876526170bf8f3d66f4d5b67da

SHA1
c10401dc539982534c99e070fab0e87a8aa35e1a

SHA256
e36203cca2eac4ddbf0e2b1a44ecfa57a18ff3e470e00e626a27a519807dfcf9

SHA512
a24f5603607b97baa77e5eced237492c3dcde703649c353dc6a38ef0c737703ae892ef59cc1a26733437cd0f60da75e2a676a535245b1ec56ed3f42832806da0

Download Submit
C:\Windows\system\VZkHDLg.exe

Filesize
2.0MB

MD5
e03178a1708e95e0afcb9953d1f1a979

SHA1
16b841fdb2804d8b9a4fdb78de9d3f84a6e19d3d

SHA256
96cbe5fe5dc80cf0576cc713e3d1a435e54f15c8d5d812d2db161005bcc31afb

SHA512
7e0ff5be26c860bb3b79b1547433ab9450bc26237b236e2920fbd56ccef70c90d46566e6a70a1394aacd4b4a1e74e303c4e9437b98835fb7ce9687ffd4bd308b

Download Submit
C:\Windows\system\XDTMnLT.exe

Filesize
2.0MB

MD5
08394d9c9261e59371d9d628da5066d6

SHA1
ad2d9245196ab5394d3a046bc83a44b88ad19e71

SHA256
9d56788a1674e369b9a2b08d272e38e7feff3b429d57d8e700e127f1c77cc7bf

SHA512
5997ba2438213d1bac8299485da66518f6edc452872759e83e22352855da82d02af61f988b6f93b25daa39d022348d6940fe0bcea2137ef3802ac64ecbd1662e

Download Submit
C:\Windows\system\glGsvOr.exe

Filesize
2.0MB

MD5
7b2eb366463a50e44eeb3cb329c72a6e

SHA1
10935d7eb1e8ff5112f461441e944613eca0a5f2

SHA256
1a8ab721532df672a4f44d3dbfaceab511bd452fec792d921ba8133274900e1c

SHA512
80e46b9ddc937d0b8279e1e54cd36442bf8e479166ed4de847f9121a3c623c7c0dd73c7550cfec138914238706ed4403523dd2f7abcccfee1e7633c45ec51c00

Download Submit
C:\Windows\system\gneCxkg.exe

Filesize
2.0MB

MD5
72255293983a038e07b4937a29fea8c7

SHA1
db65281659e2d287a1c92f3ba6c8766197e0a1e7

SHA256
c723b16758fbb2d01383457a9796aead04451a081b893d0eedea1574969e4acd

SHA512
a88cecaf7e9dd4232c8cc871d5824ec94958753eb4f47b275a91f8d356c346191971c71388a27cbaefe5b908bd8820f0076ad067fe95c3011de8ecc2cabe42e6

Download Submit
C:\Windows\system\hbEtUwk.exe

Filesize
2.0MB

MD5
d1e61abe5cf62a5cb8537969fa071d11

SHA1
fa179654bea20972e33720db89fcf265c81f112e

SHA256
7201b079bf40c8a8777b8c8065ad384cb66926f75a0c96a5a77fed7c93d2cc88

SHA512
4efb2738a2ac0c26d698adab595e3704c7163e5e9b72d943771b8164f3d62bf0b480f3863da1e1a22487f8916ab662b4058f9b85a1a54fb359d4f39e6e7b4f3c

Download Submit
C:\Windows\system\nJDlayg.exe

Filesize
2.0MB

MD5
b3cf530ee6bc5a73731b5b0f2cdfe8c0

SHA1
59265a7b7b61276ab3e1b0c174d9698dc7fa6f61

SHA256
7e9ba8e9d66a83fbf85ce6ca22c41dab4c214d2cb386f6690b7adca74b059b55

SHA512
ccbd66dbaa36b1be1404ee6c65d7bf9333e29e2f06c51ec5226f7ffc8900f761d617ea9b68cc9298a844511582d714ca91bbf1a68586677059da95a2d3fe5090

Download Submit
C:\Windows\system\vNCsNKn.exe

Filesize
2.0MB

MD5
5cbd5cfa7ce6f475dfa37b14aa130f8a

SHA1
f6cf791fbcd511758f6ddb6e27f3dc58ced9f2df

SHA256
0aec94155d059d45292c67f0b37176e2f290943acbded334be4940b737dcdf29

SHA512
15445f54cb4b035e6eac0de7da2500f22f984036d1dc2c867e77a6075ce9ababbcef2d7251f696f88c7ca3a4330a0456da760a5866d7d3cbd254c4aad96eb439

Download Submit
\Windows\system\LiyJxoc.exe

Filesize
2.0MB

MD5
b1e545ef2e1a521655d0463df17adb20

SHA1
a8d034df5bd4305c3631475e36be0dc14ffe7c64

SHA256
ea5e7d1b3bf663f69e6201a6173129672f9bab536a3c4dba711fb1ba2de5a78a

SHA512
b71c6fe395af466d112ca2a0afbaf0a89a5f0aedb42b32a68e765548bf0a58f5b17933dc3771d4aaa68adc802c0dbb0ad002987aa2293552fd233d8243c42515

Download Submit
\Windows\system\SjBAnEO.exe

Filesize
2.0MB

MD5
6b5cc4b7c343338eb6250d7881fbc424

SHA1
3c4c9f1bf93ba5812cb885db1b420b750afed9e8

SHA256
afc9020ed745ec15af57b1fb9d15e596255406fcb50bea854181d95798320e47

SHA512
20b966b7deb5469be57596162b2492d0eaa3555cca41e50c816dd5aeb99fae22b9ef1ce94c0b91e6fec30681937bfabe7f2a98e229d4264554a0bf684001877e

Download Submit
\Windows\system\gvhnVPl.exe

Filesize
2.0MB

MD5
3f018ce70ae52a04166901c8f3983d57

SHA1
a7db60d9f4aaa1a4e31b82789f3595a7deec1c28

SHA256
d21bc94a06d02f383a58faa1043f81bf92e418b2e198e7a69936587136b28e84

SHA512
5e3688462b7a2c67a2b4a56c4f248d9fd5a58130d60b6260edf730a086a6e35d6650cae07da1a99702147d864d01459fc1eb28fe406c5a34c0e3382062f429a9

Download Submit
\Windows\system\uiOHLos.exe

Filesize
2.0MB

MD5
2a14cc2b4c6583316fe426fe4c42f4fa

SHA1
d35b7b8b48803d4099428fabe0b50edfb16b003f

SHA256
8ee9d55346cd797c21d6bbcfdf309598dfb41710efec65bc81af1d2bccacad85

SHA512
0b24db23b0d2312b82fb51ea36f36dd05223cea6e1ec39894056241013ada007b8a957c0092715170aed214121a1524940f265ad8c0ffde0a6e326388b3c9db9

Download Submit
\Windows\system\ytOzZFU.exe

Filesize
2.0MB

MD5
abe573f50480340d79c19719abbac6f6

SHA1
cb3d5a15df670b9bf1067df81f7cce027a077ba5

SHA256
4c8017437b3fa90a4d6e6ce7d89538c9af9aad034ae1079b9bd6ebb2a080c730

SHA512
875cef7e9a1288010d038f4c500ee28c187973c7bbc72926c0ba967862628b1035e830fd9d039281e1ff056c8f5c777107c9e78f413e35a3bda7a431ef108e94

Download Submit
\Windows\system\zfStxWo.exe

Filesize
2.0MB

MD5
fa83fdf36aee53b04972cc6b96eae3fe

SHA1
4fa77d5814e24846992068c9339c8c0aaa6a69af

SHA256
bc0c22b76c82d9b3a86e0ddd2dd8e38834fec7c73607239c0fd1d393b8d33cbb

SHA512
f90b90f761e10d74e83a7a63ba3555383d74e0c7a7742807232d7150894281834428c2e6a6d886fa3ce2c45e9a488f62f246810a3a8d41b6413b56cba78fd742

Download Submit
memory/2032-0-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download