kpot | f3e361b0a8e44b616df17b68166dc2b5d29eae2b8b6fb99a5704611fc8c9e118

Analysis

max time kernel
149s
max time network
157s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
Size

2.1MB
MD5

d49e53bdcac142adf048126bcebbc730
SHA1

d7fdf191a0f712fb4c48f15242ec949a36c5c9c6
SHA256

f3e361b0a8e44b616df17b68166dc2b5d29eae2b8b6fb99a5704611fc8c9e118
SHA512

864710aeb441e7c0ce9006798e64f2466ebfe759e411892599458f7db895c3fd4fb2c0f4ddd439dff2d565a52b9b5c2ef88e0eded2690bee2f41639976a9bc8c
SSDEEP

49152:GezaTF8FcNkNdfE0pZ9oztFwIi5aIwC+Agr6S/FYqOc2hlr:GemTLkNdfE0pZaQf

Score

10^/10

kpot xmrig miner stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 32 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016af1-159.dat	family_kpot
behavioral1/files/0x0006000000016812-154.dat	family_kpot
behavioral1/files/0x00060000000165fd-149.dat	family_kpot
behavioral1/files/0x000600000001657c-144.dat	family_kpot
behavioral1/files/0x000600000001644e-139.dat	family_kpot
behavioral1/files/0x00060000000162fd-134.dat	family_kpot
behavioral1/files/0x0006000000016231-129.dat	family_kpot
behavioral1/files/0x0006000000016096-124.dat	family_kpot
behavioral1/files/0x0006000000015f1f-115.dat	family_kpot
behavioral1/files/0x0006000000015ff4-118.dat	family_kpot
behavioral1/files/0x0006000000015e85-105.dat	family_kpot
behavioral1/files/0x0006000000015eb5-109.dat	family_kpot
behavioral1/files/0x0006000000015dc5-99.dat	family_kpot
behavioral1/files/0x0006000000015cfc-94.dat	family_kpot
behavioral1/files/0x0006000000015cf2-89.dat	family_kpot
behavioral1/files/0x0006000000015cd2-84.dat	family_kpot
behavioral1/files/0x0006000000015cb9-79.dat	family_kpot
behavioral1/files/0x0006000000015cb2-74.dat	family_kpot
behavioral1/files/0x0006000000015ca2-69.dat	family_kpot
behavioral1/files/0x0006000000015c91-64.dat	family_kpot
behavioral1/files/0x0006000000015c83-59.dat	family_kpot
behavioral1/files/0x0006000000015c79-54.dat	family_kpot
behavioral1/files/0x0006000000015c60-44.dat	family_kpot
behavioral1/files/0x0006000000015c68-49.dat	family_kpot
behavioral1/files/0x0008000000015c58-39.dat	family_kpot
behavioral1/files/0x0009000000014b88-35.dat	family_kpot
behavioral1/files/0x0007000000014973-22.dat	family_kpot
behavioral1/files/0x00070000000149ec-28.dat	family_kpot
behavioral1/files/0x00070000000147d5-20.dat	family_kpot
behavioral1/files/0x000900000001469e-11.dat	family_kpot
behavioral1/files/0x0026000000014497-9.dat	family_kpot
behavioral1/files/0x000b000000012295-4.dat	family_kpot

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 32 IoCs

miner

resource	yara_rule
behavioral1/files/0x0006000000016af1-159.dat	xmrig
behavioral1/files/0x0006000000016812-154.dat	xmrig
behavioral1/files/0x00060000000165fd-149.dat	xmrig
behavioral1/files/0x000600000001657c-144.dat	xmrig
behavioral1/files/0x000600000001644e-139.dat	xmrig
behavioral1/files/0x00060000000162fd-134.dat	xmrig
behavioral1/files/0x0006000000016231-129.dat	xmrig
behavioral1/files/0x0006000000016096-124.dat	xmrig
behavioral1/files/0x0006000000015f1f-115.dat	xmrig
behavioral1/files/0x0006000000015ff4-118.dat	xmrig
behavioral1/files/0x0006000000015e85-105.dat	xmrig
behavioral1/files/0x0006000000015eb5-109.dat	xmrig
behavioral1/files/0x0006000000015dc5-99.dat	xmrig
behavioral1/files/0x0006000000015cfc-94.dat	xmrig
behavioral1/files/0x0006000000015cf2-89.dat	xmrig
behavioral1/files/0x0006000000015cd2-84.dat	xmrig
behavioral1/files/0x0006000000015cb9-79.dat	xmrig
behavioral1/files/0x0006000000015cb2-74.dat	xmrig
behavioral1/files/0x0006000000015ca2-69.dat	xmrig
behavioral1/files/0x0006000000015c91-64.dat	xmrig
behavioral1/files/0x0006000000015c83-59.dat	xmrig
behavioral1/files/0x0006000000015c79-54.dat	xmrig
behavioral1/files/0x0006000000015c60-44.dat	xmrig
behavioral1/files/0x0006000000015c68-49.dat	xmrig
behavioral1/files/0x0008000000015c58-39.dat	xmrig
behavioral1/files/0x0009000000014b88-35.dat	xmrig
behavioral1/files/0x0007000000014973-22.dat	xmrig
behavioral1/files/0x00070000000149ec-28.dat	xmrig
behavioral1/files/0x00070000000147d5-20.dat	xmrig
behavioral1/files/0x000900000001469e-11.dat	xmrig
behavioral1/files/0x0026000000014497-9.dat	xmrig
behavioral1/files/0x000b000000012295-4.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2280	sOpOyHr.exe
3040	SDbwqGA.exe
2588	uziXVrL.exe
2596	naVCnIY.exe
2864	jgTLBwc.exe
2576	wdJSIeo.exe
2728	tEHrnvl.exe
2836	NwkUiLN.exe
2716	EtKAvyt.exe
1684	jnDjXEd.exe
2488	bFMQnhf.exe
2940	SsjSQWL.exe
2296	qtTdINx.exe
2132	XUMpJwx.exe
588	oqHXCjw.exe
2820	RFTjYxd.exe
2968	pWwAfPg.exe
2980	OLcBWZM.exe
2680	VHbHoGn.exe
1860	eGIIOwR.exe
1640	liHScUu.exe
1956	JcBHvvc.exe
1488	yXSVVLD.exe
2696	VMQrJHe.exe
708	hFslZby.exe
568	hRPsADv.exe
2796	xigpURi.exe
1084	dCalOer.exe
1144	BKBMczR.exe
1328	QmMFRVS.exe
1932	rVSSaIG.exe
1988	cKlwIFU.exe
1272	wVojXue.exe
2036	bKNkzxa.exe
2292	PMFkXll.exe
2632	erEdMiC.exe
2060	ubcJmjS.exe
3032	TIWvxxk.exe
1792	LLBFGEF.exe
1884	ijKQHvG.exe
432	hQyJJMH.exe
2276	RacKAWp.exe
2324	kJqrNuk.exe
2336	tSQcwTo.exe
840	tHFRODh.exe
1316	XSZgDsv.exe
1448	oUhHpNx.exe
3068	fcFuhkj.exe
764	FgyNNCd.exe
2268	ACoIpYW.exe
2420	owNbySX.exe
1164	vgLNBvl.exe
660	BuVgLQR.exe
1688	UuglRyh.exe
2188	UHzevyN.exe
1744	brjuVek.exe
2788	wJJovxl.exe
3028	zspTOBW.exe
2384	nKOXnXa.exe
1224	SgwYzzk.exe
896	JjmPhiP.exe
768	MJlAtjy.exe
2172	wOOHmKp.exe
2852	QGsrcKe.exe

Loads dropped DLL 64 IoCs

pid	Process
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\NbdUcae.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\vgLNBvl.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\NfNUfII.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\kpgerOd.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\fmgtRjz.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\NgHKmFo.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\kKYbuol.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\SDbwqGA.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\eGIIOwR.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\XYZKbSD.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\hrDGEac.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\XUMpJwx.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\qQdjGwb.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\DJtkFQf.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\DUzJprm.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\zspTOBW.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\RkxANQM.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\gRBWrgi.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\uGbTObg.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\mzEfnec.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\YpnWEfe.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\tHFRODh.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\xyTFJVY.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\KaupZGF.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\KeumEwx.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\NwkUiLN.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\QGsrcKe.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\xQVbYYK.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\dCalOer.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\IBJaLok.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\bQBXLyp.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\zHIQuBh.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\wVojXue.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\lrbcDck.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\PCkXdYd.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\YSNZsjp.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\aBaINku.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\FVyBKwG.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\uziXVrL.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\mDRigoC.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\xihjxYq.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\MOkIZuv.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\wOOHmKp.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\MfKqbJS.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\fyzzjPo.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\JMpEWNh.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\iadeXDc.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\VBXMaan.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\qtTdINx.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\erEdMiC.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\QnJJxNS.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\tazClim.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\wYXnSys.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\MbKrxXF.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\fohbggv.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\ZJwjdWs.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\sRWCIzw.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\gYEsqyJ.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\DVdFnxi.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\pTTjvvt.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\xycKDxX.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\RFTjYxd.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\ogAfkUf.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
File created	C:\Windows\System\HwggYNM.exe	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2280	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	29
PID 2016 wrote to memory of 2280	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	29
PID 2016 wrote to memory of 2280	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	29
PID 2016 wrote to memory of 3040	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	30
PID 2016 wrote to memory of 3040	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	30
PID 2016 wrote to memory of 3040	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	30
PID 2016 wrote to memory of 2588	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	31
PID 2016 wrote to memory of 2588	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	31
PID 2016 wrote to memory of 2588	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	31
PID 2016 wrote to memory of 2596	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	32
PID 2016 wrote to memory of 2596	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	32
PID 2016 wrote to memory of 2596	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	32
PID 2016 wrote to memory of 2864	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	33
PID 2016 wrote to memory of 2864	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	33
PID 2016 wrote to memory of 2864	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	33
PID 2016 wrote to memory of 2576	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	34
PID 2016 wrote to memory of 2576	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	34
PID 2016 wrote to memory of 2576	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	34
PID 2016 wrote to memory of 2728	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	35
PID 2016 wrote to memory of 2728	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	35
PID 2016 wrote to memory of 2728	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	35
PID 2016 wrote to memory of 2836	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	36
PID 2016 wrote to memory of 2836	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	36
PID 2016 wrote to memory of 2836	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	36
PID 2016 wrote to memory of 2716	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	37
PID 2016 wrote to memory of 2716	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	37
PID 2016 wrote to memory of 2716	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	37
PID 2016 wrote to memory of 1684	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	38
PID 2016 wrote to memory of 1684	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	38
PID 2016 wrote to memory of 1684	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	38
PID 2016 wrote to memory of 2488	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	39
PID 2016 wrote to memory of 2488	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	39
PID 2016 wrote to memory of 2488	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	39
PID 2016 wrote to memory of 2940	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	40
PID 2016 wrote to memory of 2940	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	40
PID 2016 wrote to memory of 2940	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	40
PID 2016 wrote to memory of 2296	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	41
PID 2016 wrote to memory of 2296	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	41
PID 2016 wrote to memory of 2296	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	41
PID 2016 wrote to memory of 2132	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	42
PID 2016 wrote to memory of 2132	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	42
PID 2016 wrote to memory of 2132	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	42
PID 2016 wrote to memory of 588	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	43
PID 2016 wrote to memory of 588	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	43
PID 2016 wrote to memory of 588	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	43
PID 2016 wrote to memory of 2820	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	44
PID 2016 wrote to memory of 2820	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	44
PID 2016 wrote to memory of 2820	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	44
PID 2016 wrote to memory of 2968	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	45
PID 2016 wrote to memory of 2968	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	45
PID 2016 wrote to memory of 2968	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	45
PID 2016 wrote to memory of 2980	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	46
PID 2016 wrote to memory of 2980	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	46
PID 2016 wrote to memory of 2980	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	46
PID 2016 wrote to memory of 2680	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	47
PID 2016 wrote to memory of 2680	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	47
PID 2016 wrote to memory of 2680	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	47
PID 2016 wrote to memory of 1860	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	48
PID 2016 wrote to memory of 1860	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	48
PID 2016 wrote to memory of 1860	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	48
PID 2016 wrote to memory of 1640	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	49
PID 2016 wrote to memory of 1640	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	49
PID 2016 wrote to memory of 1640	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	49
PID 2016 wrote to memory of 1956	2016	d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe	50

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\1908753548\zmstage.exe
C:\Users\Admin\AppData\Local\Temp\1908753548\zmstage.exe
1⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d49e53bdcac142adf048126bcebbc730_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\System\sOpOyHr.exe
  C:\Windows\System\sOpOyHr.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\SDbwqGA.exe
  C:\Windows\System\SDbwqGA.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\uziXVrL.exe
  C:\Windows\System\uziXVrL.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\naVCnIY.exe
  C:\Windows\System\naVCnIY.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\jgTLBwc.exe
  C:\Windows\System\jgTLBwc.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\wdJSIeo.exe
  C:\Windows\System\wdJSIeo.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\tEHrnvl.exe
  C:\Windows\System\tEHrnvl.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\NwkUiLN.exe
  C:\Windows\System\NwkUiLN.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\EtKAvyt.exe
  C:\Windows\System\EtKAvyt.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\jnDjXEd.exe
  C:\Windows\System\jnDjXEd.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\bFMQnhf.exe
  C:\Windows\System\bFMQnhf.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\SsjSQWL.exe
  C:\Windows\System\SsjSQWL.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\qtTdINx.exe
  C:\Windows\System\qtTdINx.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\XUMpJwx.exe
  C:\Windows\System\XUMpJwx.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\oqHXCjw.exe
  C:\Windows\System\oqHXCjw.exe
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\System\RFTjYxd.exe
  C:\Windows\System\RFTjYxd.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\pWwAfPg.exe
  C:\Windows\System\pWwAfPg.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\OLcBWZM.exe
  C:\Windows\System\OLcBWZM.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\VHbHoGn.exe
  C:\Windows\System\VHbHoGn.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\eGIIOwR.exe
  C:\Windows\System\eGIIOwR.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System\liHScUu.exe
  C:\Windows\System\liHScUu.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\JcBHvvc.exe
  C:\Windows\System\JcBHvvc.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\yXSVVLD.exe
  C:\Windows\System\yXSVVLD.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\VMQrJHe.exe
  C:\Windows\System\VMQrJHe.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\hFslZby.exe
  C:\Windows\System\hFslZby.exe
  2⤵
  - Executes dropped EXE
  PID:708
- C:\Windows\System\hRPsADv.exe
  C:\Windows\System\hRPsADv.exe
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Windows\System\xigpURi.exe
  C:\Windows\System\xigpURi.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\dCalOer.exe
  C:\Windows\System\dCalOer.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System\BKBMczR.exe
  C:\Windows\System\BKBMczR.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System\QmMFRVS.exe
  C:\Windows\System\QmMFRVS.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System\rVSSaIG.exe
  C:\Windows\System\rVSSaIG.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\cKlwIFU.exe
  C:\Windows\System\cKlwIFU.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\wVojXue.exe
  C:\Windows\System\wVojXue.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System\bKNkzxa.exe
  C:\Windows\System\bKNkzxa.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\PMFkXll.exe
  C:\Windows\System\PMFkXll.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\erEdMiC.exe
  C:\Windows\System\erEdMiC.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\ubcJmjS.exe
  C:\Windows\System\ubcJmjS.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\TIWvxxk.exe
  C:\Windows\System\TIWvxxk.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\LLBFGEF.exe
  C:\Windows\System\LLBFGEF.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\ijKQHvG.exe
  C:\Windows\System\ijKQHvG.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System\hQyJJMH.exe
  C:\Windows\System\hQyJJMH.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\RacKAWp.exe
  C:\Windows\System\RacKAWp.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\kJqrNuk.exe
  C:\Windows\System\kJqrNuk.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\tSQcwTo.exe
  C:\Windows\System\tSQcwTo.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\tHFRODh.exe
  C:\Windows\System\tHFRODh.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System\XSZgDsv.exe
  C:\Windows\System\XSZgDsv.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System\oUhHpNx.exe
  C:\Windows\System\oUhHpNx.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\fcFuhkj.exe
  C:\Windows\System\fcFuhkj.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\FgyNNCd.exe
  C:\Windows\System\FgyNNCd.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\ACoIpYW.exe
  C:\Windows\System\ACoIpYW.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\owNbySX.exe
  C:\Windows\System\owNbySX.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\vgLNBvl.exe
  C:\Windows\System\vgLNBvl.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System\BuVgLQR.exe
  C:\Windows\System\BuVgLQR.exe
  2⤵
  - Executes dropped EXE
  PID:660
- C:\Windows\System\UuglRyh.exe
  C:\Windows\System\UuglRyh.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\UHzevyN.exe
  C:\Windows\System\UHzevyN.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\brjuVek.exe
  C:\Windows\System\brjuVek.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\wJJovxl.exe
  C:\Windows\System\wJJovxl.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\zspTOBW.exe
  C:\Windows\System\zspTOBW.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\nKOXnXa.exe
  C:\Windows\System\nKOXnXa.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\SgwYzzk.exe
  C:\Windows\System\SgwYzzk.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\JjmPhiP.exe
  C:\Windows\System\JjmPhiP.exe
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\System\MJlAtjy.exe
  C:\Windows\System\MJlAtjy.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System\wOOHmKp.exe
  C:\Windows\System\wOOHmKp.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\QGsrcKe.exe
  C:\Windows\System\QGsrcKe.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\prqOwhy.exe
  C:\Windows\System\prqOwhy.exe
  2⤵
  PID:1656
- C:\Windows\System\XSYjqcW.exe
  C:\Windows\System\XSYjqcW.exe
  2⤵
  PID:2524
- C:\Windows\System\shsnhtO.exe
  C:\Windows\System\shsnhtO.exe
  2⤵
  PID:2648
- C:\Windows\System\fohbggv.exe
  C:\Windows\System\fohbggv.exe
  2⤵
  PID:2876
- C:\Windows\System\Rcstgiz.exe
  C:\Windows\System\Rcstgiz.exe
  2⤵
  PID:2560
- C:\Windows\System\ouQLZMD.exe
  C:\Windows\System\ouQLZMD.exe
  2⤵
  PID:2992
- C:\Windows\System\RkxANQM.exe
  C:\Windows\System\RkxANQM.exe
  2⤵
  PID:2496
- C:\Windows\System\hUOJxlc.exe
  C:\Windows\System\hUOJxlc.exe
  2⤵
  PID:940
- C:\Windows\System\QdWqkTH.exe
  C:\Windows\System\QdWqkTH.exe
  2⤵
  PID:2492
- C:\Windows\System\wlSSoNN.exe
  C:\Windows\System\wlSSoNN.exe
  2⤵
  PID:2424
- C:\Windows\System\ogAfkUf.exe
  C:\Windows\System\ogAfkUf.exe
  2⤵
  PID:2832
- C:\Windows\System\ovVLUuV.exe
  C:\Windows\System\ovVLUuV.exe
  2⤵
  PID:2972
- C:\Windows\System\PdsRreo.exe
  C:\Windows\System\PdsRreo.exe
  2⤵
  PID:2148
- C:\Windows\System\xchDlJR.exe
  C:\Windows\System\xchDlJR.exe
  2⤵
  PID:1548
- C:\Windows\System\UDmwaFw.exe
  C:\Windows\System\UDmwaFw.exe
  2⤵
  PID:2776
- C:\Windows\System\XIsBqNU.exe
  C:\Windows\System\XIsBqNU.exe
  2⤵
  PID:2512
- C:\Windows\System\UUYrxWl.exe
  C:\Windows\System\UUYrxWl.exe
  2⤵
  PID:2804
- C:\Windows\System\EISUlIG.exe
  C:\Windows\System\EISUlIG.exe
  2⤵
  PID:1220
- C:\Windows\System\BQdJSjo.exe
  C:\Windows\System\BQdJSjo.exe
  2⤵
  PID:1404
- C:\Windows\System\iflaRDo.exe
  C:\Windows\System\iflaRDo.exe
  2⤵
  PID:2540
- C:\Windows\System\TGrPFaQ.exe
  C:\Windows\System\TGrPFaQ.exe
  2⤵
  PID:1072
- C:\Windows\System\zenzBmc.exe
  C:\Windows\System\zenzBmc.exe
  2⤵
  PID:2888
- C:\Windows\System\VIrfhZs.exe
  C:\Windows\System\VIrfhZs.exe
  2⤵
  PID:2020
- C:\Windows\System\WmTxDWJ.exe
  C:\Windows\System\WmTxDWJ.exe
  2⤵
  PID:1516
- C:\Windows\System\gXQENiq.exe
  C:\Windows\System\gXQENiq.exe
  2⤵
  PID:640
- C:\Windows\System\oFhdqmj.exe
  C:\Windows\System\oFhdqmj.exe
  2⤵
  PID:1680
- C:\Windows\System\VeaFJuO.exe
  C:\Windows\System\VeaFJuO.exe
  2⤵
  PID:856
- C:\Windows\System\uyIDslC.exe
  C:\Windows\System\uyIDslC.exe
  2⤵
  PID:1788
- C:\Windows\System\nzEfeeJ.exe
  C:\Windows\System\nzEfeeJ.exe
  2⤵
  PID:544
- C:\Windows\System\NfNUfII.exe
  C:\Windows\System\NfNUfII.exe
  2⤵
  PID:1544
- C:\Windows\System\fyzzjPo.exe
  C:\Windows\System\fyzzjPo.exe
  2⤵
  PID:1232
- C:\Windows\System\KaupZGF.exe
  C:\Windows\System\KaupZGF.exe
  2⤵
  PID:1624
- C:\Windows\System\DJtkFQf.exe
  C:\Windows\System\DJtkFQf.exe
  2⤵
  PID:1112
- C:\Windows\System\baHFwbC.exe
  C:\Windows\System\baHFwbC.exe
  2⤵
  PID:268
- C:\Windows\System\gebKNYJ.exe
  C:\Windows\System\gebKNYJ.exe
  2⤵
  PID:2340
- C:\Windows\System\NhgscGK.exe
  C:\Windows\System\NhgscGK.exe
  2⤵
  PID:1584
- C:\Windows\System\eBTfIYK.exe
  C:\Windows\System\eBTfIYK.exe
  2⤵
  PID:2108
- C:\Windows\System\ywsaZAL.exe
  C:\Windows\System\ywsaZAL.exe
  2⤵
  PID:2900
- C:\Windows\System\DLZtqyv.exe
  C:\Windows\System\DLZtqyv.exe
  2⤵
  PID:2288
- C:\Windows\System\ecUArNz.exe
  C:\Windows\System\ecUArNz.exe
  2⤵
  PID:2404
- C:\Windows\System\ZJwjdWs.exe
  C:\Windows\System\ZJwjdWs.exe
  2⤵
  PID:2044
- C:\Windows\System\gWGCMqt.exe
  C:\Windows\System\gWGCMqt.exe
  2⤵
  PID:1608
- C:\Windows\System\baJZNAs.exe
  C:\Windows\System\baJZNAs.exe
  2⤵
  PID:2552
- C:\Windows\System\UaYMfNI.exe
  C:\Windows\System\UaYMfNI.exe
  2⤵
  PID:2720
- C:\Windows\System\eqnHqmv.exe
  C:\Windows\System\eqnHqmv.exe
  2⤵
  PID:2556
- C:\Windows\System\OCwuVvl.exe
  C:\Windows\System\OCwuVvl.exe
  2⤵
  PID:2952
- C:\Windows\System\wjnSqjh.exe
  C:\Windows\System\wjnSqjh.exe
  2⤵
  PID:2824
- C:\Windows\System\PFEUecE.exe
  C:\Windows\System\PFEUecE.exe
  2⤵
  PID:2964
- C:\Windows\System\DhJSAor.exe
  C:\Windows\System\DhJSAor.exe
  2⤵
  PID:2652
- C:\Windows\System\GXyFaky.exe
  C:\Windows\System\GXyFaky.exe
  2⤵
  PID:2100
- C:\Windows\System\dtPkRQl.exe
  C:\Windows\System\dtPkRQl.exe
  2⤵
  PID:1940
- C:\Windows\System\yfMtMGE.exe
  C:\Windows\System\yfMtMGE.exe
  2⤵
  PID:1536
- C:\Windows\System\CsoFDRD.exe
  C:\Windows\System\CsoFDRD.exe
  2⤵
  PID:1368
- C:\Windows\System\OvZXSRe.exe
  C:\Windows\System\OvZXSRe.exe
  2⤵
  PID:2432
- C:\Windows\System\BFObpSt.exe
  C:\Windows\System\BFObpSt.exe
  2⤵
  PID:2628
- C:\Windows\System\RlmKcCw.exe
  C:\Windows\System\RlmKcCw.exe
  2⤵
  PID:2748
- C:\Windows\System\MLfWFqo.exe
  C:\Windows\System\MLfWFqo.exe
  2⤵
  PID:2440
- C:\Windows\System\MGpkrPG.exe
  C:\Windows\System\MGpkrPG.exe
  2⤵
  PID:2460
- C:\Windows\System\MUjvcbO.exe
  C:\Windows\System\MUjvcbO.exe
  2⤵
  PID:2096
- C:\Windows\System\ldgVPYC.exe
  C:\Windows\System\ldgVPYC.exe
  2⤵
  PID:1924
- C:\Windows\System\HwggYNM.exe
  C:\Windows\System\HwggYNM.exe
  2⤵
  PID:1960
- C:\Windows\System\DvPyZgP.exe
  C:\Windows\System\DvPyZgP.exe
  2⤵
  PID:2504
- C:\Windows\System\KmblQUe.exe
  C:\Windows\System\KmblQUe.exe
  2⤵
  PID:976
- C:\Windows\System\wEooTun.exe
  C:\Windows\System\wEooTun.exe
  2⤵
  PID:852
- C:\Windows\System\zqGAOmz.exe
  C:\Windows\System\zqGAOmz.exe
  2⤵
  PID:632
- C:\Windows\System\sRWCIzw.exe
  C:\Windows\System\sRWCIzw.exe
  2⤵
  PID:2884
- C:\Windows\System\lrbcDck.exe
  C:\Windows\System\lrbcDck.exe
  2⤵
  PID:2880
- C:\Windows\System\BYwLtEA.exe
  C:\Windows\System\BYwLtEA.exe
  2⤵
  PID:1776
- C:\Windows\System\TwxjVpi.exe
  C:\Windows\System\TwxjVpi.exe
  2⤵
  PID:704
- C:\Windows\System\uViXmjn.exe
  C:\Windows\System\uViXmjn.exe
  2⤵
  PID:2196
- C:\Windows\System\nFyDTwd.exe
  C:\Windows\System\nFyDTwd.exe
  2⤵
  PID:2536
- C:\Windows\System\uRoPmsG.exe
  C:\Windows\System\uRoPmsG.exe
  2⤵
  PID:2328
- C:\Windows\System\FutDPPi.exe
  C:\Windows\System\FutDPPi.exe
  2⤵
  PID:1128
- C:\Windows\System\FwTiwMM.exe
  C:\Windows\System\FwTiwMM.exe
  2⤵
  PID:3056
- C:\Windows\System\mDRigoC.exe
  C:\Windows\System\mDRigoC.exe
  2⤵
  PID:1800
- C:\Windows\System\VoPjcDP.exe
  C:\Windows\System\VoPjcDP.exe
  2⤵
  PID:1768
- C:\Windows\System\UYSQEaT.exe
  C:\Windows\System\UYSQEaT.exe
  2⤵
  PID:1880
- C:\Windows\System\dBhRdqP.exe
  C:\Windows\System\dBhRdqP.exe
  2⤵
  PID:2456
- C:\Windows\System\nJEcnCp.exe
  C:\Windows\System\nJEcnCp.exe
  2⤵
  PID:2160
- C:\Windows\System\tvWoCDR.exe
  C:\Windows\System\tvWoCDR.exe
  2⤵
  PID:304
- C:\Windows\System\lvbVwwj.exe
  C:\Windows\System\lvbVwwj.exe
  2⤵
  PID:2180
- C:\Windows\System\CYRrDBP.exe
  C:\Windows\System\CYRrDBP.exe
  2⤵
  PID:2392
- C:\Windows\System\qEPsFCg.exe
  C:\Windows\System\qEPsFCg.exe
  2⤵
  PID:1752
- C:\Windows\System\BFRUNuU.exe
  C:\Windows\System\BFRUNuU.exe
  2⤵
  PID:880
- C:\Windows\System\xqlINhJ.exe
  C:\Windows\System\xqlINhJ.exe
  2⤵
  PID:2724
- C:\Windows\System\kpgerOd.exe
  C:\Windows\System\kpgerOd.exe
  2⤵
  PID:2028
- C:\Windows\System\DngflHf.exe
  C:\Windows\System\DngflHf.exe
  2⤵
  PID:2700
- C:\Windows\System\zDyfoKD.exe
  C:\Windows\System\zDyfoKD.exe
  2⤵
  PID:2184
- C:\Windows\System\xyTFJVY.exe
  C:\Windows\System\xyTFJVY.exe
  2⤵
  PID:2204
- C:\Windows\System\fSQemIn.exe
  C:\Windows\System\fSQemIn.exe
  2⤵
  PID:1132
- C:\Windows\System\QnJJxNS.exe
  C:\Windows\System\QnJJxNS.exe
  2⤵
  PID:2692
- C:\Windows\System\ioWPjLP.exe
  C:\Windows\System\ioWPjLP.exe
  2⤵
  PID:2228
- C:\Windows\System\NjnnXvs.exe
  C:\Windows\System\NjnnXvs.exe
  2⤵
  PID:1192
- C:\Windows\System\llRGBHM.exe
  C:\Windows\System\llRGBHM.exe
  2⤵
  PID:2144
- C:\Windows\System\Etkbwha.exe
  C:\Windows\System\Etkbwha.exe
  2⤵
  PID:844
- C:\Windows\System\gRBWrgi.exe
  C:\Windows\System\gRBWrgi.exe
  2⤵
  PID:396
- C:\Windows\System\hGYXftY.exe
  C:\Windows\System\hGYXftY.exe
  2⤵
  PID:1504
- C:\Windows\System\IBJaLok.exe
  C:\Windows\System\IBJaLok.exe
  2⤵
  PID:1872
- C:\Windows\System\azvZcAF.exe
  C:\Windows\System\azvZcAF.exe
  2⤵
  PID:1648
- C:\Windows\System\mPXNBxb.exe
  C:\Windows\System\mPXNBxb.exe
  2⤵
  PID:2708
- C:\Windows\System\LWWlUiU.exe
  C:\Windows\System\LWWlUiU.exe
  2⤵
  PID:1804
- C:\Windows\System\vaWWfCD.exe
  C:\Windows\System\vaWWfCD.exe
  2⤵
  PID:332
- C:\Windows\System\upvsqMe.exe
  C:\Windows\System\upvsqMe.exe
  2⤵
  PID:1972
- C:\Windows\System\HIrYdBr.exe
  C:\Windows\System\HIrYdBr.exe
  2⤵
  PID:1468
- C:\Windows\System\gwhXVBS.exe
  C:\Windows\System\gwhXVBS.exe
  2⤵
  PID:2520
- C:\Windows\System\rixancD.exe
  C:\Windows\System\rixancD.exe
  2⤵
  PID:2580
- C:\Windows\System\LGkxsHr.exe
  C:\Windows\System\LGkxsHr.exe
  2⤵
  PID:680
- C:\Windows\System\msnTNjt.exe
  C:\Windows\System\msnTNjt.exe
  2⤵
  PID:1376
- C:\Windows\System\nuSJQKL.exe
  C:\Windows\System\nuSJQKL.exe
  2⤵
  PID:1664
- C:\Windows\System\bQBXLyp.exe
  C:\Windows\System\bQBXLyp.exe
  2⤵
  PID:908
- C:\Windows\System\qQdjGwb.exe
  C:\Windows\System\qQdjGwb.exe
  2⤵
  PID:1432
- C:\Windows\System\EOhrNcV.exe
  C:\Windows\System\EOhrNcV.exe
  2⤵
  PID:2592
- C:\Windows\System\HfARiSe.exe
  C:\Windows\System\HfARiSe.exe
  2⤵
  PID:2024
- C:\Windows\System\QDWCkxZ.exe
  C:\Windows\System\QDWCkxZ.exe
  2⤵
  PID:2772
- C:\Windows\System\tuuhyXP.exe
  C:\Windows\System\tuuhyXP.exe
  2⤵
  PID:2984
- C:\Windows\System\fNLHAMp.exe
  C:\Windows\System\fNLHAMp.exe
  2⤵
  PID:472
- C:\Windows\System\ClQvmnc.exe
  C:\Windows\System\ClQvmnc.exe
  2⤵
  PID:1984
- C:\Windows\System\uZubhID.exe
  C:\Windows\System\uZubhID.exe
  2⤵
  PID:2752
- C:\Windows\System\XYZKbSD.exe
  C:\Windows\System\XYZKbSD.exe
  2⤵
  PID:2764
- C:\Windows\System\uGbTObg.exe
  C:\Windows\System\uGbTObg.exe
  2⤵
  PID:2156
- C:\Windows\System\mzEfnec.exe
  C:\Windows\System\mzEfnec.exe
  2⤵
  PID:2112
- C:\Windows\System\BUiKSLO.exe
  C:\Windows\System\BUiKSLO.exe
  2⤵
  PID:1256
- C:\Windows\System\tyBzWRW.exe
  C:\Windows\System\tyBzWRW.exe
  2⤵
  PID:1708
- C:\Windows\System\qcHpTgl.exe
  C:\Windows\System\qcHpTgl.exe
  2⤵
  PID:2316
- C:\Windows\System\VQNzOvw.exe
  C:\Windows\System\VQNzOvw.exe
  2⤵
  PID:2264
- C:\Windows\System\PCkXdYd.exe
  C:\Windows\System\PCkXdYd.exe
  2⤵
  PID:1668
- C:\Windows\System\XnTSNKF.exe
  C:\Windows\System\XnTSNKF.exe
  2⤵
  PID:3104
- C:\Windows\System\YsJCwfy.exe
  C:\Windows\System\YsJCwfy.exe
  2⤵
  PID:3124
- C:\Windows\System\YSNZsjp.exe
  C:\Windows\System\YSNZsjp.exe
  2⤵
  PID:3140
- C:\Windows\System\tQZCEoI.exe
  C:\Windows\System\tQZCEoI.exe
  2⤵
  PID:3156
- C:\Windows\System\zAfRcZh.exe
  C:\Windows\System\zAfRcZh.exe
  2⤵
  PID:3184
- C:\Windows\System\QGXhxHC.exe
  C:\Windows\System\QGXhxHC.exe
  2⤵
  PID:3200
- C:\Windows\System\hrDGEac.exe
  C:\Windows\System\hrDGEac.exe
  2⤵
  PID:3228
- C:\Windows\System\umvVPlE.exe
  C:\Windows\System\umvVPlE.exe
  2⤵
  PID:3244
- C:\Windows\System\moyWJLG.exe
  C:\Windows\System\moyWJLG.exe
  2⤵
  PID:3260
- C:\Windows\System\mVYakZE.exe
  C:\Windows\System\mVYakZE.exe
  2⤵
  PID:3280
- C:\Windows\System\VarTxHq.exe
  C:\Windows\System\VarTxHq.exe
  2⤵
  PID:3296
- C:\Windows\System\CaMORRi.exe
  C:\Windows\System\CaMORRi.exe
  2⤵
  PID:3320
- C:\Windows\System\XFHORmh.exe
  C:\Windows\System\XFHORmh.exe
  2⤵
  PID:3336
- C:\Windows\System\fmgtRjz.exe
  C:\Windows\System\fmgtRjz.exe
  2⤵
  PID:3364
- C:\Windows\System\ZveBnyV.exe
  C:\Windows\System\ZveBnyV.exe
  2⤵
  PID:3384
- C:\Windows\System\gYEsqyJ.exe
  C:\Windows\System\gYEsqyJ.exe
  2⤵
  PID:3404
- C:\Windows\System\ABZHLzH.exe
  C:\Windows\System\ABZHLzH.exe
  2⤵
  PID:3420
- C:\Windows\System\jCOXQHC.exe
  C:\Windows\System\jCOXQHC.exe
  2⤵
  PID:3436
- C:\Windows\System\AglqfaC.exe
  C:\Windows\System\AglqfaC.exe
  2⤵
  PID:3452
- C:\Windows\System\oHaDaYf.exe
  C:\Windows\System\oHaDaYf.exe
  2⤵
  PID:3468
- C:\Windows\System\XVrHrrz.exe
  C:\Windows\System\XVrHrrz.exe
  2⤵
  PID:3488
- C:\Windows\System\dtRzBoA.exe
  C:\Windows\System\dtRzBoA.exe
  2⤵
  PID:3508
- C:\Windows\System\QhACarm.exe
  C:\Windows\System\QhACarm.exe
  2⤵
  PID:3528
- C:\Windows\System\rOAQZdc.exe
  C:\Windows\System\rOAQZdc.exe
  2⤵
  PID:3556
- C:\Windows\System\CXUNORv.exe
  C:\Windows\System\CXUNORv.exe
  2⤵
  PID:3572
- C:\Windows\System\NgHKmFo.exe
  C:\Windows\System\NgHKmFo.exe
  2⤵
  PID:3600
- C:\Windows\System\QrpStyH.exe
  C:\Windows\System\QrpStyH.exe
  2⤵
  PID:3628
- C:\Windows\System\utkvEfi.exe
  C:\Windows\System\utkvEfi.exe
  2⤵
  PID:3648
- C:\Windows\System\MfKqbJS.exe
  C:\Windows\System\MfKqbJS.exe
  2⤵
  PID:3664
- C:\Windows\System\sojmdlp.exe
  C:\Windows\System\sojmdlp.exe
  2⤵
  PID:3680
- C:\Windows\System\zHIQuBh.exe
  C:\Windows\System\zHIQuBh.exe
  2⤵
  PID:3700
- C:\Windows\System\rRwuMhU.exe
  C:\Windows\System\rRwuMhU.exe
  2⤵
  PID:3716
- C:\Windows\System\bFUZaLZ.exe
  C:\Windows\System\bFUZaLZ.exe
  2⤵
  PID:3732
- C:\Windows\System\XDghvUJ.exe
  C:\Windows\System\XDghvUJ.exe
  2⤵
  PID:3748
- C:\Windows\System\BynSdlW.exe
  C:\Windows\System\BynSdlW.exe
  2⤵
  PID:3764
- C:\Windows\System\NbdUcae.exe
  C:\Windows\System\NbdUcae.exe
  2⤵
  PID:3784
- C:\Windows\System\QVYpSCo.exe
  C:\Windows\System\QVYpSCo.exe
  2⤵
  PID:3808
- C:\Windows\System\JMpEWNh.exe
  C:\Windows\System\JMpEWNh.exe
  2⤵
  PID:3828
- C:\Windows\System\bXQRWCZ.exe
  C:\Windows\System\bXQRWCZ.exe
  2⤵
  PID:3848
- C:\Windows\System\KeumEwx.exe
  C:\Windows\System\KeumEwx.exe
  2⤵
  PID:3868
- C:\Windows\System\DVdFnxi.exe
  C:\Windows\System\DVdFnxi.exe
  2⤵
  PID:3888
- C:\Windows\System\DUzJprm.exe
  C:\Windows\System\DUzJprm.exe
  2⤵
  PID:3908
- C:\Windows\System\tolWVLh.exe
  C:\Windows\System\tolWVLh.exe
  2⤵
  PID:3924
- C:\Windows\System\GCtjEbR.exe
  C:\Windows\System\GCtjEbR.exe
  2⤵
  PID:3944
- C:\Windows\System\SWVBoco.exe
  C:\Windows\System\SWVBoco.exe
  2⤵
  PID:3964
- C:\Windows\System\deyVANb.exe
  C:\Windows\System\deyVANb.exe
  2⤵
  PID:3984
- C:\Windows\System\YYOYkLP.exe
  C:\Windows\System\YYOYkLP.exe
  2⤵
  PID:4000
- C:\Windows\System\foqyWoC.exe
  C:\Windows\System\foqyWoC.exe
  2⤵
  PID:4020
- C:\Windows\System\OTmzHYJ.exe
  C:\Windows\System\OTmzHYJ.exe
  2⤵
  PID:4036
- C:\Windows\System\wrLHiXG.exe
  C:\Windows\System\wrLHiXG.exe
  2⤵
  PID:4052
- C:\Windows\System\xihjxYq.exe
  C:\Windows\System\xihjxYq.exe
  2⤵
  PID:4076
- C:\Windows\System\WSTkZsS.exe
  C:\Windows\System\WSTkZsS.exe
  2⤵
  PID:1904
- C:\Windows\System\qSevxxT.exe
  C:\Windows\System\qSevxxT.exe
  2⤵
  PID:1928
- C:\Windows\System\rfWkMGK.exe
  C:\Windows\System\rfWkMGK.exe
  2⤵
  PID:2092
- C:\Windows\System\iadeXDc.exe
  C:\Windows\System\iadeXDc.exe
  2⤵
  PID:3116
- C:\Windows\System\oRdaDDK.exe
  C:\Windows\System\oRdaDDK.exe
  2⤵
  PID:3176
- C:\Windows\System\QBOINZp.exe
  C:\Windows\System\QBOINZp.exe
  2⤵
  PID:3192
- C:\Windows\System\MOkIZuv.exe
  C:\Windows\System\MOkIZuv.exe
  2⤵
  PID:3220
- C:\Windows\System\XNbauuJ.exe
  C:\Windows\System\XNbauuJ.exe
  2⤵
  PID:3292
- C:\Windows\System\GSxYclk.exe
  C:\Windows\System\GSxYclk.exe
  2⤵
  PID:3240
- C:\Windows\System\DoIMcYR.exe
  C:\Windows\System\DoIMcYR.exe
  2⤵
  PID:3304
- C:\Windows\System\xQVbYYK.exe
  C:\Windows\System\xQVbYYK.exe
  2⤵
  PID:3360
- C:\Windows\System\DsCGuWH.exe
  C:\Windows\System\DsCGuWH.exe
  2⤵
  PID:3380
- C:\Windows\System\CjVPeoM.exe
  C:\Windows\System\CjVPeoM.exe
  2⤵
  PID:3396
- C:\Windows\System\lGrunvR.exe
  C:\Windows\System\lGrunvR.exe
  2⤵
  PID:3516
- C:\Windows\System\oNTREyZ.exe
  C:\Windows\System\oNTREyZ.exe
  2⤵
  PID:3564
- C:\Windows\System\HAXBCbw.exe
  C:\Windows\System\HAXBCbw.exe
  2⤵
  PID:3432
- C:\Windows\System\mSFyWjU.exe
  C:\Windows\System\mSFyWjU.exe
  2⤵
  PID:3460
- C:\Windows\System\tNNbKEx.exe
  C:\Windows\System\tNNbKEx.exe
  2⤵
  PID:3540
- C:\Windows\System\bVICOyQ.exe
  C:\Windows\System\bVICOyQ.exe
  2⤵
  PID:3580
- C:\Windows\System\USTOKId.exe
  C:\Windows\System\USTOKId.exe
  2⤵
  PID:3612
- C:\Windows\System\YpnWEfe.exe
  C:\Windows\System\YpnWEfe.exe
  2⤵
  PID:3724
- C:\Windows\System\BAJiHbJ.exe
  C:\Windows\System\BAJiHbJ.exe
  2⤵
  PID:3640
- C:\Windows\System\jgIyGnM.exe
  C:\Windows\System\jgIyGnM.exe
  2⤵
  PID:3804
- C:\Windows\System\bTppfHc.exe
  C:\Windows\System\bTppfHc.exe
  2⤵
  PID:3676
- C:\Windows\System\bTLMpDL.exe
  C:\Windows\System\bTLMpDL.exe
  2⤵
  PID:3916
- C:\Windows\System\tazClim.exe
  C:\Windows\System\tazClim.exe
  2⤵
  PID:3776
- C:\Windows\System\UiBOSur.exe
  C:\Windows\System\UiBOSur.exe
  2⤵
  PID:3644
- C:\Windows\System\qKOeIdC.exe
  C:\Windows\System\qKOeIdC.exe
  2⤵
  PID:4032
- C:\Windows\System\wYXnSys.exe
  C:\Windows\System\wYXnSys.exe
  2⤵
  PID:3772
- C:\Windows\System\TGSQwbe.exe
  C:\Windows\System\TGSQwbe.exe
  2⤵
  PID:3824
- C:\Windows\System\awGnEIJ.exe
  C:\Windows\System\awGnEIJ.exe
  2⤵
  PID:3896
- C:\Windows\System\OKuVavj.exe
  C:\Windows\System\OKuVavj.exe
  2⤵
  PID:3980
- C:\Windows\System\SHTfYoe.exe
  C:\Windows\System\SHTfYoe.exe
  2⤵
  PID:4012
- C:\Windows\System\gNIoAlx.exe
  C:\Windows\System\gNIoAlx.exe
  2⤵
  PID:3092
- C:\Windows\System\IjjClqT.exe
  C:\Windows\System\IjjClqT.exe
  2⤵
  PID:4088
- C:\Windows\System\iAcxihO.exe
  C:\Windows\System\iAcxihO.exe
  2⤵
  PID:3112
- C:\Windows\System\opvBzkr.exe
  C:\Windows\System\opvBzkr.exe
  2⤵
  PID:3172
- C:\Windows\System\UdbLOaQ.exe
  C:\Windows\System\UdbLOaQ.exe
  2⤵
  PID:3152
- C:\Windows\System\SpNKXQw.exe
  C:\Windows\System\SpNKXQw.exe
  2⤵
  PID:3208
- C:\Windows\System\aBaINku.exe
  C:\Windows\System\aBaINku.exe
  2⤵
  PID:3328
- C:\Windows\System\VFdGpPc.exe
  C:\Windows\System\VFdGpPc.exe
  2⤵
  PID:3332
- C:\Windows\System\jmgnDww.exe
  C:\Windows\System\jmgnDww.exe
  2⤵
  PID:3352
- C:\Windows\System\MhjoYfo.exe
  C:\Windows\System\MhjoYfo.exe
  2⤵
  PID:3412
- C:\Windows\System\tDytzlS.exe
  C:\Windows\System\tDytzlS.exe
  2⤵
  PID:2152
- C:\Windows\System\OTqFCba.exe
  C:\Windows\System\OTqFCba.exe
  2⤵
  PID:3428
- C:\Windows\System\BDQKIAB.exe
  C:\Windows\System\BDQKIAB.exe
  2⤵
  PID:3504
- C:\Windows\System\lVZUWaH.exe
  C:\Windows\System\lVZUWaH.exe
  2⤵
  PID:3500
- C:\Windows\System\bCBuLde.exe
  C:\Windows\System\bCBuLde.exe
  2⤵
  PID:3596
- C:\Windows\System\yVSfntn.exe
  C:\Windows\System\yVSfntn.exe
  2⤵
  PID:3800
- C:\Windows\System\aROhFaW.exe
  C:\Windows\System\aROhFaW.exe
  2⤵
  PID:3844
- C:\Windows\System\qamOffM.exe
  C:\Windows\System\qamOffM.exe
  2⤵
  PID:4028
- C:\Windows\System\skudzzq.exe
  C:\Windows\System\skudzzq.exe
  2⤵
  PID:3076
- C:\Windows\System\MzSIhub.exe
  C:\Windows\System\MzSIhub.exe
  2⤵
  PID:4072
- C:\Windows\System\CCaZvbf.exe
  C:\Windows\System\CCaZvbf.exe
  2⤵
  PID:3864
- C:\Windows\System\AbUHrSA.exe
  C:\Windows\System\AbUHrSA.exe
  2⤵
  PID:2320
- C:\Windows\System\kKYbuol.exe
  C:\Windows\System\kKYbuol.exe
  2⤵
  PID:3100
- C:\Windows\System\FVyBKwG.exe
  C:\Windows\System\FVyBKwG.exe
  2⤵
  PID:3148
- C:\Windows\System\ierNXDd.exe
  C:\Windows\System\ierNXDd.exe
  2⤵
  PID:3376
- C:\Windows\System\TLcxyqP.exe
  C:\Windows\System\TLcxyqP.exe
  2⤵
  PID:3620
- C:\Windows\System\pTTjvvt.exe
  C:\Windows\System\pTTjvvt.exe
  2⤵
  PID:1416
- C:\Windows\System\gBevQWc.exe
  C:\Windows\System\gBevQWc.exe
  2⤵
  PID:1140
- C:\Windows\System\cHmiHhd.exe
  C:\Windows\System\cHmiHhd.exe
  2⤵
  PID:3624
- C:\Windows\System\MbKrxXF.exe
  C:\Windows\System\MbKrxXF.exe
  2⤵
  PID:3820
- C:\Windows\System\mUKscpu.exe
  C:\Windows\System\mUKscpu.exe
  2⤵
  PID:3552
- C:\Windows\System\ElqPUNr.exe
  C:\Windows\System\ElqPUNr.exe
  2⤵
  PID:3688
- C:\Windows\System\PdAZuAD.exe
  C:\Windows\System\PdAZuAD.exe
  2⤵
  PID:3860
- C:\Windows\System\IAoQIQB.exe
  C:\Windows\System\IAoQIQB.exe
  2⤵
  PID:2896
- C:\Windows\System\bHkJOBf.exe
  C:\Windows\System\bHkJOBf.exe
  2⤵
  PID:3356
- C:\Windows\System\jHYAFOS.exe
  C:\Windows\System\jHYAFOS.exe
  2⤵
  PID:4084
- C:\Windows\System\SkbNcAV.exe
  C:\Windows\System\SkbNcAV.exe
  2⤵
  PID:3744
- C:\Windows\System\RLvCvfd.exe
  C:\Windows\System\RLvCvfd.exe
  2⤵
  PID:3136
- C:\Windows\System\loWAwlb.exe
  C:\Windows\System\loWAwlb.exe
  2⤵
  PID:1176
- C:\Windows\System\oXgObQR.exe
  C:\Windows\System\oXgObQR.exe
  2⤵
  PID:3164
- C:\Windows\System\xycKDxX.exe
  C:\Windows\System\xycKDxX.exe
  2⤵
  PID:3084
- C:\Windows\System\aKbsBLX.exe
  C:\Windows\System\aKbsBLX.exe
  2⤵
  PID:3672
- C:\Windows\System\djUJYrO.exe
  C:\Windows\System\djUJYrO.exe
  2⤵
  PID:3236
- C:\Windows\System\XmZFuAs.exe
  C:\Windows\System\XmZFuAs.exe
  2⤵
  PID:3708
- C:\Windows\System\iXaURFC.exe
  C:\Windows\System\iXaURFC.exe
  2⤵
  PID:3312
- C:\Windows\System\VBXMaan.exe
  C:\Windows\System\VBXMaan.exe
  2⤵
  PID:3940
- C:\Windows\System\cApLcnI.exe
  C:\Windows\System\cApLcnI.exe
  2⤵
  PID:3884
- C:\Windows\System\jgfjLbu.exe
  C:\Windows\System\jgfjLbu.exe
  2⤵
  PID:3588
- C:\Windows\System\PmAubgt.exe
  C:\Windows\System\PmAubgt.exe
  2⤵
  PID:3696
- C:\Windows\System\niVVHgk.exe
  C:\Windows\System\niVVHgk.exe
  2⤵
  PID:3740
- C:\Windows\System\PRoKVtt.exe
  C:\Windows\System\PRoKVtt.exe
  2⤵
  PID:3996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BKBMczR.exe

Filesize
2.1MB

MD5
e0372ec54f2e35ed238c88c28be8625a

SHA1
4448030fea9865dff028720146cdc43feea8623e

SHA256
b3b7484b7b0dde6d99e0c2248561ccac4e4537cdc87dee39f61905cadc5639b3

SHA512
b6a043511952412b6787ed9dcaefcf967c87528e449807ffca0fb747ed61c981a137327f13730b3d515d7d95270e871f1d457cbd4394f16ad5b47e74a231a2c3

Download Submit
C:\Windows\system\EtKAvyt.exe

Filesize
2.1MB

MD5
2338a8f08f27de11720dd14e0ac957be

SHA1
5eb32375be8e2741971f8e1b3270cb013b164526

SHA256
53a6ae4c6442cbe756335c9fb4d1687266f3b9e1db6a7db0276a8b0fce4770aa

SHA512
01f57c81b56c9f1aae77a1284b57f66a881c188b807d3fd2dfd68d68906a5729dc2cb09383e5273fc4ba0508d649aa87d17f67b697f5f9d484f7f20368530d59

Download Submit
C:\Windows\system\JcBHvvc.exe

Filesize
2.1MB

MD5
8a690a7df985a94b7c1e16a0a32c6a8b

SHA1
c7c9943127a4a206794713dc6954eac0b4ada7ac

SHA256
242cea7bcb5c3784e19b62121701c1a829560543cecda4dc1b118c49dd93e8ac

SHA512
b84a672d98973372e12010d97bc02f2246e5c63f32bf84524491020d71ca7ae89816abd22f7f042ee4be1814d560168846aeef42a729b64243244cd78c88a19d

Download Submit
C:\Windows\system\NwkUiLN.exe

Filesize
2.1MB

MD5
183fd11f8b7ab74bf1514d2ae1a108af

SHA1
d1818dfd7cf55c22b5c8bcb0bfea110cd8a7a018

SHA256
53eb3030fc1596d345f3bc76dd102be6a223e5c4224580b7d0b5f13e9f0a8b03

SHA512
ae78fa56a19a9129203d4e0e1c9a8befc93fe4c3d02ccd9d03f44aa8ee6924f13b25c968321ab8d87b1977fdd32f36fdd8e962dbcc59d677f11787ce3e5f5302

Download Submit
C:\Windows\system\OLcBWZM.exe

Filesize
2.1MB

MD5
3022a72fc7b724d03e52aae28297177d

SHA1
a770d9c3d68e7d2082582d2739dd5f388ebb7dbd

SHA256
4aef064361162f60552433f059e030142a7fc5662b0c27d81e4f7e1993014d33

SHA512
4a3a81a2a80fed60f6c12c73c30e4a162830550f012f13024f7d81c519ced2fc93f128f532e36b43055fa384e20173fa0c66c6775b00eef689e981a11a1c36fc

Download Submit
C:\Windows\system\QmMFRVS.exe

Filesize
2.1MB

MD5
48ace69017c8270cd45ad7bd1ab62bb8

SHA1
77e6c52b575d897b963d2247235cc4687517dd1c

SHA256
99bab36d268f8c95a5055cb61d92f4ed99019f024a89df5e61bf8b33249db058

SHA512
7a704b926eb7f0cfe4a0ce2e06ec25999b46297b7c5d3d976d9345316b5d8809d6507fe634368845b9bf9f5d872508563f39c3eada0cfa83f7524b30d2b66e6d

Download Submit
C:\Windows\system\RFTjYxd.exe

Filesize
2.1MB

MD5
5b20a78facefaf4dc7fb929dd82a74bb

SHA1
ea2e3bb1e16576ffb903c4a5a2e93f61347cb8c5

SHA256
b7ee436770ba3dc469c487fc0511842ce9610bcffee5ab52df89e992d8913515

SHA512
706feb604c54ffa8ae298d8348788cc6b64a87b1df201e02f0ad8048c2a7a1e18decdf9e776760a51858f40c583351f43f0aa089427f4734b1ea76a9fb206f57

Download Submit
C:\Windows\system\SDbwqGA.exe

Filesize
2.1MB

MD5
21d735a13d35c1f63f27c179327d7dfc

SHA1
1fb76f8b7114d97ec3d78421bbc249c02dc572a5

SHA256
866d24eea50da7b4687c2aa909f06172ce1a1b845d75156de975cfb12af97170

SHA512
b7b0708d69bb8207332e1f061bc51b64035d2dec00ee3dbfe314b5455e653c5c8767a7296e79891c40db3999c3a5410b346a4e68c7c8d7ac0014b56ae5d06f4e

Download Submit
C:\Windows\system\SsjSQWL.exe

Filesize
2.1MB

MD5
c5c1018af0c360dd6301a01a80d90c6c

SHA1
5154bd0926ea4c158ed65645b786209d56802f78

SHA256
1010db0bb8feb43551b26d936ac8383fe7f2cf6a4a01c22a666a74ad7ea0c985

SHA512
8a319c02545545830aaff464de6bad8d404cdfe595da0038985b464797456cf4e6e642c16aba9811d228cd74ba0e6f547e4e8b76e9a19f96d1df9ec274683dba

Download Submit
C:\Windows\system\VHbHoGn.exe

Filesize
2.1MB

MD5
64e010714d2ae6e7fe76692b74f2f7b0

SHA1
660705109a2b5be4b17b0c824b1d547ce582f8f9

SHA256
a7a13ec2f2bae2ac06015d81015600d506446f00e6284cda2a09017d178c4164

SHA512
6c5e988c4a8d59eb383de9115522d39f1bd808ec1899bd93cd8ae6fa8826c37311e28ade712b98eb6cb124aa48695949706ceb31e9c1bb9074a68e605fa9e6cc

Download Submit
C:\Windows\system\VMQrJHe.exe

Filesize
2.1MB

MD5
bd4a1e2cd38354c5082586cd6f121ac6

SHA1
35adb27e75414941d6529ce176cc46517426460e

SHA256
912add90b775d35effdcebd815c8f963b3cf7b8f6f69fc56128690a6e3122d19

SHA512
e0ddfc6ee2eb9818821c31d2028fd34414e2e5a2fdaaba169ac287f1edc1087a82c4d8992a22c394a8c06cd6cae8ec29ba9ab0fa9e361d86b30421a743cf5f14

Download Submit
C:\Windows\system\XUMpJwx.exe

Filesize
2.1MB

MD5
e9fde2d4eebf26d3e475e80b5fd8841a

SHA1
b30880298b3f392817acc7de1224a98356c28d5f

SHA256
b2237edfdd4b364eb0293d840cd6e397c98e225b79d97117bfb6e704c334942f

SHA512
a71900539a7741ab65cb98f0132de09c7524a099e2373cddf4ab99328e0812f9f13e6f751372c9881463f397eb963b146faa6add89217908af7e0692450a6251

Download Submit
C:\Windows\system\bFMQnhf.exe

Filesize
2.1MB

MD5
52d0e1c37836270b2968e601bb75b6f9

SHA1
e2eb205a8f1160a5725a9cbb9ebd878f217d4fce

SHA256
dde190c368a36d76689f4027ab41eaa0b63c90a13d95bc213792bd9f6664bc9a

SHA512
f51f211fc0ec8bc71eed1b91727d860c1bca3c2350de6a566b9bab360defa3785b1fc7dc7c1c8ba299db92ece074aec96dd56a2d11ebc3d0de8440ddd4c3775e

Download Submit
C:\Windows\system\cKlwIFU.exe

Filesize
2.1MB

MD5
0d5ff383bc0280142d292a7459ad099b

SHA1
f2c116fe4823bd4aa353dc4a35e260eb7439cbda

SHA256
b7c3c8affcd739459496980057c59bfaa0ff5cdfb0b005e4f499a77071602ff4

SHA512
8a7861750532868d609589de2961fecf8974ac1c3b90acefeb0e787fb27cf01e36023f2313dfd1cc0ae11ff2e27065ce78e637a01cedc2b0ebd718808b672fa3

Download Submit
C:\Windows\system\dCalOer.exe

Filesize
2.1MB

MD5
ac86c9997e2de865b584257f2f1bac30

SHA1
2af2a2ae2213bb18dcd9782432c7895b7ddc28c8

SHA256
9505eaeccf705d87b9272d620899e3b022c14eafd1a35faba3a592e4d5187743

SHA512
72a966d3bde9ba3c54c95cc1bbf3e09b79604725de7b815d653eabac4d00d40f0ec1ae86380523372c14c6f95e6cb1c78187b4ccf7f7e126bb6d89151ca4dc3a

Download Submit
C:\Windows\system\eGIIOwR.exe

Filesize
2.1MB

MD5
71ec0aa05e269edfc7bbb74a1aaadb2e

SHA1
b4f966dd1aa146dfdb5f1f2b1794e1080668fa44

SHA256
3a59ee80f59b50a930b5ca8faa16483ab0a2ac7a155bc5836feabd24f05d2fd4

SHA512
8e3f4cbc5295ab7f591dfdf12e71123ed122d1dae47b5ba84582eddac7729e2b9602bc74f658731d3dd34f46b812a26ce4e776f6d732b0be0373cc0f9e4229ca

Download Submit
C:\Windows\system\hFslZby.exe

Filesize
2.1MB

MD5
e4f6d66b808f3a92d38b64aa5772c6eb

SHA1
f1d2ecc0482d84539a273e4ba640be07fe9c5620

SHA256
b57feeef29cb2e2622f3e8a6d6d830eeeeaa25754627ccf8213f9cce0d62aba8

SHA512
4ac0ac4d097b716c60546419c052db6eac0e7d78062c17c5a465a66ab06c0ae2849d8a733b9ae13e511355d22c137c29ef53f7c7ae5a1de4057a5acce0b809a3

Download Submit
C:\Windows\system\hRPsADv.exe

Filesize
2.1MB

MD5
7d694f6ae8ee2520f0dfc46ee3c190b1

SHA1
fdba905eadc1842c24b0ad012ae812ed0144d73a

SHA256
dfd0f2199498db79ae8730314a858112300311b36c3b111b4a4c1d8c32737603

SHA512
dfa63b2855f1760047323e6fc6ff3941731ce98f08f9d6062dce1fa4fc0c5d987bc484efdcf438d4e2d0caf5868416d6059fe8c8331dd0a16ee818e7175e298d

Download Submit
C:\Windows\system\jnDjXEd.exe

Filesize
2.1MB

MD5
5fa8bf9a865da4cafca3e146bdf73558

SHA1
2353ec1715997216c42a7212ab7d07c4e7cdef47

SHA256
c497adae3076ca178705fd8e01c4494da2027447cbd890680dcc126bb57fc117

SHA512
f385fee918c54fd6074a0c3e6a57185430fa43c8ad7f8dad8d4f9af716d914676f7fa3b80afc01abe82d305adfbe42996ddc50961d8ebd51100576e55efd9ab9

Download Submit
C:\Windows\system\liHScUu.exe

Filesize
2.1MB

MD5
693024deb2b2d7cc247e585e7c2e097d

SHA1
a4c677da79532342503cc7bb621342eebf75ee7c

SHA256
400cf99a78d3d93b805d485d108bde7c6b25e55f60163018ea9ff9985f30a319

SHA512
e5e7ea018e0144e74ab7f5331ddc652486fefc1dbefd9b8ae0df69f110c21680873692eda9ca4a8842172f523fd28c4a3bd76fffb9c1e01158210221e7364710

Download Submit
C:\Windows\system\naVCnIY.exe

Filesize
2.1MB

MD5
683ceffd40178595477b8ccfa1d706f5

SHA1
cc9f290c3ad5afed7b5de82104db967f1197c877

SHA256
b307b62117726c03a80896b4c2151e05bdae9c19b168c8cdf83b66cbaa05328f

SHA512
e7247fa60fefd1ad4b5c2000487cc34450fe9f8b225747f8e2c5d74032fefec1f9bc9c58c07451056f86caf44144acf6f6861a95cbca910133c653766ba722e1

Download Submit
C:\Windows\system\oqHXCjw.exe

Filesize
2.1MB

MD5
d0df3b4d762c23b19818ff8307b208bc

SHA1
33d763d35a1e49e6cf6535ec7021b89c3fc43795

SHA256
a48c195dfd84e33aba4d6bdbf346e9da981daab64be0a4e905288441fae84d1a

SHA512
f4b5a4791a016ecfe46b69c68e600d3b87f2d99b3d3481fcfbd48f9bfc8ece96cf54536330d07bc5bc2b400ac6e7cb30edba2ae0b239638f43bec5b66f0ffab4

Download Submit
C:\Windows\system\pWwAfPg.exe

Filesize
2.1MB

MD5
e794417c3b53c5a6e04e0dedd9d8c259

SHA1
f6d9386c59a3b1abd36967ec0e093b9c61eafb34

SHA256
41f8cf9c8d69607c69f8531c6969e8dd8ffa1b36db5e3edcf6bfbdab966a8de6

SHA512
bb863abb0ac4735fe20a600b4e6513e88f5be8c40983066a1aa54c9c587ca5b9aa6f988d7cb1fdaf9f549306015405d75ee076d232c09ed76dafe28364e152d2

Download Submit
C:\Windows\system\qtTdINx.exe

Filesize
2.1MB

MD5
9e630014a5f3e7ea89f2461cbd3dd9ce

SHA1
f16298888ad2551e029b4a5ee061ddf9f21db762

SHA256
5f733ddb41ee973d9e6d068228b00185ab452c2582de9491fe1e16e246904ca7

SHA512
7b0cf16192c0f8bbb0e1974f6f612e6d8ee631c973dc16db6f76b859fb4ac539c4f32cf9379e8df154f6f4ce67a8f3a6129e9c975294a9eb09aad264c9ac9f02

Download Submit
C:\Windows\system\rVSSaIG.exe

Filesize
2.1MB

MD5
ce3c2040cb7325e4507d8bb7d5b16214

SHA1
fd0df9fc73c09f5c18bcb7634c301ec7e3552f30

SHA256
43672d8a96bd5a8107a3fae1ee59b2f2cf3335c2690a76cc30be57cdc304b85c

SHA512
df4859f5a81d1e1cb216852bf3594d4e901d01b6090f23434436dc5063e1e12c360da7eb4cf2e5d97167bcc858a209dca4a7e64e72cf2fd7f3a7a2e195dee175

Download Submit
C:\Windows\system\sOpOyHr.exe

Filesize
2.1MB

MD5
13d6bcd2947ad6dce1cedc418a00d8de

SHA1
84caa813b0a6d5cbfaa9da5852906bf71ff28b7d

SHA256
df93391eaac7f3f6d460221790603e7457ec976c16da6a218c84437dc190af9b

SHA512
e78f3333487b2916d492f9a87547adc64a43a982e06c3a77acead7d9901c133732bad81d1448cf4db7682503cc2345178bfc4b2c0ca5d839b6f25b9d3a44fc83

Download Submit
C:\Windows\system\tEHrnvl.exe

Filesize
2.1MB

MD5
203fa3c2c1711790d8b43de1d922ab31

SHA1
5cc192761a28018bdb1e58aaed2d2cad2ca3911a

SHA256
685445690348b2d713489baae35d7d008072ae5e08f9c1d3cf69f94a91501d58

SHA512
8400ddcc15b65af1001479da93205f55c4134440c0bd11dd6af73f1c45b9bc252affbc61ae9069d672c7057838ee5c98b22146856bdd7deb6cc0918cc1b3b14a

Download Submit
C:\Windows\system\wdJSIeo.exe

Filesize
2.1MB

MD5
d8a30a887b1f69e64771841ca7f5b618

SHA1
226f2fcb2a288d204fd08d96fdbbd0c2fb536850

SHA256
ef12c3d992afc3e10ef5ca3215f2147560070d32bf6c1290e2a730d496d75c26

SHA512
1eeef89fcc72cafdc01bcd65cf6144d2771b7c536e84bce97c23881024170913cc0d5be317eaa5c23ad180c10f13ece62891c76c43f993ec938a2f2d22d0b526

Download Submit
C:\Windows\system\xigpURi.exe

Filesize
2.1MB

MD5
54c0faf3aac1f84369259f9c4ec60223

SHA1
d19f0f15a11e549ba354554e2b3f93e775e7bfc5

SHA256
a03e3726054ec139a8123a83bc7f5695c8264a81573dcfedd116ef247e02a65a

SHA512
9b1a37173f8c4d93d51e10b56018204d44d78d5d9c8bca03da1a556c5714e93c07f695a72ca7397bb996e34faeb8ddae26857e7eb2a92a7902b3940d180fc647

Download Submit
C:\Windows\system\yXSVVLD.exe

Filesize
2.1MB

MD5
1d88462a3107c4f282aad5e186f1e779

SHA1
d2d0b21abf056bd9fab308df7bfab94376d3fc37

SHA256
360777008ce9f886ade05ef6de8e83bd400aa6775217a6428f6b29ab30c7d071

SHA512
21bf10c47e3ab486f62a6604d8b3216b37d9539b88cac3fcec2bce246c25574d77cc2601dcb86ee89e8f007be01366e25c667b7ad551fdff4aa207562b6abd3c

Download Submit
\Windows\system\jgTLBwc.exe

Filesize
2.1MB

MD5
c840d1440f37417d3fc4a82353053504

SHA1
43d797b86c90175766de71a2c4e3ca6c9f1ec3f9

SHA256
9d1bdf0d41fb36fab6a14a05498ed289fe657227c18442e7b5e6027ec0bec0a6

SHA512
5d100830d39e9bbd3ac8aca174462f0c3267c7925a5b00d59c2d264bec0332a3b5936f8855c2700fd263ea70b9b911689c18355434017f0d1bce879986bceead

Download Submit
\Windows\system\uziXVrL.exe

Filesize
2.1MB

MD5
1cd79f950985e1d783bb0cedf8900c30

SHA1
93d5662166946b4abdc27828c8ded64edc648403

SHA256
073be74f42dbcb406c0d24129055978943334dc66751b91b0562068488474f4c

SHA512
57826e85a2b5e1ac8559884161ebede13eca191a810fe9b6cd67b2db13d0a09180bd34845fe91679e0427823a7d7ecc708ddeaa0401769feea15e949521df618

Download Submit
memory/2016-0-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download