kpot | 59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
Size

2.1MB
MD5

8ad9b532e9950e985a8ade967ea18fa0
SHA1

8db1987373df5ab49e1e5b5079e6d8b48e78c23a
SHA256

59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f
SHA512

5631d0665d7e25142c027e5209e34f07283f3ef4d272e488096b52870cdc1774c695a32d34600e79135e0f3f00191feefd57c5fe2fdc2f0cc585cd1173a16be7
SSDEEP

49152:GezaTF8FcNkNdfE0pZ9oztFwIi5aIwC+Agr6S/FYqOc2rV:GemTLkNdfE0pZaQh

Score

10^/10

kpot xmrig miner persistence privilege_escalation stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 33 IoCs

resource	yara_rule
behavioral2/files/0x000600000002327b-4.dat	family_kpot
behavioral2/files/0x000900000002340c-9.dat	family_kpot
behavioral2/files/0x0007000000023416-8.dat	family_kpot
behavioral2/files/0x0007000000023417-20.dat	family_kpot
behavioral2/files/0x0007000000023418-24.dat	family_kpot
behavioral2/files/0x0007000000023419-29.dat	family_kpot
behavioral2/files/0x000700000002341a-34.dat	family_kpot
behavioral2/files/0x000900000002340f-39.dat	family_kpot
behavioral2/files/0x000700000002341b-44.dat	family_kpot
behavioral2/files/0x000700000002341d-53.dat	family_kpot
behavioral2/files/0x0007000000023421-73.dat	family_kpot
behavioral2/files/0x000700000002341f-84.dat	family_kpot
behavioral2/files/0x0007000000023427-92.dat	family_kpot
behavioral2/files/0x0007000000023426-102.dat	family_kpot
behavioral2/files/0x0007000000023425-100.dat	family_kpot
behavioral2/files/0x0007000000023424-98.dat	family_kpot
behavioral2/files/0x0007000000023423-96.dat	family_kpot
behavioral2/files/0x0007000000023422-94.dat	family_kpot
behavioral2/files/0x0007000000023420-81.dat	family_kpot
behavioral2/files/0x000700000002341e-67.dat	family_kpot
behavioral2/files/0x000700000002341c-52.dat	family_kpot
behavioral2/files/0x0007000000023428-108.dat	family_kpot
behavioral2/files/0x000700000002342b-112.dat	family_kpot
behavioral2/files/0x000700000002342c-117.dat	family_kpot
behavioral2/files/0x000700000002342d-122.dat	family_kpot
behavioral2/files/0x000700000002342e-132.dat	family_kpot
behavioral2/files/0x0007000000023430-138.dat	family_kpot
behavioral2/files/0x0007000000023432-153.dat	family_kpot
behavioral2/files/0x0007000000023433-155.dat	family_kpot
behavioral2/files/0x0007000000023431-151.dat	family_kpot
behavioral2/files/0x000700000002342f-134.dat	family_kpot
behavioral2/files/0x0007000000023434-159.dat	family_kpot
behavioral2/files/0x000c0000000006c3-162.dat	family_kpot

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 33 IoCs

miner

resource	yara_rule
behavioral2/files/0x000600000002327b-4.dat	xmrig
behavioral2/files/0x000900000002340c-9.dat	xmrig
behavioral2/files/0x0007000000023416-8.dat	xmrig
behavioral2/files/0x0007000000023417-20.dat	xmrig
behavioral2/files/0x0007000000023418-24.dat	xmrig
behavioral2/files/0x0007000000023419-29.dat	xmrig
behavioral2/files/0x000700000002341a-34.dat	xmrig
behavioral2/files/0x000900000002340f-39.dat	xmrig
behavioral2/files/0x000700000002341b-44.dat	xmrig
behavioral2/files/0x000700000002341d-53.dat	xmrig
behavioral2/files/0x0007000000023421-73.dat	xmrig
behavioral2/files/0x000700000002341f-84.dat	xmrig
behavioral2/files/0x0007000000023427-92.dat	xmrig
behavioral2/files/0x0007000000023426-102.dat	xmrig
behavioral2/files/0x0007000000023425-100.dat	xmrig
behavioral2/files/0x0007000000023424-98.dat	xmrig
behavioral2/files/0x0007000000023423-96.dat	xmrig
behavioral2/files/0x0007000000023422-94.dat	xmrig
behavioral2/files/0x0007000000023420-81.dat	xmrig
behavioral2/files/0x000700000002341e-67.dat	xmrig
behavioral2/files/0x000700000002341c-52.dat	xmrig
behavioral2/files/0x0007000000023428-108.dat	xmrig
behavioral2/files/0x000700000002342b-112.dat	xmrig
behavioral2/files/0x000700000002342c-117.dat	xmrig
behavioral2/files/0x000700000002342d-122.dat	xmrig
behavioral2/files/0x000700000002342e-132.dat	xmrig
behavioral2/files/0x0007000000023430-138.dat	xmrig
behavioral2/files/0x0007000000023432-153.dat	xmrig
behavioral2/files/0x0007000000023433-155.dat	xmrig
behavioral2/files/0x0007000000023431-151.dat	xmrig
behavioral2/files/0x000700000002342f-134.dat	xmrig
behavioral2/files/0x0007000000023434-159.dat	xmrig
behavioral2/files/0x000c0000000006c3-162.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1572	YtsEdQf.exe
4988	gDyqjOJ.exe
3888	urJgyOB.exe
3056	AyGcpGR.exe
1820	vbTaTHB.exe
5032	ncfCRwz.exe
4880	DMFeUgv.exe
2772	bTUKtdD.exe
4300	ZjmyZdQ.exe
3224	UJcYmQB.exe
648	zvtBwmi.exe
4360	ySoFjjh.exe
3388	DTjcWfV.exe
4744	XIqzaWd.exe
3412	OLnPlkS.exe
2912	IgKQdnX.exe
2244	UTXLiyP.exe
4912	hmUoZLm.exe
3424	ogzVeis.exe
3952	DQrICEJ.exe
3884	CrhnaUR.exe
5080	yhlIodz.exe
5084	BAgezoX.exe
3456	ITVWPVs.exe
1516	qgGcTNR.exe
2396	SakmTwn.exe
5036	cJQSlNt.exe
3632	UBEesWO.exe
4680	dQlHNXE.exe
3928	pmKAUru.exe
5064	WrEiokR.exe
4760	xcgxNit.exe
2008	QjGdQJW.exe
2056	buqWJog.exe
3504	xWyNfYj.exe
1288	iUxezbT.exe
3956	KJLzdRJ.exe
4332	ArbQHvo.exe
1216	jutUyem.exe
2588	BdHXdZX.exe
2656	PbxjGLr.exe
1184	hMFDwai.exe
3192	PjcEeBz.exe
4144	bLtqeYl.exe
812	oImWRYx.exe
4308	FWhBHZn.exe
1936	HNRoKQr.exe
3044	ZowMbNo.exe
2504	HtCTdje.exe
2760	ERoBiZf.exe
4092	XMFgoBM.exe
4764	GssimCY.exe
3508	HpGVeVd.exe
4780	LJfaisv.exe
1456	DcvZzXE.exe
1440	yRHwosz.exe
1932	QrzExtg.exe
4564	bIwabsj.exe
3968	BrHZEqM.exe
5000	RhgGECr.exe
4172	tmEiRIG.exe
1432	phpTfmi.exe
900	bjIzhwC.exe
3144	OknOlKJ.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\IgKQdnX.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\LkdQvsh.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\JDQgYqY.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\aRjRzjW.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\KSkNmUl.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\OLnPlkS.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\BXlFOyh.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\ZYiBwxr.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\IHIBfDD.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\YwcCPQV.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\bIwabsj.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\rbmmXWh.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\FwKRpHg.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\WkxHoWa.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\ZADpmjN.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\IdMTdpL.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\oqawhhn.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\cJQSlNt.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\gtQVKNv.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\xUWahyF.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\bdmUKiG.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\dKHdnhu.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\aNBJREQ.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\fUtnziB.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\UZOcjVM.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\UJcYmQB.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\DQrICEJ.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\hMFDwai.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\PjcEeBz.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\GssimCY.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\QBbXUCM.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\ZblFxyK.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\JcIGQTa.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\zvtBwmi.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\QUpQWgn.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\NiTHctJ.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\MLZZaQQ.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\dCrOmRC.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\KLBhQIc.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\urJgyOB.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\SqXmToR.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\fdNMdDz.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\rjwRtYX.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\mGlBvrk.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\xUuyZnK.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\hmUoZLm.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\XIqzaWd.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\SakmTwn.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\phpTfmi.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\WSPRIfC.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\jbbGkEq.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\ZrDNWeP.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\KsdwvVm.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\ncfCRwz.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\ihhFEcN.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\dehrNHL.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\VFBvQGe.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\UchksBo.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\hwxQvNX.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\IFShPLM.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\iUxezbT.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\sWmEZhW.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\nwOyUZz.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
File created	C:\Windows\System\Txmkmfy.exe	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 1572	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	83
PID 3252 wrote to memory of 1572	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	83
PID 3252 wrote to memory of 4988	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	84
PID 3252 wrote to memory of 4988	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	84
PID 3252 wrote to memory of 3888	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	85
PID 3252 wrote to memory of 3888	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	85
PID 3252 wrote to memory of 3056	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	86
PID 3252 wrote to memory of 3056	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	86
PID 3252 wrote to memory of 1820	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	87
PID 3252 wrote to memory of 1820	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	87
PID 3252 wrote to memory of 5032	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	88
PID 3252 wrote to memory of 5032	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	88
PID 3252 wrote to memory of 4880	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	89
PID 3252 wrote to memory of 4880	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	89
PID 3252 wrote to memory of 2772	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	90
PID 3252 wrote to memory of 2772	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	90
PID 3252 wrote to memory of 4300	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	92
PID 3252 wrote to memory of 4300	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	92
PID 3252 wrote to memory of 3224	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	93
PID 3252 wrote to memory of 3224	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	93
PID 3252 wrote to memory of 648	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	94
PID 3252 wrote to memory of 648	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	94
PID 3252 wrote to memory of 4360	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	95
PID 3252 wrote to memory of 4360	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	95
PID 3252 wrote to memory of 3388	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	96
PID 3252 wrote to memory of 3388	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	96
PID 3252 wrote to memory of 4744	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	97
PID 3252 wrote to memory of 4744	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	97
PID 3252 wrote to memory of 3412	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	98
PID 3252 wrote to memory of 3412	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	98
PID 3252 wrote to memory of 2912	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	99
PID 3252 wrote to memory of 2912	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	99
PID 3252 wrote to memory of 2244	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	100
PID 3252 wrote to memory of 2244	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	100
PID 3252 wrote to memory of 4912	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	101
PID 3252 wrote to memory of 4912	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	101
PID 3252 wrote to memory of 3424	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	102
PID 3252 wrote to memory of 3424	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	102
PID 3252 wrote to memory of 3952	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	103
PID 3252 wrote to memory of 3952	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	103
PID 3252 wrote to memory of 3884	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	104
PID 3252 wrote to memory of 3884	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	104
PID 3252 wrote to memory of 5080	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	106
PID 3252 wrote to memory of 5080	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	106
PID 3252 wrote to memory of 5084	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	107
PID 3252 wrote to memory of 5084	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	107
PID 3252 wrote to memory of 3456	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	108
PID 3252 wrote to memory of 3456	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	108
PID 3252 wrote to memory of 1516	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	109
PID 3252 wrote to memory of 1516	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	109
PID 3252 wrote to memory of 2396	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	110
PID 3252 wrote to memory of 2396	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	110
PID 3252 wrote to memory of 5036	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	111
PID 3252 wrote to memory of 5036	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	111
PID 3252 wrote to memory of 3632	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	112
PID 3252 wrote to memory of 3632	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	112
PID 3252 wrote to memory of 4680	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	113
PID 3252 wrote to memory of 4680	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	113
PID 3252 wrote to memory of 3928	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	114
PID 3252 wrote to memory of 3928	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	114
PID 3252 wrote to memory of 5064	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	115
PID 3252 wrote to memory of 5064	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	115
PID 3252 wrote to memory of 4760	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	116
PID 3252 wrote to memory of 4760	3252	59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe	116

C:\Users\Admin\AppData\Local\Temp\59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\59c8b8b9fffd175f4840464aeee1f8e192adb04ff9a50456b407b441dd16347f_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\System\YtsEdQf.exe
  C:\Windows\System\YtsEdQf.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\gDyqjOJ.exe
  C:\Windows\System\gDyqjOJ.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\urJgyOB.exe
  C:\Windows\System\urJgyOB.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\AyGcpGR.exe
  C:\Windows\System\AyGcpGR.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\vbTaTHB.exe
  C:\Windows\System\vbTaTHB.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\ncfCRwz.exe
  C:\Windows\System\ncfCRwz.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\DMFeUgv.exe
  C:\Windows\System\DMFeUgv.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\bTUKtdD.exe
  C:\Windows\System\bTUKtdD.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\ZjmyZdQ.exe
  C:\Windows\System\ZjmyZdQ.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\UJcYmQB.exe
  C:\Windows\System\UJcYmQB.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System\zvtBwmi.exe
  C:\Windows\System\zvtBwmi.exe
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Windows\System\ySoFjjh.exe
  C:\Windows\System\ySoFjjh.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\DTjcWfV.exe
  C:\Windows\System\DTjcWfV.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\XIqzaWd.exe
  C:\Windows\System\XIqzaWd.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\OLnPlkS.exe
  C:\Windows\System\OLnPlkS.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\IgKQdnX.exe
  C:\Windows\System\IgKQdnX.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\UTXLiyP.exe
  C:\Windows\System\UTXLiyP.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\hmUoZLm.exe
  C:\Windows\System\hmUoZLm.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\ogzVeis.exe
  C:\Windows\System\ogzVeis.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\DQrICEJ.exe
  C:\Windows\System\DQrICEJ.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\CrhnaUR.exe
  C:\Windows\System\CrhnaUR.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System\yhlIodz.exe
  C:\Windows\System\yhlIodz.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\BAgezoX.exe
  C:\Windows\System\BAgezoX.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\ITVWPVs.exe
  C:\Windows\System\ITVWPVs.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System\qgGcTNR.exe
  C:\Windows\System\qgGcTNR.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\SakmTwn.exe
  C:\Windows\System\SakmTwn.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\cJQSlNt.exe
  C:\Windows\System\cJQSlNt.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\UBEesWO.exe
  C:\Windows\System\UBEesWO.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System\dQlHNXE.exe
  C:\Windows\System\dQlHNXE.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System\pmKAUru.exe
  C:\Windows\System\pmKAUru.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\WrEiokR.exe
  C:\Windows\System\WrEiokR.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\xcgxNit.exe
  C:\Windows\System\xcgxNit.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\QjGdQJW.exe
  C:\Windows\System\QjGdQJW.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\buqWJog.exe
  C:\Windows\System\buqWJog.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\xWyNfYj.exe
  C:\Windows\System\xWyNfYj.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\iUxezbT.exe
  C:\Windows\System\iUxezbT.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System\KJLzdRJ.exe
  C:\Windows\System\KJLzdRJ.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\ArbQHvo.exe
  C:\Windows\System\ArbQHvo.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System\jutUyem.exe
  C:\Windows\System\jutUyem.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\BdHXdZX.exe
  C:\Windows\System\BdHXdZX.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\PbxjGLr.exe
  C:\Windows\System\PbxjGLr.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\hMFDwai.exe
  C:\Windows\System\hMFDwai.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System\PjcEeBz.exe
  C:\Windows\System\PjcEeBz.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System\bLtqeYl.exe
  C:\Windows\System\bLtqeYl.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System\oImWRYx.exe
  C:\Windows\System\oImWRYx.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System\FWhBHZn.exe
  C:\Windows\System\FWhBHZn.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System\HNRoKQr.exe
  C:\Windows\System\HNRoKQr.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\ZowMbNo.exe
  C:\Windows\System\ZowMbNo.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\HtCTdje.exe
  C:\Windows\System\HtCTdje.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\ERoBiZf.exe
  C:\Windows\System\ERoBiZf.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\XMFgoBM.exe
  C:\Windows\System\XMFgoBM.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System\GssimCY.exe
  C:\Windows\System\GssimCY.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\HpGVeVd.exe
  C:\Windows\System\HpGVeVd.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\LJfaisv.exe
  C:\Windows\System\LJfaisv.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\DcvZzXE.exe
  C:\Windows\System\DcvZzXE.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System\yRHwosz.exe
  C:\Windows\System\yRHwosz.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\QrzExtg.exe
  C:\Windows\System\QrzExtg.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\bIwabsj.exe
  C:\Windows\System\bIwabsj.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\BrHZEqM.exe
  C:\Windows\System\BrHZEqM.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System\RhgGECr.exe
  C:\Windows\System\RhgGECr.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\tmEiRIG.exe
  C:\Windows\System\tmEiRIG.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\phpTfmi.exe
  C:\Windows\System\phpTfmi.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\bjIzhwC.exe
  C:\Windows\System\bjIzhwC.exe
  2⤵
  - Executes dropped EXE
  PID:900
- C:\Windows\System\OknOlKJ.exe
  C:\Windows\System\OknOlKJ.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\kfkDhkV.exe
  C:\Windows\System\kfkDhkV.exe
  2⤵
  PID:4704
- C:\Windows\System\rbmmXWh.exe
  C:\Windows\System\rbmmXWh.exe
  2⤵
  PID:2372
- C:\Windows\System\sBIhOvh.exe
  C:\Windows\System\sBIhOvh.exe
  2⤵
  PID:4124
- C:\Windows\System\cBLQfJq.exe
  C:\Windows\System\cBLQfJq.exe
  2⤵
  PID:4408
- C:\Windows\System\hQTHPmB.exe
  C:\Windows\System\hQTHPmB.exe
  2⤵
  PID:4400
- C:\Windows\System\Bhogekl.exe
  C:\Windows\System\Bhogekl.exe
  2⤵
  PID:4232
- C:\Windows\System\SqXmToR.exe
  C:\Windows\System\SqXmToR.exe
  2⤵
  PID:816
- C:\Windows\System\ezYyIPz.exe
  C:\Windows\System\ezYyIPz.exe
  2⤵
  PID:4456
- C:\Windows\System\fapPNCO.exe
  C:\Windows\System\fapPNCO.exe
  2⤵
  PID:840
- C:\Windows\System\nCeHNZl.exe
  C:\Windows\System\nCeHNZl.exe
  2⤵
  PID:5100
- C:\Windows\System\TWKBJrc.exe
  C:\Windows\System\TWKBJrc.exe
  2⤵
  PID:4884
- C:\Windows\System\ruhQmuh.exe
  C:\Windows\System\ruhQmuh.exe
  2⤵
  PID:3932
- C:\Windows\System\WzlUSNe.exe
  C:\Windows\System\WzlUSNe.exe
  2⤵
  PID:4336
- C:\Windows\System\nvRKKSi.exe
  C:\Windows\System\nvRKKSi.exe
  2⤵
  PID:1752
- C:\Windows\System\fdNMdDz.exe
  C:\Windows\System\fdNMdDz.exe
  2⤵
  PID:4032
- C:\Windows\System\WSPRIfC.exe
  C:\Windows\System\WSPRIfC.exe
  2⤵
  PID:336
- C:\Windows\System\EJDvYUC.exe
  C:\Windows\System\EJDvYUC.exe
  2⤵
  PID:764
- C:\Windows\System\fgCQXtU.exe
  C:\Windows\System\fgCQXtU.exe
  2⤵
  PID:4312
- C:\Windows\System\eTtoqlE.exe
  C:\Windows\System\eTtoqlE.exe
  2⤵
  PID:3012
- C:\Windows\System\TxrYAHC.exe
  C:\Windows\System\TxrYAHC.exe
  2⤵
  PID:4288
- C:\Windows\System\aFtbErO.exe
  C:\Windows\System\aFtbErO.exe
  2⤵
  PID:2336
- C:\Windows\System\piqrPfp.exe
  C:\Windows\System\piqrPfp.exe
  2⤵
  PID:4596
- C:\Windows\System\jvTlZQn.exe
  C:\Windows\System\jvTlZQn.exe
  2⤵
  PID:3100
- C:\Windows\System\RISyFfG.exe
  C:\Windows\System\RISyFfG.exe
  2⤵
  PID:4752
- C:\Windows\System\bdmUKiG.exe
  C:\Windows\System\bdmUKiG.exe
  2⤵
  PID:5132
- C:\Windows\System\QaMHnGy.exe
  C:\Windows\System\QaMHnGy.exe
  2⤵
  PID:5152
- C:\Windows\System\XUHAKHx.exe
  C:\Windows\System\XUHAKHx.exe
  2⤵
  PID:5196
- C:\Windows\System\PVYzdIM.exe
  C:\Windows\System\PVYzdIM.exe
  2⤵
  PID:5224
- C:\Windows\System\NLgGBqG.exe
  C:\Windows\System\NLgGBqG.exe
  2⤵
  PID:5260
- C:\Windows\System\MNGSjKV.exe
  C:\Windows\System\MNGSjKV.exe
  2⤵
  PID:5288
- C:\Windows\System\gtQVKNv.exe
  C:\Windows\System\gtQVKNv.exe
  2⤵
  PID:5316
- C:\Windows\System\UndpaRZ.exe
  C:\Windows\System\UndpaRZ.exe
  2⤵
  PID:5344
- C:\Windows\System\MLZZaQQ.exe
  C:\Windows\System\MLZZaQQ.exe
  2⤵
  PID:5372
- C:\Windows\System\FNqFjwq.exe
  C:\Windows\System\FNqFjwq.exe
  2⤵
  PID:5400
- C:\Windows\System\NvxpWtx.exe
  C:\Windows\System\NvxpWtx.exe
  2⤵
  PID:5436
- C:\Windows\System\LkdQvsh.exe
  C:\Windows\System\LkdQvsh.exe
  2⤵
  PID:5460
- C:\Windows\System\BXlFOyh.exe
  C:\Windows\System\BXlFOyh.exe
  2⤵
  PID:5492
- C:\Windows\System\PqPEWOp.exe
  C:\Windows\System\PqPEWOp.exe
  2⤵
  PID:5516
- C:\Windows\System\ljkAgDa.exe
  C:\Windows\System\ljkAgDa.exe
  2⤵
  PID:5544
- C:\Windows\System\aHIKPeR.exe
  C:\Windows\System\aHIKPeR.exe
  2⤵
  PID:5576
- C:\Windows\System\xaZseEo.exe
  C:\Windows\System\xaZseEo.exe
  2⤵
  PID:5604
- C:\Windows\System\wqAvVIN.exe
  C:\Windows\System\wqAvVIN.exe
  2⤵
  PID:5632
- C:\Windows\System\CCkxoXI.exe
  C:\Windows\System\CCkxoXI.exe
  2⤵
  PID:5660
- C:\Windows\System\rjwRtYX.exe
  C:\Windows\System\rjwRtYX.exe
  2⤵
  PID:5688
- C:\Windows\System\ADEBdKz.exe
  C:\Windows\System\ADEBdKz.exe
  2⤵
  PID:5720
- C:\Windows\System\EPhpXBP.exe
  C:\Windows\System\EPhpXBP.exe
  2⤵
  PID:5744
- C:\Windows\System\pAjvwKU.exe
  C:\Windows\System\pAjvwKU.exe
  2⤵
  PID:5776
- C:\Windows\System\iaXOjez.exe
  C:\Windows\System\iaXOjez.exe
  2⤵
  PID:5800
- C:\Windows\System\ABRuRhB.exe
  C:\Windows\System\ABRuRhB.exe
  2⤵
  PID:5828
- C:\Windows\System\kDJMTSv.exe
  C:\Windows\System\kDJMTSv.exe
  2⤵
  PID:5856
- C:\Windows\System\bxDezwG.exe
  C:\Windows\System\bxDezwG.exe
  2⤵
  PID:5884
- C:\Windows\System\eeLsxgl.exe
  C:\Windows\System\eeLsxgl.exe
  2⤵
  PID:5912
- C:\Windows\System\mwNycyt.exe
  C:\Windows\System\mwNycyt.exe
  2⤵
  PID:5940
- C:\Windows\System\zoXIDVx.exe
  C:\Windows\System\zoXIDVx.exe
  2⤵
  PID:5968
- C:\Windows\System\UmcYRve.exe
  C:\Windows\System\UmcYRve.exe
  2⤵
  PID:5996
- C:\Windows\System\VFBvQGe.exe
  C:\Windows\System\VFBvQGe.exe
  2⤵
  PID:6024
- C:\Windows\System\dEUsjiP.exe
  C:\Windows\System\dEUsjiP.exe
  2⤵
  PID:6056
- C:\Windows\System\pVOXvkN.exe
  C:\Windows\System\pVOXvkN.exe
  2⤵
  PID:6084
- C:\Windows\System\yehgeZP.exe
  C:\Windows\System\yehgeZP.exe
  2⤵
  PID:6116
- C:\Windows\System\bKYbtRX.exe
  C:\Windows\System\bKYbtRX.exe
  2⤵
  PID:6136
- C:\Windows\System\AvPhbWZ.exe
  C:\Windows\System\AvPhbWZ.exe
  2⤵
  PID:5148
- C:\Windows\System\LbDxyyE.exe
  C:\Windows\System\LbDxyyE.exe
  2⤵
  PID:5220
- C:\Windows\System\uxboNYQ.exe
  C:\Windows\System\uxboNYQ.exe
  2⤵
  PID:5284
- C:\Windows\System\NzSzOXg.exe
  C:\Windows\System\NzSzOXg.exe
  2⤵
  PID:5356
- C:\Windows\System\tNuJwGn.exe
  C:\Windows\System\tNuJwGn.exe
  2⤵
  PID:5424
- C:\Windows\System\jBaHYiM.exe
  C:\Windows\System\jBaHYiM.exe
  2⤵
  PID:5484
- C:\Windows\System\ulrMoCY.exe
  C:\Windows\System\ulrMoCY.exe
  2⤵
  PID:5556
- C:\Windows\System\amzgoZQ.exe
  C:\Windows\System\amzgoZQ.exe
  2⤵
  PID:5620
- C:\Windows\System\UaLNVFM.exe
  C:\Windows\System\UaLNVFM.exe
  2⤵
  PID:5672
- C:\Windows\System\dKHdnhu.exe
  C:\Windows\System\dKHdnhu.exe
  2⤵
  PID:5756
- C:\Windows\System\YbHWRuH.exe
  C:\Windows\System\YbHWRuH.exe
  2⤵
  PID:5824
- C:\Windows\System\ZzRvZcR.exe
  C:\Windows\System\ZzRvZcR.exe
  2⤵
  PID:5880
- C:\Windows\System\sWmEZhW.exe
  C:\Windows\System\sWmEZhW.exe
  2⤵
  PID:5964
- C:\Windows\System\qYwszhX.exe
  C:\Windows\System\qYwszhX.exe
  2⤵
  PID:6016
- C:\Windows\System\JDQgYqY.exe
  C:\Windows\System\JDQgYqY.exe
  2⤵
  PID:6076
- C:\Windows\System\ehyiYOh.exe
  C:\Windows\System\ehyiYOh.exe
  2⤵
  PID:5216
- C:\Windows\System\ABcZZis.exe
  C:\Windows\System\ABcZZis.exe
  2⤵
  PID:5340
- C:\Windows\System\FwKRpHg.exe
  C:\Windows\System\FwKRpHg.exe
  2⤵
  PID:5512
- C:\Windows\System\SJilhsU.exe
  C:\Windows\System\SJilhsU.exe
  2⤵
  PID:5616
- C:\Windows\System\UchksBo.exe
  C:\Windows\System\UchksBo.exe
  2⤵
  PID:5796
- C:\Windows\System\PCOTNkR.exe
  C:\Windows\System\PCOTNkR.exe
  2⤵
  PID:5992
- C:\Windows\System\QYHyiBI.exe
  C:\Windows\System\QYHyiBI.exe
  2⤵
  PID:5308
- C:\Windows\System\jbbGkEq.exe
  C:\Windows\System\jbbGkEq.exe
  2⤵
  PID:5684
- C:\Windows\System\AoFgRDb.exe
  C:\Windows\System\AoFgRDb.exe
  2⤵
  PID:5980
- C:\Windows\System\lMqajJp.exe
  C:\Windows\System\lMqajJp.exe
  2⤵
  PID:5932
- C:\Windows\System\enyLiHM.exe
  C:\Windows\System\enyLiHM.exe
  2⤵
  PID:6184
- C:\Windows\System\zARIyxH.exe
  C:\Windows\System\zARIyxH.exe
  2⤵
  PID:6216
- C:\Windows\System\Fzkkwhj.exe
  C:\Windows\System\Fzkkwhj.exe
  2⤵
  PID:6252
- C:\Windows\System\CFdIAnv.exe
  C:\Windows\System\CFdIAnv.exe
  2⤵
  PID:6284
- C:\Windows\System\acASzMn.exe
  C:\Windows\System\acASzMn.exe
  2⤵
  PID:6324
- C:\Windows\System\QHLQwAv.exe
  C:\Windows\System\QHLQwAv.exe
  2⤵
  PID:6352
- C:\Windows\System\NBCtLkL.exe
  C:\Windows\System\NBCtLkL.exe
  2⤵
  PID:6368
- C:\Windows\System\taAYBEq.exe
  C:\Windows\System\taAYBEq.exe
  2⤵
  PID:6396
- C:\Windows\System\NDhgFrt.exe
  C:\Windows\System\NDhgFrt.exe
  2⤵
  PID:6432
- C:\Windows\System\IJdAEQZ.exe
  C:\Windows\System\IJdAEQZ.exe
  2⤵
  PID:6460
- C:\Windows\System\OfewXLr.exe
  C:\Windows\System\OfewXLr.exe
  2⤵
  PID:6484
- C:\Windows\System\qKSiLEe.exe
  C:\Windows\System\qKSiLEe.exe
  2⤵
  PID:6520
- C:\Windows\System\aRjRzjW.exe
  C:\Windows\System\aRjRzjW.exe
  2⤵
  PID:6568
- C:\Windows\System\cBVTPYt.exe
  C:\Windows\System\cBVTPYt.exe
  2⤵
  PID:6604
- C:\Windows\System\aMkiunX.exe
  C:\Windows\System\aMkiunX.exe
  2⤵
  PID:6644
- C:\Windows\System\WRglQqy.exe
  C:\Windows\System\WRglQqy.exe
  2⤵
  PID:6676
- C:\Windows\System\rkqIoGf.exe
  C:\Windows\System\rkqIoGf.exe
  2⤵
  PID:6704
- C:\Windows\System\hwxQvNX.exe
  C:\Windows\System\hwxQvNX.exe
  2⤵
  PID:6736
- C:\Windows\System\WityGPR.exe
  C:\Windows\System\WityGPR.exe
  2⤵
  PID:6756
- C:\Windows\System\shQNpbt.exe
  C:\Windows\System\shQNpbt.exe
  2⤵
  PID:6792
- C:\Windows\System\PlpKfOv.exe
  C:\Windows\System\PlpKfOv.exe
  2⤵
  PID:6832
- C:\Windows\System\NLItsAn.exe
  C:\Windows\System\NLItsAn.exe
  2⤵
  PID:6876
- C:\Windows\System\NtaHrFu.exe
  C:\Windows\System\NtaHrFu.exe
  2⤵
  PID:6892
- C:\Windows\System\ZrDNWeP.exe
  C:\Windows\System\ZrDNWeP.exe
  2⤵
  PID:6908
- C:\Windows\System\hYYoiLH.exe
  C:\Windows\System\hYYoiLH.exe
  2⤵
  PID:6948
- C:\Windows\System\dCrOmRC.exe
  C:\Windows\System\dCrOmRC.exe
  2⤵
  PID:6992
- C:\Windows\System\QBbXUCM.exe
  C:\Windows\System\QBbXUCM.exe
  2⤵
  PID:7024
- C:\Windows\System\kQnQxLE.exe
  C:\Windows\System\kQnQxLE.exe
  2⤵
  PID:7052
- C:\Windows\System\HBsRpmk.exe
  C:\Windows\System\HBsRpmk.exe
  2⤵
  PID:7080
- C:\Windows\System\WkxHoWa.exe
  C:\Windows\System\WkxHoWa.exe
  2⤵
  PID:7108
- C:\Windows\System\UPpmoSK.exe
  C:\Windows\System\UPpmoSK.exe
  2⤵
  PID:7136
- C:\Windows\System\pvImhWs.exe
  C:\Windows\System\pvImhWs.exe
  2⤵
  PID:7164
- C:\Windows\System\tKflbYd.exe
  C:\Windows\System\tKflbYd.exe
  2⤵
  PID:6156
- C:\Windows\System\XTXXSQB.exe
  C:\Windows\System\XTXXSQB.exe
  2⤵
  PID:6248
- C:\Windows\System\jyfUufE.exe
  C:\Windows\System\jyfUufE.exe
  2⤵
  PID:6292
- C:\Windows\System\WPYoNVv.exe
  C:\Windows\System\WPYoNVv.exe
  2⤵
  PID:6344
- C:\Windows\System\zkRLgPF.exe
  C:\Windows\System\zkRLgPF.exe
  2⤵
  PID:6500
- C:\Windows\System\gezpNoR.exe
  C:\Windows\System\gezpNoR.exe
  2⤵
  PID:6496
- C:\Windows\System\rZkAOxs.exe
  C:\Windows\System\rZkAOxs.exe
  2⤵
  PID:6656
- C:\Windows\System\yRniLsW.exe
  C:\Windows\System\yRniLsW.exe
  2⤵
  PID:6692
- C:\Windows\System\KNDXkHy.exe
  C:\Windows\System\KNDXkHy.exe
  2⤵
  PID:6768
- C:\Windows\System\HjklpBr.exe
  C:\Windows\System\HjklpBr.exe
  2⤵
  PID:6864
- C:\Windows\System\kIWfpyq.exe
  C:\Windows\System\kIWfpyq.exe
  2⤵
  PID:6920
- C:\Windows\System\TZDnIYK.exe
  C:\Windows\System\TZDnIYK.exe
  2⤵
  PID:6968
- C:\Windows\System\eHIibNZ.exe
  C:\Windows\System\eHIibNZ.exe
  2⤵
  PID:7032
- C:\Windows\System\zmuJrdq.exe
  C:\Windows\System\zmuJrdq.exe
  2⤵
  PID:7132
- C:\Windows\System\ZblFxyK.exe
  C:\Windows\System\ZblFxyK.exe
  2⤵
  PID:6228
- C:\Windows\System\lhgGEuJ.exe
  C:\Windows\System\lhgGEuJ.exe
  2⤵
  PID:6444
- C:\Windows\System\GCpzHLI.exe
  C:\Windows\System\GCpzHLI.exe
  2⤵
  PID:6600
- C:\Windows\System\SrueTsV.exe
  C:\Windows\System\SrueTsV.exe
  2⤵
  PID:6700
- C:\Windows\System\XAmPHsH.exe
  C:\Windows\System\XAmPHsH.exe
  2⤵
  PID:7004
- C:\Windows\System\WcStcQW.exe
  C:\Windows\System\WcStcQW.exe
  2⤵
  PID:6972
- C:\Windows\System\xcjsOMo.exe
  C:\Windows\System\xcjsOMo.exe
  2⤵
  PID:7160
- C:\Windows\System\AErUJhW.exe
  C:\Windows\System\AErUJhW.exe
  2⤵
  PID:6212
- C:\Windows\System\iPhcCwK.exe
  C:\Windows\System\iPhcCwK.exe
  2⤵
  PID:7012
- C:\Windows\System\KrrMpyO.exe
  C:\Windows\System\KrrMpyO.exe
  2⤵
  PID:6712
- C:\Windows\System\ZYiBwxr.exe
  C:\Windows\System\ZYiBwxr.exe
  2⤵
  PID:7176
- C:\Windows\System\WYSWVZi.exe
  C:\Windows\System\WYSWVZi.exe
  2⤵
  PID:7208
- C:\Windows\System\ZADpmjN.exe
  C:\Windows\System\ZADpmjN.exe
  2⤵
  PID:7232
- C:\Windows\System\DibATRN.exe
  C:\Windows\System\DibATRN.exe
  2⤵
  PID:7260
- C:\Windows\System\ttCakcP.exe
  C:\Windows\System\ttCakcP.exe
  2⤵
  PID:7292
- C:\Windows\System\EwCtIus.exe
  C:\Windows\System\EwCtIus.exe
  2⤵
  PID:7320
- C:\Windows\System\vvacSFo.exe
  C:\Windows\System\vvacSFo.exe
  2⤵
  PID:7344
- C:\Windows\System\jdriYHX.exe
  C:\Windows\System\jdriYHX.exe
  2⤵
  PID:7376
- C:\Windows\System\BitDEUv.exe
  C:\Windows\System\BitDEUv.exe
  2⤵
  PID:7396
- C:\Windows\System\YBdHnjQ.exe
  C:\Windows\System\YBdHnjQ.exe
  2⤵
  PID:7428
- C:\Windows\System\JWmsNeO.exe
  C:\Windows\System\JWmsNeO.exe
  2⤵
  PID:7452
- C:\Windows\System\qMvwiaJ.exe
  C:\Windows\System\qMvwiaJ.exe
  2⤵
  PID:7480
- C:\Windows\System\ArRTGMH.exe
  C:\Windows\System\ArRTGMH.exe
  2⤵
  PID:7524
- C:\Windows\System\akEqoRp.exe
  C:\Windows\System\akEqoRp.exe
  2⤵
  PID:7548
- C:\Windows\System\nwOyUZz.exe
  C:\Windows\System\nwOyUZz.exe
  2⤵
  PID:7580
- C:\Windows\System\lnowYxh.exe
  C:\Windows\System\lnowYxh.exe
  2⤵
  PID:7612
- C:\Windows\System\rVDnTEm.exe
  C:\Windows\System\rVDnTEm.exe
  2⤵
  PID:7640
- C:\Windows\System\mceHSoo.exe
  C:\Windows\System\mceHSoo.exe
  2⤵
  PID:7672
- C:\Windows\System\JgNorNE.exe
  C:\Windows\System\JgNorNE.exe
  2⤵
  PID:7696
- C:\Windows\System\xUWahyF.exe
  C:\Windows\System\xUWahyF.exe
  2⤵
  PID:7736
- C:\Windows\System\SLVotKh.exe
  C:\Windows\System\SLVotKh.exe
  2⤵
  PID:7752
- C:\Windows\System\fNJvxjM.exe
  C:\Windows\System\fNJvxjM.exe
  2⤵
  PID:7780
- C:\Windows\System\qmCkAGi.exe
  C:\Windows\System\qmCkAGi.exe
  2⤵
  PID:7808
- C:\Windows\System\IdMTdpL.exe
  C:\Windows\System\IdMTdpL.exe
  2⤵
  PID:7836
- C:\Windows\System\peXbqvK.exe
  C:\Windows\System\peXbqvK.exe
  2⤵
  PID:7872
- C:\Windows\System\HXdgEIM.exe
  C:\Windows\System\HXdgEIM.exe
  2⤵
  PID:7892
- C:\Windows\System\KiupwOc.exe
  C:\Windows\System\KiupwOc.exe
  2⤵
  PID:7916
- C:\Windows\System\VLJHcXE.exe
  C:\Windows\System\VLJHcXE.exe
  2⤵
  PID:7932
- C:\Windows\System\pdOuTuj.exe
  C:\Windows\System\pdOuTuj.exe
  2⤵
  PID:7964
- C:\Windows\System\TZZKhMh.exe
  C:\Windows\System\TZZKhMh.exe
  2⤵
  PID:8000
- C:\Windows\System\ALSShba.exe
  C:\Windows\System\ALSShba.exe
  2⤵
  PID:8032
- C:\Windows\System\AECYRWh.exe
  C:\Windows\System\AECYRWh.exe
  2⤵
  PID:8060
- C:\Windows\System\noNQReg.exe
  C:\Windows\System\noNQReg.exe
  2⤵
  PID:8088
- C:\Windows\System\WrjRDtc.exe
  C:\Windows\System\WrjRDtc.exe
  2⤵
  PID:8116
- C:\Windows\System\FVIFChk.exe
  C:\Windows\System\FVIFChk.exe
  2⤵
  PID:8156
- C:\Windows\System\QaAroWQ.exe
  C:\Windows\System\QaAroWQ.exe
  2⤵
  PID:6884
- C:\Windows\System\pJmMutR.exe
  C:\Windows\System\pJmMutR.exe
  2⤵
  PID:7228
- C:\Windows\System\RbktPTk.exe
  C:\Windows\System\RbktPTk.exe
  2⤵
  PID:7272
- C:\Windows\System\IkZJqSE.exe
  C:\Windows\System\IkZJqSE.exe
  2⤵
  PID:7340
- C:\Windows\System\ccrjydt.exe
  C:\Windows\System\ccrjydt.exe
  2⤵
  PID:7420
- C:\Windows\System\YPBnjbs.exe
  C:\Windows\System\YPBnjbs.exe
  2⤵
  PID:7512
- C:\Windows\System\nPFaODM.exe
  C:\Windows\System\nPFaODM.exe
  2⤵
  PID:7540
- C:\Windows\System\pousukI.exe
  C:\Windows\System\pousukI.exe
  2⤵
  PID:7632
- C:\Windows\System\CazBTMf.exe
  C:\Windows\System\CazBTMf.exe
  2⤵
  PID:7688
- C:\Windows\System\ULASHFg.exe
  C:\Windows\System\ULASHFg.exe
  2⤵
  PID:7776
- C:\Windows\System\xPSoOua.exe
  C:\Windows\System\xPSoOua.exe
  2⤵
  PID:7848
- C:\Windows\System\dfuWnOe.exe
  C:\Windows\System\dfuWnOe.exe
  2⤵
  PID:7856
- C:\Windows\System\UMTtgcT.exe
  C:\Windows\System\UMTtgcT.exe
  2⤵
  PID:7928
- C:\Windows\System\PKySGJF.exe
  C:\Windows\System\PKySGJF.exe
  2⤵
  PID:7976
- C:\Windows\System\JcIGQTa.exe
  C:\Windows\System\JcIGQTa.exe
  2⤵
  PID:8080
- C:\Windows\System\JBPUNFW.exe
  C:\Windows\System\JBPUNFW.exe
  2⤵
  PID:8148
- C:\Windows\System\jBOeaMB.exe
  C:\Windows\System\jBOeaMB.exe
  2⤵
  PID:7300
- C:\Windows\System\ovigMex.exe
  C:\Windows\System\ovigMex.exe
  2⤵
  PID:7356
- C:\Windows\System\UcvAoza.exe
  C:\Windows\System\UcvAoza.exe
  2⤵
  PID:7564
- C:\Windows\System\bUaxpMJ.exe
  C:\Windows\System\bUaxpMJ.exe
  2⤵
  PID:7652
- C:\Windows\System\vBCGaHl.exe
  C:\Windows\System\vBCGaHl.exe
  2⤵
  PID:7748
- C:\Windows\System\RJdhTLX.exe
  C:\Windows\System\RJdhTLX.exe
  2⤵
  PID:7956
- C:\Windows\System\nmHaNMt.exe
  C:\Windows\System\nmHaNMt.exe
  2⤵
  PID:8112
- C:\Windows\System\IHIBfDD.exe
  C:\Windows\System\IHIBfDD.exe
  2⤵
  PID:7444
- C:\Windows\System\qRsyuVW.exe
  C:\Windows\System\qRsyuVW.exe
  2⤵
  PID:7728
- C:\Windows\System\DtuBOhw.exe
  C:\Windows\System\DtuBOhw.exe
  2⤵
  PID:7312
- C:\Windows\System\iiCjrGs.exe
  C:\Windows\System\iiCjrGs.exe
  2⤵
  PID:7604
- C:\Windows\System\dVuHAag.exe
  C:\Windows\System\dVuHAag.exe
  2⤵
  PID:8212
- C:\Windows\System\svKmWOm.exe
  C:\Windows\System\svKmWOm.exe
  2⤵
  PID:8228
- C:\Windows\System\KsdwvVm.exe
  C:\Windows\System\KsdwvVm.exe
  2⤵
  PID:8256
- C:\Windows\System\gXZXgYd.exe
  C:\Windows\System\gXZXgYd.exe
  2⤵
  PID:8284
- C:\Windows\System\aNBJREQ.exe
  C:\Windows\System\aNBJREQ.exe
  2⤵
  PID:8304
- C:\Windows\System\NeDsoHq.exe
  C:\Windows\System\NeDsoHq.exe
  2⤵
  PID:8328
- C:\Windows\System\VjtIrLR.exe
  C:\Windows\System\VjtIrLR.exe
  2⤵
  PID:8352
- C:\Windows\System\dehrNHL.exe
  C:\Windows\System\dehrNHL.exe
  2⤵
  PID:8384
- C:\Windows\System\Txmkmfy.exe
  C:\Windows\System\Txmkmfy.exe
  2⤵
  PID:8424
- C:\Windows\System\mGlBvrk.exe
  C:\Windows\System\mGlBvrk.exe
  2⤵
  PID:8452
- C:\Windows\System\hhyrCtT.exe
  C:\Windows\System\hhyrCtT.exe
  2⤵
  PID:8468
- C:\Windows\System\TpgfMWl.exe
  C:\Windows\System\TpgfMWl.exe
  2⤵
  PID:8500
- C:\Windows\System\tLJjkGb.exe
  C:\Windows\System\tLJjkGb.exe
  2⤵
  PID:8540
- C:\Windows\System\wijFwGY.exe
  C:\Windows\System\wijFwGY.exe
  2⤵
  PID:8560
- C:\Windows\System\ZzmatMp.exe
  C:\Windows\System\ZzmatMp.exe
  2⤵
  PID:8588
- C:\Windows\System\KtGTSEt.exe
  C:\Windows\System\KtGTSEt.exe
  2⤵
  PID:8608
- C:\Windows\System\wSGkoqn.exe
  C:\Windows\System\wSGkoqn.exe
  2⤵
  PID:8644
- C:\Windows\System\xdxCgJn.exe
  C:\Windows\System\xdxCgJn.exe
  2⤵
  PID:8680
- C:\Windows\System\Khfttjf.exe
  C:\Windows\System\Khfttjf.exe
  2⤵
  PID:8704
- C:\Windows\System\Jndmvcc.exe
  C:\Windows\System\Jndmvcc.exe
  2⤵
  PID:8744
- C:\Windows\System\mOsLoxI.exe
  C:\Windows\System\mOsLoxI.exe
  2⤵
  PID:8780
- C:\Windows\System\WVtflcJ.exe
  C:\Windows\System\WVtflcJ.exe
  2⤵
  PID:8800
- C:\Windows\System\jxjIkbv.exe
  C:\Windows\System\jxjIkbv.exe
  2⤵
  PID:8836
- C:\Windows\System\ihhFEcN.exe
  C:\Windows\System\ihhFEcN.exe
  2⤵
  PID:8852
- C:\Windows\System\IkmPXnx.exe
  C:\Windows\System\IkmPXnx.exe
  2⤵
  PID:8876
- C:\Windows\System\xCEXzYO.exe
  C:\Windows\System\xCEXzYO.exe
  2⤵
  PID:8908
- C:\Windows\System\NiTHctJ.exe
  C:\Windows\System\NiTHctJ.exe
  2⤵
  PID:8936
- C:\Windows\System\KSkNmUl.exe
  C:\Windows\System\KSkNmUl.exe
  2⤵
  PID:8968
- C:\Windows\System\ZDEGDJF.exe
  C:\Windows\System\ZDEGDJF.exe
  2⤵
  PID:8988
- C:\Windows\System\QUpQWgn.exe
  C:\Windows\System\QUpQWgn.exe
  2⤵
  PID:9020
- C:\Windows\System\XTHRICi.exe
  C:\Windows\System\XTHRICi.exe
  2⤵
  PID:9048
- C:\Windows\System\xUuyZnK.exe
  C:\Windows\System\xUuyZnK.exe
  2⤵
  PID:9076
- C:\Windows\System\JUJQSKq.exe
  C:\Windows\System\JUJQSKq.exe
  2⤵
  PID:9104
- C:\Windows\System\oqawhhn.exe
  C:\Windows\System\oqawhhn.exe
  2⤵
  PID:9132
- C:\Windows\System\fUtnziB.exe
  C:\Windows\System\fUtnziB.exe
  2⤵
  PID:9168
- C:\Windows\System\powocef.exe
  C:\Windows\System\powocef.exe
  2⤵
  PID:9196
- C:\Windows\System\JHtpTzu.exe
  C:\Windows\System\JHtpTzu.exe
  2⤵
  PID:8220
- C:\Windows\System\nvThOfV.exe
  C:\Windows\System\nvThOfV.exe
  2⤵
  PID:8244
- C:\Windows\System\IFShPLM.exe
  C:\Windows\System\IFShPLM.exe
  2⤵
  PID:8344
- C:\Windows\System\YwcCPQV.exe
  C:\Windows\System\YwcCPQV.exe
  2⤵
  PID:8404
- C:\Windows\System\BfcXVzj.exe
  C:\Windows\System\BfcXVzj.exe
  2⤵
  PID:8444
- C:\Windows\System\SLkTSbN.exe
  C:\Windows\System\SLkTSbN.exe
  2⤵
  PID:8556
- C:\Windows\System\VUxZXHp.exe
  C:\Windows\System\VUxZXHp.exe
  2⤵
  PID:8628
- C:\Windows\System\lqdpnaQ.exe
  C:\Windows\System\lqdpnaQ.exe
  2⤵
  PID:8720
- C:\Windows\System\SgxFHjL.exe
  C:\Windows\System\SgxFHjL.exe
  2⤵
  PID:8764
- C:\Windows\System\KLBhQIc.exe
  C:\Windows\System\KLBhQIc.exe
  2⤵
  PID:8824
- C:\Windows\System\VQwCUWq.exe
  C:\Windows\System\VQwCUWq.exe
  2⤵
  PID:8892
- C:\Windows\System\WmaikXh.exe
  C:\Windows\System\WmaikXh.exe
  2⤵
  PID:8980
- C:\Windows\System\UZOcjVM.exe
  C:\Windows\System\UZOcjVM.exe
  2⤵
  PID:9072
- C:\Windows\System\dZsWXwC.exe
  C:\Windows\System\dZsWXwC.exe
  2⤵
  PID:9120
- C:\Windows\System\BCEpjdd.exe
  C:\Windows\System\BCEpjdd.exe
  2⤵
  PID:8224
- C:\Windows\System\hsObfvS.exe
  C:\Windows\System\hsObfvS.exe
  2⤵
  PID:8412
- C:\Windows\System\jcIEHoV.exe
  C:\Windows\System\jcIEHoV.exe
  2⤵
  PID:8536
- C:\Windows\System\NUogZBd.exe
  C:\Windows\System\NUogZBd.exe
  2⤵
  PID:8668
- C:\Windows\System\ekUEKnA.exe
  C:\Windows\System\ekUEKnA.exe
  2⤵
  PID:8864
- C:\Windows\System\EXUGapN.exe
  C:\Windows\System\EXUGapN.exe
  2⤵
  PID:9040
- C:\Windows\System\NrWhVDd.exe
  C:\Windows\System\NrWhVDd.exe
  2⤵
  PID:9208
- C:\Windows\System\gvFnovH.exe
  C:\Windows\System\gvFnovH.exe
  2⤵
  PID:8512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AyGcpGR.exe

Filesize
2.1MB

MD5
529547f4f57c7dad7cb219bd10d4947d

SHA1
000a0359164631f80a40e01e6f938752851cfa40

SHA256
1e61e96ab3143261b782d8494b95421eadc30a8082cf063211c085933425a087

SHA512
044a3f70a8f2a6421c46717b777de60984f43aaa16cb9810550bec9f0188b597853e528f760c87284e57d52719b99cf93aeec6ca33afa201c6f8f0178067450b

Download Submit
C:\Windows\System\BAgezoX.exe

Filesize
2.1MB

MD5
d1dcb36e8fa797957af801b01ee505ca

SHA1
24678fbbcd47937db3cb97dd6ed59894f653f402

SHA256
a6a58382732a9a1352bf50b91c9bea71872fd81e5267563d322148ca967032f6

SHA512
d8d68a0b54bcf68477aae0ddb14412e2e5b65ebbaba4b035ad60e3d5ef4c8aa9033c0265a7664da207db5adb3103fdfe7a320835c0337bfaf92c6e6e10bb6e94

Download Submit
C:\Windows\System\CrhnaUR.exe

Filesize
2.1MB

MD5
9f4b1da076916bc166e40bc1ec6dd943

SHA1
77af9e3c833b2900ddf2696f3a632218a1def1ef

SHA256
06a808840f10136ef63095dbe51b1c4f3c4d67bb27a3900e5c52c55e0b46b0d2

SHA512
9ca9b8db8d92fa39d275922807537cfadb1fb8e4279f9b425e377c5d0275b01430582bc1519cb49cb1a00832f13a3a821feaee2498c709ff44ad5801537de359

Download Submit
C:\Windows\System\DMFeUgv.exe

Filesize
2.1MB

MD5
5e504efa786ba754de52957c07155300

SHA1
01a5d4f5550eecff9a6e125ecea2c03d3e234f2f

SHA256
13ecbb009147ab0bc064a758bc31909aff20420f3225b399b22eb62af18c4e5d

SHA512
df891074aef31cf0b554ad6db580fc6faf700ab6f1d9c0343f1ea849418d782900195488d0b7cb91ec38a95bf054854a7d1df29169d68ee46681bebb258aa258

Download Submit
C:\Windows\System\DQrICEJ.exe

Filesize
2.1MB

MD5
7d5aaf37ace9371e6ee4338fd7260c2b

SHA1
211f2fa98832aefa78acd9428199e1bf2beb6710

SHA256
d9d2ef0f80d9a8ef79733ddc9aa9b73aeeae5d6f11cd5151685d9f82a665ae67

SHA512
91edc90591d6289a4ed4f34583239617bbace94e88d3e3fbf95fce850de1f866c3f254bad64d2f7d3911e7d0293a68e09c6c326d1c4a841143252677cab60c62

Download Submit
C:\Windows\System\DTjcWfV.exe

Filesize
2.1MB

MD5
75e8fffba41786ab8040eba97224490e

SHA1
68b0adc49cdd80f4160d8171ee23250f6bf34523

SHA256
1fa5f5244d2720a3821b45e9776f0be127323b05c43a4f43b8097362ddb469cf

SHA512
618dfc5ddf5705e2922734387d2aec3ca4ee73a39c2cbc82131e11d0fb82e0ddacb460ecd8f50541152c00ff7939841f703089770b445b16fef33c576a5d2d2b

Download Submit
C:\Windows\System\ITVWPVs.exe

Filesize
2.1MB

MD5
37206fbf600478446e333229257346f1

SHA1
a8ed257f3b996e200d495fdbffa21b5227b9415e

SHA256
7add809714b8ab9731b12a0c3d30d2c09cd508253b6539b5ec2122db4ffcccc8

SHA512
0b8b6da0da79c46b884116d07bcf8279f2fbcec8a27d99d540cba5955ff23d79d169c0172c16f40d5451e2402b796a14fb81395b2bfc8372adcb77a847e081c3

Download Submit
C:\Windows\System\IgKQdnX.exe

Filesize
2.1MB

MD5
8556a4849744ad622a1e7ba2ed21c681

SHA1
93cfd6d06e29ff2e9edd377dfa4ac58a340254be

SHA256
fbe0fa187e275dbef2bf0a0fc42acb632e79fc93aab3ab4e123bb46f88547f31

SHA512
bca00562fe5c88913f0c39334f37fbf7aec563f2d26ed9599d8f39d8788b4f2722debd095c8b442dd08b0fe607dc3e90685487a5d7afe17e746ac8f2f5280bed

Download Submit
C:\Windows\System\OLnPlkS.exe

Filesize
2.1MB

MD5
ea3bb676b9159cea9b010029f63fbd99

SHA1
98463ecf7afe7c26b18393133b21d0a7a36f867b

SHA256
41af025acfecaad6870b65ee57f1da17329bf1fbbec8d19a213f411f4fd5f214

SHA512
b8a7f11dd44ca0d36008169d18ae6598ce1da9252b80394e9d34536e9d929c14a6f8a152c7646949704be122f8e37facbcf254ef8efde76bcd8440d8371792c4

Download Submit
C:\Windows\System\QjGdQJW.exe

Filesize
2.1MB

MD5
73eecc45a6e0a1326af9c868c0c66584

SHA1
cd6ce62962d2407a062e9833cb368d12cd0c7ca7

SHA256
29cfdb7c240323641072af1932f210dbddee09b120c21da0a2c0880c72e161d5

SHA512
f08c782c6efff2f04e95e9a12e280988a212bd708142d4085b21793e79673171b324e5b8944611069084f172cdc897c920b4e9dd17d4ecac48a95cb6cbc6b399

Download Submit
C:\Windows\System\SakmTwn.exe

Filesize
2.1MB

MD5
761a772590efe740c53f3ff2876cc069

SHA1
d23b124d92539dd290a65367506a3a54fd5628af

SHA256
da320b62b735e0c3f2ba2e47c3e22a85f76fab684890829425b84d1256db902e

SHA512
23c444e791e9dabca545dd7343b7f747b482a6b031b782747cb937006010d92abdc9361895f1956c0ed9fe06f4b260ab64074eacd7b3dfc183384ec5b451a68d

Download Submit
C:\Windows\System\UBEesWO.exe

Filesize
2.1MB

MD5
b9a94924f7755d59e1d2aedebd514a2e

SHA1
a249f8a97f6d9f79d3ecb96a9ccd9162d178132d

SHA256
e044fd21bb5030213ed0eaa2df521a6f7afe2d49853edfee8ab22afa6c2c8551

SHA512
0190b71da5a36d309ecac64f5ce2f4b31232c23b08c665123f80522285ee9482ef900cd7a1be0a0d5eee80634bef7fae256dcebfc3ef72e5612760fc029ca68e

Download Submit
C:\Windows\System\UJcYmQB.exe

Filesize
2.1MB

MD5
1925e74466d46026e1f62072a569b14a

SHA1
bfae49e5d85f222f1bb3914002cc45c44af00e6f

SHA256
4e4660f9204b1fbb38cb2eb2e4adebcd4a57afea82c0b3d37abc77073a64c58d

SHA512
61f78cbe62db7d141c0d10884d1416ea01cde8aeaf67621e340ec1ebc42a44f15d8d6aa1737976ade39f193cdcbafec20a97f17eb88d1976c720b8f55310ba4e

Download Submit
C:\Windows\System\UTXLiyP.exe

Filesize
2.1MB

MD5
83f3b7f0d96595b7199b05f04a793031

SHA1
6a8638c246de342a7700e55bd4579d43f8a532f9

SHA256
979b31dc9c07032d22ed2b881be0d9caa5f3b524d33ca65857b1558f8e72b124

SHA512
de6206b7c1ecbf5e4db04ab6eb1b4a75bd592fcfd8fa7d76451290fc96fc59baebac48274247e98152c693a06ba69d7b5a62712eb62b619425c27102b5be2b98

Download Submit
C:\Windows\System\WrEiokR.exe

Filesize
2.1MB

MD5
3b783da39c3a23c5ff603b58284df7dc

SHA1
8d7ece2c83d7a2ca908d9c17dd8082f50908f41a

SHA256
c13af7c2dfa93daf095197614b73a628b8c11d834ede55c0c37dce174e5b1b8b

SHA512
3ff2d00fecd5cbfc0e65a22feac71817458e5b619a22f5484d40ad2c9976626558ca4a178841b39294f9308a023d929d5d0d49a0680769cf2134efae8ade205f

Download Submit
C:\Windows\System\XIqzaWd.exe

Filesize
2.1MB

MD5
11cc07fd4e8eceb00265627772bf4b2c

SHA1
a255be29a6c2033231ade040ffa15fe7e93bc2a4

SHA256
ff21ff28059d5bf21f18ab1a0401783f61596d032a5d3b850536d19109fcc401

SHA512
3fdb95617b11f60d3f836e0b79a6348426a55377730dbfdd0ba48fa293694da47ad50d71e9ee8952d1cdbf4b97f904f4ba067e4bbf221862e7cc8dc585120a70

Download Submit
C:\Windows\System\YtsEdQf.exe

Filesize
2.1MB

MD5
99e045bc523d2207cb8a335ba5f99cb0

SHA1
2d4c95bc8c289cba7aab06aef457364b181a5d20

SHA256
ee4c48a347d550971e506f6dbe77da94ebbee0985ea0cfe156f57ef359d0e4e3

SHA512
b866e42960ca91ecd58cd0196d668782aecfc7befb52d2e91673669a3b177e1a7196333538bcd3710fd695658a40169ee9618b40a88e1ab3e0e9d60f5abb6833

Download Submit
C:\Windows\System\ZjmyZdQ.exe

Filesize
2.1MB

MD5
84e7778ff84c85bc93088aec40b67d1b

SHA1
2378df72b9cfd18d98b9055edac6fd2ee93dfbcc

SHA256
e4e2d1dcc8239f3d7643f6b753ac8bf9272dc7c39d3fbf1c34e2c68426d7917d

SHA512
bb5fa52b4fb1d0e5063066ab31afc5485991193a301ea8e800e8c2b9a8014eb16315f9f5f06f12ba3ab9bda6f4470b6bb42d6d4c1b30af1a3472395ee8764b79

Download Submit
C:\Windows\System\bTUKtdD.exe

Filesize
2.1MB

MD5
a11c772278e148aa4f43a03125b7a478

SHA1
bf825d0ee81af6369e2588ac2dc046c5307f7fc5

SHA256
825486ea48f1db487592e5d2ae2c221b766dff9ad05a070283ff04a780d0b41f

SHA512
ae6e099f9fc124d78cf06f3311e33be01e763fb14652f78cda05d258903440ec5ec5f13f2cccf8cd8e2cd1e63f13382acc1f1f05d1a17b45aa21a5677b2e4f0f

Download Submit
C:\Windows\System\cJQSlNt.exe

Filesize
2.1MB

MD5
5a9e3a2204d08e4909caecdde8f03a62

SHA1
60eec63d9c4dfd25cae61d6dc1064dca219e255a

SHA256
cfb6a0ae0ebb06e9ba9aa3a8c6b9c9c6ac00d8ea4fd928f24f469887ece66248

SHA512
e3e988644e55d25da9663c7f0a31567dc1b95151eac87c0feac24266681442b1f49d17e8c4ae4ca4c55d352e9707d4c4fb470ffdfd0388509e74b1bf857a7e2e

Download Submit
C:\Windows\System\dQlHNXE.exe

Filesize
2.1MB

MD5
439eab4e6bf5d7d730e1ebcfb429a031

SHA1
88593ffa9fc827c01e0b22e1c616f593cc3ba983

SHA256
cab498780faba736b51628756ed02b02785278b3246335366e9e959e1a44363c

SHA512
c0f0690aabaefc5d4d47edda85ea9422c35f5fe8db0f839d8fa62d39daa796f318bd8f4df6afbfca62c5f6c0430af378f0c238b71095296e45fd165a8f782656

Download Submit
C:\Windows\System\gDyqjOJ.exe

Filesize
2.1MB

MD5
e9eb43d5aa059e6f27202a9695082699

SHA1
12c594df84d1b7b1bf5d44a8079f478a3a1e491d

SHA256
4f94201d98fdb19fcbed56e7c00cce439613ede774173265dde019171383f2c8

SHA512
36277837d4df7e8ab5284c3c2560700c6cfdeac5641eb11809be8265210e5a24ab474ffa24d4c5b8347c72a8fe520e7d94bccf858f725369802ab114a88bd66f

Download Submit
C:\Windows\System\hmUoZLm.exe

Filesize
2.1MB

MD5
ede08b53237eb53b8cbfa2d7d446937f

SHA1
a568dc9bb624984fcaaba02f0061f9e576fa0727

SHA256
1a97e7d6e28b4049a0facb0fe3f1e9f1b87ef840c14e8511159ce7ecf1a9230c

SHA512
89e09bc35f8c34fc8c6a0b6f4f40debce73db3dc97386e96b9e75075269d8adba1d7a3c98e016578912d90b726385f062da8211fe94d2ac7852b8b5714f46672

Download Submit
C:\Windows\System\ncfCRwz.exe

Filesize
2.1MB

MD5
f316d971cade2fae0e22ff8050b1fe5a

SHA1
5469901a7179efbc2b1a3fefd1f2cd242ed788b4

SHA256
72aa2c373be84610f5df18ab5e23c26106545d099df41aee57ce803ab5121bee

SHA512
9caf85cda510b315a9e633be977f0014352dd7883c1f1d62d29b0381886cfbc87b11dccd43593a21af5584d33b7b40beb690c6a8a4dd5f7fd3b3b403a92e2125

Download Submit
C:\Windows\System\ogzVeis.exe

Filesize
2.1MB

MD5
6bfe17f6dec3d103e224b79eb6f923b7

SHA1
c5208113aece6f650a9b5695a4f32ccbef61ac0b

SHA256
393af419c1ae1a1675d3833e1211703139d2a30dac50baa8b441df330e859bbf

SHA512
b7a59c619a0ec430fd8d37a8942f768f4f69d03f6225deed458d0704305c36888483febb5660c4d4f5b8390cee8964f4db12683af0608e264450f4445e259b14

Download Submit
C:\Windows\System\pmKAUru.exe

Filesize
2.1MB

MD5
38ce925c47a0e6f8a17eb28b0184c7b2

SHA1
47c92fd194deb0d6486b50ccef3250f018df5247

SHA256
a8e556574f4b9d5af7dc1b73ec58f179665409a7d464a69926b9f12e75da50f4

SHA512
6d0f5523654dc592406674420dfe01f363d1c7fc955fd511fa8239a2eb53f77380085223f738dc066b3449f74ef12e70645a05143b2a36a93b5dc88364a258ce

Download Submit
C:\Windows\System\qgGcTNR.exe

Filesize
2.1MB

MD5
78f5ccdc1b5f2a9a9962d21bddc37aaf

SHA1
cf05bd1d3d6f94a3347907951dc56f6dd92b43ce

SHA256
1a7e73eed123b5cfcfdefa8d80cdb9c1c1d63ad09f36564064631a2c14afa333

SHA512
7c3818dc6c4c352f0eaf2be1752b933c84b3e9b2a0cef02ba632383e26cff753b95d62bb4ebddcf6712969d4377851f6b1654277c3a29c3928d0c56f0070a575

Download Submit
C:\Windows\System\urJgyOB.exe

Filesize
2.1MB

MD5
1af867db1f3db3512525fef6797b4d57

SHA1
182f980fa3e02e7076b0c742c9976a65b1738544

SHA256
404e3db2d813630063a920ce9c370ab294929eb1e283e0eff9344a961d117b18

SHA512
329488e227a60b9cdb70167285a43632d9021dd3cf41d7b8fa9fd4fdaffc3ca990ea77800506906869d92e1688d7bebdb40f163a2140fd5ac3ab688456fb614f

Download Submit
C:\Windows\System\vbTaTHB.exe

Filesize
2.1MB

MD5
f5e9d53f6ac64276095f291753603f52

SHA1
aa277b9bc36d2b0a6a38bc0607ff33eb6eb8800e

SHA256
ed22d081f28e0cebe2ea5491785f1bfbf4b75480655e2084f4cb9071199a13b2

SHA512
ccd871ab918d8a8f1f4aeb6feb9ed8c83ccd859c72cc6dcfdb1605e2d2c2cf2b302fb534190ce080152fae588f86f9bbf08e432936bb4865a8d1e5bd60c6653d

Download Submit
C:\Windows\System\xcgxNit.exe

Filesize
2.1MB

MD5
8504af64d6772e6a862fe21b07af5fcd

SHA1
1a48091719b4b6efa832d3d843f4f29353d73566

SHA256
a35c1c4c3ec708a95359cf35d526bf93d97efbf5a0f9467b9af5d1e6d7534ecf

SHA512
c9374ec4f9e6a301d58ad5333a29dcf004874627faede13c20532937a9654ee588c21f94fc00d2a10a8140738413bcd685c118c3d2d488cfa9f78afd5d396da0

Download Submit
C:\Windows\System\ySoFjjh.exe

Filesize
2.1MB

MD5
9c2a7c212f04406a23e025167bc40b7f

SHA1
038510a15b4201abdcbca0452c1068cf1dea1914

SHA256
5e6f9af8b2aea1067568f67ccc48bd64781aaa61ca9fc9a12dd5eff22ed01a6a

SHA512
345f2d0ebeefdede037d11975cddca574a6e6f751a695b9a1cafa86f65786c3c4ea7cb5aa710ba1b03cc208a66a4a8114f48f503c9242662991e7d8c25261027

Download Submit
C:\Windows\System\yhlIodz.exe

Filesize
2.1MB

MD5
9ee63a5868d3b310efeb03de22e65960

SHA1
c4f97f5da2b5f1e52e730597966d7ffeb9324315

SHA256
e827a5ca242b944b4916f40e8024f51b13491f32b601bc10808c99a3e15cb672

SHA512
8f18096360409d22114cfe28f958d6b85227978f5900c32c44225e56f2812e2dcb6bc229d27861004c02a226e3c0df863763deda9c9f0fcfff1be6f96e32d2a7

Download Submit
C:\Windows\System\zvtBwmi.exe

Filesize
2.1MB

MD5
c01f2359ccd4c75cb13b4b3292d76388

SHA1
160097cde349031cc267f81f87f2e58d2a96b87c

SHA256
8583b4e727876da323413bd94454dd57be787717e3913f4dc96db1f7b5050c30

SHA512
23dd513c63698b47e9951e0396ddc20a57c94523b965660ecd0d4103e6fe26589cfec73715f7bc59cf82ff8c3a0dedfc98f235bb6e6bde7d7d68d21a661c20f0

Download Submit
memory/3252-0-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download