xmrig | e80b8bea281fac909fe1193ba5eacad52508ed0161c89d2d9d4764e6959bf552

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
Size

1.6MB
MD5

5a8b61af55cbad96cf4d09b8e2418360
SHA1

64e0b901fc8fbbd045a909756d27a907c2d2ee61
SHA256

e80b8bea281fac909fe1193ba5eacad52508ed0161c89d2d9d4764e6959bf552
SHA512

4d41ab345d76f1871a97e94a48507bc85a674e81d5b3bf8ef8cc34213803841691eadf9e7a2dea481a068ac7f63f03b01bf3070e96519911827b8f5e06d28166
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkUCCWvLEvjuJoz5XdUK6S1uBkr5GqlfiQzf0Y098di:Lz071uv4BPMkHC0I6Gz3N1pHVfyH1E+

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral1/memory/2892-9-0x000000013FC20000-0x0000000140012000-memory.dmp	xmrig
behavioral1/memory/2868-138-0x0000000002D10000-0x0000000003102000-memory.dmp	xmrig
behavioral1/memory/340-137-0x000000013F070000-0x000000013F462000-memory.dmp	xmrig
behavioral1/memory/2620-135-0x000000013F7F0000-0x000000013FBE2000-memory.dmp	xmrig
behavioral1/memory/2828-127-0x000000013F1E0000-0x000000013F5D2000-memory.dmp	xmrig
behavioral1/memory/2484-125-0x000000013F810000-0x000000013FC02000-memory.dmp	xmrig
behavioral1/memory/2428-123-0x000000013F190000-0x000000013F582000-memory.dmp	xmrig
behavioral1/memory/2520-121-0x000000013F120000-0x000000013F512000-memory.dmp	xmrig
behavioral1/memory/2680-119-0x000000013FB10000-0x000000013FF02000-memory.dmp	xmrig
behavioral1/memory/2444-118-0x000000013F950000-0x000000013FD42000-memory.dmp	xmrig
behavioral1/memory/2416-115-0x000000013F2D0000-0x000000013F6C2000-memory.dmp	xmrig
behavioral1/memory/2644-113-0x000000013F500000-0x000000013F8F2000-memory.dmp	xmrig
behavioral1/memory/2560-111-0x000000013FCB0000-0x00000001400A2000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2596	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2892	BWdEuVN.exe
2560	stVXjfg.exe
2644	RTzQWPK.exe
2416	wHIakVy.exe
2444	OjywTaY.exe
2680	eUAKmeL.exe
2520	bynmqTS.exe
2428	MMzLXKy.exe
2484	bZyjWga.exe
2828	jOtLKSK.exe
2620	gVyLKQR.exe
340	nGvostH.exe
2388	VeAZdRN.exe
1360	kKFyEOJ.exe
680	DDfHaKt.exe
1720	FMHoAhH.exe
936	fPMDXEI.exe
1676	RclCzom.exe
2468	HXAcCVD.exe
2604	rPsfamk.exe
2708	MPbJlSq.exe
2384	rfZRNli.exe
1432	DLghogW.exe
2996	bNWpUms.exe
2176	vfCCkqR.exe
3044	FkUuEXY.exe
2504	JxwhnpH.exe
2092	HVZbxWy.exe
1684	sbYkIAN.exe
1524	Unebhqo.exe
1352	ucuGcvu.exe
964	PqUyuzF.exe
1632	oQfZggE.exe
1624	yIBOTRY.exe
884	BccwxDl.exe
3056	MzYlcPB.exe
1508	vaiGkQZ.exe
2792	GVSxwRp.exe
2124	wsWEKWz.exe
1468	KlhgBIP.exe
856	FBNmXsg.exe
3068	kntEMAo.exe
1744	ktJbvJk.exe
2332	ymGYYdH.exe
2020	WbaKYmf.exe
1976	syASdyk.exe
1664	zURDqkH.exe
3008	sEoDIQt.exe
2636	dFdqtaV.exe
2628	vPnwfpF.exe
2540	RBdLahD.exe
2544	YlUxMki.exe
2196	TanVUmk.exe
2832	LhSQAfi.exe
2500	vyuAayb.exe
744	azvGWDq.exe
1728	UoOLako.exe
2320	jPycPpW.exe
2668	BTljdrC.exe
2616	evELtko.exe
2672	SDoQTXP.exe
2212	oDCAHWr.exe
2412	dClwtoi.exe
2364	bVArMhO.exe

Loads dropped DLL 64 IoCs

pid	Process
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2868-1-0x000000013FBA0000-0x000000013FF92000-memory.dmp	upx
behavioral1/files/0x000c00000001445e-3.dat	upx
behavioral1/memory/2868-6-0x0000000002470000-0x0000000002862000-memory.dmp	upx
behavioral1/memory/2892-9-0x000000013FC20000-0x0000000140012000-memory.dmp	upx
behavioral1/files/0x002e000000014698-15.dat	upx
behavioral1/files/0x000f0000000006fd-18.dat	upx
behavioral1/files/0x0007000000014b6d-27.dat	upx
behavioral1/files/0x0007000000014c67-37.dat	upx
behavioral1/files/0x0007000000015c3c-41.dat	upx
behavioral1/files/0x000e000000014738-44.dat	upx
behavioral1/files/0x0006000000016c1a-48.dat	upx
behavioral1/files/0x0006000000016c23-52.dat	upx
behavioral1/files/0x0006000000016c90-56.dat	upx
behavioral1/files/0x0006000000016cf0-76.dat	upx
behavioral1/files/0x0006000000016d24-91.dat	upx
behavioral1/files/0x0006000000016d4a-103.dat	upx
behavioral1/files/0x0006000000016e56-155.dat	upx
behavioral1/files/0x0006000000016d84-143.dat	upx
behavioral1/files/0x000600000001704f-161.dat	upx
behavioral1/files/0x0006000000017090-173.dat	upx
behavioral1/files/0x000500000001868c-178.dat	upx
behavioral1/files/0x00050000000186a0-188.dat	upx
behavioral1/files/0x0006000000018ae2-193.dat	upx
behavioral1/files/0x0005000000018698-183.dat	upx
behavioral1/memory/340-137-0x000000013F070000-0x000000013F462000-memory.dmp	upx
behavioral1/memory/2620-135-0x000000013F7F0000-0x000000013FBE2000-memory.dmp	upx
behavioral1/memory/2828-127-0x000000013F1E0000-0x000000013F5D2000-memory.dmp	upx
behavioral1/memory/2484-125-0x000000013F810000-0x000000013FC02000-memory.dmp	upx
behavioral1/memory/2428-123-0x000000013F190000-0x000000013F582000-memory.dmp	upx
behavioral1/memory/2520-121-0x000000013F120000-0x000000013F512000-memory.dmp	upx
behavioral1/memory/2680-119-0x000000013FB10000-0x000000013FF02000-memory.dmp	upx
behavioral1/memory/2444-118-0x000000013F950000-0x000000013FD42000-memory.dmp	upx
behavioral1/memory/2416-115-0x000000013F2D0000-0x000000013F6C2000-memory.dmp	upx
behavioral1/memory/2644-113-0x000000013F500000-0x000000013F8F2000-memory.dmp	upx
behavioral1/memory/2560-111-0x000000013FCB0000-0x00000001400A2000-memory.dmp	upx
behavioral1/files/0x0006000000016d89-148.dat	upx
behavioral1/files/0x0006000000016d55-141.dat	upx
behavioral1/files/0x0006000000016d4f-107.dat	upx
behavioral1/files/0x0006000000016d41-99.dat	upx
behavioral1/files/0x0006000000016d36-95.dat	upx
behavioral1/files/0x0006000000016d11-86.dat	upx
behavioral1/files/0x0006000000016d01-82.dat	upx
behavioral1/files/0x0006000000016cd4-67.dat	upx
behavioral1/files/0x0006000000016ca9-60.dat	upx
behavioral1/files/0x0006000000016ccf-75.dat	upx
behavioral1/files/0x0008000000014aec-26.dat	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\onTGbgm.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\fiGMIAY.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\vcnpqQg.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\fPMDXEI.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\TanVUmk.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\VBuwBUH.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\vyuAayb.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\jXDyQFu.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\djjAgSc.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\rfZRNli.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\RtPFCVg.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\WnoZuCU.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\vfCCkqR.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\JxwhnpH.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\UoOLako.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\NAgFTyU.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\ZewrXGK.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\HXAcCVD.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\dFdqtaV.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\drVRlAI.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\iGNAohU.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\LhSQAfi.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\jPycPpW.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\RxleIcf.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\BEyyTXm.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\RclCzom.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\rPsfamk.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\DLghogW.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\GVSxwRp.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\bzfSvHp.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\gVyLKQR.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\WbaKYmf.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\syASdyk.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\zURDqkH.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\dClwtoi.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\BccwxDl.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\wHKlGSz.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\BWdEuVN.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\kKFyEOJ.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\FBNmXsg.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\crfaqPE.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\FTABYMm.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\fvtPesK.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\RTzQWPK.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\MzYlcPB.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\BTljdrC.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\UNEohgU.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\wHIakVy.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\bynmqTS.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\jOtLKSK.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\HVZbxWy.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\yIBOTRY.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\KaBWBcR.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\bNWpUms.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\SiOlZLB.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\stVXjfg.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\DRyHGjA.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\MPbJlSq.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\sbYkIAN.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\mxLbyJR.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\FMHoAhH.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\FEOoJaH.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\DDfHaKt.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
File created	C:\Windows\System\ucuGcvu.exe	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2596	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
Token: SeDebugPrivilege	2596	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2596	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	29
PID 2868 wrote to memory of 2596	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	29
PID 2868 wrote to memory of 2596	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	29
PID 2868 wrote to memory of 2892	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	30
PID 2868 wrote to memory of 2892	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	30
PID 2868 wrote to memory of 2892	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	30
PID 2868 wrote to memory of 2560	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	31
PID 2868 wrote to memory of 2560	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	31
PID 2868 wrote to memory of 2560	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	31
PID 2868 wrote to memory of 2644	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	32
PID 2868 wrote to memory of 2644	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	32
PID 2868 wrote to memory of 2644	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	32
PID 2868 wrote to memory of 2416	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	33
PID 2868 wrote to memory of 2416	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	33
PID 2868 wrote to memory of 2416	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	33
PID 2868 wrote to memory of 2444	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	34
PID 2868 wrote to memory of 2444	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	34
PID 2868 wrote to memory of 2444	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	34
PID 2868 wrote to memory of 2680	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	35
PID 2868 wrote to memory of 2680	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	35
PID 2868 wrote to memory of 2680	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	35
PID 2868 wrote to memory of 2520	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	36
PID 2868 wrote to memory of 2520	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	36
PID 2868 wrote to memory of 2520	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	36
PID 2868 wrote to memory of 2428	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	37
PID 2868 wrote to memory of 2428	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	37
PID 2868 wrote to memory of 2428	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	37
PID 2868 wrote to memory of 2484	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	38
PID 2868 wrote to memory of 2484	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	38
PID 2868 wrote to memory of 2484	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	38
PID 2868 wrote to memory of 2828	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	39
PID 2868 wrote to memory of 2828	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	39
PID 2868 wrote to memory of 2828	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	39
PID 2868 wrote to memory of 2620	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	40
PID 2868 wrote to memory of 2620	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	40
PID 2868 wrote to memory of 2620	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	40
PID 2868 wrote to memory of 340	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	41
PID 2868 wrote to memory of 340	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	41
PID 2868 wrote to memory of 340	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	41
PID 2868 wrote to memory of 2388	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	42
PID 2868 wrote to memory of 2388	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	42
PID 2868 wrote to memory of 2388	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	42
PID 2868 wrote to memory of 680	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	43
PID 2868 wrote to memory of 680	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	43
PID 2868 wrote to memory of 680	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	43
PID 2868 wrote to memory of 1360	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	44
PID 2868 wrote to memory of 1360	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	44
PID 2868 wrote to memory of 1360	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	44
PID 2868 wrote to memory of 1720	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	45
PID 2868 wrote to memory of 1720	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	45
PID 2868 wrote to memory of 1720	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	45
PID 2868 wrote to memory of 936	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	46
PID 2868 wrote to memory of 936	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	46
PID 2868 wrote to memory of 936	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	46
PID 2868 wrote to memory of 1676	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	47
PID 2868 wrote to memory of 1676	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	47
PID 2868 wrote to memory of 1676	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	47
PID 2868 wrote to memory of 2468	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	48
PID 2868 wrote to memory of 2468	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	48
PID 2868 wrote to memory of 2468	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	48
PID 2868 wrote to memory of 2604	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	49
PID 2868 wrote to memory of 2604	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	49
PID 2868 wrote to memory of 2604	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	49
PID 2868 wrote to memory of 2708	2868	5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe	50

C:\Users\Admin\AppData\Local\Temp\5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a8b61af55cbad96cf4d09b8e2418360_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System\BWdEuVN.exe
  C:\Windows\System\BWdEuVN.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\stVXjfg.exe
  C:\Windows\System\stVXjfg.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\RTzQWPK.exe
  C:\Windows\System\RTzQWPK.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\wHIakVy.exe
  C:\Windows\System\wHIakVy.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\OjywTaY.exe
  C:\Windows\System\OjywTaY.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\eUAKmeL.exe
  C:\Windows\System\eUAKmeL.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\bynmqTS.exe
  C:\Windows\System\bynmqTS.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\MMzLXKy.exe
  C:\Windows\System\MMzLXKy.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\bZyjWga.exe
  C:\Windows\System\bZyjWga.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\jOtLKSK.exe
  C:\Windows\System\jOtLKSK.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\gVyLKQR.exe
  C:\Windows\System\gVyLKQR.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\nGvostH.exe
  C:\Windows\System\nGvostH.exe
  2⤵
  - Executes dropped EXE
  PID:340
- C:\Windows\System\VeAZdRN.exe
  C:\Windows\System\VeAZdRN.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\DDfHaKt.exe
  C:\Windows\System\DDfHaKt.exe
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Windows\System\kKFyEOJ.exe
  C:\Windows\System\kKFyEOJ.exe
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\System\FMHoAhH.exe
  C:\Windows\System\FMHoAhH.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\fPMDXEI.exe
  C:\Windows\System\fPMDXEI.exe
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\System\RclCzom.exe
  C:\Windows\System\RclCzom.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\HXAcCVD.exe
  C:\Windows\System\HXAcCVD.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\rPsfamk.exe
  C:\Windows\System\rPsfamk.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\MPbJlSq.exe
  C:\Windows\System\MPbJlSq.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\rfZRNli.exe
  C:\Windows\System\rfZRNli.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\DLghogW.exe
  C:\Windows\System\DLghogW.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\vfCCkqR.exe
  C:\Windows\System\vfCCkqR.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\bNWpUms.exe
  C:\Windows\System\bNWpUms.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\FkUuEXY.exe
  C:\Windows\System\FkUuEXY.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\JxwhnpH.exe
  C:\Windows\System\JxwhnpH.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\HVZbxWy.exe
  C:\Windows\System\HVZbxWy.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\sbYkIAN.exe
  C:\Windows\System\sbYkIAN.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\Unebhqo.exe
  C:\Windows\System\Unebhqo.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\ucuGcvu.exe
  C:\Windows\System\ucuGcvu.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\System\PqUyuzF.exe
  C:\Windows\System\PqUyuzF.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\oQfZggE.exe
  C:\Windows\System\oQfZggE.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\yIBOTRY.exe
  C:\Windows\System\yIBOTRY.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\BccwxDl.exe
  C:\Windows\System\BccwxDl.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System\MzYlcPB.exe
  C:\Windows\System\MzYlcPB.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\vaiGkQZ.exe
  C:\Windows\System\vaiGkQZ.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\GVSxwRp.exe
  C:\Windows\System\GVSxwRp.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\wsWEKWz.exe
  C:\Windows\System\wsWEKWz.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System\KlhgBIP.exe
  C:\Windows\System\KlhgBIP.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System\FBNmXsg.exe
  C:\Windows\System\FBNmXsg.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\kntEMAo.exe
  C:\Windows\System\kntEMAo.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\ktJbvJk.exe
  C:\Windows\System\ktJbvJk.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\ymGYYdH.exe
  C:\Windows\System\ymGYYdH.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\WbaKYmf.exe
  C:\Windows\System\WbaKYmf.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\syASdyk.exe
  C:\Windows\System\syASdyk.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\zURDqkH.exe
  C:\Windows\System\zURDqkH.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\sEoDIQt.exe
  C:\Windows\System\sEoDIQt.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\dFdqtaV.exe
  C:\Windows\System\dFdqtaV.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\vPnwfpF.exe
  C:\Windows\System\vPnwfpF.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\RBdLahD.exe
  C:\Windows\System\RBdLahD.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\YlUxMki.exe
  C:\Windows\System\YlUxMki.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\TanVUmk.exe
  C:\Windows\System\TanVUmk.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\LhSQAfi.exe
  C:\Windows\System\LhSQAfi.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\vyuAayb.exe
  C:\Windows\System\vyuAayb.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\azvGWDq.exe
  C:\Windows\System\azvGWDq.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System\UoOLako.exe
  C:\Windows\System\UoOLako.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\jPycPpW.exe
  C:\Windows\System\jPycPpW.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\BTljdrC.exe
  C:\Windows\System\BTljdrC.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System\evELtko.exe
  C:\Windows\System\evELtko.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\SDoQTXP.exe
  C:\Windows\System\SDoQTXP.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\oDCAHWr.exe
  C:\Windows\System\oDCAHWr.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\dClwtoi.exe
  C:\Windows\System\dClwtoi.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\bVArMhO.exe
  C:\Windows\System\bVArMhO.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\jDRmXHH.exe
  C:\Windows\System\jDRmXHH.exe
  2⤵
  PID:564
- C:\Windows\System\aYuTlaB.exe
  C:\Windows\System\aYuTlaB.exe
  2⤵
  PID:3020
- C:\Windows\System\HlreGvc.exe
  C:\Windows\System\HlreGvc.exe
  2⤵
  PID:1868
- C:\Windows\System\opcAqMB.exe
  C:\Windows\System\opcAqMB.exe
  2⤵
  PID:2232
- C:\Windows\System\VBuwBUH.exe
  C:\Windows\System\VBuwBUH.exe
  2⤵
  PID:2740
- C:\Windows\System\zscGgjA.exe
  C:\Windows\System\zscGgjA.exe
  2⤵
  PID:3032
- C:\Windows\System\ieZnafn.exe
  C:\Windows\System\ieZnafn.exe
  2⤵
  PID:2988
- C:\Windows\System\crfaqPE.exe
  C:\Windows\System\crfaqPE.exe
  2⤵
  PID:2876
- C:\Windows\System\wHKlGSz.exe
  C:\Windows\System\wHKlGSz.exe
  2⤵
  PID:2948
- C:\Windows\System\EpuIMEk.exe
  C:\Windows\System\EpuIMEk.exe
  2⤵
  PID:2132
- C:\Windows\System\oDPNMvf.exe
  C:\Windows\System\oDPNMvf.exe
  2⤵
  PID:2016
- C:\Windows\System\RxleIcf.exe
  C:\Windows\System\RxleIcf.exe
  2⤵
  PID:768
- C:\Windows\System\FTABYMm.exe
  C:\Windows\System\FTABYMm.exe
  2⤵
  PID:1004
- C:\Windows\System\bzfSvHp.exe
  C:\Windows\System\bzfSvHp.exe
  2⤵
  PID:2572
- C:\Windows\System\RtPFCVg.exe
  C:\Windows\System\RtPFCVg.exe
  2⤵
  PID:1640
- C:\Windows\System\BEyyTXm.exe
  C:\Windows\System\BEyyTXm.exe
  2⤵
  PID:868
- C:\Windows\System\WnoZuCU.exe
  C:\Windows\System\WnoZuCU.exe
  2⤵
  PID:1832
- C:\Windows\System\NAgFTyU.exe
  C:\Windows\System\NAgFTyU.exe
  2⤵
  PID:1688
- C:\Windows\System\OEonDuy.exe
  C:\Windows\System\OEonDuy.exe
  2⤵
  PID:760
- C:\Windows\System\XSHMtMz.exe
  C:\Windows\System\XSHMtMz.exe
  2⤵
  PID:2116
- C:\Windows\System\lhELZyx.exe
  C:\Windows\System\lhELZyx.exe
  2⤵
  PID:2308
- C:\Windows\System\SiOlZLB.exe
  C:\Windows\System\SiOlZLB.exe
  2⤵
  PID:2452
- C:\Windows\System\ZewrXGK.exe
  C:\Windows\System\ZewrXGK.exe
  2⤵
  PID:1680
- C:\Windows\System\mnQBOeV.exe
  C:\Windows\System\mnQBOeV.exe
  2⤵
  PID:2192
- C:\Windows\System\iGNAohU.exe
  C:\Windows\System\iGNAohU.exe
  2⤵
  PID:2336
- C:\Windows\System\mxLbyJR.exe
  C:\Windows\System\mxLbyJR.exe
  2⤵
  PID:1576
- C:\Windows\System\UNEohgU.exe
  C:\Windows\System\UNEohgU.exe
  2⤵
  PID:2248
- C:\Windows\System\ErFeASw.exe
  C:\Windows\System\ErFeASw.exe
  2⤵
  PID:2704
- C:\Windows\System\DRyHGjA.exe
  C:\Windows\System\DRyHGjA.exe
  2⤵
  PID:2420
- C:\Windows\System\fvtPesK.exe
  C:\Windows\System\fvtPesK.exe
  2⤵
  PID:2456
- C:\Windows\System\sxhFwCa.exe
  C:\Windows\System\sxhFwCa.exe
  2⤵
  PID:1184
- C:\Windows\System\onTGbgm.exe
  C:\Windows\System\onTGbgm.exe
  2⤵
  PID:664
- C:\Windows\System\bULqEpT.exe
  C:\Windows\System\bULqEpT.exe
  2⤵
  PID:1296
- C:\Windows\System\jXDyQFu.exe
  C:\Windows\System\jXDyQFu.exe
  2⤵
  PID:1616
- C:\Windows\System\KaBWBcR.exe
  C:\Windows\System\KaBWBcR.exe
  2⤵
  PID:2652
- C:\Windows\System\WAjfuWa.exe
  C:\Windows\System\WAjfuWa.exe
  2⤵
  PID:2972
- C:\Windows\System\fiGMIAY.exe
  C:\Windows\System\fiGMIAY.exe
  2⤵
  PID:1956
- C:\Windows\System\FEOoJaH.exe
  C:\Windows\System\FEOoJaH.exe
  2⤵
  PID:2060
- C:\Windows\System\vcnpqQg.exe
  C:\Windows\System\vcnpqQg.exe
  2⤵
  PID:2216
- C:\Windows\System\djjAgSc.exe
  C:\Windows\System\djjAgSc.exe
  2⤵
  PID:896
- C:\Windows\System\drVRlAI.exe
  C:\Windows\System\drVRlAI.exe
  2⤵
  PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DLghogW.exe

Filesize
1.6MB

MD5
d0d36de1a93bef9b420abf4394f56c44

SHA1
39681559018ccc0463e6111b720925490f1c0bac

SHA256
051a5cdf093b864051b842f951aac3d8b79ea0ffb1bd18d3374b8f4670b590fd

SHA512
4026749b6c4703198ea552092e3114362a62657d922d4ea0890d54fe3bd16a5e95064de06ee49ea3fcbcd98b0a52d0b03d45e35048bdccde36b21983ca8695d4

Download Submit
C:\Windows\system\FMHoAhH.exe

Filesize
1.6MB

MD5
ec2c2ef1f97cc4fd77e20dd99c59036a

SHA1
96e9a54d84676db624634bda3bd59866cced0c87

SHA256
9bc5197e88f4b64a9799a1ef19afdb95241cbeba729d7df2eb7d1204466cb6a5

SHA512
b5e36521b3e65f75b6a56a3aee6af659b4405ac48984eaf739eb2d8f8ec4e1d5d3ff14ee96b3b5e1a66ac0d50227c1f99206e3a261a8e1ab48368b19a4f06cbe

Download Submit
C:\Windows\system\FkUuEXY.exe

Filesize
1.6MB

MD5
33073412dd92d8b20517515a57d69bf4

SHA1
3dd7287ad23a1295555ee7a531c36eca9dc6e7cc

SHA256
e11e87c6f7a83e2d7e9252bf2725018bf2bec04ebaddadfb6d5954333a74d3c4

SHA512
8d24690ed13baa926c10b46d13c4cc6982562cef59192a0d1e96ec6b39d4c7a7b13349db9c24e5fc2f4debb27c4c2579e76d86342955f42cc82646954781d11c

Download Submit
C:\Windows\system\HVZbxWy.exe

Filesize
1.6MB

MD5
8913910768c00d03f750de133f4b42b0

SHA1
159a5372ac2dd6d31523902ffc9953be088c7ab9

SHA256
db89d76b682cd4e2312db0e777af02614ca149a2e28a33f8b36c6b2e32032661

SHA512
6367e87b5330746a51bfabe90b57f34f53d962012d35dac3ad0ae603202ea46b4a21a0a329c82c8f8ce2272dfbf89feec03f6ed87b6307e9eccb9a57d0f7602d

Download Submit
C:\Windows\system\HXAcCVD.exe

Filesize
1.6MB

MD5
7c0ec18b46b908d0c2c1273ad161a32c

SHA1
01c2b15cdd30d32e0542d04c13f8ae16b964f973

SHA256
97f546c6d364378af015a26dd4d9daf765bed874bc641499d8b0086169f42616

SHA512
397f6be098a099cb876f35a6141b8ec1510b7ac63c724923373b1fd65f90bedcc5ecf4472579df9073ebad5bbd959a903eb9541f2020466093e46561278292cc

Download Submit
C:\Windows\system\JxwhnpH.exe

Filesize
1.6MB

MD5
af0b7733ba38849ce48cdc360e56bbd7

SHA1
f1578fc497931f3b6d8dee6c5957d01a82e63fa8

SHA256
ff34251ba25390333a007d4523d4818467ecaa32a972cbe93fc2a5191bb1a425

SHA512
ae54ac6d5e3bbcde11cbf37e9cd3105849b606b49563f4a5b350af0aec998d45cfbfe6f51609c97d3872cf33fabe5695c2846ecf9699eb41a8335f450a0d87e5

Download Submit
C:\Windows\system\MMzLXKy.exe

Filesize
1.6MB

MD5
7e29daa0412756ea04bc5ba10c24040d

SHA1
2c0982947ecc406c225a16b53e44f94cd6a11ed1

SHA256
9fd04a0bf807f3a8719c01fd759b105be1170530ca2a9b2777404b280be1b937

SHA512
7dea292102e69d8babb99f6ce21ad14d47c1606f64cc0b3c098198b8b831c08b526bfe13ca7e93617c25940aa218f6461a534efcc338b162b2c5ad0ad7eb1ce7

Download Submit
C:\Windows\system\MPbJlSq.exe

Filesize
1.6MB

MD5
fd04d74673e08e28dd0d8dbf8c818fb3

SHA1
7387504b34677bad0c791c75cf0cb8291a9b7783

SHA256
36315a496419e4fc6a8ab6d4bf091fa4d320e60dccbbdf8a9da3c7509dfb2aac

SHA512
2bc581a693c87c369481758625987ea09ede51f40a5f5d4119bb51d76327523d00a1ddbc657cd166e5a7f34cf42cae2977e0cac9ad51a4ca229523adec9f86a7

Download Submit
C:\Windows\system\PqUyuzF.exe

Filesize
1.6MB

MD5
e8730541bd1c76b9ab3566a474a8c488

SHA1
4bce4ee7741226ef149d429f45951d469774f78a

SHA256
d6250dad38fdc9bb42a223529630941529574a1ae6f895e2298d49fc97a738c7

SHA512
a44d22ef0a68722d7a907249baa41d6a1a4f50610b277e7bbe7b5c776239f8bff6bf82dfa47d1634f575b11227afb70a5bb157fcad628baf254853c9cbfe1cdb

Download Submit
C:\Windows\system\RTzQWPK.exe

Filesize
1.6MB

MD5
cd52fc784a7e96dd6a69f21479c7fea6

SHA1
9f12908a73c3bac4c53afbc54033e49a7275a659

SHA256
3a170a8d2226e51a14ec1ed4185e8b8ff32538f0875aea1c51ad20fcf1c76e50

SHA512
a048692cd8fa32a709a318b0b94932e52ff6f9bbce30ad36f6eace5bb6160a9460ab29d399f0e8354b8ffd0f5e88fdec4736835780c536b5c77d166be2df9869

Download Submit
C:\Windows\system\RclCzom.exe

Filesize
1.6MB

MD5
496bbcefbbdda4b8c8c5e640f99e83b9

SHA1
d2f628943047204aebecb47157df774dfb5da040

SHA256
42d28ae5f62dc928524385da2d3eeb5369cf38d167c830c7da66acded826b3e6

SHA512
d5db0039c809abf65f63f6f158543ec5cb7508042426f793c88547b6d8275a67091e3ae758613ebd506b2a753ae896f4d6a0bf727239ce3a63f80ae4ad9344dd

Download Submit
C:\Windows\system\Unebhqo.exe

Filesize
1.6MB

MD5
ca82ae871a698a445d76fb9a76097857

SHA1
0ed4c038b00a98dd50b519fbb250fdff9313e89f

SHA256
7d9dfe1316fa5dac16086d444334a90505a5786e1f852c3273249d6a934225e5

SHA512
c86fdb1ce8fceef0167a3e7179a1ea0fb0171d94e0ccbfebe52f03a6ca3f1fb86384722f42ed200414f907946db4763679d92a0deb02af052a96e89203eac446

Download Submit
C:\Windows\system\VeAZdRN.exe

Filesize
1.6MB

MD5
26c9349cc10c31657b5196be81a2dc35

SHA1
51f71ed92563d488b3c08c728a7e4b57b2910b30

SHA256
b27d448ed776a08cbb740d9b582562022c66c8cec513c540f7abaf6ebf5ee779

SHA512
8a954e2ac727af14c7fa50f33efc74e9adcfa9c296afd5e01204c9d401d4f4a7701b5004d5eabf35a44e1f336fd5d2884662212cc86d7b40ba3a8c366d64203f

Download Submit
C:\Windows\system\bNWpUms.exe

Filesize
1.6MB

MD5
3c4aec40abe2a4be1ea58b1f96187dd1

SHA1
8e5f5a96cad8daa4329b1541e8d72ab22e32af96

SHA256
2942c606fac74560ae6d55fc0f72d5ee9d799f73927ae0957fa30191ab3082ef

SHA512
19511a098f50c954fc13e29465dd3cdf53828871e874ac7d87e537dc1a76941fba963133dd3208d0bee8041665927d792e3d98435809b1dc7df98db421a6df2e

Download Submit
C:\Windows\system\bZyjWga.exe

Filesize
1.6MB

MD5
af1894a4db3da679fd4c45ddb2c66a28

SHA1
151fdfeffd04fe4450782e11b81bf69feea63255

SHA256
0f3333cb7ec412b2fc92d607a6837410eb4200773b4ec734f2296d01be95d0a6

SHA512
b4e592a3b15d0e5052dfcfce3e6bcad1e0881290f885e15fdd908c6a18833ac214efec62449d6f07b7b1e9b46de48f3190cc02e35941d5fdb2aabb7268ce54cd

Download Submit
C:\Windows\system\bynmqTS.exe

Filesize
1.6MB

MD5
4d7f4264e3ebda53807d71576f3c5720

SHA1
80355ea35dd7a418abc4884149a52c2e9584c410

SHA256
779041970a5a48d4d670c1e84b4f235507b7c037356cf90025b8be9044e1b052

SHA512
818393c8c4c407d66a0e352f0a10aef1ed52d122a474cab88baac350a99bf6db0340364eb6705678b3820938e98de8f534d859c58a485aa9c771c3af5ed6fd24

Download Submit
C:\Windows\system\eUAKmeL.exe

Filesize
1.6MB

MD5
390875985c83ec202681e1a9ddcdc1df

SHA1
d9925a7fd72916d4043ff8b52c897097dbbdabdb

SHA256
98186608686915cd600c7837144f3cc715ef8d4ff8101fc04dffe88322a0faa2

SHA512
c78dd8e4b0f200341526a20a173be358442d3dff5775a2160f824b26f2df41fd472d2ce87cc651ee7ae6dfc8b5da26b30a5a6ce4d477de203e785897c1ba5d70

Download Submit
C:\Windows\system\fPMDXEI.exe

Filesize
1.6MB

MD5
e93843ce99262983754638b40f028ca5

SHA1
cff311367b251af9d665dda9e5b7c88189707495

SHA256
25641f14ed1e3ccee17b2aa31c12a4c7159a6ef6683c7e2d83fb9349814ebe90

SHA512
dbfbd9116a08aac1d7953221cf01e82d2137067e4d08fd20be53b8961e60bfe4ec4571a796aa34c1cfff88c2abe432f71b5a63381ab56065c6121559866e9118

Download Submit
C:\Windows\system\gVyLKQR.exe

Filesize
1.6MB

MD5
46a6dbfd5aba72bf67b2824fb775bd90

SHA1
6f2ce76f2b4154f9f3defbf912ad775360ae411f

SHA256
cdd6964e5789e9642167b89a459af296929b1bb91a865a34e131a4c09b9f8d59

SHA512
fa17284d2efb2cc8e52057427816e45e78a398f59e3756b38eb49e3a7a1ed58b8557f538526030f12c3cb35393a90a472531ae965c76a5abba61cc07c5b50d36

Download Submit
C:\Windows\system\jOtLKSK.exe

Filesize
1.6MB

MD5
67551a3d1a1be8aca70f7afc7ee47092

SHA1
d6e16422679851437d335a87201c31bf441ebdfa

SHA256
b0a8fdc89b5aa246b27109dca225d95c60639b5003bd1d2e00000bcd373f3116

SHA512
82cd80607954731f0e64590527c860daa71e52ee8f8e28c954cfbd922d444dd3003560fe03efcd9192c6cee3eb8fd4c1fda36cecbcabf9e81421161799812647

Download Submit
C:\Windows\system\kKFyEOJ.exe

Filesize
1.6MB

MD5
3635be53714af35bec3ad6b34009fe05

SHA1
40840623d57fbd40e55df4aca61faf4718b03965

SHA256
e32ef2f487bec028baa233f29dfc6df42b85db2414aa6657947e3ea2a69e9752

SHA512
5df211ddc732639265ae0b85b991359cebea1d3d0a19783ddf7a9021d266063126fe892b24454075bddc075fce4fdf1911e430cb42688402edc6f804357726f8

Download Submit
C:\Windows\system\nGvostH.exe

Filesize
1.6MB

MD5
84966dd9c5a7aca2f31061fba62d7eb0

SHA1
3b5a993867242bf4c59568771ce22c53f4f5c9ca

SHA256
98b8ea9e4b9d2350d35f5a997948eb8642409990704c6b7f73088074add2382d

SHA512
431d6edc0997945b23b240ae80c8f108d1bcbbd687f5b3801603a43a2627728c3c5601ee1e24ff5cf76a685220baecad4428d409cae49eddc07f835dcbb0d67b

Download Submit
C:\Windows\system\rPsfamk.exe

Filesize
1.6MB

MD5
a2f1cec2b4b2a0e7d6f83aab214050cc

SHA1
1d05a230e6ac9e18976434641a0b03126e74736c

SHA256
2eea7b593b9b987f1ebacc77abfd55f73ad2e06a829cad431640c42f0af57090

SHA512
51399c34d08b7e919de7c42b6b3a094086c015b373bb3bf8bedf8502590c42b4cf009460e786d67005d8ff2371489e643c8587b43ef9d8a9a9422ac04c2d7423

Download Submit
C:\Windows\system\rfZRNli.exe

Filesize
1.6MB

MD5
4f8a633ede0752c536ea45c219b6a8bb

SHA1
986bc694164844c2581bbbeeecee8bbb561a11d3

SHA256
0ac2d7b2c32340641f89aa03e3ac1ffc219f40c014227c5a5e3a0ffbdfcf2b2d

SHA512
9db5afed19fdd754b02ea0c9d697c061661b9a8f79fc9bd6ab82355ea4e729596fcd79902983f09abb7f58c6a2c655dd48b32f853bc0a54279d650f1fcc8f9bb

Download Submit
C:\Windows\system\sbYkIAN.exe

Filesize
1.6MB

MD5
8ade7b067218a974f2ae811214e57abc

SHA1
879a9bd3cfe982e3d12c38316994c26134e2a748

SHA256
eb59ed6b7d52fe07c20c871b62c83181c0ead408f5884c32d898fd2f2d1b8b3f

SHA512
da86879d25aeafb8916b38b41266793f627083d33f6af8ca6635ebc34d8cb859b9dbb5ea8fcc0a91b06c1fb5685d896954ba2b7e3a90fbcd22ac3467f8ede362

Download Submit
C:\Windows\system\ucuGcvu.exe

Filesize
1.6MB

MD5
b405a8fc0e8236515f6514e379ba964b

SHA1
f9ade99a62275b93693b8f6ae3220ee785ed0de2

SHA256
9be8d622f45ac08eacbfea24a56a1ae3c0b16b112cdc9b2ce883e5978d532c5b

SHA512
a7c6ce80f9b9a4d763698ee284aa0ed75338d95a8e6ff660895a9f2104a6e8e03282587837fca949a6c3650573500fed3e97ba7b3193b78a534a3ca2208a0eac

Download Submit
C:\Windows\system\wHIakVy.exe

Filesize
1.6MB

MD5
6652dee346cd6950bc09ac5985fccac9

SHA1
ce17cdf7eed4a4969dbf5c3e3117cf7d6e447ae9

SHA256
83cbce19f64d866c1c7c5eb1942a89f70f70730bd19126ceeb11b6565f76fb1e

SHA512
a2519639069250b82d0903536b4ad750209f29f6dba2d933d908a85795ed73494276315acb0a773a28d207897ccb3aa0f2f77042e46a597c1a6b2a5729d2617f

Download Submit
\Windows\system\BWdEuVN.exe

Filesize
1.6MB

MD5
a122b6de73098d0872e5d37efe93bb42

SHA1
cf58d1c02ac31e58d37138ca15b3e5a0258e290a

SHA256
714f7c4c90789b84c6bfc011cafd29efdcedec4e2bea7c5de8d936aef9a6f27f

SHA512
92cc32a1f092e8f617b6bd02623a3b2bf1158399acf88ea1d2e8a74dd71482f1a6a8d747a90aa3d0b19ea311d3d943b891632ac7485a154a2f58d10e527ff82f

Download Submit
\Windows\system\DDfHaKt.exe

Filesize
1.6MB

MD5
0af8c77319cdf513a6d5f10ef3ec52d5

SHA1
2ab7bef869d0089a190d43b8e6feccf64fa818ef

SHA256
91134dd47782b9a235e1cb5cc83a6b802075376d9ca5ca3dca69dec07f63bf52

SHA512
53416a173cb48232c70d39ad6220e378ca953369a69226d85d6998ddb3af344813ee5cc52aca5c57064739c13c7eccc1b0d7af06dc72e00ede6a515b0c7d1946

Download Submit
\Windows\system\OjywTaY.exe

Filesize
1.6MB

MD5
859151766258aad3c6478006a75dec3b

SHA1
44fb8bfb5cbac55f4f96318d5172f4ee2cd56f59

SHA256
6a60e6799afabd3647245bffff4235b2b69325b79c0de2e18e351ff0620d78a8

SHA512
6cc93e20228a363f66d7133d96ba88f583dee79cc8f913ae34131a35703e22f2ef0318c87ab9a5a2de72d9afc223138e749c2f0aa1c9e5cdc99f9109809f7693

Download Submit
\Windows\system\stVXjfg.exe

Filesize
1.6MB

MD5
fcc09199f5f077b0038cdde4e4893b3a

SHA1
210839f928dc39a3cd1b7e2da089b6454a4c11bb

SHA256
90f89eb21f10833da743c146679cda40dabf7a425e4480e99ac09f756179b1db

SHA512
3ddc4d56cb52af82b3b8493324ba542eaa09b67a7cd8392af043b4cc757bf803ac4a7926be03f6d5a715e4417b2ccd1e9e9f98c1697a173c237e4d4b18224c00

Download Submit
\Windows\system\vfCCkqR.exe

Filesize
1.6MB

MD5
74ea913289a46d4e952b7474dcb77066

SHA1
489c8bee5358fb18f5b8cac31feb1eb08e54672e

SHA256
42bf7491ad793860f8da1c62fcf23da262787cbf34ef4ee0e5e7bdadb0a3dd7d

SHA512
ddaf1df69f1eac4542762b01cf74f332ad8db8c5175dc643999bb9cd3102092b404fad0a0c6e7a7bb9fc90e68f665c4327f54967a4148baeb51158694ac5ec61

Download Submit
memory/340-137-0x000000013F070000-0x000000013F462000-memory.dmp

Filesize
3.9MB

Download
memory/2416-115-0x000000013F2D0000-0x000000013F6C2000-memory.dmp

Filesize
3.9MB

Download
memory/2428-123-0x000000013F190000-0x000000013F582000-memory.dmp

Filesize
3.9MB

Download
memory/2444-118-0x000000013F950000-0x000000013FD42000-memory.dmp

Filesize
3.9MB

Download
memory/2484-125-0x000000013F810000-0x000000013FC02000-memory.dmp

Filesize
3.9MB

Download
memory/2520-121-0x000000013F120000-0x000000013F512000-memory.dmp

Filesize
3.9MB

Download
memory/2560-111-0x000000013FCB0000-0x00000001400A2000-memory.dmp

Filesize
3.9MB

Download
memory/2596-14-0x000007FEF5D7E000-0x000007FEF5D7F000-memory.dmp

Filesize
4KB

Download
memory/2596-87-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/2596-109-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2596-110-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2596-132-0x00000000020D0000-0x00000000020D8000-memory.dmp

Filesize
32KB

Download
memory/2620-135-0x000000013F7F0000-0x000000013FBE2000-memory.dmp

Filesize
3.9MB

Download
memory/2644-113-0x000000013F500000-0x000000013F8F2000-memory.dmp

Filesize
3.9MB

Download
memory/2680-119-0x000000013FB10000-0x000000013FF02000-memory.dmp

Filesize
3.9MB

Download
memory/2828-127-0x000000013F1E0000-0x000000013F5D2000-memory.dmp

Filesize
3.9MB

Download
memory/2868-124-0x0000000002FD0000-0x00000000033C2000-memory.dmp

Filesize
3.9MB

Download
memory/2868-114-0x000000013F2D0000-0x000000013F6C2000-memory.dmp

Filesize
3.9MB

Download
memory/2868-112-0x000000013F500000-0x000000013F8F2000-memory.dmp

Filesize
3.9MB

Download
memory/2868-120-0x000000013F120000-0x000000013F512000-memory.dmp

Filesize
3.9MB

Download
memory/2868-122-0x000000013F190000-0x000000013F582000-memory.dmp

Filesize
3.9MB

Download
memory/2868-116-0x0000000002FD0000-0x00000000033C2000-memory.dmp

Filesize
3.9MB

Download
memory/2868-126-0x000000013F1E0000-0x000000013F5D2000-memory.dmp

Filesize
3.9MB

Download
memory/2868-117-0x0000000002FD0000-0x00000000033C2000-memory.dmp

Filesize
3.9MB

Download
memory/2868-128-0x0000000002FD0000-0x00000000033C2000-memory.dmp

Filesize
3.9MB

Download
memory/2868-1-0x000000013FBA0000-0x000000013FF92000-memory.dmp

Filesize
3.9MB

Download
memory/2868-136-0x000000013F070000-0x000000013F462000-memory.dmp

Filesize
3.9MB

Download
memory/2868-138-0x0000000002D10000-0x0000000003102000-memory.dmp

Filesize
3.9MB

Download
memory/2868-0-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2868-6-0x0000000002470000-0x0000000002862000-memory.dmp

Filesize
3.9MB

Download
memory/2892-9-0x000000013FC20000-0x0000000140012000-memory.dmp

Filesize
3.9MB

Download