xmrig | c631762ffafaf90b58cfedc0c5d00ad852a67db71be91b0e5271595811cb253d

Analysis

max time kernel
136s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
Size

1.3MB
MD5

df5194089147f63d672b4ffb67916050
SHA1

58379655a3e8525ba59a746fcedbc732273dd9f1
SHA256

c631762ffafaf90b58cfedc0c5d00ad852a67db71be91b0e5271595811cb253d
SHA512

e7f8667e5b868cf1945e4e0a1e854c51ce71cdc50f473ced4eac3652b8736ea33426db13e5cafff157f8c9051e15086965e688e2b63204feaf3c72194c4864cd
SSDEEP

24576:GezaTnG99Q8FcNrpyNdfE0bLBgDOp2iSLz9LbBwlKensYKkTT7UudBWkTDx:GezaTF8FcNkNdfE0pZ9oztFwI6Kw

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 32 IoCs

miner

resource	yara_rule
behavioral1/files/0x000a00000001224c-4.dat	xmrig
behavioral1/files/0x000800000001564f-11.dat	xmrig
behavioral1/files/0x000c000000012674-10.dat	xmrig
behavioral1/files/0x0007000000015653-17.dat	xmrig
behavioral1/files/0x000700000001565d-25.dat	xmrig
behavioral1/files/0x0007000000015677-26.dat	xmrig
behavioral1/files/0x0007000000015684-34.dat	xmrig
behavioral1/files/0x0008000000015d7f-37.dat	xmrig
behavioral1/files/0x0006000000015d87-41.dat	xmrig
behavioral1/files/0x0006000000015d93-43.dat	xmrig
behavioral1/files/0x0006000000015e32-49.dat	xmrig
behavioral1/files/0x0006000000015ecc-53.dat	xmrig
behavioral1/files/0x0006000000015fe5-61.dat	xmrig
behavioral1/files/0x000600000001610f-65.dat	xmrig
behavioral1/files/0x000600000001621e-69.dat	xmrig
behavioral1/files/0x00060000000164aa-77.dat	xmrig
behavioral1/files/0x000600000001658a-89.dat	xmrig
behavioral1/files/0x0006000000016adc-104.dat	xmrig
behavioral1/files/0x0006000000016c64-116.dat	xmrig
behavioral1/files/0x0006000000016d34-140.dat	xmrig
behavioral1/files/0x0006000000016d20-136.dat	xmrig
behavioral1/files/0x0006000000016d18-132.dat	xmrig
behavioral1/files/0x0006000000016d07-128.dat	xmrig
behavioral1/files/0x0006000000016cdc-124.dat	xmrig
behavioral1/files/0x0006000000016cb0-120.dat	xmrig
behavioral1/files/0x0006000000016c5e-112.dat	xmrig
behavioral1/files/0x0006000000016c44-108.dat	xmrig
behavioral1/files/0x0006000000016851-100.dat	xmrig
behavioral1/files/0x0006000000016616-96.dat	xmrig
behavioral1/files/0x0036000000014bbc-92.dat	xmrig
behavioral1/files/0x000600000001630a-73.dat	xmrig
behavioral1/files/0x0006000000015f65-57.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1280	hWxLeDz.exe
2944	onThFlM.exe
2520	qaAxIMf.exe
2532	guzxlWI.exe
2652	XRtpHxD.exe
2696	JRywIuo.exe
2560	iVFPPzr.exe
2704	kRCZWch.exe
2588	ZSDZPqA.exe
2744	bIXGHRo.exe
2228	pMlyllO.exe
2680	xrToQKB.exe
2436	utkWJpY.exe
2500	OtpZeML.exe
1656	BJBARTD.exe
2600	TzYulIk.exe
2352	ZprjCep.exe
1616	PJdFioy.exe
384	KXezNGk.exe
2156	iunNwWB.exe
1848	ymtSMgF.exe
2168	sRrHzwH.exe
2216	eSqqleW.exe
1732	evkBxzK.exe
2252	NSXdfoX.exe
1636	CxnwZeG.exe
860	qpBXhep.exe
632	OfPtANt.exe
2864	nxBzPLj.exe
2904	KamoJBy.exe
2848	bHXTNHD.exe
2792	qBFqOlT.exe
1648	IPIWzhY.exe
2804	aEUFsLK.exe
2092	iIsUMfy.exe
2108	XlMKHmL.exe
676	KbKsjIB.exe
1480	ODjohHX.exe
2360	eRgHCfx.exe
1684	FkMDsKY.exe
3032	cQSBXMB.exe
3020	eOoxLbb.exe
2148	wUkSuUx.exe
1548	OfHiDIo.exe
2336	CcZgzJo.exe
1612	owvdzgj.exe
1868	zUSYpAz.exe
2808	FGaKVxe.exe
1872	GSTskjj.exe
960	mHvRsWu.exe
568	IRUwZxO.exe
832	hXKYUhX.exe
1752	nBksopb.exe
1972	XcNANHD.exe
2272	DbYMrsI.exe
1960	wUvghjO.exe
2144	PczsUwW.exe
1500	wGBTXvY.exe
876	wjeBeGE.exe
2264	myNPrMO.exe
2096	ESbdwzQ.exe
1604	gjIRBYW.exe
2008	HvprSfA.exe
2708	ixOiTWb.exe

Loads dropped DLL 64 IoCs

pid	Process
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\bIXGHRo.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\myNPrMO.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\BxtraOj.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\sRrHzwH.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\eOoxLbb.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\psDpUGl.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\bbFiGOt.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\DHJSNka.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\XxtbyjZ.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\gniGhQC.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\qsBiBwo.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\ymtSMgF.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\YaDlPxE.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\OFxWlmJ.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\thoICTe.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\UQZsTrE.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\QhwoURk.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\hxfWASI.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\ZdgZpEE.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\eRgHCfx.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\guzxlWI.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\fhPYyVk.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\WwWWexM.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\fSGnyuf.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\vCQcTEs.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\kfqqjPB.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\jBFlhbz.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\iVFPPzr.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\PJdFioy.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\txkBqmM.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\zneNgAi.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\wUvghjO.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\fbvZDvc.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\OfPtANt.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\wGBTXvY.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\aaormmj.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\FkMDsKY.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\dSibEas.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\CmsXpiC.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\XRtpHxD.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\rjLkIUX.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\bHXTNHD.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\KamoJBy.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\SsoVoLj.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\RCjBKCa.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\ZSDZPqA.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\HiTvIIA.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\oXaLwqu.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\RzalHWY.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\KXezNGk.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\ioEcsQe.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\onThFlM.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\mHvRsWu.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\HwfswPD.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\eImiPVj.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\evkBxzK.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\JOrZeKL.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\cbyJgUK.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\nRzdKaJ.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\aEUFsLK.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\nBksopb.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\KduSPOf.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\ZGmVLlC.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\qBFqOlT.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1280	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	29
PID 1048 wrote to memory of 1280	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	29
PID 1048 wrote to memory of 1280	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	29
PID 1048 wrote to memory of 2944	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	30
PID 1048 wrote to memory of 2944	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	30
PID 1048 wrote to memory of 2944	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	30
PID 1048 wrote to memory of 2520	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	31
PID 1048 wrote to memory of 2520	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	31
PID 1048 wrote to memory of 2520	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	31
PID 1048 wrote to memory of 2532	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	32
PID 1048 wrote to memory of 2532	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	32
PID 1048 wrote to memory of 2532	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	32
PID 1048 wrote to memory of 2652	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	33
PID 1048 wrote to memory of 2652	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	33
PID 1048 wrote to memory of 2652	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	33
PID 1048 wrote to memory of 2696	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	34
PID 1048 wrote to memory of 2696	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	34
PID 1048 wrote to memory of 2696	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	34
PID 1048 wrote to memory of 2560	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	35
PID 1048 wrote to memory of 2560	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	35
PID 1048 wrote to memory of 2560	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	35
PID 1048 wrote to memory of 2704	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	36
PID 1048 wrote to memory of 2704	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	36
PID 1048 wrote to memory of 2704	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	36
PID 1048 wrote to memory of 2588	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	37
PID 1048 wrote to memory of 2588	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	37
PID 1048 wrote to memory of 2588	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	37
PID 1048 wrote to memory of 2744	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	38
PID 1048 wrote to memory of 2744	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	38
PID 1048 wrote to memory of 2744	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	38
PID 1048 wrote to memory of 2228	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	39
PID 1048 wrote to memory of 2228	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	39
PID 1048 wrote to memory of 2228	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	39
PID 1048 wrote to memory of 2680	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	40
PID 1048 wrote to memory of 2680	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	40
PID 1048 wrote to memory of 2680	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	40
PID 1048 wrote to memory of 2436	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	41
PID 1048 wrote to memory of 2436	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	41
PID 1048 wrote to memory of 2436	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	41
PID 1048 wrote to memory of 2500	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	42
PID 1048 wrote to memory of 2500	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	42
PID 1048 wrote to memory of 2500	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	42
PID 1048 wrote to memory of 1656	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	43
PID 1048 wrote to memory of 1656	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	43
PID 1048 wrote to memory of 1656	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	43
PID 1048 wrote to memory of 2600	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	44
PID 1048 wrote to memory of 2600	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	44
PID 1048 wrote to memory of 2600	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	44
PID 1048 wrote to memory of 2352	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	45
PID 1048 wrote to memory of 2352	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	45
PID 1048 wrote to memory of 2352	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	45
PID 1048 wrote to memory of 1616	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	46
PID 1048 wrote to memory of 1616	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	46
PID 1048 wrote to memory of 1616	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	46
PID 1048 wrote to memory of 384	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	47
PID 1048 wrote to memory of 384	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	47
PID 1048 wrote to memory of 384	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	47
PID 1048 wrote to memory of 2156	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	48
PID 1048 wrote to memory of 2156	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	48
PID 1048 wrote to memory of 2156	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	48
PID 1048 wrote to memory of 1848	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	49
PID 1048 wrote to memory of 1848	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	49
PID 1048 wrote to memory of 1848	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	49
PID 1048 wrote to memory of 2168	1048	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	50

C:\Users\Admin\AppData\Local\Temp\df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\System\hWxLeDz.exe
  C:\Windows\System\hWxLeDz.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System\onThFlM.exe
  C:\Windows\System\onThFlM.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\qaAxIMf.exe
  C:\Windows\System\qaAxIMf.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\guzxlWI.exe
  C:\Windows\System\guzxlWI.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\XRtpHxD.exe
  C:\Windows\System\XRtpHxD.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\JRywIuo.exe
  C:\Windows\System\JRywIuo.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\iVFPPzr.exe
  C:\Windows\System\iVFPPzr.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\kRCZWch.exe
  C:\Windows\System\kRCZWch.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\ZSDZPqA.exe
  C:\Windows\System\ZSDZPqA.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\bIXGHRo.exe
  C:\Windows\System\bIXGHRo.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\pMlyllO.exe
  C:\Windows\System\pMlyllO.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\xrToQKB.exe
  C:\Windows\System\xrToQKB.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\utkWJpY.exe
  C:\Windows\System\utkWJpY.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\OtpZeML.exe
  C:\Windows\System\OtpZeML.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\BJBARTD.exe
  C:\Windows\System\BJBARTD.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\TzYulIk.exe
  C:\Windows\System\TzYulIk.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\ZprjCep.exe
  C:\Windows\System\ZprjCep.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\PJdFioy.exe
  C:\Windows\System\PJdFioy.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\KXezNGk.exe
  C:\Windows\System\KXezNGk.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\iunNwWB.exe
  C:\Windows\System\iunNwWB.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\ymtSMgF.exe
  C:\Windows\System\ymtSMgF.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\sRrHzwH.exe
  C:\Windows\System\sRrHzwH.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\eSqqleW.exe
  C:\Windows\System\eSqqleW.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\evkBxzK.exe
  C:\Windows\System\evkBxzK.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\NSXdfoX.exe
  C:\Windows\System\NSXdfoX.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\CxnwZeG.exe
  C:\Windows\System\CxnwZeG.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\qpBXhep.exe
  C:\Windows\System\qpBXhep.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\OfPtANt.exe
  C:\Windows\System\OfPtANt.exe
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\System\nxBzPLj.exe
  C:\Windows\System\nxBzPLj.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\KamoJBy.exe
  C:\Windows\System\KamoJBy.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\bHXTNHD.exe
  C:\Windows\System\bHXTNHD.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\qBFqOlT.exe
  C:\Windows\System\qBFqOlT.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\IPIWzhY.exe
  C:\Windows\System\IPIWzhY.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\aEUFsLK.exe
  C:\Windows\System\aEUFsLK.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\iIsUMfy.exe
  C:\Windows\System\iIsUMfy.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\XlMKHmL.exe
  C:\Windows\System\XlMKHmL.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\KbKsjIB.exe
  C:\Windows\System\KbKsjIB.exe
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\System\ODjohHX.exe
  C:\Windows\System\ODjohHX.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\eRgHCfx.exe
  C:\Windows\System\eRgHCfx.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\FkMDsKY.exe
  C:\Windows\System\FkMDsKY.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\cQSBXMB.exe
  C:\Windows\System\cQSBXMB.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\wUkSuUx.exe
  C:\Windows\System\wUkSuUx.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System\eOoxLbb.exe
  C:\Windows\System\eOoxLbb.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\OfHiDIo.exe
  C:\Windows\System\OfHiDIo.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\CcZgzJo.exe
  C:\Windows\System\CcZgzJo.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\owvdzgj.exe
  C:\Windows\System\owvdzgj.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\zUSYpAz.exe
  C:\Windows\System\zUSYpAz.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System\FGaKVxe.exe
  C:\Windows\System\FGaKVxe.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\GSTskjj.exe
  C:\Windows\System\GSTskjj.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\mHvRsWu.exe
  C:\Windows\System\mHvRsWu.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System\IRUwZxO.exe
  C:\Windows\System\IRUwZxO.exe
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Windows\System\hXKYUhX.exe
  C:\Windows\System\hXKYUhX.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System\nBksopb.exe
  C:\Windows\System\nBksopb.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\XcNANHD.exe
  C:\Windows\System\XcNANHD.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\DbYMrsI.exe
  C:\Windows\System\DbYMrsI.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\wUvghjO.exe
  C:\Windows\System\wUvghjO.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\PczsUwW.exe
  C:\Windows\System\PczsUwW.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\wGBTXvY.exe
  C:\Windows\System\wGBTXvY.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System\wjeBeGE.exe
  C:\Windows\System\wjeBeGE.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System\myNPrMO.exe
  C:\Windows\System\myNPrMO.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\ESbdwzQ.exe
  C:\Windows\System\ESbdwzQ.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\gjIRBYW.exe
  C:\Windows\System\gjIRBYW.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System\HvprSfA.exe
  C:\Windows\System\HvprSfA.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\ixOiTWb.exe
  C:\Windows\System\ixOiTWb.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\RzalHWY.exe
  C:\Windows\System\RzalHWY.exe
  2⤵
  PID:2036
- C:\Windows\System\nloeyeU.exe
  C:\Windows\System\nloeyeU.exe
  2⤵
  PID:2688
- C:\Windows\System\psDpUGl.exe
  C:\Windows\System\psDpUGl.exe
  2⤵
  PID:3068
- C:\Windows\System\IrsyfXC.exe
  C:\Windows\System\IrsyfXC.exe
  2⤵
  PID:2920
- C:\Windows\System\uNdTBxu.exe
  C:\Windows\System\uNdTBxu.exe
  2⤵
  PID:2448
- C:\Windows\System\YpWSFlp.exe
  C:\Windows\System\YpWSFlp.exe
  2⤵
  PID:2424
- C:\Windows\System\bbFiGOt.exe
  C:\Windows\System\bbFiGOt.exe
  2⤵
  PID:2100
- C:\Windows\System\mKztGZM.exe
  C:\Windows\System\mKztGZM.exe
  2⤵
  PID:1672
- C:\Windows\System\ZyZhuqC.exe
  C:\Windows\System\ZyZhuqC.exe
  2⤵
  PID:1580
- C:\Windows\System\VfdUksW.exe
  C:\Windows\System\VfdUksW.exe
  2⤵
  PID:1032
- C:\Windows\System\IneyLQG.exe
  C:\Windows\System\IneyLQG.exe
  2⤵
  PID:764
- C:\Windows\System\UQmfarV.exe
  C:\Windows\System\UQmfarV.exe
  2⤵
  PID:1808
- C:\Windows\System\EgtkUmA.exe
  C:\Windows\System\EgtkUmA.exe
  2⤵
  PID:2196
- C:\Windows\System\UQZsTrE.exe
  C:\Windows\System\UQZsTrE.exe
  2⤵
  PID:2240
- C:\Windows\System\QhwoURk.exe
  C:\Windows\System\QhwoURk.exe
  2⤵
  PID:1496
- C:\Windows\System\rPlpYkc.exe
  C:\Windows\System\rPlpYkc.exe
  2⤵
  PID:848
- C:\Windows\System\PpkeKPS.exe
  C:\Windows\System\PpkeKPS.exe
  2⤵
  PID:2136
- C:\Windows\System\hBaRvCX.exe
  C:\Windows\System\hBaRvCX.exe
  2⤵
  PID:480
- C:\Windows\System\XWbIaDV.exe
  C:\Windows\System\XWbIaDV.exe
  2⤵
  PID:840
- C:\Windows\System\rtFcnoa.exe
  C:\Windows\System\rtFcnoa.exe
  2⤵
  PID:1488
- C:\Windows\System\PbgeQDg.exe
  C:\Windows\System\PbgeQDg.exe
  2⤵
  PID:1688
- C:\Windows\System\txkBqmM.exe
  C:\Windows\System\txkBqmM.exe
  2⤵
  PID:2364
- C:\Windows\System\HpXjJEN.exe
  C:\Windows\System\HpXjJEN.exe
  2⤵
  PID:1160
- C:\Windows\System\zneNgAi.exe
  C:\Windows\System\zneNgAi.exe
  2⤵
  PID:1860
- C:\Windows\System\NwZGKYT.exe
  C:\Windows\System\NwZGKYT.exe
  2⤵
  PID:1528
- C:\Windows\System\kfqqjPB.exe
  C:\Windows\System\kfqqjPB.exe
  2⤵
  PID:2188
- C:\Windows\System\VnIDfIz.exe
  C:\Windows\System\VnIDfIz.exe
  2⤵
  PID:3028
- C:\Windows\System\ABXhGqH.exe
  C:\Windows\System\ABXhGqH.exe
  2⤵
  PID:1664
- C:\Windows\System\UPjnato.exe
  C:\Windows\System\UPjnato.exe
  2⤵
  PID:1964
- C:\Windows\System\TisoCwZ.exe
  C:\Windows\System\TisoCwZ.exe
  2⤵
  PID:988
- C:\Windows\System\VnuboPR.exe
  C:\Windows\System\VnuboPR.exe
  2⤵
  PID:1336
- C:\Windows\System\AKOTRKr.exe
  C:\Windows\System\AKOTRKr.exe
  2⤵
  PID:496
- C:\Windows\System\HiTvIIA.exe
  C:\Windows\System\HiTvIIA.exe
  2⤵
  PID:1072
- C:\Windows\System\KobyOIm.exe
  C:\Windows\System\KobyOIm.exe
  2⤵
  PID:1124
- C:\Windows\System\KGeTVNv.exe
  C:\Windows\System\KGeTVNv.exe
  2⤵
  PID:2300
- C:\Windows\System\nRzdKaJ.exe
  C:\Windows\System\nRzdKaJ.exe
  2⤵
  PID:1928
- C:\Windows\System\oXaLwqu.exe
  C:\Windows\System\oXaLwqu.exe
  2⤵
  PID:2292
- C:\Windows\System\HKJoyMa.exe
  C:\Windows\System\HKJoyMa.exe
  2⤵
  PID:2248
- C:\Windows\System\pzkMzOk.exe
  C:\Windows\System\pzkMzOk.exe
  2⤵
  PID:2816
- C:\Windows\System\vsznZKr.exe
  C:\Windows\System\vsznZKr.exe
  2⤵
  PID:1596
- C:\Windows\System\hxfWASI.exe
  C:\Windows\System\hxfWASI.exe
  2⤵
  PID:2000
- C:\Windows\System\UkOeuFI.exe
  C:\Windows\System\UkOeuFI.exe
  2⤵
  PID:2664
- C:\Windows\System\LyOnNgB.exe
  C:\Windows\System\LyOnNgB.exe
  2⤵
  PID:2580
- C:\Windows\System\OEWmrvu.exe
  C:\Windows\System\OEWmrvu.exe
  2⤵
  PID:2528
- C:\Windows\System\YqNNnKJ.exe
  C:\Windows\System\YqNNnKJ.exe
  2⤵
  PID:2472
- C:\Windows\System\fwzoPQJ.exe
  C:\Windows\System\fwzoPQJ.exe
  2⤵
  PID:2468
- C:\Windows\System\NGzSAde.exe
  C:\Windows\System\NGzSAde.exe
  2⤵
  PID:2484
- C:\Windows\System\vnsrAks.exe
  C:\Windows\System\vnsrAks.exe
  2⤵
  PID:1200
- C:\Windows\System\UpqhIXn.exe
  C:\Windows\System\UpqhIXn.exe
  2⤵
  PID:2200
- C:\Windows\System\VPvBOMe.exe
  C:\Windows\System\VPvBOMe.exe
  2⤵
  PID:2748
- C:\Windows\System\FPgksCK.exe
  C:\Windows\System\FPgksCK.exe
  2⤵
  PID:3056
- C:\Windows\System\KduSPOf.exe
  C:\Windows\System\KduSPOf.exe
  2⤵
  PID:300
- C:\Windows\System\SsoVoLj.exe
  C:\Windows\System\SsoVoLj.exe
  2⤵
  PID:2624
- C:\Windows\System\rjLkIUX.exe
  C:\Windows\System\rjLkIUX.exe
  2⤵
  PID:2408
- C:\Windows\System\RqViBPc.exe
  C:\Windows\System\RqViBPc.exe
  2⤵
  PID:2676
- C:\Windows\System\xfkPqBX.exe
  C:\Windows\System\xfkPqBX.exe
  2⤵
  PID:2800
- C:\Windows\System\IKdaNsy.exe
  C:\Windows\System\IKdaNsy.exe
  2⤵
  PID:1980
- C:\Windows\System\splnFut.exe
  C:\Windows\System\splnFut.exe
  2⤵
  PID:1420
- C:\Windows\System\dSibEas.exe
  C:\Windows\System\dSibEas.exe
  2⤵
  PID:904
- C:\Windows\System\lUdnECJ.exe
  C:\Windows\System\lUdnECJ.exe
  2⤵
  PID:1624
- C:\Windows\System\Frgwsca.exe
  C:\Windows\System\Frgwsca.exe
  2⤵
  PID:1776
- C:\Windows\System\DHJSNka.exe
  C:\Windows\System\DHJSNka.exe
  2⤵
  PID:1764
- C:\Windows\System\cNCGZKd.exe
  C:\Windows\System\cNCGZKd.exe
  2⤵
  PID:1356
- C:\Windows\System\ioEcsQe.exe
  C:\Windows\System\ioEcsQe.exe
  2⤵
  PID:612
- C:\Windows\System\HwfswPD.exe
  C:\Windows\System\HwfswPD.exe
  2⤵
  PID:2592
- C:\Windows\System\zhObuiE.exe
  C:\Windows\System\zhObuiE.exe
  2⤵
  PID:1248
- C:\Windows\System\thoICTe.exe
  C:\Windows\System\thoICTe.exe
  2⤵
  PID:2812
- C:\Windows\System\YZlMaaO.exe
  C:\Windows\System\YZlMaaO.exe
  2⤵
  PID:1792
- C:\Windows\System\uyushZV.exe
  C:\Windows\System\uyushZV.exe
  2⤵
  PID:2936
- C:\Windows\System\JOrZeKL.exe
  C:\Windows\System\JOrZeKL.exe
  2⤵
  PID:1920
- C:\Windows\System\XxtbyjZ.exe
  C:\Windows\System\XxtbyjZ.exe
  2⤵
  PID:2992
- C:\Windows\System\dillQaM.exe
  C:\Windows\System\dillQaM.exe
  2⤵
  PID:2572
- C:\Windows\System\gniGhQC.exe
  C:\Windows\System\gniGhQC.exe
  2⤵
  PID:2552
- C:\Windows\System\TLoOYLD.exe
  C:\Windows\System\TLoOYLD.exe
  2⤵
  PID:2568
- C:\Windows\System\EUBxjoy.exe
  C:\Windows\System\EUBxjoy.exe
  2⤵
  PID:1912
- C:\Windows\System\UZsWxDQ.exe
  C:\Windows\System\UZsWxDQ.exe
  2⤵
  PID:2212
- C:\Windows\System\HxAwtux.exe
  C:\Windows\System\HxAwtux.exe
  2⤵
  PID:296
- C:\Windows\System\MPZAZgb.exe
  C:\Windows\System\MPZAZgb.exe
  2⤵
  PID:2476
- C:\Windows\System\GJGtJpy.exe
  C:\Windows\System\GJGtJpy.exe
  2⤵
  PID:1784
- C:\Windows\System\vCQcTEs.exe
  C:\Windows\System\vCQcTEs.exe
  2⤵
  PID:1036
- C:\Windows\System\QusxWzZ.exe
  C:\Windows\System\QusxWzZ.exe
  2⤵
  PID:2308
- C:\Windows\System\wDdBWQA.exe
  C:\Windows\System\wDdBWQA.exe
  2⤵
  PID:692
- C:\Windows\System\UjmfSoR.exe
  C:\Windows\System\UjmfSoR.exe
  2⤵
  PID:2968
- C:\Windows\System\nBIwvLV.exe
  C:\Windows\System\nBIwvLV.exe
  2⤵
  PID:328
- C:\Windows\System\EetIfbD.exe
  C:\Windows\System\EetIfbD.exe
  2⤵
  PID:1856
- C:\Windows\System\FJEUylk.exe
  C:\Windows\System\FJEUylk.exe
  2⤵
  PID:836
- C:\Windows\System\esTBxFi.exe
  C:\Windows\System\esTBxFi.exe
  2⤵
  PID:2856
- C:\Windows\System\BxtraOj.exe
  C:\Windows\System\BxtraOj.exe
  2⤵
  PID:1644
- C:\Windows\System\fhPYyVk.exe
  C:\Windows\System\fhPYyVk.exe
  2⤵
  PID:900
- C:\Windows\System\mgnUUss.exe
  C:\Windows\System\mgnUUss.exe
  2⤵
  PID:1952
- C:\Windows\System\dIoKMFZ.exe
  C:\Windows\System\dIoKMFZ.exe
  2⤵
  PID:2032
- C:\Windows\System\FXCOVVD.exe
  C:\Windows\System\FXCOVVD.exe
  2⤵
  PID:2620
- C:\Windows\System\WPqqfyB.exe
  C:\Windows\System\WPqqfyB.exe
  2⤵
  PID:3048
- C:\Windows\System\XCIRhEJ.exe
  C:\Windows\System\XCIRhEJ.exe
  2⤵
  PID:1516
- C:\Windows\System\hLocAeM.exe
  C:\Windows\System\hLocAeM.exe
  2⤵
  PID:1556
- C:\Windows\System\aaormmj.exe
  C:\Windows\System\aaormmj.exe
  2⤵
  PID:2120
- C:\Windows\System\NQpJSwV.exe
  C:\Windows\System\NQpJSwV.exe
  2⤵
  PID:2388
- C:\Windows\System\unMGndZ.exe
  C:\Windows\System\unMGndZ.exe
  2⤵
  PID:2044
- C:\Windows\System\iVRyROI.exe
  C:\Windows\System\iVRyROI.exe
  2⤵
  PID:2616
- C:\Windows\System\qsBiBwo.exe
  C:\Windows\System\qsBiBwo.exe
  2⤵
  PID:2868
- C:\Windows\System\OWsFjoK.exe
  C:\Windows\System\OWsFjoK.exe
  2⤵
  PID:1324
- C:\Windows\System\UszFnsE.exe
  C:\Windows\System\UszFnsE.exe
  2⤵
  PID:2876
- C:\Windows\System\ZdgZpEE.exe
  C:\Windows\System\ZdgZpEE.exe
  2⤵
  PID:996
- C:\Windows\System\GDVncLS.exe
  C:\Windows\System\GDVncLS.exe
  2⤵
  PID:1424
- C:\Windows\System\ZZkTRZc.exe
  C:\Windows\System\ZZkTRZc.exe
  2⤵
  PID:2576
- C:\Windows\System\RCjBKCa.exe
  C:\Windows\System\RCjBKCa.exe
  2⤵
  PID:1588
- C:\Windows\System\WUWcIuq.exe
  C:\Windows\System\WUWcIuq.exe
  2⤵
  PID:1312
- C:\Windows\System\YhhGAIh.exe
  C:\Windows\System\YhhGAIh.exe
  2⤵
  PID:2428
- C:\Windows\System\raKpGzJ.exe
  C:\Windows\System\raKpGzJ.exe
  2⤵
  PID:2556
- C:\Windows\System\sDHkbyZ.exe
  C:\Windows\System\sDHkbyZ.exe
  2⤵
  PID:1108
- C:\Windows\System\agXllcA.exe
  C:\Windows\System\agXllcA.exe
  2⤵
  PID:540
- C:\Windows\System\CmsXpiC.exe
  C:\Windows\System\CmsXpiC.exe
  2⤵
  PID:2344
- C:\Windows\System\hkAPhmx.exe
  C:\Windows\System\hkAPhmx.exe
  2⤵
  PID:2972
- C:\Windows\System\wskUPlL.exe
  C:\Windows\System\wskUPlL.exe
  2⤵
  PID:920
- C:\Windows\System\CHaTRri.exe
  C:\Windows\System\CHaTRri.exe
  2⤵
  PID:696
- C:\Windows\System\hemBIUw.exe
  C:\Windows\System\hemBIUw.exe
  2⤵
  PID:2860
- C:\Windows\System\WwWWexM.exe
  C:\Windows\System\WwWWexM.exe
  2⤵
  PID:1600
- C:\Windows\System\OFxWlmJ.exe
  C:\Windows\System\OFxWlmJ.exe
  2⤵
  PID:704
- C:\Windows\System\ZGmVLlC.exe
  C:\Windows\System\ZGmVLlC.exe
  2⤵
  PID:576
- C:\Windows\System\jBFlhbz.exe
  C:\Windows\System\jBFlhbz.exe
  2⤵
  PID:1716
- C:\Windows\System\fbvZDvc.exe
  C:\Windows\System\fbvZDvc.exe
  2⤵
  PID:2064
- C:\Windows\System\tqruNNF.exe
  C:\Windows\System\tqruNNF.exe
  2⤵
  PID:888
- C:\Windows\System\wMHAwFr.exe
  C:\Windows\System\wMHAwFr.exe
  2⤵
  PID:3080
- C:\Windows\System\bOEdRii.exe
  C:\Windows\System\bOEdRii.exe
  2⤵
  PID:3100
- C:\Windows\System\fSGnyuf.exe
  C:\Windows\System\fSGnyuf.exe
  2⤵
  PID:3124
- C:\Windows\System\sDKbqFP.exe
  C:\Windows\System\sDKbqFP.exe
  2⤵
  PID:3140
- C:\Windows\System\cbyJgUK.exe
  C:\Windows\System\cbyJgUK.exe
  2⤵
  PID:3164
- C:\Windows\System\rVTyxTA.exe
  C:\Windows\System\rVTyxTA.exe
  2⤵
  PID:3184
- C:\Windows\System\lcrwimv.exe
  C:\Windows\System\lcrwimv.exe
  2⤵
  PID:3200
- C:\Windows\System\sHKzUrv.exe
  C:\Windows\System\sHKzUrv.exe
  2⤵
  PID:3220
- C:\Windows\System\eImiPVj.exe
  C:\Windows\System\eImiPVj.exe
  2⤵
  PID:3244
- C:\Windows\System\yHFrxAU.exe
  C:\Windows\System\yHFrxAU.exe
  2⤵
  PID:3260
- C:\Windows\System\SmBccNf.exe
  C:\Windows\System\SmBccNf.exe
  2⤵
  PID:3284
- C:\Windows\System\YaDlPxE.exe
  C:\Windows\System\YaDlPxE.exe
  2⤵
  PID:3304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BJBARTD.exe

Filesize
1.3MB

MD5
8125e4881341be0f7ab655ef5d429503

SHA1
26cd8d6e2bb27d6bcf446f5d290b001074a88047

SHA256
5b44b339c4217ebe1a14f3c93a6595b73e563ba5ec6894a3dff099b1247f1143

SHA512
3c0dc6831b53b0ad07ad9cc04e978478ef48019dd9506d9bd95fd3a4336655b1353f431ff2168638c478116f865416e7d35340894a096bcc9fccebe296fc0704

Download Submit
C:\Windows\system\CxnwZeG.exe

Filesize
1.3MB

MD5
37182e80b601a18316c1eca01e823177

SHA1
dc3642bad9e15fe0903991ca456bb562fc36c448

SHA256
eddb968ef231147a68bbf547ee7586396e5a485f7d917e31624a1445094f9915

SHA512
5c48f9062b5f399fb2cfac14479bf61652740191134c5a5517a46e091f0fcab987a58fd3e84eda358eacc7f95dbfdcbaa3fbb46b50805aa50dbade7a3175450a

Download Submit
C:\Windows\system\KXezNGk.exe

Filesize
1.3MB

MD5
3b6181c7d43dadb3b35c4d8a879fc82c

SHA1
fdf347cdae2a438fe5580743eb211f987efe6982

SHA256
982aaa310bf236ecfb8f9485428926b8c6895336adc763c82b97d50875ca0ea2

SHA512
8a2939ff8a43018870bff2b2ff8f41198ecb73caf0717a0fd4158ff33adbe8bce58b321e92671f08f5cc911670e5df08f19812af2872091cf9f6f529755386bd

Download Submit
C:\Windows\system\KamoJBy.exe

Filesize
1.3MB

MD5
112fabafca8f7835036d8523e9b608ac

SHA1
cb29b23451aaa41a599d07a73647f640ffa2f98f

SHA256
c221e25ff9716070d9d68bbd0453689eb970a0e2f7565b3ef286f768b6e3e6a7

SHA512
f840a4497c70a88d01cf3a467110d64895595327ae81802bef624b647f602505ed03b1ea2c2e5da3407aae181ee13c11a7e0e3b24657d792f6c18f47d4f258ec

Download Submit
C:\Windows\system\NSXdfoX.exe

Filesize
1.3MB

MD5
aa90c8a9e2409c4aff7a57907ca6a9ff

SHA1
8031b03f0ae249df6d19cac675835e52bffa62cc

SHA256
db562e15ec2916047acdac212747a3358943a76933279398b8562e6070b4a38a

SHA512
8ae2716f1ee685250955427a30021922b07dcdc28e8547dc34572427e5c4343b05726cf8e8743ffbd421ba502d982be8099392bc8cdf2253c4684f255fffafd7

Download Submit
C:\Windows\system\OfPtANt.exe

Filesize
1.3MB

MD5
a8a21d3599e96d0c1c28786fac870ab6

SHA1
78da0205cd82c2187323bf72acb95600fc562971

SHA256
e32a5effda60912a900af522c3009976ca1469826a6f75839fc784c15a2ea9d2

SHA512
cae7732719f723073b8690bd1d801ab7403a59a86d9bede1271706cf2f3ac3616c9fcbaaf8b048149effee59c9ac714d6bff4b164b5af845f46c4a3f5a171202

Download Submit
C:\Windows\system\OtpZeML.exe

Filesize
1.3MB

MD5
4b9efff1ac3a1e2c1e45acc406624d2d

SHA1
d24e79cff88c852eb68d29daded7737a8258f073

SHA256
d24cae00ce3d757eb80d65f59a9776ceccaf563d211511d57f2cede7eb897e0c

SHA512
583e612a63f7c2754fa6ceeb277278f5ffe5cde0546f8f5bbacff45b28fe79cda1462d8b9a0ec24413e3be7c069b50f2a9043ae0d79624417f345b5db9952808

Download Submit
C:\Windows\system\PJdFioy.exe

Filesize
1.3MB

MD5
f37e7d8c933f64c3738e779ac05438d4

SHA1
5f458b9b234bdbd46910e3863927cdc4734aafbb

SHA256
f15ff8a39f9aa88142ee0d1d9bad50401310106e21be3ac7e8c37ef2272faa50

SHA512
b597ccecba96319443f7de0faad5b83c54e07a56d9024f76c5a9ff7909e530c3e6cf87dee1e9e35096ab4d8bb34a98df50c2719b872ad1a1ef3ad675c0480289

Download Submit
C:\Windows\system\TzYulIk.exe

Filesize
1.3MB

MD5
393945d9cb16a5e77d30d24e9b3e552c

SHA1
5d433cedd3cb7fe6b708d1d5e9d72fc2e5c59052

SHA256
83584022f555255d69692878e28c7802ec5c62b0a9c51ef89ffbf0792cf347d1

SHA512
a666716641db80e7819145420953aaa3e867a5d041d78d0a60ac2c435fa390042483b2be5fd1b849956acb21583d233b3aea7053337431bd7e4bed06faf8521c

Download Submit
C:\Windows\system\XRtpHxD.exe

Filesize
1.3MB

MD5
04a0427e429303ed83f3a10065bdbb0f

SHA1
a2f20c7d2e259a93195837fa8b3cbfd66c833802

SHA256
fb82496bdc9909d7b925ec99596eb8bc633ee78d09ac04a5b2a7598c6076178b

SHA512
c51366124ed382a54a47c078cb6815ef75cdc7d0c56ffcaeb9064d2efbbd94ade6326c98310a9fe809ce45f7a4d8f6a130ef7dfec5eae32e02d1633236ce8681

Download Submit
C:\Windows\system\ZSDZPqA.exe

Filesize
1.3MB

MD5
f998f862c91edca4a2ef431907d2fc0b

SHA1
16e741c1df8ef917535a8adfbbab5c69498cb8ac

SHA256
4a10af17e768a8e4692b7b84db87aff3a89871247448499e983ae1912955403b

SHA512
4f5c56f64f4f08c0e2b4c9d4b3c7a5982ab0d591012febf188f5135889b7ec578e11baee8abab0bb1535c10b9126653f2529b160e251eb4c9619bf709899a30c

Download Submit
C:\Windows\system\ZprjCep.exe

Filesize
1.3MB

MD5
8fd8bab5422d5428c6c21f5fad89586c

SHA1
e8373312edd64c86969817f1e9231a3f2f7ff343

SHA256
dc7e171a90a420155addc419f9d679c77b409ac487f02e68080face516a5d1c7

SHA512
367e9df58c806027755737650a1d3c4402e386d7738490384ba59f2e5a4d3eec972037307618ace001b892970dd4b13c626e0394cde1fa74a4c5d270523f2d11

Download Submit
C:\Windows\system\bHXTNHD.exe

Filesize
1.3MB

MD5
02865acbe73bc1a315d2a980aae9b003

SHA1
76eed7cc782b670aa8d72ffdea87f741d4ed5b66

SHA256
ca18491aaef652f417cf347ed655b78634a05679d6014b7d5e5ebfe93e0a0da8

SHA512
b006c626d638f0534bf3df3bccd745af450e01e54badb0976c6a235eca270e78c686604bd5849677f262b9f008b0c0b7a6fb1caf8c75a0c959cad4965f8b19e7

Download Submit
C:\Windows\system\eSqqleW.exe

Filesize
1.3MB

MD5
d16053fe133474c5bfb1e5d808000c45

SHA1
fcf51b637dfa51cfd91b8d6d2ab3d3b3b4f9ccf6

SHA256
f62272ff34592cefb335d5b8d86d19ba473caf9358ab1796fbde60a3b0590119

SHA512
02559939d48a37636b1b8efbdcb567c10b38092ca8bcdf5d39606ff169305a26e02feb26563b087bc03ce9d55e06195ddd6cddf311e33ddc52bc9b549c1efa68

Download Submit
C:\Windows\system\evkBxzK.exe

Filesize
1.3MB

MD5
5e6bf578bfc4f8ea679b210a793c9b36

SHA1
a4248afca40c32aeb6363fb3e49f597c746bf23d

SHA256
8282edac616201cb0759aae767dd08dda4133d405f3f3d1c5c10adbe83f5a731

SHA512
f7b290f4702a7ec74c1864cb9177a33071183cbd3c8815d486fa8f7452468fc0f6d55f874456139a638630c9f37769df4af94137291e9e761aa0f5853b1e4bcd

Download Submit
C:\Windows\system\hWxLeDz.exe

Filesize
1.3MB

MD5
240616ed00593e27279a35029313d621

SHA1
0a0231a67a81ba99a33f0b43e667410cf4e0bdbc

SHA256
decee00ae10bff2b885e74e7870133f7b6cef3d21ae4b137a71a0180a0efbba8

SHA512
bc43ae3b08ffb2695eddefb4de356619cebfc54fdd26c8ec9250a57d444cc07aa4689f87ed80ce8c480b44de9294c44182af57dc19a736aac5acdab244780ac8

Download Submit
C:\Windows\system\iVFPPzr.exe

Filesize
1.3MB

MD5
3154e0f16d7c172526cdb9ad84c7be80

SHA1
3c193f664fde3a027a226d31ec6b0cb867223a27

SHA256
4c16d4eea97420fab915a4542cf8be5facabbd52f38d7372cf3cbd509f9955cf

SHA512
9d4f5286e7e94b9834786464369491aec45006af0ad224e3947f92f2aba3def6f5111cfa7eb9904ed09a74de609dd8c3e4a3eac3a6f1cc227db08c5d14ea1975

Download Submit
C:\Windows\system\iunNwWB.exe

Filesize
1.3MB

MD5
56cb47fd8f1828baab517eeee790e0cc

SHA1
088964ec639d5364db33e75017e2585ab1c03fc8

SHA256
be95ba824744a0643531dd92b291d5f527e6f49d8c4afe29a5a3a8b4f57d3fde

SHA512
806f80db2da968c4ce6cb7729546205e4b08701295ec063a95378e18f3a6dcc46ce2920028d5a6d0f067ac1471a551e0e4784f1f48ad4a07250373d9ffeaadee

Download Submit
C:\Windows\system\kRCZWch.exe

Filesize
1.3MB

MD5
22437cd591d10d919bb95c1c9e2047ce

SHA1
6212102d459d09f76ae8d74fb36273c63f76a996

SHA256
9ff9be8bbd437950a136cb7e4da131f3a18653574b434d57acbe8b2f58ed0b7f

SHA512
ee123400e52c114be407698bf2adf6d3c492210734a9a09ddac240631f8a4d1fc98dedc9ac7c419a2cd4cb39194294e18ea0e0a5f6030c39e66e73a5f91f43a7

Download Submit
C:\Windows\system\nxBzPLj.exe

Filesize
1.3MB

MD5
2f7e23239e6cc05b48b2914128ea581d

SHA1
3bc58ae3c74f627b314974e1ef19eea928c5be34

SHA256
2e5987c45d2251a40b0744434afcc60817865358352b0183009f0a56c52a3d8b

SHA512
9da3e4c70f705cd1b8de1b8e9531327a92f64385e16571891804eafc3d901af354f3536d1ebc5891a1230ec826f73d306164873e95930e3c4106b2c19539f474

Download Submit
C:\Windows\system\onThFlM.exe

Filesize
1.3MB

MD5
57ae9cd3c299b30d6155770befb7327f

SHA1
9207a2b02eca0af2724eabc785b2dcec73448a7d

SHA256
1ba1417b84ad41739123c97656f1617a6f0892784053ae3855ddbc5d0d4e4fcb

SHA512
ca3e03c62b01ab6f6a2e7fc0d3cb06bb0e2e4182d0c8eb98ade5fbf5bf6f4ddb5019d1c5685aec4e7ebd60f65e39a2a8d252a4d77c5e720bb5d318732d6f5077

Download Submit
C:\Windows\system\pMlyllO.exe

Filesize
1.3MB

MD5
a1dbdd1055fa9c8bb62924117d518d91

SHA1
e76ff119b424719942ef106f584e602badfdcd30

SHA256
a61de51018e85d0db8ab365812ca335f3602a63169d1d210fe384ddf55740284

SHA512
5fca67ce618e8eff3b19da3b7e6ff6c821a7c5a3ff56d228dcb83db5e87ef9d772c09667836f3baff68e4a34207a053e46a5379fc5ab7d117c37e9c8bb3adb40

Download Submit
C:\Windows\system\qBFqOlT.exe

Filesize
1.3MB

MD5
75c2d870f8cec4d203487ae14aebdc56

SHA1
641ee4f5d57e7a5534f87922004bcd1706d2dadf

SHA256
9af366b7a764aad01ac150773fd20e645539239c5364fd0ac01334dcaa0be1ae

SHA512
4d2dab9e3e084ca0eaf9205fd7b8b9563b20069b9820cded57ba3df0dc2dcb918f75c90b6ff905b1d6f7bc8b77d83788ec63754a27d6ef46d3e51af9341ad4af

Download Submit
C:\Windows\system\qpBXhep.exe

Filesize
1.3MB

MD5
07400152af750b7d66bbd68a3942d9df

SHA1
0b9d33a12e02e560124b8dade433c29b1984fe83

SHA256
d14b5f06413609b2895b219b39d454f52674fb68efa480bc820a6740b9090bcf

SHA512
0275a138723dd945d7ebfc600983c01a73120330d2d6a738ea5d718b2374153d84871aa96f928ffcbc1121f31de4f55f9f9a8665e70cf613fd55e800e8afa976

Download Submit
C:\Windows\system\sRrHzwH.exe

Filesize
1.3MB

MD5
94824d5c50547986e7a4792f630de08d

SHA1
448faae158df726c62c4bd8a7af766f2bd934360

SHA256
77a7143ec40b043146b1bae4d991b2f5b9e5166b083ba7adfd6ef44b38638d28

SHA512
3660f3b3976ff71c9f9f3e1300a4bd15bdcfc76516ea591e44d2658aeafa084b5526078c6a7e2673c8d587ad2f8055de7deb0b257f5c14f9ead673c0dac6109a

Download Submit
C:\Windows\system\utkWJpY.exe

Filesize
1.3MB

MD5
96e46eb9aba18c910ddbc2fc23d65540

SHA1
c415e727b3b49bf954f8b51709da05c6524bd43b

SHA256
a0c9e2b6fa5b1e3a87393965346cebe0f0671aceb075c57e451a4c75171c2fa9

SHA512
dcfbda5c3f03af40b0a60bba2f2b166d7ac680b660ef72bd79199a5280188da9cc02136346a6c1480a20b8849024badb00172f1fc0b6c951b70bfb279af32911

Download Submit
C:\Windows\system\xrToQKB.exe

Filesize
1.3MB

MD5
e074022f947a2fd00fa21df42ae38ef7

SHA1
467b079f2644e15537776618a003c6b4c2f69eac

SHA256
71c345467e760d405598fa6c2364e95c0ff9c349a2d465fb08719ff8a44c34cf

SHA512
2fdae21e81e23e6e70e4c2fe86032fdb1ea1afb602b13cd330f5c2fae8520dafadee31744c9befdf423d11d64e561a2bf8f5977831809f865ee4b67ad0b39b47

Download Submit
C:\Windows\system\ymtSMgF.exe

Filesize
1.3MB

MD5
af65b44b6a85a262217d87f2a7f8b38b

SHA1
24e2abbfe673109cf3ee634fa084360cdf5fd8ed

SHA256
baeb9fa66a2385852e6d60b2db6f7f3ca5037da8f430134ca38a5c46f37e47f9

SHA512
e11108f5912f926eccc76a3b71473133c7d733744446c7a23e6db3970a2ccdc98494d4f232655399bd2bf81f648ecdb8767a4314d288fa709ac1573277518c57

Download Submit
\Windows\system\JRywIuo.exe

Filesize
1.3MB

MD5
42b30fe9d9974e1e0f1b93afc501c7b1

SHA1
cd694a03a85e6805175187dfb0e2a7121744e029

SHA256
8aac29303fdd69b0f5d883e66356b3b65be8263e23e2f1a6cd0653c869c73206

SHA512
5f0a6703dbb732db4fda77ca44e5c837e702db9ecde2bf4b4ceade7c8a9a0b1d6766aba4e5c007823d00791d3862087016e514fc7342b6ee88d30676638b45ea

Download Submit
\Windows\system\bIXGHRo.exe

Filesize
1.3MB

MD5
9ac989bcd0c3e8a235d76800fce61f95

SHA1
905cdd65d6282aefd70e3176a3419ccb29df5b36

SHA256
37bfdd45bc1f79397c0edb1fb6adfdb9eb2eadf0564fd1a1f679b33b9a349927

SHA512
ae71632ce2a9d3a7408f9c139dc041eb7b997649b78ca89e521edf007361cc205317da49e1e1f30011b5e7c2a8ba14b84c977dd0914697ba2944fc24b09d6a03

Download Submit
\Windows\system\guzxlWI.exe

Filesize
1.3MB

MD5
a27eacae5182d520d0e911ab39e84bff

SHA1
368df84ebe07b446e86f3f79e56ff5e9b72f7325

SHA256
4cb98b5188e7530ae91cd3b26e46644fcc86300f7c2a42f8929ffdd897a2bd18

SHA512
d45feff7699cbe1fe30f17b1d72c984f517c5326b7fd9b7da660a3adc4f3f1643f6d98726e0263cfe7b55440679194ca578e105709ea57468eb5acf4e1c5bb4a

Download Submit
\Windows\system\qaAxIMf.exe

Filesize
1.3MB

MD5
83b33bb06bab323d6ccc29e1f1848547

SHA1
5f6d4fa0ac2be3b1731f38c810931b18b11b1852

SHA256
a3531e9cd4d8f75eeb25b4a2ce2130e5ab9f09e5c8fa4378dca2894a275cd736

SHA512
69bb07b2e3c641a42c145a44877ed519d9ea4b4cf10e878f101f107531e55273aa525204e34dda0c9108df68a53e61925227060b35fb1cef24491cc3cfd7625a

Download Submit
memory/1048-0-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download