xmrig | d6973371a72b815e4de33fb48bd8be1111f21e06688a4f4393cb4503b3eaf093

Analysis

max time kernel
137s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
Size

1.2MB
MD5

65d8fe4b0dff7e163122bc54e2f7df30
SHA1

afe69d29fa4145e15b444475f61ff8ee66ff0494
SHA256

d6973371a72b815e4de33fb48bd8be1111f21e06688a4f4393cb4503b3eaf093
SHA512

66eed5cb10a2734f74099b1e06b9512bb23496030fa906b3842948d5e81a01879034941287ba5fd551c6e39d18a6eef3a06bb91fbdaa6a7e610b95788928b4e0
SSDEEP

24576:GezaTnG99Q8FcNrpyNdfE0bLBgDOp2iSLz9LbBwlKensYKkTT7UudBW9VFIk8:GezaTF8FcNkNdfE0pZ9oztFwI6KDFf8

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 33 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\System\nbVUPPF.exe	xmrig
C:\Windows\System\pKCisxQ.exe	xmrig
C:\Windows\System\ghwSdcj.exe	xmrig
C:\Windows\System\JikHMWP.exe	xmrig
C:\Windows\System\xiquoOp.exe	xmrig
C:\Windows\System\lamLRYl.exe	xmrig
C:\Windows\System\OtArqBX.exe	xmrig
C:\Windows\System\jnBUGha.exe	xmrig
C:\Windows\System\cQmUSzZ.exe	xmrig
C:\Windows\System\eDfHXqE.exe	xmrig
C:\Windows\System\CJvInbW.exe	xmrig
C:\Windows\System\iHLZVCB.exe	xmrig
C:\Windows\System\UEEHtvl.exe	xmrig
C:\Windows\System\dHRNrGU.exe	xmrig
C:\Windows\System\QcqckyQ.exe	xmrig
C:\Windows\System\xClgQoZ.exe	xmrig
C:\Windows\System\QoNPbjZ.exe	xmrig
C:\Windows\System\UYajUuq.exe	xmrig
C:\Windows\System\MHrfiCQ.exe	xmrig
C:\Windows\System\sBcoBkP.exe	xmrig
C:\Windows\System\nIjqEMA.exe	xmrig
C:\Windows\System\AScyYts.exe	xmrig
C:\Windows\System\bWXBygW.exe	xmrig
C:\Windows\System\koljfsD.exe	xmrig
C:\Windows\System\lrkrlkX.exe	xmrig
C:\Windows\System\nzXsynn.exe	xmrig
C:\Windows\System\UatfSYc.exe	xmrig
C:\Windows\System\GQBWgcB.exe	xmrig
C:\Windows\System\ejoTZwg.exe	xmrig
C:\Windows\System\GbCXDHt.exe	xmrig
C:\Windows\System\lrOqHyt.exe	xmrig
C:\Windows\System\OCjZDOJ.exe	xmrig
C:\Windows\System\SgkIfHr.exe	xmrig

Executes dropped EXE 64 IoCs

Processes:

nbVUPPF.exeghwSdcj.exepKCisxQ.exeJikHMWP.exexiquoOp.exelamLRYl.exeOtArqBX.exejnBUGha.execQmUSzZ.exeeDfHXqE.exeCJvInbW.exeiHLZVCB.exeUEEHtvl.exedHRNrGU.exeQcqckyQ.exeSgkIfHr.exexClgQoZ.exeQoNPbjZ.exeUYajUuq.exeMHrfiCQ.exesBcoBkP.exeAScyYts.exenIjqEMA.exebWXBygW.exekoljfsD.exeOCjZDOJ.exelrOqHyt.exeGbCXDHt.exelrkrlkX.exenzXsynn.exeUatfSYc.exeGQBWgcB.exeejoTZwg.exeQqlkIgf.exeKgPHmLq.exeJWmdDdy.exechYzrfI.exelqufOow.exevzRRerb.execzXsZvJ.exeZsaEOWR.exeACSKdhY.exevkISCCL.exevqaRAaF.exeTTcQFTY.exeCqFMPUd.exelXWhbMg.exenuAPDbb.exeBgjZIDA.exeKcCvzEh.exeZSvKsAx.exeKWGEEpz.exewKzmzUA.exeZjNDItG.exejQqndpX.exenxZDSve.exebsFXSZj.exebnFPugM.exetoXDEji.exegeRrpzV.exeEJrEvAi.exeagEFQhe.exeWcVOFZI.exeQMnSndy.exe

pid	process
1700	nbVUPPF.exe
3112	ghwSdcj.exe
3132	pKCisxQ.exe
1424	JikHMWP.exe
4596	xiquoOp.exe
1236	lamLRYl.exe
4804	OtArqBX.exe
2600	jnBUGha.exe
1308	cQmUSzZ.exe
3068	eDfHXqE.exe
2948	CJvInbW.exe
3540	iHLZVCB.exe
4576	UEEHtvl.exe
1092	dHRNrGU.exe
3980	QcqckyQ.exe
3276	SgkIfHr.exe
728	xClgQoZ.exe
4732	QoNPbjZ.exe
3080	UYajUuq.exe
4560	MHrfiCQ.exe
3860	sBcoBkP.exe
988	AScyYts.exe
2520	nIjqEMA.exe
3120	bWXBygW.exe
5080	koljfsD.exe
3108	OCjZDOJ.exe
4808	lrOqHyt.exe
3636	GbCXDHt.exe
3232	lrkrlkX.exe
3512	nzXsynn.exe
4652	UatfSYc.exe
4460	GQBWgcB.exe
2004	ejoTZwg.exe
5048	QqlkIgf.exe
2300	KgPHmLq.exe
4896	JWmdDdy.exe
3608	chYzrfI.exe
1720	lqufOow.exe
1852	vzRRerb.exe
4632	czXsZvJ.exe
4372	ZsaEOWR.exe
5000	ACSKdhY.exe
2952	vkISCCL.exe
3324	vqaRAaF.exe
4288	TTcQFTY.exe
4836	CqFMPUd.exe
3864	lXWhbMg.exe
4432	nuAPDbb.exe
4536	BgjZIDA.exe
2228	KcCvzEh.exe
4636	ZSvKsAx.exe
1284	KWGEEpz.exe
3968	wKzmzUA.exe
628	ZjNDItG.exe
3996	jQqndpX.exe
712	nxZDSve.exe
2820	bsFXSZj.exe
2100	bnFPugM.exe
208	toXDEji.exe
2660	geRrpzV.exe
2768	EJrEvAi.exe
2828	agEFQhe.exe
2328	WcVOFZI.exe
4752	QMnSndy.exe

Drops file in Windows directory 64 IoCs

Processes:

65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\lXWhbMg.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\ruvwDpa.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\Liwyyxk.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\iVqaiYO.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\xiquoOp.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\iHLZVCB.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\USZjrMv.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\LMwecUA.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\bLZBcxP.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\PvlSpRB.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\czXsZvJ.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\EtTGIdW.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\sBcoBkP.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\UatfSYc.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\NPSbRMj.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\XVqmjnc.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\UEEHtvl.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\CREDISJ.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\hImlePC.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\xreeQri.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\yaPmvHA.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\QqlkIgf.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\FehReeH.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\PZffKGG.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\vqaRAaF.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\lxuqNJm.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\RVHygfq.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\cQmUSzZ.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\MHrfiCQ.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\agEFQhe.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\kwEjsTL.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\rGBnfTc.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\GDlooJV.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\paNbOtf.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\OCjZDOJ.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\TTcQFTY.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\yVGACGr.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\GdnEoZY.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\vEbGCuL.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\zkuUGqM.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\AScGBBo.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\ePPuhVi.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\GfbPxqf.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\HtRkWxU.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\OcZxNvz.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\KEuDheX.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\MAzUrxJ.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\CizogLO.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\lBBMHgP.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\JikHMWP.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\nIjqEMA.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\lrkrlkX.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\JWmdDdy.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\rRTBaJe.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\HPGRmUL.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\riWJvmB.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\cMETrGo.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\qDsmazA.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\OkPkOCi.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\nxZDSve.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\bsFXSZj.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\WrVOlqd.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\viDXyWp.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
File created	C:\Windows\System\McZEyHs.exe	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe

description	pid	process
Token: SeLockMemoryPrivilege	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe

description	pid	process	target process
PID 3688 wrote to memory of 1700	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	nbVUPPF.exe
PID 3688 wrote to memory of 1700	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	nbVUPPF.exe
PID 3688 wrote to memory of 3112	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	ghwSdcj.exe
PID 3688 wrote to memory of 3112	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	ghwSdcj.exe
PID 3688 wrote to memory of 3132	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	pKCisxQ.exe
PID 3688 wrote to memory of 3132	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	pKCisxQ.exe
PID 3688 wrote to memory of 1424	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	JikHMWP.exe
PID 3688 wrote to memory of 1424	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	JikHMWP.exe
PID 3688 wrote to memory of 4596	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	xiquoOp.exe
PID 3688 wrote to memory of 4596	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	xiquoOp.exe
PID 3688 wrote to memory of 1236	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	lamLRYl.exe
PID 3688 wrote to memory of 1236	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	lamLRYl.exe
PID 3688 wrote to memory of 4804	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	OtArqBX.exe
PID 3688 wrote to memory of 4804	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	OtArqBX.exe
PID 3688 wrote to memory of 2600	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	jnBUGha.exe
PID 3688 wrote to memory of 2600	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	jnBUGha.exe
PID 3688 wrote to memory of 1308	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	cQmUSzZ.exe
PID 3688 wrote to memory of 1308	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	cQmUSzZ.exe
PID 3688 wrote to memory of 3068	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	eDfHXqE.exe
PID 3688 wrote to memory of 3068	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	eDfHXqE.exe
PID 3688 wrote to memory of 2948	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	CJvInbW.exe
PID 3688 wrote to memory of 2948	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	CJvInbW.exe
PID 3688 wrote to memory of 3540	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	iHLZVCB.exe
PID 3688 wrote to memory of 3540	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	iHLZVCB.exe
PID 3688 wrote to memory of 4576	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	UEEHtvl.exe
PID 3688 wrote to memory of 4576	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	UEEHtvl.exe
PID 3688 wrote to memory of 1092	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	dHRNrGU.exe
PID 3688 wrote to memory of 1092	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	dHRNrGU.exe
PID 3688 wrote to memory of 3980	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	QcqckyQ.exe
PID 3688 wrote to memory of 3980	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	QcqckyQ.exe
PID 3688 wrote to memory of 3276	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	SgkIfHr.exe
PID 3688 wrote to memory of 3276	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	SgkIfHr.exe
PID 3688 wrote to memory of 728	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	xClgQoZ.exe
PID 3688 wrote to memory of 728	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	xClgQoZ.exe
PID 3688 wrote to memory of 4732	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	QoNPbjZ.exe
PID 3688 wrote to memory of 4732	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	QoNPbjZ.exe
PID 3688 wrote to memory of 3080	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	UYajUuq.exe
PID 3688 wrote to memory of 3080	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	UYajUuq.exe
PID 3688 wrote to memory of 4560	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	MHrfiCQ.exe
PID 3688 wrote to memory of 4560	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	MHrfiCQ.exe
PID 3688 wrote to memory of 3860	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	sBcoBkP.exe
PID 3688 wrote to memory of 3860	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	sBcoBkP.exe
PID 3688 wrote to memory of 988	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	AScyYts.exe
PID 3688 wrote to memory of 988	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	AScyYts.exe
PID 3688 wrote to memory of 2520	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	nIjqEMA.exe
PID 3688 wrote to memory of 2520	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	nIjqEMA.exe
PID 3688 wrote to memory of 3120	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	bWXBygW.exe
PID 3688 wrote to memory of 3120	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	bWXBygW.exe
PID 3688 wrote to memory of 5080	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	koljfsD.exe
PID 3688 wrote to memory of 5080	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	koljfsD.exe
PID 3688 wrote to memory of 3108	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	OCjZDOJ.exe
PID 3688 wrote to memory of 3108	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	OCjZDOJ.exe
PID 3688 wrote to memory of 4808	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	lrOqHyt.exe
PID 3688 wrote to memory of 4808	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	lrOqHyt.exe
PID 3688 wrote to memory of 3636	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	GbCXDHt.exe
PID 3688 wrote to memory of 3636	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	GbCXDHt.exe
PID 3688 wrote to memory of 3232	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	lrkrlkX.exe
PID 3688 wrote to memory of 3232	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	lrkrlkX.exe
PID 3688 wrote to memory of 3512	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	nzXsynn.exe
PID 3688 wrote to memory of 3512	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	nzXsynn.exe
PID 3688 wrote to memory of 4652	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	UatfSYc.exe
PID 3688 wrote to memory of 4652	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	UatfSYc.exe
PID 3688 wrote to memory of 4460	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	GQBWgcB.exe
PID 3688 wrote to memory of 4460	3688	65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe	GQBWgcB.exe

C:\Users\Admin\AppData\Local\Temp\65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\65d8fe4b0dff7e163122bc54e2f7df30_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\System\nbVUPPF.exe
C:\Windows\System\nbVUPPF.exe
2⤵
- Executes dropped EXE
PID:1700

C:\Windows\System\ghwSdcj.exe
C:\Windows\System\ghwSdcj.exe
2⤵
- Executes dropped EXE
PID:3112

C:\Windows\System\pKCisxQ.exe
C:\Windows\System\pKCisxQ.exe
2⤵
- Executes dropped EXE
PID:3132

C:\Windows\System\JikHMWP.exe
C:\Windows\System\JikHMWP.exe
2⤵
- Executes dropped EXE
PID:1424

C:\Windows\System\xiquoOp.exe
C:\Windows\System\xiquoOp.exe
2⤵
- Executes dropped EXE
PID:4596

C:\Windows\System\lamLRYl.exe
C:\Windows\System\lamLRYl.exe
2⤵
- Executes dropped EXE
PID:1236

C:\Windows\System\OtArqBX.exe
C:\Windows\System\OtArqBX.exe
2⤵
- Executes dropped EXE
PID:4804

C:\Windows\System\jnBUGha.exe
C:\Windows\System\jnBUGha.exe
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\System\cQmUSzZ.exe
C:\Windows\System\cQmUSzZ.exe
2⤵
- Executes dropped EXE
PID:1308

C:\Windows\System\eDfHXqE.exe
C:\Windows\System\eDfHXqE.exe
2⤵
- Executes dropped EXE
PID:3068

C:\Windows\System\CJvInbW.exe
C:\Windows\System\CJvInbW.exe
2⤵
- Executes dropped EXE
PID:2948

C:\Windows\System\iHLZVCB.exe
C:\Windows\System\iHLZVCB.exe
2⤵
- Executes dropped EXE
PID:3540

C:\Windows\System\UEEHtvl.exe
C:\Windows\System\UEEHtvl.exe
2⤵
- Executes dropped EXE
PID:4576

C:\Windows\System\dHRNrGU.exe
C:\Windows\System\dHRNrGU.exe
2⤵
- Executes dropped EXE
PID:1092

C:\Windows\System\QcqckyQ.exe
C:\Windows\System\QcqckyQ.exe
2⤵
- Executes dropped EXE
PID:3980

C:\Windows\System\SgkIfHr.exe
C:\Windows\System\SgkIfHr.exe
2⤵
- Executes dropped EXE
PID:3276

C:\Windows\System\xClgQoZ.exe
C:\Windows\System\xClgQoZ.exe
2⤵
- Executes dropped EXE
PID:728

C:\Windows\System\QoNPbjZ.exe
C:\Windows\System\QoNPbjZ.exe
2⤵
- Executes dropped EXE
PID:4732

C:\Windows\System\UYajUuq.exe
C:\Windows\System\UYajUuq.exe
2⤵
- Executes dropped EXE
PID:3080

C:\Windows\System\MHrfiCQ.exe
C:\Windows\System\MHrfiCQ.exe
2⤵
- Executes dropped EXE
PID:4560

C:\Windows\System\sBcoBkP.exe
C:\Windows\System\sBcoBkP.exe
2⤵
- Executes dropped EXE
PID:3860

C:\Windows\System\AScyYts.exe
C:\Windows\System\AScyYts.exe
2⤵
- Executes dropped EXE
PID:988

C:\Windows\System\nIjqEMA.exe
C:\Windows\System\nIjqEMA.exe
2⤵
- Executes dropped EXE
PID:2520

C:\Windows\System\bWXBygW.exe
C:\Windows\System\bWXBygW.exe
2⤵
- Executes dropped EXE
PID:3120

C:\Windows\System\koljfsD.exe
C:\Windows\System\koljfsD.exe
2⤵
- Executes dropped EXE
PID:5080

C:\Windows\System\OCjZDOJ.exe
C:\Windows\System\OCjZDOJ.exe
2⤵
- Executes dropped EXE
PID:3108

C:\Windows\System\lrOqHyt.exe
C:\Windows\System\lrOqHyt.exe
2⤵
- Executes dropped EXE
PID:4808

C:\Windows\System\GbCXDHt.exe
C:\Windows\System\GbCXDHt.exe
2⤵
- Executes dropped EXE
PID:3636

C:\Windows\System\lrkrlkX.exe
C:\Windows\System\lrkrlkX.exe
2⤵
- Executes dropped EXE
PID:3232

C:\Windows\System\nzXsynn.exe
C:\Windows\System\nzXsynn.exe
2⤵
- Executes dropped EXE
PID:3512

C:\Windows\System\UatfSYc.exe
C:\Windows\System\UatfSYc.exe
2⤵
- Executes dropped EXE
PID:4652

C:\Windows\System\GQBWgcB.exe
C:\Windows\System\GQBWgcB.exe
2⤵
- Executes dropped EXE
PID:4460

C:\Windows\System\ejoTZwg.exe
C:\Windows\System\ejoTZwg.exe
2⤵
- Executes dropped EXE
PID:2004

C:\Windows\System\QqlkIgf.exe
C:\Windows\System\QqlkIgf.exe
2⤵
- Executes dropped EXE
PID:5048

C:\Windows\System\KgPHmLq.exe
C:\Windows\System\KgPHmLq.exe
2⤵
- Executes dropped EXE
PID:2300

C:\Windows\System\JWmdDdy.exe
C:\Windows\System\JWmdDdy.exe
2⤵
- Executes dropped EXE
PID:4896

C:\Windows\System\chYzrfI.exe
C:\Windows\System\chYzrfI.exe
2⤵
- Executes dropped EXE
PID:3608

C:\Windows\System\lqufOow.exe
C:\Windows\System\lqufOow.exe
2⤵
- Executes dropped EXE
PID:1720

C:\Windows\System\vzRRerb.exe
C:\Windows\System\vzRRerb.exe
2⤵
- Executes dropped EXE
PID:1852

C:\Windows\System\czXsZvJ.exe
C:\Windows\System\czXsZvJ.exe
2⤵
- Executes dropped EXE
PID:4632

C:\Windows\System\ZsaEOWR.exe
C:\Windows\System\ZsaEOWR.exe
2⤵
- Executes dropped EXE
PID:4372

C:\Windows\System\ACSKdhY.exe
C:\Windows\System\ACSKdhY.exe
2⤵
- Executes dropped EXE
PID:5000

C:\Windows\System\vkISCCL.exe
C:\Windows\System\vkISCCL.exe
2⤵
- Executes dropped EXE
PID:2952

C:\Windows\System\vqaRAaF.exe
C:\Windows\System\vqaRAaF.exe
2⤵
- Executes dropped EXE
PID:3324

C:\Windows\System\TTcQFTY.exe
C:\Windows\System\TTcQFTY.exe
2⤵
- Executes dropped EXE
PID:4288

C:\Windows\System\CqFMPUd.exe
C:\Windows\System\CqFMPUd.exe
2⤵
- Executes dropped EXE
PID:4836

C:\Windows\System\lXWhbMg.exe
C:\Windows\System\lXWhbMg.exe
2⤵
- Executes dropped EXE
PID:3864

C:\Windows\System\nuAPDbb.exe
C:\Windows\System\nuAPDbb.exe
2⤵
- Executes dropped EXE
PID:4432

C:\Windows\System\BgjZIDA.exe
C:\Windows\System\BgjZIDA.exe
2⤵
- Executes dropped EXE
PID:4536

C:\Windows\System\KcCvzEh.exe
C:\Windows\System\KcCvzEh.exe
2⤵
- Executes dropped EXE
PID:2228

C:\Windows\System\ZSvKsAx.exe
C:\Windows\System\ZSvKsAx.exe
2⤵
- Executes dropped EXE
PID:4636

C:\Windows\System\KWGEEpz.exe
C:\Windows\System\KWGEEpz.exe
2⤵
- Executes dropped EXE
PID:1284

C:\Windows\System\wKzmzUA.exe
C:\Windows\System\wKzmzUA.exe
2⤵
- Executes dropped EXE
PID:3968

C:\Windows\System\ZjNDItG.exe
C:\Windows\System\ZjNDItG.exe
2⤵
- Executes dropped EXE
PID:628

C:\Windows\System\jQqndpX.exe
C:\Windows\System\jQqndpX.exe
2⤵
- Executes dropped EXE
PID:3996

C:\Windows\System\nxZDSve.exe
C:\Windows\System\nxZDSve.exe
2⤵
- Executes dropped EXE
PID:712

C:\Windows\System\bsFXSZj.exe
C:\Windows\System\bsFXSZj.exe
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\System\bnFPugM.exe
C:\Windows\System\bnFPugM.exe
2⤵
- Executes dropped EXE
PID:2100

C:\Windows\System\toXDEji.exe
C:\Windows\System\toXDEji.exe
2⤵
- Executes dropped EXE
PID:208

C:\Windows\System\geRrpzV.exe
C:\Windows\System\geRrpzV.exe
2⤵
- Executes dropped EXE
PID:2660

C:\Windows\System\EJrEvAi.exe
C:\Windows\System\EJrEvAi.exe
2⤵
- Executes dropped EXE
PID:2768

C:\Windows\System\agEFQhe.exe
C:\Windows\System\agEFQhe.exe
2⤵
- Executes dropped EXE
PID:2828

C:\Windows\System\WcVOFZI.exe
C:\Windows\System\WcVOFZI.exe
2⤵
- Executes dropped EXE
PID:2328

C:\Windows\System\QMnSndy.exe
C:\Windows\System\QMnSndy.exe
2⤵
- Executes dropped EXE
PID:4752

C:\Windows\System\AADCmDv.exe
C:\Windows\System\AADCmDv.exe
2⤵
PID:4364

C:\Windows\System\miOyWCv.exe
C:\Windows\System\miOyWCv.exe
2⤵
PID:4892

C:\Windows\System\CREDISJ.exe
C:\Windows\System\CREDISJ.exe
2⤵
PID:4656

C:\Windows\System\NyQIsmF.exe
C:\Windows\System\NyQIsmF.exe
2⤵
PID:2204

C:\Windows\System\uLaLRYv.exe
C:\Windows\System\uLaLRYv.exe
2⤵
PID:4828

C:\Windows\System\kavOuEm.exe
C:\Windows\System\kavOuEm.exe
2⤵
PID:4572

C:\Windows\System\VYpKDnT.exe
C:\Windows\System\VYpKDnT.exe
2⤵
PID:4568

C:\Windows\System\NDkyVlk.exe
C:\Windows\System\NDkyVlk.exe
2⤵
PID:1204

C:\Windows\System\rRTBaJe.exe
C:\Windows\System\rRTBaJe.exe
2⤵
PID:1936

C:\Windows\System\tRVRfqB.exe
C:\Windows\System\tRVRfqB.exe
2⤵
PID:4684

C:\Windows\System\pVNWXZA.exe
C:\Windows\System\pVNWXZA.exe
2⤵
PID:1180

C:\Windows\System\KzwUIjk.exe
C:\Windows\System\KzwUIjk.exe
2⤵
PID:4812

C:\Windows\System\KpIrxNk.exe
C:\Windows\System\KpIrxNk.exe
2⤵
PID:1084

C:\Windows\System\FaJVgaz.exe
C:\Windows\System\FaJVgaz.exe
2⤵
PID:3124

C:\Windows\System\XNBQrPW.exe
C:\Windows\System\XNBQrPW.exe
2⤵
PID:4756

C:\Windows\System\gQuJomt.exe
C:\Windows\System\gQuJomt.exe
2⤵
PID:3452

C:\Windows\System\qcHwqsU.exe
C:\Windows\System\qcHwqsU.exe
2⤵
PID:3352

C:\Windows\System\KpNTYLw.exe
C:\Windows\System\KpNTYLw.exe
2⤵
PID:2688

C:\Windows\System\vEbGCuL.exe
C:\Windows\System\vEbGCuL.exe
2⤵
PID:2144

C:\Windows\System\lPmvUwR.exe
C:\Windows\System\lPmvUwR.exe
2⤵
PID:3640

C:\Windows\System\oUkAhvP.exe
C:\Windows\System\oUkAhvP.exe
2⤵
PID:376

C:\Windows\System\ePPuhVi.exe
C:\Windows\System\ePPuhVi.exe
2⤵
PID:1428

C:\Windows\System\yVGACGr.exe
C:\Windows\System\yVGACGr.exe
2⤵
PID:5140

C:\Windows\System\GfbPxqf.exe
C:\Windows\System\GfbPxqf.exe
2⤵
PID:5176

C:\Windows\System\kwEjsTL.exe
C:\Windows\System\kwEjsTL.exe
2⤵
PID:5224

C:\Windows\System\GdnEoZY.exe
C:\Windows\System\GdnEoZY.exe
2⤵
PID:5248

C:\Windows\System\hImlePC.exe
C:\Windows\System\hImlePC.exe
2⤵
PID:5284

C:\Windows\System\WCkgeQW.exe
C:\Windows\System\WCkgeQW.exe
2⤵
PID:5320

C:\Windows\System\kUlTuIY.exe
C:\Windows\System\kUlTuIY.exe
2⤵
PID:5360

C:\Windows\System\LMwecUA.exe
C:\Windows\System\LMwecUA.exe
2⤵
PID:5396

C:\Windows\System\HtRkWxU.exe
C:\Windows\System\HtRkWxU.exe
2⤵
PID:5436

C:\Windows\System\YOQTYJs.exe
C:\Windows\System\YOQTYJs.exe
2⤵
PID:5464

C:\Windows\System\FxSOGFW.exe
C:\Windows\System\FxSOGFW.exe
2⤵
PID:5500

C:\Windows\System\MEEiMkh.exe
C:\Windows\System\MEEiMkh.exe
2⤵
PID:5520

C:\Windows\System\xYxqBNx.exe
C:\Windows\System\xYxqBNx.exe
2⤵
PID:5536

C:\Windows\System\WrVOlqd.exe
C:\Windows\System\WrVOlqd.exe
2⤵
PID:5572

C:\Windows\System\SBbkVYb.exe
C:\Windows\System\SBbkVYb.exe
2⤵
PID:5612

C:\Windows\System\VTQWVOB.exe
C:\Windows\System\VTQWVOB.exe
2⤵
PID:5628

C:\Windows\System\JodyzsP.exe
C:\Windows\System\JodyzsP.exe
2⤵
PID:5668

C:\Windows\System\oBPEDhK.exe
C:\Windows\System\oBPEDhK.exe
2⤵
PID:5696

C:\Windows\System\McZEyHs.exe
C:\Windows\System\McZEyHs.exe
2⤵
PID:5724

C:\Windows\System\zkuUGqM.exe
C:\Windows\System\zkuUGqM.exe
2⤵
PID:5752

C:\Windows\System\GDlooJV.exe
C:\Windows\System\GDlooJV.exe
2⤵
PID:5784

C:\Windows\System\aAMKKWi.exe
C:\Windows\System\aAMKKWi.exe
2⤵
PID:5812

C:\Windows\System\IdgCZQR.exe
C:\Windows\System\IdgCZQR.exe
2⤵
PID:5840

C:\Windows\System\NPSbRMj.exe
C:\Windows\System\NPSbRMj.exe
2⤵
PID:5872

C:\Windows\System\OcZxNvz.exe
C:\Windows\System\OcZxNvz.exe
2⤵
PID:5896

C:\Windows\System\qtBgunB.exe
C:\Windows\System\qtBgunB.exe
2⤵
PID:5916

C:\Windows\System\HPGRmUL.exe
C:\Windows\System\HPGRmUL.exe
2⤵
PID:5952

C:\Windows\System\ruvwDpa.exe
C:\Windows\System\ruvwDpa.exe
2⤵
PID:5972

C:\Windows\System\qDsmazA.exe
C:\Windows\System\qDsmazA.exe
2⤵
PID:6000

C:\Windows\System\RmsURrS.exe
C:\Windows\System\RmsURrS.exe
2⤵
PID:6032

C:\Windows\System\YtydRTT.exe
C:\Windows\System\YtydRTT.exe
2⤵
PID:6068

C:\Windows\System\MAzUrxJ.exe
C:\Windows\System\MAzUrxJ.exe
2⤵
PID:6096

C:\Windows\System\mDMPTzF.exe
C:\Windows\System\mDMPTzF.exe
2⤵
PID:6124

C:\Windows\System\sbiqoCp.exe
C:\Windows\System\sbiqoCp.exe
2⤵
PID:2264

C:\Windows\System\riWJvmB.exe
C:\Windows\System\riWJvmB.exe
2⤵
PID:5196

C:\Windows\System\rVpOhjf.exe
C:\Windows\System\rVpOhjf.exe
2⤵
PID:556

C:\Windows\System\JLTOAhz.exe
C:\Windows\System\JLTOAhz.exe
2⤵
PID:5272

C:\Windows\System\UWFOwYZ.exe
C:\Windows\System\UWFOwYZ.exe
2⤵
PID:5356

C:\Windows\System\NHaGjvA.exe
C:\Windows\System\NHaGjvA.exe
2⤵
PID:5460

C:\Windows\System\qrHGqFW.exe
C:\Windows\System\qrHGqFW.exe
2⤵
PID:5220

C:\Windows\System\rGBnfTc.exe
C:\Windows\System\rGBnfTc.exe
2⤵
PID:5596

C:\Windows\System\COkVRKx.exe
C:\Windows\System\COkVRKx.exe
2⤵
PID:5688

C:\Windows\System\UudOVSW.exe
C:\Windows\System\UudOVSW.exe
2⤵
PID:5716

C:\Windows\System\VxCRZfU.exe
C:\Windows\System\VxCRZfU.exe
2⤵
PID:5760

C:\Windows\System\viDXyWp.exe
C:\Windows\System\viDXyWp.exe
2⤵
PID:5832

C:\Windows\System\znLldsB.exe
C:\Windows\System\znLldsB.exe
2⤵
PID:5852

C:\Windows\System\EtTGIdW.exe
C:\Windows\System\EtTGIdW.exe
2⤵
PID:5904

C:\Windows\System\VjkqACd.exe
C:\Windows\System\VjkqACd.exe
2⤵
PID:5984

C:\Windows\System\brfmlXq.exe
C:\Windows\System\brfmlXq.exe
2⤵
PID:6120

C:\Windows\System\kyVDmMK.exe
C:\Windows\System\kyVDmMK.exe
2⤵
PID:2280

C:\Windows\System\ZjwnyVM.exe
C:\Windows\System\ZjwnyVM.exe
2⤵
PID:5244

C:\Windows\System\deVSlLF.exe
C:\Windows\System\deVSlLF.exe
2⤵
PID:5560

C:\Windows\System\MjJjzoe.exe
C:\Windows\System\MjJjzoe.exe
2⤵
PID:5656

C:\Windows\System\cMETrGo.exe
C:\Windows\System\cMETrGo.exe
2⤵
PID:5808

C:\Windows\System\FkNPNIa.exe
C:\Windows\System\FkNPNIa.exe
2⤵
PID:5944

C:\Windows\System\AScGBBo.exe
C:\Windows\System\AScGBBo.exe
2⤵
PID:5136

C:\Windows\System\CizogLO.exe
C:\Windows\System\CizogLO.exe
2⤵
PID:4120

C:\Windows\System\HKJKUWn.exe
C:\Windows\System\HKJKUWn.exe
2⤵
PID:5744

C:\Windows\System\JLGFSJh.exe
C:\Windows\System\JLGFSJh.exe
2⤵
PID:6020

C:\Windows\System\xreeQri.exe
C:\Windows\System\xreeQri.exe
2⤵
PID:5660

C:\Windows\System\ajBzYLj.exe
C:\Windows\System\ajBzYLj.exe
2⤵
PID:5680

C:\Windows\System\JPIYTnY.exe
C:\Windows\System\JPIYTnY.exe
2⤵
PID:6164

C:\Windows\System\lxuqNJm.exe
C:\Windows\System\lxuqNJm.exe
2⤵
PID:6180

C:\Windows\System\fIZrnzO.exe
C:\Windows\System\fIZrnzO.exe
2⤵
PID:6208

C:\Windows\System\JSePkbg.exe
C:\Windows\System\JSePkbg.exe
2⤵
PID:6236

C:\Windows\System\lBBMHgP.exe
C:\Windows\System\lBBMHgP.exe
2⤵
PID:6272

C:\Windows\System\nEzjxLo.exe
C:\Windows\System\nEzjxLo.exe
2⤵
PID:6312

C:\Windows\System\bLZBcxP.exe
C:\Windows\System\bLZBcxP.exe
2⤵
PID:6336

C:\Windows\System\paNbOtf.exe
C:\Windows\System\paNbOtf.exe
2⤵
PID:6356

C:\Windows\System\xwGOavm.exe
C:\Windows\System\xwGOavm.exe
2⤵
PID:6380

C:\Windows\System\Liwyyxk.exe
C:\Windows\System\Liwyyxk.exe
2⤵
PID:6420

C:\Windows\System\XVqmjnc.exe
C:\Windows\System\XVqmjnc.exe
2⤵
PID:6436

C:\Windows\System\xbYqvIN.exe
C:\Windows\System\xbYqvIN.exe
2⤵
PID:6476

C:\Windows\System\ODoikGq.exe
C:\Windows\System\ODoikGq.exe
2⤵
PID:6504

C:\Windows\System\GbbKbZa.exe
C:\Windows\System\GbbKbZa.exe
2⤵
PID:6532

C:\Windows\System\hxtvmQr.exe
C:\Windows\System\hxtvmQr.exe
2⤵
PID:6548

C:\Windows\System\USZjrMv.exe
C:\Windows\System\USZjrMv.exe
2⤵
PID:6576

C:\Windows\System\CYdwMht.exe
C:\Windows\System\CYdwMht.exe
2⤵
PID:6596

C:\Windows\System\wrDTeaZ.exe
C:\Windows\System\wrDTeaZ.exe
2⤵
PID:6644

C:\Windows\System\PvlSpRB.exe
C:\Windows\System\PvlSpRB.exe
2⤵
PID:6660

C:\Windows\System\fpghZHk.exe
C:\Windows\System\fpghZHk.exe
2⤵
PID:6688

C:\Windows\System\RpJrPfa.exe
C:\Windows\System\RpJrPfa.exe
2⤵
PID:6712

C:\Windows\System\OkPkOCi.exe
C:\Windows\System\OkPkOCi.exe
2⤵
PID:6736

C:\Windows\System\nENcxKv.exe
C:\Windows\System\nENcxKv.exe
2⤵
PID:6764

C:\Windows\System\xhsEYon.exe
C:\Windows\System\xhsEYon.exe
2⤵
PID:6800

C:\Windows\System\kTKwNYu.exe
C:\Windows\System\kTKwNYu.exe
2⤵
PID:6836

C:\Windows\System\KVznAxN.exe
C:\Windows\System\KVznAxN.exe
2⤵
PID:6856

C:\Windows\System\PZffKGG.exe
C:\Windows\System\PZffKGG.exe
2⤵
PID:6884

C:\Windows\System\yaPmvHA.exe
C:\Windows\System\yaPmvHA.exe
2⤵
PID:6916

C:\Windows\System\Rarorfi.exe
C:\Windows\System\Rarorfi.exe
2⤵
PID:6936

C:\Windows\System\QVYPjnR.exe
C:\Windows\System\QVYPjnR.exe
2⤵
PID:6960

C:\Windows\System\QCBNXLV.exe
C:\Windows\System\QCBNXLV.exe
2⤵
PID:6988

C:\Windows\System\rrfKLWq.exe
C:\Windows\System\rrfKLWq.exe
2⤵
PID:7012

C:\Windows\System\iVqaiYO.exe
C:\Windows\System\iVqaiYO.exe
2⤵
PID:7052

C:\Windows\System\eJjbxlq.exe
C:\Windows\System\eJjbxlq.exe
2⤵
PID:7080

C:\Windows\System\KlxKUMx.exe
C:\Windows\System\KlxKUMx.exe
2⤵
PID:7104

C:\Windows\System\UGtIqqJ.exe
C:\Windows\System\UGtIqqJ.exe
2⤵
PID:7120

C:\Windows\System\FehReeH.exe
C:\Windows\System\FehReeH.exe
2⤵
PID:7148

C:\Windows\System\FwrsJKR.exe
C:\Windows\System\FwrsJKR.exe
2⤵
PID:6228

C:\Windows\System\gZdvuTu.exe
C:\Windows\System\gZdvuTu.exe
2⤵
PID:6320

C:\Windows\System\CVsHqbs.exe
C:\Windows\System\CVsHqbs.exe
2⤵
PID:6344

C:\Windows\System\GDlSpSj.exe
C:\Windows\System\GDlSpSj.exe
2⤵
PID:6460

C:\Windows\System\iapTiqX.exe
C:\Windows\System\iapTiqX.exe
2⤵
PID:6524

C:\Windows\System\NTfJZTB.exe
C:\Windows\System\NTfJZTB.exe
2⤵
PID:6560

C:\Windows\System\GEciKnK.exe
C:\Windows\System\GEciKnK.exe
2⤵
PID:6584

C:\Windows\System\gtvcqvH.exe
C:\Windows\System\gtvcqvH.exe
2⤵
PID:6656

C:\Windows\System\KEuDheX.exe
C:\Windows\System\KEuDheX.exe
2⤵
PID:6672

C:\Windows\System\ULAwzxD.exe
C:\Windows\System\ULAwzxD.exe
2⤵
PID:6724

C:\Windows\System\RVHygfq.exe
C:\Windows\System\RVHygfq.exe
2⤵
PID:6792

C:\Windows\System\IQmsywO.exe
C:\Windows\System\IQmsywO.exe
2⤵
PID:6868

C:\Windows\System\OHLNHeg.exe
C:\Windows\System\OHLNHeg.exe
2⤵
PID:6948

C:\Windows\System\tHxjGHh.exe
C:\Windows\System\tHxjGHh.exe
2⤵
PID:6996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AScyYts.exe

Filesize
1.2MB

MD5
0f74bf382cae127a6a0b17a3507e6a28

SHA1
c889c47030e3be3bf341242430b532cabde84de8

SHA256
fb989f89547baa19d9cd37dfba799f30a326b70afec0a2ecf9910ff6150f0ae5

SHA512
35e16c0accf13c7f0f5acfd0dfe0d1fc233dcf4e1bfa1c9bc8f867c03be0270917e81d069d3ca2fff5cf74227289a3541424a04a1646a17f1da140b486759b22

Download Submit
C:\Windows\System\CJvInbW.exe

Filesize
1.2MB

MD5
04062e684659e6b1c4679c91c838fd26

SHA1
33ca0d8cf7363ef01b61a5318bc5a56e740bb868

SHA256
e23ec00f2b584bfc66fd82cac6fae6ef37a94ffb0da4cc1931880045f0e40b98

SHA512
257b30bf1410536235d248c6053360d94440c47cc5f314e491bf4dff3abb2cbbffcf483a3f1a49ac884ad1dc4c23c0911bbaf147c856eca639d253833bad9b77

Download Submit
C:\Windows\System\GQBWgcB.exe

Filesize
1.3MB

MD5
0c26475572c91791496136f88da40f94

SHA1
8ceed1122d25ed5f0d8358681cfee796f24a2925

SHA256
5b9670d7be51203f62c72da35d19c04a40f3db20b0731a05a488ff51a30e213c

SHA512
3f6d3dc53ea0bcfbd41e0b03bdf854761eaa80f14ab3f1a59756ec607d2bd3ca42b720cfdafff1529d8a3fed1f7d800bb270d8fd42318fc87d8fb6ea34ce11bd

Download Submit
C:\Windows\System\GbCXDHt.exe

Filesize
1.3MB

MD5
6e01fa76237b9a5b2b1140e34fea68dd

SHA1
3a356869ce9622d20b14bd1aee7d01e8fa5b7349

SHA256
586754db36a08d82a20d451a978cff6ed3a1b0a7d6823e6fc5802db5f9d82d38

SHA512
175527b3680ad9a706e5940ecf905988d85ba4e2a925e6d3a67dd677db6625d6f7ab4d1b119a03a7f408c2e57d6cb5a9a849cee7671429c483f5caa133af80c1

Download Submit
C:\Windows\System\JikHMWP.exe

Filesize
1.2MB

MD5
cecb9782dc667c6279a6ab6797d2a3d8

SHA1
b636f3d3efb6d4cd56f6ecc6af40a749894ad352

SHA256
71ca32454c601225f182dd0134e64c14ab7eebfbbaa7f361037fcbb24f469402

SHA512
8e62759ccd92bffc0996d8b6c35fadd94da2d7248bf37164c563f83546b642ec0652a2b344be7267a178f6355113ea85652fdb78eb90c0da62fb6a903ee0fb92

Download Submit
C:\Windows\System\MHrfiCQ.exe

Filesize
1.2MB

MD5
236aca563c2196c9ed549bafdb39108b

SHA1
5131c1146d8d4ea08bcf187e1714d9f36e35fd33

SHA256
875b61fc87ccb1d0ba6205c51715ce17fd2ae908700617edabffc7528d96b121

SHA512
8efa8354676f98cee441c58cadc6bd2218c6a3fadf2cbd55b0b433c0ff9e8faa2ec2b6f3755be0e4861860ab836fc0816888e1e703793968bc319b3a2d717cea

Download Submit
C:\Windows\System\OCjZDOJ.exe

Filesize
1.3MB

MD5
939239289494a68fbeac2fa5b1b25519

SHA1
c80ea8270cdc1fbb8acc9e9a723dbe912f2a73be

SHA256
e218202440620f7ab03f74db4aef1d6ec7a217424899fc6281d949343ee9e272

SHA512
9d46fea53cd85fff4824ac53e07f5f0498446a7fbfe6e0321c088753d6057580cce62945c997e5086360da58b3444634068d54500d35632e050ff6b149ffdf4f

Download Submit
C:\Windows\System\OtArqBX.exe

Filesize
1.2MB

MD5
ec9461e350acca816705a1ddf8450057

SHA1
d67353bd205c55637c579af3b5a89b479934b524

SHA256
9d2cb191504948a330c4da62a4d5cea75a5f8129cc7eb2f0759cb48f3b7210b8

SHA512
79fe3ffc26609c4497d2d37a4831e89b933c9640ec51654853c55e58ec83d406641d9520759b6ad5b7a0f1be66d65c40c8198084fc7f9eda8fba3a4b46812879

Download Submit
C:\Windows\System\QcqckyQ.exe

Filesize
1.2MB

MD5
5a029bf6971138e76cba0532406f1ae4

SHA1
6c5c3fb234ce8db4968ab05d75b80ab751ec4de9

SHA256
99f78d0ebc59a5043add7620cdcdf848a5fd9e953007d2456b4363c16ff45537

SHA512
58af9253a3955a1155a558e197f49d07fba796903b0877e8be171c4b6c0f0a971242e0cd28d02a2f99e755346fc34375c872e4de1326471a6603183bde68bf13

Download Submit
C:\Windows\System\QoNPbjZ.exe

Filesize
1.2MB

MD5
8d0d19da593ef4aac24a2190a91afb13

SHA1
df871348b8c9bd475abb9882081a8c1b5b2a02ec

SHA256
1e0c14a750333f4dcd3fd6818fef8d4de4ae788d781bd74092b82c34417b1236

SHA512
c61caea342b41cada49538657b3ab0bfbd3b73d364997c6a3b73b911342e70f9634d6e13986ac3c919c757947ec82e57ab7c847fd9cc2cc62cd302217d136d50

Download Submit
C:\Windows\System\SgkIfHr.exe

Filesize
1.2MB

MD5
9245a2fdd69b01bd5fdcc4822ada1d4f

SHA1
4e785dbb43138657bdc7fc33f86bd6cd7b366057

SHA256
0b75239deabb3734b4cf838b0ae95115860185a48d6618fda90eb5d1a9cb0a5f

SHA512
56df3bbe98affa8ad0cf7a510945b11e0c8dc69385907d2f153fac6aba967ea9faa8269edcd940895784132327c32a5d1e4000056d971aac8c3ac3db98615642

Download Submit
C:\Windows\System\UEEHtvl.exe

Filesize
1.2MB

MD5
918c80d99c7d6713664de945a34a686c

SHA1
4e72d5f44e07378456c03ce16761333a35b86aaf

SHA256
f29740a3855da78f14599ba37a83ef5d66124c30d041cbd889b513ff25b8fafc

SHA512
84646dda2a3038272941b93a613b003940eb19bd49707c864846eb1212922835a5178247f24bc49c3cd0a3d3227dd362ce00627a23e59fc990d9433f93385c9a

Download Submit
C:\Windows\System\UYajUuq.exe

Filesize
1.2MB

MD5
fc15921b77ac20944f66dc4fb1fad197

SHA1
070ad193655c241ff76ad9f95ff8f944f9cf3484

SHA256
949e623c8dc0f1c24ce44f24b366648069e6d2d393dfe17cdb800dde4b7488db

SHA512
5178f5bd4700f0d3a765823ee7087364cfe0a6dc25d2511ad916790eba6773d12b143c0ce887f22ddbc170e7516de70db2eda3d6a6e3e26cdb293cb0f36b6762

Download Submit
C:\Windows\System\UatfSYc.exe

Filesize
1.3MB

MD5
988e9a7a60d07ee797f00068653661e3

SHA1
3e3d70c1eb70602e0ec1a21e17fc9b6d5221cc7d

SHA256
3253b1f8178fb8f661d91d2af7638711ec76538b9c43b5500086843eda481df4

SHA512
ce8bf66330dc6a2c2916964482086915ec207430ccc9ea138a02ac7a84954795df6bd8f4a4a3af9a601ae646f34575f8178f0bbe27ed84fd02b2d2ff65c2de95

Download Submit
C:\Windows\System\bWXBygW.exe

Filesize
1.3MB

MD5
df73a688de4f6ab959d0e318e76e65e5

SHA1
bd447ce84c1758d5f0cb4c6c7e7491ace64b24dd

SHA256
fc25c402819a6332142a916170aa8798cc47b20938139b16c7c76522fedeba4a

SHA512
47ff7d5b398197f77366119f278f1ff1a5bcf0a457c85d7a36cfb9184442b0cec39d1d3f72a0e345b3e88757300775717a9e42da6f95538f2c7525af0fa19393

Download Submit
C:\Windows\System\cQmUSzZ.exe

Filesize
1.2MB

MD5
60f73dc1fd5af3c7bdced1c479432371

SHA1
20991ade951f6aac125eed9f35f3c3dcf45e1e00

SHA256
202b71f93a4ebd7f0f92ce8de120fb92364b330a7669703f9a306bdee5738119

SHA512
3b2adf3a1a7f8724b163d9539f7f8bf7540ec88b3378d28d8fc65d033b71ae4cec6e28c5b36af43197cb5a7fdaf3f5160ef4c69da27b94f677cd6ffafc1dea4a

Download Submit
C:\Windows\System\dHRNrGU.exe

Filesize
1.2MB

MD5
0b1816d72005e5957ce93df9e8a1fc37

SHA1
2a8ea53172e6fdde3e9e4f2b3cfaa7a6f64c79a1

SHA256
e8435a0b66819a7dd4959c0b9c67d9bf95a689696f3cdc16b8d66d72c2755f6b

SHA512
8bd12b917dfa87d2c4db78230afdc52bb576be60686177edff066dbc45b823d9e32a4c6eabe135555d913c50257e0a5bb01598d043bca1eadd42a6d2152a3530

Download Submit
C:\Windows\System\eDfHXqE.exe

Filesize
1.2MB

MD5
d330d5729b10cfc5cf35c9b3816338b2

SHA1
c6c3ac79a872a79cf362a1188431ea2f8da12aa7

SHA256
c70ef7a82ee5bfe1f51d6a638fa8d37e9de2d0e52fe7af879edff9c1e4fcf7d4

SHA512
2f96bd3c57cea3163d50ee4a5ac00697589566a013c7b1347212f18c3565fb0209f0e70b3626960ed55ac598d5ba667e4660b348a8cea258a6ba2d1a7f8fddc9

Download Submit
C:\Windows\System\ejoTZwg.exe

Filesize
1.3MB

MD5
ed69f7f59ac2599c218ef83c5e51be0d

SHA1
b3813f167caa47e3283312245f4b493bec689296

SHA256
2783aeeb0311e9f0f3cbcfb5b2ef7b656b1b7766234b51d8bb3cd33a237df466

SHA512
506501e60248af29f2805bba44c401b35567590ae9ac7b6b41abe2f519b6f6255387dfae779ed4109a6247bbfaec501b2831d91a0c7c6810e5d7a5aa426c7088

Download Submit
C:\Windows\System\ghwSdcj.exe

Filesize
1.2MB

MD5
0605b450dca5b85bb5692fa59045e551

SHA1
5f620605e0d291b744d53cd692e9ea5e7581747e

SHA256
0de4e224d8830eae7d37c9062b357f65480b2cdb40f3eccdafac4b222288122f

SHA512
7d45dd89bc764e1a2b986671106046f629a5fdbbe856831d1abf616b3535c62be808c3b8c42c996a9cbb4e7ca02ad4641c77257556b61134ca96402c3724ec4e

Download Submit
C:\Windows\System\iHLZVCB.exe

Filesize
1.2MB

MD5
26050ea41c85bcc81647365769c4923d

SHA1
33d89c44eff98ae7004bc707aa6de6b38e09dd4b

SHA256
c2e30e437b0676a9ba2646581c676f99cc6bb959e7b5bb4273e29a9a9fc8eae3

SHA512
b11b65087996812b3bf36648fd74d8a461fa40dbe4be7b8152d74241eb12dd5f95fd07a3d2eb3dc6113ad6e73db79b28365df237cf647f3aefc29a874241934f

Download Submit
C:\Windows\System\jnBUGha.exe

Filesize
1.2MB

MD5
81807501065e49cb5c932c78b929a55b

SHA1
e0cb0f5aee98be1477a3cee0e8389f94903cc014

SHA256
9a3d874ddec301bb8e702b11870b130875975676d11a5337d6fe0e484fd5d981

SHA512
7bfa310b31cabf0358ae143b9ae52d5cce207e3a731732cb2ac46279ff939c7b153a492ed5384d958d563677b0bf4d1c29d024300d822427269936065a399aef

Download Submit
C:\Windows\System\koljfsD.exe

Filesize
1.3MB

MD5
4d7bb273bbf5179a4d1c30c3e8577c14

SHA1
d3b42a92c8679d05651346054270d076d682f030

SHA256
7b7eb1b3e110a34651ca6a660ba4d907c2bc8d918753fcfe8fdfd9e2fc2e256a

SHA512
ae609eec722ae5f8f2b08bee5380e8f1226bb1db42908d1d220299495285e8b2d3770f3b931c50ecee35a64d889cd8ca6117f21f37bdcd7b7a691ba1a817d378

Download Submit
C:\Windows\System\lamLRYl.exe

Filesize
1.2MB

MD5
0849e8895992b7fca29df2cca22702b5

SHA1
9c8834b59431de0bb8060769f5348e6b3eb8d9cb

SHA256
44a4e551336eeb746602e61f5d7b6f62737adedf68a9e1b59a5bde45bfbfa091

SHA512
d72f7716244de0a6a993cca6197abca1ea9fc3fb4db039b5f11cca4509d459b67a7549c419725c8d91351fda5870b943ff423b6d74b4fdf241be98c6a51a8f33

Download Submit
C:\Windows\System\lrOqHyt.exe

Filesize
1.3MB

MD5
f62ab75041acd4a881641bb1a6a1b7fd

SHA1
e9c135dfd00e9e448e701732f32612f80e6aa260

SHA256
3433ad0a56997d071b160d29010ac1ac3ccde385b9eca358ecfd42a981c09fbd

SHA512
4bb4f662977fe810b0ecfd939dde30773c2cbcaa5b427220ac84eb4a798e95a5c0bb782fe3171ce0cd0c6195cde96bef2262e5fb45fea4bff3f62e39c25320ac

Download Submit
C:\Windows\System\lrkrlkX.exe

Filesize
1.3MB

MD5
c28a770bb0510f3e529e436df0a95091

SHA1
81d98c0209f39d2421666fbeb77a47d3adcb1dc5

SHA256
94842ab6c51cf8194f0cb9371a4a9c3504d413d4a15f5ce7ea2f079bdc2af358

SHA512
99a30f9237a8d83acafad19d5c18584dcd829624f58616eb4c9eac8e0c5aca922d66a83a35e3772f944b7328bbdb7b9e9c837aeabcbcabeacb60c2f3acf75719

Download Submit
C:\Windows\System\nIjqEMA.exe

Filesize
1.3MB

MD5
fc371aaf7255084aabab3039ca5901a0

SHA1
26b728ce15be29ea1bd909f2d1d789734c2650b4

SHA256
35f05b04c64e0caf6de455dc13c242295054e109beee5ac1a2ec5f1dd297ec46

SHA512
2597c820568002cfe45205afc4028de5b41f40dc78dc7119d95da562c5d830508c2863eba5a772435a45dcdbeb174193834e687475a606af5c322c7b0252d4e3

Download Submit
C:\Windows\System\nbVUPPF.exe

Filesize
1.2MB

MD5
a16243fe2c724e3d4f9502aaa05c1b10

SHA1
9513b3f588eb4bb52466bb5b3f3e9fe63a43cc2e

SHA256
f4b6452868dc734c99e351294289719e8ba102a100d523f19ec6ad34881866d0

SHA512
9388cc2dab82b7a7daa511d4627b746ad5373008db260d6f178c07b7a9ecda73afd0d941ceefb114c292edf6b2d146dc822595aba6d70484b042f70509c924ba

Download Submit
C:\Windows\System\nzXsynn.exe

Filesize
1.3MB

MD5
7072c76630eb473b0743eb74b85a37db

SHA1
c6398e501d1023d2016e899e33809892f7b25fa2

SHA256
24d6c0bf04afff80e372b81e8c66491d1539383a31320bf17f4df7c26ba45fbd

SHA512
07e0d6046c00bd9e47eb41f2fb65ad4282cf72b3c5d406e2797f5bbd2f0e9de354cd048d3db586b92a285950958c9fb5e16c3b04688136b06ce658f1e972554e

Download Submit
C:\Windows\System\pKCisxQ.exe

Filesize
1.2MB

MD5
d2d2643c0b6066c445b58efdf3cef570

SHA1
3bd9d489802acbbb7c5936cee4ac05daed5a4c58

SHA256
9c7b3e0356a91243bec0838674c1f90e5fc5dd079deb3a9f267bd458a7028ae5

SHA512
4b8ad7779e19d8a5879d0397f5064cb34a1a7ec3cedb9577d8bff3c3a42b6e974710a1b921a61ea0ad959d30640ce4bed28158a62f6567c5aaa723a0196efbc5

Download Submit
C:\Windows\System\sBcoBkP.exe

Filesize
1.2MB

MD5
403e15e296847c212a78f18edf8640e1

SHA1
d33d54b7e54552254ddaf4f6f5dbf8a727ce3715

SHA256
e3dfa496d22b762736d30c10cf73bc0df3faeae7cc5212a2d4fd06792927b7d7

SHA512
3cb153ad5bc8e267a65348691e3bd02cfb2a156d49656be2982958e39583fcb53301a06bb03c1d092541e47f62911eda47c8e4efe3b784567934344f465b7a7f

Download Submit
C:\Windows\System\xClgQoZ.exe

Filesize
1.2MB

MD5
08b73e7847b946f19aba82b31c95557b

SHA1
db852fd392bba7a73fdb0fdacd497e25a46ee7c1

SHA256
a62bcee032614394d91818c728e72877088db7926c89f2f940e3a8e446e4f7bd

SHA512
8c7a98bc044a497243f55562c720d3405858b1fa747c083f30392a111f22bad40ac67b5aee0b2b25e445ff767e6020917a0ef3ef8642b63cba0f3f52d3fb1d89

Download Submit
C:\Windows\System\xiquoOp.exe

Filesize
1.2MB

MD5
9fd399eeb2d5a2e77fb8b971954f3943

SHA1
78469bcc57e94324c818c092a7f36b49ebf99902

SHA256
bb1c9d5751911b00fc73936585b25a05472731d437a04cadfd4a69bb9ec0820b

SHA512
6042b6fdec17bc20b420cbe796c0dc89236bbf780dfdbb4243b32a922f2496b3791aae574d9ed83429543b1a663f9bc2ae44611503609da0515dd244fca6b8a3

Download Submit
memory/3688-0-0x000001FC34240000-0x000001FC34250000-memory.dmp

Filesize
64KB

Download