xmrig | c0f1568bdf5d5fb3ef1beb5e7da9648ddca67b90d176cb0494007871e0f9ceda

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
Size

1.3MB
MD5

71ddb467024c6c846404b47dd76173c0
SHA1

f543003998974661435cb47edc1e1a60489da9d8
SHA256

c0f1568bdf5d5fb3ef1beb5e7da9648ddca67b90d176cb0494007871e0f9ceda
SHA512

59e4b4886114e8e61e928b7a98f833863458a153610c3904fb627d30e5fa597ad75cf95fc13f7f21ccdf07bc6b6ebfcf893d2589f1edb4c62212a24f0b968ae2
SSDEEP

24576:GezaTnG99Q8FcNrpyNdfE0bLBgDOp2iSLz9LbBwlKensYKkzGUfiI7pXu3ajGEw4:GezaTF8FcNkNdfE0pZ9oztFwI6KQGyXt

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 32 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\System\fCGxhqg.exe	xmrig
C:\Windows\System\OwusLSc.exe	xmrig
C:\Windows\System\GELgfmo.exe	xmrig
C:\Windows\System\UmcrZBV.exe	xmrig
C:\Windows\System\YZrmgnY.exe	xmrig
C:\Windows\System\oeviJzh.exe	xmrig
C:\Windows\System\jdYtJRz.exe	xmrig
C:\Windows\System\jxzkwOz.exe	xmrig
C:\Windows\System\nHdpiob.exe	xmrig
C:\Windows\System\EzWXMMb.exe	xmrig
C:\Windows\System\APRYMpR.exe	xmrig
C:\Windows\System\FyTYXXz.exe	xmrig
C:\Windows\System\GTZnlqZ.exe	xmrig
C:\Windows\System\grNFrze.exe	xmrig
C:\Windows\System\QSmqKui.exe	xmrig
C:\Windows\System\HFpASJp.exe	xmrig
C:\Windows\System\JxTqOlD.exe	xmrig
C:\Windows\System\IUXCESf.exe	xmrig
C:\Windows\System\pVwrNVx.exe	xmrig
C:\Windows\System\RexqEwi.exe	xmrig
C:\Windows\System\uyeNSxI.exe	xmrig
C:\Windows\System\naSUvgz.exe	xmrig
C:\Windows\System\nVFScDe.exe	xmrig
C:\Windows\System\FsEGebl.exe	xmrig
C:\Windows\System\IfIaoxD.exe	xmrig
C:\Windows\System\dyOXSmI.exe	xmrig
C:\Windows\System\GzxsJWa.exe	xmrig
C:\Windows\System\pVaUZEg.exe	xmrig
C:\Windows\System\fopNymp.exe	xmrig
C:\Windows\System\ABIXWGy.exe	xmrig
C:\Windows\System\MaaEQWQ.exe	xmrig
C:\Windows\System\IVyMzCY.exe	xmrig

Executes dropped EXE 64 IoCs

Processes:

fCGxhqg.exeGELgfmo.exeOwusLSc.exeIVyMzCY.exeUmcrZBV.exeYZrmgnY.exeMaaEQWQ.exeABIXWGy.exefopNymp.exepVaUZEg.exeGzxsJWa.exedyOXSmI.exeIfIaoxD.exeFsEGebl.exeoeviJzh.exejdYtJRz.exenVFScDe.exenaSUvgz.exeuyeNSxI.exeRexqEwi.exepVwrNVx.exeJxTqOlD.exejxzkwOz.exeHFpASJp.exeIUXCESf.exeQSmqKui.exegrNFrze.exeGTZnlqZ.exenHdpiob.exeFyTYXXz.exeAPRYMpR.exeEzWXMMb.exeIqCytCy.exeBjkmWuP.exenIjgXAw.exeCqDdWwN.execXvgVdP.exeePLvUZU.exeeyqbOrM.exeDFUIeZV.exegKhmtDO.exeqZKLDLE.exeZVXjBpz.exeVfgfjiE.execWfbMGc.exeTPJVgXo.exeECuunJG.exeyrqvBlp.exetCNdPgu.exeTORHZgy.exeiTnsyUF.exeauflOFu.exeJvnoplp.exeIZbXEwG.exemrCIXvn.exetegqxQJ.exesicqCuf.exegVwNDMv.exeSnjKtIV.exejvcRFdN.exesUYSULo.exegZPUjGZ.exebpAoZZd.exeztIrcEk.exe

pid	process
2720	fCGxhqg.exe
4424	GELgfmo.exe
3340	OwusLSc.exe
4996	IVyMzCY.exe
1168	UmcrZBV.exe
3008	YZrmgnY.exe
1404	MaaEQWQ.exe
2996	ABIXWGy.exe
3776	fopNymp.exe
4940	pVaUZEg.exe
1368	GzxsJWa.exe
1688	dyOXSmI.exe
2044	IfIaoxD.exe
2976	FsEGebl.exe
4412	oeviJzh.exe
4716	jdYtJRz.exe
4488	nVFScDe.exe
4188	naSUvgz.exe
2276	uyeNSxI.exe
3576	RexqEwi.exe
2440	pVwrNVx.exe
4612	JxTqOlD.exe
2392	jxzkwOz.exe
2272	HFpASJp.exe
1232	IUXCESf.exe
1960	QSmqKui.exe
3588	grNFrze.exe
2172	GTZnlqZ.exe
3420	nHdpiob.exe
1352	FyTYXXz.exe
1436	APRYMpR.exe
1648	EzWXMMb.exe
2612	IqCytCy.exe
3892	BjkmWuP.exe
1488	nIjgXAw.exe
3556	CqDdWwN.exe
912	cXvgVdP.exe
1824	ePLvUZU.exe
2400	eyqbOrM.exe
4348	DFUIeZV.exe
2248	gKhmtDO.exe
4924	qZKLDLE.exe
2352	ZVXjBpz.exe
3196	VfgfjiE.exe
3044	cWfbMGc.exe
4784	TPJVgXo.exe
4588	ECuunJG.exe
3364	yrqvBlp.exe
1288	tCNdPgu.exe
4520	TORHZgy.exe
4056	iTnsyUF.exe
4968	auflOFu.exe
4848	Jvnoplp.exe
516	IZbXEwG.exe
4320	mrCIXvn.exe
1608	tegqxQJ.exe
2684	sicqCuf.exe
4712	gVwNDMv.exe
1820	SnjKtIV.exe
3524	jvcRFdN.exe
2260	sUYSULo.exe
4148	gZPUjGZ.exe
3620	bpAoZZd.exe
3184	ztIrcEk.exe

Drops file in Windows directory 64 IoCs

Processes:

71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\UrNFLRq.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\uQchJQs.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\mQFHFzG.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\IVyMzCY.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\TVaJiGu.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\cXEHgCe.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\nHdpiob.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\iTnsyUF.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\mrSVriM.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\APRYMpR.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\jwapIdg.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\oeviJzh.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\IUXCESf.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\dlLSPZg.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\rGAjbKf.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\uyeNSxI.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\RexqEwi.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\dvmcwWd.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\ZvILqDP.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\nIjgXAw.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\BqpmuMh.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\cWfbMGc.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\hJHiuXH.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\hlPWiad.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\usdewLz.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\YtsDtbQ.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\UmcrZBV.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\ZVXjBpz.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\dKHIqqm.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\rLwjMzz.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\AYgwLKk.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\JLtYohE.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\jdYtJRz.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\jbIoFtp.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\uWgdepW.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\qsiLKrM.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\AZIwLpm.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\gJULFoC.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\KCxSQPL.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\jrqlggw.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\QmhTeGy.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\EtHncYX.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\MQbksby.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\IZbXEwG.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\GELgfmo.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\UHfyPyl.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\JdLMNOz.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\kzXfUkt.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\kOhoPhE.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\Onvgkfn.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\BoqywYn.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\HGBYmfj.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\fCGxhqg.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\cXvgVdP.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\DFUIeZV.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\znsiyJO.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\nmGqEXf.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\XnZAyOG.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\JDHgwmk.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\tEstueu.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\JYNsNNr.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\JIELNWb.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\uyKLNWR.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
File created	C:\Windows\System\XlAYZkg.exe	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe

description	pid	process
Token: SeLockMemoryPrivilege	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe

description	pid	process	target process
PID 1868 wrote to memory of 2720	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	fCGxhqg.exe
PID 1868 wrote to memory of 2720	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	fCGxhqg.exe
PID 1868 wrote to memory of 4424	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	GELgfmo.exe
PID 1868 wrote to memory of 4424	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	GELgfmo.exe
PID 1868 wrote to memory of 3340	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	OwusLSc.exe
PID 1868 wrote to memory of 3340	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	OwusLSc.exe
PID 1868 wrote to memory of 4996	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	IVyMzCY.exe
PID 1868 wrote to memory of 4996	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	IVyMzCY.exe
PID 1868 wrote to memory of 1168	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	UmcrZBV.exe
PID 1868 wrote to memory of 1168	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	UmcrZBV.exe
PID 1868 wrote to memory of 3008	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	YZrmgnY.exe
PID 1868 wrote to memory of 3008	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	YZrmgnY.exe
PID 1868 wrote to memory of 1404	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	MaaEQWQ.exe
PID 1868 wrote to memory of 1404	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	MaaEQWQ.exe
PID 1868 wrote to memory of 2996	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	ABIXWGy.exe
PID 1868 wrote to memory of 2996	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	ABIXWGy.exe
PID 1868 wrote to memory of 3776	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	fopNymp.exe
PID 1868 wrote to memory of 3776	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	fopNymp.exe
PID 1868 wrote to memory of 4940	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	pVaUZEg.exe
PID 1868 wrote to memory of 4940	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	pVaUZEg.exe
PID 1868 wrote to memory of 2976	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	FsEGebl.exe
PID 1868 wrote to memory of 2976	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	FsEGebl.exe
PID 1868 wrote to memory of 1368	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	GzxsJWa.exe
PID 1868 wrote to memory of 1368	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	GzxsJWa.exe
PID 1868 wrote to memory of 1688	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	dyOXSmI.exe
PID 1868 wrote to memory of 1688	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	dyOXSmI.exe
PID 1868 wrote to memory of 2044	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	IfIaoxD.exe
PID 1868 wrote to memory of 2044	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	IfIaoxD.exe
PID 1868 wrote to memory of 4412	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	oeviJzh.exe
PID 1868 wrote to memory of 4412	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	oeviJzh.exe
PID 1868 wrote to memory of 4716	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	jdYtJRz.exe
PID 1868 wrote to memory of 4716	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	jdYtJRz.exe
PID 1868 wrote to memory of 4488	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	nVFScDe.exe
PID 1868 wrote to memory of 4488	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	nVFScDe.exe
PID 1868 wrote to memory of 4188	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	naSUvgz.exe
PID 1868 wrote to memory of 4188	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	naSUvgz.exe
PID 1868 wrote to memory of 2276	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	uyeNSxI.exe
PID 1868 wrote to memory of 2276	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	uyeNSxI.exe
PID 1868 wrote to memory of 3576	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	RexqEwi.exe
PID 1868 wrote to memory of 3576	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	RexqEwi.exe
PID 1868 wrote to memory of 2440	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	pVwrNVx.exe
PID 1868 wrote to memory of 2440	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	pVwrNVx.exe
PID 1868 wrote to memory of 4612	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	JxTqOlD.exe
PID 1868 wrote to memory of 4612	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	JxTqOlD.exe
PID 1868 wrote to memory of 2392	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	jxzkwOz.exe
PID 1868 wrote to memory of 2392	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	jxzkwOz.exe
PID 1868 wrote to memory of 2272	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	HFpASJp.exe
PID 1868 wrote to memory of 2272	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	HFpASJp.exe
PID 1868 wrote to memory of 1232	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	IUXCESf.exe
PID 1868 wrote to memory of 1232	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	IUXCESf.exe
PID 1868 wrote to memory of 1960	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	QSmqKui.exe
PID 1868 wrote to memory of 1960	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	QSmqKui.exe
PID 1868 wrote to memory of 3588	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	grNFrze.exe
PID 1868 wrote to memory of 3588	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	grNFrze.exe
PID 1868 wrote to memory of 2172	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	GTZnlqZ.exe
PID 1868 wrote to memory of 2172	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	GTZnlqZ.exe
PID 1868 wrote to memory of 3420	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	nHdpiob.exe
PID 1868 wrote to memory of 3420	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	nHdpiob.exe
PID 1868 wrote to memory of 1352	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	FyTYXXz.exe
PID 1868 wrote to memory of 1352	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	FyTYXXz.exe
PID 1868 wrote to memory of 1436	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	APRYMpR.exe
PID 1868 wrote to memory of 1436	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	APRYMpR.exe
PID 1868 wrote to memory of 1648	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	EzWXMMb.exe
PID 1868 wrote to memory of 1648	1868	71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe	EzWXMMb.exe

C:\Users\Admin\AppData\Local\Temp\71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\71ddb467024c6c846404b47dd76173c0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\System\fCGxhqg.exe
C:\Windows\System\fCGxhqg.exe
2⤵
- Executes dropped EXE
PID:2720

C:\Windows\System\GELgfmo.exe
C:\Windows\System\GELgfmo.exe
2⤵
- Executes dropped EXE
PID:4424

C:\Windows\System\OwusLSc.exe
C:\Windows\System\OwusLSc.exe
2⤵
- Executes dropped EXE
PID:3340

C:\Windows\System\IVyMzCY.exe
C:\Windows\System\IVyMzCY.exe
2⤵
- Executes dropped EXE
PID:4996

C:\Windows\System\UmcrZBV.exe
C:\Windows\System\UmcrZBV.exe
2⤵
- Executes dropped EXE
PID:1168

C:\Windows\System\YZrmgnY.exe
C:\Windows\System\YZrmgnY.exe
2⤵
- Executes dropped EXE
PID:3008

C:\Windows\System\MaaEQWQ.exe
C:\Windows\System\MaaEQWQ.exe
2⤵
- Executes dropped EXE
PID:1404

C:\Windows\System\ABIXWGy.exe
C:\Windows\System\ABIXWGy.exe
2⤵
- Executes dropped EXE
PID:2996

C:\Windows\System\fopNymp.exe
C:\Windows\System\fopNymp.exe
2⤵
- Executes dropped EXE
PID:3776

C:\Windows\System\pVaUZEg.exe
C:\Windows\System\pVaUZEg.exe
2⤵
- Executes dropped EXE
PID:4940

C:\Windows\System\FsEGebl.exe
C:\Windows\System\FsEGebl.exe
2⤵
- Executes dropped EXE
PID:2976

C:\Windows\System\GzxsJWa.exe
C:\Windows\System\GzxsJWa.exe
2⤵
- Executes dropped EXE
PID:1368

C:\Windows\System\dyOXSmI.exe
C:\Windows\System\dyOXSmI.exe
2⤵
- Executes dropped EXE
PID:1688

C:\Windows\System\IfIaoxD.exe
C:\Windows\System\IfIaoxD.exe
2⤵
- Executes dropped EXE
PID:2044

C:\Windows\System\oeviJzh.exe
C:\Windows\System\oeviJzh.exe
2⤵
- Executes dropped EXE
PID:4412

C:\Windows\System\jdYtJRz.exe
C:\Windows\System\jdYtJRz.exe
2⤵
- Executes dropped EXE
PID:4716

C:\Windows\System\nVFScDe.exe
C:\Windows\System\nVFScDe.exe
2⤵
- Executes dropped EXE
PID:4488

C:\Windows\System\naSUvgz.exe
C:\Windows\System\naSUvgz.exe
2⤵
- Executes dropped EXE
PID:4188

C:\Windows\System\uyeNSxI.exe
C:\Windows\System\uyeNSxI.exe
2⤵
- Executes dropped EXE
PID:2276

C:\Windows\System\RexqEwi.exe
C:\Windows\System\RexqEwi.exe
2⤵
- Executes dropped EXE
PID:3576

C:\Windows\System\pVwrNVx.exe
C:\Windows\System\pVwrNVx.exe
2⤵
- Executes dropped EXE
PID:2440

C:\Windows\System\JxTqOlD.exe
C:\Windows\System\JxTqOlD.exe
2⤵
- Executes dropped EXE
PID:4612

C:\Windows\System\jxzkwOz.exe
C:\Windows\System\jxzkwOz.exe
2⤵
- Executes dropped EXE
PID:2392

C:\Windows\System\HFpASJp.exe
C:\Windows\System\HFpASJp.exe
2⤵
- Executes dropped EXE
PID:2272

C:\Windows\System\IUXCESf.exe
C:\Windows\System\IUXCESf.exe
2⤵
- Executes dropped EXE
PID:1232

C:\Windows\System\QSmqKui.exe
C:\Windows\System\QSmqKui.exe
2⤵
- Executes dropped EXE
PID:1960

C:\Windows\System\grNFrze.exe
C:\Windows\System\grNFrze.exe
2⤵
- Executes dropped EXE
PID:3588

C:\Windows\System\GTZnlqZ.exe
C:\Windows\System\GTZnlqZ.exe
2⤵
- Executes dropped EXE
PID:2172

C:\Windows\System\nHdpiob.exe
C:\Windows\System\nHdpiob.exe
2⤵
- Executes dropped EXE
PID:3420

C:\Windows\System\FyTYXXz.exe
C:\Windows\System\FyTYXXz.exe
2⤵
- Executes dropped EXE
PID:1352

C:\Windows\System\APRYMpR.exe
C:\Windows\System\APRYMpR.exe
2⤵
- Executes dropped EXE
PID:1436

C:\Windows\System\EzWXMMb.exe
C:\Windows\System\EzWXMMb.exe
2⤵
- Executes dropped EXE
PID:1648

C:\Windows\System\IqCytCy.exe
C:\Windows\System\IqCytCy.exe
2⤵
- Executes dropped EXE
PID:2612

C:\Windows\System\BjkmWuP.exe
C:\Windows\System\BjkmWuP.exe
2⤵
- Executes dropped EXE
PID:3892

C:\Windows\System\nIjgXAw.exe
C:\Windows\System\nIjgXAw.exe
2⤵
- Executes dropped EXE
PID:1488

C:\Windows\System\CqDdWwN.exe
C:\Windows\System\CqDdWwN.exe
2⤵
- Executes dropped EXE
PID:3556

C:\Windows\System\cXvgVdP.exe
C:\Windows\System\cXvgVdP.exe
2⤵
- Executes dropped EXE
PID:912

C:\Windows\System\ePLvUZU.exe
C:\Windows\System\ePLvUZU.exe
2⤵
- Executes dropped EXE
PID:1824

C:\Windows\System\eyqbOrM.exe
C:\Windows\System\eyqbOrM.exe
2⤵
- Executes dropped EXE
PID:2400

C:\Windows\System\DFUIeZV.exe
C:\Windows\System\DFUIeZV.exe
2⤵
- Executes dropped EXE
PID:4348

C:\Windows\System\gKhmtDO.exe
C:\Windows\System\gKhmtDO.exe
2⤵
- Executes dropped EXE
PID:2248

C:\Windows\System\qZKLDLE.exe
C:\Windows\System\qZKLDLE.exe
2⤵
- Executes dropped EXE
PID:4924

C:\Windows\System\ZVXjBpz.exe
C:\Windows\System\ZVXjBpz.exe
2⤵
- Executes dropped EXE
PID:2352

C:\Windows\System\VfgfjiE.exe
C:\Windows\System\VfgfjiE.exe
2⤵
- Executes dropped EXE
PID:3196

C:\Windows\System\cWfbMGc.exe
C:\Windows\System\cWfbMGc.exe
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\System\TPJVgXo.exe
C:\Windows\System\TPJVgXo.exe
2⤵
- Executes dropped EXE
PID:4784

C:\Windows\System\ECuunJG.exe
C:\Windows\System\ECuunJG.exe
2⤵
- Executes dropped EXE
PID:4588

C:\Windows\System\yrqvBlp.exe
C:\Windows\System\yrqvBlp.exe
2⤵
- Executes dropped EXE
PID:3364

C:\Windows\System\tCNdPgu.exe
C:\Windows\System\tCNdPgu.exe
2⤵
- Executes dropped EXE
PID:1288

C:\Windows\System\TORHZgy.exe
C:\Windows\System\TORHZgy.exe
2⤵
- Executes dropped EXE
PID:4520

C:\Windows\System\iTnsyUF.exe
C:\Windows\System\iTnsyUF.exe
2⤵
- Executes dropped EXE
PID:4056

C:\Windows\System\auflOFu.exe
C:\Windows\System\auflOFu.exe
2⤵
- Executes dropped EXE
PID:4968

C:\Windows\System\Jvnoplp.exe
C:\Windows\System\Jvnoplp.exe
2⤵
- Executes dropped EXE
PID:4848

C:\Windows\System\IZbXEwG.exe
C:\Windows\System\IZbXEwG.exe
2⤵
- Executes dropped EXE
PID:516

C:\Windows\System\mrCIXvn.exe
C:\Windows\System\mrCIXvn.exe
2⤵
- Executes dropped EXE
PID:4320

C:\Windows\System\tegqxQJ.exe
C:\Windows\System\tegqxQJ.exe
2⤵
- Executes dropped EXE
PID:1608

C:\Windows\System\sicqCuf.exe
C:\Windows\System\sicqCuf.exe
2⤵
- Executes dropped EXE
PID:2684

C:\Windows\System\gVwNDMv.exe
C:\Windows\System\gVwNDMv.exe
2⤵
- Executes dropped EXE
PID:4712

C:\Windows\System\SnjKtIV.exe
C:\Windows\System\SnjKtIV.exe
2⤵
- Executes dropped EXE
PID:1820

C:\Windows\System\jvcRFdN.exe
C:\Windows\System\jvcRFdN.exe
2⤵
- Executes dropped EXE
PID:3524

C:\Windows\System\sUYSULo.exe
C:\Windows\System\sUYSULo.exe
2⤵
- Executes dropped EXE
PID:2260

C:\Windows\System\gZPUjGZ.exe
C:\Windows\System\gZPUjGZ.exe
2⤵
- Executes dropped EXE
PID:4148

C:\Windows\System\bpAoZZd.exe
C:\Windows\System\bpAoZZd.exe
2⤵
- Executes dropped EXE
PID:3620

C:\Windows\System\ztIrcEk.exe
C:\Windows\System\ztIrcEk.exe
2⤵
- Executes dropped EXE
PID:3184

C:\Windows\System\dlLSPZg.exe
C:\Windows\System\dlLSPZg.exe
2⤵
PID:2384

C:\Windows\System\tNpkIaT.exe
C:\Windows\System\tNpkIaT.exe
2⤵
PID:4800

C:\Windows\System\GaGkCWV.exe
C:\Windows\System\GaGkCWV.exe
2⤵
PID:4304

C:\Windows\System\OuVNDpT.exe
C:\Windows\System\OuVNDpT.exe
2⤵
PID:2884

C:\Windows\System\dKHIqqm.exe
C:\Windows\System\dKHIqqm.exe
2⤵
PID:3772

C:\Windows\System\kpXNeVl.exe
C:\Windows\System\kpXNeVl.exe
2⤵
PID:4404

C:\Windows\System\tVqwAJf.exe
C:\Windows\System\tVqwAJf.exe
2⤵
PID:3168

C:\Windows\System\fNjkDjp.exe
C:\Windows\System\fNjkDjp.exe
2⤵
PID:3160

C:\Windows\System\DNzqerV.exe
C:\Windows\System\DNzqerV.exe
2⤵
PID:1528

C:\Windows\System\xnwIQtq.exe
C:\Windows\System\xnwIQtq.exe
2⤵
PID:1300

C:\Windows\System\RTmKlDa.exe
C:\Windows\System\RTmKlDa.exe
2⤵
PID:4812

C:\Windows\System\zuzLxnC.exe
C:\Windows\System\zuzLxnC.exe
2⤵
PID:3848

C:\Windows\System\QmhTeGy.exe
C:\Windows\System\QmhTeGy.exe
2⤵
PID:2788

C:\Windows\System\BlNDXEb.exe
C:\Windows\System\BlNDXEb.exe
2⤵
PID:4480

C:\Windows\System\MpDTGIK.exe
C:\Windows\System\MpDTGIK.exe
2⤵
PID:1448

C:\Windows\System\EtHncYX.exe
C:\Windows\System\EtHncYX.exe
2⤵
PID:768

C:\Windows\System\jIAvhKA.exe
C:\Windows\System\jIAvhKA.exe
2⤵
PID:4804

C:\Windows\System\UHfyPyl.exe
C:\Windows\System\UHfyPyl.exe
2⤵
PID:3732

C:\Windows\System\TVaJiGu.exe
C:\Windows\System\TVaJiGu.exe
2⤵
PID:2952

C:\Windows\System\jbIoFtp.exe
C:\Windows\System\jbIoFtp.exe
2⤵
PID:2316

C:\Windows\System\wjkotmz.exe
C:\Windows\System\wjkotmz.exe
2⤵
PID:2240

C:\Windows\System\HGBYmfj.exe
C:\Windows\System\HGBYmfj.exe
2⤵
PID:4452

C:\Windows\System\LqeTlMp.exe
C:\Windows\System\LqeTlMp.exe
2⤵
PID:3408

C:\Windows\System\hJHiuXH.exe
C:\Windows\System\hJHiuXH.exe
2⤵
PID:3172

C:\Windows\System\rLwjMzz.exe
C:\Windows\System\rLwjMzz.exe
2⤵
PID:4232

C:\Windows\System\gVPFuyD.exe
C:\Windows\System\gVPFuyD.exe
2⤵
PID:4316

C:\Windows\System\fGyEaja.exe
C:\Windows\System\fGyEaja.exe
2⤵
PID:1924

C:\Windows\System\nwWGYDI.exe
C:\Windows\System\nwWGYDI.exe
2⤵
PID:3596

C:\Windows\System\xyyWOaE.exe
C:\Windows\System\xyyWOaE.exe
2⤵
PID:4464

C:\Windows\System\RGvphff.exe
C:\Windows\System\RGvphff.exe
2⤵
PID:2424

C:\Windows\System\jzHHMOV.exe
C:\Windows\System\jzHHMOV.exe
2⤵
PID:1732

C:\Windows\System\HJyuJsR.exe
C:\Windows\System\HJyuJsR.exe
2⤵
PID:3436

C:\Windows\System\AYgwLKk.exe
C:\Windows\System\AYgwLKk.exe
2⤵
PID:836

C:\Windows\System\DFkzwca.exe
C:\Windows\System\DFkzwca.exe
2⤵
PID:1712

C:\Windows\System\mrSVriM.exe
C:\Windows\System\mrSVriM.exe
2⤵
PID:2524

C:\Windows\System\znsiyJO.exe
C:\Windows\System\znsiyJO.exe
2⤵
PID:464

C:\Windows\System\uyKLNWR.exe
C:\Windows\System\uyKLNWR.exe
2⤵
PID:5144

C:\Windows\System\MHBlaAc.exe
C:\Windows\System\MHBlaAc.exe
2⤵
PID:5172

C:\Windows\System\jrqlggw.exe
C:\Windows\System\jrqlggw.exe
2⤵
PID:5192

C:\Windows\System\nmGqEXf.exe
C:\Windows\System\nmGqEXf.exe
2⤵
PID:5212

C:\Windows\System\ghzJiGq.exe
C:\Windows\System\ghzJiGq.exe
2⤵
PID:5248

C:\Windows\System\sOQbNkq.exe
C:\Windows\System\sOQbNkq.exe
2⤵
PID:5280

C:\Windows\System\OXRKypx.exe
C:\Windows\System\OXRKypx.exe
2⤵
PID:5304

C:\Windows\System\jwapIdg.exe
C:\Windows\System\jwapIdg.exe
2⤵
PID:5328

C:\Windows\System\CfYfpve.exe
C:\Windows\System\CfYfpve.exe
2⤵
PID:5356

C:\Windows\System\JLtYohE.exe
C:\Windows\System\JLtYohE.exe
2⤵
PID:5376

C:\Windows\System\XhTjcwR.exe
C:\Windows\System\XhTjcwR.exe
2⤵
PID:5404

C:\Windows\System\RGNZGET.exe
C:\Windows\System\RGNZGET.exe
2⤵
PID:5436

C:\Windows\System\oRJdvza.exe
C:\Windows\System\oRJdvza.exe
2⤵
PID:5472

C:\Windows\System\gLcySwM.exe
C:\Windows\System\gLcySwM.exe
2⤵
PID:5496

C:\Windows\System\XnZAyOG.exe
C:\Windows\System\XnZAyOG.exe
2⤵
PID:5520

C:\Windows\System\rGAjbKf.exe
C:\Windows\System\rGAjbKf.exe
2⤵
PID:5548

C:\Windows\System\JDHgwmk.exe
C:\Windows\System\JDHgwmk.exe
2⤵
PID:5572

C:\Windows\System\JOiNITr.exe
C:\Windows\System\JOiNITr.exe
2⤵
PID:5588

C:\Windows\System\uWgdepW.exe
C:\Windows\System\uWgdepW.exe
2⤵
PID:5620

C:\Windows\System\TSUVKUO.exe
C:\Windows\System\TSUVKUO.exe
2⤵
PID:5644

C:\Windows\System\UrNFLRq.exe
C:\Windows\System\UrNFLRq.exe
2⤵
PID:5680

C:\Windows\System\mqmcCoh.exe
C:\Windows\System\mqmcCoh.exe
2⤵
PID:5700

C:\Windows\System\zZgnjLr.exe
C:\Windows\System\zZgnjLr.exe
2⤵
PID:5728

C:\Windows\System\BqpmuMh.exe
C:\Windows\System\BqpmuMh.exe
2⤵
PID:5764

C:\Windows\System\KMMcIHw.exe
C:\Windows\System\KMMcIHw.exe
2⤵
PID:5796

C:\Windows\System\pCqrUUB.exe
C:\Windows\System\pCqrUUB.exe
2⤵
PID:5824

C:\Windows\System\JdLMNOz.exe
C:\Windows\System\JdLMNOz.exe
2⤵
PID:5876

C:\Windows\System\oBclkUb.exe
C:\Windows\System\oBclkUb.exe
2⤵
PID:5912

C:\Windows\System\dvmcwWd.exe
C:\Windows\System\dvmcwWd.exe
2⤵
PID:5940

C:\Windows\System\qfcHzWF.exe
C:\Windows\System\qfcHzWF.exe
2⤵
PID:5964

C:\Windows\System\hlPWiad.exe
C:\Windows\System\hlPWiad.exe
2⤵
PID:5996

C:\Windows\System\tEstueu.exe
C:\Windows\System\tEstueu.exe
2⤵
PID:6028

C:\Windows\System\UjCyxic.exe
C:\Windows\System\UjCyxic.exe
2⤵
PID:6060

C:\Windows\System\BlCAjFD.exe
C:\Windows\System\BlCAjFD.exe
2⤵
PID:6092

C:\Windows\System\fcJbxAQ.exe
C:\Windows\System\fcJbxAQ.exe
2⤵
PID:6116

C:\Windows\System\KTQmBbq.exe
C:\Windows\System\KTQmBbq.exe
2⤵
PID:2776

C:\Windows\System\giQHRpq.exe
C:\Windows\System\giQHRpq.exe
2⤵
PID:5132

C:\Windows\System\ZjfrtlW.exe
C:\Windows\System\ZjfrtlW.exe
2⤵
PID:5168

C:\Windows\System\PLEhxzd.exe
C:\Windows\System\PLEhxzd.exe
2⤵
PID:5220

C:\Windows\System\KRRTohv.exe
C:\Windows\System\KRRTohv.exe
2⤵
PID:5272

C:\Windows\System\zKZgAxv.exe
C:\Windows\System\zKZgAxv.exe
2⤵
PID:5344

C:\Windows\System\XlAYZkg.exe
C:\Windows\System\XlAYZkg.exe
2⤵
PID:5448

C:\Windows\System\qsiLKrM.exe
C:\Windows\System\qsiLKrM.exe
2⤵
PID:5416

C:\Windows\System\VxmoIWC.exe
C:\Windows\System\VxmoIWC.exe
2⤵
PID:5532

C:\Windows\System\JYNsNNr.exe
C:\Windows\System\JYNsNNr.exe
2⤵
PID:5600

C:\Windows\System\EgAVlUe.exe
C:\Windows\System\EgAVlUe.exe
2⤵
PID:5564

C:\Windows\System\vpneYZW.exe
C:\Windows\System\vpneYZW.exe
2⤵
PID:5736

C:\Windows\System\LjuBlXY.exe
C:\Windows\System\LjuBlXY.exe
2⤵
PID:5808

C:\Windows\System\ZvILqDP.exe
C:\Windows\System\ZvILqDP.exe
2⤵
PID:5804

C:\Windows\System\qnamuGb.exe
C:\Windows\System\qnamuGb.exe
2⤵
PID:5924

C:\Windows\System\YyEbhkR.exe
C:\Windows\System\YyEbhkR.exe
2⤵
PID:5984

C:\Windows\System\ruyxQtX.exe
C:\Windows\System\ruyxQtX.exe
2⤵
PID:6008

C:\Windows\System\AZIwLpm.exe
C:\Windows\System\AZIwLpm.exe
2⤵
PID:6140

C:\Windows\System\oZNWLBv.exe
C:\Windows\System\oZNWLBv.exe
2⤵
PID:6132

C:\Windows\System\ZfrQjRi.exe
C:\Windows\System\ZfrQjRi.exe
2⤵
PID:5156

C:\Windows\System\tliCvZo.exe
C:\Windows\System\tliCvZo.exe
2⤵
PID:5256

C:\Windows\System\SeIJPao.exe
C:\Windows\System\SeIJPao.exe
2⤵
PID:5544

C:\Windows\System\usdewLz.exe
C:\Windows\System\usdewLz.exe
2⤵
PID:5488

C:\Windows\System\kzXfUkt.exe
C:\Windows\System\kzXfUkt.exe
2⤵
PID:5900

C:\Windows\System\OrXDsLS.exe
C:\Windows\System\OrXDsLS.exe
2⤵
PID:5960

C:\Windows\System\KCxSQPL.exe
C:\Windows\System\KCxSQPL.exe
2⤵
PID:5296

C:\Windows\System\gjiXQlX.exe
C:\Windows\System\gjiXQlX.exe
2⤵
PID:5276

C:\Windows\System\JnBUsLn.exe
C:\Windows\System\JnBUsLn.exe
2⤵
PID:5972

C:\Windows\System\JIELNWb.exe
C:\Windows\System\JIELNWb.exe
2⤵
PID:5776

C:\Windows\System\ABuZDRp.exe
C:\Windows\System\ABuZDRp.exe
2⤵
PID:6168

C:\Windows\System\kOhoPhE.exe
C:\Windows\System\kOhoPhE.exe
2⤵
PID:6196

C:\Windows\System\CjwOiKs.exe
C:\Windows\System\CjwOiKs.exe
2⤵
PID:6216

C:\Windows\System\ywRBHdE.exe
C:\Windows\System\ywRBHdE.exe
2⤵
PID:6244

C:\Windows\System\Onvgkfn.exe
C:\Windows\System\Onvgkfn.exe
2⤵
PID:6264

C:\Windows\System\uQchJQs.exe
C:\Windows\System\uQchJQs.exe
2⤵
PID:6292

C:\Windows\System\CBPzudm.exe
C:\Windows\System\CBPzudm.exe
2⤵
PID:6324

C:\Windows\System\WwjKdtl.exe
C:\Windows\System\WwjKdtl.exe
2⤵
PID:6348

C:\Windows\System\BoqywYn.exe
C:\Windows\System\BoqywYn.exe
2⤵
PID:6372

C:\Windows\System\gJULFoC.exe
C:\Windows\System\gJULFoC.exe
2⤵
PID:6396

C:\Windows\System\MQbksby.exe
C:\Windows\System\MQbksby.exe
2⤵
PID:6420

C:\Windows\System\MpCcmeb.exe
C:\Windows\System\MpCcmeb.exe
2⤵
PID:6452

C:\Windows\System\loAenkQ.exe
C:\Windows\System\loAenkQ.exe
2⤵
PID:6480

C:\Windows\System\YtsDtbQ.exe
C:\Windows\System\YtsDtbQ.exe
2⤵
PID:6508

C:\Windows\System\mQFHFzG.exe
C:\Windows\System\mQFHFzG.exe
2⤵
PID:6532

C:\Windows\System\KqrwXBo.exe
C:\Windows\System\KqrwXBo.exe
2⤵
PID:6564

C:\Windows\System\QtwLAqV.exe
C:\Windows\System\QtwLAqV.exe
2⤵
PID:6588

C:\Windows\System\HlAbgWG.exe
C:\Windows\System\HlAbgWG.exe
2⤵
PID:6624

C:\Windows\System\oURXwfy.exe
C:\Windows\System\oURXwfy.exe
2⤵
PID:6648

C:\Windows\System\dsxWVft.exe
C:\Windows\System\dsxWVft.exe
2⤵
PID:6676

C:\Windows\System\tvowkyr.exe
C:\Windows\System\tvowkyr.exe
2⤵
PID:6700

C:\Windows\System\sIVcOPm.exe
C:\Windows\System\sIVcOPm.exe
2⤵
PID:6724

C:\Windows\System\PslPOVT.exe
C:\Windows\System\PslPOVT.exe
2⤵
PID:6748

C:\Windows\System\coxUHVp.exe
C:\Windows\System\coxUHVp.exe
2⤵
PID:6772

C:\Windows\System\PUMoChM.exe
C:\Windows\System\PUMoChM.exe
2⤵
PID:6796

C:\Windows\System\wWPiUoh.exe
C:\Windows\System\wWPiUoh.exe
2⤵
PID:6832

C:\Windows\System\QUlschB.exe
C:\Windows\System\QUlschB.exe
2⤵
PID:6860

C:\Windows\System\JPChpip.exe
C:\Windows\System\JPChpip.exe
2⤵
PID:6884

C:\Windows\System\GxIGxDD.exe
C:\Windows\System\GxIGxDD.exe
2⤵
PID:6908

C:\Windows\System\sWMznNi.exe
C:\Windows\System\sWMznNi.exe
2⤵
PID:6936

C:\Windows\System\gOIOkwP.exe
C:\Windows\System\gOIOkwP.exe
2⤵
PID:6964

C:\Windows\System\OAVmyYZ.exe
C:\Windows\System\OAVmyYZ.exe
2⤵
PID:6988

C:\Windows\System\kVifSNZ.exe
C:\Windows\System\kVifSNZ.exe
2⤵
PID:7012

C:\Windows\System\cXEHgCe.exe
C:\Windows\System\cXEHgCe.exe
2⤵
PID:7036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ABIXWGy.exe
Filesize
1.3MB

MD5
7187fe143978edbb8a6cf95839c02589

SHA1
7558146b21f6faf6091557edbf8b111dc602d5d4

SHA256
6c0def0080042a5698be6ba1a41f896a2f49dca51b05e141c1426cf19bf54174

SHA512
32d53a1461232664c95095df19f49e6dc1172120a7b455cca0b2e046404b5a320f30f91ed5dede2c140eb3b7173ccf7523f3f5bd74b4dd40a1a10ac6f8a0e026

Download Submit
C:\Windows\System\APRYMpR.exe
Filesize
1.3MB

MD5
dfbdde9e58c9a284dc574627ac26b6f2

SHA1
1ceb7462b1031744763b492a1b5f8a024a697907

SHA256
a7306f2f8a17d2be4bb4c7680f780d03f5cda75d275f109d11013917f40b976f

SHA512
e6cbc30b77cbaf2dfc960eb5c473c62f853706ebc954b57bebfb3185a9fd66c778a99892ebe54ea7c5ef0ba43807a9a93d2b2ada00398656078129eb84e67944

Download Submit
C:\Windows\System\EzWXMMb.exe
Filesize
1.3MB

MD5
9117b290222e8499e3ddfc0366e601f7

SHA1
f5fd529a9b6dd61339c7ae47fbcb27471594c80e

SHA256
851f6a07c200b63fe1e38ac75f6364028d095f8aff036df595924843b1bfeb89

SHA512
367791359724a6ea31ab146986fd3e141205ad5e34abf9e1bf81ecac228d5cb41f13ef97c23bfe11a8f50db2f1ee38e4778e357bf33061d0a02ea7f791278857

Download Submit
C:\Windows\System\FsEGebl.exe
Filesize
1.3MB

MD5
670deda0c2856d64523c20f795f02bbe

SHA1
569d93a3bf09b013fcb56b223ebe41db0920feb9

SHA256
3e198fbcc9609f344f750df6c698684d5d4a9e8ace0827d1eecc6fe1b76c9839

SHA512
2e919917b478542362dac26a859f8257646a39d5ec511bce0651de1edf9669df6e2e4f7d5bbf227a09fc441055e33d0ef4237e0a23ed5f7793fbf6d96c4f4426

Download Submit
C:\Windows\System\FyTYXXz.exe
Filesize
1.3MB

MD5
69be4c61162fc5a9c8da34bd650741d5

SHA1
7a9ff7f794135f99df9146f2080eec6f2282fbad

SHA256
58fbda3e19938b23f5dc448a17611724246419b5c3fd41fd129fa4359dfd8f65

SHA512
79739dd6efa62cd67d6b497528e07b02fcfa1be7430e0239bbaa953b8f15143c47319e97b8d89927de14ed76154b5bc0a9e48cff7f473c95ac02b55a275162f4

Download Submit
C:\Windows\System\GELgfmo.exe
Filesize
1.3MB

MD5
1f741f002bc0c4fc52a4415ccbdf0c51

SHA1
d23d49025f5ab8e3d60294d6dd896fe2180d8a8f

SHA256
51bc4f9ef3df6b9eca61417a6cdb2208502205a930547c25a1a94db4dadb2d4e

SHA512
9b094eebe405b8b5afd5c2d8bcddf4b799838541698c1f8e87dc8ead2e95b8f8bbb00f96691b1b0da2b5893fe4f4948f4c3e2e5a8fe2ee7d6cb72b2e8d13d129

Download Submit
C:\Windows\System\GTZnlqZ.exe
Filesize
1.3MB

MD5
c12a66fdf9c75e1bb5957e78037cbf3b

SHA1
eac5b77e88da0ac96b3d6933b43314e3a670891a

SHA256
7951cc26373bebbfae915181fa9e35dee5c920f419044c62c1e1d7932f5b75f1

SHA512
628122529a978f94ff2b0b7440aac4a41d41d74537ca39144c2a8330fa4169f4b81874dfdc620ef89ed44844db338ffe63e5c4a5a8459cc3e7111bc5ec3a9d67

Download Submit
C:\Windows\System\GzxsJWa.exe
Filesize
1.3MB

MD5
18c8673579b9c69d620de94783d5946d

SHA1
265ce264570f6d9676a497d332d7b96538b065b5

SHA256
ed14b40f649ca10fdea4d0e545a46b6dc149b60c607e36fbfeb14e77c6bcbbb1

SHA512
5d14da31d664ff1912d29450f61485dda120d16d6b627e891b9594b49ee5296ebc888fa2e344127106aed74cf560a193ad08f35e8eb87178fde28dc893f3defe

Download Submit
C:\Windows\System\HFpASJp.exe
Filesize
1.3MB

MD5
78f19a15e48cc44f15decad3bc13e108

SHA1
1fa758d0c23963ef7b9914922f13fcaf513c7fdb

SHA256
80c7b24504821a1194d979636e205414e00c8db1dc58d90381060558722acee5

SHA512
24593b4a071e64e5dfd96a77aab382381a9eb2f669304a25bd360af247894fa60309a288d7e5f37f0350c7e728050b0d5285397c65fad255d9207b05e5042a24

Download Submit
C:\Windows\System\IUXCESf.exe
Filesize
1.3MB

MD5
fee88b3f87dcecd4574b2653f2afda4a

SHA1
705e9e08f616cf803a864ac1ae99a9a587857692

SHA256
f22ded37bf8267c4734e30cc891c6bb67a81a868693994691daaaeac28a0037e

SHA512
0407bc013fa418721c9d24262676b6aea8e5aece0a7ecfe026244af86997a4955ad1e37a24f0179e856df0ee30a38529812fc2cbb7eb6131c2160b10d94157a1

Download Submit
C:\Windows\System\IVyMzCY.exe
Filesize
1.3MB

MD5
c6f2797918405f88182ec23dcc789b37

SHA1
8830c3eaca3c1e803599f38df16d6af0b823d7a3

SHA256
da8c1f2c703cdf4ca8d9b418c02c528cf4b2d82b669fd886130052b2dc4ab6ab

SHA512
1682f5afb914761febedecde41890cf3a3d6fd52fd3e094df5df9f439b045f4d7fc82190fba0e6682b5fa7370c733f46e3b9d9de74f703d2cc01bc33a107c9c8

Download Submit
C:\Windows\System\IfIaoxD.exe
Filesize
1.3MB

MD5
4a84ad0baed9dde82034993d7d836ff3

SHA1
239d31149b8cd642225ce8ef286f611d7579cf31

SHA256
2581fefa56a7d053c1664682bf711ba5999fff1e5d1ebb16ee4b290584de7767

SHA512
c01a582f22d1570e959c6f1ca526b24cc9dadce10148fa1e10b287d5753088464d19b7af29bdf591f6a47d7900ab8a3b0f277693e3d1827f625cbb5d5c771522

Download Submit
C:\Windows\System\JxTqOlD.exe
Filesize
1.3MB

MD5
5b398053880727b56818a43444da15c7

SHA1
ccac7626fe9786f56114f80bab5204c1ebfd4bf4

SHA256
17ae70611a46a36c41f51ca2269bdf7217959b724718c2d422eb47a8b4211e4d

SHA512
1b406ed40277313f975c6722ab61331961605a78da92645306c62a0e1827eaa1c4891fa9028ce4245283389e11fa9e6ae0ae5614be1538310c85afc00dd114f4

Download Submit
C:\Windows\System\MaaEQWQ.exe
Filesize
1.3MB

MD5
2a5fa0f2310920afd1a2b8ba3f58d2ec

SHA1
a70b9698bd7fcd996a5109466a083bbe756905b7

SHA256
e3fadbe285c2624740040e325665189b128e2628a76c79a1dd1cb5de30010aac

SHA512
13c7ae20c08e88c3193e9a7ddc3f3e6931eecf014989ad9a21f7188283a04beea5770182545ba163c0d4ae368c5cf7533b5d16ba4ff82ceb131a24052beae662

Download Submit
C:\Windows\System\OwusLSc.exe
Filesize
1.3MB

MD5
feaa28d3e69d71b72e3dcaf83c648375

SHA1
8db3a65d14aecd395b2c36b5c7a50f203745446f

SHA256
c271135f9c265554d8339cf5964bd42544d6ba579087a399ff129d16894b307e

SHA512
cc60149fb7bb2904a339300a613b6dd424e1e2405580eb97f991e3d3eea5ab44e9d8d1549da5deac75e87fe1c4d4a5efd6273fbf8a6cb347c1b56db100024b78

Download Submit
C:\Windows\System\QSmqKui.exe
Filesize
1.3MB

MD5
4440df631c50963c3f5f000973fff089

SHA1
7d139a4f384136b092801a22f4c93de6b72c52ce

SHA256
2fb9aa5e3f039edeebab3da5315881f6d234133c2deabf6bbe26eea579b08e42

SHA512
b79e4bde972143cbb8afaa7bd3f1b52d8c2bb0d9034cf98c139c7af342200cf3b77896a3c228d329624037e50bd8f33d66971654c65cb706db3cda55c0875c9a

Download Submit
C:\Windows\System\RexqEwi.exe
Filesize
1.3MB

MD5
835dbe1117378621e6138668658ba8b8

SHA1
9a4909ac48d5ab9a827d81ec27db58c7cdb4785e

SHA256
f5b27e0466f65dbf4711421db88c4cb1e1d4ff1e3e60a2345e85d1ab3315344d

SHA512
92adecbb90b40521a4b4c5925efe98196d19f03f62bef175865156a3704cfecbe4e4f2c1964f224fad2d97f55543310d4b5555160fcb10fe67325a4f75a94f16

Download Submit
C:\Windows\System\UmcrZBV.exe
Filesize
1.3MB

MD5
aea0284802bf9a9f954fb63aa6278faf

SHA1
53a8dbbfd8d81246bd3bf9eccff87c6fcdddaa65

SHA256
d50d7e9fd59d96d480d926e1ad753aaa351ae804895360a69b88cb20f9f5197c

SHA512
f14f3cb7ed791711d9fcb7215c5208e329a99eeb455be915623f7b61746239c34e7ad1db12db283fb5b0f790a82af220989275f3c7258013ee57a8cac3c34e31

Download Submit
C:\Windows\System\YZrmgnY.exe
Filesize
1.3MB

MD5
f4293c3aee8290ffc26570d3b81dbeec

SHA1
cd366c22f24ffde1a342d477433049f2dcabc60e

SHA256
2095c5bb3e581a6f0d06bd9b77dc769aad5d2903cacb77143a489244d1ae06ff

SHA512
a5bdf4ac36e3488f5a32afc9b39ab1fa06378c2bf0ffeb4e6e6325e51a954b1076359fc12cb5e5184c55cb37d0fc8fd3e4f3dc16867190a14bc5f634ee0e6679

Download Submit
C:\Windows\System\dyOXSmI.exe
Filesize
1.3MB

MD5
07eab24c7ce50cf751af36a48cb5eb8c

SHA1
418a5f1375ad8366c46c804b429bc2de4dcbc61f

SHA256
ba3c10cf5e4d3e5c83da9726bebf27f63e041ac7192d8499967bbb984e64273a

SHA512
a667188d0873db2b872d8731c48018e098513ca71a7ee099db830e3cba7c0ec9f1e56d3d90bad494987f47a0dc341cbeb7e57295a883c6b81610d726dc811c5d

Download Submit
C:\Windows\System\fCGxhqg.exe
Filesize
1.3MB

MD5
e2ba1749d76f87f7bb3ec71b18d7ef79

SHA1
c4810678b553d6fee0084701f03524a0f20b7012

SHA256
7e4501f972095014380e5a30fe581509a61ec3a38083fe3674cbf1190fb26cd4

SHA512
9beb81838cc99a7549f50ebb8638761ef790072b40617ce2b91b9e16e283e126eccd69515b115d1dc0ca24ceede9786a04746f46ba7aded331e5b365f2896e82

Download Submit
C:\Windows\System\fopNymp.exe
Filesize
1.3MB

MD5
c2c0c07f2ded8f4f6a2d4f151e74e701

SHA1
d91b817c909ef3b8f447ff9d3ec538c07e6d7be9

SHA256
21e839bfe538d4ac6523d55ab8478347f9681fd2bb09bb263105e4a9c6799b38

SHA512
a6c3ab5efe0b57a04ba61547b306660db3b8c015ab328f809dda36bbf59c7f2a8a183ede0ac8a921723a9a236983cd378286ea1004e47c74e28e9bda8d6f5935

Download Submit
C:\Windows\System\grNFrze.exe
Filesize
1.3MB

MD5
70baff4c6f929eac654d5eff1d967d6f

SHA1
ccc8a4bacbb89c5115b29ca3c85650bb0d64bdb9

SHA256
5aaee93999fbb56ca7f906e0863197d2f07c22a00ea8911038ee40500f924ee3

SHA512
48aadfaecc7678ec44462f7e746b14261478ac5adfb9fab9f87006cabe24d023f9198ad72e6f1f92741b9be4598eba837a15b097354d544c5a7352414ebc975d

Download Submit
C:\Windows\System\jdYtJRz.exe
Filesize
1.3MB

MD5
f928fd6d20495033c9094d0467a25012

SHA1
5347ed0b7fd3736c9abd2de6761fcec8776bffcf

SHA256
44765d6a4cdd9866e13239ccaef81f140fd251e34dff25f177e89e8e3aa7d669

SHA512
e28eeb0ebc4ca9d52f5497fb41837f04437c18ca68f145fcf19a02d2864fe759349ff6511dc62fb34bb2824656cd7810168661b8070a73f8893de6b643399bcc

Download Submit
C:\Windows\System\jxzkwOz.exe
Filesize
1.3MB

MD5
a2aa90d1c3fac6045119a0ed1198db3b

SHA1
fc7e02be85691d503f95fb299f83f0a32bf2f243

SHA256
2070efe49a70158ed4140e76a1d60341195653ac0e1384f761fefef7ba8ee8f6

SHA512
b6ab4196720cdb614089b885c3b70e14ec30cbafee6202ebb1e0960a2805701534ef833ca1262c23def522f9d2f273bc3b47f1c7c8649ad9547cb467d2822171

Download Submit
C:\Windows\System\nHdpiob.exe
Filesize
1.3MB

MD5
37d0c06ffa6749d41253b529f423a2ce

SHA1
424b7472248d401926dd8618ed27727cd840079a

SHA256
b30b56c107e39f821bba19bc3103069e57da0188072a1b5cd84a5b894f93183d

SHA512
aa192c0cbb97389f716ffc0c0b59861685a889f610f503061d433eec57a0866fc96a22cad02209a1b0bf8249845d70b0605acaa3538d67a570c3ecf8b6dca0fa

Download Submit
C:\Windows\System\nVFScDe.exe
Filesize
1.3MB

MD5
6d68bc94e2b5545ae17589c6d45610e8

SHA1
fa1b5c4d03d49e8a0612656aa7617d61b5678096

SHA256
05f058def3edfb5ac23361a45bd8b93a55deec26d6c0761e9ac8525d04110919

SHA512
3a5ec617a9c569a7fa4a99334bbb1914f303c2046f52457d6b5ac369605d1a7b007cfd74a4a7c728ee606a676d6ae3652bf6963ff63c2b7458a2cd48bead5439

Download Submit
C:\Windows\System\naSUvgz.exe
Filesize
1.3MB

MD5
99b9c59b92e9c671961c12a77133c639

SHA1
c6d5eb5bdbc233e93cf418d33599ac014c52612d

SHA256
7da5a4037044ebecfa9064355e651fd9714c7469bfbf280aa2a36313d1548f0b

SHA512
1148fad7c164a84a697c5ce4e5dbedd029473d518b9ed20f8c55090d431f885f81a4f4d9c996aea5f3c38dae660db2e341a7ecf5cd2e456561c450826ec2db32

Download Submit
C:\Windows\System\oeviJzh.exe
Filesize
1.3MB

MD5
16e69503c09ae607a64c94902a764a79

SHA1
4070bc673801ecb0e882a30fef993362f9756235

SHA256
35ae33a60ed485fe5801a37c073665310fe55de3c628b16a70d6ba19b8e296eb

SHA512
28d1b0b339509ac16545ea9c80f5c1fabaf0f8df12562bf120e9006b503090e43d4f2e555e5ed19a326ccdaed76bec6a96566b63e6dc5e4e66b285d8dda98df6

Download Submit
C:\Windows\System\pVaUZEg.exe
Filesize
1.3MB

MD5
1c21a804d062dd9c28a9e062d623770f

SHA1
0ee8c1079c054d12ff3da03737f4f92a5582f846

SHA256
6eecd8535c410505205b1b5a0943a46bf0e16497246a22b998f703123b563ab1

SHA512
ade6c86cabbb368ed05ae42445730c89b590e5e755958461adb5299386779b32e33d842c6c08c6ba3ee9f9bae3e6d5941db8dc9c2140a365270ad23e09246233

Download Submit
C:\Windows\System\pVwrNVx.exe
Filesize
1.3MB

MD5
5c37402ef81fa41bc7d13a69e205624d

SHA1
e566675651e74eebc246e0569df5cfa8ce24005a

SHA256
8ca1132e7b54d339b4107e626450967af7d75c5072def07c667948c87c8a3e83

SHA512
e01088e64df0a6b3b3ecb3a55640abf669a8872317995f4e7af10f28077c4831ed9363b260fc51037e6f22b349160f8c1757a716ad0ebc454a7de15a06a633c0

Download Submit
C:\Windows\System\uyeNSxI.exe
Filesize
1.3MB

MD5
92edb7e5beab98eded53aa60ae74a121

SHA1
47cd9051ffd3722d6e9e941c2101de347bae876f

SHA256
9285c17e04d02d9319bdf7cb7e8dbfbcf7aeffb8f002f5388916da7d5de11883

SHA512
5f8906082cb1cd3b72e2ad9d90d39b9aae0d03774511cbbebecafbbc3e166b3d0cf95815a6a97add6a389fcd4be459aa2433e4da1f8a3b8d60b35988d1499f81

Download Submit
memory/1868-0-0x00000237B9E40000-0x00000237B9E50000-memory.dmp

Filesize
64KB

Download