Analysis Overview
SHA256
9651d7db8956d136f829b9511d32f6a0ac6b195c62a6ed9647bdd38c2d6c2ea8
Threat Level: Shows suspicious behavior
The file 4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
ASPack v2.12-2.42
Loads dropped DLL
Adds Run key to start application
Enumerates connected drives
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-17 23:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-17 23:04
Reported
2024-05-17 23:07
Platform
win7-20240221-en
Max time kernel
142s
Max time network
123s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QRRLEC.EXE = "C:\\PerfLogs\\services.exe" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\QQJS.EXE | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Ms7002.dll | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\svchost.exe | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\QQJS.EXE" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\PerfLogs\\QQJS.EXE %1" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\QPBYIW.EXE %1" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\PerfLogs\\XBEI.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Users\\JEGIKZ.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Program Files (x86)\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Regsvr32.exe
Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
C:\Program Files (x86)\svchost.exe
"C:\Program Files (x86)\svchost.exe"
Network
Files
memory/2204-0-0x0000000000270000-0x0000000000271000-memory.dmp
C:\PerfLogs\XBEI.EXE
| Hash | Value |
| --- | --- |
| MD5 | b48ff7e8dc51217b830c68b0465210d5 |
| SHA1 | ea9cd8d35f730ba425c38e4b2c46786d30d6a59d |
| SHA256 | e1e5c4111e1014518b5f126728a4370e47d2563cbb755955790d34083d956b81 |
| SHA512 | 16aafa6cb7863dfb30ab5cb7d908a5872ede26ab502fac9a09e6e625cec0c293f4805a55bb4d8ac9c30ebd9e30423bc11495ded47bf111a4d4c12db9f847a89d |
C:\Windows\SysWOW64\Ms7002.dll
| Hash | Value |
| --- | --- |
| MD5 | 876a2a99b81968f5b26e3cbe12063d2b |
| SHA1 | 7afa8f33b691b2651b65eb07220cc2fda4b7537c |
| SHA256 | f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0 |
| SHA512 | ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1 |
\Program Files (x86)\svchost.exe
| Hash | Value |
| --- | --- |
| MD5 | bc0103990bbaaceae05a0e6c637e54ef |
| SHA1 | 22fe86ba0c2c1f22b0554b55c4d28bea536f6ea4 |
| SHA256 | dcb5707fd61af1e1f1edb4ba5273e66873ef024d1ee09c5f89fc4ddae9b8553d |
| SHA512 | 97456426954c7ca94d09012197acee0c5d90377f53a7ccd4e3e5240f3008b97579c13b7ca600a13143d0cb16f57d164d3a7f6a19afc7d22681558da49d4d93d0 |
memory/2580-29-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2580-30-0x0000000000220000-0x0000000000221000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-17 23:04
Reported
2024-05-17 23:07
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XCMBCG.EXE = "C:\\Users\\unsecapp.exe" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\LYL.EXE | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Ms7002.dll | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\PerfLogs\\LYL.EXE %1" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\PerfLogs\\LYL.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\LYL.EXE" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Users\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\PerfLogs\\LYL.EXE %1" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\PerfLogs\\LYL.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3720 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Windows\SysWOW64\Regsvr32.exe |
| PID 3720 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Windows\SysWOW64\Regsvr32.exe |
| PID 3720 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Windows\SysWOW64\Regsvr32.exe |
| PID 3720 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Users\explorer.exe |
| PID 3720 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Users\explorer.exe |
| PID 3720 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Users\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Regsvr32.exe
Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
C:\Users\explorer.exe
C:\Users\explorer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
memory/3720-0-0x0000000002310000-0x0000000002311000-memory.dmp
C:\PerfLogs\LYL.EXE
| Hash | Value |
| --- | --- |
| MD5 | fd61aa1c3f37a11d8be86f433d1dd342 |
| SHA1 | 3ea7dcd94ce1bb2808545902178b9a392e94a36c |
| SHA256 | 53cf38a73315429cb71392db24de360a51ef914cf13dbefe9ebcd93590f4d85e |
| SHA512 | 69f2aaff02348ca26bc26e71bc19757fc1868cdc600a3eb6289b5a5c6cfeadb9301fb5007652987af5f0b238bae14338ee634115a55ad36cae24263913cff3b0 |
C:\filedebug
| Hash | Value |
| --- | --- |
| MD5 | 06338706d027037107d12e50050318f8 |
| SHA1 | 8c830ece2974b77116eb2987ccd0fc7f5cda8628 |
| SHA256 | a0cd64ca10c28df358f71d8ddb1fe3f50c702e2195ecd006fa825fa294160d1e |
| SHA512 | d3748f4eda8297470dc45a2aa0d5150cffeec616b8680bfa07e97eca0e07fc17a919051d40a8251910f3bc7fa065843116a0095773cfb8cfb6553134f078c515 |
C:\Windows\SysWOW64\Ms7002.dll
| Hash | Value |
| --- | --- |
| MD5 | 876a2a99b81968f5b26e3cbe12063d2b |
| SHA1 | 7afa8f33b691b2651b65eb07220cc2fda4b7537c |
| SHA256 | f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0 |
| SHA512 | ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1 |
C:\Users\explorer.exe
| Hash | Value |
| --- | --- |
| MD5 | 9403747d3b7780e92807f94b9a9ad159 |
| SHA1 | 27406c57f0aebb9204e8cbe94467bbb4b67a0a34 |
| SHA256 | d91a869ad75de735fbf4f4381e63972cc97a9d4e744c234b48402903a355e5b3 |
| SHA512 | ad21dcbb0a3e27509e31db858ffa25eb18172bbd35895e2f62b7f7b93d965aefbe654136d171cfb9daafb5a16ddac7727e5179f77848245a2793e1109e3b0f57 |
memory/388-25-0x0000000000750000-0x0000000000751000-memory.dmp
memory/388-26-0x0000000000750000-0x0000000000751000-memory.dmp