Malware Analysis Report

2025-03-15 08:09

Sample ID 240530-mk32kaec7x
Target 4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe
SHA256 d6879d9d7c03a49a4f8e32cf8c5a8ac7bf4d46d5b16e73b659a3720b1172c36c
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

d6879d9d7c03a49a4f8e32cf8c5a8ac7bf4d46d5b16e73b659a3720b1172c36c

Threat Level: Known bad

The file 4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

Cobaltstrike family

XMRig Miner payload

Cobalt Strike reflective loader

Cobaltstrike

xmrig

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 10:32

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 10:32

Reported

2024-05-30 10:35

Platform

win7-20240221-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\azEwTGd.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\jCvqfGx.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\gZXoqDE.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\johOSve.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\IMypdEL.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\popLwBp.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\SPOBPmF.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\UwspsDL.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\jSzGcZW.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\iZDfuKW.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\DJBNnUg.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\wHKkOvL.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\WxYXzaH.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\PDoLcfj.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\hIfpcCW.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\PUrJgtr.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\qELoguR.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\VMSIIKz.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\VSBxQpJ.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\jrlOeSH.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\uuquFxb.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\hIfpcCW.exe
PID 2752 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\DJBNnUg.exe
PID 2752 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\gZXoqDE.exe
PID 2752 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\wHKkOvL.exe
PID 2752 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\PUrJgtr.exe
PID 2752 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\WxYXzaH.exe
PID 2752 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\johOSve.exe
PID 2752 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\IMypdEL.exe
PID 2752 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\qELoguR.exe
PID 2752 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\popLwBp.exe
PID 2752 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\azEwTGd.exe
PID 2752 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\SPOBPmF.exe
PID 2752 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\VSBxQpJ.exe
PID 2752 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\jCvqfGx.exe
PID 2752 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\jrlOeSH.exe
PID 2752 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\uuquFxb.exe
PID 2752 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\UwspsDL.exe
PID 2752 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\jSzGcZW.exe
PID 2752 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\PDoLcfj.exe
PID 2752 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\iZDfuKW.exe
PID 2752 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\VMSIIKz.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe"

C:\Windows\System\hIfpcCW.exe

C:\Windows\System\DJBNnUg.exe

C:\Windows\System\gZXoqDE.exe

C:\Windows\System\wHKkOvL.exe

C:\Windows\System\PUrJgtr.exe

C:\Windows\System\WxYXzaH.exe

C:\Windows\System\johOSve.exe

C:\Windows\System\IMypdEL.exe

C:\Windows\System\qELoguR.exe

C:\Windows\System\popLwBp.exe

C:\Windows\System\azEwTGd.exe

C:\Windows\System\SPOBPmF.exe

C:\Windows\System\VSBxQpJ.exe

C:\Windows\System\jCvqfGx.exe

C:\Windows\System\jrlOeSH.exe

C:\Windows\System\uuquFxb.exe

C:\Windows\System\UwspsDL.exe

C:\Windows\System\jSzGcZW.exe

C:\Windows\System\PDoLcfj.exe

C:\Windows\System\iZDfuKW.exe

C:\Windows\System\VMSIIKz.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\hIfpcCW.exe

\Windows\system\DJBNnUg.exe

C:\Windows\system\gZXoqDE.exe

C:\Windows\system\wHKkOvL.exe

C:\Windows\system\PUrJgtr.exe

C:\Windows\system\WxYXzaH.exe

C:\Windows\system\popLwBp.exe

\Windows\system\SPOBPmF.exe

C:\Windows\system\qELoguR.exe

C:\Windows\system\azEwTGd.exe

\Windows\system\jCvqfGx.exe

C:\Windows\system\PDoLcfj.exe

\Windows\system\VMSIIKz.exe

C:\Windows\system\iZDfuKW.exe

C:\Windows\system\jSzGcZW.exe

C:\Windows\system\UwspsDL.exe

C:\Windows\system\jrlOeSH.exe

C:\Windows\system\uuquFxb.exe

C:\Windows\system\VSBxQpJ.exe

C:\Windows\system\IMypdEL.exe

C:\Windows\system\johOSve.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 10:32

Reported

2024-05-30 10:34

Platform

win10v2004-20240426-en

Max time kernel

139s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\BntWUUY.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\OpwMGAK.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\bmnklaT.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\hRbFXrX.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\vIDdzXF.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\vMshxAC.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\iXlYHKR.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\UjmLOzA.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\edgNUkd.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\wiCghTk.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\hbYPQYD.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\DlguYTF.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\OlNxAOq.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\uZorvmr.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\gAvmjoB.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\ecxxhfV.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\hofRLqy.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\SPfDbNO.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\EGKUqFj.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\NvGUnvK.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
File created C:\Windows\System\iZRXGtc.exe C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1064 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\UjmLOzA.exe
PID 1064 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\UjmLOzA.exe
PID 1064 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\hRbFXrX.exe
PID 1064 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\hRbFXrX.exe
PID 1064 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\EGKUqFj.exe
PID 1064 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\EGKUqFj.exe
PID 1064 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\gAvmjoB.exe
PID 1064 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\gAvmjoB.exe
PID 1064 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\vIDdzXF.exe
PID 1064 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\vIDdzXF.exe
PID 1064 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\NvGUnvK.exe
PID 1064 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\NvGUnvK.exe
PID 1064 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\vMshxAC.exe
PID 1064 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\vMshxAC.exe
PID 1064 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\ecxxhfV.exe
PID 1064 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\ecxxhfV.exe
PID 1064 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\iXlYHKR.exe
PID 1064 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\iXlYHKR.exe
PID 1064 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\edgNUkd.exe
PID 1064 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\edgNUkd.exe
PID 1064 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\hofRLqy.exe
PID 1064 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\hofRLqy.exe
PID 1064 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\SPfDbNO.exe
PID 1064 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\SPfDbNO.exe
PID 1064 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\DlguYTF.exe
PID 1064 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\DlguYTF.exe
PID 1064 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\iZRXGtc.exe
PID 1064 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\iZRXGtc.exe
PID 1064 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\wiCghTk.exe
PID 1064 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\wiCghTk.exe
PID 1064 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\BntWUUY.exe
PID 1064 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\BntWUUY.exe
PID 1064 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\OlNxAOq.exe
PID 1064 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\OlNxAOq.exe
PID 1064 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\uZorvmr.exe
PID 1064 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\uZorvmr.exe
PID 1064 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\OpwMGAK.exe
PID 1064 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\OpwMGAK.exe
PID 1064 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\hbYPQYD.exe
PID 1064 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\hbYPQYD.exe
PID 1064 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\bmnklaT.exe
PID 1064 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe C:\Windows\System\bmnklaT.exe
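
The three tables above (files dropped, privilege adjusted, memory written) describe one parent writing 21 executables into C:\Windows\System\ and then touching each child's memory once. The script below is an added example, not the sandbox's own tooling: it parses rows copied from those tables (a subset of each), collapses the doubled WriteProcessMemory entries, cross-checks that every dropped file is also a WriteProcessMemory target, and flags the two behaviours worth keying a detection on: a seven-letter random name written straight into C:\Windows\System\ (the naming pattern every drop in this report follows; the regex is an assumption about this sample, not a general rule) and a request for SeLockMemoryPrivilege, which XMRig needs for huge pages. One caveat a practitioner should keep in mind: a parent writing into a child it has just created is also what CreateProcess itself does when it copies the process parameters across, so a single "wrote to memory of" row per child shows process creation, not necessarily injection.

```python
"""Cross-check the behavioral2 signature tables above.

Rows are copied from the report (a subset of each table). The parsing and the
checks are an added example, not part of the sandbox's output.
"""
import re
from collections import defaultdict

PARENT = r"C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe"

# "Drops file in Windows directory": Description Indicator Process Target
DROP_ROWS = [
    rf"File created C:\Windows\System\UjmLOzA.exe {PARENT} N/A",
    rf"File created C:\Windows\System\hRbFXrX.exe {PARENT} N/A",
    rf"File created C:\Windows\System\EGKUqFj.exe {PARENT} N/A",
    rf"File created C:\Windows\System\bmnklaT.exe {PARENT} N/A",
]

# "Suspicious use of AdjustPrivilegeToken": Description Indicator Process Target
TOKEN_ROWS = [
    rf"Token: SeLockMemoryPrivilege N/A {PARENT} N/A",
    rf"Token: SeLockMemoryPrivilege N/A {PARENT} N/A",
]

# "Suspicious use of WriteProcessMemory": the report lists each parent/child pair twice
WPM_ROWS = [
    rf"PID 1064 wrote to memory of 1340 N/A {PARENT} C:\Windows\System\UjmLOzA.exe",
    rf"PID 1064 wrote to memory of 1340 N/A {PARENT} C:\Windows\System\UjmLOzA.exe",
    rf"PID 1064 wrote to memory of 2916 N/A {PARENT} C:\Windows\System\hRbFXrX.exe",
    rf"PID 1064 wrote to memory of 612 N/A {PARENT} C:\Windows\System\EGKUqFj.exe",
    rf"PID 1064 wrote to memory of 4504 N/A {PARENT} C:\Windows\System\bmnklaT.exe",
]

# Seven mixed-case letters dropped straight into C:\Windows\System\: the pattern
# every dropped file in this report follows (assumed for this sample only).
RANDOM_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")

# XMRig requests this privilege to allocate huge pages for its hashing memory;
# ordinary user-mode software almost never asks for it.
MINER_PRIVILEGES = {"SeLockMemoryPrivilege"}

WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_drops(rows):
    """'File created <path> <process> N/A' -> {path: creating process}."""
    drops = {}
    for row in rows:
        _, _, path, proc, _ = row.split(" ")
        drops[path] = proc
    return drops


def parse_tokens(rows):
    """'Token: <privilege> N/A <process> N/A' -> {process: {privileges}}."""
    privs = defaultdict(set)
    for row in rows:
        _, priv, _, proc, _ = row.split(" ")
        privs[proc].add(priv)
    return privs


def parse_wpm(rows):
    """'PID <p> wrote to memory of <c> N/A <parent> <child>' -> {(p, c): (parent, child)}.

    Duplicate rows collapse because the dict is keyed on the PID pair.
    """
    pairs = {}
    for row in rows:
        m = WPM_ROW.match(row)
        if m is None:
            raise ValueError(f"unexpected row: {row!r}")
        ppid, cpid, pimg, cimg = m.groups()
        pairs[(int(ppid), int(cpid))] = (pimg, cimg)
    return pairs


def triage(drop_rows=DROP_ROWS, token_rows=TOKEN_ROWS, wpm_rows=WPM_ROWS):
    """Summarise the tables and flag any dropped file the parent never wrote to (or vice versa)."""
    drops = parse_drops(drop_rows)
    tokens = parse_tokens(token_rows)
    pairs = parse_wpm(wpm_rows)
    written = {child for _, child in pairs.values()}
    children = defaultdict(list)
    for (ppid, cpid), (_, child) in pairs.items():
        children[ppid].append((cpid, child))
    return {
        "random_named_drops": sorted(p for p in drops if RANDOM_SYSTEM_EXE.match(p)),
        "dropped_not_written": sorted(set(drops) - written),
        "written_not_dropped": sorted(written - set(drops)),
        "miner_privilege_procs": sorted(p for p, s in tokens.items() if s & MINER_PRIVILEGES),
        "children": {ppid: sorted(c) for ppid, c in children.items()},
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On the full tables the two mismatch lists come back empty: each of the 21 dropped files is started by PID 1064 and nothing else, and only the original sample asks for SeLockMemoryPrivilege.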

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe"
C:\Windows\System\UjmLOzA.exe C:\Windows\System\UjmLOzA.exe
C:\Windows\System\hRbFXrX.exe C:\Windows\System\hRbFXrX.exe
C:\Windows\System\EGKUqFj.exe C:\Windows\System\EGKUqFj.exe
C:\Windows\System\gAvmjoB.exe C:\Windows\System\gAvmjoB.exe
C:\Windows\System\vIDdzXF.exe C:\Windows\System\vIDdzXF.exe
C:\Windows\System\NvGUnvK.exe C:\Windows\System\NvGUnvK.exe
C:\Windows\System\vMshxAC.exe C:\Windows\System\vMshxAC.exe
C:\Windows\System\ecxxhfV.exe C:\Windows\System\ecxxhfV.exe
C:\Windows\System\iXlYHKR.exe C:\Windows\System\iXlYHKR.exe
C:\Windows\System\edgNUkd.exe C:\Windows\System\edgNUkd.exe
C:\Windows\System\hofRLqy.exe C:\Windows\System\hofRLqy.exe
C:\Windows\System\SPfDbNO.exe C:\Windows\System\SPfDbNO.exe
C:\Windows\System\DlguYTF.exe C:\Windows\System\DlguYTF.exe
C:\Windows\System\iZRXGtc.exe C:\Windows\System\iZRXGtc.exe
C:\Windows\System\wiCghTk.exe C:\Windows\System\wiCghTk.exe
C:\Windows\System\BntWUUY.exe C:\Windows\System\BntWUUY.exe
C:\Windows\System\OlNxAOq.exe C:\Windows\System\OlNxAOq.exe
C:\Windows\System\uZorvmr.exe C:\Windows\System\uZorvmr.exe
C:\Windows\System\OpwMGAK.exe C:\Windows\System\OpwMGAK.exe
C:\Windows\System\hbYPQYD.exe C:\Windows\System\hbYPQYD.exe
C:\Windows\System\bmnklaT.exe C:\Windows\System\bmnklaT.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

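
The Network table mixes two very different kinds of row: reverse-DNS queries sent to the sandbox's resolver, where the address being looked up is written backwards inside an in-addr.arpa name, and direct TCP connections, where the Domain column is empty. The script below is an added example (not the sandbox's output) that parses the fifteen rows above, decodes every PTR name back to the address it asks about, and tallies the direct connections, which in this run all go to a single endpoint, 3.120.209.58:8080. The report does not say which process opened that connection, so treat it as the primary indicator candidate and confirm the owning process before calling it command and control.

```python
"""Decode the Network table above into addresses you can hunt for.

Rows are copied from the report; the parsing is an added example, not the
sandbox's own output.
"""
import ipaddress
from collections import Counter

# Country Destination Domain Proto (Domain is empty for the direct connections)
NETWORK_ROWS = [
    "US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp",
    "US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp",
    "US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "DE 3.120.209.58:8080 tcp",
    "US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp",
    "US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp",
    "US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp",
    "DE 3.120.209.58:8080 tcp",
    "DE 3.120.209.58:8080 tcp",
    "US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp",
    "DE 3.120.209.58:8080 tcp",
    "US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp",
    "DE 3.120.209.58:8080 tcp",
    "DE 3.120.209.58:8080 tcp",
]


def ptr_to_ip(name):
    """'183.142.211.20.in-addr.arpa' -> IPv4Address('20.211.142.183')."""
    labels = name.lower().removesuffix(".in-addr.arpa").split(".")
    if len(labels) != 4:
        raise ValueError(f"not an IPv4 PTR name: {name!r}")
    return ipaddress.IPv4Address(".".join(reversed(labels)))


def parse_network(rows):
    """Split rows into decoded PTR targets, forward-lookup names and direct connections."""
    ptr_targets, names, direct = [], [], []
    for row in rows:
        parts = row.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unexpected row: {row!r}")
        if domain == "N/A":  # some renderings fill the empty column with N/A
            domain = ""
        host, _, port = dest.rpartition(":")
        if domain.endswith(".in-addr.arpa"):
            ptr_targets.append(ptr_to_ip(domain))
        elif domain:  # a forward lookup: the destination is only the resolver
            names.append(domain)
        else:
            direct.append((country, host, int(port), proto))
    return ptr_targets, names, direct


def summarize(rows=NETWORK_ROWS):
    ptr_targets, names, direct = parse_network(rows)
    return {
        "ptr_lookups": [str(ip) for ip in sorted(set(ptr_targets))],
        "dns_names": sorted(set(names)),
        "direct_connections": {
            f"{host}:{port}/{proto}": n
            for (_, host, port, proto), n in Counter(direct).items()
        },
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The nine decoded PTR targets are addresses the guest asked the resolver to name, not hosts the sample connected to; compare them with the detonation environment's normal background traffic before putting any of them on a block list.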

Files

memory/1064-0-0x00007FF6BA5C0000-0x00007FF6BA914000-memory.dmp

memory/1064-1-0x00000200D61B0000-0x00000200D61C0000-memory.dmp

C:\Windows\System\UjmLOzA.exe

MD5 bbef2b1fff6de28b1646fbf7d8d2fb86
SHA1 7ad57874594741f8259e551aba0d52417a52f99b
SHA256 d6dda0339af07b1f897118fe18cce0a63df07fb76ed802bc70deebdd580d023f
SHA512 133f2481fdad852a2e94154a590f053dc0ebc7d84469bb49ab65d0b31a0af48deb5795545d1f7292ca76dda5b8f129cc8acf9255fec2f10ca4c912a4ed4503e1

C:\Windows\System\hRbFXrX.exe

MD5 896357033ac53bed107b3980247ffa27
SHA1 33ba89ec0b08e1ecf44deba44a037a62c5c98543
SHA256 05b942cafabcaa6a722c5ca34788e0c14494ff2f0208ab11cf6d8330c70e5c10
SHA512 01c961a2bd538e69daadecf1ca13bd58b139e1d019a8c6c55b9ac5ad6754de729263990f46c749d7f13c8f634dbf3a840d249956429695ffcbaf34a5d89fafd9

memory/1340-7-0x00007FF7809C0000-0x00007FF780D14000-memory.dmp

C:\Windows\System\EGKUqFj.exe

MD5 b2eec5f54a940167d42f73e3e79ca904
SHA1 f5058c0b1c9209e21040cce37f28e36715b52b74
SHA256 3b18623a66cd30e3abc2e7258b26f5f82e74f04a723787379a7e3cb60bfff05e
SHA512 e363da73e7dada330ea82979cf90f5737d5893da323b835fbdbe3278ac3df30834f99cae85de0a4bd695d42a000c4d941f431194e800350e50b21fee9dd8307f

C:\Windows\System\vIDdzXF.exe

MD5 a5d253671dc0e958985e00df5e551738
SHA1 be551fad8f0515f3fef35cb114921ebd208b41d7
SHA256 2196e6ae3839e80e4a94f21e1cf24ad64d3b950a607fb7b14a153749b2eb3139
SHA512 cbbfd108171c4ba0eac6ae7b20722a5dd655b4491af2127eae236b9d54cfe1ccc3f9b2dbcbc24e444d1a81f6f428cbd15f542c61a345cd5990dc0f6b68a275b0

memory/612-30-0x00007FF769700000-0x00007FF769A54000-memory.dmp

memory/744-33-0x00007FF608E90000-0x00007FF6091E4000-memory.dmp

C:\Windows\System\NvGUnvK.exe

MD5 fd3bf98c4c25c6df8950c5d99a30edf9
SHA1 fef34ec0b45ea4b00e38e917ad12e7c8cca29592
SHA256 1fe192396799c11ba1f9a3e700ffd0ae2352c05511fdc8b37b124dc0f2cb4fec
SHA512 9096e7161302ea6e552aa29d78fbc1932f02a4e7f45c0f06749597f8af277cf63c4501b0ec27a62161d37a445720aab91f1ccd162cd4b4300cf5c753c38ecbc0

memory/1872-41-0x00007FF77EFE0000-0x00007FF77F334000-memory.dmp

C:\Windows\System\vMshxAC.exe

MD5 9d8ccefec711f620ce2f0c10d3d38c4a
SHA1 77aeea42d8dba25ba5320c8444f4e5dc2b5328eb
SHA256 84b86a8a911f49fb7cf985a6630bf4ed2bbee342bb23ec5aac55eaab75f10ea9
SHA512 5b59e79c253879a9c6308edfbaedb3659d20f6e77a9328c022e961fbf98cfb623cd449cf77b6b45576ad93ae0a046c79fd560e9c6a56a6068b6879a91f4a141b

C:\Windows\System\iXlYHKR.exe

MD5 7b1381075de115a99e0d4fe91364257a
SHA1 d8c1d2d0fcf8a93c9a287f3025d708921b33cf7d
SHA256 8f84d9b615633033c06ea5ae99715ef90c451c20a6c9cff1466c48b2f155dd86
SHA512 1bb59622f37e267fd899743353dad1df04fbd66e309357b4b08f2fffecd67a1586afdb895d986b7a534234a61bf4deedfc3575944a6cbee7328522957f330ae5

C:\Windows\System\edgNUkd.exe

MD5 88260bae6ea94277dfeb2962d9d99557
SHA1 b168092fd6d5dd566934b749aec08f6461393fab
SHA256 34a3eb0f2503642ca50268e1ad0018254ef4c04a3bae9ba37dceb07cbbe3fad0
SHA512 00440b06afb86048fcc4428ae98347cc00896961061d11f6a63b9491d807c226f47de45317aecba07c67e3a75b3b6281820391dd1ad0e6190855d874c1f32463

memory/816-62-0x00007FF633F50000-0x00007FF6342A4000-memory.dmp

C:\Windows\System\hofRLqy.exe

MD5 1aa60b62fd644a2b3e48e85a12603d61
SHA1 9042d1b310dbcc9151dedf30ad4fefa3e1f60ad1
SHA256 eaf96ef9d547958bec75f6fa713ab26889f6d7f16d7da642827b7aae960ba35d
SHA512 7352197610ace30fc8ffd484ff872e35f281ee4a9ad64570c38f96643dda219054dc699d5a74f26ce8129cdfa87ce8ae2e4885988eb8007a4e87a2b4abf10ce0

memory/4676-78-0x00007FF75F3B0000-0x00007FF75F704000-memory.dmp

C:\Windows\System\iZRXGtc.exe

MD5 00db58e6282b166396d07aeedacb800b
SHA1 bd90a0f47e992a4d793865813916f70b79cc8e9f
SHA256 6161728edf6f3d07f11856283739ceb91b827423a4d9ece0dcc177f018883cb5
SHA512 89f97f699b30e6e467e29378a59688be1f56b0bf907aba696bcd057c0567010cdea002ad86f9e5018f0fb992be0f321ca0b4f08e21cc99fd4937397231484bf3

C:\Windows\System\DlguYTF.exe

MD5 c2a8433b2034f6693bd4b17d5e2dd8d5
SHA1 11932fb8161cded32e38df5e156d84e3f03f9853
SHA256 6e3681c67c467b0098705369a970711b40616acde87e3bb2806c6e07e6f5735a
SHA512 f389bcb2b476b5a7150f25cfe70749d016334c5b3237d553c2f26b24632caa4fdac9f2b28600991152a22073d85a00ed06f2faa29a4d87645facddf7739f8add

C:\Windows\System\SPfDbNO.exe

MD5 69442f17db9e2ff2c9df812df14128b4
SHA1 a682c37ee0c78e01a1f3aebb69b2bd0f35e1193e
SHA256 c3159248c5e656fe8434bf0f08fa0d80e134efc9e9b471be4628495a258cbcb9
SHA512 0ba4ba35873411c7b914696472b814afe9264db48b5a65dc64e5ebe64ff960bb5d215c103d305712a23cf7f9501ea0be4ec0e2c72937fc1a8c891608113de192

memory/452-80-0x00007FF652EB0000-0x00007FF653204000-memory.dmp

memory/2776-79-0x00007FF7E8360000-0x00007FF7E86B4000-memory.dmp

memory/4812-75-0x00007FF65DA00000-0x00007FF65DD54000-memory.dmp

memory/4588-66-0x00007FF7C3EA0000-0x00007FF7C41F4000-memory.dmp

memory/3876-63-0x00007FF69D960000-0x00007FF69DCB4000-memory.dmp

memory/4600-60-0x00007FF623270000-0x00007FF6235C4000-memory.dmp

C:\Windows\System\ecxxhfV.exe

MD5 9987e813f19bfe7f1b4f4f8b5074be9b
SHA1 cc3b3022ecf51af3f70e05b1d09ebb21af9a7a9a
SHA256 fe651c7a44d29c4378d55069a98441e7fd8fbe4cea0eb2cb4f94a8d33c2cbf36
SHA512 8297bde7c31373be0b86ed036fdd68f225ffde2d3ba0330ee155557dff68ae4deaa0f67cf8f8a52c3c8e457c1b655bf36d55f7116dad044560e6c9067a82a4fc

memory/3392-37-0x00007FF75E4A0000-0x00007FF75E7F4000-memory.dmp

C:\Windows\System\gAvmjoB.exe

MD5 1b089cad66f8b0aad8b8c700d4b8634e
SHA1 4afcdf52bdb114658353c873f935c5afbac41d26
SHA256 c48d5c15a551e2974a9d0696dce8e466bd776f6c394be21c247b086cce8c586e
SHA512 b335ef467665e7aeae22d508aec29975c9e92d6912a6872a9ee760788b84553e2cc3507e4430bdec95407256c506b1fb7f657096e68a0fe0c1b225ce56af270f

memory/2916-16-0x00007FF78AF00000-0x00007FF78B254000-memory.dmp

C:\Windows\System\wiCghTk.exe

MD5 d7db969e5d7cbbc922485928f035182d
SHA1 32f9a1137c3b2de27b81a4ef4b7c9eb4447266ee
SHA256 21ee18be018277d299cadcc408b21c076b5d939dc4deea721e9bb614b16334fc
SHA512 243ad8b630abacc3873645fbbe97257bfdc30dde195b35c47e59ea8c5f1f0ffc779c956eb575db5fe2b3c7c24c991b2e60da6520bdba994d0d974e01aa986d9e

C:\Windows\System\BntWUUY.exe

MD5 e53a5ee5a9984270c0e432d78d231204
SHA1 3fba0e08aa81fc22581b99602158b0210e581ac0
SHA256 18322150ec70e9a6f779abc61de5c08c37d2913e6aa08bd9fbd7e73ea4592eed
SHA512 10620f3ae97cb3a69634f2be069fb6db392c6ad7c55bf5fa980c569fa5300b3875ad31daa9df7445ebf78d3ef52f8487e39fc2564d2009d9c672df96716bbcdd

memory/5032-94-0x00007FF66F320000-0x00007FF66F674000-memory.dmp

memory/4296-99-0x00007FF78F6E0000-0x00007FF78FA34000-memory.dmp

memory/1064-98-0x00007FF6BA5C0000-0x00007FF6BA914000-memory.dmp

C:\Windows\System\OlNxAOq.exe

MD5 3bcad063078a1c27fed4097ddfffd494
SHA1 fe2478ee8d653551157cea3ffb2c9b2d99a73fc3
SHA256 1c6087215b4d1702e4cda1299fca5d8fb7cddbd328c3aa3d65ed9cb126310605
SHA512 6b170d5533a40b22ed916a8387bb55b4d579df3c256ab66e4b5712cc60e387691e2323c16fe8d8dc145c2f9875a393a2f0def78e59e643851f7445731f1f99cb

C:\Windows\System\uZorvmr.exe

MD5 f00e3a6ecb85a7551709bded6ebb6639
SHA1 c8c9bdffdc890725dd7132c706ab67e0c649e94b
SHA256 33df11718fbfd2426aaf29df47d5da39ff7f98a3a2217fe8941b83b283667649
SHA512 c20772f658381d03d4f630166d5faad04a8f5216c1edb057f3c7c7f881aa18dc611b93b340a7c18bca97e37af871115594df60f846305aa7a3308359c76c1040

memory/3740-106-0x00007FF66DDC0000-0x00007FF66E114000-memory.dmp

memory/1340-103-0x00007FF7809C0000-0x00007FF780D14000-memory.dmp

memory/2916-112-0x00007FF78AF00000-0x00007FF78B254000-memory.dmp

C:\Windows\System\hbYPQYD.exe

MD5 a91873d771e20ab8475df771e6d05641
SHA1 1e5aa3b808c17a62d4df886fe589bd8bf9ecbaac
SHA256 8247bf6da45d003609fbce2863e337542c8cfb8651462dd8df92202041535f4a
SHA512 eb87a2add5bfca645bb036f4e75ac1f4db48aa43056a7aa438351b9dc01b3ea7a15bd257b48166aa85bdf2856386d6e66cda20dde1d682afc702c0d3090487cb

C:\Windows\System\OpwMGAK.exe

MD5 caf40009c7cf9a9ebee70e8bfe40a4e6
SHA1 2bbd237325271451fb9115ed17a29cc8595abe11
SHA256 016ada725e219b446f1c488b1f149c5210491e2c97b14af4d5f0bc8c1a8a0730
SHA512 02ec53d34f7a8655d2d9340165440c167368030ce72cc46200cb2f39ec1425bb9c0dc9dc5c601b41a6eb762d679f70a47364275dc76af8f3b8590475b173b4a0

memory/912-127-0x00007FF721410000-0x00007FF721764000-memory.dmp

memory/1872-128-0x00007FF77EFE0000-0x00007FF77F334000-memory.dmp

memory/4504-130-0x00007FF785ED0000-0x00007FF786224000-memory.dmp

C:\Windows\System\bmnklaT.exe

MD5 5208ae3328cf0b84cb049feab752b439
SHA1 df6abcafc1400196dc58649d8d80852c37c2fe5a
SHA256 b55cced7eb2619d2dd4abdbd2c0d0b2e05711b603059353e4c8a3d3d6c4f5148
SHA512 1c049a6510c30d634d882dd82cf33c6cf6c64849e65934720f4f0e41940ac9a33c8ad5814d34b44e39cfbfb9f03f80f05df2f1b116ac607456415b711754373d

memory/2636-126-0x00007FF6DEC50000-0x00007FF6DEFA4000-memory.dmp

memory/2524-117-0x00007FF6DC6F0000-0x00007FF6DCA44000-memory.dmp

memory/3876-132-0x00007FF69D960000-0x00007FF69DCB4000-memory.dmp

memory/4676-133-0x00007FF75F3B0000-0x00007FF75F704000-memory.dmp

memory/2776-134-0x00007FF7E8360000-0x00007FF7E86B4000-memory.dmp

memory/452-135-0x00007FF652EB0000-0x00007FF653204000-memory.dmp

memory/3740-136-0x00007FF66DDC0000-0x00007FF66E114000-memory.dmp

memory/4504-137-0x00007FF785ED0000-0x00007FF786224000-memory.dmp

memory/1340-138-0x00007FF7809C0000-0x00007FF780D14000-memory.dmp

memory/2916-139-0x00007FF78AF00000-0x00007FF78B254000-memory.dmp

memory/612-140-0x00007FF769700000-0x00007FF769A54000-memory.dmp

memory/744-142-0x00007FF608E90000-0x00007FF6091E4000-memory.dmp

memory/3392-141-0x00007FF75E4A0000-0x00007FF75E7F4000-memory.dmp

memory/4600-143-0x00007FF623270000-0x00007FF6235C4000-memory.dmp

memory/1872-144-0x00007FF77EFE0000-0x00007FF77F334000-memory.dmp

memory/4588-145-0x00007FF7C3EA0000-0x00007FF7C41F4000-memory.dmp

memory/816-146-0x00007FF633F50000-0x00007FF6342A4000-memory.dmp

memory/4812-147-0x00007FF65DA00000-0x00007FF65DD54000-memory.dmp

memory/3876-148-0x00007FF69D960000-0x00007FF69DCB4000-memory.dmp

memory/4676-149-0x00007FF75F3B0000-0x00007FF75F704000-memory.dmp

memory/452-150-0x00007FF652EB0000-0x00007FF653204000-memory.dmp

memory/2776-151-0x00007FF7E8360000-0x00007FF7E86B4000-memory.dmp

memory/5032-152-0x00007FF66F320000-0x00007FF66F674000-memory.dmp

memory/4296-153-0x00007FF78F6E0000-0x00007FF78FA34000-memory.dmp

memory/3740-154-0x00007FF66DDC0000-0x00007FF66E114000-memory.dmp

memory/2524-155-0x00007FF6DC6F0000-0x00007FF6DCA44000-memory.dmp

memory/2636-157-0x00007FF6DEC50000-0x00007FF6DEFA4000-memory.dmp

memory/912-156-0x00007FF721410000-0x00007FF721764000-memory.dmp

memory/4504-158-0x00007FF785ED0000-0x00007FF786224000-memory.dmp
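
Two facts a practitioner would want to pull out of the Files lists of both detonations: every one of the 21 dropped executables has a different SHA256, yet the largest dumped region of every process, parent and children alike and on both the Windows 7 and the Windows 10 run, is exactly 0x354000 bytes. The script below is an added example, not the sandbox's output: it parses the memory-dump names (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp), computes region sizes, and checks the dropped-file hashes for collisions. The reading that one payload is re-written with per-copy byte differences is an inference from that data, not something the report states; what follows from it regardless is that blocking the dropped files by hash buys nothing, and detection has to key on the behaviour in the signature tables.

```python
"""Dropped-file hashes and memory-dump ranges from the Files lists above.

Values are copied from the report (all 21 behavioral2 SHA256s, a subset of the
dump names from both detonations). The checks are an added example, not the
sandbox's own output.
"""
import re
from collections import defaultdict

DROPPED_SHA256 = {
    "UjmLOzA.exe": "d6dda0339af07b1f897118fe18cce0a63df07fb76ed802bc70deebdd580d023f",
    "hRbFXrX.exe": "05b942cafabcaa6a722c5ca34788e0c14494ff2f0208ab11cf6d8330c70e5c10",
    "EGKUqFj.exe": "3b18623a66cd30e3abc2e7258b26f5f82e74f04a723787379a7e3cb60bfff05e",
    "vIDdzXF.exe": "2196e6ae3839e80e4a94f21e1cf24ad64d3b950a607fb7b14a153749b2eb3139",
    "NvGUnvK.exe": "1fe192396799c11ba1f9a3e700ffd0ae2352c05511fdc8b37b124dc0f2cb4fec",
    "vMshxAC.exe": "84b86a8a911f49fb7cf985a6630bf4ed2bbee342bb23ec5aac55eaab75f10ea9",
    "iXlYHKR.exe": "8f84d9b615633033c06ea5ae99715ef90c451c20a6c9cff1466c48b2f155dd86",
    "edgNUkd.exe": "34a3eb0f2503642ca50268e1ad0018254ef4c04a3bae9ba37dceb07cbbe3fad0",
    "hofRLqy.exe": "eaf96ef9d547958bec75f6fa713ab26889f6d7f16d7da642827b7aae960ba35d",
    "iZRXGtc.exe": "6161728edf6f3d07f11856283739ceb91b827423a4d9ece0dcc177f018883cb5",
    "DlguYTF.exe": "6e3681c67c467b0098705369a970711b40616acde87e3bb2806c6e07e6f5735a",
    "SPfDbNO.exe": "c3159248c5e656fe8434bf0f08fa0d80e134efc9e9b471be4628495a258cbcb9",
    "ecxxhfV.exe": "fe651c7a44d29c4378d55069a98441e7fd8fbe4cea0eb2cb4f94a8d33c2cbf36",
    "gAvmjoB.exe": "c48d5c15a551e2974a9d0696dce8e466bd776f6c394be21c247b086cce8c586e",
    "wiCghTk.exe": "21ee18be018277d299cadcc408b21c076b5d939dc4deea721e9bb614b16334fc",
    "BntWUUY.exe": "18322150ec70e9a6f779abc61de5c08c37d2913e6aa08bd9fbd7e73ea4592eed",
    "OlNxAOq.exe": "1c6087215b4d1702e4cda1299fca5d8fb7cddbd328c3aa3d65ed9cb126310605",
    "uZorvmr.exe": "33df11718fbfd2426aaf29df47d5da39ff7f98a3a2217fe8941b83b283667649",
    "hbYPQYD.exe": "8247bf6da45d003609fbce2863e337542c8cfb8651462dd8df92202041535f4a",
    "OpwMGAK.exe": "016ada725e219b446f1c488b1f149c5210491e2c97b14af4d5f0bc8c1a8a0730",
    "bmnklaT.exe": "b55cced7eb2619d2dd4abdbd2c0d0b2e05711b603059353e4c8a3d3d6c4f5148",
}

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, as named in the Files lists
MEMORY_DUMPS = [
    "memory/1064-0-0x00007FF6BA5C0000-0x00007FF6BA914000-memory.dmp",  # parent image
    "memory/1064-1-0x00000200D61B0000-0x00000200D61C0000-memory.dmp",  # parent, small heap-sized region
    "memory/1340-7-0x00007FF7809C0000-0x00007FF780D14000-memory.dmp",
    "memory/2916-16-0x00007FF78AF00000-0x00007FF78B254000-memory.dmp",
    "memory/612-30-0x00007FF769700000-0x00007FF769A54000-memory.dmp",
    "memory/4504-130-0x00007FF785ED0000-0x00007FF786224000-memory.dmp",
    "memory/2752-54-0x00000000021E0000-0x0000000002534000-memory.dmp",  # behavioral1 (Windows 7)
    "memory/2476-56-0x000000013F820000-0x000000013FB74000-memory.dmp",  # behavioral1 (Windows 7)
]

DUMP_NAME = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Decode one dump file name into pid, sequence number and address range."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a dump name: {name!r}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def regions_by_pid(names=MEMORY_DUMPS):
    """{pid: [(start, size), ...]} in the order the dumps were listed."""
    regions = defaultdict(list)
    for name in names:
        d = parse_dump(name)
        regions[d["pid"]].append((d["start"], d["size"]))
    return dict(regions)


def common_image_size(names=MEMORY_DUMPS):
    """Size of the largest dumped region per PID if every PID shares it, else None."""
    sizes = {max(size for _, size in regs) for regs in regions_by_pid(names).values()}
    return sizes.pop() if len(sizes) == 1 else None


def hash_collisions(hashes=DROPPED_SHA256):
    """Map each SHA256 that appears more than once to the file names sharing it."""
    by_hash = defaultdict(list)
    for name, digest in hashes.items():
        by_hash[digest.lower()].append(name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def distinct_payload_count(hashes=DROPPED_SHA256):
    return len({digest.lower() for digest in hashes.values()})


if __name__ == "__main__":
    print(f"common image size: {common_image_size():#x}")
    print(f"distinct dropped files: {distinct_payload_count()}, collisions: {hash_collisions()}")
```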