Malware Analysis Report

2025-01-22 19:44

Sample ID 240601-q97mtseb4x
Target b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe
SHA256 b9163a6081b4fe5ff7b0ea12b2fa12849ed0834e891f50276e78900e23caafc0
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b9163a6081b4fe5ff7b0ea12b2fa12849ed0834e891f50276e78900e23caafc0

Threat Level: Known bad

The file b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike

xmrig

Cobaltstrike family

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 13:58

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 13:58

Reported

2024-06-01 14:01

Platform

win7-20240508-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lErXsTb.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\bEOJOjv.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\vGzWCLa.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\spVphMq.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\AyUXNGG.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\XmSnFXW.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\nhSdKsa.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\spdhnBC.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\bhXhZaC.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\fQKyHwH.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\AeOfgOz.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\eiLPTmA.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\xZCoEhc.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\AVIjevm.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\CXeLslW.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\uHWTOcw.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\BdTkTZJ.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\SKJjNsm.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\EfGwMyN.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\CGaMeuf.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\sHEaJTm.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\CXeLslW.exe
PID 2244 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\fQKyHwH.exe
PID 2244 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\bEOJOjv.exe
PID 2244 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\AeOfgOz.exe
PID 2244 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\vGzWCLa.exe
PID 2244 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\spVphMq.exe
PID 2244 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\eiLPTmA.exe
PID 2244 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\xZCoEhc.exe
PID 2244 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\CGaMeuf.exe
PID 2244 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\AyUXNGG.exe
PID 2244 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\AVIjevm.exe
PID 2244 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\uHWTOcw.exe
PID 2244 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\XmSnFXW.exe
PID 2244 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\lErXsTb.exe
PID 2244 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\nhSdKsa.exe
PID 2244 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\spdhnBC.exe
PID 2244 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\BdTkTZJ.exe
PID 2244 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\SKJjNsm.exe
PID 2244 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\bhXhZaC.exe
PID 2244 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\EfGwMyN.exe
PID 2244 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\sHEaJTm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe"

C:\Windows\System\CXeLslW.exe

C:\Windows\System\CXeLslW.exe

C:\Windows\System\fQKyHwH.exe

C:\Windows\System\fQKyHwH.exe

C:\Windows\System\bEOJOjv.exe

C:\Windows\System\bEOJOjv.exe

C:\Windows\System\AeOfgOz.exe

C:\Windows\System\AeOfgOz.exe

C:\Windows\System\vGzWCLa.exe

C:\Windows\System\vGzWCLa.exe

C:\Windows\System\spVphMq.exe

C:\Windows\System\spVphMq.exe

C:\Windows\System\eiLPTmA.exe

C:\Windows\System\eiLPTmA.exe

C:\Windows\System\xZCoEhc.exe

C:\Windows\System\xZCoEhc.exe

C:\Windows\System\CGaMeuf.exe

C:\Windows\System\CGaMeuf.exe

C:\Windows\System\AyUXNGG.exe

C:\Windows\System\AyUXNGG.exe

C:\Windows\System\AVIjevm.exe

C:\Windows\System\AVIjevm.exe

C:\Windows\System\uHWTOcw.exe

C:\Windows\System\uHWTOcw.exe

C:\Windows\System\XmSnFXW.exe

C:\Windows\System\XmSnFXW.exe

C:\Windows\System\lErXsTb.exe

C:\Windows\System\lErXsTb.exe

C:\Windows\System\nhSdKsa.exe

C:\Windows\System\nhSdKsa.exe

C:\Windows\System\spdhnBC.exe

C:\Windows\System\spdhnBC.exe

C:\Windows\System\BdTkTZJ.exe

C:\Windows\System\BdTkTZJ.exe

C:\Windows\System\SKJjNsm.exe

C:\Windows\System\SKJjNsm.exe

C:\Windows\System\bhXhZaC.exe

C:\Windows\System\bhXhZaC.exe

C:\Windows\System\EfGwMyN.exe

C:\Windows\System\EfGwMyN.exe

C:\Windows\System\sHEaJTm.exe

C:\Windows\System\sHEaJTm.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2244-0-0x0000000000170000-0x0000000000180000-memory.dmp

memory/2244-1-0x000000013F660000-0x000000013F9B4000-memory.dmp

\Windows\system\CXeLslW.exe

MD5 f719572011f96f9c598ab63e33c3410b
SHA1 2af0dbfc35eef5e8a312830bd977775eee1f68ea
SHA256 cbf9587d4609345164b3cb0b8095591fe6899ea01e2afc7c5cb5605c3504d4a9
SHA512 3eadf3c416945482f07cfbdfbe5f12c0133d56802c6cd3c66f768e8fe14c74f3f7529c088b03184cf1a9041d0a9dd825062026bec60cd12dc1eca84ce8b08a4f

memory/2244-8-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2296-9-0x000000013FD50000-0x00000001400A4000-memory.dmp

\Windows\system\fQKyHwH.exe

MD5 cb49710d16197e3d7b829f20c48e2f8e
SHA1 7cf4774f091478ef208f80d7373b7c0b0078e3f7
SHA256 3814b46a13b6a1eadbe414c1f3a1a9c7dea2d34083d5abdc6b04e4bb26881690
SHA512 fce86ab65eabaaf52fdbb6da6de87a85ea547534c98dc17e4b7399527c4d88aa533083920d0743966987d2af68307f89adb49cf285840d98cc35c6ce635dc145

memory/2932-14-0x000000013FA80000-0x000000013FDD4000-memory.dmp

C:\Windows\system\bEOJOjv.exe

MD5 550c822aad7492868a2ac2836791a0d6
SHA1 503211b6959c332cf606a848c1ca5eaca341381d
SHA256 4b4ecccfc4e5477e57666cab08f8018a8e384343701972ff0a7d1485e9708be2
SHA512 b4ae8b6bd4c42095c1316df8549ef05068c062ca6be0d47a78a48ae33cf69802c62349fa5003773dc4362052e3464dc6c2a6a05144169eda1da460197a7003f2

memory/2212-22-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2244-20-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/2200-29-0x000000013FCC0000-0x0000000140014000-memory.dmp

\Windows\system\spVphMq.exe

MD5 a1db6fa5eec0148b49eff06a9cffe2f5
SHA1 31cc5424bc4e7f0a3c006424cacae9f73748f0b0
SHA256 a4815f5d241fa7c79b68852e76d4271e24f8064ec5708c3dc3d5c7eab05242b0
SHA512 3cf8aadb40cd6fe7f21e03bdc0a2e8678834a97fb4f9c3019c34244b66e1760d46485a9c4c91c4d265feaaaca475c4bda9f9583c7c42d1730db145fd2cf62987

memory/2224-43-0x000000013FD50000-0x00000001400A4000-memory.dmp

C:\Windows\system\vGzWCLa.exe

MD5 ccdf0639613dd6384424af746f8b44f7
SHA1 df7070366b5bf1e68f2640432cfb44e425a833c5
SHA256 05a9eb1ecdf6463c7f506eee12a7343b3355e7ca2684e7ca2fcebfe69f0e9d1a
SHA512 6097f16d51c9a0fc88466190ba69bb9dec01274b959a6ab8cecce6f747c458c36dadf9670f29252565dfd6da3bc5741453e634b9a42bf22b1c063c694244c690

memory/2244-55-0x000000013F660000-0x000000013F9B4000-memory.dmp

memory/1280-56-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/2244-70-0x000000013FDB0000-0x0000000140104000-memory.dmp

C:\Windows\system\lErXsTb.exe

MD5 980c095adc4f78ce87aa2e00df5c3baf
SHA1 6e1c93b07e8532eb359ce7cf54b1a02bf0ca91a7
SHA256 4de7195fd26e1f3d061674717d5bb939103b5d9aa2f744cd81f75c6ad1f56c1e
SHA512 a0640bead7964da7e7f41cd2212b9809780fcf6cb4f70135249ce7d870c581a36edbc2cb0f5b98439f2090ec481382e7a49acd10fe8348b518a7b0cab4908ee4

C:\Windows\system\bhXhZaC.exe

MD5 2386254c438d02dff6496e29e5c57f45
SHA1 27288d1edb5fbce47dc90d4cd9236797b0bea27c
SHA256 cb42f49e25c7cff0d01d4ce3de552ec6b787ec6b4b44e3b9e30d9b6bf7a9d0d0
SHA512 8a40d7c86a310cd91bef3da2ec00d75f4f9a2dd7c0ccadd75c6547add5abadf5e2dd425ea4340fef94dbc19529fc6fad69b13803c424b3082f36e5b5f77d1044

\Windows\system\sHEaJTm.exe

MD5 00f77b8828f6f763955b73086b0adf83
SHA1 6978052f226275cd22dbbf2c7bf28a11f649cb3a
SHA256 2b745acc4cbb7eee88706e37a56c6ec071e0de5d453133fc0862c572e1e3a9f5
SHA512 1d96f4c77273ca997cba9e61e5fedbffbe7f2c933d398dd42c7073989769e27a2adca3337df0e8acaf177d8797eb2b2790adfad5758d974e7165a172d64d91b2

C:\Windows\system\EfGwMyN.exe

MD5 6707b096a6996c5fa0d8d3e078a067c7
SHA1 f7445df74cfe6b71b2d07f3d899e281e263325c9
SHA256 47c29511b915ee5f76cddead6a8318618e75d9479331a61ae4b5d22eeefd0c9e
SHA512 d573bd48d0093276faed0fc38f9ae729d103fbdecd536051a61be39e602377d02b4937c5a6ba0f00997c06cba51ca2bfa10f25b1b828ade928666321c08f09f3

C:\Windows\system\SKJjNsm.exe

MD5 e701668f2fa9a493878cae6455b2725d
SHA1 7cb284edac27d8b28c06b1719abf44ca14e2297d
SHA256 e4d4a251d5db4f98abe5bf27014154e405c60f616cfdcfabe22e2114b49abfb4
SHA512 79edcd00140448fae3a35ce30596d1f90dd3bd428ed6d7066c5fc6c7ba1ec5a4ca456986ef9a6194a810286998c1a278c49d8b432a647b2dc1de9ef60ab4b432

C:\Windows\system\BdTkTZJ.exe

MD5 57943791f27b3fe7f9747aefff235904
SHA1 6854f20e23bfdddd91b8f1e952063f5b0085a741
SHA256 f1858dbaed10db4a966fb6e1b38aad72b3956d7ca609e553b5786ab16329fd01
SHA512 39f2ce317922429fe21ac24f66558adf7279d7a440f0c47382255ca6b76ab78d9d54e846a0cff6ae203b49d61a1fd51149d63522d407722fe9372a45e9990ebb

C:\Windows\system\spdhnBC.exe

MD5 1fc57c70cecca5662c4eb39a33260bec
SHA1 f138602488e1dd52be6b5b901b88d15f151d6d04
SHA256 b8d921661df154e3c05691bcdf369631aeed53fcf46a83cfb2c8be7509045743
SHA512 a64005a7028508832cda440ccbd09f2a791b04dd2ea1e06b2b4eb9a6c7d21b27d4375fd9f1682f881b0b061771ae816ddf912f1be72fa48ecd3348ddab6cb980

memory/2244-107-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/2708-139-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2224-106-0x000000013FD50000-0x00000001400A4000-memory.dmp

C:\Windows\system\nhSdKsa.exe

MD5 9f60d13b2fd466c7ab5c754c30be95fd
SHA1 281b67e347fe3350cb53d648c11ee2517e179c0e
SHA256 330d7c5f0dd48f2a900ccbc66966cee3f8b0d15c10d45ac7c085615400f03c48
SHA512 149d747950ddd1f328de7047815fc085cc6d48cbc8a377425603b4e145516827ca23ac2c694fe96b1b48ebf08536331e82972bcf0618cbb8bafcd4c33c82464b

memory/1316-101-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2244-100-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2956-94-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2244-93-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/3060-92-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2244-91-0x000000013F280000-0x000000013F5D4000-memory.dmp

C:\Windows\system\XmSnFXW.exe

MD5 46fb8b2d7a0bfc8e96ddf972953eff84
SHA1 a536597ce1d655fc309b355dc7f54959780fdd07
SHA256 2032a662276c066904b349fdb64425441c4c27e97e26e61d9cadb0af2dbebc4b
SHA512 6e7af812817e10df87daa1647d96209b147d70b77c8118545ed542d7ec5db208b57a3c777e504aca60fcb060072ec01f13222355f3fe20e101fd74ba7175e4fa

memory/2548-84-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2244-83-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/1736-78-0x000000013F440000-0x000000013F794000-memory.dmp

memory/2244-77-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/2212-76-0x000000013F880000-0x000000013FBD4000-memory.dmp

C:\Windows\system\uHWTOcw.exe

MD5 0d4e6bde391c910b0ab6fbb993576712
SHA1 b6bf57d610a935bd2699e4366444e304ef433adc
SHA256 979549aa0f0eb6f20b42e19b23366208ec1b16eff2e260ad7d89cb84b4e4ce81
SHA512 4b86adc21944d1cb3431ce7bdb89b21d290110d363f2b530011ddd291f098480c0e30a907e5ff5fcc6cf43d3d58de2a6576f859f6ec5d76fbaca318f61da43cb

C:\Windows\system\AVIjevm.exe

MD5 fc2b1f32ff395ab6e782d2d81ce8100c
SHA1 c0863aa37ce82c391d2627a3fd69f36ec008abc3
SHA256 a6f6b651dec97f93fd0256282d62cdbaf6b68c523807295a07e19f6e709ad64b
SHA512 abb78a1ff1857ba307e9745b28ef1690132fe68f338b844b417fcadb3bb2fad018712234a0c3861d18dc833c9dfd1f93523cb5a39928f21dc6a91ab290b7272d

memory/2772-62-0x000000013FDF0000-0x0000000140144000-memory.dmp

C:\Windows\system\CGaMeuf.exe

MD5 ae92c5e0cb14473b5f722196dac973e6
SHA1 551e9b8cf1fb878d868c8e2fdf0ea78593755857
SHA256 a6b8870e8ced6873a27c58e02392355664c75d5a16e174b2cfdbe7c75bf8bf7f
SHA512 92761f55dbf8f29034788b30f2825efbe5da2c5e1177c4a74a3de514206df831ac413a055ef57174612c45b1ec2f15ae4dec1df5eb99b02d75fca39f3b71160a

memory/2980-71-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2932-69-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2708-49-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2244-48-0x000000013FEA0000-0x00000001401F4000-memory.dmp

C:\Windows\system\eiLPTmA.exe

MD5 4044878c35664fc583419f80b9874a9e
SHA1 cc00eb710aa795922011e1cdee68415522be5676
SHA256 fd7cc0c4f8042ebf0138c8cdbe9baf4a2e8007bd1c241c97ad306fdd8e047c53
SHA512 b2e56043a90481a477c9b73a18e374f7a9d94560c65eba532ced120f95260ddad0b86a808cede59cf7fb195c0c21c5197521be824d732da2c9cd8a0c5d5bbbb4

C:\Windows\system\AyUXNGG.exe

MD5 7f6e66ce4e251940a8ac93ba3be5a379
SHA1 d4168688fe196d13becd09d80e5e760b020b0cec
SHA256 3efa397d0218cd8138b9a327c4f3daf1ae10d5c4b7ed0c01fd04cc0a9e8c09c7
SHA512 319f00e9616a7127300129d6ddc1948e8fca726a42b5d3f5a09e004b65494c7b116fd5ee25df048239d932507e137f7a494234f11a2c399e76e0939aee591e36

C:\Windows\system\xZCoEhc.exe

MD5 d56005d27ddda7af30f944ede235589a
SHA1 f09f1d4c16dd19fd3a0f05e866dd3e66f5f9a103
SHA256 892dd01fb87fbbd44d05caa58d4c9efb62e33c1f56c2e00bfab55934a493416b
SHA512 b0cc3fa301c681649613b7fba35ecb9c344b65c29fb51b6d42980ebf8a026b9cc0dda29c8db093988b49c6804f98b714db4ed9bb4aeb56c1620a7f0885bf6417

memory/2244-33-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2244-39-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/3060-38-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2244-28-0x000000013FCC0000-0x0000000140014000-memory.dmp

C:\Windows\system\AeOfgOz.exe

MD5 dd622464ee2b48f3e936098190d1e70e
SHA1 5b1db8ab9614ecc89ad4bcc32b1a50ae4627c211
SHA256 73315827cd2e16c078ab57e6e9207f01e88eb84647ba560262f70e2b2696e7a4
SHA512 8c0477ee68d8c6b6661c75e73358a7bfed8f1dcf27307e1266c8ac21c25d367c25f0ffa462704cf77f66e713385a2f16f2ffd0a3dde8ef1fad499e8ec0238960

memory/2772-140-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2244-141-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2244-142-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/1736-143-0x000000013F440000-0x000000013F794000-memory.dmp

memory/2548-144-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2956-145-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2244-146-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/1316-147-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2244-148-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/2296-149-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2932-150-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2212-151-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2200-152-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/3060-153-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2224-154-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/1280-155-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/2708-156-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2772-157-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2980-158-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/1736-159-0x000000013F440000-0x000000013F794000-memory.dmp

memory/2548-160-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2956-161-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/1316-162-0x000000013FEB0000-0x0000000140204000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 13:58

Reported

2024-06-01 14:01

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe"

Signatures

Cobalt Strike reflective loader

Both this signature and the XMRig one below fired with every detail column at N/A: they are pattern matches (on the file in static1, on the running processes here) with no extracted beacon profile or pool configuration. Treat the cobaltstrike tag as a pattern match until a configuration is recovered; the behaviour actually recorded further down (dropped copies in C:\Windows\System, SeLockMemoryPrivilege, repeated connections to a single port-8080 endpoint) is what to pivot on.

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows collapsed; the sandbox reports the match count but no per-match detail)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows collapsed; the sandbox reports the match count but no per-match detail)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows collapsed; the sandbox reports the match count but no per-match detail)

Drops file in Windows directory

All 21 files are created directly under C:\Windows\System (not System32) with seven-letter mixed-case names that look randomly generated, and each one is then started (see the process list below). Creating files there needs administrative rights, which the sandbox grants (the sample runs as the user Admin); on a standard-user host this stage would fail. Because the names vary, detection should key on the directory and the name shape rather than on the file names or their hashes.

Description Indicator Process Target
File created C:\Windows\System\gZqGOqa.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\UXAyGPF.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\HhIFXJb.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\zftBplz.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\MUvJoGA.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\raUFpTp.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\cKYVMcO.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\bQvCZvC.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\qtDiBnT.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\aoTjYAt.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\BDSkvDw.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\ADJNeEd.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\mZJiOTE.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\qLPWOoo.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\RcILLIi.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\SzpruHL.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\rriHOAS.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\IgvLvzU.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\PMAyzYX.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\qVQTEfK.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
File created C:\Windows\System\ilATiCQ.exe C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig enables so it can back its RandomX dataset with large pages; outside database servers and similar services it is rarely requested, so an unsigned executable running from %TEMP% adjusting its own token for it is a high-signal indicator on its own. The report records the adjustment twice for the parent process.

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Every write target is one of the 21 executables dropped above and the only writer is the parent PID 2208, so this table shows the parent launching its dropped copies, not injection into unrelated processes. Each child appears twice because the parent performed two writes into it; the report does not say what was written, so whether this is ordinary process start-up or the parent patching the fresh child image cannot be settled from this page alone.

Description Indicator Process Target
PID 2208 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\MUvJoGA.exe
PID 2208 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\MUvJoGA.exe
PID 2208 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\gZqGOqa.exe
PID 2208 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\gZqGOqa.exe
PID 2208 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\UXAyGPF.exe
PID 2208 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\UXAyGPF.exe
PID 2208 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\ilATiCQ.exe
PID 2208 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\ilATiCQ.exe
PID 2208 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\rriHOAS.exe
PID 2208 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\rriHOAS.exe
PID 2208 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\HhIFXJb.exe
PID 2208 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\HhIFXJb.exe
PID 2208 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\IgvLvzU.exe
PID 2208 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\IgvLvzU.exe
PID 2208 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\BDSkvDw.exe
PID 2208 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\BDSkvDw.exe
PID 2208 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\ADJNeEd.exe
PID 2208 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\ADJNeEd.exe
PID 2208 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\raUFpTp.exe
PID 2208 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\raUFpTp.exe
PID 2208 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\PMAyzYX.exe
PID 2208 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\PMAyzYX.exe
PID 2208 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\mZJiOTE.exe
PID 2208 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\mZJiOTE.exe
PID 2208 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\qLPWOoo.exe
PID 2208 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\qLPWOoo.exe
PID 2208 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\RcILLIi.exe
PID 2208 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\RcILLIi.exe
PID 2208 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\cKYVMcO.exe
PID 2208 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\cKYVMcO.exe
PID 2208 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\bQvCZvC.exe
PID 2208 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\bQvCZvC.exe
PID 2208 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\zftBplz.exe
PID 2208 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\zftBplz.exe
PID 2208 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\SzpruHL.exe
PID 2208 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\SzpruHL.exe
PID 2208 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\qVQTEfK.exe
PID 2208 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\qVQTEfK.exe
PID 2208 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\qtDiBnT.exe
PID 2208 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\qtDiBnT.exe
PID 2208 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\aoTjYAt.exe
PID 2208 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe C:\Windows\System\aoTjYAt.exe
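The two tables above (files dropped, then writes into child processes) together describe the lineage of this run. As an added example, not part of the sandbox report, the following Python reconstructs that lineage from rows in the exact form the report prints them, collapses the duplicated write entries, and cross-checks the dropped set against the executed set. The row data is transcribed from the tables above; the regular expressions assume the sandbox's space-separated layout with paths that contain no spaces.

```python
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe")

# Transcribed from the two tables above: the names the sample created under
# C:\Windows\System, and (child pid, child image) for every write PID 2208 made.
DROPPED = ["gZqGOqa", "UXAyGPF", "HhIFXJb", "zftBplz", "MUvJoGA", "raUFpTp",
           "cKYVMcO", "bQvCZvC", "qtDiBnT", "aoTjYAt", "BDSkvDw", "ADJNeEd",
           "mZJiOTE", "qLPWOoo", "RcILLIi", "SzpruHL", "rriHOAS", "IgvLvzU",
           "PMAyzYX", "qVQTEfK", "ilATiCQ"]
WRITES = [(4196, "MUvJoGA"), (2956, "gZqGOqa"), (8, "UXAyGPF"), (1080, "ilATiCQ"),
          (2416, "rriHOAS"), (1472, "HhIFXJb"), (3052, "IgvLvzU"), (3188, "BDSkvDw"),
          (2812, "ADJNeEd"), (3184, "raUFpTp"), (4524, "PMAyzYX"), (1464, "mZJiOTE"),
          (4456, "qLPWOoo"), (3364, "RcILLIi"), (384, "cKYVMcO"), (2040, "bQvCZvC"),
          (4564, "zftBplz"), (2596, "SzpruHL"), (4308, "qVQTEfK"), (3868, "qtDiBnT"),
          (4568, "aoTjYAt")]

# Expanded into the exact row text the sandbox prints. The report lists every
# write twice, so the write rows are duplicated here as well.
DROP_ROWS = [f"File created C:\\Windows\\System\\{n}.exe {SAMPLE} N/A" for n in DROPPED]
WRITE_ROWS = [f"PID 2208 wrote to memory of {pid} N/A {SAMPLE} C:\\Windows\\System\\{n}.exe"
              for pid, n in WRITES for _ in range(2)]

# Assumption: rows are space separated and paths contain no spaces (true for
# this report; a path under "Program Files" would need a smarter tokenizer).
DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) ")
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<proc>\S+) (?P<target>\S+)$")

def parse_drops(rows):
    """Map created path -> creating process image."""
    drops = {}
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            drops[m["path"]] = m["proc"]
    return drops

def parse_writes(rows):
    """Map (writer pid, target pid) -> (writer image, target image), duplicates collapsed."""
    edges = {}
    for row in rows:
        m = WRITE_RE.match(row)
        if m:
            edges[(int(m["src"]), int(m["dst"]))] = (m["proc"], m["target"])
    return edges

def lineage(drop_rows, write_rows):
    """Cross-check 'dropped' against 'written into' and return the process tree."""
    drops = parse_drops(drop_rows)
    edges = parse_writes(write_rows)
    children = defaultdict(list)
    for (src, dst), (_, target) in edges.items():
        children[src].append((dst, target))
    launched = {target for _, target in edges.values()}
    return {
        "parents": sorted(children),
        "dropped": len(drops),
        "launched": len(launched),
        "dropped_not_launched": sorted(set(drops) - launched),
        "launched_not_dropped": sorted(launched - set(drops)),
        "children_of_2208": sorted(children[2208]),
    }

if __name__ == "__main__":
    result = lineage(DROP_ROWS, WRITE_ROWS)
    print(f"writers: {result['parents']}, dropped {result['dropped']}, "
          f"launched {result['launched']}, unmatched: "
          f"{result['dropped_not_launched'] + result['launched_not_dropped']}")
```

For this run the two sets match exactly: one writer, 21 drops, 21 launched children, nothing dropped but not run and nothing run that was not dropped. On a report where the sets differ, the two "not" lists are the first place to look, since a dropped file that never runs is usually staged for persistence and a written-into process that was not dropped is usually injection.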

Processes

C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe"

C:\Windows\System\MUvJoGA.exe

C:\Windows\System\MUvJoGA.exe

C:\Windows\System\gZqGOqa.exe

C:\Windows\System\gZqGOqa.exe

C:\Windows\System\UXAyGPF.exe

C:\Windows\System\UXAyGPF.exe

C:\Windows\System\ilATiCQ.exe

C:\Windows\System\ilATiCQ.exe

C:\Windows\System\rriHOAS.exe

C:\Windows\System\rriHOAS.exe

C:\Windows\System\HhIFXJb.exe

C:\Windows\System\HhIFXJb.exe

C:\Windows\System\IgvLvzU.exe

C:\Windows\System\IgvLvzU.exe

C:\Windows\System\BDSkvDw.exe

C:\Windows\System\BDSkvDw.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3768,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8

C:\Windows\System\ADJNeEd.exe

C:\Windows\System\ADJNeEd.exe

C:\Windows\System\raUFpTp.exe

C:\Windows\System\raUFpTp.exe

C:\Windows\System\PMAyzYX.exe

C:\Windows\System\PMAyzYX.exe

C:\Windows\System\mZJiOTE.exe

C:\Windows\System\mZJiOTE.exe

C:\Windows\System\qLPWOoo.exe

C:\Windows\System\qLPWOoo.exe

C:\Windows\System\RcILLIi.exe

C:\Windows\System\RcILLIi.exe

C:\Windows\System\cKYVMcO.exe

C:\Windows\System\cKYVMcO.exe

C:\Windows\System\bQvCZvC.exe

C:\Windows\System\bQvCZvC.exe

C:\Windows\System\zftBplz.exe

C:\Windows\System\zftBplz.exe

C:\Windows\System\SzpruHL.exe

C:\Windows\System\SzpruHL.exe

C:\Windows\System\qVQTEfK.exe

C:\Windows\System\qVQTEfK.exe

C:\Windows\System\qtDiBnT.exe

C:\Windows\System\qtDiBnT.exe

C:\Windows\System\aoTjYAt.exe

C:\Windows\System\aoTjYAt.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Note: 3.120.209.58:8080 is the only destination in this run that is neither the sandbox resolver (8.8.8.8, queried only for reverse PTR lookups and two Bing names) nor a Microsoft/Bing host that the Windows image and the Edge process in the process list contact on their own. It is reached six times over TCP with no domain recorded, which is consistent with a hard-coded address. The report does not tie the connection to a process or identify the protocol, so treat it as a candidate indicator to block and hunt on, not as confirmed C2 or mining-pool traffic.
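Separating sample-driven connections from sandbox and OS background traffic is the first step in reading a table like the one above. As an added example, not part of the sandbox report, the following Python parses the rows as printed (including rows whose Domain cell is empty or N/A), buckets them, and returns the direct-to-IP endpoints as candidate indicators. It assumes 8.8.8.8 is the sandbox resolver and that *.bing.com and *.bing.net are Windows background traffic; both are assumptions to adjust per environment, and the row text is transcribed from the table above.

```python
from collections import Counter

# Transcribed from the Network table above, one string per row as the report
# prints it; the direct-to-IP rows have an empty Domain cell and only 3 fields.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
""".splitlines()

# Assumptions about the environment, not facts from the report.
SANDBOX_RESOLVER = "8.8.8.8"
OS_NOISE_SUFFIXES = (".bing.com", ".bing.net")

def parse_row(row):
    """Split one table row; tolerate a missing or 'N/A' Domain cell."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
        if domain == "N/A":
            domain = None
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {row!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}

def classify(conn):
    if conn["ip"] == SANDBOX_RESOLVER and conn["port"] == 53:
        if conn["domain"] and conn["domain"].endswith(".in-addr.arpa"):
            return "dns-ptr"      # reverse lookups: resolver/OS housekeeping
        return "dns"
    if conn["domain"] and conn["domain"].endswith(OS_NOISE_SUFFIXES):
        return "os-noise"
    if conn["domain"] is None:
        return "direct-ip"        # no name resolution recorded for this endpoint
    return "other"

def triage(rows):
    """Return (bucket counts, Counter of direct-to-IP endpoints as ip:port/proto)."""
    conns = [parse_row(r) for r in rows]
    buckets = Counter(classify(c) for c in conns)
    candidates = Counter(f"{c['ip']}:{c['port']}/{c['proto']}"
                         for c in conns if classify(c) == "direct-ip")
    return buckets, candidates

if __name__ == "__main__":
    buckets, candidates = triage(NETWORK_ROWS)
    print(dict(buckets))
    for endpoint, n in candidates.most_common():
        print(f"candidate indicator: {endpoint} ({n} connections)")
```

Of the 24 rows, 10 are reverse lookups, 2 are forward lookups of Bing names, 6 are HTTPS to Bing, and 6 are the direct-to-IP connections to 3.120.209.58:8080, which the code surfaces as the single candidate indicator. The "other" bucket stays empty here; on a report where it does not, those rows (named hosts that are neither resolver nor known OS noise) deserve the same scrutiny as the direct-to-IP ones.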

Files

memory/2208-0-0x00007FF720220000-0x00007FF720574000-memory.dmp

memory/2208-1-0x0000021484F20000-0x0000021484F30000-memory.dmp

memory/4196-10-0x00007FF6461D0000-0x00007FF646524000-memory.dmp

memory/2956-12-0x00007FF7FF3E0000-0x00007FF7FF734000-memory.dmp

C:\Windows\System\gZqGOqa.exe

MD5 068ba5bc4589847d930f6b206f9b5ff0
SHA1 44cd2e826248ca947155b071cba8a85b833dfd90
SHA256 40552a571df73e4c395c7ec657e3104a27d1605faf9fba81f8909cd33648c383
SHA512 6ea1b8872e0f06ca3bed5e5f5e69721b6172fac1a869264ae210a90dd17df69c8fff9a01b133de4cb4b88843dab7e267c29201fa7fc653deaaa4be5218f16e7b

C:\Windows\System\MUvJoGA.exe

MD5 c2f739618d0a5e4a9db5f6ba7e912c03
SHA1 d754582276439aaba30425eab2df171bf9128730
SHA256 51cb3e55c0406efeb88ac8cddffec2f2170bd2e74f98c53fba625850dbb3cb2a
SHA512 e7cefe3ed05c507938b0c4194cc8990c2380342971a74e990d313be49bbdc178c8750f04e8c0b222532ac95ffd936f8e9e987fdad63b96c31e2b96e28cb5e11f

C:\Windows\System\UXAyGPF.exe

MD5 034198fa4b0864c9a9f6248649fbe92f
SHA1 c9ec49625706bdcd9682a4efa9566527b6d1c005
SHA256 74332b70d4b3f02520b028e5b4efdb8a1ace0433533fe3f11807cf6b3cd935e8
SHA512 6f041e8009928bca01a77ebe2f70026ac1cd0b4f077bb7fab8b23cda0e9a548b3f4c265be2b0222ec8473844618f88edcd094441ce1a6f96a64b60d9be82249a

memory/8-18-0x00007FF7D03A0000-0x00007FF7D06F4000-memory.dmp

C:\Windows\System\ilATiCQ.exe

MD5 bd3d3ffa9edf3f19412d88c23279be86
SHA1 9bac8b6724611674eb9ef8296ff9fa93927f999b
SHA256 bf1c01e82a40aed71cbd13c875b3df5b401f28d718b3c0bd8b47c80a3294b5bd
SHA512 533fec9ece9e1aff3f9cb01259b2dd37225045ec08bac9a1210135efaec224b2f7094c9533929cbd5a88eb4ae14c2e40ff2278562b63c7d4bb915e318c420adb

memory/1080-26-0x00007FF684D50000-0x00007FF6850A4000-memory.dmp

C:\Windows\System\rriHOAS.exe

MD5 64f6104d485af470cfc954e474a1d729
SHA1 68656e27997ba029795e442697a25ff05bbb9273
SHA256 8282e71ce9b226673138dcad4db9fdb41764a69448b5123cddd160040170864e
SHA512 5d38361a3da3abfe48fd4a5614b32b5483a74daacb0f829b747cfb9c9eb27cdbdb555a36be0ce74b2950a15960c38d4386cef186168aad0a04fe8c60a6af72ee

C:\Windows\System\HhIFXJb.exe

MD5 412e4e9909a934788b5438b75de061c0
SHA1 4bd70858d3be2a75449d011a26fc307125d01468
SHA256 a4f2acb0ff16306c708757410b99bbb54173d18f17105309242dc36b4f7aef1b
SHA512 afcd53bdbfaf316348cb1983c7bec52db0394346e1d9f4148c3e389ce5216b22ca7cb136b056fb630d84cce56b48eff5272d0f590e5bf25a57df774ec0738c42

C:\Windows\System\IgvLvzU.exe

MD5 e2a8ced34913d2c87bcec44ddf0c459e
SHA1 a44248e0da847880f6799495333ce39a1c232a3e
SHA256 c68841701459cd62b9d5ba494827703682e9ec53943c0b95d360cb52120500a5
SHA512 881e63a676764f4b0e8c8b2b47a60a8c6e0f212dd6d1fefa54d330f295ceea898893233f7f222c5c956b08bdc4de851508b9020ea0b75cdfa4c30cb75f80aab3

memory/1472-39-0x00007FF7B5DF0000-0x00007FF7B6144000-memory.dmp

memory/3052-43-0x00007FF6E1180000-0x00007FF6E14D4000-memory.dmp

memory/2416-33-0x00007FF7A3C40000-0x00007FF7A3F94000-memory.dmp

C:\Windows\System\BDSkvDw.exe

MD5 37e998574d19125ed806f5b46e2d320b
SHA1 66eabe75d66a8ea684265baf05ff87a690655791
SHA256 3d4060ec242d626461c6e3e6ea85699e9c198609599dcaa7d6e133d76bb14334
SHA512 c6d94186afa949aa486ef9196cffcf34b2942962372eab3aa6f9a66fecfb3c040bd3eb15aa22fb777625832c392cafa6d74483bc52a1cf6a2e116d0b41fe3b58

C:\Windows\System\ADJNeEd.exe

MD5 d03d83592c7109575d15742009ded9a7
SHA1 ed83dd940c932d17e10ba4d5f3abb7ccdcfee7c0
SHA256 77474748be2b6388c4db4328b1683063385a0741fd0ca2db2e80461c226a7f11
SHA512 ee996f4ac8b641398cdc598e4b529b3c60ebd4613a4905bbccc5f0145680383d9d3881d2cc0c40eb83110d4edbaa7dec2862e1edf99d50bd606ca003d7da3f70

memory/3188-54-0x00007FF65DBD0000-0x00007FF65DF24000-memory.dmp

memory/2208-60-0x00007FF720220000-0x00007FF720574000-memory.dmp

memory/3184-62-0x00007FF692250000-0x00007FF6925A4000-memory.dmp

C:\Windows\System\raUFpTp.exe

MD5 ca07d1ebd8d51e36622fae711f4d0d77
SHA1 e50fb8ca860fde61d5f824f5c16e4fdb883fa566
SHA256 b2f2cf2a5f8a768547dffeb94d79a3be755563d1a96f6beca203156dba7bc23f
SHA512 44c2914c81226c600708982164e90de7ec2e70a32e719233dd88fd0cc9ef8324a2d9a5872e7000abce350a5d3a47811ef6c05475f34b1443d15a79fed78f3f2f

memory/4196-61-0x00007FF6461D0000-0x00007FF646524000-memory.dmp

memory/2812-59-0x00007FF6048A0000-0x00007FF604BF4000-memory.dmp

C:\Windows\System\PMAyzYX.exe

MD5 8094d3d4d89c9459708941a2e34984b9
SHA1 2deb756eae5fe4a37fa921f87914114c2e29e43c
SHA256 6e6354829101c07d6fb7ef80e3cbedd1aa5d696cead613660be4abe28e0fcb95
SHA512 472d1fe47e740a7070f3417f737d1d4fa2f6544c64cbab209f54c96317666a5acebcf5acca798ea9810af680d3ce366b1c8757ab3f987149532a952549350765

C:\Windows\System\mZJiOTE.exe

MD5 6a71f81ccfd6b518ed7b7940774e517d
SHA1 75198edead37daa1148154f268ae7891b1f60c44
SHA256 ed2969aa872d96af7afa2abc0c7ce8d2d60a5d0a8dcd984054db44ffaf8ad560
SHA512 59944564364e5dcd054b5a5e27a07cfca3dd3a956940d406866cc220a5f40a81130286790d74b3b5225192297407adc90e7efd2acb9847757255954f3a4d0473

memory/4524-70-0x00007FF6B3EB0000-0x00007FF6B4204000-memory.dmp

memory/1464-77-0x00007FF745BC0000-0x00007FF745F14000-memory.dmp

memory/2956-76-0x00007FF7FF3E0000-0x00007FF7FF734000-memory.dmp

C:\Windows\System\qLPWOoo.exe

MD5 3f99ecaf3c253bf9491cd2fe67fea3b1
SHA1 86d628d45acfb989f143110f8870791f12c50c1f
SHA256 be54b56797a257005033f95a331d7b57077eda58aa368bd059594180177e53de
SHA512 f05f2f75369f71a4ac07fea081ac0502c84202da72a1843daa8a46f7a7bb09dfcd67f06c1bde4950297d498f72044932fc2f5206a9717c6670e989909a6d9f25

memory/4456-84-0x00007FF6E00D0000-0x00007FF6E0424000-memory.dmp

memory/8-83-0x00007FF7D03A0000-0x00007FF7D06F4000-memory.dmp

C:\Windows\System\RcILLIi.exe

MD5 70d9d23dd0a62a4ad6055da791874708
SHA1 935fed5e2f525e67eba921e081218a6750fb8bd9
SHA256 533f5bea0c0cf466400c21bef698de4e7888541634fb5dcb6ac25b7ba12acf7c
SHA512 d5ba6bd73771aa01f1fcf00ef68b81cc837287ebc5aeafa9c5e91be82c62cfb72f6ad7c9cf2412f517022d2f547ec6d23d7a616e2528d8f3a05c1c0d4b043ea6

memory/3364-90-0x00007FF7D7700000-0x00007FF7D7A54000-memory.dmp

C:\Windows\System\cKYVMcO.exe

MD5 8477f58ea40f7e1380a32676644ead6a
SHA1 2fe2b6bf6c2fbaaed141eeebbf5bb2a1cb0af8e4
SHA256 20961091a3e29f0926ed23503342a274113f84cbb8cadddccb56070f8ff0503c
SHA512 c19e3057238707e1d49f14ebb95610947f4dd7cb2e6ca74593d8585a5392db90163f46a187183207a6f5d627bce59ae1e90c97bc9ea74537bfaf46017dd139da

C:\Windows\System\bQvCZvC.exe

MD5 2fb68853b283bfb3ffdc015b72a01581
SHA1 088039581f068fc9a23fe8895452a4f70dce2c09
SHA256 a42a12611f551e6e7a4d78b6e3eb06ff4e08a93e55a3ad84045b352c0b6125e1
SHA512 2d1ab9837adf4d7092aa7a330bc96b584c7fb86c76fd1cd0c27773370ca046ea9e913956b2ec3d441e0cadbd9c95e53f9a9544e0f82e8d339de3c1c0e1dc9d7b

C:\Windows\System\zftBplz.exe

MD5 6c823c36a4e95b3ccf5d328c68e4e872
SHA1 5f510e826e32890938c1846c328c4b53560d15dc
SHA256 93de4b6eadecae24ab4f4b28197a70bfc172a351d642e38f25ae0c2cd34c6a3e
SHA512 6fd8ae4e453a01d41064d73c11df787e01ee8f92000b78b0e22a37ee727290cd93d52f8ce4f627502dce1ff125279fa7c36c487fb46f4f2228deec94695688c3

C:\Windows\System\SzpruHL.exe

MD5 48156cff5d5371709211f8eb177a9c1a
SHA1 583f3ec8c442a6ec7c1a3ecb19d833ca78ae72a5
SHA256 b36b6bc619039dd1ef6f6b68b3b1c161958ee50e71b967fad58cfc78d76b8c98
SHA512 2e69b980bc548b0b06168f111d14dd769c0cbfedf7947918b64dc7217ebe247b3ca8a946fc9e031618d6fd1aed6c2db72c4fc1dd03528c64e0c75f26598ad1be

memory/384-97-0x00007FF62E400000-0x00007FF62E754000-memory.dmp

memory/2416-96-0x00007FF7A3C40000-0x00007FF7A3F94000-memory.dmp

C:\Windows\System\qVQTEfK.exe

MD5 7b5f502f086a6b839803bdc3915295c4
SHA1 ab433f6ff94cf3d7acc0dbeb5c932738b234a4e4
SHA256 4bc8adc6478034fd704b2c5f6a5885f6cb76764d3f71f76ce7d830284569c43b
SHA512 7f8df6377fc021996ef2cedd0fa382da97b18b17b1eb57522c363ea895ea0c7d6534f27b03a739c270d876cd344f507b1fb8fb5132e0b29d65ddd4a2425596f6

memory/4564-116-0x00007FF7665D0000-0x00007FF766924000-memory.dmp

memory/4308-122-0x00007FF765A90000-0x00007FF765DE4000-memory.dmp

memory/2596-120-0x00007FF763B60000-0x00007FF763EB4000-memory.dmp

memory/3188-119-0x00007FF65DBD0000-0x00007FF65DF24000-memory.dmp

memory/3052-118-0x00007FF6E1180000-0x00007FF6E14D4000-memory.dmp

memory/2040-114-0x00007FF716DE0000-0x00007FF717134000-memory.dmp

C:\Windows\System\qtDiBnT.exe

MD5 ed8e82dd373a150875c9a08f50a4d2d4
SHA1 a87df053a7c68821d3956c9e85ed90f5570251ad
SHA256 8c67c10c2b44782347bc7d4f7a9d05e9f0cf5bf485124009cd4b4f36d0b8c827
SHA512 7b3274d44680bb328e03fc5354dd808e6c6936d536b8471acd6cdd48fa8b53156a80d6451030d28fd4ff84d0e299351ffd568691cbf1e2c90b02601b9f563f35

C:\Windows\System\aoTjYAt.exe

MD5 2c3452f253e3bb3b21562b9161435e1f
SHA1 643267f30307ab1cee7e5c66c2e0ad64ce62aca4
SHA256 1df582abdf4be31b02cf651b5dff5c177ae82f0f15bdb069530c1277cbd1c5be
SHA512 a648131cf06cdd897c6a46774554527939785ec8973c78cd95a9a4e05e47689290db3be5e2e8f724ab26a685df726836f0b701c87f6cf598561a4bb3e478c327

memory/3868-133-0x00007FF7551A0000-0x00007FF7554F4000-memory.dmp

memory/4568-134-0x00007FF6F3920000-0x00007FF6F3C74000-memory.dmp

memory/3184-135-0x00007FF692250000-0x00007FF6925A4000-memory.dmp

memory/4308-136-0x00007FF765A90000-0x00007FF765DE4000-memory.dmp

memory/4196-137-0x00007FF6461D0000-0x00007FF646524000-memory.dmp

memory/2956-138-0x00007FF7FF3E0000-0x00007FF7FF734000-memory.dmp

memory/8-139-0x00007FF7D03A0000-0x00007FF7D06F4000-memory.dmp

memory/1080-140-0x00007FF684D50000-0x00007FF6850A4000-memory.dmp

memory/2416-141-0x00007FF7A3C40000-0x00007FF7A3F94000-memory.dmp

memory/1472-142-0x00007FF7B5DF0000-0x00007FF7B6144000-memory.dmp

memory/3052-143-0x00007FF6E1180000-0x00007FF6E14D4000-memory.dmp

memory/2812-144-0x00007FF6048A0000-0x00007FF604BF4000-memory.dmp

memory/3188-145-0x00007FF65DBD0000-0x00007FF65DF24000-memory.dmp

memory/3184-146-0x00007FF692250000-0x00007FF6925A4000-memory.dmp

memory/4524-147-0x00007FF6B3EB0000-0x00007FF6B4204000-memory.dmp

memory/1464-148-0x00007FF745BC0000-0x00007FF745F14000-memory.dmp

memory/4456-149-0x00007FF6E00D0000-0x00007FF6E0424000-memory.dmp

memory/3364-150-0x00007FF7D7700000-0x00007FF7D7A54000-memory.dmp

memory/384-151-0x00007FF62E400000-0x00007FF62E754000-memory.dmp

memory/2040-152-0x00007FF716DE0000-0x00007FF717134000-memory.dmp

memory/4564-154-0x00007FF7665D0000-0x00007FF766924000-memory.dmp

memory/2596-153-0x00007FF763B60000-0x00007FF763EB4000-memory.dmp

memory/4308-155-0x00007FF765A90000-0x00007FF765DE4000-memory.dmp

memory/3868-156-0x00007FF7551A0000-0x00007FF7554F4000-memory.dmp

memory/4568-157-0x00007FF6F3920000-0x00007FF6F3C74000-memory.dmp
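The Files section mixes two kinds of evidence: memory dumps named memory/&lt;pid&gt;-&lt;seq&gt;-&lt;start&gt;-&lt;end&gt;-memory.dmp, and per-file hashes for the dropped executables. Read together they show that every process maps a main image region of exactly the same size while all 21 dropped copies hash differently. As an added example, not part of the sandbox report, the following Python parses both and computes that summary; the dump names are a subset transcribed from above, the MD5 list is complete, and the choice of "largest region per process is the PE image" is an assumption stated in the code.

```python
import re
from collections import defaultdict

# Transcribed from the Files section above: a subset of the dump names
# (enough to cover repeated dumps of one region and the second, smaller
# region of PID 2208) and the MD5 of every dropped executable.
DUMPS = """\
memory/2208-0-0x00007FF720220000-0x00007FF720574000-memory.dmp
memory/2208-1-0x0000021484F20000-0x0000021484F30000-memory.dmp
memory/4196-10-0x00007FF6461D0000-0x00007FF646524000-memory.dmp
memory/2956-12-0x00007FF7FF3E0000-0x00007FF7FF734000-memory.dmp
memory/8-18-0x00007FF7D03A0000-0x00007FF7D06F4000-memory.dmp
memory/1080-26-0x00007FF684D50000-0x00007FF6850A4000-memory.dmp
memory/2416-33-0x00007FF7A3C40000-0x00007FF7A3F94000-memory.dmp
memory/1472-39-0x00007FF7B5DF0000-0x00007FF7B6144000-memory.dmp
memory/3052-43-0x00007FF6E1180000-0x00007FF6E14D4000-memory.dmp
memory/3188-54-0x00007FF65DBD0000-0x00007FF65DF24000-memory.dmp
memory/2208-60-0x00007FF720220000-0x00007FF720574000-memory.dmp
memory/4196-61-0x00007FF6461D0000-0x00007FF646524000-memory.dmp
""".splitlines()

MD5S = """\
gZqGOqa 068ba5bc4589847d930f6b206f9b5ff0
MUvJoGA c2f739618d0a5e4a9db5f6ba7e912c03
UXAyGPF 034198fa4b0864c9a9f6248649fbe92f
ilATiCQ bd3d3ffa9edf3f19412d88c23279be86
rriHOAS 64f6104d485af470cfc954e474a1d729
HhIFXJb 412e4e9909a934788b5438b75de061c0
IgvLvzU e2a8ced34913d2c87bcec44ddf0c459e
BDSkvDw 37e998574d19125ed806f5b46e2d320b
ADJNeEd d03d83592c7109575d15742009ded9a7
raUFpTp ca07d1ebd8d51e36622fae711f4d0d77
PMAyzYX 8094d3d4d89c9459708941a2e34984b9
mZJiOTE 6a71f81ccfd6b518ed7b7940774e517d
qLPWOoo 3f99ecaf3c253bf9491cd2fe67fea3b1
RcILLIi 70d9d23dd0a62a4ad6055da791874708
cKYVMcO 8477f58ea40f7e1380a32676644ead6a
bQvCZvC 2fb68853b283bfb3ffdc015b72a01581
zftBplz 6c823c36a4e95b3ccf5d328c68e4e872
SzpruHL 48156cff5d5371709211f8eb177a9c1a
qVQTEfK 7b5f502f086a6b839803bdc3915295c4
qtDiBnT ed8e82dd373a150875c9a08f50a4d2d4
aoTjYAt 2c3452f253e3bb3b21562b9161435e1f
"""

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

def parse_dumps(names):
    """Map pid -> set of (start, size); repeated dumps of one region collapse."""
    regions = defaultdict(set)
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"not a sandbox dump name: {name}")
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions[int(m["pid"])].add((start, end - start))
    return regions

def image_sizes(regions):
    """Largest dumped region per pid. Assumption: that is the mapped PE image;
    the 0x10000 region dumped for PID 2208 is a data region, not code."""
    return {pid: max(size for _, size in regs) for pid, regs in regions.items()}

def parse_md5s(text):
    return dict(line.split() for line in text.strip().splitlines())

def summarize(dump_names, md5_text):
    regions = parse_dumps(dump_names)
    hashes = parse_md5s(md5_text)
    return {
        "pids": len(regions),
        "image_sizes": sorted(set(image_sizes(regions).values())),
        "dropped_files": len(hashes),
        "distinct_md5": len(set(hashes.values())),
    }

if __name__ == "__main__":
    s = summarize(DUMPS, MD5S)
    print(f"{s['pids']} processes, image size(s) {[hex(x) for x in s['image_sizes']]}, "
          f"{s['distinct_md5']} distinct MD5s across {s['dropped_files']} dropped files")
```

Every process in the subset, including the parent, maps one region of 0x354000 bytes (3,489,792), and the full list above gives the same size for all 22 processes, while the 21 files on disk carry 21 different MD5, SHA1 and SHA256 values. The inference (not stated by the report) is that the dropper varies the bytes of each copy without changing its layout, so blocking the dropped-file hashes is pointless: the parent's hash, the C:\Windows\System drop path, the privilege request and an in-memory rule against the 0x354000-byte image are the durable indicators here.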