Malware Analysis Report

2024-10-16 03:08

Sample ID 240608-trd5cadb8y
Target 13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe
SHA256 f29e66ee2be3e0daabe3053d8d54ab2e82c502c9009d4f8beca0be55681efaab
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

f29e66ee2be3e0daabe3053d8d54ab2e82c502c9009d4f8beca0be55681efaab

Threat Level: Known bad

The file 13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe was found to be: Known bad.

Read together, the signatures below describe a UPX-packed, unsigned executable that drops 21 further executables with random seven-character names into C:\Windows\System, launches each of them, adjusts its own token to hold SeLockMemoryPrivilege (the "Lock pages in memory" right XMRig requests so it can back its RandomX working set with large pages), and in the Windows 7 run makes six TCP connections to 3.120.209.58:8080 with no domain recorded. The Cobalt Strike and XMRig hits are pattern matches with no extracted configuration in this report, so the concrete indicators to act on are the dropped-file hashes, the drop path and the 3.120.209.58:8080 destination.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike

Cobalt Strike reflective loader

Cobaltstrike family

xmrig

Xmrig family

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 16:17

Signatures

Cobalt Strike reflective loader (1 match; no description, indicator, process or target reported)

Cobaltstrike family (tag: cobaltstrike)

XMRig Miner payload (tag: miner; 1 match; no description, indicator, process or target reported)

Xmrig family (tag: xmrig)

UPX packed file (tag: upx; 1 match; no description, indicator, process or target reported)

Unsigned PE (1 match; no description, indicator, process or target reported)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 16:17

Reported

2024-06-08 16:19

Platform

win7-20240508-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe"

Signatures

Cobalt Strike reflective loader

21 matches. The report gives no description, indicator, process or target for any of them.

Cobaltstrike (tags: trojan backdoor cobaltstrike)

xmrig (tags: miner xmrig)

XMRig Miner payload (tag: miner)

64 matches. The report gives no description, indicator, process or target for any of them.

Loads dropped DLL

21 events, all attributed to the process C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe; no description, indicator or target is reported for any of them.

UPX packed file (tag: upx)

64 matches. The report gives no description, indicator, process or target for any of them.

Drops file in Windows directory

All 21 files were created by C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe (indicator and target N/A). Writing under C:\Windows needs administrative rights; the sandbox ran the sample as the Admin user, so on a standard-user desktop this step would fail or trigger a UAC prompt. Note that C:\Windows\System is the legacy directory, not System32.

File created C:\Windows\System\LBVdRdv.exe
File created C:\Windows\System\JvMfNOH.exe
File created C:\Windows\System\dPAuMmU.exe
File created C:\Windows\System\JKuvdJs.exe
File created C:\Windows\System\nXVGyzj.exe
File created C:\Windows\System\cyOLuai.exe
File created C:\Windows\System\YSWigTx.exe
File created C:\Windows\System\JgvpQEi.exe
File created C:\Windows\System\yOOMcAL.exe
File created C:\Windows\System\moMTPYd.exe
File created C:\Windows\System\GQzgjbK.exe
File created C:\Windows\System\oIzCHmN.exe
File created C:\Windows\System\HXOgalD.exe
File created C:\Windows\System\hqWUxrZ.exe
File created C:\Windows\System\OiDOppc.exe
File created C:\Windows\System\wNzvhMC.exe
File created C:\Windows\System\nqRYbVm.exe
File created C:\Windows\System\XsMGdOL.exe
File created C:\Windows\System\mKiEWlD.exe
File created C:\Windows\System\rfjxxRc.exe
File created C:\Windows\System\swYuLwA.exe

Suspicious use of AdjustPrivilegeToken

Token: SeLockMemoryPrivilege, adjusted in two events by C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe (indicator and target N/A). SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig requests so it can use large pages for its RandomX dataset; few legitimate applications ask for it, database servers such as SQL Server being the usual exception, which makes it a good standalone detection signal.
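A privilege adjustment like the one above is worth alerting on in production, since few legitimate images ask for "Lock pages in memory". The following added example (mine, not the sandbox vendor's and not from the report) checks Windows Security event 4703 ("A user right was adjusted") records for SeLockMemoryPrivilege being enabled by an image outside an allow-list, and additionally flags images running from a per-user Temp directory or from the legacy C:\Windows\System directory the sample drops into. The event records, the PID values and the sqlservr.exe allow-list entry are constructed; event 4703 exists on Windows 10 and Server 2016 onward, so the Windows 7 run above would need Sysmon or EDR telemetry for the same check.

```python
"""Alert on processes that enable SeLockMemoryPrivilege from Windows Security
event 4703 ("A user right was adjusted") records.

Added example, not part of the sandbox report. The records below are
constructed to mirror the report (0xa14 = PID 2580, 0x8a4 = PID 2212); the
allow-list is a hypothetical starting point to tune per environment.
"""
from collections import Counter

WATCHED = "SeLockMemoryPrivilege"

# Images that legitimately hold "Lock pages in memory" (hypothetical
# allow-list; SQL Server is the usual real-world holder). Compared lower-case.
ALLOWED_IMAGES = {
    r"c:\program files\microsoft sql server\mssql15.mssqlserver\mssql\binn\sqlservr.exe",
}

# Directories where a privilege-adjusting image is itself suspicious: per-user
# Temp, and the legacy C:\Windows\System directory (distinct from System32).
UNUSUAL_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\system\\")

# Constructed 4703 records. In the real event, EnabledPrivilegeList and
# DisabledPrivilegeList hold whitespace-separated privilege names, or "-".
SAMPLE_EVENTS = [
    {"EventID": 4703, "SubjectUserName": "Admin", "ProcessId": "0xa14",
     "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "Admin", "ProcessId": "0x8a4",
     "ProcessName": r"C:\Windows\System\GQzgjbK.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege\r\n\t\t\tSeDebugPrivilege",
     "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "MSSQLSERVER", "ProcessId": "0x6b8",
     "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "SYSTEM", "ProcessId": "0x3c4",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeImpersonatePrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "Admin", "ProcessId": "0xa14",
     "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe",
     "EnabledPrivilegeList": "-", "DisabledPrivilegeList": "SeLockMemoryPrivilege"},
]


def split_privileges(field):
    """Turn a 4703 privilege-list field into a set of names ("-" means none)."""
    if field is None or field.strip() in ("", "-"):
        return set()
    return set(field.split())


def in_unusual_dir(image):
    """True when the image path lies in one of the UNUSUAL_DIRS."""
    return any(d in image.lower() for d in UNUSUAL_DIRS)


def lock_memory_hits(events, allowed=ALLOWED_IMAGES, watched=WATCHED):
    """One dict per 4703 event that *enables* `watched` from an image outside
    the allow-list. Disables are ignored: a miner releasing the right on
    shutdown is not the event worth paging on."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4703:
            continue
        if watched not in split_privileges(ev.get("EnabledPrivilegeList")):
            continue
        image = ev["ProcessName"]
        if image.lower() in allowed:
            continue
        hits.append({
            "image": image,
            "pid": int(ev["ProcessId"], 16),   # 4703 logs the PID in hex
            "user": ev["SubjectUserName"],
            "unusual_location": in_unusual_dir(image),
        })
    return hits


def count_by_image(hits):
    """Number of enabling events per image, for a quick triage summary."""
    return Counter(h["image"] for h in hits)


if __name__ == "__main__":
    for h in lock_memory_hits(SAMPLE_EVENTS):
        flag = " [unusual path]" if h["unusual_location"] else ""
        print(f"pid {h['pid']} user {h['user']} enabled {WATCHED}: {h['image']}{flag}")
```

The allow-list is keyed on the full image path rather than the file name so that a miner renamed sqlservr.exe in a Temp directory still fires; the unusual-location flag is a second, independent signal so that an analyst can rank hits without changing the core rule.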

Suspicious use of WriteProcessMemory

Every row has the sample (PID 2580, C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe) as the writing process and N/A as the indicator; the report records three write events into each of the 21 children it launched.

Parent Child Events Target
2580 2212 3 C:\Windows\System\GQzgjbK.exe
2580 2800 3 C:\Windows\System\oIzCHmN.exe
2580 2640 3 C:\Windows\System\rfjxxRc.exe
2580 2700 3 C:\Windows\System\swYuLwA.exe
2580 2648 3 C:\Windows\System\hqWUxrZ.exe
2580 2628 3 C:\Windows\System\OiDOppc.exe
2580 1420 3 C:\Windows\System\nXVGyzj.exe
2580 2748 3 C:\Windows\System\wNzvhMC.exe
2580 2668 3 C:\Windows\System\nqRYbVm.exe
2580 2500 3 C:\Windows\System\cyOLuai.exe
2580 2560 3 C:\Windows\System\YSWigTx.exe
2580 1144 3 C:\Windows\System\JgvpQEi.exe
2580 1936 3 C:\Windows\System\dPAuMmU.exe
2580 2096 3 C:\Windows\System\yOOMcAL.exe
2580 976 3 C:\Windows\System\moMTPYd.exe
2580 1928 3 C:\Windows\System\XsMGdOL.exe
2580 1844 3 C:\Windows\System\LBVdRdv.exe
2580 2720 3 C:\Windows\System\HXOgalD.exe
2580 2256 3 C:\Windows\System\JvMfNOH.exe
2580 2868 3 C:\Windows\System\mKiEWlD.exe
2580 1568 3 C:\Windows\System\JKuvdJs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe (PID 2580)
command line: "C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe"

Children of PID 2580, each started with its own path as the command line and no arguments (PIDs taken from the WriteProcessMemory table above):

C:\Windows\System\GQzgjbK.exe (PID 2212)
C:\Windows\System\oIzCHmN.exe (PID 2800)
C:\Windows\System\rfjxxRc.exe (PID 2640)
C:\Windows\System\swYuLwA.exe (PID 2700)
C:\Windows\System\hqWUxrZ.exe (PID 2648)
C:\Windows\System\OiDOppc.exe (PID 2628)
C:\Windows\System\nXVGyzj.exe (PID 1420)
C:\Windows\System\wNzvhMC.exe (PID 2748)
C:\Windows\System\nqRYbVm.exe (PID 2668)
C:\Windows\System\cyOLuai.exe (PID 2500)
C:\Windows\System\YSWigTx.exe (PID 2560)
C:\Windows\System\JgvpQEi.exe (PID 1144)
C:\Windows\System\dPAuMmU.exe (PID 1936)
C:\Windows\System\yOOMcAL.exe (PID 2096)
C:\Windows\System\moMTPYd.exe (PID 976)
C:\Windows\System\XsMGdOL.exe (PID 1928)
C:\Windows\System\LBVdRdv.exe (PID 1844)
C:\Windows\System\HXOgalD.exe (PID 2720)
C:\Windows\System\JvMfNOH.exe (PID 2256)
C:\Windows\System\mKiEWlD.exe (PID 2868)
C:\Windows\System\JKuvdJs.exe (PID 1568)

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 (none recorded) tcp 6

Six separate TCP connections to the same address and port, with no domain recorded for the destination. A repeated direct-to-IP connection on a non-standard port is a useful hunting pattern in its own right, since the address is the part most likely to change between builds of the same sample.
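Six connections to one address and port with no domain recorded is the pattern to hunt for. The following added example (not part of the report or of any vendor tooling) parses Zeek-style conn.log and dns.log text by its #fields header, labels outbound TCP flows as known_c2 when they match the destination above, direct_to_ip when the external destination never appeared in a DNS answer, or ok otherwise, and counts repeats per flow. Both logs are constructed with TEST-NET addresses and a subset of Zeek's real columns; the internal address ranges are a hypothetical environment setting.

```python
"""Label outbound TCP flows from Zeek-style conn.log/dns.log text: known C2,
direct-to-IP (external destination with no DNS answer behind it), or ok.

Added example, not part of the sandbox report. The logs below are constructed
(TEST-NET addresses, a subset of Zeek's columns); because the parser keys on
the #fields header, full Zeek logs parse the same way.
"""
from ipaddress import ip_address, ip_network

# Indicator from the Network table above: the only destination contacted.
KNOWN_C2 = {("3.120.209.58", 8080)}

# Address space treated as internal for this environment (hypothetical).
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

DNS_LOG = "\n".join([
    "#separator \\x09",
    "#path\tdns",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name\tanswers\tTTLs",
    "1717863420.10\tCdNs1\t10.0.0.15\t52001\t10.0.0.2\t53\tudp\twww.example.com\tA\tNOERROR\tcdn.example.net,203.0.113.10\t60.0,300.0",
    "1717863420.40\tCdNs2\t10.0.0.15\t52002\t10.0.0.2\t53\tudp\tmissing.example.com\tA\tNXDOMAIN\t-\t-",
])


def conn_row(ts, uid, dst, dport, service, state):
    """Constructed conn.log row from host 10.0.0.15 (source port derived from uid)."""
    return "\t".join([f"{ts:.2f}", uid, "10.0.0.15", str(49700 + int(uid[1:])),
                      dst, str(dport), "tcp", service, "0.50", "312", "0", state])


CONN_LOG = "\n".join(
    ["#separator \\x09", "#path\tconn",
     "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
     conn_row(1717863421.0, "C1", "203.0.113.10", 443, "ssl", "SF")]
    # six connections to the report's destination, 24 s apart, like the report's six rows
    + [conn_row(1717863425.0 + 24 * i, f"C{2 + i}", "3.120.209.58", 8080, "-", "S0") for i in range(6)]
    + [conn_row(1717863590.0, "C8", "198.51.100.7", 8080, "-", "S0"),   # direct-to-IP, not an IOC
       conn_row(1717863591.0, "C9", "10.0.0.2", 445, "smb", "SF")]      # internal, ignored
)


def parse_zeek_tsv(text):
    """Parse Zeek TSV into dicts using the #fields header; other '#' lines are metadata."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                raise ValueError(f"row does not match #fields header: {line!r}")
            records.append(dict(zip(fields, values)))
    return records


def is_internal(host):
    addr = ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def resolved_ips(dns_records):
    """Every IP address that appeared in a DNS answer (CNAME targets are skipped)."""
    ips = set()
    for r in dns_records:
        if r.get("answers", "-") == "-":
            continue
        for answer in r["answers"].split(","):
            try:
                ip_address(answer)
            except ValueError:
                continue
            ips.add(answer)
    return ips


def classify_flows(conn_records, resolved, iocs=KNOWN_C2):
    """Group outbound TCP connections by (src, dst, dport); verdict per group is
    known_c2, direct_to_ip or ok, with a count and first/last timestamps."""
    flows = {}
    for c in conn_records:
        if c["proto"] != "tcp":
            continue
        dst, dport = c["id.resp_h"], int(c["id.resp_p"])
        if is_internal(dst):
            continue
        if (dst, dport) in iocs:
            verdict = "known_c2"
        elif dst not in resolved:
            verdict = "direct_to_ip"
        else:
            verdict = "ok"
        ts = float(c["ts"])
        flow = flows.setdefault((c["id.orig_h"], dst, dport),
                                {"verdict": verdict, "count": 0, "first": ts, "last": ts})
        flow["count"] += 1
        flow["first"] = min(flow["first"], ts)
        flow["last"] = max(flow["last"], ts)
    return flows


def report(conn_text=CONN_LOG, dns_text=DNS_LOG):
    resolved = resolved_ips(parse_zeek_tsv(dns_text))
    return classify_flows(parse_zeek_tsv(conn_text), resolved)


if __name__ == "__main__":
    for (src, dst, dport), f in report().items():
        if f["verdict"] != "ok":
            print(f"{f['verdict']:13} {src} -> {dst}:{dport}  x{f['count']}  over {f['last'] - f['first']:.0f}s")
```

The DNS cross-check is what separates this from a plain IOC match: once the address rotates, the direct_to_ip verdict still fires, while ordinary browser traffic to resolved names stays quiet. Feed it the dns.log from the same time window as the conn.log, or the resolved set will be incomplete and legitimate flows will be over-reported.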

Files

memory/2580-0-0x000000013FDD0000-0x0000000140124000-memory.dmp

memory/2580-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\GQzgjbK.exe

MD5 6b383d5f107422c6b058654481ec76ac
SHA1 a407a89f527ee7bf21bb9e61855892ae526d6925
SHA256 3f5cc4f9234832b4f600de2846a9269cf691bd357d8cc07202a97f65a3511a6d
SHA512 fbeefa85c721505b3fd8ec2112e0fd95f71526eb13781665aeb1b1aaf11601d7f4beb2ea92ded1adf4b7cf8a76a198a81232a1ecb794dc21b65c2ae445d57944

memory/2212-8-0x000000013F480000-0x000000013F7D4000-memory.dmp

\Windows\system\oIzCHmN.exe

MD5 00ca85913cb26362a9cdd772942361ac
SHA1 05814d937475b4ef5aed57911c201bf24bfdbff1
SHA256 3de677492e24edf10b6d649ff76f626d50b9d26c2c50c97e6ea591d350c2ef0b
SHA512 eccc2bd1aa3b9e25fa13ef73e0cb2b8b9902e603b0d8b2b602d729277977b926e5d2700add5dce4a69d916bb3f56a4cd758db3cc7fce02fc389b860bcbc63d4d

memory/2800-13-0x000000013FF00000-0x0000000140254000-memory.dmp

C:\Windows\system\rfjxxRc.exe

MD5 1eeff0dba5b458c255efdb6833580ce5
SHA1 c0a28b57371b8608203753ce9fba89ece267fc67
SHA256 6ee0ee7187c7be114212de31bcfb0830222ecdfb38d7b0d07a5e5908a2047f98
SHA512 7b6f2682ca37a972de0842a8e1981870db81237c9ce1ea6a55146ab1c951d6c58001e2b835dc6e642eb5ef2f66b2260ecb4891a7f99c8824f215ac20dabe8d91

memory/2640-20-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2700-27-0x000000013F820000-0x000000013FB74000-memory.dmp

memory/2580-25-0x000000013F820000-0x000000013FB74000-memory.dmp

C:\Windows\system\OiDOppc.exe

MD5 6c73a9ae5e2df7e08ed49f4a9bbc5210
SHA1 def015471d0feebae3b04c3109b7aa055dfaba51
SHA256 ff0d16b54c57b03ddd9917e804074e714aec9aa2e22d032fad3e18c51ef51fa5
SHA512 61b97196e92f561a5cc109562caf81743fd0a1cbd727a9b3ad443c2ab63395db82d3b03aae117beb9e30c1d836c109119bc108068d3f036ac180fde8defd9973

memory/2580-38-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2628-39-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2648-34-0x000000013FC50000-0x000000013FFA4000-memory.dmp

C:\Windows\system\wNzvhMC.exe

MD5 c7fa63502267d0696fcc19b51eb9a8c4
SHA1 63f65ae19a52d7a4838b9531b2c879fe71afdefe
SHA256 9b2650ec6ac2f5ac6a3fcbc203b200d58ad53b0be23e8792d58543a0b8b21953
SHA512 cf07a7ecc2f571652e0eec480927ce53c50d85a0b94d1b17e6f0eb831d0a89c582a30e622bfc6da2453c1ba182c7010dbf7b090dc942136de6bba67dd814ce7e

memory/2748-53-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2668-59-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2500-64-0x000000013FA70000-0x000000013FDC4000-memory.dmp

C:\Windows\system\YSWigTx.exe

MD5 e1f846a5e907bdb0656e6b6fa735e7e8
SHA1 9c16453d21573266776e3380dc621d53a6f9353b
SHA256 0849fd275dd19676a1433624f0985c667576963479b1b4bae392cf63afe98883
SHA512 c0132a52296c61274a4ae7c4712265685ab5f8f34bfd2cccdc2353b362e8274f043e68e1f8e64941cd0beb5f0f2cf02a1ad7b82e1ceee7d085cc78de7dcb0983

\Windows\system\JgvpQEi.exe

MD5 a2c5d922ae1031d3d32e002125bfbce6
SHA1 dbf0093662ff6d8579c6e58bff8501d22f551b87
SHA256 760de03fd641d752a2ed5b50299d682569cf6e79d68b3a4da125cef2f258c661
SHA512 ecee1b9f4d6595e969f528836cf4e505f18e7d651932dafc8901a041ad790b9738c4032e44c4144ada8fb480640b907e56aba6545d99efa5b04209d073d6bb2b

memory/2700-85-0x000000013F820000-0x000000013FB74000-memory.dmp

C:\Windows\system\yOOMcAL.exe

MD5 d928ce657cf2084416f7d962f39f3843
SHA1 9ec858e1d84cb21da4ae12af9c125d30cfa8b92e
SHA256 0334113744c2b6220f7d28269ac4667d25762654370438a4ce995b8a503e444d
SHA512 98d2a83466c101b2e3d3833a099f958fcdc973bf27803ad4349fa44a7e316bb69619fdb0176b6e710e04588256d5595032dd634b77730150bdd60f06b1989360

memory/2628-99-0x000000013F140000-0x000000013F494000-memory.dmp

\Windows\system\moMTPYd.exe

MD5 0d262b7f54c27855568db67669c7fe42
SHA1 a8f07d0b7905c378cf0c68c91831bf3ceeee19da
SHA256 0d0faab1afde0af2b0b8e7a18d7a076e10d99eb2593cebba3e17104d5b778242
SHA512 7d10fcc45a4f6b8b90bf7bd9c68ff41a190472916112eebf4239a3c5d44baf6d5d63aa0602c50e69142ba39f934806a79f0d0e869a91611973303966064a5809

C:\Windows\system\mKiEWlD.exe

MD5 71717b70205b2f50f0a65368b1afdbd6
SHA1 8bfdbf254af73d6734c302fa8b8b94c6a09ae9b7
SHA256 c24af59abed05f2dc4138462f149f5e535ae0ffa357e51e64dca89e41a4671a1
SHA512 6a384298c0bdbe0a18cfe5207e900f3490e858cb19ff4ca8105d3d1d219f9d458519e6e303eedddecb561e71d24899981b1a14f8f97bce8d47d14bbf3806960c

\Windows\system\JKuvdJs.exe

MD5 70eb635b413bb97b20d90217051b7f31
SHA1 82eaba2c36e858f2638b96ece37c0276a5e23d1f
SHA256 71e6ebab0156def00a1fdf623161b665dd6c33eab5cd3adf4c6023b915aa1d19
SHA512 221fc757be968606a1c59235d04f3b46dfa525cb6b9d8d9de5237328762c9a6171ad3c6c15623da9047ce1d68bda32238f3213ac4deb986dc1abc0cc9e4ffb30

C:\Windows\system\JvMfNOH.exe

MD5 50e951998ecb8f3a14741c1d7b4ef419
SHA1 f730750ae291380cf481be5bba1ba2164b50960f
SHA256 ecf00b59176a3178a6085c46f6eec32b864d2684b84fdfa5059708beb69e3776
SHA512 873f6235cb080502853eea7d2f1c37431312ce5ea5dda1988f20d4709babfa39f3dcede6e299fdc5cd2295b29baab49f7ab1b9ac077ed59c4715ae946ab5a8dc

C:\Windows\system\LBVdRdv.exe

MD5 40ff7747609a0a83405281886cfdc277
SHA1 82c2a3a716e1d47769549cfafa2a8823a0eb343c
SHA256 3a5f65f955f0e781c00cfbfbfa97715a9274b8602cd07f056e736dadf321fbbd
SHA512 d883b2cc1f47a8750f56919d00723a6012bac8cc3f7889e9bdf45adf6cd0493a630150aac3f8473b7626eaba5ebaede97628ee5700f6b3e32ff364214fc3142e

C:\Windows\system\HXOgalD.exe

MD5 5ce1f87b6bf59b103b7b53e6f205b163
SHA1 3cc3ddb4410823adb1c18991903abdda8316778f
SHA256 f854ea7c898e8a2e168ee9d7414e473e0bf0da5275d39fe44d6e514e49d5c623
SHA512 3780bed5f4c8beb03f3cb1c897c866079b2a2e8517b17353d589779f9b72434e1fad98db6086f83178edc3540345c0fa81a13e535b348a570a317f38030f0637

memory/2580-107-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/1936-94-0x000000013FF50000-0x00000001402A4000-memory.dmp

C:\Windows\system\XsMGdOL.exe

MD5 74d628cb25b2fcb798fc8e3f8d55e556
SHA1 4dcd6040cf2998322e5b5ad38c9f759b8fbd41f7
SHA256 355bec6097c2646d216d60466f91081e0f14ca5f3a224eb6642bfa2e1031304c
SHA512 0190d0c96802da4f138912152366d4f5b33dbf357c2036acad84320686a93d815393e3fdf5a122b40dbb437632d8b3a0958879e21dbeca2a41d0a56aabf115fd

memory/2580-93-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/1420-139-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/2648-92-0x000000013FC50000-0x000000013FFA4000-memory.dmp

C:\Windows\system\dPAuMmU.exe

MD5 b855c422427b12584f2d61d873915709
SHA1 e005f00295ed3a92548933ece356f6499e023b11
SHA256 670f969c1ef9ffe3c3a3ad9a18c61423e51fe0f212535e7f6bbe6bbaa4456ff4
SHA512 1245b7eefa36d22015638e2bdf3686fefa0daeec5c3b1260442f438a334a4cc7d27ebcd7ce775ac50d3aa63883ae5904e46d4d5df2b521bdd13a658534e53eb1

memory/2096-101-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2580-100-0x000000013F620000-0x000000013F974000-memory.dmp

memory/1144-86-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2580-81-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/2640-80-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2560-71-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/2580-70-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/2800-69-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2212-58-0x000000013F480000-0x000000013F7D4000-memory.dmp

C:\Windows\system\cyOLuai.exe

MD5 fd0c291614254b13fe8af5c620939383
SHA1 a434728b2478a098f941f29af8985718e5df785e
SHA256 950372ee7bcbab3313cf4ed5fa8a0791cd65fc2e1e9a99c89a7b92373e63b051
SHA512 11515a1e203895336fc682a01eb9a2a7fdb5f1016e692c45f7825e25f67ae280ec6654b958664fa27dec4266387cfc4420e002cceefabf23a4f8d875c03a7375

C:\Windows\system\nqRYbVm.exe

MD5 5f3018055cc3da8c473ac06afc011f1b
SHA1 a8da2e6d0ed7322e0545cf1ad646c70a8022c623
SHA256 2a945337806817637090e7c5b7dcd849dbe17828c5aa080cda01f2b6c3d4c090
SHA512 36084382d3fb803b0bf45d9b0c1a2bda56afe8f7cc244331e5fe9bf460555c5abfe00b3a12d035342f0991308843b26a7edd10d06f39520996ebf7dc537f6e75

memory/2748-140-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2580-52-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/1420-47-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/2580-46-0x000000013FDD0000-0x0000000140124000-memory.dmp

C:\Windows\system\nXVGyzj.exe

MD5 dfd20e9622d2839a33f448f8b05541a0
SHA1 ed394f741605dbb501a9dda799545756c3a136bf
SHA256 1a11dfb9a3447470fba54e937b8d48bb30c471e9deece0271341936e1cdbfd8d
SHA512 ae2ab1dd5182e98aa4d34928762288efdd1e6676c21350a539ada48defba33f80762c6b3d02c16509b082d41a4e0867784b54414f868b13ed4ffe87eab87699f

memory/2580-42-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/2580-33-0x00000000022F0000-0x0000000002644000-memory.dmp

C:\Windows\system\hqWUxrZ.exe

MD5 37b3462d032cbb79fbfa866eda3589e9
SHA1 825b4048cd278a5c78112ff783ed6dd3a4f1e898
SHA256 81c4a1b3acf2426a7d886a6c02f4015c45d5c71ea5bac50845f70b5f7e3706b5
SHA512 5f3672cf240a4e2cd97b39230f572eb68414cd35232c85bcb94975d3cf54ed52bf8e1f4318a2828504572f50026d8dda4fa65842cdf6771d54697f91510863c2

memory/2580-19-0x00000000022F0000-0x0000000002644000-memory.dmp

C:\Windows\system\swYuLwA.exe

MD5 a0432f9b1eb602886de2d27e09b0c17c
SHA1 74799fae20a9b72557fcbdb7b8878c95327a3593
SHA256 97b0ee38ff3297b940dd24fad14b970d33ec4a83713aedb95f9f6d5d0173b4c5
SHA512 8df2c3b3e9a77896d3cd3b65f60bb73402bc9ad7445a0d33c0b3a765806186e350844a2ccfb5972284685bcc510150e64d2fc793f061ea76325de87aa6483ed4

memory/2668-141-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2500-142-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/2580-143-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/2560-144-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/2580-145-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/1144-146-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/1936-147-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2580-148-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2096-149-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2580-150-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2212-151-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2800-152-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2640-153-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2700-154-0x000000013F820000-0x000000013FB74000-memory.dmp

memory/2668-156-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2628-155-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2500-159-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/2560-158-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/2648-161-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2748-160-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/1420-157-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/1144-162-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2096-163-0x000000013F620000-0x000000013F974000-memory.dmp

memory/1936-164-0x000000013FF50000-0x00000001402A4000-memory.dmp
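The WriteProcessMemory rows and the memory dump names in the Files list above can be cross-checked mechanically. The following added example (mine, not the sandbox vendor's) rebuilds the parent-to-child map with per-child write counts from the "wrote to memory of" rows, parses each memory/<pid>-<seq>-<start>-<end> dump name into a region size, and asks whether the first region dumped for each child (assumed here to be the child's image mapping, given its address near the 64-bit image base) is the same size as the parent's. The embedded rows are a subset copied from this report so the script runs offline; parse_report() runs the same checks over a saved full report. On this sample every child image measures 0x354000 bytes, the parent's own image size.

```python
"""Rebuild the parent/child map from sandbox "wrote to memory of" rows and
compare dumped image regions per PID.

Added example, not code from the sandbox vendor or the report. The sample rows
are copied from the behavioral1 tables above (a subset); the regex assumes the
report's paths contain no spaces, which holds for this sample.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe"

WPM_ROWS = [
    f"PID 2580 wrote to memory of 2212 N/A {SAMPLE} C:\\Windows\\System\\GQzgjbK.exe",
    f"PID 2580 wrote to memory of 2212 N/A {SAMPLE} C:\\Windows\\System\\GQzgjbK.exe",
    f"PID 2580 wrote to memory of 2212 N/A {SAMPLE} C:\\Windows\\System\\GQzgjbK.exe",
    f"PID 2580 wrote to memory of 2800 N/A {SAMPLE} C:\\Windows\\System\\oIzCHmN.exe",
    f"PID 2580 wrote to memory of 2800 N/A {SAMPLE} C:\\Windows\\System\\oIzCHmN.exe",
    f"PID 2580 wrote to memory of 2800 N/A {SAMPLE} C:\\Windows\\System\\oIzCHmN.exe",
    f"PID 2580 wrote to memory of 2640 N/A {SAMPLE} C:\\Windows\\System\\rfjxxRc.exe",
    f"PID 2580 wrote to memory of 2640 N/A {SAMPLE} C:\\Windows\\System\\rfjxxRc.exe",
    f"PID 2580 wrote to memory of 2640 N/A {SAMPLE} C:\\Windows\\System\\rfjxxRc.exe",
]

DUMP_NAMES = [
    "memory/2580-0-0x000000013FDD0000-0x0000000140124000-memory.dmp",
    "memory/2580-1-0x00000000001F0000-0x0000000000200000-memory.dmp",
    "memory/2212-8-0x000000013F480000-0x000000013F7D4000-memory.dmp",
    "memory/2800-13-0x000000013FF00000-0x0000000140254000-memory.dmp",
    "memory/2640-20-0x000000013FE60000-0x00000001401B4000-memory.dmp",
    "memory/2580-19-0x00000000022F0000-0x0000000002644000-memory.dmp",
]

# "PID <parent> wrote to memory of <child> <indicator> <writer> <target>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+\S+\s+(\S+)\s+(\S+)$")
# "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp"
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_wpm(rows):
    """child pid -> {parent, writer, target, writes}; repeated rows add to `writes`."""
    children = {}
    for row in rows:
        m = WPM_RE.match(row.strip())
        if not m:
            continue
        parent, child, writer, target = m.groups()
        entry = children.setdefault(int(child), {"parent": int(parent), "writer": writer,
                                                 "target": target, "writes": 0})
        entry["writes"] += 1
    return children


def parse_dumps(names):
    """One dict per dump name: pid, dump sequence number, start, end and size in bytes."""
    regions = []
    for name in names:
        m = DUMP_RE.search(name)
        if not m:
            continue
        pid, seq, start, end = m.groups()
        start, end = int(start, 16), int(end, 16)
        regions.append({"pid": int(pid), "seq": int(seq), "start": start, "end": end,
                        "size": end - start})
    return regions


def first_region_size(regions):
    """Size of the lowest-sequence dump per PID (assumed to be the process image)."""
    first = {}
    for r in sorted(regions, key=lambda r: (r["pid"], r["seq"])):
        first.setdefault(r["pid"], r["size"])
    return first


def image_size_matches(children, regions):
    """child pid -> True when its first dumped region is the same size as its parent's."""
    first = first_region_size(regions)
    return {child: first.get(child) is not None and first.get(child) == first.get(info["parent"])
            for child, info in children.items()}


def parse_report(text):
    """Run both parsers over a saved report; unrelated lines are skipped."""
    lines = text.splitlines()
    return parse_wpm(lines), parse_dumps(lines)


if __name__ == "__main__":
    children = parse_wpm(WPM_ROWS)
    matches = image_size_matches(children, parse_dumps(DUMP_NAMES))
    for pid, info in children.items():
        print(f"{info['parent']} -> {pid} {info['target']} writes={info['writes']} "
              f"image_size_matches_parent={matches[pid]}")
```

Equal image sizes across parent and children are consistent with each dropped file being a full copy of the same executable, which is what the 21 distinct-but-similar drops and their per-file hashes suggest; where a child's first region is much smaller than the parent's, look at the dumps for that PID individually before assuming a plain file copy.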

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 16:17

Reported

2024-06-08 16:19

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JYdmwdg.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\ArsXBMh.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\HrJWOrO.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\nHVTAeO.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\TqsKxeY.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\TqERGPp.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\RVvNojd.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\awvCMWI.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\EQZoOZi.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\KJFerlg.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\KAZKQPV.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\IDvsqKD.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\tCCzfNL.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\gjVSBUZ.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\azBnKtE.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\aGAndkA.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\ZMAVJSY.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\nPspIFl.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\oIXBezu.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\upVxwIg.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A
File created C:\Windows\System\vkZbstX.exe C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 648 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\TqsKxeY.exe
PID 648 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\KAZKQPV.exe
PID 648 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\TqERGPp.exe
PID 648 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\IDvsqKD.exe
PID 648 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\tCCzfNL.exe
PID 648 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\gjVSBUZ.exe
PID 648 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\azBnKtE.exe
PID 648 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\aGAndkA.exe
PID 648 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\nPspIFl.exe
PID 648 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\oIXBezu.exe
PID 648 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\RVvNojd.exe
PID 648 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\JYdmwdg.exe
PID 648 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\upVxwIg.exe
PID 648 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\ArsXBMh.exe
PID 648 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\awvCMWI.exe
PID 648 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\HrJWOrO.exe
PID 648 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\ZMAVJSY.exe
PID 648 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\EQZoOZi.exe
PID 648 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\KJFerlg.exe
PID 648 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\nHVTAeO.exe
PID 648 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe C:\Windows\System\vkZbstX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe"

C:\Windows\System\TqsKxeY.exe

C:\Windows\System\TqsKxeY.exe

C:\Windows\System\KAZKQPV.exe

C:\Windows\System\KAZKQPV.exe

C:\Windows\System\TqERGPp.exe

C:\Windows\System\TqERGPp.exe

C:\Windows\System\IDvsqKD.exe

C:\Windows\System\IDvsqKD.exe

C:\Windows\System\tCCzfNL.exe

C:\Windows\System\tCCzfNL.exe

C:\Windows\System\gjVSBUZ.exe

C:\Windows\System\gjVSBUZ.exe

C:\Windows\System\azBnKtE.exe

C:\Windows\System\azBnKtE.exe

C:\Windows\System\aGAndkA.exe

C:\Windows\System\aGAndkA.exe

C:\Windows\System\nPspIFl.exe

C:\Windows\System\nPspIFl.exe

C:\Windows\System\oIXBezu.exe

C:\Windows\System\oIXBezu.exe

C:\Windows\System\RVvNojd.exe

C:\Windows\System\RVvNojd.exe

C:\Windows\System\JYdmwdg.exe

C:\Windows\System\JYdmwdg.exe

C:\Windows\System\upVxwIg.exe

C:\Windows\System\upVxwIg.exe

C:\Windows\System\ArsXBMh.exe

C:\Windows\System\ArsXBMh.exe

C:\Windows\System\awvCMWI.exe

C:\Windows\System\awvCMWI.exe

C:\Windows\System\HrJWOrO.exe

C:\Windows\System\HrJWOrO.exe

C:\Windows\System\ZMAVJSY.exe

C:\Windows\System\ZMAVJSY.exe

C:\Windows\System\EQZoOZi.exe

C:\Windows\System\EQZoOZi.exe

C:\Windows\System\KJFerlg.exe

C:\Windows\System\KJFerlg.exe

C:\Windows\System\nHVTAeO.exe

C:\Windows\System\nHVTAeO.exe

C:\Windows\System\vkZbstX.exe

C:\Windows\System\vkZbstX.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 142.250.179.106:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 106.179.250.142.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files

memory/648-0-0x00007FF677620000-0x00007FF677974000-memory.dmp

memory/648-1-0x0000019DB0D70000-0x0000019DB0D80000-memory.dmp

C:\Windows\System\TqsKxeY.exe

MD5 ef98777f47106cdfac665291da42f2ca
SHA1 1cceda2ad7edcb63a8e299dd5ec78f9e08870598
SHA256 9ebf7b3683e6f005c10eae0f1468bacb13e8b6e61c906e489b7cbeef7dd4d71c
SHA512 997c7bb13157a173ec751e602c1444189dbec9741b8657fc34ebedfa0d37cdbba00176cac8f62c2998dcbd4af1e6ec62ae4c0fbc4849b99ba840b644ff28feb7

memory/568-8-0x00007FF66C6B0000-0x00007FF66CA04000-memory.dmp

C:\Windows\System\KAZKQPV.exe

MD5 ee6ff1ddddd8967e067f05f011f508a7
SHA1 afcdbcfba5e86f61e7ca1ed8184a149614467be7
SHA256 fbfe0a846d1534fa29da0b658bcf702bca4e731e05ef97f793db77c7e144bc95
SHA512 854084501f82805943b1c8ec521c78d1d743b2ef4ad58b87af7e0165e4f61f39e30d9efe643d8f8dc36c0c9c1175d2cb50579f3672336ae1cac32a1a6892aa28

memory/3296-14-0x00007FF6604D0000-0x00007FF660824000-memory.dmp

C:\Windows\System\TqERGPp.exe

MD5 a6f2f2adf5fc97e5ed285aba6cb8cdb3
SHA1 2ff949b2770049c6ab202e3609c922d69874ccf2
SHA256 285e05e69a29fae46ca74dd96c19f71856a6d56de3802ab717d3e3e15be2ecd2
SHA512 02c00079a84be955d51a40809ad286da8899e64c1a13c41e4b4513a0f5d6c23337beb6804ae10ac2f8c64723ba928ff2efae96de59b6d631babca61be84cbf85

memory/2876-20-0x00007FF7452C0000-0x00007FF745614000-memory.dmp

C:\Windows\System\IDvsqKD.exe

MD5 79804d3d1c6b2c1b2fdadc5c1f0c9e6a
SHA1 f4569bfc309a9c589b8cab557451197658322851
SHA256 f4b70ee827b91f9c80b2f928e40a4b036fa3cc816bcca289e04439103eb3c1c5
SHA512 81c0d5bfe65199956bd82ca9885a20c2b9cb88350ad688b8ff6c7261acc13cdf3013bc294dad4479be8745338c3d0a22d2762b5bad286c512fba3848b9cd06ee

C:\Windows\System\tCCzfNL.exe

MD5 bb03404ddc702e6d2bc80797f0229b27
SHA1 ccee1c11291705ca4552a44c45237dd1e8e03a2c
SHA256 bdea32ca3583678c4bf2cd211ad8468048eeca44ae7c30cb6857f54487c5d8e7
SHA512 eb133661e37d848625d5fafc231f3ed3d4ad3f75a8a0de46f1675f312afddcdedd91c004758c67c9c91f5f39541fd781340651c0c2cfafc2acdcdcf8b53e48ee

memory/2028-26-0x00007FF7970D0000-0x00007FF797424000-memory.dmp

memory/2560-32-0x00007FF6D83E0000-0x00007FF6D8734000-memory.dmp

C:\Windows\System\gjVSBUZ.exe

MD5 aa26dbb1319e92987d35775159e14349
SHA1 9764b5838fb70410dd3180caaaa1e4e109522aaa
SHA256 46c98a2a014eca23f11ca82e3b3e126059c0c0fce2f57472c5d6749cdcb8e7be
SHA512 f4a2e1da486e6fae35093682c8a63e93e6a32d7fc7684f2a772e95eb3d468b93f92d4a3e9e23f3b35fb68a27cbbeac87a3d428ab7da62d640a0e0ba991952bfc

memory/220-38-0x00007FF670840000-0x00007FF670B94000-memory.dmp

C:\Windows\System\azBnKtE.exe

MD5 6e43bc34086f27f5e355a76e2d8afb77
SHA1 e485de21b6f1c20828fcf0d5220cc8769ca5ff53
SHA256 d86b03afef60ae78ca5bc3a64a3e83c79bb8d99750a3980d9f8e6238e63622f6
SHA512 ad5a0876855bb9ad0b923caff1136a3d8545449c2bf34487e4b1ee010b75407f699e1c350c005c324e557f768606c85d107b9a9c99d16646341f7a27e2d0f4b2

memory/1724-42-0x00007FF7211E0000-0x00007FF721534000-memory.dmp

C:\Windows\System\aGAndkA.exe

MD5 31e79ccd5f717f0560ae3bd5681d7728
SHA1 3165fd87e636907ac801957136cd11cfc5c66bd1
SHA256 61c032182f57fcc5a724c32e024e1ecdec21ab597f7690a4aa164f618b07bb56
SHA512 d265ec85e05c325032696dba82dcddefb1d890aa9cf913dae2d52e9a1ca413a56ad7fa7c5ead3ad1971d62bf2e47354c8bc0828dbf41db27f5120df1234d7149

memory/4864-52-0x00007FF747430000-0x00007FF747784000-memory.dmp

C:\Windows\System\nPspIFl.exe

MD5 3a6b7638960b17f3bcc2dbadfd5ae306
SHA1 875ee68df8e62a1c745641d1171f93ba199e2141
SHA256 5d97f8dd5a8f0d4da22771952d8f044469010528a712ac45a9acbfea929307b1
SHA512 853ecbb70b889c8e3832a7325e1afd812f88803f2f8d80bd8c72b7e2c2f366a2ebb36855ee640847421d9a5cd02959ef2b623320c48ae505461aacb7aeba58a8

C:\Windows\System\oIXBezu.exe

MD5 1078ede2b0d344470aa8911b1921cdd9
SHA1 ee0f9a675b552ec6e37bb5da3d35c620545d2c5f
SHA256 d9a2b72d93d7d3214232743b7aa8a6cbc0bc72e6a587329d03567156350451eb
SHA512 68acb2235e0aedc0f33c9a796ba5154a463c4cfc531a57a32096f385b0a28a0abbd58f40aeff3027d6ed63e28a64d5124c9df11b4579fa1420cf443c0821587e

C:\Windows\System\RVvNojd.exe

MD5 753f9aa258291d9ac794aa4ca222946e
SHA1 6cb59e1592db051a700c537886e1025311628702
SHA256 b9f34b3dda953f3470678d85bb4174fd79ffe02f321fa4b93e27e9c47c56d095
SHA512 4d44f67d17b3446bf53596b443a575dbb878242b391d46cc1b0c1e294a99477cfaafafa611361942e6c9eea61e2a9e3e1b05bf6d517e9c425be518fa55cd5e4a

C:\Windows\System\JYdmwdg.exe

MD5 7160b2652d126e556f39bd02a1dbd9dc
SHA1 c3b576710f504bd49f22d1ed02bbd9abdb0c6e06
SHA256 67e091bfd6e9ab60d07d3ceca53e507d91489f4c241efed7624d50b17faa9e12
SHA512 ba88bb97b737d68bbde336b88569febb484ece4e22aabe03a3ee780319387c93be5baaf171f9a53b9e311482e17da15e446b2fae7a2ae76dea06de27f8023666

C:\Windows\System\upVxwIg.exe

MD5 f99084a98201f91fefa33f0c35e4cb44
SHA1 a654c48257d25cfda2f6613651e77b0690083eea
SHA256 8051ba6385678226a4a037f9ad1fd2c50bccd40f24543a193c461da5eec10321
SHA512 61555d3f877a53aa8933e6bf7b6a2cc64251dd83b9d092718c1b880f7c966ed6582ff27d4d4cef5928f30622e8224db6c8cbd08238574b1f2e8ec36c0420de8a

C:\Windows\System\ArsXBMh.exe

MD5 ddaa55af632bf6a483245d1e8c10f675
SHA1 3fd34f0c77e257bacd76037028bcbb0c590f48eb
SHA256 9914ba73e59a9630ec2e0844e7481741573ac89de3102b3bc00000ecdd9f3553
SHA512 42c1551e5c0d35a0446c4ccbbfcc1cab2c6180703a884a43788c0a7026e8a22f069c21d7cc136e0849860f3ad2d503c1c4a073e8361d62bfa5b1dd373c574e86

memory/2876-88-0x00007FF7452C0000-0x00007FF745614000-memory.dmp

C:\Windows\System\awvCMWI.exe

MD5 80694d3a226f1deb7344bb2899d03022
SHA1 99cc2c7baf9de031c906e4659909c46e9cdc5b94
SHA256 9ca0d0f6655b2c6eb7bd4268e24a8b7b377bd25ce5f6354167262a8deec98d69
SHA512 815bcaa6f823b3633f5e4388c59d818d8bd9da88be556867233465669ea15fb979e907d03ea5db7a3a44fcb103448dc50cb01604259a0b39d9fd53b82c901343

C:\Windows\System\ZMAVJSY.exe

MD5 68a8741639dbbf1b67b9ac5f50252ac9
SHA1 e2d03dc0083fa3ec834ea37a2e1389f17542ea75
SHA256 0b0abc22bc601a8c6e2aa53c282bcd3af8c1c355151a6268ea7036235ae8e898
SHA512 9812839d364efea2ea7ea02764b006de6e0ce932fee042cad11cd5d5bc982efff69389d11650c4a264255a560753deb88f8389b8406d16bad682a20dc02256e7

memory/636-103-0x00007FF74D3B0000-0x00007FF74D704000-memory.dmp

C:\Windows\System\HrJWOrO.exe

MD5 871d0da222c9d94ead4befb04e33c2ed
SHA1 82e6e0b77cecdf56992929e2272fa53062e2b2f3
SHA256 470ac5b6905dcb1ffb2ef9624b548a34775717ff00044718b917bcdfa6d2f782
SHA512 21634ae2d57160b9509a9dd57109044d468ad2a906374f344c74cd23e37399a93775d184ece9c6dcd0b83f5b868923cc72fac6ccc83a7aaf8ee7d4e22e9b8db0

memory/2608-104-0x00007FF637C40000-0x00007FF637F94000-memory.dmp

C:\Windows\System\EQZoOZi.exe

MD5 6d6ee21b34db8849f4b15d075aaf6773
SHA1 50ea1fcca16d61f9c4d8eb482054719ff6766de1
SHA256 126b97c4d64271e7bf66de6b58860b68ee08677a728624e4c17167b7d0c449f5
SHA512 b7206b9b49fab9cd77c9e7377e0a8eb61ae74782872010d4bfd42a275c08d021fd273d658f6b6e222b868ebe6d8e179fd2d77b78f23bdb3c7327ac2de7927015

memory/220-112-0x00007FF670840000-0x00007FF670B94000-memory.dmp

C:\Windows\System\KJFerlg.exe

MD5 532c88093d91a16792249834dac21b93
SHA1 65f22bbedb5957ccf912316257398777a471bd99
SHA256 7bbfbb702e8cf16187e5a74a30c6c9d2f661fc05495dce8c2d51488de03a4896
SHA512 dac5e20c59712c49216304bed8587308a6907d3824452f17abb2e1a28c5eb81b05f6a1ac25b29aad72a76f0e2df9ceb3fba5f509cd4cf30299fc845a3b9580e8

memory/3480-120-0x00007FF67B720000-0x00007FF67BA74000-memory.dmp

C:\Windows\System\nHVTAeO.exe

MD5 3930fd8d36ea0a45ecfb928841ef1662
SHA1 fb1c76f018a7f213402a6844c40b95923de6f617
SHA256 63fdc043bc1f476a4c9a83efc4a5c91aa17f84725463362d5018e7e16e433bb0
SHA512 edf26d67f4c354dac7f008dcbb3098903d9e4e1fee5dc6456cb06db7e79ec9c853c4a804113267ac873841c7da10c92d641129a7a87941d3308ec63089fe10b6

C:\Windows\System\vkZbstX.exe

MD5 a07f7db49e9ae3a782bc06a2fb20ec4d
SHA1 869801e7c83013df567f0ac773ca1cdf5e1eeb59
SHA256 1694fc2b9c196a137976f2455a3375f0f762b6d52b5631ca306a9975cc3bd40e
SHA512 614c687b58f85833268bc42bd62a829f537f6fca6942e841026b9a90b8354ff6676810bd7a1f29ae86fb39835413f291291f7dd8996a49ec544fc243e322ca4c
