Malware Analysis Report

2024-10-16 03:08

Sample ID 240608-wynngafb34
Target fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe
SHA256 e75776aefe8fa902924bb874d01081d93068d6e13acf3e4ab7fad5f25a4e4bfa
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e75776aefe8fa902924bb874d01081d93068d6e13acf3e4ab7fad5f25a4e4bfa

Threat Level: Known bad

The file fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

Cobaltstrike family

Cobaltstrike

xmrig

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 18:20

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 18:19

Reported

2024-06-08 18:22

Platform

win7-20240220-en

Max time kernel

133s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\APadUiD.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\kownHma.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\HtIRPNF.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\JnoaVqQ.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\JXyjCEb.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\WLlHtwr.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\yiBMOCx.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\xseSgMX.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\KbZupFW.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\qxaCrsH.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\BdtlnXv.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\bmefGLk.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\KswJVcP.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\pLSanqK.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\jemfwWm.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\yhOdUgN.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\WuFGDKS.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\CGjjUKF.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\MsVNxAu.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\NMrLQBr.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\xlEMjvZ.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\yiBMOCx.exe
PID 3032 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\NMrLQBr.exe
PID 3032 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\xlEMjvZ.exe
PID 3032 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\jemfwWm.exe
PID 3032 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\KswJVcP.exe
PID 3032 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\HtIRPNF.exe
PID 3032 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\xseSgMX.exe
PID 3032 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\yhOdUgN.exe
PID 3032 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\pLSanqK.exe
PID 3032 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\KbZupFW.exe
PID 3032 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\JnoaVqQ.exe
PID 3032 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\qxaCrsH.exe
PID 3032 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\APadUiD.exe
PID 3032 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\WuFGDKS.exe
PID 3032 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\BdtlnXv.exe
PID 3032 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\JXyjCEb.exe
PID 3032 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\bmefGLk.exe
PID 3032 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\kownHma.exe
PID 3032 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\WLlHtwr.exe
PID 3032 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\CGjjUKF.exe
PID 3032 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\MsVNxAu.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe"

C:\Windows\System\yiBMOCx.exe

C:\Windows\System\yiBMOCx.exe

C:\Windows\System\NMrLQBr.exe

C:\Windows\System\NMrLQBr.exe

C:\Windows\System\xlEMjvZ.exe

C:\Windows\System\xlEMjvZ.exe

C:\Windows\System\jemfwWm.exe

C:\Windows\System\jemfwWm.exe

C:\Windows\System\KswJVcP.exe

C:\Windows\System\KswJVcP.exe

C:\Windows\System\HtIRPNF.exe

C:\Windows\System\HtIRPNF.exe

C:\Windows\System\xseSgMX.exe

C:\Windows\System\xseSgMX.exe

C:\Windows\System\yhOdUgN.exe

C:\Windows\System\yhOdUgN.exe

C:\Windows\System\pLSanqK.exe

C:\Windows\System\pLSanqK.exe

C:\Windows\System\KbZupFW.exe

C:\Windows\System\KbZupFW.exe

C:\Windows\System\JnoaVqQ.exe

C:\Windows\System\JnoaVqQ.exe

C:\Windows\System\qxaCrsH.exe

C:\Windows\System\qxaCrsH.exe

C:\Windows\System\APadUiD.exe

C:\Windows\System\APadUiD.exe

C:\Windows\System\WuFGDKS.exe

C:\Windows\System\WuFGDKS.exe

C:\Windows\System\BdtlnXv.exe

C:\Windows\System\BdtlnXv.exe

C:\Windows\System\JXyjCEb.exe

C:\Windows\System\JXyjCEb.exe

C:\Windows\System\bmefGLk.exe

C:\Windows\System\bmefGLk.exe

C:\Windows\System\kownHma.exe

C:\Windows\System\kownHma.exe

C:\Windows\System\WLlHtwr.exe

C:\Windows\System\WLlHtwr.exe

C:\Windows\System\CGjjUKF.exe

C:\Windows\System\CGjjUKF.exe

C:\Windows\System\MsVNxAu.exe

C:\Windows\System\MsVNxAu.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 18:19

Reported

2024-06-08 18:22

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\xlEMjvZ.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\HtIRPNF.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\yhOdUgN.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\pLSanqK.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\kownHma.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\NMrLQBr.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\jemfwWm.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\xseSgMX.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\JnoaVqQ.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\qxaCrsH.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\WuFGDKS.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\JXyjCEb.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\WLlHtwr.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\MsVNxAu.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\yiBMOCx.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\KswJVcP.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\KbZupFW.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\APadUiD.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\bmefGLk.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\BdtlnXv.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
File created C:\Windows\System\CGjjUKF.exe C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3192 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\yiBMOCx.exe
PID 3192 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\yiBMOCx.exe
PID 3192 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\NMrLQBr.exe
PID 3192 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\NMrLQBr.exe
PID 3192 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\xlEMjvZ.exe
PID 3192 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\xlEMjvZ.exe
PID 3192 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\jemfwWm.exe
PID 3192 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\jemfwWm.exe
PID 3192 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\KswJVcP.exe
PID 3192 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\KswJVcP.exe
PID 3192 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\HtIRPNF.exe
PID 3192 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\HtIRPNF.exe
PID 3192 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\xseSgMX.exe
PID 3192 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\xseSgMX.exe
PID 3192 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\yhOdUgN.exe
PID 3192 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\yhOdUgN.exe
PID 3192 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\pLSanqK.exe
PID 3192 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\pLSanqK.exe
PID 3192 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\KbZupFW.exe
PID 3192 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\KbZupFW.exe
PID 3192 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\JnoaVqQ.exe
PID 3192 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\JnoaVqQ.exe
PID 3192 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\qxaCrsH.exe
PID 3192 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\qxaCrsH.exe
PID 3192 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\APadUiD.exe
PID 3192 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\APadUiD.exe
PID 3192 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\WuFGDKS.exe
PID 3192 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\WuFGDKS.exe
PID 3192 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\BdtlnXv.exe
PID 3192 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\BdtlnXv.exe
PID 3192 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\JXyjCEb.exe
PID 3192 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\JXyjCEb.exe
PID 3192 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\bmefGLk.exe
PID 3192 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\bmefGLk.exe
PID 3192 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\kownHma.exe
PID 3192 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\kownHma.exe
PID 3192 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\WLlHtwr.exe
PID 3192 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\WLlHtwr.exe
PID 3192 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\CGjjUKF.exe
PID 3192 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\CGjjUKF.exe
PID 3192 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\MsVNxAu.exe
PID 3192 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe C:\Windows\System\MsVNxAu.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe"

C:\Windows\System\yiBMOCx.exe

C:\Windows\System\yiBMOCx.exe

C:\Windows\System\NMrLQBr.exe

C:\Windows\System\NMrLQBr.exe

C:\Windows\System\xlEMjvZ.exe

C:\Windows\System\xlEMjvZ.exe

C:\Windows\System\jemfwWm.exe

C:\Windows\System\jemfwWm.exe

C:\Windows\System\KswJVcP.exe

C:\Windows\System\KswJVcP.exe

C:\Windows\System\HtIRPNF.exe

C:\Windows\System\HtIRPNF.exe

C:\Windows\System\xseSgMX.exe

C:\Windows\System\xseSgMX.exe

C:\Windows\System\yhOdUgN.exe

C:\Windows\System\yhOdUgN.exe

C:\Windows\System\pLSanqK.exe

C:\Windows\System\pLSanqK.exe

C:\Windows\System\KbZupFW.exe

C:\Windows\System\KbZupFW.exe

C:\Windows\System\JnoaVqQ.exe

C:\Windows\System\JnoaVqQ.exe

C:\Windows\System\qxaCrsH.exe

C:\Windows\System\qxaCrsH.exe

C:\Windows\System\APadUiD.exe

C:\Windows\System\APadUiD.exe

C:\Windows\System\WuFGDKS.exe

C:\Windows\System\WuFGDKS.exe

C:\Windows\System\BdtlnXv.exe

C:\Windows\System\BdtlnXv.exe

C:\Windows\System\JXyjCEb.exe

C:\Windows\System\JXyjCEb.exe

C:\Windows\System\bmefGLk.exe

C:\Windows\System\bmefGLk.exe

C:\Windows\System\kownHma.exe

C:\Windows\System\kownHma.exe

C:\Windows\System\WLlHtwr.exe

C:\Windows\System\WLlHtwr.exe

C:\Windows\System\CGjjUKF.exe

C:\Windows\System\CGjjUKF.exe

C:\Windows\System\MsVNxAu.exe

C:\Windows\System\MsVNxAu.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
IE 52.111.236.23:443 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp

Files

memory/3192-0-0x00007FF613880000-0x00007FF613BD4000-memory.dmp

memory/3192-1-0x0000027734C60000-0x0000027734C70000-memory.dmp

memory/4616-8-0x00007FF6062D0000-0x00007FF606624000-memory.dmp

C:\Windows\System\yiBMOCx.exe

MD5 1ba083a7f2c6891bd94cd0c533160ba2
SHA1 89dfeff30edef71bbbac348935a28a432488ffc3
SHA256 d2f1ecab8335cc7a10e5c6db167ad5c065769f0782e7e9263e4d5e37faaa468f
SHA512 bd684237c0dc9f5cf46263cb208faf41365be97bd358cb9b2683b07f020c09dddf11f3382e7275e245eccbfc1fbed7544111f7fee1a210fd482a6777b1d722c9

C:\Windows\System\NMrLQBr.exe

MD5 9aa5086bd87c6cc79699df1f51aec170
SHA1 f22ae6f61dab488763d51d3bc4d6fe37cdc57820
SHA256 447df6b84a46015733a17108e24353882b4aac59c6e0e8d2faaa320f5ed009db
SHA512 323ed91d058823e2ffc05b8f23e347e756233251b65d95b51f1a0c9cb9de541b952d919dc146de554b52d6604fd1b0b9fd6042a44353a16389cc7c4c52ee5e65

C:\Windows\System\xlEMjvZ.exe

MD5 ed02b89c7d69de80757182fb4f11c926
SHA1 e487caeec3f8ae1e40d2131e20b8355712e8e055
SHA256 1815189b1e7709d9f041f6632195c751cf4f3ce9a359936f185dcb00bb2b30c1
SHA512 3ffedb1557c128a6907ac769ee3573a290125d733861d2b1cc62d86a51389a27f6ed5f08effd3053b9e2c4bef363371bb099b423afe023722f19b5627726a92d

memory/3784-20-0x00007FF6DBB70000-0x00007FF6DBEC4000-memory.dmp

C:\Windows\System\jemfwWm.exe

MD5 f8d51ea8ef81cb8e2c910e38cf520ff2
SHA1 e14f5a4f5be9ac0eabfaa0da8e4a81c433c9514e
SHA256 d358504d9148166954fb1c5b432bf94b8f373f4a6ec626a393a7d920105d35d2
SHA512 ea72662a7577979c38417e762373cb8854c55676581165a4a8699f1e06463791962af710152033243e20baba8082dfa01e2818f9ade7f167c9576230a474bb3c

memory/3640-22-0x00007FF603080000-0x00007FF6033D4000-memory.dmp

C:\Windows\System\KswJVcP.exe

MD5 00280c8a750d57fc26397a1265d4eff9
SHA1 837aa7eee353e5135b0fca7fe2f63fa2eeda93a3
SHA256 a7fb3adbcc41e8e46463c064c0ee86058800276ec2704c1ea2ce79725ef26e80
SHA512 629c36e9ff33a976344afc6bcb511491a745863189cc81e8702879867d66596467156f8759d3126bba73586372b9dcd2aef21aae69f2dfb3dbd8de703f668ffc

memory/4104-32-0x00007FF762520000-0x00007FF762874000-memory.dmp

memory/4980-27-0x00007FF667270000-0x00007FF6675C4000-memory.dmp

C:\Windows\System\HtIRPNF.exe

MD5 663bd147529495dac4cdbc9d22358ada
SHA1 799270247c632a2c8023001bcb0272bff5056fd3
SHA256 b9b48c68646d8b47ace6c0d4e13a45b89ddefbb1d550fc75249d0733db358ff7
SHA512 ac6cc42128616d93a28860ebe0e74bc3ec184ab5d1b4fe368a7db8d8bd8909f63b2d917f3756ca5c5daed80464014f5ef6b30d850e57f47d6e8f1530187a873a

C:\Windows\System\xseSgMX.exe

MD5 320a73e0c3d0b87c4b1a43917ef4fe0a
SHA1 ac0b5b1fe70b6a07048152f5dc0741cce6995416
SHA256 f8c0426fb320fdf2277772347fd2a79c99ad8cf81c12df24fa755ae8a13b7817
SHA512 e991730f3f760020bbac138f204c1f24026011d3ee82ebad82c15a6f04b482d278ab6c66dc2b6fd4c746605e60cbe7d9ec5ad0f3fb31f941fc2c79c70d3fed18

C:\Windows\System\yhOdUgN.exe

MD5 710e760219f328fffa826e9783f1e475
SHA1 a4f65ccb320a071bb554b0243305db827a3db1ea
SHA256 75b71cba996c2f4aee08b9155c53d2b46120dcf96346fe7dc9c53fb31ea50167
SHA512 86359a05758c7b0b5ad7572c162e6d44957a2bfd0169053c8d9609ebd54b7ac9a39d419b2b60e8820ff3b63b571aee19eaa32c6824bfc855ed50ddb4221ae7dd

memory/3360-46-0x00007FF622630000-0x00007FF622984000-memory.dmp

C:\Windows\System\pLSanqK.exe

MD5 01508583b9d780d2d1269cf6ce6ccf42
SHA1 d7604386d1b670739144435c1890d32248e8eece
SHA256 981a6a4c7113153a837595cd66ffc33e87d37fbcfc359ab765831cfe707220cf
SHA512 8093cfcfa55a246ec6221ec3a3010ac78e18ff3d988c4e26b9e5f1c028514a22ef3a0bc12ec69f15cf9fc6dc9876a3b665fa09c32f7188a7937376ebc460ab59

C:\Windows\System\JnoaVqQ.exe

MD5 af190da7365024d502bae6a3e956e449
SHA1 2d9289d12b775792d61e43f78f790a7eb746f645
SHA256 1caf7f6269f51403c1a18da2fcb68cb73ad3957334f51a2cda80a53205dec0a5
SHA512 d8c381b328a678b91e56a53ca967e5a6105e950824183df2dbf4753f8ed30113dd9895ca7fc68a0ea20d32550365d04df5d4a3107369d264f9f9b05e95338aae

C:\Windows\System\qxaCrsH.exe

MD5 943a31aea717bc29f783cfbdfce652e5
SHA1 8a2ea19f2a322a71984cd6060eb09f5c82f185d6
SHA256 c4d86124b0ab9f2136e82f4a31689d84046e4440e7cc77e048e174f4ad80152c
SHA512 923e284bb52a462dd1f7b5b5f279ec34cfa8a77b84f16af17c86c1ad18f6908ef3cfc22763d8d7df8173624778b09fbd863b5196afe352620471512d55d7ac6f

memory/1620-71-0x00007FF7D8030000-0x00007FF7D8384000-memory.dmp

memory/4856-73-0x00007FF62FA40000-0x00007FF62FD94000-memory.dmp

memory/3420-74-0x00007FF719D90000-0x00007FF71A0E4000-memory.dmp

C:\Windows\System\APadUiD.exe

MD5 c9a63e49cce5a50bbc0793a253929a95
SHA1 3624c035d28b7f045b22bf4e5965080d64149f36
SHA256 50928ca0a5690611c5b4aed77a3307eb39882f2d52583ad2200426575203ebb8
SHA512 1f2495acc27a6e5761bb3321d9aeaef01cb37b5dc99fe91397d8e685d608497b46dc82880a1486e3736b782a3719b8f3509836846fb8bee77ca6a92b07f74a85

C:\Windows\System\BdtlnXv.exe

MD5 cc7927cc1fdceecb2462d15752f1cdb7
SHA1 a2ae203ae236ca32eb00c99a32b6b23fe11181c0
SHA256 f07e15e1d292f540895b66af479ff4e0f8aa4239f8b9605f2b3ae627254f49d8
SHA512 04b3449785d8ba9bee336b664f4777725420c4c7089803bc94064d0fee06e4de97a770bd936cc8941b5dc6df784ebb261919be73b315747dca09be4b07f15a2f

memory/996-92-0x00007FF6E00F0000-0x00007FF6E0444000-memory.dmp

memory/3800-91-0x00007FF7C2420000-0x00007FF7C2774000-memory.dmp

C:\Windows\System\WuFGDKS.exe

MD5 9065792727fe4dc41a9cf204745e23cd
SHA1 5ac11efe13e5eb55084d4079c00601a841fda25f
SHA256 269313352bcf965ac18734f56948d2bcdb90ceede8733775d3ad659546de07b4
SHA512 50a7a54d6721d07f4d4d673dddb3338c7c148847dca6bb44d947b0bd65cb305d101e73178a8129cd2902aad43eefa90711ca586e110566996d23feb8c11ac989

memory/3600-84-0x00007FF7F7960000-0x00007FF7F7CB4000-memory.dmp

memory/1416-72-0x00007FF745600000-0x00007FF745954000-memory.dmp

memory/3588-66-0x00007FF6820A0000-0x00007FF6823F4000-memory.dmp

memory/4492-63-0x00007FF74F030000-0x00007FF74F384000-memory.dmp

C:\Windows\System\KbZupFW.exe

MD5 7955c027b28985acab97352508ccc9f5
SHA1 92aa5f9b793c4da0fb9779a1419b106595abfddb
SHA256 e01a174e993fdc0c6578e994194a8b0fcd7c2958beadd14950ee880189e133cf
SHA512 36ea761d2c00ffb79f0cbbc15e8aa0a207987d0e0035a33d7e2814053483774f8826ac5da599cd423b6149a56b62056609faccab373f117d8e735dc3ead8af90

C:\Windows\System\bmefGLk.exe

MD5 5a675a8381c8ea8a6126d0f2284972bf
SHA1 3589b0e8b28bea062827cc936f3458689f3336cb
SHA256 2f97279681c7a7c3e22cdf125f0e23ce0728411d9f7b0771141220420fa98318
SHA512 af889d222664d125388d7cc2a73640d8f92e5174734c62b987e460c372291713b5e51680e250ccd5849da406a8ff377fb31b6e85ad750125940873b8089740a8

memory/4988-99-0x00007FF6661D0000-0x00007FF666524000-memory.dmp

memory/4616-117-0x00007FF6062D0000-0x00007FF606624000-memory.dmp

C:\Windows\System\CGjjUKF.exe

MD5 d0fc1dd04bd681a706e2512aec04f9cf
SHA1 f0c25636ea457192de521b881791cd91cdc65027
SHA256 78204ff3d23bf655092f5ea19f7474c040e3eabac4733f8b14fd0a213adeb839
SHA512 4d187b697e1943fa7793c37ec177cc2594f895689c85c53618f1c1174a2117afeeea281ebd54b29847724f44f5c48e3572d5cbad1998e19ecec92c87f83dc935

memory/1916-130-0x00007FF794BE0000-0x00007FF794F34000-memory.dmp

memory/3640-128-0x00007FF603080000-0x00007FF6033D4000-memory.dmp

memory/3864-127-0x00007FF600040000-0x00007FF600394000-memory.dmp

C:\Windows\System\MsVNxAu.exe

MD5 1e7f747cdbf4b1f9a1e6920407a12b3d
SHA1 f722c9192585ca11aa6ad7d7610aaa141aec0699
SHA256 eabdd18a08b46be02881d870c674786b288831f2c775fa41ab7dc7dc53d366a9
SHA512 4ad768141dfc14494e1f20a5c7fb090ea3f1dc1132e40ff9aeed6baf2195cf0d3c7b21e2aae4c04999e558198340a2e1d9673082420244985eda748d367aefc5

memory/4688-122-0x00007FF65B840000-0x00007FF65BB94000-memory.dmp

C:\Windows\System\WLlHtwr.exe

MD5 56c0beb71972e839d9ad59fedb03a2e8
SHA1 94d59782b5b87cfb72fbe627713e2a1b2923a959
SHA256 3d33d5d04247febc2919eed5174e6c3fa68068ea3dfb21049ab5d54d91495eba
SHA512 7591d416300ddebcd9fa2662eae610258cb4fd4bdef70c1a26368bd2e7e59c56f2fa6ef0cfb00f8c96ff52547363724fa03d25f10a171b0339b48bcee5191d6b

C:\Windows\System\kownHma.exe

MD5 eabe14c48e3c791d4cbc0e6c415672ae
SHA1 7df8ec95f0de2d8c67982ba1b026ddf8d818b3a8
SHA256 b22d4979c3c3ef63571ccd9b39821c9878ff3076b945bc3b5908c144e9a1a4fe
SHA512 ed2f547b24b8a43051b53fd304568b470b43e82da6a510915513bca10aadb9fd3ba725987d0498b189cb98e6121a43ffeb30862c0943d1b58a31436b7aead057

memory/3824-111-0x00007FF6B7790000-0x00007FF6B7AE4000-memory.dmp

memory/2900-105-0x00007FF635AC0000-0x00007FF635E14000-memory.dmp

memory/3192-104-0x00007FF613880000-0x00007FF613BD4000-memory.dmp

C:\Windows\System\JXyjCEb.exe

MD5 5d2ebc58bce4c6926e5d8079a862c028
SHA1 97a45abbdb144e8defd28a2dc82b5a981456bbc9
SHA256 2c230064c98710ca5df970957f1676703db2088417d708b59685f3171d65e7a9
SHA512 8f22a63aeec6240f4622e7b51651059bce5bf0a9faaea9007a7d60eb4de586971e19b43e2fa34b92d3e6e89f90f31e31abaa43bb6ac51caa8dea5d6457b5293c

memory/4492-131-0x00007FF74F030000-0x00007FF74F384000-memory.dmp

memory/3600-132-0x00007FF7F7960000-0x00007FF7F7CB4000-memory.dmp

memory/3800-133-0x00007FF7C2420000-0x00007FF7C2774000-memory.dmp

memory/4988-134-0x00007FF6661D0000-0x00007FF666524000-memory.dmp

memory/2900-135-0x00007FF635AC0000-0x00007FF635E14000-memory.dmp

memory/3824-136-0x00007FF6B7790000-0x00007FF6B7AE4000-memory.dmp

memory/3864-137-0x00007FF600040000-0x00007FF600394000-memory.dmp

memory/1916-138-0x00007FF794BE0000-0x00007FF794F34000-memory.dmp

memory/4616-139-0x00007FF6062D0000-0x00007FF606624000-memory.dmp

memory/3784-140-0x00007FF6DBB70000-0x00007FF6DBEC4000-memory.dmp

memory/3640-141-0x00007FF603080000-0x00007FF6033D4000-memory.dmp

memory/4980-142-0x00007FF667270000-0x00007FF6675C4000-memory.dmp

memory/4104-143-0x00007FF762520000-0x00007FF762874000-memory.dmp

memory/3360-144-0x00007FF622630000-0x00007FF622984000-memory.dmp

memory/4856-145-0x00007FF62FA40000-0x00007FF62FD94000-memory.dmp

memory/3420-146-0x00007FF719D90000-0x00007FF71A0E4000-memory.dmp

memory/4492-147-0x00007FF74F030000-0x00007FF74F384000-memory.dmp

memory/1620-149-0x00007FF7D8030000-0x00007FF7D8384000-memory.dmp

memory/3588-148-0x00007FF6820A0000-0x00007FF6823F4000-memory.dmp

memory/1416-150-0x00007FF745600000-0x00007FF745954000-memory.dmp

memory/3600-151-0x00007FF7F7960000-0x00007FF7F7CB4000-memory.dmp

memory/3800-152-0x00007FF7C2420000-0x00007FF7C2774000-memory.dmp

memory/996-153-0x00007FF6E00F0000-0x00007FF6E0444000-memory.dmp

memory/4988-154-0x00007FF6661D0000-0x00007FF666524000-memory.dmp

memory/2900-155-0x00007FF635AC0000-0x00007FF635E14000-memory.dmp

memory/3824-156-0x00007FF6B7790000-0x00007FF6B7AE4000-memory.dmp

memory/4688-157-0x00007FF65B840000-0x00007FF65BB94000-memory.dmp

memory/3864-158-0x00007FF600040000-0x00007FF600394000-memory.dmp

memory/1916-159-0x00007FF794BE0000-0x00007FF794F34000-memory.dmp