Analysis Overview
SHA256
d6879d9d7c03a49a4f8e32cf8c5a8ac7bf4d46d5b16e73b659a3720b1172c36c
Threat Level: Known bad
The file 4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike family
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-05-30 10:32
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-30 10:32
Reported: 2024-05-30 10:35
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 139s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\hIfpcCW.exe | N/A |
| N/A | N/A | C:\Windows\System\DJBNnUg.exe | N/A |
| N/A | N/A | C:\Windows\System\gZXoqDE.exe | N/A |
| N/A | N/A | C:\Windows\System\wHKkOvL.exe | N/A |
| N/A | N/A | C:\Windows\System\PUrJgtr.exe | N/A |
| N/A | N/A | C:\Windows\System\WxYXzaH.exe | N/A |
| N/A | N/A | C:\Windows\System\IMypdEL.exe | N/A |
| N/A | N/A | C:\Windows\System\popLwBp.exe | N/A |
| N/A | N/A | C:\Windows\System\johOSve.exe | N/A |
| N/A | N/A | C:\Windows\System\qELoguR.exe | N/A |
| N/A | N/A | C:\Windows\System\azEwTGd.exe | N/A |
| N/A | N/A | C:\Windows\System\SPOBPmF.exe | N/A |
| N/A | N/A | C:\Windows\System\VSBxQpJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jCvqfGx.exe | N/A |
| N/A | N/A | C:\Windows\System\jrlOeSH.exe | N/A |
| N/A | N/A | C:\Windows\System\uuquFxb.exe | N/A |
| N/A | N/A | C:\Windows\System\UwspsDL.exe | N/A |
| N/A | N/A | C:\Windows\System\jSzGcZW.exe | N/A |
| N/A | N/A | C:\Windows\System\PDoLcfj.exe | N/A |
| N/A | N/A | C:\Windows\System\iZDfuKW.exe | N/A |
| N/A | N/A | C:\Windows\System\VMSIIKz.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe"
C:\Windows\System\hIfpcCW.exe
C:\Windows\System\hIfpcCW.exe
C:\Windows\System\DJBNnUg.exe
C:\Windows\System\DJBNnUg.exe
C:\Windows\System\gZXoqDE.exe
C:\Windows\System\gZXoqDE.exe
C:\Windows\System\wHKkOvL.exe
C:\Windows\System\wHKkOvL.exe
C:\Windows\System\PUrJgtr.exe
C:\Windows\System\PUrJgtr.exe
C:\Windows\System\WxYXzaH.exe
C:\Windows\System\WxYXzaH.exe
C:\Windows\System\johOSve.exe
C:\Windows\System\johOSve.exe
C:\Windows\System\IMypdEL.exe
C:\Windows\System\IMypdEL.exe
C:\Windows\System\qELoguR.exe
C:\Windows\System\qELoguR.exe
C:\Windows\System\popLwBp.exe
C:\Windows\System\popLwBp.exe
C:\Windows\System\azEwTGd.exe
C:\Windows\System\azEwTGd.exe
C:\Windows\System\SPOBPmF.exe
C:\Windows\System\SPOBPmF.exe
C:\Windows\System\VSBxQpJ.exe
C:\Windows\System\VSBxQpJ.exe
C:\Windows\System\jCvqfGx.exe
C:\Windows\System\jCvqfGx.exe
C:\Windows\System\jrlOeSH.exe
C:\Windows\System\jrlOeSH.exe
C:\Windows\System\uuquFxb.exe
C:\Windows\System\uuquFxb.exe
C:\Windows\System\UwspsDL.exe
C:\Windows\System\UwspsDL.exe
C:\Windows\System\jSzGcZW.exe
C:\Windows\System\jSzGcZW.exe
C:\Windows\System\PDoLcfj.exe
C:\Windows\System\PDoLcfj.exe
C:\Windows\System\iZDfuKW.exe
C:\Windows\System\iZDfuKW.exe
C:\Windows\System\VMSIIKz.exe
C:\Windows\System\VMSIIKz.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2752-0-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2752-1-0x0000000000380000-0x0000000000390000-memory.dmp
\Windows\system\hIfpcCW.exe
| MD5 | 608d625cd92ce015886c048646707977 |
| SHA1 | 92dc05234f6f45a87077206688816177951ade9b |
| SHA256 | 1c27718d2a999923a4f228496eca8dcfb45a01e2168666fd971ee2439ab0859d |
| SHA512 | b092c57d5ff11b703f9a7af6f1cec9deb22a08d39f5e023b6d3f8251c0852098e3e771c8d927af0c71c440768143e85236ed8c62d5464a7c110da6610afc3d0b |
memory/2636-8-0x000000013FBC0000-0x000000013FF14000-memory.dmp
\Windows\system\DJBNnUg.exe
| MD5 | d434e03b55b214331144355f5135893e |
| SHA1 | 55efa42bf7a9bc563e312a4183899ee3f05e4fd9 |
| SHA256 | a3d60176ede7ae5ce8d1bdbfce13edb6739fee6c83a1a2fe55c425e5c096c751 |
| SHA512 | 3d388218822b016c4b6d067ff91832688ce02ebdfa944b98984404005b87e76c08df25b0141be4d20c3a7efe1d4309abe45443051b99c8d1ee37667d910c793a |
memory/2752-13-0x00000000021E0000-0x0000000002534000-memory.dmp
C:\Windows\system\gZXoqDE.exe
| MD5 | b87f8417c44767b6fc5101a4a2fb08a2 |
| SHA1 | 1257290347b232f7aab633a2c599995b68920d48 |
| SHA256 | d0cf52a1c24373e717213c347df68f3b46ded5f430f128740a66e3c980e06b6a |
| SHA512 | a0cf19acfd532a63fd1d3973962fa10d1af9b61b1376af3234fcb4e0286afdcd60a90d505e809bf4feb6e73ded07f5d7eb6a1aa6975f264bc6044602ae937a5c |
memory/2064-21-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2752-19-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2896-15-0x000000013F9E0000-0x000000013FD34000-memory.dmp
C:\Windows\system\wHKkOvL.exe
| MD5 | 5b4c8d3788aadc6976bb86df1c8bd58d |
| SHA1 | 60400cddc1f71639a2db07721f734462d5b5f0b0 |
| SHA256 | 522be0db8bd389dcffe9afdbda2c919f9f6ce31d6234d238c19ec2767c508b25 |
| SHA512 | 52ca50eb2e7bb4d45547180eb9eec1602d782ce072cb794d11edc36f40edab1bf25ca895805f2d42a0754a80b43c1d6fe93330f3226834f8d2773a7d8a8f06e6 |
memory/2752-27-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2988-29-0x000000013F420000-0x000000013F774000-memory.dmp
C:\Windows\system\PUrJgtr.exe
| MD5 | dc8cec3cb1c9056662694d1a9246aeab |
| SHA1 | 2d7a4a5cd531fa262744e9c1f503f0be63babc3f |
| SHA256 | cc9511552921f8250c43503f5c6a577ed88f7d6e3552e9ff1fb057e8fb51e655 |
| SHA512 | e8024eaf4fd58f7bef1db658a0847299672bba6349e4110188d9f89ac51ea2fe4c59c5786f2ccb0cf9fab469c3893c50a0a29708052efef97e942944ee13b238 |
memory/2752-35-0x00000000021E0000-0x0000000002534000-memory.dmp
C:\Windows\system\WxYXzaH.exe
| MD5 | 5cdd8ddfe0eaaa6e59a9a0a76fc0bec2 |
| SHA1 | 617811b30d54cd930bd194dea03bcf18ccd15599 |
| SHA256 | aa39d7f0690ddda03600daaeb4fb2be009cc84ee1d8144ead2be8527f9453291 |
| SHA512 | 7772054f27a0089ed8053796a0f3143baa3cba42165108f28f8c7b38f35cf26f1dacfd7081c5484a2b1d8197c0f9f06e1353a3def906410ee39220b3a3117183 |
memory/2588-47-0x000000013F880000-0x000000013FBD4000-memory.dmp
C:\Windows\system\popLwBp.exe
| MD5 | 63c5fb0f1818b41fbaa425c7dc20975b |
| SHA1 | e8f551197fee0f193273b805c0d3e8bb12d430c3 |
| SHA256 | 5fcdc508e1e6bb711803c37ac2ecfdbc2d47397b75a4f97b9094b6bbaa1a8535 |
| SHA512 | 9ddc62f36c75e75f08cd95dd4599aa3d6a8ce0bec11928119a3784899c54056abb6047201df0ffadcfc40c5a03b2aa7c4c73035f32eeb1b49db62cfbfb523079 |
memory/2752-62-0x000000013FF60000-0x00000001402B4000-memory.dmp
\Windows\system\SPOBPmF.exe
| MD5 | 56597ca5babfa03a2b1c6c27241cf7c4 |
| SHA1 | f408cf0e9a8dcdad91fbcde6832548e548ce52fc |
| SHA256 | a0c77481d1d9911e6be8686a9813bb38bee62e5ee6582f0abd8788a25f7e6c6b |
| SHA512 | c38331b6c14c52dd96976e3c0c662e6ce4e5456f88236db9263805f50c5014c60d051ae4e988de783ef24ab08fcef7317dca9ff9191d521738e7d86305b9fca9 |
memory/2516-67-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2184-69-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2880-70-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2752-71-0x000000013FF80000-0x00000001402D4000-memory.dmp
C:\Windows\system\qELoguR.exe
| MD5 | 2f7a571c54fe2f391bdff1aa139d22bf |
| SHA1 | eea6c74dbb4325f899c77184580038a2d3259ee5 |
| SHA256 | 54e892fccc0c39b35f13aed31c3e0224bea6d958dd45a28dbe67131dfbaacf02 |
| SHA512 | c9a38b7c9aec1687e21ba74c4c79bb0ac89b6fd46a5becd624a20cf136060607d0c02abeb89e00bfbd323040f21f7775de2cecee77bca867ad4b5cd9d17be2ae |
memory/2752-75-0x000000013FA80000-0x000000013FDD4000-memory.dmp
C:\Windows\system\azEwTGd.exe
| MD5 | 5044e4abaf9df4ac077761d9f68c8d93 |
| SHA1 | 3cb284809dfcca71c2904901a12f01918abd8036 |
| SHA256 | 210a973b65987d9fb6bd14d535889690576169364f572a05924e328bc1764aca |
| SHA512 | 8a3b4d0a1dde4748c51e7003cfcae330d7c0e71eec3dfd118341fe35319052fb68fd28216c1eceb940bcc7637f433e72e8cbfc99dfa18d3d5a2270bb1cf99b9a |
memory/2372-77-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2752-83-0x00000000021E0000-0x0000000002534000-memory.dmp
\Windows\system\jCvqfGx.exe
| MD5 | 8f982621ed7b837a9911b8aea563aef0 |
| SHA1 | 198e7ea53c44a5107a7d92f6806a9c5a4651fee8 |
| SHA256 | 6b9c27288fe0cacd89f8d9c032534ef464ac90047637b6beb4105bc4245b86d7 |
| SHA512 | 833e00ec240996fcb8622de6b5865d02946d74116a35451778bd001853b25fddb3e33d79b5d00ee15c29e78c69dbbc4db0a994f84538e145bfde3c320b64f94d |
memory/2336-92-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2752-106-0x00000000021E0000-0x0000000002534000-memory.dmp
C:\Windows\system\PDoLcfj.exe
| MD5 | 0bd0972d68836478ec279e3769ca2fbc |
| SHA1 | 3238fcb0f0607f8eb15b46acd3d7ead58b878f45 |
| SHA256 | 17cba79ad15cd13de991f6d59e2e5bb3028c3ec61c2d6ae82b0205f2735a59b3 |
| SHA512 | af5c6d3581e883d3d990ee0c0eb8a904333c407d5d0db8dc8100328c3ab56544ef68d8234cf9006cbecb6f6b8b4b99a9d54d0332932897e4c0be24365981f38a |
\Windows\system\VMSIIKz.exe
| MD5 | 86fb12e9a6a4768ba57b27a107fc2b50 |
| SHA1 | 545a976e030068a201e95508b5ba294a2fe45a66 |
| SHA256 | 07b6622a4a9a36824a2c4cdb6b698c67d37c5313ce6b4b9099532d1c41c3a9cd |
| SHA512 | 93387d80cbbc341c43f5ba32fa4324d53e9e0a57528b06b84dab97701e24689afe5f81cea1a0a044d03da5262b63c1add59f088d6d75150bb72a9a4253b81f55 |
C:\Windows\system\iZDfuKW.exe
| MD5 | 2603ce07a797bc94bc41ef9e3352c0aa |
| SHA1 | 9ad5fc50fb65f84aa64a1a32297296ded96943d6 |
| SHA256 | de8b7a2145d81df21af9cb10ee1a8821f13cbd32f2b2de8c9375ea1121749b25 |
| SHA512 | 4383710c4b0cf2d76146f49664d438fe002669c6a3daff3263df8da5d9cb462c54b4985de7ee26d3f84ae5d03aeec0cf636e30b8295187a412d1d6e212891472 |
C:\Windows\system\jSzGcZW.exe
| MD5 | 1782d614ede20e0dd95f410724c2c152 |
| SHA1 | a2f9e199778203aca8c347f5ea70dcba6345a54b |
| SHA256 | 4f62249adeaaef6f30cdc4f831326b1c23ea3624fd8667e9545a3f5da8739ef2 |
| SHA512 | 491d5af5d0a945958c77aeee43d2319275bcd0c8a81ec9893195de27b9eba8cce2847bcd06f3c5f309a2fdb64eb291156441f8683132ca8ede1f8db58573dbee |
C:\Windows\system\UwspsDL.exe
| MD5 | 2ee1aa8537061d75f5f1a98706cc52b5 |
| SHA1 | 2276f2e428c550387872893a765c3815a1dfe508 |
| SHA256 | 64b4bc62a4cc8ddf9171215b4ce9542cac08228d296e9b7a6fb23d8926c7bb7b |
| SHA512 | 0c5202ba5782827ae53d0f4b501c29526818f689b46f1dd8f7c4fd4a03dfbff741798093888543b2028cf61d915a3c73eba701d8a58c8dba99f626154c524835 |
memory/2988-139-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2476-141-0x000000013F820000-0x000000013FB74000-memory.dmp
memory/2752-140-0x00000000021E0000-0x0000000002534000-memory.dmp
memory/2752-138-0x000000013F420000-0x000000013F774000-memory.dmp
C:\Windows\system\jrlOeSH.exe
| MD5 | 21bee2d705cc53f68e66f4110fadc3e1 |
| SHA1 | 332fe8caa1425c779182c3db4302f2f32bee3f5b |
| SHA256 | 6ea7c58453ed713181ab6a659f73e670db826b8f31a444c46022c8b3677d9649 |
| SHA512 | 09dce00d8dd2e49eaba0478d033521c44fb8c046853bec473d084c81fd70b108839a09b56351a07f22e88770252babe511dfcbd0e5b14dcfc993ec1104bfa976 |
memory/2588-105-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2064-104-0x000000013F5E0000-0x000000013F934000-memory.dmp
C:\Windows\system\uuquFxb.exe
| MD5 | 7fa95706921cc0ed6d343d56a089df97 |
| SHA1 | f32eac17ad9ca813b632b27057162fc0522c24b7 |
| SHA256 | 44f296971c28ef02eea0441ea1a892661659ba03eccb23cd52be34277bdf8fd4 |
| SHA512 | fcb469ca19a078299c97466d9a9a14b1153f6df1a9dcd16f39a8a86e8a0db1fbd399023fac3402fc7b7c8e9620df7f8b9144855e1b35f0d06c135cabe647a7db |
C:\Windows\system\VSBxQpJ.exe
| MD5 | ffba5c976f969a8476f803c01c17ed11 |
| SHA1 | b7975cf4aab617ee1be3d15760a4440e0aef84fe |
| SHA256 | 3dee86d5538a3e02a3dd6370ec28be04d4f3d16de6d7592e11babb47d7204c86 |
| SHA512 | 0912e2351c93503cd998a8f3cefa1a05cd698d1323e35b5959d5a75b052179c84ee74ac8ce108281c2b61fdc08a3aef5d7b28dc84d582707b01def255f738d38 |
memory/2752-87-0x00000000021E0000-0x0000000002534000-memory.dmp
memory/2896-86-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1012-98-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2752-97-0x000000013F4C0000-0x000000013F814000-memory.dmp
C:\Windows\system\IMypdEL.exe
| MD5 | f6708935c2f5bac273554d8208fa3e8c |
| SHA1 | c028f3759c2db6d95089921caf8e86ae97b18d77 |
| SHA256 | 8e3e83e61fb16dd8d46a3297a10600926db35655b1c6cb1f7b9243ee9560ce21 |
| SHA512 | 3df3dc92e8939748a989f7b3dfced397e74c39ef83e256de06403409f5818eaef32d24a7619504103c3717934a210d8d231fc89195a6f53e1ba881aab1dabbc8 |
memory/2752-84-0x00000000021E0000-0x0000000002534000-memory.dmp
memory/2388-76-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/2752-72-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2752-68-0x000000013F260000-0x000000013F5B4000-memory.dmp
C:\Windows\system\johOSve.exe
| MD5 | 3a5e7550a878423a3ea3614b23520e80 |
| SHA1 | a8fc9bd82632bc2428715084781b1f13373758e0 |
| SHA256 | 77cfc32e0f1292b990d0b5fbc23c0609dbb85b360aaff2dc0147714efcca5e74 |
| SHA512 | 535d948b08f9e88da096502f8cffdb93042a964d545f8a207adbcd024c1a1e9263a230d0bee005ee7022c174820f3d2ef2ff065e6ecac7f4668992a794d6bace |
memory/2752-142-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/2476-56-0x000000013F820000-0x000000013FB74000-memory.dmp
memory/2752-54-0x00000000021E0000-0x0000000002534000-memory.dmp
memory/2388-143-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/2372-144-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2420-145-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2752-146-0x00000000021E0000-0x0000000002534000-memory.dmp
memory/2336-147-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2752-148-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/1012-149-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2752-150-0x00000000021E0000-0x0000000002534000-memory.dmp
memory/2636-151-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2896-152-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2064-153-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2988-154-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2588-155-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2516-156-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2184-157-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2476-158-0x000000013F820000-0x000000013FB74000-memory.dmp
memory/2880-159-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2372-160-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2388-161-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/2420-162-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2336-163-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/1012-164-0x000000013F4C0000-0x000000013F814000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-30 10:32
Reported: 2024-05-30 10:34
Platform: win10v2004-20240426-en
Max time kernel: 139s
Max time network: 147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UjmLOzA.exe | N/A |
| N/A | N/A | C:\Windows\System\hRbFXrX.exe | N/A |
| N/A | N/A | C:\Windows\System\EGKUqFj.exe | N/A |
| N/A | N/A | C:\Windows\System\vIDdzXF.exe | N/A |
| N/A | N/A | C:\Windows\System\gAvmjoB.exe | N/A |
| N/A | N/A | C:\Windows\System\NvGUnvK.exe | N/A |
| N/A | N/A | C:\Windows\System\vMshxAC.exe | N/A |
| N/A | N/A | C:\Windows\System\ecxxhfV.exe | N/A |
| N/A | N/A | C:\Windows\System\iXlYHKR.exe | N/A |
| N/A | N/A | C:\Windows\System\edgNUkd.exe | N/A |
| N/A | N/A | C:\Windows\System\hofRLqy.exe | N/A |
| N/A | N/A | C:\Windows\System\SPfDbNO.exe | N/A |
| N/A | N/A | C:\Windows\System\DlguYTF.exe | N/A |
| N/A | N/A | C:\Windows\System\iZRXGtc.exe | N/A |
| N/A | N/A | C:\Windows\System\wiCghTk.exe | N/A |
| N/A | N/A | C:\Windows\System\BntWUUY.exe | N/A |
| N/A | N/A | C:\Windows\System\OlNxAOq.exe | N/A |
| N/A | N/A | C:\Windows\System\uZorvmr.exe | N/A |
| N/A | N/A | C:\Windows\System\hbYPQYD.exe | N/A |
| N/A | N/A | C:\Windows\System\OpwMGAK.exe | N/A |
| N/A | N/A | C:\Windows\System\bmnklaT.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4032db4f21d30a62270723f46fc1c7b0_NeikiAnalytics.exe"
C:\Windows\System\UjmLOzA.exe
C:\Windows\System\UjmLOzA.exe
C:\Windows\System\hRbFXrX.exe
C:\Windows\System\hRbFXrX.exe
C:\Windows\System\EGKUqFj.exe
C:\Windows\System\EGKUqFj.exe
C:\Windows\System\gAvmjoB.exe
C:\Windows\System\gAvmjoB.exe
C:\Windows\System\vIDdzXF.exe
C:\Windows\System\vIDdzXF.exe
C:\Windows\System\NvGUnvK.exe
C:\Windows\System\NvGUnvK.exe
C:\Windows\System\vMshxAC.exe
C:\Windows\System\vMshxAC.exe
C:\Windows\System\ecxxhfV.exe
C:\Windows\System\ecxxhfV.exe
C:\Windows\System\iXlYHKR.exe
C:\Windows\System\iXlYHKR.exe
C:\Windows\System\edgNUkd.exe
C:\Windows\System\edgNUkd.exe
C:\Windows\System\hofRLqy.exe
C:\Windows\System\hofRLqy.exe
C:\Windows\System\SPfDbNO.exe
C:\Windows\System\SPfDbNO.exe
C:\Windows\System\DlguYTF.exe
C:\Windows\System\DlguYTF.exe
C:\Windows\System\iZRXGtc.exe
C:\Windows\System\iZRXGtc.exe
C:\Windows\System\wiCghTk.exe
C:\Windows\System\wiCghTk.exe
C:\Windows\System\BntWUUY.exe
C:\Windows\System\BntWUUY.exe
C:\Windows\System\OlNxAOq.exe
C:\Windows\System\OlNxAOq.exe
C:\Windows\System\uZorvmr.exe
C:\Windows\System\uZorvmr.exe
C:\Windows\System\OpwMGAK.exe
C:\Windows\System\OpwMGAK.exe
C:\Windows\System\hbYPQYD.exe
C:\Windows\System\hbYPQYD.exe
C:\Windows\System\bmnklaT.exe
C:\Windows\System\bmnklaT.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1064-0-0x00007FF6BA5C0000-0x00007FF6BA914000-memory.dmp
memory/1064-1-0x00000200D61B0000-0x00000200D61C0000-memory.dmp
C:\Windows\System\UjmLOzA.exe
| MD5 | bbef2b1fff6de28b1646fbf7d8d2fb86 |
| SHA1 | 7ad57874594741f8259e551aba0d52417a52f99b |
| SHA256 | d6dda0339af07b1f897118fe18cce0a63df07fb76ed802bc70deebdd580d023f |
| SHA512 | 133f2481fdad852a2e94154a590f053dc0ebc7d84469bb49ab65d0b31a0af48deb5795545d1f7292ca76dda5b8f129cc8acf9255fec2f10ca4c912a4ed4503e1 |
C:\Windows\System\hRbFXrX.exe
| MD5 | 896357033ac53bed107b3980247ffa27 |
| SHA1 | 33ba89ec0b08e1ecf44deba44a037a62c5c98543 |
| SHA256 | 05b942cafabcaa6a722c5ca34788e0c14494ff2f0208ab11cf6d8330c70e5c10 |
| SHA512 | 01c961a2bd538e69daadecf1ca13bd58b139e1d019a8c6c55b9ac5ad6754de729263990f46c749d7f13c8f634dbf3a840d249956429695ffcbaf34a5d89fafd9 |
memory/1340-7-0x00007FF7809C0000-0x00007FF780D14000-memory.dmp
C:\Windows\System\EGKUqFj.exe
| MD5 | b2eec5f54a940167d42f73e3e79ca904 |
| SHA1 | f5058c0b1c9209e21040cce37f28e36715b52b74 |
| SHA256 | 3b18623a66cd30e3abc2e7258b26f5f82e74f04a723787379a7e3cb60bfff05e |
| SHA512 | e363da73e7dada330ea82979cf90f5737d5893da323b835fbdbe3278ac3df30834f99cae85de0a4bd695d42a000c4d941f431194e800350e50b21fee9dd8307f |
C:\Windows\System\vIDdzXF.exe
| MD5 | a5d253671dc0e958985e00df5e551738 |
| SHA1 | be551fad8f0515f3fef35cb114921ebd208b41d7 |
| SHA256 | 2196e6ae3839e80e4a94f21e1cf24ad64d3b950a607fb7b14a153749b2eb3139 |
| SHA512 | cbbfd108171c4ba0eac6ae7b20722a5dd655b4491af2127eae236b9d54cfe1ccc3f9b2dbcbc24e444d1a81f6f428cbd15f542c61a345cd5990dc0f6b68a275b0 |
memory/612-30-0x00007FF769700000-0x00007FF769A54000-memory.dmp
memory/744-33-0x00007FF608E90000-0x00007FF6091E4000-memory.dmp
C:\Windows\System\NvGUnvK.exe
| MD5 | fd3bf98c4c25c6df8950c5d99a30edf9 |
| SHA1 | fef34ec0b45ea4b00e38e917ad12e7c8cca29592 |
| SHA256 | 1fe192396799c11ba1f9a3e700ffd0ae2352c05511fdc8b37b124dc0f2cb4fec |
| SHA512 | 9096e7161302ea6e552aa29d78fbc1932f02a4e7f45c0f06749597f8af277cf63c4501b0ec27a62161d37a445720aab91f1ccd162cd4b4300cf5c753c38ecbc0 |
memory/1872-41-0x00007FF77EFE0000-0x00007FF77F334000-memory.dmp
C:\Windows\System\vMshxAC.exe
| MD5 | 9d8ccefec711f620ce2f0c10d3d38c4a |
| SHA1 | 77aeea42d8dba25ba5320c8444f4e5dc2b5328eb |