Analysis Overview
SHA256
b9163a6081b4fe5ff7b0ea12b2fa12849ed0834e891f50276e78900e23caafc0
Threat Level: Known bad
The file b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Cobaltstrike family
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-01 13:58
Signatures
Cobalt Strike reflective loader
Entries: 1 (description, indicator, process and target not extracted)
Cobaltstrike family
XMRig Miner payload
Entries: 1 (description, indicator, process and target not extracted)
Xmrig family
UPX packed file
Entries: 1 (description, indicator, process and target not extracted)
Unsigned PE
Entries: 1 (description, indicator, process and target not extracted)
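The static1 pass reports "UPX packed file" and "Unsigned PE" but records no indicator details. The following is an added example, not code from the sandbox or from the sample, that reproduces those two checks from the PE headers alone and adds the two checks that still fire when a UPX stub has been renamed: a section with virtual size but no raw bytes, and a section whose raw bytes are near-maximum entropy. It runs against a constructed PE32+ image built in memory, so the section names, sizes and the missing security directory are assumptions of the example, not measurements of this sample.

```python
"""Static pre-detonation triage for the indicators flagged in static1:
UPX-style section names, high-entropy (packed) sections, a UPX-like
layout (a section with virtual size but no raw data) and the absence of
an Authenticode security directory.  Standard library only."""
import math
import random
import struct
from collections import Counter

SECTION_HEADER_SIZE = 40
SECURITY_DIRECTORY_INDEX = 4      # IMAGE_DIRECTORY_ENTRY_SECURITY
PE32PLUS_MAGIC = 0x20B


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +0x70 in PE32+ and +0x60 in PE32.
    dir_base = opt + (0x70 if magic == PE32PLUS_MAGIC else 0x60)
    _, sec_size = struct.unpack_from("<II", data, dir_base + 8 * SECURITY_DIRECTORY_INDEX)
    sections = []
    table = opt + opt_size
    for i in range(n_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, table + i * SECTION_HEADER_SIZE)
        raw = data[rptr:rptr + rsize] if rsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rsize,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"pe32plus": magic == PE32PLUS_MAGIC, "signed": sec_size > 0,
            "sections": sections}


def triage(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Signature-free checks; a renamed UPX stub still trips the entropy
    and layout tests even though the section-name test goes quiet."""
    info = parse_pe(data)
    secs = info["sections"]
    return {
        "upx_sections": [s["name"] for s in secs if s["name"].upper().startswith("UPX")],
        "high_entropy": [s["name"] for s in secs
                         if s["raw_size"] and s["entropy"] >= entropy_threshold],
        "packed_layout": any(s["raw_size"] == 0 and s["virtual_size"] > 0 for s in secs),
        "unsigned": not info["signed"],
    }


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE32+ that mimics a UPX layout: UPX0 has
    virtual size but no raw bytes, UPX1 carries pseudo-random (high-entropy)
    bytes, .rsrc is zeros, and no security directory is present."""
    rng = random.Random(1)
    upx1 = bytes(rng.getrandbits(8) for _ in range(4096))
    rsrc = b"\0" * 512
    n_sections, opt_size, pe_off = 3, 0xF0, 0x80
    headers_end = pe_off + 4 + 20 + opt_size + n_sections * SECTION_HEADER_SIZE
    raw_base = (headers_end + 0x1FF) & ~0x1FF          # 512-byte file alignment
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, n_sections, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)

    def hdr(name, vsize, vaddr, rsize, rptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr,
                           0, 0, 0, 0, 0xE0000040)

    table = (hdr(b"UPX0", 0x30000, 0x1000, 0, 0)
             + hdr(b"UPX1", len(upx1), 0x31000, len(upx1), raw_base)
             + hdr(b".rsrc", len(rsrc), 0x33000, len(rsrc), raw_base + len(upx1)))
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (raw_base - len(image)) + upx1 + rsrc


if __name__ == "__main__":
    print(triage(build_sample_pe()))
    # {'upx_sections': ['UPX0', 'UPX1'], 'high_entropy': ['UPX1'], 'packed_layout': True, 'unsigned': True}
```

Two caveats when applying this to a real sample: "signed" here only means a security directory exists, so a present-but-invalid or revoked certificate still passes; validating the chain is a job for WinVerifyTrust or signtool. And the section-name test is the weakest of the four, because UPX section names are trivially renamed; the entropy and layout tests are the ones worth alerting on.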
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 13:58
Reported
2024-06-01 14:01
Platform
win7-20240508-en
Max time kernel
145s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Entries: 21 (description, indicator, process and target not extracted)
Cobaltstrike
xmrig
XMRig Miner payload
Entries: 64 (description, indicator, process and target not extracted)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CXeLslW.exe | N/A |
| N/A | N/A | C:\Windows\System\fQKyHwH.exe | N/A |
| N/A | N/A | C:\Windows\System\bEOJOjv.exe | N/A |
| N/A | N/A | C:\Windows\System\AeOfgOz.exe | N/A |
| N/A | N/A | C:\Windows\System\vGzWCLa.exe | N/A |
| N/A | N/A | C:\Windows\System\spVphMq.exe | N/A |
| N/A | N/A | C:\Windows\System\eiLPTmA.exe | N/A |
| N/A | N/A | C:\Windows\System\xZCoEhc.exe | N/A |
| N/A | N/A | C:\Windows\System\CGaMeuf.exe | N/A |
| N/A | N/A | C:\Windows\System\AyUXNGG.exe | N/A |
| N/A | N/A | C:\Windows\System\AVIjevm.exe | N/A |
| N/A | N/A | C:\Windows\System\uHWTOcw.exe | N/A |
| N/A | N/A | C:\Windows\System\XmSnFXW.exe | N/A |
| N/A | N/A | C:\Windows\System\lErXsTb.exe | N/A |
| N/A | N/A | C:\Windows\System\nhSdKsa.exe | N/A |
| N/A | N/A | C:\Windows\System\spdhnBC.exe | N/A |
| N/A | N/A | C:\Windows\System\BdTkTZJ.exe | N/A |
| N/A | N/A | C:\Windows\System\SKJjNsm.exe | N/A |
| N/A | N/A | C:\Windows\System\bhXhZaC.exe | N/A |
| N/A | N/A | C:\Windows\System\EfGwMyN.exe | N/A |
| N/A | N/A | C:\Windows\System\sHEaJTm.exe | N/A |
Loads dropped DLL
UPX packed file
Entries: 61 (description, indicator, process and target not extracted)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe"
C:\Windows\System\CXeLslW.exe
C:\Windows\System\CXeLslW.exe
C:\Windows\System\fQKyHwH.exe
C:\Windows\System\fQKyHwH.exe
C:\Windows\System\bEOJOjv.exe
C:\Windows\System\bEOJOjv.exe
C:\Windows\System\AeOfgOz.exe
C:\Windows\System\AeOfgOz.exe
C:\Windows\System\vGzWCLa.exe
C:\Windows\System\vGzWCLa.exe
C:\Windows\System\spVphMq.exe
C:\Windows\System\spVphMq.exe
C:\Windows\System\eiLPTmA.exe
C:\Windows\System\eiLPTmA.exe
C:\Windows\System\xZCoEhc.exe
C:\Windows\System\xZCoEhc.exe
C:\Windows\System\CGaMeuf.exe
C:\Windows\System\CGaMeuf.exe
C:\Windows\System\AyUXNGG.exe
C:\Windows\System\AyUXNGG.exe
C:\Windows\System\AVIjevm.exe
C:\Windows\System\AVIjevm.exe
C:\Windows\System\uHWTOcw.exe
C:\Windows\System\uHWTOcw.exe
C:\Windows\System\XmSnFXW.exe
C:\Windows\System\XmSnFXW.exe
C:\Windows\System\lErXsTb.exe
C:\Windows\System\lErXsTb.exe
C:\Windows\System\nhSdKsa.exe
C:\Windows\System\nhSdKsa.exe
C:\Windows\System\spdhnBC.exe
C:\Windows\System\spdhnBC.exe
C:\Windows\System\BdTkTZJ.exe
C:\Windows\System\BdTkTZJ.exe
C:\Windows\System\SKJjNsm.exe
C:\Windows\System\SKJjNsm.exe
C:\Windows\System\bhXhZaC.exe
C:\Windows\System\bhXhZaC.exe
C:\Windows\System\EfGwMyN.exe
C:\Windows\System\EfGwMyN.exe
C:\Windows\System\sHEaJTm.exe
C:\Windows\System\sHEaJTm.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
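The behavioral1 signatures and tables give a detection engineer three things to turn into rules: twenty-one 7-letter EXEs executed from C:\Windows\System\, the sample enabling SeLockMemoryPrivilege (XMRig requests it so RandomX can back its dataset with large pages), and repeated TCP connections to 3.120.209.58:8080. The following is an added example, not from the sandbox report or the sample, that runs those rules plus a fan-out correlation over constructed telemetry modelled on the process tree above. The event field names, the explorer.exe parent and the SQL Server allowlist entry are assumptions of the example.

```python
r"""Hunting rules built from the behavioral1 run: a parent that fans out
random 7-letter EXEs under C:\Windows\System\, a process enabling
SeLockMemoryPrivilege, and outbound TCP to the 3.120.209.58:8080 endpoint
the sandbox observed.  Events are dicts shaped like Sysmon process-create
and network-connect records and Security 4703 token-adjust records."""
import re
from collections import Counter, defaultdict

C2_ENDPOINTS = {("3.120.209.58", 8080)}          # from the Network table above
DROPPED_EXE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
# Hypothetical allowlist: SQL Server legitimately enables SeLockMemoryPrivilege.
LOCKMEM_ALLOWLIST = {r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe"}
FANOUT_THRESHOLD = 3


def hunt(events):
    """Return one finding per rule hit; the fan-out rule correlates across events."""
    findings = []
    children = defaultdict(list)
    for ev in events:
        image = ev["image"].lower()
        if ev["type"] == "process_create" and DROPPED_EXE.match(image):
            findings.append({"rule": "dropped_exe_in_windows_system",
                             "image": ev["image"], "detail": f"parent={ev['parent']}"})
            children[ev["parent"].lower()].append(ev["image"])
        elif (ev["type"] == "token_adjust"
              and ev["privilege"] == "SeLockMemoryPrivilege"
              and image not in LOCKMEM_ALLOWLIST):
            findings.append({"rule": "selockmemory_enabled", "image": ev["image"],
                             "detail": "large-page setup outside the allowlist"})
        elif (ev["type"] == "net_connect"
              and (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS):
            findings.append({"rule": "known_c2_endpoint", "image": ev["image"],
                             "detail": f"{ev['dst_ip']}:{ev['dst_port']}/{ev['proto']}"})
    for parent, kids in children.items():
        if len(kids) >= FANOUT_THRESHOLD:
            findings.append({"rule": "dropper_fanout", "image": parent,
                             "detail": f"{len(kids)} dropped EXEs: {', '.join(kids)}"})
    return findings


def summarize(findings):
    """Rule name -> hit count, for a quick triage view."""
    return dict(Counter(f["rule"] for f in findings))


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe"
# Constructed telemetry modelled on the behavioral1 process tree; the
# explorer.exe parent is assumed.  The svchost, sqlservr and conhost
# records are benign noise that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": SAMPLE, "parent": r"C:\Windows\explorer.exe"},
    {"type": "token_adjust", "image": SAMPLE, "privilege": "SeLockMemoryPrivilege"},
    {"type": "process_create", "image": r"C:\Windows\System\CXeLslW.exe", "parent": SAMPLE},
    {"type": "process_create", "image": r"C:\Windows\System\fQKyHwH.exe", "parent": SAMPLE},
    {"type": "process_create", "image": r"C:\Windows\System\bEOJOjv.exe", "parent": SAMPLE},
    {"type": "net_connect", "image": SAMPLE, "dst_ip": "3.120.209.58", "dst_port": 8080, "proto": "tcp"},
    {"type": "net_connect", "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp"},
    {"type": "token_adjust", "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", "privilege": "SeLockMemoryPrivilege"},
    {"type": "process_create", "image": r"C:\Windows\System32\conhost.exe", "parent": SAMPLE},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['rule']:32} {f['image']}  ({f['detail']})")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

In production telemetry process_create maps to Sysmon Event ID 1, net_connect to Sysmon Event ID 3 and token_adjust to Security Event ID 4703 (Windows 10 / Server 2016 and later, audited under Policy Change). The IP rule is the weakest of the four: the sandbox saw that endpoint on 2024-06-01, and an address can be recycled, so expire it rather than keeping it forever and rely on the behavioral rules for durable coverage.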
Files
memory/2244-0-0x0000000000170000-0x0000000000180000-memory.dmp
memory/2244-1-0x000000013F660000-0x000000013F9B4000-memory.dmp
\Windows\system\CXeLslW.exe
| MD5 | f719572011f96f9c598ab63e33c3410b |
| SHA1 | 2af0dbfc35eef5e8a312830bd977775eee1f68ea |
| SHA256 | cbf9587d4609345164b3cb0b8095591fe6899ea01e2afc7c5cb5605c3504d4a9 |
| SHA512 | 3eadf3c416945482f07cfbdfbe5f12c0133d56802c6cd3c66f768e8fe14c74f3f7529c088b03184cf1a9041d0a9dd825062026bec60cd12dc1eca84ce8b08a4f |
memory/2244-8-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2296-9-0x000000013FD50000-0x00000001400A4000-memory.dmp
\Windows\system\fQKyHwH.exe
| MD5 | cb49710d16197e3d7b829f20c48e2f8e |
| SHA1 | 7cf4774f091478ef208f80d7373b7c0b0078e3f7 |
| SHA256 | 3814b46a13b6a1eadbe414c1f3a1a9c7dea2d34083d5abdc6b04e4bb26881690 |
| SHA512 | fce86ab65eabaaf52fdbb6da6de87a85ea547534c98dc17e4b7399527c4d88aa533083920d0743966987d2af68307f89adb49cf285840d98cc35c6ce635dc145 |
memory/2932-14-0x000000013FA80000-0x000000013FDD4000-memory.dmp
C:\Windows\system\bEOJOjv.exe
| MD5 | 550c822aad7492868a2ac2836791a0d6 |
| SHA1 | 503211b6959c332cf606a848c1ca5eaca341381d |
| SHA256 | 4b4ecccfc4e5477e57666cab08f8018a8e384343701972ff0a7d1485e9708be2 |
| SHA512 | b4ae8b6bd4c42095c1316df8549ef05068c062ca6be0d47a78a48ae33cf69802c62349fa5003773dc4362052e3464dc6c2a6a05144169eda1da460197a7003f2 |
memory/2212-22-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2244-20-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2200-29-0x000000013FCC0000-0x0000000140014000-memory.dmp
\Windows\system\spVphMq.exe
| MD5 | a1db6fa5eec0148b49eff06a9cffe2f5 |
| SHA1 | 31cc5424bc4e7f0a3c006424cacae9f73748f0b0 |
| SHA256 | a4815f5d241fa7c79b68852e76d4271e24f8064ec5708c3dc3d5c7eab05242b0 |
| SHA512 | 3cf8aadb40cd6fe7f21e03bdc0a2e8678834a97fb4f9c3019c34244b66e1760d46485a9c4c91c4d265feaaaca475c4bda9f9583c7c42d1730db145fd2cf62987 |
memory/2224-43-0x000000013FD50000-0x00000001400A4000-memory.dmp
C:\Windows\system\vGzWCLa.exe
| MD5 | ccdf0639613dd6384424af746f8b44f7 |
| SHA1 | df7070366b5bf1e68f2640432cfb44e425a833c5 |
| SHA256 | 05a9eb1ecdf6463c7f506eee12a7343b3355e7ca2684e7ca2fcebfe69f0e9d1a |
| SHA512 | 6097f16d51c9a0fc88466190ba69bb9dec01274b959a6ab8cecce6f747c458c36dadf9670f29252565dfd6da3bc5741453e634b9a42bf22b1c063c694244c690 |
memory/2244-55-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/1280-56-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2244-70-0x000000013FDB0000-0x0000000140104000-memory.dmp
C:\Windows\system\lErXsTb.exe
| MD5 | 980c095adc4f78ce87aa2e00df5c3baf |
| SHA1 | 6e1c93b07e8532eb359ce7cf54b1a02bf0ca91a7 |
| SHA256 | 4de7195fd26e1f3d061674717d5bb939103b5d9aa2f744cd81f75c6ad1f56c1e |
| SHA512 | a0640bead7964da7e7f41cd2212b9809780fcf6cb4f70135249ce7d870c581a36edbc2cb0f5b98439f2090ec481382e7a49acd10fe8348b518a7b0cab4908ee4 |
C:\Windows\system\bhXhZaC.exe
| MD5 | 2386254c438d02dff6496e29e5c57f45 |
| SHA1 | 27288d1edb5fbce47dc90d4cd9236797b0bea27c |
| SHA256 | cb42f49e25c7cff0d01d4ce3de552ec6b787ec6b4b44e3b9e30d9b6bf7a9d0d0 |
| SHA512 | 8a40d7c86a310cd91bef3da2ec00d75f4f9a2dd7c0ccadd75c6547add5abadf5e2dd425ea4340fef94dbc19529fc6fad69b13803c424b3082f36e5b5f77d1044 |
\Windows\system\sHEaJTm.exe
| MD5 | 00f77b8828f6f763955b73086b0adf83 |
| SHA1 | 6978052f226275cd22dbbf2c7bf28a11f649cb3a |
| SHA256 | 2b745acc4cbb7eee88706e37a56c6ec071e0de5d453133fc0862c572e1e3a9f5 |
| SHA512 | 1d96f4c77273ca997cba9e61e5fedbffbe7f2c933d398dd42c7073989769e27a2adca3337df0e8acaf177d8797eb2b2790adfad5758d974e7165a172d64d91b2 |
C:\Windows\system\EfGwMyN.exe
| MD5 | 6707b096a6996c5fa0d8d3e078a067c7 |
| SHA1 | f7445df74cfe6b71b2d07f3d899e281e263325c9 |
| SHA256 | 47c29511b915ee5f76cddead6a8318618e75d9479331a61ae4b5d22eeefd0c9e |
| SHA512 | d573bd48d0093276faed0fc38f9ae729d103fbdecd536051a61be39e602377d02b4937c5a6ba0f00997c06cba51ca2bfa10f25b1b828ade928666321c08f09f3 |
C:\Windows\system\SKJjNsm.exe
| MD5 | e701668f2fa9a493878cae6455b2725d |
| SHA1 | 7cb284edac27d8b28c06b1719abf44ca14e2297d |
| SHA256 | e4d4a251d5db4f98abe5bf27014154e405c60f616cfdcfabe22e2114b49abfb4 |
| SHA512 | 79edcd00140448fae3a35ce30596d1f90dd3bd428ed6d7066c5fc6c7ba1ec5a4ca456986ef9a6194a810286998c1a278c49d8b432a647b2dc1de9ef60ab4b432 |
C:\Windows\system\BdTkTZJ.exe
| MD5 | 57943791f27b3fe7f9747aefff235904 |
| SHA1 | 6854f20e23bfdddd91b8f1e952063f5b0085a741 |
| SHA256 | f1858dbaed10db4a966fb6e1b38aad72b3956d7ca609e553b5786ab16329fd01 |
| SHA512 | 39f2ce317922429fe21ac24f66558adf7279d7a440f0c47382255ca6b76ab78d9d54e846a0cff6ae203b49d61a1fd51149d63522d407722fe9372a45e9990ebb |
C:\Windows\system\spdhnBC.exe
| MD5 | 1fc57c70cecca5662c4eb39a33260bec |
| SHA1 | f138602488e1dd52be6b5b901b88d15f151d6d04 |
| SHA256 | b8d921661df154e3c05691bcdf369631aeed53fcf46a83cfb2c8be7509045743 |
| SHA512 | a64005a7028508832cda440ccbd09f2a791b04dd2ea1e06b2b4eb9a6c7d21b27d4375fd9f1682f881b0b061771ae816ddf912f1be72fa48ecd3348ddab6cb980 |
memory/2244-107-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2708-139-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2224-106-0x000000013FD50000-0x00000001400A4000-memory.dmp
C:\Windows\system\nhSdKsa.exe
| MD5 | 9f60d13b2fd466c7ab5c754c30be95fd |
| SHA1 | 281b67e347fe3350cb53d648c11ee2517e179c0e |
| SHA256 | 330d7c5f0dd48f2a900ccbc66966cee3f8b0d15c10d45ac7c085615400f03c48 |
| SHA512 | 149d747950ddd1f328de7047815fc085cc6d48cbc8a377425603b4e145516827ca23ac2c694fe96b1b48ebf08536331e82972bcf0618cbb8bafcd4c33c82464b |
memory/1316-101-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2244-100-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2956-94-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2244-93-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/3060-92-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2244-91-0x000000013F280000-0x000000013F5D4000-memory.dmp
C:\Windows\system\XmSnFXW.exe
| MD5 | 46fb8b2d7a0bfc8e96ddf972953eff84 |
| SHA1 | a536597ce1d655fc309b355dc7f54959780fdd07 |
| SHA256 | 2032a662276c066904b349fdb64425441c4c27e97e26e61d9cadb0af2dbebc4b |
| SHA512 | 6e7af812817e10df87daa1647d96209b147d70b77c8118545ed542d7ec5db208b57a3c777e504aca60fcb060072ec01f13222355f3fe20e101fd74ba7175e4fa |
memory/2548-84-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2244-83-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/1736-78-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2244-77-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2212-76-0x000000013F880000-0x000000013FBD4000-memory.dmp
C:\Windows\system\uHWTOcw.exe
| MD5 | 0d4e6bde391c910b0ab6fbb993576712 |
| SHA1 | b6bf57d610a935bd2699e4366444e304ef433adc |
| SHA256 | 979549aa0f0eb6f20b42e19b23366208ec1b16eff2e260ad7d89cb84b4e4ce81 |
| SHA512 | 4b86adc21944d1cb3431ce7bdb89b21d290110d363f2b530011ddd291f098480c0e30a907e5ff5fcc6cf43d3d58de2a6576f859f6ec5d76fbaca318f61da43cb |
C:\Windows\system\AVIjevm.exe
| MD5 | fc2b1f32ff395ab6e782d2d81ce8100c |
| SHA1 | c0863aa37ce82c391d2627a3fd69f36ec008abc3 |
| SHA256 | a6f6b651dec97f93fd0256282d62cdbaf6b68c523807295a07e19f6e709ad64b |
| SHA512 | abb78a1ff1857ba307e9745b28ef1690132fe68f338b844b417fcadb3bb2fad018712234a0c3861d18dc833c9dfd1f93523cb5a39928f21dc6a91ab290b7272d |
memory/2772-62-0x000000013FDF0000-0x0000000140144000-memory.dmp
C:\Windows\system\CGaMeuf.exe
| MD5 | ae92c5e0cb14473b5f722196dac973e6 |
| SHA1 | 551e9b8cf1fb878d868c8e2fdf0ea78593755857 |
| SHA256 | a6b8870e8ced6873a27c58e02392355664c75d5a16e174b2cfdbe7c75bf8bf7f |
| SHA512 | 92761f55dbf8f29034788b30f2825efbe5da2c5e1177c4a74a3de514206df831ac413a055ef57174612c45b1ec2f15ae4dec1df5eb99b02d75fca39f3b71160a |
memory/2980-71-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2932-69-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2708-49-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2244-48-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\eiLPTmA.exe
| MD5 | 4044878c35664fc583419f80b9874a9e |
| SHA1 | cc00eb710aa795922011e1cdee68415522be5676 |
| SHA256 | fd7cc0c4f8042ebf0138c8cdbe9baf4a2e8007bd1c241c97ad306fdd8e047c53 |
| SHA512 | b2e56043a90481a477c9b73a18e374f7a9d94560c65eba532ced120f95260ddad0b86a808cede59cf7fb195c0c21c5197521be824d732da2c9cd8a0c5d5bbbb4 |
C:\Windows\system\AyUXNGG.exe
| MD5 | 7f6e66ce4e251940a8ac93ba3be5a379 |
| SHA1 | d4168688fe196d13becd09d80e5e760b020b0cec |
| SHA256 | 3efa397d0218cd8138b9a327c4f3daf1ae10d5c4b7ed0c01fd04cc0a9e8c09c7 |
| SHA512 | 319f00e9616a7127300129d6ddc1948e8fca726a42b5d3f5a09e004b65494c7b116fd5ee25df048239d932507e137f7a494234f11a2c399e76e0939aee591e36 |
C:\Windows\system\xZCoEhc.exe
| MD5 | d56005d27ddda7af30f944ede235589a |
| SHA1 | f09f1d4c16dd19fd3a0f05e866dd3e66f5f9a103 |
| SHA256 | 892dd01fb87fbbd44d05caa58d4c9efb62e33c1f56c2e00bfab55934a493416b |
| SHA512 | b0cc3fa301c681649613b7fba35ecb9c344b65c29fb51b6d42980ebf8a026b9cc0dda29c8db093988b49c6804f98b714db4ed9bb4aeb56c1620a7f0885bf6417 |
memory/2244-33-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2244-39-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/3060-38-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2244-28-0x000000013FCC0000-0x0000000140014000-memory.dmp
C:\Windows\system\AeOfgOz.exe
| MD5 | dd622464ee2b48f3e936098190d1e70e |
| SHA1 | 5b1db8ab9614ecc89ad4bcc32b1a50ae4627c211 |
| SHA256 | 73315827cd2e16c078ab57e6e9207f01e88eb84647ba560262f70e2b2696e7a4 |
| SHA512 | 8c0477ee68d8c6b6661c75e73358a7bfed8f1dcf27307e1266c8ac21c25d367c25f0ffa462704cf77f66e713385a2f16f2ffd0a3dde8ef1fad499e8ec0238960 |
memory/2772-140-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2244-141-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2244-142-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/1736-143-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2548-144-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2956-145-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2244-146-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/1316-147-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2244-148-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2296-149-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2932-150-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2212-151-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2200-152-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/3060-153-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2224-154-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/1280-155-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2708-156-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2772-157-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2980-158-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/1736-159-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2548-160-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2956-161-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/1316-162-0x000000013FEB0000-0x0000000140204000-memory.dmp
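The Files list above mixes dropped-file hash tables with memory dump artifacts whose names encode a PID, a sequence number and a virtual address range. The following is an added example, not part of the sandbox report, that parses those names, groups dumps by region size and lists the child PIDs whose dumped region start also appears in a dump from the parent PID. The name layout is an assumption about the sandbox's naming; the dump names embedded below are copied from the behavioral1 Files list, and every region there other than the first 0x10000-byte one is exactly 0x354000 bytes.

```python
"""Parse memory/<pid>-<seq>-<start>-<end>-memory.dmp artifact names, group
them by region size and owning PID, and find child regions that the parent
also had dumped at the same start address."""
import re
from collections import defaultdict
from typing import NamedTuple

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


class Dump(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Dump:
    m = DUMP_NAME.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    return Dump(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def pids_by_region_size(names):
    """Region size -> sorted PIDs that had a dump of exactly that size."""
    groups = defaultdict(set)
    for d in map(parse_dump_name, names):
        groups[d.size].add(d.pid)
    return {size: sorted(pids) for size, pids in sorted(groups.items())}


def child_bases_seen_in_parent(names, parent_pid):
    """Child PID -> region start that the parent also had dumped at the same
    address.  This is a lead to check against the WriteProcessMemory
    signature in a debugger, not proof of injection: the report records no
    target details for that signature."""
    dumps = list(map(parse_dump_name, names))
    parent_starts = {d.start for d in dumps if d.pid == parent_pid}
    shared = {}
    for d in dumps:
        if d.pid != parent_pid and d.start in parent_starts:
            shared[d.pid] = d.start
    return shared


# Copied from the behavioral1 Files list (subset).
BEHAVIORAL1_DUMPS = [
    "memory/2244-0-0x0000000000170000-0x0000000000180000-memory.dmp",
    "memory/2244-1-0x000000013F660000-0x000000013F9B4000-memory.dmp",
    "memory/2244-8-0x000000013FD50000-0x00000001400A4000-memory.dmp",
    "memory/2296-9-0x000000013FD50000-0x00000001400A4000-memory.dmp",
    "memory/2932-14-0x000000013FA80000-0x000000013FDD4000-memory.dmp",
    "memory/2212-22-0x000000013F880000-0x000000013FBD4000-memory.dmp",
    "memory/2244-20-0x00000000022F0000-0x0000000002644000-memory.dmp",
    "memory/2200-29-0x000000013FCC0000-0x0000000140014000-memory.dmp",
    "memory/2244-33-0x000000013F280000-0x000000013F5D4000-memory.dmp",
    "memory/3060-38-0x000000013F280000-0x000000013F5D4000-memory.dmp",
]

if __name__ == "__main__":
    for size, pids in pids_by_region_size(BEHAVIORAL1_DUMPS).items():
        print(f"0x{size:X} bytes: PIDs {pids}")
    print({pid: hex(start) for pid, start in
           child_bases_seen_in_parent(BEHAVIORAL1_DUMPS, 2244).items()})
```

The uniform 0x354000-byte region across the parent and every child PID is what you would expect when each dropped EXE is the same image written under a different random name, which matches the "Executes dropped EXE" list; the 0x10000-byte region in PID 2244 is a small private allocation, not an image. Treat the parent/child address overlaps as a pointer to where to set breakpoints, not as a finding on their own.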
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 13:58
Reported
2024-06-01 14:01
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
153s
Signatures
Cobalt Strike reflective loader
Entries: 21 (description, indicator, process and target not extracted)
Cobaltstrike
xmrig
XMRig Miner payload
Entries: 64 (description, indicator, process and target not extracted)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MUvJoGA.exe | N/A |
| N/A | N/A | C:\Windows\System\gZqGOqa.exe | N/A |
| N/A | N/A | C:\Windows\System\UXAyGPF.exe | N/A |
| N/A | N/A | C:\Windows\System\ilATiCQ.exe | N/A |
| N/A | N/A | C:\Windows\System\rriHOAS.exe | N/A |
| N/A | N/A | C:\Windows\System\HhIFXJb.exe | N/A |
| N/A | N/A | C:\Windows\System\IgvLvzU.exe | N/A |
| N/A | N/A | C:\Windows\System\BDSkvDw.exe | N/A |
| N/A | N/A | C:\Windows\System\ADJNeEd.exe | N/A |
| N/A | N/A | C:\Windows\System\raUFpTp.exe | N/A |
| N/A | N/A | C:\Windows\System\PMAyzYX.exe | N/A |
| N/A | N/A | C:\Windows\System\mZJiOTE.exe | N/A |
| N/A | N/A | C:\Windows\System\qLPWOoo.exe | N/A |
| N/A | N/A | C:\Windows\System\RcILLIi.exe | N/A |
| N/A | N/A | C:\Windows\System\cKYVMcO.exe | N/A |
| N/A | N/A | C:\Windows\System\bQvCZvC.exe | N/A |
| N/A | N/A | C:\Windows\System\SzpruHL.exe | N/A |
| N/A | N/A | C:\Windows\System\zftBplz.exe | N/A |
| N/A | N/A | C:\Windows\System\qVQTEfK.exe | N/A |
| N/A | N/A | C:\Windows\System\qtDiBnT.exe | N/A |
| N/A | N/A | C:\Windows\System\aoTjYAt.exe | N/A |
UPX packed file
Entries: 64 (description, indicator, process and target not extracted)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b7ae42e6243a00ac164e0295a5598290_NeikiAnalytics.exe"
C:\Windows\System\MUvJoGA.exe
C:\Windows\System\MUvJoGA.exe
C:\Windows\System\gZqGOqa.exe
C:\Windows\System\gZqGOqa.exe
C:\Windows\System\UXAyGPF.exe
C:\Windows\System\UXAyGPF.exe
C:\Windows\System\ilATiCQ.exe
C:\Windows\System\ilATiCQ.exe
C:\Windows\System\rriHOAS.exe
C:\Windows\System\rriHOAS.exe
C:\Windows\System\HhIFXJb.exe
C:\Windows\System\HhIFXJb.exe
C:\Windows\System\IgvLvzU.exe
C:\Windows\System\IgvLvzU.exe
C:\Windows\System\BDSkvDw.exe
C:\Windows\System\BDSkvDw.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3768,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
C:\Windows\System\ADJNeEd.exe
C:\Windows\System\ADJNeEd.exe
C:\Windows\System\raUFpTp.exe
C:\Windows\System\raUFpTp.exe
C:\Windows\System\PMAyzYX.exe
C:\Windows\System\PMAyzYX.exe
C:\Windows\System\mZJiOTE.exe
C:\Windows\System\mZJiOTE.exe
C:\Windows\System\qLPWOoo.exe
C:\Windows\System\qLPWOoo.exe
C:\Windows\System\RcILLIi.exe
C:\Windows\System\RcILLIi.exe
C:\Windows\System\cKYVMcO.exe
C:\Windows\System\cKYVMcO.exe
C:\Windows\System\bQvCZvC.exe
C:\Windows\System\bQvCZvC.exe
C:\Windows\System\zftBplz.exe
C:\Windows\System\zftBplz.exe
C:\Windows\System\SzpruHL.exe
C:\Windows\System\SzpruHL.exe
C:\Windows\System\qVQTEfK.exe
C:\Windows\System\qVQTEfK.exe
C:\Windows\System\qtDiBnT.exe
C:\Windows\System\qtDiBnT.exe
C:\Windows\System\aoTjYAt.exe
C:\Windows\System\aoTjYAt.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2208-0-0x00007FF720220000-0x00007FF720574000-memory.dmp
memory/2208-1-0x0000021484F20000-0x0000021484F30000-memory.dmp
memory/4196-10-0x00007FF6461D0000-0x00007FF646524000-memory.dmp
memory/2956-12-0x00007FF7FF3E0000-0x00007FF7FF734000-memory.dmp
C:\Windows\System\gZqGOqa.exe
| MD5 | 068ba5bc4589847d930f6b206f9b5ff0 |
| SHA1 | 44cd2e826248ca947155b071cba8a85b833dfd90 |
| SHA256 | 40552a571df73e4c395c7ec657e3104a27d1605faf9fba81f8909cd33648c383 |
| SHA512 | 6ea1b8872e0f06ca3bed5e5f5e69721b6172fac1a869264ae210a90dd17df69c8fff9a01b133de4cb4b88843dab7e267c29201fa7fc653deaaa4be5218f16e7b |
C:\Windows\System\MUvJoGA.exe
| MD5 | c2f739618d0a5e4a9db5f6ba7e912c03 |
| SHA1 | d754582276439aaba30425eab2df171bf9128730 |
| SHA256 | 51cb3e55c0406efeb88ac8cddffec2f2170bd2e74f98c53fba625850dbb3cb2a |
| SHA512 | e7cefe3ed05c507938b0c4194cc8990c2380342971a74e990d313be49bbdc178c8750f04e8c0b222532ac95ffd936f8e9e987fdad63b96c31e2b96e28cb5e11f |
C:\Windows\System\UXAyGPF.exe
| MD5 | 034198fa4b0864c9a9f6248649fbe92f |
| SHA1 | c9ec49625706bdcd9682a4efa9566527b6d1c005 |
| SHA256 | 74332b70d4b3f02520b028e5b4efdb8a1ace0433533fe3f11807cf6b3cd935e8 |
| SHA512 | 6f041e8009928bca01a77ebe2f70026ac1cd0b4f077bb7fab8b23cda0e9a548b3f4c265be2b0222ec8473844618f88edcd094441ce1a6f96a64b60d9be82249a |
memory/8-18-0x00007FF7D03A0000-0x00007FF7D06F4000-memory.dmp
C:\Windows\System\ilATiCQ.exe
| MD5 | bd3d3ffa9edf3f19412d88c23279be86 |
| SHA1 | 9bac8b6724611674eb9ef8296ff9fa93927f999b |
| SHA256 | bf1c01e82a40aed71cbd13c875b3df5b401f28d718b3c0bd8b47c80a3294b5bd |