Analysis Overview
SHA256
f29e66ee2be3e0daabe3053d8d54ab2e82c502c9009d4f8beca0be55681efaab
Threat Level: Known bad
The file 13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobalt Strike reflective loader
Cobaltstrike family
xmrig
Xmrig family
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 16:17
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 16:17
Reported
2024-06-08 16:19
Platform
win7-20240508-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 matches; indicator, process and target not captured)
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 matches; indicator, process and target not captured)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\GQzgjbK.exe | N/A |
| N/A | N/A | C:\Windows\System\oIzCHmN.exe | N/A |
| N/A | N/A | C:\Windows\System\rfjxxRc.exe | N/A |
| N/A | N/A | C:\Windows\System\swYuLwA.exe | N/A |
| N/A | N/A | C:\Windows\System\hqWUxrZ.exe | N/A |
| N/A | N/A | C:\Windows\System\OiDOppc.exe | N/A |
| N/A | N/A | C:\Windows\System\nXVGyzj.exe | N/A |
| N/A | N/A | C:\Windows\System\wNzvhMC.exe | N/A |
| N/A | N/A | C:\Windows\System\nqRYbVm.exe | N/A |
| N/A | N/A | C:\Windows\System\cyOLuai.exe | N/A |
| N/A | N/A | C:\Windows\System\YSWigTx.exe | N/A |
| N/A | N/A | C:\Windows\System\JgvpQEi.exe | N/A |
| N/A | N/A | C:\Windows\System\dPAuMmU.exe | N/A |
| N/A | N/A | C:\Windows\System\yOOMcAL.exe | N/A |
| N/A | N/A | C:\Windows\System\XsMGdOL.exe | N/A |
| N/A | N/A | C:\Windows\System\moMTPYd.exe | N/A |
| N/A | N/A | C:\Windows\System\LBVdRdv.exe | N/A |
| N/A | N/A | C:\Windows\System\HXOgalD.exe | N/A |
| N/A | N/A | C:\Windows\System\JvMfNOH.exe | N/A |
| N/A | N/A | C:\Windows\System\mKiEWlD.exe | N/A |
| N/A | N/A | C:\Windows\System\JKuvdJs.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 matches; indicator, process and target not captured)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
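The signatures that carry detail in this run are enough for a host-based hunt: 21 executables with seven-letter names dropped into C:\Windows\System\ and each then executed, and SeLockMemoryPrivilege enabled by the parent. XMRig enables that privilege so it can back its hashing loop with large pages; few legitimate applications ever enable it (SQL Server's "Lock pages in memory" setting is the usual exception), which is why the sandbox flags the AdjustTokenPrivileges call. The Python below is an added example, not sandbox output or part of this report. It runs three rules over a constructed, simplified key=value event log: the EventID numbers follow Sysmon 1 (process create), Sysmon 11 (file create) and Security 4703 (user right adjusted), but the field layout, the `EnabledPrivilegeList` field name and the SQL Server allowlist entry are assumptions made for the example.

```python
import re

# Shape of every dropped executable in both detonations of this report:
# C:\Windows\System\<seven mixed-case letters>.exe  (e.g. GQzgjbK.exe, TqsKxeY.exe)
DROPPED_EXE_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# Privilege the sample enables (report: "Token: SeLockMemoryPrivilege"). XMRig asks for it
# to use large pages; almost no user-facing software does.
WATCHED_PRIVILEGES = {"SeLockMemoryPrivilege"}

# Hypothetical allowlist of images known to enable SeLockMemoryPrivilege legitimately.
ALLOWLIST = {r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe"}


def parse_event(line):
    """Parse one 'Key=Value Key=Value' line (assumed log shape) into a dict.
    Values may contain spaces; a new key starts only at whitespace followed by word=."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line.strip()))


def match_rules(ev):
    """Return the names of the hunting rules a single parsed event triggers."""
    hits = []
    eid = ev.get("EventID")
    if eid == "11" and DROPPED_EXE_RE.match(ev.get("TargetFilename", "")):
        hits.append("drop_random_exe_windows_system")      # "Drops file in Windows directory"
    if eid == "1" and DROPPED_EXE_RE.match(ev.get("Image", "")):
        hits.append("exec_random_exe_windows_system")      # "Executes dropped EXE"
    if eid == "4703":
        enabled = set(ev.get("EnabledPrivilegeList", "").split(","))
        proc = ev.get("ProcessName", "").lower()
        if enabled & WATCHED_PRIVILEGES and proc not in ALLOWLIST:
            hits.append("enable_lock_memory_privilege")    # "Suspicious use of AdjustPrivilegeToken"
    return hits


def hunt(log_text):
    """Run every rule over every non-empty line; return [(rule, event_dict), ...] in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in match_rules(ev):
            findings.append((rule, ev))
    return findings


def triage(findings):
    """Group the offending image per rule; all three rules firing together is this report's pattern."""
    by_rule = {}
    for rule, ev in findings:
        by_rule.setdefault(rule, []).append(ev.get("Image") or ev.get("ProcessName"))
    return by_rule


# Constructed sample log (not sandbox output); file names reuse those seen in this report.
SAMPLE_LOG = r"""
EventID=11 Image=C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe TargetFilename=C:\Windows\System\GQzgjbK.exe
EventID=1 Image=C:\Windows\System\GQzgjbK.exe ParentImage=C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe
EventID=4703 ProcessName=C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe EnabledPrivilegeList=SeLockMemoryPrivilege
EventID=11 Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiag.etl
EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe
EventID=4703 ProcessName=C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe EnabledPrivilegeList=SeLockMemoryPrivilege
"""

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_LOG):
        print(rule, "<-", ev.get("TargetFilename") or ev.get("Image") or ev.get("ProcessName"))
```

The first three sample lines trigger one rule each; the svchost and notepad lines trigger none, and the SQL Server line is suppressed by the allowlist. Tune the allowlist to your estate before deploying the 4703 rule, and keep the path rule strict: the seven-letter name in C:\Windows\System\ (not System32) is the feature that holds across both detonations.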
Processes
C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe"
C:\Windows\System\GQzgjbK.exe
C:\Windows\System\GQzgjbK.exe
C:\Windows\System\oIzCHmN.exe
C:\Windows\System\oIzCHmN.exe
C:\Windows\System\rfjxxRc.exe
C:\Windows\System\rfjxxRc.exe
C:\Windows\System\swYuLwA.exe
C:\Windows\System\swYuLwA.exe
C:\Windows\System\hqWUxrZ.exe
C:\Windows\System\hqWUxrZ.exe
C:\Windows\System\OiDOppc.exe
C:\Windows\System\OiDOppc.exe
C:\Windows\System\nXVGyzj.exe
C:\Windows\System\nXVGyzj.exe
C:\Windows\System\wNzvhMC.exe
C:\Windows\System\wNzvhMC.exe
C:\Windows\System\nqRYbVm.exe
C:\Windows\System\nqRYbVm.exe
C:\Windows\System\cyOLuai.exe
C:\Windows\System\cyOLuai.exe
C:\Windows\System\YSWigTx.exe
C:\Windows\System\YSWigTx.exe
C:\Windows\System\JgvpQEi.exe
C:\Windows\System\JgvpQEi.exe
C:\Windows\System\dPAuMmU.exe
C:\Windows\System\dPAuMmU.exe
C:\Windows\System\yOOMcAL.exe
C:\Windows\System\yOOMcAL.exe
C:\Windows\System\moMTPYd.exe
C:\Windows\System\moMTPYd.exe
C:\Windows\System\XsMGdOL.exe
C:\Windows\System\XsMGdOL.exe
C:\Windows\System\LBVdRdv.exe
C:\Windows\System\LBVdRdv.exe
C:\Windows\System\HXOgalD.exe
C:\Windows\System\HXOgalD.exe
C:\Windows\System\JvMfNOH.exe
C:\Windows\System\JvMfNOH.exe
C:\Windows\System\mKiEWlD.exe
C:\Windows\System\mKiEWlD.exe
C:\Windows\System\JKuvdJs.exe
C:\Windows\System\JKuvdJs.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2580-0-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/2580-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\GQzgjbK.exe
| MD5 | 6b383d5f107422c6b058654481ec76ac |
| SHA1 | a407a89f527ee7bf21bb9e61855892ae526d6925 |
| SHA256 | 3f5cc4f9234832b4f600de2846a9269cf691bd357d8cc07202a97f65a3511a6d |
| SHA512 | fbeefa85c721505b3fd8ec2112e0fd95f71526eb13781665aeb1b1aaf11601d7f4beb2ea92ded1adf4b7cf8a76a198a81232a1ecb794dc21b65c2ae445d57944 |
memory/2212-8-0x000000013F480000-0x000000013F7D4000-memory.dmp
\Windows\system\oIzCHmN.exe
| MD5 | 00ca85913cb26362a9cdd772942361ac |
| SHA1 | 05814d937475b4ef5aed57911c201bf24bfdbff1 |
| SHA256 | 3de677492e24edf10b6d649ff76f626d50b9d26c2c50c97e6ea591d350c2ef0b |
| SHA512 | eccc2bd1aa3b9e25fa13ef73e0cb2b8b9902e603b0d8b2b602d729277977b926e5d2700add5dce4a69d916bb3f56a4cd758db3cc7fce02fc389b860bcbc63d4d |
memory/2800-13-0x000000013FF00000-0x0000000140254000-memory.dmp
C:\Windows\system\rfjxxRc.exe
| MD5 | 1eeff0dba5b458c255efdb6833580ce5 |
| SHA1 | c0a28b57371b8608203753ce9fba89ece267fc67 |
| SHA256 | 6ee0ee7187c7be114212de31bcfb0830222ecdfb38d7b0d07a5e5908a2047f98 |
| SHA512 | 7b6f2682ca37a972de0842a8e1981870db81237c9ce1ea6a55146ab1c951d6c58001e2b835dc6e642eb5ef2f66b2260ecb4891a7f99c8824f215ac20dabe8d91 |
memory/2640-20-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2700-27-0x000000013F820000-0x000000013FB74000-memory.dmp
memory/2580-25-0x000000013F820000-0x000000013FB74000-memory.dmp
C:\Windows\system\OiDOppc.exe
| MD5 | 6c73a9ae5e2df7e08ed49f4a9bbc5210 |
| SHA1 | def015471d0feebae3b04c3109b7aa055dfaba51 |
| SHA256 | ff0d16b54c57b03ddd9917e804074e714aec9aa2e22d032fad3e18c51ef51fa5 |
| SHA512 | 61b97196e92f561a5cc109562caf81743fd0a1cbd727a9b3ad443c2ab63395db82d3b03aae117beb9e30c1d836c109119bc108068d3f036ac180fde8defd9973 |
memory/2580-38-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2628-39-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2648-34-0x000000013FC50000-0x000000013FFA4000-memory.dmp
C:\Windows\system\wNzvhMC.exe
| MD5 | c7fa63502267d0696fcc19b51eb9a8c4 |
| SHA1 | 63f65ae19a52d7a4838b9531b2c879fe71afdefe |
| SHA256 | 9b2650ec6ac2f5ac6a3fcbc203b200d58ad53b0be23e8792d58543a0b8b21953 |
| SHA512 | cf07a7ecc2f571652e0eec480927ce53c50d85a0b94d1b17e6f0eb831d0a89c582a30e622bfc6da2453c1ba182c7010dbf7b090dc942136de6bba67dd814ce7e |
memory/2748-53-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2668-59-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2500-64-0x000000013FA70000-0x000000013FDC4000-memory.dmp
C:\Windows\system\YSWigTx.exe
| MD5 | e1f846a5e907bdb0656e6b6fa735e7e8 |
| SHA1 | 9c16453d21573266776e3380dc621d53a6f9353b |
| SHA256 | 0849fd275dd19676a1433624f0985c667576963479b1b4bae392cf63afe98883 |
| SHA512 | c0132a52296c61274a4ae7c4712265685ab5f8f34bfd2cccdc2353b362e8274f043e68e1f8e64941cd0beb5f0f2cf02a1ad7b82e1ceee7d085cc78de7dcb0983 |
\Windows\system\JgvpQEi.exe
| MD5 | a2c5d922ae1031d3d32e002125bfbce6 |
| SHA1 | dbf0093662ff6d8579c6e58bff8501d22f551b87 |
| SHA256 | 760de03fd641d752a2ed5b50299d682569cf6e79d68b3a4da125cef2f258c661 |
| SHA512 | ecee1b9f4d6595e969f528836cf4e505f18e7d651932dafc8901a041ad790b9738c4032e44c4144ada8fb480640b907e56aba6545d99efa5b04209d073d6bb2b |
memory/2700-85-0x000000013F820000-0x000000013FB74000-memory.dmp
C:\Windows\system\yOOMcAL.exe
| MD5 | d928ce657cf2084416f7d962f39f3843 |
| SHA1 | 9ec858e1d84cb21da4ae12af9c125d30cfa8b92e |
| SHA256 | 0334113744c2b6220f7d28269ac4667d25762654370438a4ce995b8a503e444d |
| SHA512 | 98d2a83466c101b2e3d3833a099f958fcdc973bf27803ad4349fa44a7e316bb69619fdb0176b6e710e04588256d5595032dd634b77730150bdd60f06b1989360 |
memory/2628-99-0x000000013F140000-0x000000013F494000-memory.dmp
\Windows\system\moMTPYd.exe
| MD5 | 0d262b7f54c27855568db67669c7fe42 |
| SHA1 | a8f07d0b7905c378cf0c68c91831bf3ceeee19da |
| SHA256 | 0d0faab1afde0af2b0b8e7a18d7a076e10d99eb2593cebba3e17104d5b778242 |
| SHA512 | 7d10fcc45a4f6b8b90bf7bd9c68ff41a190472916112eebf4239a3c5d44baf6d5d63aa0602c50e69142ba39f934806a79f0d0e869a91611973303966064a5809 |
C:\Windows\system\mKiEWlD.exe
| MD5 | 71717b70205b2f50f0a65368b1afdbd6 |
| SHA1 | 8bfdbf254af73d6734c302fa8b8b94c6a09ae9b7 |
| SHA256 | c24af59abed05f2dc4138462f149f5e535ae0ffa357e51e64dca89e41a4671a1 |
| SHA512 | 6a384298c0bdbe0a18cfe5207e900f3490e858cb19ff4ca8105d3d1d219f9d458519e6e303eedddecb561e71d24899981b1a14f8f97bce8d47d14bbf3806960c |
\Windows\system\JKuvdJs.exe
| MD5 | 70eb635b413bb97b20d90217051b7f31 |
| SHA1 | 82eaba2c36e858f2638b96ece37c0276a5e23d1f |
| SHA256 | 71e6ebab0156def00a1fdf623161b665dd6c33eab5cd3adf4c6023b915aa1d19 |
| SHA512 | 221fc757be968606a1c59235d04f3b46dfa525cb6b9d8d9de5237328762c9a6171ad3c6c15623da9047ce1d68bda32238f3213ac4deb986dc1abc0cc9e4ffb30 |
C:\Windows\system\JvMfNOH.exe
| MD5 | 50e951998ecb8f3a14741c1d7b4ef419 |
| SHA1 | f730750ae291380cf481be5bba1ba2164b50960f |
| SHA256 | ecf00b59176a3178a6085c46f6eec32b864d2684b84fdfa5059708beb69e3776 |
| SHA512 | 873f6235cb080502853eea7d2f1c37431312ce5ea5dda1988f20d4709babfa39f3dcede6e299fdc5cd2295b29baab49f7ab1b9ac077ed59c4715ae946ab5a8dc |
C:\Windows\system\LBVdRdv.exe
| MD5 | 40ff7747609a0a83405281886cfdc277 |
| SHA1 | 82c2a3a716e1d47769549cfafa2a8823a0eb343c |
| SHA256 | 3a5f65f955f0e781c00cfbfbfa97715a9274b8602cd07f056e736dadf321fbbd |
| SHA512 | d883b2cc1f47a8750f56919d00723a6012bac8cc3f7889e9bdf45adf6cd0493a630150aac3f8473b7626eaba5ebaede97628ee5700f6b3e32ff364214fc3142e |
C:\Windows\system\HXOgalD.exe
| MD5 | 5ce1f87b6bf59b103b7b53e6f205b163 |
| SHA1 | 3cc3ddb4410823adb1c18991903abdda8316778f |
| SHA256 | f854ea7c898e8a2e168ee9d7414e473e0bf0da5275d39fe44d6e514e49d5c623 |
| SHA512 | 3780bed5f4c8beb03f3cb1c897c866079b2a2e8517b17353d589779f9b72434e1fad98db6086f83178edc3540345c0fa81a13e535b348a570a317f38030f0637 |
memory/2580-107-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/1936-94-0x000000013FF50000-0x00000001402A4000-memory.dmp
C:\Windows\system\XsMGdOL.exe
| MD5 | 74d628cb25b2fcb798fc8e3f8d55e556 |
| SHA1 | 4dcd6040cf2998322e5b5ad38c9f759b8fbd41f7 |
| SHA256 | 355bec6097c2646d216d60466f91081e0f14ca5f3a224eb6642bfa2e1031304c |
| SHA512 | 0190d0c96802da4f138912152366d4f5b33dbf357c2036acad84320686a93d815393e3fdf5a122b40dbb437632d8b3a0958879e21dbeca2a41d0a56aabf115fd |
memory/2580-93-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/1420-139-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2648-92-0x000000013FC50000-0x000000013FFA4000-memory.dmp
C:\Windows\system\dPAuMmU.exe
| MD5 | b855c422427b12584f2d61d873915709 |
| SHA1 | e005f00295ed3a92548933ece356f6499e023b11 |
| SHA256 | 670f969c1ef9ffe3c3a3ad9a18c61423e51fe0f212535e7f6bbe6bbaa4456ff4 |
| SHA512 | 1245b7eefa36d22015638e2bdf3686fefa0daeec5c3b1260442f438a334a4cc7d27ebcd7ce775ac50d3aa63883ae5904e46d4d5df2b521bdd13a658534e53eb1 |
memory/2096-101-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2580-100-0x000000013F620000-0x000000013F974000-memory.dmp
memory/1144-86-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2580-81-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2640-80-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2560-71-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2580-70-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2800-69-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2212-58-0x000000013F480000-0x000000013F7D4000-memory.dmp
C:\Windows\system\cyOLuai.exe
| MD5 | fd0c291614254b13fe8af5c620939383 |
| SHA1 | a434728b2478a098f941f29af8985718e5df785e |
| SHA256 | 950372ee7bcbab3313cf4ed5fa8a0791cd65fc2e1e9a99c89a7b92373e63b051 |
| SHA512 | 11515a1e203895336fc682a01eb9a2a7fdb5f1016e692c45f7825e25f67ae280ec6654b958664fa27dec4266387cfc4420e002cceefabf23a4f8d875c03a7375 |
C:\Windows\system\nqRYbVm.exe
| MD5 | 5f3018055cc3da8c473ac06afc011f1b |
| SHA1 | a8da2e6d0ed7322e0545cf1ad646c70a8022c623 |
| SHA256 | 2a945337806817637090e7c5b7dcd849dbe17828c5aa080cda01f2b6c3d4c090 |
| SHA512 | 36084382d3fb803b0bf45d9b0c1a2bda56afe8f7cc244331e5fe9bf460555c5abfe00b3a12d035342f0991308843b26a7edd10d06f39520996ebf7dc537f6e75 |
memory/2748-140-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2580-52-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/1420-47-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2580-46-0x000000013FDD0000-0x0000000140124000-memory.dmp
C:\Windows\system\nXVGyzj.exe
| MD5 | dfd20e9622d2839a33f448f8b05541a0 |
| SHA1 | ed394f741605dbb501a9dda799545756c3a136bf |
| SHA256 | 1a11dfb9a3447470fba54e937b8d48bb30c471e9deece0271341936e1cdbfd8d |
| SHA512 | ae2ab1dd5182e98aa4d34928762288efdd1e6676c21350a539ada48defba33f80762c6b3d02c16509b082d41a4e0867784b54414f868b13ed4ffe87eab87699f |
memory/2580-42-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2580-33-0x00000000022F0000-0x0000000002644000-memory.dmp
C:\Windows\system\hqWUxrZ.exe
| MD5 | 37b3462d032cbb79fbfa866eda3589e9 |
| SHA1 | 825b4048cd278a5c78112ff783ed6dd3a4f1e898 |
| SHA256 | 81c4a1b3acf2426a7d886a6c02f4015c45d5c71ea5bac50845f70b5f7e3706b5 |
| SHA512 | 5f3672cf240a4e2cd97b39230f572eb68414cd35232c85bcb94975d3cf54ed52bf8e1f4318a2828504572f50026d8dda4fa65842cdf6771d54697f91510863c2 |
memory/2580-19-0x00000000022F0000-0x0000000002644000-memory.dmp
C:\Windows\system\swYuLwA.exe
| MD5 | a0432f9b1eb602886de2d27e09b0c17c |
| SHA1 | 74799fae20a9b72557fcbdb7b8878c95327a3593 |
| SHA256 | 97b0ee38ff3297b940dd24fad14b970d33ec4a83713aedb95f9f6d5d0173b4c5 |
| SHA512 | 8df2c3b3e9a77896d3cd3b65f60bb73402bc9ad7445a0d33c0b3a765806186e350844a2ccfb5972284685bcc510150e64d2fc793f061ea76325de87aa6483ed4 |
memory/2668-141-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2500-142-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2580-143-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2560-144-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2580-145-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/1144-146-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/1936-147-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2580-148-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2096-149-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2580-150-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2212-151-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2800-152-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2640-153-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2700-154-0x000000013F820000-0x000000013FB74000-memory.dmp
memory/2668-156-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2628-155-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2500-159-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2560-158-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2648-161-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2748-160-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/1420-157-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/1144-162-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2096-163-0x000000013F620000-0x000000013F974000-memory.dmp
memory/1936-164-0x000000013FF50000-0x00000001402A4000-memory.dmp
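Two things stand out in the Files section above. Every dropped copy has a different MD5/SHA1/SHA256, so a hash blocklist built from this run will not match the next one; and every image-sized memory region, across all PIDs, is the same 0x354000 bytes, including the non-image region at 0x22F0000 in the parent (PID 2580), which is consistent with one payload being written into each child. The durable indicators are therefore the drop path pattern and the single TCP peer, not the hashes. The parser below is an added example and not part of this report or of any sandbox tooling: it reads the Files and Network sections in the layout used on this page (a path line followed by hash rows, `memory/<pid>-<n>-<start>-<end>-memory.dmp` lines, and the network table, tolerating rows where the Domain cell is empty and the protocol has slid left) and summarises the indicators. The excerpt it parses is copied from this report's behavioral1 run; the regexes and the value-based column repair are assumptions about this layout.

```python
import re
from collections import Counter

# Line shapes in the Files / Network sections of this report (assumed from the page layout).
FILE_LINE_RE = re.compile(r"^(?:[A-Za-z]:)?\\Windows\\system\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
MEM_LINE_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
NET_ROW_RE = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|(.*)$")


def parse_report(text):
    """Walk the report line by line; a path line opens a file record that following hash rows fill."""
    files, memory, network = {}, [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if FILE_LINE_RE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        m = HASH_ROW_RE.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2)
            continue
        m = MEM_LINE_RE.match(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            memory.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                           "start": start, "size": end - start})
            continue
        m = NET_ROW_RE.match(line)
        if m:
            # The trailing cells are Domain and Proto, but rows with no domain carry the
            # protocol in the Domain column; classify cells by value rather than position.
            cells = [c.strip() for c in m.group(4).split("|") if c.strip()]
            proto = next((c for c in cells if c in ("tcp", "udp")), "")
            domain = next((c for c in cells if c not in ("tcp", "udp")), "")
            network.append({"country": m.group(1), "ip": m.group(2), "port": int(m.group(3)),
                            "domain": domain, "proto": proto})
    return {"files": files, "memory": memory, "network": network}


def ioc_summary(report):
    """The numbers a responder acts on: distinct hashes, peers, and dumped-region sizes."""
    files = report["files"]
    sha256s = {h["SHA256"] for h in files.values() if "SHA256" in h}
    peers = Counter((n["ip"], n["port"], n["proto"]) for n in report["network"])
    sizes = Counter(m["size"] for m in report["memory"])
    return {"dropped_files": len(files), "distinct_sha256": len(sha256s),
            "hash_unique_per_drop": len(sha256s) == len(files),
            "peers": peers, "region_sizes": sizes}


def dominant_region_size(report):
    """Most common dumped-region size; one size repeated across PIDs means one payload re-mapped."""
    sizes = Counter(m["size"] for m in report["memory"])
    return sizes.most_common(1)[0][0] if sizes else 0


# Excerpt copied from this report's behavioral1 run (shifted network rows left as they appear).
REPORT_EXCERPT = r"""
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
Files
memory/2580-0-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/2580-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\GQzgjbK.exe
| MD5 | 6b383d5f107422c6b058654481ec76ac |
| SHA1 | a407a89f527ee7bf21bb9e61855892ae526d6925 |
| SHA256 | 3f5cc4f9234832b4f600de2846a9269cf691bd357d8cc07202a97f65a3511a6d |
memory/2212-8-0x000000013F480000-0x000000013F7D4000-memory.dmp
\Windows\system\oIzCHmN.exe
| MD5 | 00ca85913cb26362a9cdd772942361ac |
| SHA256 | 3de677492e24edf10b6d649ff76f626d50b9d26c2c50c97e6ea591d350c2ef0b |
memory/2580-19-0x00000000022F0000-0x0000000002644000-memory.dmp
C:\Windows\system\rfjxxRc.exe
| MD5 | 1eeff0dba5b458c255efdb6833580ce5 |
| SHA256 | 6ee0ee7187c7be114212de31bcfb0830222ecdfb38d7b0d07a5e5908a2047f98 |
"""

if __name__ == "__main__":
    report = parse_report(REPORT_EXCERPT)
    summary = ioc_summary(report)
    print("dropped:", summary["dropped_files"], "distinct sha256:", summary["distinct_sha256"])
    print("peers:", dict(summary["peers"]))
    print("dominant region size: 0x%X" % dominant_region_size(report))
```

Run against the full Files section the same way; with all 21 paths `hash_unique_per_drop` stays true and the dominant region size stays 0x354000, which is what justifies blocking on the path pattern and the peer rather than on file hashes.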
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 16:17
Reported
2024-06-08 16:19
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 matches; indicator, process and target not captured)
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 matches; indicator, process and target not captured)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TqsKxeY.exe | N/A |
| N/A | N/A | C:\Windows\System\KAZKQPV.exe | N/A |
| N/A | N/A | C:\Windows\System\TqERGPp.exe | N/A |
| N/A | N/A | C:\Windows\System\IDvsqKD.exe | N/A |
| N/A | N/A | C:\Windows\System\tCCzfNL.exe | N/A |
| N/A | N/A | C:\Windows\System\gjVSBUZ.exe | N/A |
| N/A | N/A | C:\Windows\System\azBnKtE.exe | N/A |
| N/A | N/A | C:\Windows\System\aGAndkA.exe | N/A |
| N/A | N/A | C:\Windows\System\nPspIFl.exe | N/A |
| N/A | N/A | C:\Windows\System\oIXBezu.exe | N/A |
| N/A | N/A | C:\Windows\System\RVvNojd.exe | N/A |
| N/A | N/A | C:\Windows\System\JYdmwdg.exe | N/A |
| N/A | N/A | C:\Windows\System\upVxwIg.exe | N/A |
| N/A | N/A | C:\Windows\System\ArsXBMh.exe | N/A |
| N/A | N/A | C:\Windows\System\awvCMWI.exe | N/A |
| N/A | N/A | C:\Windows\System\HrJWOrO.exe | N/A |
| N/A | N/A | C:\Windows\System\ZMAVJSY.exe | N/A |
| N/A | N/A | C:\Windows\System\EQZoOZi.exe | N/A |
| N/A | N/A | C:\Windows\System\KJFerlg.exe | N/A |
| N/A | N/A | C:\Windows\System\nHVTAeO.exe | N/A |
| N/A | N/A | C:\Windows\System\vkZbstX.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 matches; indicator, process and target not captured)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe"
C:\Windows\System\TqsKxeY.exe
C:\Windows\System\TqsKxeY.exe
C:\Windows\System\KAZKQPV.exe
C:\Windows\System\KAZKQPV.exe
C:\Windows\System\TqERGPp.exe
C:\Windows\System\TqERGPp.exe
C:\Windows\System\IDvsqKD.exe
C:\Windows\System\IDvsqKD.exe
C:\Windows\System\tCCzfNL.exe
C:\Windows\System\tCCzfNL.exe
C:\Windows\System\gjVSBUZ.exe
C:\Windows\System\gjVSBUZ.exe
C:\Windows\System\azBnKtE.exe
C:\Windows\System\azBnKtE.exe
C:\Windows\System\aGAndkA.exe
C:\Windows\System\aGAndkA.exe
C:\Windows\System\nPspIFl.exe
C:\Windows\System\nPspIFl.exe
C:\Windows\System\oIXBezu.exe
C:\Windows\System\oIXBezu.exe
C:\Windows\System\RVvNojd.exe
C:\Windows\System\RVvNojd.exe
C:\Windows\System\JYdmwdg.exe
C:\Windows\System\JYdmwdg.exe
C:\Windows\System\upVxwIg.exe
C:\Windows\System\upVxwIg.exe
C:\Windows\System\ArsXBMh.exe
C:\Windows\System\ArsXBMh.exe
C:\Windows\System\awvCMWI.exe
C:\Windows\System\awvCMWI.exe
C:\Windows\System\HrJWOrO.exe
C:\Windows\System\HrJWOrO.exe
C:\Windows\System\ZMAVJSY.exe
C:\Windows\System\ZMAVJSY.exe
C:\Windows\System\EQZoOZi.exe
C:\Windows\System\EQZoOZi.exe
C:\Windows\System\KJFerlg.exe
C:\Windows\System\KJFerlg.exe
C:\Windows\System\nHVTAeO.exe
C:\Windows\System\nHVTAeO.exe
C:\Windows\System\vkZbstX.exe
C:\Windows\System\vkZbstX.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| FR | 142.250.179.106:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 106.179.250.142.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/648-0-0x00007FF677620000-0x00007FF677974000-memory.dmp
memory/648-1-0x0000019DB0D70000-0x0000019DB0D80000-memory.dmp
C:\Windows\System\TqsKxeY.exe
| MD5 | ef98777f47106cdfac665291da42f2ca |
| SHA1 | 1cceda2ad7edcb63a8e299dd5ec78f9e08870598 |
| SHA256 | 9ebf7b3683e6f005c10eae0f1468bacb13e8b6e61c906e489b7cbeef7dd4d71c |
| SHA512 | 997c7bb13157a173ec751e602c1444189dbec9741b8657fc34ebedfa0d37cdbba00176cac8f62c2998dcbd4af1e6ec62ae4c0fbc4849b99ba840b644ff28feb7 |
memory/568-8-0x00007FF66C6B0000-0x00007FF66CA04000-memory.dmp
C:\Windows\System\KAZKQPV.exe
| MD5 | ee6ff1ddddd8967e067f05f011f508a7 |
| SHA1 | afcdbcfba5e86f61e7ca1ed8184a149614467be7 |
| SHA256 | fbfe0a846d1534fa29da0b658bcf702bca4e731e05ef97f793db77c7e144bc95 |
| SHA512 | 854084501f82805943b1c8ec521c78d1d743b2ef4ad58b87af7e0165e4f61f39e30d9efe643d8f8dc36c0c9c1175d2cb50579f3672336ae1cac32a1a6892aa28 |
memory/3296-14-0x00007FF6604D0000-0x00007FF660824000-memory.dmp
C:\Windows\System\TqERGPp.exe
| MD5 | a6f2f2adf5fc97e5ed285aba6cb8cdb3 |
| SHA1 | 2ff949b2770049c6ab202e3609c922d69874ccf2 |
| SHA256 | 285e05e69a29fae46ca74dd96c19f71856a6d56de3802ab717d3e3e15be2ecd2 |
| SHA512 | 02c00079a84be955d51a40809ad286da8899e64c1a13c41e4b4513a0f5d6c23337beb6804ae10ac2f8c64723ba928ff2efae96de59b6d631babca61be84cbf85 |
memory/2876-20-0x00007FF7452C0000-0x00007FF745614000-memory.dmp
C:\Windows\System\IDvsqKD.exe
| MD5 | 79804d3d1c6b2c1b2fdadc5c1f0c9e6a |
| SHA1 | f4569bfc309a9c589b8cab557451197658322851 |
| SHA256 | f4b70ee827b91f9c80b2f928e40a4b036fa3cc816bcca289e04439103eb3c1c5 |
| SHA512 | 81c0d5bfe65199956bd82ca9885a20c2b9cb88350ad688b8ff6c7261acc13cdf3013bc294dad4479be8745338c3d0a22d2762b5bad286c512fba3848b9cd06ee |
C:\Windows\System\tCCzfNL.exe
| MD5 | bb03404ddc702e6d2bc80797f0229b27 |
| SHA1 | ccee1c11291705ca4552a44c45237dd1e8e03a2c |
| SHA256 | bdea32ca3583678c4bf2cd211ad8468048eeca44ae7c30cb6857f54487c5d8e7 |
| SHA512 | eb133661e37d848625d5fafc231f3ed3d4ad3f75a8a0de46f1675f312afddcdedd91c004758c67c9c91f5f39541fd781340651c0c2cfafc2acdcdcf8b53e48ee |
memory/2028-26-0x00007FF7970D0000-0x00007FF797424000-memory.dmp
memory/2560-32-0x00007FF6D83E0000-0x00007FF6D8734000-memory.dmp
C:\Windows\System\gjVSBUZ.exe
| MD5 | aa26dbb1319e92987d35775159e14349 |
| SHA1 | 9764b5838fb70410dd3180caaaa1e4e109522aaa |
| SHA256 | 46c98a2a014eca23f11ca82e3b3e126059c0c0fce2f57472c5d6749cdcb8e7be |
| SHA512 | f4a2e1da486e6fae35093682c8a63e93e6a32d7fc7684f2a772e95eb3d468b93f92d4a3e9e23f3b35fb68a27cbbeac87a3d428ab7da62d640a0e0ba991952bfc |
memory/220-38-0x00007FF670840000-0x00007FF670B94000-memory.dmp
C:\Windows\System\azBnKtE.exe
| MD5 | 6e43bc34086f27f5e355a76e2d8afb77 |
| SHA1 | e485de21b6f1c20828fcf0d5220cc8769ca5ff53 |
| SHA256 | d86b03afef60ae78ca5bc3a64a3e83c79bb8d99750a3980d9f8e6238e63622f6 |
| SHA512 | ad5a0876855bb9ad0b923caff1136a3d8545449c2bf34487e4b1ee010b75407f699e1c350c005c324e557f768606c85d107b9a9c99d16646341f7a27e2d0f4b2 |
memory/1724-42-0x00007FF7211E0000-0x00007FF721534000-memory.dmp
C:\Windows\System\aGAndkA.exe
| MD5 | 31e79ccd5f717f0560ae3bd5681d7728 |
| SHA1 | 3165fd87e636907ac801957136cd11cfc5c66bd1 |
| SHA256 | 61c032182f57fcc5a724c32e024e1ecdec21ab597f7690a4aa164f618b07bb56 |
| SHA512 | d265ec85e05c325032696dba82dcddefb1d890aa9cf913dae2d52e9a1ca413a56ad7fa7c5ead3ad1971d62bf2e47354c8bc0828dbf41db27f5120df1234d7149 |
memory/4864-52-0x00007FF747430000-0x00007FF747784000-memory.dmp
C:\Windows\System\nPspIFl.exe
| MD5 | 3a6b7638960b17f3bcc2dbadfd5ae306 |
| SHA1 | 875ee68df8e62a1c745641d1171f93ba199e2141 |
| SHA256 | 5d97f8dd5a8f0d4da22771952d8f044469010528a712ac45a9acbfea929307b1 |
| SHA512 | 853ecbb70b889c8e3832a7325e1afd812f88803f2f8d80bd8c72b7e2c2f366a2ebb36855ee640847421d9a5cd02959ef2b623320c48ae505461aacb7aeba58a8 |
C:\Windows\System\oIXBezu.exe
| MD5 | 1078ede2b0d344470aa8911b1921cdd9 |
| SHA1 | ee0f9a675b552ec6e37bb5da3d35c620545d2c5f |
| SHA256 | d9a2b72d93d7d3214232743b7aa8a6cbc0bc72e6a587329d03567156350451eb |
| SHA512 | 68acb2235e0aedc0f33c9a796ba5154a463c4cfc531a57a32096f385b0a28a0abbd58f40aeff3027d6ed63e28a64d5124c9df11b4579fa1420cf443c0821587e |
memory/648-60-0x00007FF677620000-0x00007FF677974000-memory.dmp
memory/3956-61-0x00007FF7BCF10000-0x00007FF7BD264000-memory.dmp
memory/4968-59-0x00007FF671E90000-0x00007FF6721E4000-memory.dmp
C:\Windows\System\RVvNojd.exe
| MD5 | 753f9aa258291d9ac794aa4ca222946e |
| SHA1 | 6cb59e1592db051a700c537886e1025311628702 |
| SHA256 | b9f34b3dda953f3470678d85bb4174fd79ffe02f321fa4b93e27e9c47c56d095 |
| SHA512 | 4d44f67d17b3446bf53596b443a575dbb878242b391d46cc1b0c1e294a99477cfaafafa611361942e6c9eea61e2a9e3e1b05bf6d517e9c425be518fa55cd5e4a |
C:\Windows\System\JYdmwdg.exe
| MD5 | 7160b2652d126e556f39bd02a1dbd9dc |
| SHA1 | c3b576710f504bd49f22d1ed02bbd9abdb0c6e06 |
| SHA256 | 67e091bfd6e9ab60d07d3ceca53e507d91489f4c241efed7624d50b17faa9e12 |
| SHA512 | ba88bb97b737d68bbde336b88569febb484ece4e22aabe03a3ee780319387c93be5baaf171f9a53b9e311482e17da15e446b2fae7a2ae76dea06de27f8023666 |
C:\Windows\System\upVxwIg.exe
| MD5 | f99084a98201f91fefa33f0c35e4cb44 |
| SHA1 | a654c48257d25cfda2f6613651e77b0690083eea |
| SHA256 | 8051ba6385678226a4a037f9ad1fd2c50bccd40f24543a193c461da5eec10321 |
| SHA512 | 61555d3f877a53aa8933e6bf7b6a2cc64251dd83b9d092718c1b880f7c966ed6582ff27d4d4cef5928f30622e8224db6c8cbd08238574b1f2e8ec36c0420de8a |
memory/1248-78-0x00007FF7671E0000-0x00007FF767534000-memory.dmp
memory/3296-79-0x00007FF6604D0000-0x00007FF660824000-memory.dmp
memory/4080-81-0x00007FF6A5700000-0x00007FF6A5A54000-memory.dmp
memory/1048-75-0x00007FF6659B0000-0x00007FF665D04000-memory.dmp
C:\Windows\System\ArsXBMh.exe
| MD5 | ddaa55af632bf6a483245d1e8c10f675 |
| SHA1 | 3fd34f0c77e257bacd76037028bcbb0c590f48eb |
| SHA256 | 9914ba73e59a9630ec2e0844e7481741573ac89de3102b3bc00000ecdd9f3553 |
| SHA512 | 42c1551e5c0d35a0446c4ccbbfcc1cab2c6180703a884a43788c0a7026e8a22f069c21d7cc136e0849860f3ad2d503c1c4a073e8361d62bfa5b1dd373c574e86 |
memory/2876-88-0x00007FF7452C0000-0x00007FF745614000-memory.dmp
C:\Windows\System\awvCMWI.exe
| MD5 | 80694d3a226f1deb7344bb2899d03022 |
| SHA1 | 99cc2c7baf9de031c906e4659909c46e9cdc5b94 |
| SHA256 | 9ca0d0f6655b2c6eb7bd4268e24a8b7b377bd25ce5f6354167262a8deec98d69 |
| SHA512 | 815bcaa6f823b3633f5e4388c59d818d8bd9da88be556867233465669ea15fb979e907d03ea5db7a3a44fcb103448dc50cb01604259a0b39d9fd53b82c901343 |
memory/1776-94-0x00007FF6E6D30000-0x00007FF6E7084000-memory.dmp
memory/2028-97-0x00007FF7970D0000-0x00007FF797424000-memory.dmp
memory/3896-100-0x00007FF7F0C70000-0x00007FF7F0FC4000-memory.dmp
C:\Windows\System\ZMAVJSY.exe
| MD5 | 68a8741639dbbf1b67b9ac5f50252ac9 |
| SHA1 | e2d03dc0083fa3ec834ea37a2e1389f17542ea75 |
| SHA256 | 0b0abc22bc601a8c6e2aa53c282bcd3af8c1c355151a6268ea7036235ae8e898 |
| SHA512 | 9812839d364efea2ea7ea02764b006de6e0ce932fee042cad11cd5d5bc982efff69389d11650c4a264255a560753deb88f8389b8406d16bad682a20dc02256e7 |
memory/636-103-0x00007FF74D3B0000-0x00007FF74D704000-memory.dmp
C:\Windows\System\HrJWOrO.exe
| MD5 | 871d0da222c9d94ead4befb04e33c2ed |
| SHA1 | 82e6e0b77cecdf56992929e2272fa53062e2b2f3 |
| SHA256 | 470ac5b6905dcb1ffb2ef9624b548a34775717ff00044718b917bcdfa6d2f782 |
| SHA512 | 21634ae2d57160b9509a9dd57109044d468ad2a906374f344c74cd23e37399a93775d184ece9c6dcd0b83f5b868923cc72fac6ccc83a7aaf8ee7d4e22e9b8db0 |
memory/2608-104-0x00007FF637C40000-0x00007FF637F94000-memory.dmp
C:\Windows\System\EQZoOZi.exe
| MD5 | 6d6ee21b34db8849f4b15d075aaf6773 |
| SHA1 | 50ea1fcca16d61f9c4d8eb482054719ff6766de1 |
| SHA256 | 126b97c4d64271e7bf66de6b58860b68ee08677a728624e4c17167b7d0c449f5 |
| SHA512 | b7206b9b49fab9cd77c9e7377e0a8eb61ae74782872010d4bfd42a275c08d021fd273d658f6b6e222b868ebe6d8e179fd2d77b78f23bdb3c7327ac2de7927015 |
memory/220-112-0x00007FF670840000-0x00007FF670B94000-memory.dmp
C:\Windows\System\KJFerlg.exe
| MD5 | 532c88093d91a16792249834dac21b93 |
| SHA1 | 65f22bbedb5957ccf912316257398777a471bd99 |
| SHA256 | 7bbfbb702e8cf16187e5a74a30c6c9d2f661fc05495dce8c2d51488de03a4896 |
| SHA512 | dac5e20c59712c49216304bed8587308a6907d3824452f17abb2e1a28c5eb81b05f6a1ac25b29aad72a76f0e2df9ceb3fba5f509cd4cf30299fc845a3b9580e8 |
memory/3480-120-0x00007FF67B720000-0x00007FF67BA74000-memory.dmp
C:\Windows\System\nHVTAeO.exe
| MD5 | 3930fd8d36ea0a45ecfb928841ef1662 |
| SHA1 | fb1c76f018a7f213402a6844c40b95923de6f617 |
| SHA256 | 63fdc043bc1f476a4c9a83efc4a5c91aa17f84725463362d5018e7e16e433bb0 |
| SHA512 | edf26d67f4c354dac7f008dcbb3098903d9e4e1fee5dc6456cb06db7e79ec9c853c4a804113267ac873841c7da10c92d641129a7a87941d3308ec63089fe10b6 |
C:\Windows\System\vkZbstX.exe
| MD5 | a07f7db49e9ae3a782bc06a2fb20ec4d |
| SHA1 | 869801e7c83013df567f0ac773ca1cdf5e1eeb59 |
| SHA256 | 1694fc2b9c196a137976f2455a3375f0f762b6d52b5631ca306a9975cc3bd40e |
| SHA512 | 614c687b58f85833268bc42bd62a829f537f6fca6942e841026b9a90b8354ff6676810bd7a1f29ae86fb39835413f291291f7dd8996a49ec544fc243e322ca4c |
memory/916-123-0x00007FF73BF60000-0x00007FF73C2B4000-memory.dmp
memory/1724-122-0x00007FF7211E0000-0x00007FF721534000-memory.dmp
memory/2652-132-0x00007FF686830000-0x00007FF686B84000-memory.dmp
memory/3956-133-0x00007FF7BCF10000-0x00007FF7BD264000-memory.dmp
memory/232-134-0x00007FF77AD70000-0x00007FF77B0C4000-memory.dmp
memory/1248-135-0x00007FF7671E0000-0x00007FF767534000-memory.dmp
memory/4080-136-0x00007FF6A5700000-0x00007FF6A5A54000-memory.dmp
memory/636-137-0x00007FF74D3B0000-0x00007FF74D704000-memory.dmp
memory/2608-138-0x00007FF637C40000-0x00007FF637F94000-memory.dmp
memory/916-139-0x00007FF73BF60000-0x00007FF73C2B4000-memory.dmp
memory/2652-140-0x00007FF686830000-0x00007FF686B84000-memory.dmp
memory/568-141-0x00007FF66C6B0000-0x00007FF66CA04000-memory.dmp
memory/3296-142-0x00007FF6604D0000-0x00007FF660824000-memory.dmp
memory/2876-143-0x00007FF7452C0000-0x00007FF745614000-memory.dmp
memory/2028-144-0x00007FF7970D0000-0x00007FF797424000-memory.dmp
memory/2560-145-0x00007FF6D83E0000-0x00007FF6D8734000-memory.dmp
memory/220-146-0x00007FF670840000-0x00007FF670B94000-memory.dmp
memory/1724-147-0x00007FF7211E0000-0x00007FF721534000-memory.dmp
memory/4864-148-0x00007FF747430000-0x00007FF747784000-memory.dmp
memory/4968-149-0x00007FF671E90000-0x00007FF6721E4000-memory.dmp
memory/3956-150-0x00007FF7BCF10000-0x00007FF7BD264000-memory.dmp
memory/1048-151-0x00007FF6659B0000-0x00007FF665D04000-memory.dmp
memory/1248-152-0x00007FF7671E0000-0x00007FF767534000-memory.dmp
memory/4080-153-0x00007FF6A5700000-0x00007FF6A5A54000-memory.dmp
memory/1776-154-0x00007FF6E6D30000-0x00007FF6E7084000-memory.dmp
memory/3896-155-0x00007FF7F0C70000-0x00007FF7F0FC4000-memory.dmp
memory/636-156-0x00007FF74D3B0000-0x00007FF74D704000-memory.dmp
memory/2608-157-0x00007FF637C40000-0x00007FF637F94000-memory.dmp
memory/3480-158-0x00007FF67B720000-0x00007FF67BA74000-memory.dmp
memory/916-159-0x00007FF73BF60000-0x00007FF73C2B4000-memory.dmp
memory/232-160-0x00007FF77AD70000-0x00007FF77B0C4000-memory.dmp
memory/2652-161-0x00007FF686830000-0x00007FF686B84000-memory.dmp