Analysis Overview
SHA256
e75776aefe8fa902924bb874d01081d93068d6e13acf3e4ab7fad5f25a4e4bfa
Threat Level: Known bad
The file fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
Cobaltstrike family
Cobaltstrike
xmrig
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-08 18:20
Signatures
Cobalt Strike reflective loader
1 hit; description, indicator, process and target not recorded.
Cobaltstrike family
XMRig Miner payload
1 hit; description, indicator, process and target not recorded.
Xmrig family
UPX packed file
1 hit; description, indicator, process and target not recorded.
Unsigned PE
1 hit; description, indicator, process and target not recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 18:19
Reported
2024-06-08 18:22
Platform
win7-20240220-en
Max time kernel
133s
Max time network
143s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; description, indicator, process and target not recorded.
Cobaltstrike
xmrig
XMRig Miner payload
56 hits; description, indicator, process and target not recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\yiBMOCx.exe | N/A |
| N/A | N/A | C:\Windows\System\NMrLQBr.exe | N/A |
| N/A | N/A | C:\Windows\System\xlEMjvZ.exe | N/A |
| N/A | N/A | C:\Windows\System\jemfwWm.exe | N/A |
| N/A | N/A | C:\Windows\System\KswJVcP.exe | N/A |
| N/A | N/A | C:\Windows\System\HtIRPNF.exe | N/A |
| N/A | N/A | C:\Windows\System\xseSgMX.exe | N/A |
| N/A | N/A | C:\Windows\System\yhOdUgN.exe | N/A |
| N/A | N/A | C:\Windows\System\pLSanqK.exe | N/A |
| N/A | N/A | C:\Windows\System\KbZupFW.exe | N/A |
| N/A | N/A | C:\Windows\System\JnoaVqQ.exe | N/A |
| N/A | N/A | C:\Windows\System\qxaCrsH.exe | N/A |
| N/A | N/A | C:\Windows\System\APadUiD.exe | N/A |
| N/A | N/A | C:\Windows\System\WuFGDKS.exe | N/A |
| N/A | N/A | C:\Windows\System\BdtlnXv.exe | N/A |
| N/A | N/A | C:\Windows\System\JXyjCEb.exe | N/A |
| N/A | N/A | C:\Windows\System\bmefGLk.exe | N/A |
| N/A | N/A | C:\Windows\System\kownHma.exe | N/A |
| N/A | N/A | C:\Windows\System\WLlHtwr.exe | N/A |
| N/A | N/A | C:\Windows\System\CGjjUKF.exe | N/A |
| N/A | N/A | C:\Windows\System\MsVNxAu.exe | N/A |
Loads dropped DLL
UPX packed file
51 hits; description, indicator, process and target not recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe"
C:\Windows\System\yiBMOCx.exe
C:\Windows\System\yiBMOCx.exe
C:\Windows\System\NMrLQBr.exe
C:\Windows\System\NMrLQBr.exe
C:\Windows\System\xlEMjvZ.exe
C:\Windows\System\xlEMjvZ.exe
C:\Windows\System\jemfwWm.exe
C:\Windows\System\jemfwWm.exe
C:\Windows\System\KswJVcP.exe
C:\Windows\System\KswJVcP.exe
C:\Windows\System\HtIRPNF.exe
C:\Windows\System\HtIRPNF.exe
C:\Windows\System\xseSgMX.exe
C:\Windows\System\xseSgMX.exe
C:\Windows\System\yhOdUgN.exe
C:\Windows\System\yhOdUgN.exe
C:\Windows\System\pLSanqK.exe
C:\Windows\System\pLSanqK.exe
C:\Windows\System\KbZupFW.exe
C:\Windows\System\KbZupFW.exe
C:\Windows\System\JnoaVqQ.exe
C:\Windows\System\JnoaVqQ.exe
C:\Windows\System\qxaCrsH.exe
C:\Windows\System\qxaCrsH.exe
C:\Windows\System\APadUiD.exe
C:\Windows\System\APadUiD.exe
C:\Windows\System\WuFGDKS.exe
C:\Windows\System\WuFGDKS.exe
C:\Windows\System\BdtlnXv.exe
C:\Windows\System\BdtlnXv.exe
C:\Windows\System\JXyjCEb.exe
C:\Windows\System\JXyjCEb.exe
C:\Windows\System\bmefGLk.exe
C:\Windows\System\bmefGLk.exe
C:\Windows\System\kownHma.exe
C:\Windows\System\kownHma.exe
C:\Windows\System\WLlHtwr.exe
C:\Windows\System\WLlHtwr.exe
C:\Windows\System\CGjjUKF.exe
C:\Windows\System\CGjjUKF.exe
C:\Windows\System\MsVNxAu.exe
C:\Windows\System\MsVNxAu.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3032-0-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/3032-1-0x0000000000080000-0x0000000000090000-memory.dmp
C:\Windows\system\yiBMOCx.exe
| MD5 | 1ba083a7f2c6891bd94cd0c533160ba2 |
| SHA1 | 89dfeff30edef71bbbac348935a28a432488ffc3 |
| SHA256 | d2f1ecab8335cc7a10e5c6db167ad5c065769f0782e7e9263e4d5e37faaa468f |
| SHA512 | bd684237c0dc9f5cf46263cb208faf41365be97bd358cb9b2683b07f020c09dddf11f3382e7275e245eccbfc1fbed7544111f7fee1a210fd482a6777b1d722c9 |
C:\Windows\system\xlEMjvZ.exe
| MD5 | ed02b89c7d69de80757182fb4f11c926 |
| SHA1 | e487caeec3f8ae1e40d2131e20b8355712e8e055 |
| SHA256 | 1815189b1e7709d9f041f6632195c751cf4f3ce9a359936f185dcb00bb2b30c1 |
| SHA512 | 3ffedb1557c128a6907ac769ee3573a290125d733861d2b1cc62d86a51389a27f6ed5f08effd3053b9e2c4bef363371bb099b423afe023722f19b5627726a92d |
C:\Windows\system\KswJVcP.exe
| MD5 | 00280c8a750d57fc26397a1265d4eff9 |
| SHA1 | 837aa7eee353e5135b0fca7fe2f63fa2eeda93a3 |
| SHA256 | a7fb3adbcc41e8e46463c064c0ee86058800276ec2704c1ea2ce79725ef26e80 |
| SHA512 | 629c36e9ff33a976344afc6bcb511491a745863189cc81e8702879867d66596467156f8759d3126bba73586372b9dcd2aef21aae69f2dfb3dbd8de703f668ffc |
C:\Windows\system\jemfwWm.exe
| MD5 | f8d51ea8ef81cb8e2c910e38cf520ff2 |
| SHA1 | e14f5a4f5be9ac0eabfaa0da8e4a81c433c9514e |
| SHA256 | d358504d9148166954fb1c5b432bf94b8f373f4a6ec626a393a7d920105d35d2 |
| SHA512 | ea72662a7577979c38417e762373cb8854c55676581165a4a8699f1e06463791962af710152033243e20baba8082dfa01e2818f9ade7f167c9576230a474bb3c |
C:\Windows\system\HtIRPNF.exe
| MD5 | 663bd147529495dac4cdbc9d22358ada |
| SHA1 | 799270247c632a2c8023001bcb0272bff5056fd3 |
| SHA256 | b9b48c68646d8b47ace6c0d4e13a45b89ddefbb1d550fc75249d0733db358ff7 |
| SHA512 | ac6cc42128616d93a28860ebe0e74bc3ec184ab5d1b4fe368a7db8d8bd8909f63b2d917f3756ca5c5daed80464014f5ef6b30d850e57f47d6e8f1530187a873a |
C:\Windows\system\xseSgMX.exe
| MD5 | 320a73e0c3d0b87c4b1a43917ef4fe0a |
| SHA1 | ac0b5b1fe70b6a07048152f5dc0741cce6995416 |
| SHA256 | f8c0426fb320fdf2277772347fd2a79c99ad8cf81c12df24fa755ae8a13b7817 |
| SHA512 | e991730f3f760020bbac138f204c1f24026011d3ee82ebad82c15a6f04b482d278ab6c66dc2b6fd4c746605e60cbe7d9ec5ad0f3fb31f941fc2c79c70d3fed18 |
C:\Windows\system\pLSanqK.exe
| MD5 | 01508583b9d780d2d1269cf6ce6ccf42 |
| SHA1 | d7604386d1b670739144435c1890d32248e8eece |
| SHA256 | 981a6a4c7113153a837595cd66ffc33e87d37fbcfc359ab765831cfe707220cf |
| SHA512 | 8093cfcfa55a246ec6221ec3a3010ac78e18ff3d988c4e26b9e5f1c028514a22ef3a0bc12ec69f15cf9fc6dc9876a3b665fa09c32f7188a7937376ebc460ab59 |
C:\Windows\system\JnoaVqQ.exe
| MD5 | af190da7365024d502bae6a3e956e449 |
| SHA1 | 2d9289d12b775792d61e43f78f790a7eb746f645 |
| SHA256 | 1caf7f6269f51403c1a18da2fcb68cb73ad3957334f51a2cda80a53205dec0a5 |
| SHA512 | d8c381b328a678b91e56a53ca967e5a6105e950824183df2dbf4753f8ed30113dd9895ca7fc68a0ea20d32550365d04df5d4a3107369d264f9f9b05e95338aae |
C:\Windows\system\qxaCrsH.exe
| MD5 | 943a31aea717bc29f783cfbdfce652e5 |
| SHA1 | 8a2ea19f2a322a71984cd6060eb09f5c82f185d6 |
| SHA256 | c4d86124b0ab9f2136e82f4a31689d84046e4440e7cc77e048e174f4ad80152c |
| SHA512 | 923e284bb52a462dd1f7b5b5f279ec34cfa8a77b84f16af17c86c1ad18f6908ef3cfc22763d8d7df8173624778b09fbd863b5196afe352620471512d55d7ac6f |
C:\Windows\system\BdtlnXv.exe
| MD5 | cc7927cc1fdceecb2462d15752f1cdb7 |
| SHA1 | a2ae203ae236ca32eb00c99a32b6b23fe11181c0 |
| SHA256 | f07e15e1d292f540895b66af479ff4e0f8aa4239f8b9605f2b3ae627254f49d8 |
| SHA512 | 04b3449785d8ba9bee336b664f4777725420c4c7089803bc94064d0fee06e4de97a770bd936cc8941b5dc6df784ebb261919be73b315747dca09be4b07f15a2f |
C:\Windows\system\bmefGLk.exe
| MD5 | 5a675a8381c8ea8a6126d0f2284972bf |
| SHA1 | 3589b0e8b28bea062827cc936f3458689f3336cb |
| SHA256 | 2f97279681c7a7c3e22cdf125f0e23ce0728411d9f7b0771141220420fa98318 |
| SHA512 | af889d222664d125388d7cc2a73640d8f92e5174734c62b987e460c372291713b5e51680e250ccd5849da406a8ff377fb31b6e85ad750125940873b8089740a8 |
C:\Windows\system\WLlHtwr.exe
| MD5 | 56c0beb71972e839d9ad59fedb03a2e8 |
| SHA1 | 94d59782b5b87cfb72fbe627713e2a1b2923a959 |
| SHA256 | 3d33d5d04247febc2919eed5174e6c3fa68068ea3dfb21049ab5d54d91495eba |
| SHA512 | 7591d416300ddebcd9fa2662eae610258cb4fd4bdef70c1a26368bd2e7e59c56f2fa6ef0cfb00f8c96ff52547363724fa03d25f10a171b0339b48bcee5191d6b |
C:\Windows\system\MsVNxAu.exe
| MD5 | 1e7f747cdbf4b1f9a1e6920407a12b3d |
| SHA1 | f722c9192585ca11aa6ad7d7610aaa141aec0699 |
| SHA256 | eabdd18a08b46be02881d870c674786b288831f2c775fa41ab7dc7dc53d366a9 |
| SHA512 | 4ad768141dfc14494e1f20a5c7fb090ea3f1dc1132e40ff9aeed6baf2195cf0d3c7b21e2aae4c04999e558198340a2e1d9673082420244985eda748d367aefc5 |
C:\Windows\system\CGjjUKF.exe
| MD5 | d0fc1dd04bd681a706e2512aec04f9cf |
| SHA1 | f0c25636ea457192de521b881791cd91cdc65027 |
| SHA256 | 78204ff3d23bf655092f5ea19f7474c040e3eabac4733f8b14fd0a213adeb839 |
| SHA512 | 4d187b697e1943fa7793c37ec177cc2594f895689c85c53618f1c1174a2117afeeea281ebd54b29847724f44f5c48e3572d5cbad1998e19ecec92c87f83dc935 |
C:\Windows\system\kownHma.exe
| MD5 | eabe14c48e3c791d4cbc0e6c415672ae |
| SHA1 | 7df8ec95f0de2d8c67982ba1b026ddf8d818b3a8 |
| SHA256 | b22d4979c3c3ef63571ccd9b39821c9878ff3076b945bc3b5908c144e9a1a4fe |
| SHA512 | ed2f547b24b8a43051b53fd304568b470b43e82da6a510915513bca10aadb9fd3ba725987d0498b189cb98e6121a43ffeb30862c0943d1b58a31436b7aead057 |
C:\Windows\system\JXyjCEb.exe
| MD5 | 5d2ebc58bce4c6926e5d8079a862c028 |
| SHA1 | 97a45abbdb144e8defd28a2dc82b5a981456bbc9 |
| SHA256 | 2c230064c98710ca5df970957f1676703db2088417d708b59685f3171d65e7a9 |
| SHA512 | 8f22a63aeec6240f4622e7b51651059bce5bf0a9faaea9007a7d60eb4de586971e19b43e2fa34b92d3e6e89f90f31e31abaa43bb6ac51caa8dea5d6457b5293c |
memory/3032-107-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2384-117-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/3032-116-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/3032-122-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2376-124-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/3032-127-0x000000013F330000-0x000000013F684000-memory.dmp
memory/2408-126-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/3032-125-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/3032-133-0x000000013F610000-0x000000013F964000-memory.dmp
memory/3032-134-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2300-132-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/3032-131-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/3008-130-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/3032-129-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2128-128-0x000000013F330000-0x000000013F684000-memory.dmp
memory/2708-121-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2544-123-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/3032-120-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2496-119-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/3032-118-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2504-115-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/3032-114-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2604-113-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/3032-112-0x0000000002260000-0x00000000025B4000-memory.dmp
memory/2528-111-0x000000013F600000-0x000000013F954000-memory.dmp
memory/3032-110-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2884-109-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2660-108-0x000000013F6B0000-0x000000013FA04000-memory.dmp
C:\Windows\system\WuFGDKS.exe
| MD5 | 9065792727fe4dc41a9cf204745e23cd |
| SHA1 | 5ac11efe13e5eb55084d4079c00601a841fda25f |
| SHA256 | 269313352bcf965ac18734f56948d2bcdb90ceede8733775d3ad659546de07b4 |
| SHA512 | 50a7a54d6721d07f4d4d673dddb3338c7c148847dca6bb44d947b0bd65cb305d101e73178a8129cd2902aad43eefa90711ca586e110566996d23feb8c11ac989 |
C:\Windows\system\APadUiD.exe
| MD5 | c9a63e49cce5a50bbc0793a253929a95 |
| SHA1 | 3624c035d28b7f045b22bf4e5965080d64149f36 |
| SHA256 | 50928ca0a5690611c5b4aed77a3307eb39882f2d52583ad2200426575203ebb8 |
| SHA512 | 1f2495acc27a6e5761bb3321d9aeaef01cb37b5dc99fe91397d8e685d608497b46dc82880a1486e3736b782a3719b8f3509836846fb8bee77ca6a92b07f74a85 |
C:\Windows\system\KbZupFW.exe
| MD5 | 7955c027b28985acab97352508ccc9f5 |
| SHA1 | 92aa5f9b793c4da0fb9779a1419b106595abfddb |
| SHA256 | e01a174e993fdc0c6578e994194a8b0fcd7c2958beadd14950ee880189e133cf |
| SHA512 | 36ea761d2c00ffb79f0cbbc15e8aa0a207987d0e0035a33d7e2814053483774f8826ac5da599cd423b6149a56b62056609faccab373f117d8e735dc3ead8af90 |
C:\Windows\system\yhOdUgN.exe
| MD5 | 710e760219f328fffa826e9783f1e475 |
| SHA1 | a4f65ccb320a071bb554b0243305db827a3db1ea |
| SHA256 | 75b71cba996c2f4aee08b9155c53d2b46120dcf96346fe7dc9c53fb31ea50167 |
| SHA512 | 86359a05758c7b0b5ad7572c162e6d44957a2bfd0169053c8d9609ebd54b7ac9a39d419b2b60e8820ff3b63b571aee19eaa32c6824bfc855ed50ddb4221ae7dd |
C:\Windows\system\NMrLQBr.exe
| MD5 | 9aa5086bd87c6cc79699df1f51aec170 |
| SHA1 | f22ae6f61dab488763d51d3bc4d6fe37cdc57820 |
| SHA256 | 447df6b84a46015733a17108e24353882b4aac59c6e0e8d2faaa320f5ed009db |
| SHA512 | 323ed91d058823e2ffc05b8f23e347e756233251b65d95b51f1a0c9cb9de541b952d919dc146de554b52d6604fd1b0b9fd6042a44353a16389cc7c4c52ee5e65 |
memory/3032-135-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2528-138-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2884-137-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2660-136-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2604-139-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2504-140-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2384-141-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2708-143-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2496-142-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2544-144-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2376-145-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2408-146-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/2128-147-0x000000013F330000-0x000000013F684000-memory.dmp
memory/2300-149-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/3008-148-0x000000013F370000-0x000000013F6C4000-memory.dmp
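The behaviours recorded above reduce to three host-observable facts: 21 executables are written to C:\Windows\System\ under random 7-letter names and then executed, with the same hashes in both detonations (so the payloads are embedded in the dropper, not generated per run); the parent enables SeLockMemoryPrivilege, which XMRig requests so RandomX can use large pages; and the only non-DNS destination is repeated TCP traffic to 3.120.209.58:8080. The report does not say whether the Cobalt Strike component or the miner owns that connection, so it is treated purely as an indicator. The script below is an added example, not part of the sandbox output: it encodes those three checks and runs them over a constructed, Sysmon-like event list. The event field names, the sample path and the SQL Server control event are assumptions made for the example; the MD5s are copied from the Files section of this report. SeLockMemoryPrivilege alone is not malicious (SQL Server's "Lock pages in memory" is the usual legitimate holder), so the verdict requires two distinct behaviours.

```python
r"""Host triage for the behaviours in this report (added example, not sandbox output).

Checks: (1) random 7-letter mixed-case EXEs dropped into C:\Windows\System\ and/or
known payload MD5s; (2) SeLockMemoryPrivilege enabled from a non-system path;
(3) TCP to 3.120.209.58:8080. EVENTS is constructed Sysmon-like telemetry; its
field names are an assumption for this example, not any vendor's schema.
"""
import re
from collections import Counter

# MD5s of the 21 dropped EXEs, copied from the report (identical in both runs).
DROPPED_MD5 = {
    "yiBMOCx.exe": "1ba083a7f2c6891bd94cd0c533160ba2",
    "NMrLQBr.exe": "9aa5086bd87c6cc79699df1f51aec170",
    "xlEMjvZ.exe": "ed02b89c7d69de80757182fb4f11c926",
    "jemfwWm.exe": "f8d51ea8ef81cb8e2c910e38cf520ff2",
    "KswJVcP.exe": "00280c8a750d57fc26397a1265d4eff9",
    "HtIRPNF.exe": "663bd147529495dac4cdbc9d22358ada",
    "xseSgMX.exe": "320a73e0c3d0b87c4b1a43917ef4fe0a",
    "yhOdUgN.exe": "710e760219f328fffa826e9783f1e475",
    "pLSanqK.exe": "01508583b9d780d2d1269cf6ce6ccf42",
    "KbZupFW.exe": "7955c027b28985acab97352508ccc9f5",
    "JnoaVqQ.exe": "af190da7365024d502bae6a3e956e449",
    "qxaCrsH.exe": "943a31aea717bc29f783cfbdfce652e5",
    "APadUiD.exe": "c9a63e49cce5a50bbc0793a253929a95",
    "WuFGDKS.exe": "9065792727fe4dc41a9cf204745e23cd",
    "BdtlnXv.exe": "cc7927cc1fdceecb2462d15752f1cdb7",
    "JXyjCEb.exe": "5d2ebc58bce4c6926e5d8079a862c028",
    "bmefGLk.exe": "5a675a8381c8ea8a6126d0f2284972bf",
    "kownHma.exe": "eabe14c48e3c791d4cbc0e6c415672ae",
    "WLlHtwr.exe": "56c0beb71972e839d9ad59fedb03a2e8",
    "CGjjUKF.exe": "d0fc1dd04bd681a706e2512aec04f9cf",
    "MsVNxAu.exe": "1e7f747cdbf4b1f9a1e6920407a12b3d",
}

SYSTEM_DIR = "c:\\windows\\system\\"           # C:\Windows\System, not System32
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
# 7 letters with at least one upper and one lower case, as every dropped name has.
NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{7}\.exe$")
C2 = ("3.120.209.58", 8080, "tcp")

SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"  # assumed path
EVENTS = [  # constructed for the example
    {"type": "file_create", "image": SAMPLE, "target": "C:\\Windows\\System\\yiBMOCx.exe",
     "md5": "1ba083a7f2c6891bd94cd0c533160ba2"},
    {"type": "file_create", "image": SAMPLE, "target": "C:\\Windows\\System\\NMrLQBr.exe",
     "md5": "9aa5086bd87c6cc79699df1f51aec170"},
    # control: 7-letter but all-lowercase name, unknown hash -> must not fire
    {"type": "file_create", "image": "C:\\Windows\\System32\\msiexec.exe",
     "target": "C:\\Windows\\System\\notepad.exe", "md5": "0" * 32},
    {"type": "privilege", "image": SAMPLE, "privilege": "SeLockMemoryPrivilege"},
    # control: SQL Server legitimately holds Lock Pages in Memory (assumed path)
    {"type": "privilege", "image": "C:\\Program Files\\Microsoft SQL Server\\sqlservr.exe",
     "privilege": "SeLockMemoryPrivilege"},
    {"type": "network", "image": "C:\\Windows\\System\\yiBMOCx.exe",
     "dst": ("3.120.209.58", 8080, "tcp")},
    {"type": "network", "image": "C:\\Windows\\System32\\svchost.exe",
     "dst": ("8.8.8.8", 53, "udp")},
]


def classify(ev):
    """Return the names of the report behaviours a single event matches."""
    hits = []
    image = ev["image"].lower()
    if ev["type"] == "file_create":
        target = ev["target"]
        name = target.rsplit("\\", 1)[-1]
        if target.lower().startswith(SYSTEM_DIR) and NAME_RE.match(name):
            hits.append("random_exe_in_windows_system")
        if ev.get("md5") in DROPPED_MD5.values():
            hits.append("known_payload_md5")
    elif ev["type"] == "privilege" and ev["privilege"] == "SeLockMemoryPrivilege":
        if not image.startswith(TRUSTED_DIRS):
            hits.append("lock_memory_priv_from_user_path")
    elif ev["type"] == "network" and tuple(ev["dst"]) == C2:
        hits.append("known_c2_endpoint")
    return hits


def triage(events):
    """Count behaviours over all events. The verdict needs two distinct
    behaviours so a lone SeLockMemoryPrivilege or odd filename does not page anyone."""
    counts = Counter(h for ev in events for h in classify(ev))
    verdict = "matches_report" if len(counts) >= 2 else "no_match"
    return {"counts": dict(counts), "verdict": verdict}


if __name__ == "__main__":
    print(triage(EVENTS))
```

On a real host the EVENTS list would be replaced by Sysmon event IDs 11 (FileCreate), 3 (NetworkConnect) and a privilege-use source such as Security event 4703; the thresholds are the part worth tuning, since C:\Windows\System rarely receives new executables at all and the path alone is already a strong signal.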
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 18:19
Reported
2024-06-08 18:22
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; description, indicator, process and target not recorded.
Cobaltstrike
xmrig
XMRig Miner payload
64 hits; description, indicator, process and target not recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\yiBMOCx.exe | N/A |
| N/A | N/A | C:\Windows\System\NMrLQBr.exe | N/A |
| N/A | N/A | C:\Windows\System\xlEMjvZ.exe | N/A |
| N/A | N/A | C:\Windows\System\jemfwWm.exe | N/A |
| N/A | N/A | C:\Windows\System\KswJVcP.exe | N/A |
| N/A | N/A | C:\Windows\System\HtIRPNF.exe | N/A |
| N/A | N/A | C:\Windows\System\xseSgMX.exe | N/A |
| N/A | N/A | C:\Windows\System\yhOdUgN.exe | N/A |
| N/A | N/A | C:\Windows\System\KbZupFW.exe | N/A |
| N/A | N/A | C:\Windows\System\pLSanqK.exe | N/A |
| N/A | N/A | C:\Windows\System\JnoaVqQ.exe | N/A |
| N/A | N/A | C:\Windows\System\qxaCrsH.exe | N/A |
| N/A | N/A | C:\Windows\System\APadUiD.exe | N/A |
| N/A | N/A | C:\Windows\System\WuFGDKS.exe | N/A |
| N/A | N/A | C:\Windows\System\BdtlnXv.exe | N/A |
| N/A | N/A | C:\Windows\System\JXyjCEb.exe | N/A |
| N/A | N/A | C:\Windows\System\bmefGLk.exe | N/A |
| N/A | N/A | C:\Windows\System\kownHma.exe | N/A |
| N/A | N/A | C:\Windows\System\WLlHtwr.exe | N/A |
| N/A | N/A | C:\Windows\System\CGjjUKF.exe | N/A |
| N/A | N/A | C:\Windows\System\MsVNxAu.exe | N/A |
UPX packed file
64 hits; description, indicator, process and target not recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\fc20d4bfb4df25c31c0891e2a2da25e0_NeikiAnalytics.exe"
C:\Windows\System\yiBMOCx.exe
C:\Windows\System\yiBMOCx.exe
C:\Windows\System\NMrLQBr.exe
C:\Windows\System\NMrLQBr.exe
C:\Windows\System\xlEMjvZ.exe
C:\Windows\System\xlEMjvZ.exe
C:\Windows\System\jemfwWm.exe
C:\Windows\System\jemfwWm.exe
C:\Windows\System\KswJVcP.exe
C:\Windows\System\KswJVcP.exe
C:\Windows\System\HtIRPNF.exe
C:\Windows\System\HtIRPNF.exe
C:\Windows\System\xseSgMX.exe
C:\Windows\System\xseSgMX.exe
C:\Windows\System\yhOdUgN.exe
C:\Windows\System\yhOdUgN.exe
C:\Windows\System\pLSanqK.exe
C:\Windows\System\pLSanqK.exe
C:\Windows\System\KbZupFW.exe
C:\Windows\System\KbZupFW.exe
C:\Windows\System\JnoaVqQ.exe
C:\Windows\System\JnoaVqQ.exe
C:\Windows\System\qxaCrsH.exe
C:\Windows\System\qxaCrsH.exe
C:\Windows\System\APadUiD.exe
C:\Windows\System\APadUiD.exe
C:\Windows\System\WuFGDKS.exe
C:\Windows\System\WuFGDKS.exe
C:\Windows\System\BdtlnXv.exe
C:\Windows\System\BdtlnXv.exe
C:\Windows\System\JXyjCEb.exe
C:\Windows\System\JXyjCEb.exe
C:\Windows\System\bmefGLk.exe
C:\Windows\System\bmefGLk.exe
C:\Windows\System\kownHma.exe
C:\Windows\System\kownHma.exe
C:\Windows\System\WLlHtwr.exe
C:\Windows\System\WLlHtwr.exe
C:\Windows\System\CGjjUKF.exe
C:\Windows\System\CGjjUKF.exe
C:\Windows\System\MsVNxAu.exe
C:\Windows\System\MsVNxAu.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| IE | 52.111.236.23:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3192-0-0x00007FF613880000-0x00007FF613BD4000-memory.dmp
memory/3192-1-0x0000027734C60000-0x0000027734C70000-memory.dmp
memory/4616-8-0x00007FF6062D0000-0x00007FF606624000-memory.dmp
C:\Windows\System\yiBMOCx.exe
| MD5 | 1ba083a7f2c6891bd94cd0c533160ba2 |
| SHA1 | 89dfeff30edef71bbbac348935a28a432488ffc3 |
| SHA256 | d2f1ecab8335cc7a10e5c6db167ad5c065769f0782e7e9263e4d5e37faaa468f |
| SHA512 | bd684237c0dc9f5cf46263cb208faf41365be97bd358cb9b2683b07f020c09dddf11f3382e7275e245eccbfc1fbed7544111f7fee1a210fd482a6777b1d722c9 |
C:\Windows\System\NMrLQBr.exe
| MD5 | 9aa5086bd87c6cc79699df1f51aec170 |
| SHA1 | f22ae6f61dab488763d51d3bc4d6fe37cdc57820 |
| SHA256 | 447df6b84a46015733a17108e24353882b4aac59c6e0e8d2faaa320f5ed009db |
| SHA512 | 323ed91d058823e2ffc05b8f23e347e756233251b65d95b51f1a0c9cb9de541b952d919dc146de554b52d6604fd1b0b9fd6042a44353a16389cc7c4c52ee5e65 |
C:\Windows\System\xlEMjvZ.exe
| MD5 | ed02b89c7d69de80757182fb4f11c926 |
| SHA1 | e487caeec3f8ae1e40d2131e20b8355712e8e055 |
| SHA256 | 1815189b1e7709d9f041f6632195c751cf4f3ce9a359936f185dcb00bb2b30c1 |
| SHA512 | 3ffedb1557c128a6907ac769ee3573a290125d733861d2b1cc62d86a51389a27f6ed5f08effd3053b9e2c4bef363371bb099b423afe023722f19b5627726a92d |
memory/3784-20-0x00007FF6DBB70000-0x00007FF6DBEC4000-memory.dmp
C:\Windows\System\jemfwWm.exe
| MD5 | f8d51ea8ef81cb8e2c910e38cf520ff2 |
| SHA1 | e14f5a4f5be9ac0eabfaa0da8e4a81c433c9514e |
| SHA256 | d358504d9148166954fb1c5b432bf94b8f373f4a6ec626a393a7d920105d35d2 |
| SHA512 | ea72662a7577979c38417e762373cb8854c55676581165a4a8699f1e06463791962af710152033243e20baba8082dfa01e2818f9ade7f167c9576230a474bb3c |
memory/3640-22-0x00007FF603080000-0x00007FF6033D4000-memory.dmp
C:\Windows\System\KswJVcP.exe
| MD5 | 00280c8a750d57fc26397a1265d4eff9 |
| SHA1 | 837aa7eee353e5135b0fca7fe2f63fa2eeda93a3 |
| SHA256 | a7fb3adbcc41e8e46463c064c0ee86058800276ec2704c1ea2ce79725ef26e80 |
| SHA512 | 629c36e9ff33a976344afc6bcb511491a745863189cc81e8702879867d66596467156f8759d3126bba73586372b9dcd2aef21aae69f2dfb3dbd8de703f668ffc |
memory/4104-32-0x00007FF762520000-0x00007FF762874000-memory.dmp
memory/4980-27-0x00007FF667270000-0x00007FF6675C4000-memory.dmp
C:\Windows\System\HtIRPNF.exe
| MD5 | 663bd147529495dac4cdbc9d22358ada |
| SHA1 | 799270247c632a2c8023001bcb0272bff5056fd3 |
| SHA256 | b9b48c68646d8b47ace6c0d4e13a45b89ddefbb1d550fc75249d0733db358ff7 |
| SHA512 | ac6cc42128616d93a28860ebe0e74bc3ec184ab5d1b4fe368a7db8d8bd8909f63b2d917f3756ca5c5daed80464014f5ef6b30d850e57f47d6e8f1530187a873a |
C:\Windows\System\xseSgMX.exe
| MD5 | 320a73e0c3d0b87c4b1a43917ef4fe0a |
| SHA1 | ac0b5b1fe70b6a07048152f5dc0741cce6995416 |
| SHA256 | f8c0426fb320fdf2277772347fd2a79c99ad8cf81c12df24fa755ae8a13b7817 |
| SHA512 | e991730f3f760020bbac138f204c1f24026011d3ee82ebad82c15a6f04b482d278ab6c66dc2b6fd4c746605e60cbe7d9ec5ad0f3fb31f941fc2c79c70d3fed18 |
C:\Windows\System\yhOdUgN.exe
| MD5 | 710e760219f328fffa826e9783f1e475 |
| SHA1 | a4f65ccb320a071bb554b0243305db827a3db1ea |
| SHA256 | 75b71cba996c2f4aee08b9155c53d2b46120dcf96346fe7dc9c53fb31ea50167 |
| SHA512 | 86359a05758c7b0b5ad7572c162e6d44957a2bfd0169053c8d9609ebd54b7ac9a39d419b2b60e8820ff3b63b571aee19eaa32c6824bfc855ed50ddb4221ae7dd |
memory/3360-46-0x00007FF622630000-0x00007FF622984000-memory.dmp
C:\Windows\System\pLSanqK.exe
| MD5 | 01508583b9d780d2d1269cf6ce6ccf42 |
| SHA1 | d7604386d1b670739144435c1890d32248e8eece |
| SHA256 | 981a6a4c7113153a837595cd66ffc33e87d37fbcfc359ab765831cfe707220cf |
| SHA512 | 8093cfcfa55a246ec6221ec3a3010ac78e18ff3d988c4e26b9e5f1c028514a22ef3a0bc12ec69f15cf9fc6dc9876a3b665fa09c32f7188a7937376ebc460ab59 |
C:\Windows\System\JnoaVqQ.exe
| MD5 | af190da7365024d502bae6a3e956e449 |
| SHA1 | 2d9289d12b775792d61e43f78f790a7eb746f645 |
| SHA256 | 1caf7f6269f51403c1a18da2fcb68cb73ad3957334f51a2cda80a53205dec0a5 |
| SHA512 | d8c381b328a678b91e56a53ca967e5a6105e950824183df2dbf4753f8ed30113dd9895ca7fc68a0ea20d32550365d04df5d4a3107369d264f9f9b05e95338aae |
C:\Windows\System\qxaCrsH.exe
| MD5 | 943a31aea717bc29f783cfbdfce652e5 |
| SHA1 | 8a2ea19f2a322a71984cd6060eb09f5c82f185d6 |
| SHA256 | c4d86124b0ab9f2136e82f4a31689d84046e4440e7cc77e048e174f4ad80152c |
| SHA512 | 923e284bb52a462dd1f7b5b5f279ec34cfa8a77b84f16af17c86c1ad18f6908ef3cfc22763d8d7df8173624778b09fbd863b5196afe352620471512d55d7ac6f |
memory/1620-71-0x00007FF7D8030000-0x00007FF7D8384000-memory.dmp
memory/4856-73-0x00007FF62FA40000-0x00007FF62FD94000-memory.dmp
memory/3420-74-0x00007FF719D90000-0x00007FF71A0E4000-memory.dmp
C:\Windows\System\APadUiD.exe
| MD5 | c9a63e49cce5a50bbc0793a253929a95 |
| SHA1 | 3624c035d28b7f045b22bf4e5965080d64149f36 |
| SHA256 | 50928ca0a5690611c5b4aed77a3307eb39882f2d52583ad2200426575203ebb8 |
| SHA512 | 1f2495acc27a6e5761bb3321d9aeaef01cb37b5dc99fe91397d8e685d608497b46dc82880a1486e3736b782a3719b8f3509836846fb8bee77ca6a92b07f74a85 |
C:\Windows\System\BdtlnXv.exe
| MD5 | cc7927cc1fdceecb2462d15752f1cdb7 |
| SHA1 | a2ae203ae236ca32eb00c99a32b6b23fe11181c0 |
| SHA256 | f07e15e1d292f540895b66af479ff4e0f8aa4239f8b9605f2b3ae627254f49d8 |
| SHA512 | 04b3449785d8ba9bee336b664f4777725420c4c7089803bc94064d0fee06e4de97a770bd936cc8941b5dc6df784ebb261919be73b315747dca09be4b07f15a2f |
memory/996-92-0x00007FF6E00F0000-0x00007FF6E0444000-memory.dmp
memory/3800-91-0x00007FF7C2420000-0x00007FF7C2774000-memory.dmp
C:\Windows\System\WuFGDKS.exe
| MD5 | 9065792727fe4dc41a9cf204745e23cd |
| SHA1 | 5ac11efe13e5eb55084d4079c00601a841fda25f |
| SHA256 | 269313352bcf965ac18734f56948d2bcdb90ceede8733775d3ad659546de07b4 |
| SHA512 | 50a7a54d6721d07f4d4d673dddb3338c7c148847dca6bb44d947b0bd65cb305d101e73178a8129cd2902aad43eefa90711ca586e110566996d23feb8c11ac989 |
memory/3600-84-0x00007FF7F7960000-0x00007FF7F7CB4000-memory.dmp
memory/1416-72-0x00007FF745600000-0x00007FF745954000-memory.dmp
memory/3588-66-0x00007FF6820A0000-0x00007FF6823F4000-memory.dmp
memory/4492-63-0x00007FF74F030000-0x00007FF74F384000-memory.dmp
C:\Windows\System\KbZupFW.exe
| MD5 | 7955c027b28985acab97352508ccc9f5 |
| SHA1 | 92aa5f9b793c4da0fb9779a1419b106595abfddb |
| SHA256 | e01a174e993fdc0c6578e994194a8b0fcd7c2958beadd14950ee880189e133cf |
| SHA512 | 36ea761d2c00ffb79f0cbbc15e8aa0a207987d0e0035a33d7e2814053483774f8826ac5da599cd423b6149a56b62056609faccab373f117d8e735dc3ead8af90 |
C:\Windows\System\bmefGLk.exe
| MD5 | 5a675a8381c8ea8a6126d0f2284972bf |
| SHA1 | 3589b0e8b28bea062827cc936f3458689f3336cb |
| SHA256 | 2f97279681c7a7c3e22cdf125f0e23ce0728411d9f7b0771141220420fa98318 |
| SHA512 | af889d222664d125388d7cc2a73640d8f92e5174734c62b987e460c372291713b5e51680e250ccd5849da406a8ff377fb31b6e85ad750125940873b8089740a8 |
memory/4988-99-0x00007FF6661D0000-0x00007FF666524000-memory.dmp
memory/4616-117-0x00007FF6062D0000-0x00007FF606624000-memory.dmp
C:\Windows\System\CGjjUKF.exe
| MD5 | d0fc1dd04bd681a706e2512aec04f9cf |
| SHA1 | f0c25636ea457192de521b881791cd91cdc65027 |
| SHA256 | 78204ff3d23bf655092f5ea19f7474c040e3eabac4733f8b14fd0a213adeb839 |
| SHA512 | 4d187b697e1943fa7793c37ec177cc2594f895689c85c53618f1c1174a2117afeeea281ebd54b29847724f44f5c48e3572d5cbad1998e19ecec92c87f83dc935 |
memory/1916-130-0x00007FF794BE0000-0x00007FF794F34000-memory.dmp
memory/3640-128-0x00007FF603080000-0x00007FF6033D4000-memory.dmp
memory/3864-127-0x00007FF600040000-0x00007FF600394000-memory.dmp
C:\Windows\System\MsVNxAu.exe
| MD5 | 1e7f747cdbf4b1f9a1e6920407a12b3d |
| SHA1 | f722c9192585ca11aa6ad7d7610aaa141aec0699 |
| SHA256 | eabdd18a08b46be02881d870c674786b288831f2c775fa41ab7dc7dc53d366a9 |
| SHA512 | 4ad768141dfc14494e1f20a5c7fb090ea3f1dc1132e40ff9aeed6baf2195cf0d3c7b21e2aae4c04999e558198340a2e1d9673082420244985eda748d367aefc5 |
memory/4688-122-0x00007FF65B840000-0x00007FF65BB94000-memory.dmp
C:\Windows\System\WLlHtwr.exe
| MD5 | 56c0beb71972e839d9ad59fedb03a2e8 |
| SHA1 | 94d59782b5b87cfb72fbe627713e2a1b2923a959 |
| SHA256 | 3d33d5d04247febc2919eed5174e6c3fa68068ea3dfb21049ab5d54d91495eba |
| SHA512 | 7591d416300ddebcd9fa2662eae610258cb4fd4bdef70c1a26368bd2e7e59c56f2fa6ef0cfb00f8c96ff52547363724fa03d25f10a171b0339b48bcee5191d6b |
C:\Windows\System\kownHma.exe
| MD5 | eabe14c48e3c791d4cbc0e6c415672ae |
| SHA1 | 7df8ec95f0de2d8c67982ba1b026ddf8d818b3a8 |
| SHA256 | b22d4979c3c3ef63571ccd9b39821c9878ff3076b945bc3b5908c144e9a1a4fe |
| SHA512 | ed2f547b24b8a43051b53fd304568b470b43e82da6a510915513bca10aadb9fd3ba725987d0498b189cb98e6121a43ffeb30862c0943d1b58a31436b7aead057 |
memory/3824-111-0x00007FF6B7790000-0x00007FF6B7AE4000-memory.dmp
memory/2900-105-0x00007FF635AC0000-0x00007FF635E14000-memory.dmp
memory/3192-104-0x00007FF613880000-0x00007FF613BD4000-memory.dmp
C:\Windows\System\JXyjCEb.exe
| MD5 | 5d2ebc58bce4c6926e5d8079a862c028 |
| SHA1 | 97a45abbdb144e8defd28a2dc82b5a981456bbc9 |
| SHA256 | 2c230064c98710ca5df970957f1676703db2088417d708b59685f3171d65e7a9 |
| SHA512 | 8f22a63aeec6240f4622e7b51651059bce5bf0a9faaea9007a7d60eb4de586971e19b43e2fa34b92d3e6e89f90f31e31abaa43bb6ac51caa8dea5d6457b5293c |
memory/4492-131-0x00007FF74F030000-0x00007FF74F384000-memory.dmp
memory/3600-132-0x00007FF7F7960000-0x00007FF7F7CB4000-memory.dmp
memory/3800-133-0x00007FF7C2420000-0x00007FF7C2774000-memory.dmp
memory/4988-134-0x00007FF6661D0000-0x00007FF666524000-memory.dmp
memory/2900-135-0x00007FF635AC0000-0x00007FF635E14000-memory.dmp
memory/3824-136-0x00007FF6B7790000-0x00007FF6B7AE4000-memory.dmp
memory/3864-137-0x00007FF600040000-0x00007FF600394000-memory.dmp
memory/1916-138-0x00007FF794BE0000-0x00007FF794F34000-memory.dmp
memory/4616-139-0x00007FF6062D0000-0x00007FF606624000-memory.dmp
memory/3784-140-0x00007FF6DBB70000-0x00007FF6DBEC4000-memory.dmp
memory/3640-141-0x00007FF603080000-0x00007FF6033D4000-memory.dmp
memory/4980-142-0x00007FF667270000-0x00007FF6675C4000-memory.dmp
memory/4104-143-0x00007FF762520000-0x00007FF762874000-memory.dmp
memory/3360-144-0x00007FF622630000-0x00007FF622984000-memory.dmp
memory/4856-145-0x00007FF62FA40000-0x00007FF62FD94000-memory.dmp
memory/3420-146-0x00007FF719D90000-0x00007FF71A0E4000-memory.dmp
memory/4492-147-0x00007FF74F030000-0x00007FF74F384000-memory.dmp
memory/1620-149-0x00007FF7D8030000-0x00007FF7D8384000-memory.dmp
memory/3588-148-0x00007FF6820A0000-0x00007FF6823F4000-memory.dmp
memory/1416-150-0x00007FF745600000-0x00007FF745954000-memory.dmp
memory/3600-151-0x00007FF7F7960000-0x00007FF7F7CB4000-memory.dmp
memory/3800-152-0x00007FF7C2420000-0x00007FF7C2774000-memory.dmp
memory/996-153-0x00007FF6E00F0000-0x00007FF6E0444000-memory.dmp
memory/4988-154-0x00007FF6661D0000-0x00007FF666524000-memory.dmp
memory/2900-155-0x00007FF635AC0000-0x00007FF635E14000-memory.dmp
memory/3824-156-0x00007FF6B7790000-0x00007FF6B7AE4000-memory.dmp
memory/4688-157-0x00007FF65B840000-0x00007FF65BB94000-memory.dmp
memory/3864-158-0x00007FF600040000-0x00007FF600394000-memory.dmp
memory/1916-159-0x00007FF794BE0000-0x00007FF794F34000-memory.dmp
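Added example (not part of the sandbox report): a Python parser that turns this dropped-file listing into a SHA256 blocklist and sanity-checks the memory-dump entries. The sample input is copied from the lines above; the memory/PID-N-start-end-memory.dmp naming is assumed to mean process id, dump sequence number, region start and region end, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the dropped-files section of this
# report (two dropped executables, their hash tables, and a few memory dumps).
SAMPLE_REPORT = r"""
C:\Windows\System\qxaCrsH.exe
| MD5 | 943a31aea717bc29f783cfbdfce652e5 |
| SHA1 | 8a2ea19f2a322a71984cd6060eb09f5c82f185d6 |
| SHA256 | c4d86124b0ab9f2136e82f4a31689d84046e4440e7cc77e048e174f4ad80152c |
| SHA512 | 923e284bb52a462dd1f7b5b5f279ec34cfa8a77b84f16af17c86c1ad18f6908ef3cfc22763d8d7df8173624778b09fbd863b5196afe352620471512d55d7ac6f |
memory/1620-71-0x00007FF7D8030000-0x00007FF7D8384000-memory.dmp
memory/4856-73-0x00007FF62FA40000-0x00007FF62FD94000-memory.dmp
C:\Windows\System\APadUiD.exe
| MD5 | c9a63e49cce5a50bbc0793a253929a95 |
| SHA1 | 3624c035d28b7f045b22bf4e5965080d64149f36 |
| SHA256 | 50928ca0a5690611c5b4aed77a3307eb39882f2d52583ad2200426575203ebb8 |
| SHA512 | 1f2495acc27a6e5761bb3321d9aeaef01cb37b5dc99fe91397d8e685d608497b46dc82880a1486e3736b782a3719b8f3509836846fb8bee77ca6a92b07f74a85 |
memory/4492-63-0x00007FF74F030000-0x00007FF74F384000-memory.dmp
memory/4492-131-0x00007FF74F030000-0x00007FF74F384000-memory.dmp
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                      # a dropped-file path line
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# Assumed layout of the dump names: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits


def parse_report(text):
    """Walk the listing top to bottom; hash rows attach to the most recent path."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
        elif (m := HASH_RE.match(line)):
            if current is None:
                raise ValueError(f"hash row before any file path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:      # catches truncated/garbled digests
                raise ValueError(f"{algo} digest has wrong length: {line}")
            current["hashes"][algo] = digest
        elif (m := DUMP_RE.match(line)):
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            if end <= start:
                raise ValueError(f"empty or inverted region: {line}")
            dumps.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                          "start": start, "end": end, "size": end - start})
        # any other line (headings, signature tables) is not part of this listing
    return files, dumps


def blocklist(files):
    """Sorted SHA256 set for blocklisting; entries without a SHA256 are skipped."""
    return sorted(f["hashes"]["SHA256"] for f in files if "SHA256" in f["hashes"])


def region_sizes(dumps):
    """Distinct region sizes; a single value means every dump spans the same image size."""
    return sorted({d["size"] for d in dumps})


def image_bases(dumps):
    """pid -> set of region bases; repeated dumps of one process collapse to one base."""
    by_pid = defaultdict(set)
    for d in dumps:
        by_pid[d["pid"]].add(d["start"])
    return dict(by_pid)


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE_REPORT)
    for f in files:
        print(f["path"], f["hashes"].get("SHA256"))
    print("distinct region sizes:", [hex(s) for s in region_sizes(dumps)])
    print("processes with dumps:",
          {pid: [hex(b) for b in bases] for pid, bases in image_bases(dumps).items()})
```

Run against the full section, `region_sizes` returns the single value 0x354000: every dump entry above, whatever the process id, covers a region of exactly that size at a 0x00007FF6.../0x00007FF7... base, which is what you would expect from the same 64-bit image being mapped at an ASLR-chosen base in each process. Repeated dumps of one pid (4492 appears three times) collapse to one base in `image_bases`, so the count of keys is the number of distinct processes the sandbox dumped, not the number of dump files.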