Analysis Overview
SHA256
17efb0828b6ab2a1b7b233dae9de80d1c5eefad1425918d597ca31128656ff8d
Threat Level: Known bad
The file 315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Xmrig family
Cobaltstrike family
Cobalt Strike reflective loader
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 10:14
Signatures
Cobalt Strike reflective loader
1 hit; no description, indicator, process or target was captured.
Cobaltstrike family
XMRig Miner payload
1 hit; no description, indicator, process or target was captured.
Xmrig family
UPX packed file
1 hit; no description, indicator, process or target was captured.
Unsigned PE
1 hit; no description, indicator, process or target was captured.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 10:14
Reported
2024-06-11 10:17
Platform
win7-20240221-en
Max time kernel
135s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; no description, indicator, process or target was captured for any of them.
Cobaltstrike
xmrig
XMRig Miner payload
59 hits; no description, indicator, process or target was captured for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\cFsarHy.exe | N/A |
| N/A | N/A | C:\Windows\System\quYtnTN.exe | N/A |
| N/A | N/A | C:\Windows\System\fvEVORI.exe | N/A |
| N/A | N/A | C:\Windows\System\cNfNXoA.exe | N/A |
| N/A | N/A | C:\Windows\System\wfiQsrB.exe | N/A |
| N/A | N/A | C:\Windows\System\xHTAlxb.exe | N/A |
| N/A | N/A | C:\Windows\System\uYnisos.exe | N/A |
| N/A | N/A | C:\Windows\System\vXAZwMA.exe | N/A |
| N/A | N/A | C:\Windows\System\UPmqkyR.exe | N/A |
| N/A | N/A | C:\Windows\System\dJUZpGo.exe | N/A |
| N/A | N/A | C:\Windows\System\JWTDwlc.exe | N/A |
| N/A | N/A | C:\Windows\System\LHrconq.exe | N/A |
| N/A | N/A | C:\Windows\System\Pyzasop.exe | N/A |
| N/A | N/A | C:\Windows\System\jsfBfCQ.exe | N/A |
| N/A | N/A | C:\Windows\System\LFJFumm.exe | N/A |
| N/A | N/A | C:\Windows\System\dgXDDLT.exe | N/A |
| N/A | N/A | C:\Windows\System\iztWucA.exe | N/A |
| N/A | N/A | C:\Windows\System\lbOTzQt.exe | N/A |
| N/A | N/A | C:\Windows\System\akMsPFn.exe | N/A |
| N/A | N/A | C:\Windows\System\bnjwzif.exe | N/A |
| N/A | N/A | C:\Windows\System\QxqbHHK.exe | N/A |
Loads dropped DLL
UPX packed file
58 hits; no description, indicator, process or target was captured for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe"
C:\Windows\System\cFsarHy.exe
C:\Windows\System\cFsarHy.exe
C:\Windows\System\quYtnTN.exe
C:\Windows\System\quYtnTN.exe
C:\Windows\System\fvEVORI.exe
C:\Windows\System\fvEVORI.exe
C:\Windows\System\cNfNXoA.exe
C:\Windows\System\cNfNXoA.exe
C:\Windows\System\wfiQsrB.exe
C:\Windows\System\wfiQsrB.exe
C:\Windows\System\xHTAlxb.exe
C:\Windows\System\xHTAlxb.exe
C:\Windows\System\uYnisos.exe
C:\Windows\System\uYnisos.exe
C:\Windows\System\vXAZwMA.exe
C:\Windows\System\vXAZwMA.exe
C:\Windows\System\UPmqkyR.exe
C:\Windows\System\UPmqkyR.exe
C:\Windows\System\dJUZpGo.exe
C:\Windows\System\dJUZpGo.exe
C:\Windows\System\JWTDwlc.exe
C:\Windows\System\JWTDwlc.exe
C:\Windows\System\LHrconq.exe
C:\Windows\System\LHrconq.exe
C:\Windows\System\Pyzasop.exe
C:\Windows\System\Pyzasop.exe
C:\Windows\System\jsfBfCQ.exe
C:\Windows\System\jsfBfCQ.exe
C:\Windows\System\LFJFumm.exe
C:\Windows\System\LFJFumm.exe
C:\Windows\System\dgXDDLT.exe
C:\Windows\System\dgXDDLT.exe
C:\Windows\System\iztWucA.exe
C:\Windows\System\iztWucA.exe
C:\Windows\System\lbOTzQt.exe
C:\Windows\System\lbOTzQt.exe
C:\Windows\System\akMsPFn.exe
C:\Windows\System\akMsPFn.exe
C:\Windows\System\bnjwzif.exe
C:\Windows\System\bnjwzif.exe
C:\Windows\System\QxqbHHK.exe
C:\Windows\System\QxqbHHK.exe
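The three behaviours the signatures above hang on (random-named executables run from C:\Windows\System, SeLockMemoryPrivilege enabled from a user-writable path, and a repeated TCP connection to one host on a non-standard port) are easy to turn into a host-side heuristic. The following Python is an added example, not the sandbox's signature logic: it runs over a constructed event list modelled on this report, with parent PIDs assumed because the process listing above does not show the tree. SeLockMemoryPrivilege is what XMRig requests for large pages, but SQL Server and similar also enable it legitimately, so it is scored as one finding rather than a verdict on its own.

```python
"""Heuristic triage of process, privilege and network events for the pattern in this report."""
import re
from collections import defaultdict

# The dropped files in this report are seven mixed-case letters plus ".exe",
# written directly into C:\Windows\System (not System32), e.g. cFsarHy.exe.
DROPPER_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
SYSTEM_DIR = "c:\\windows\\system\\"

# SeLockMemoryPrivilege allows large pages; XMRig enables it for RandomX.
# Assumption: any process enabling it is worth a finding (legitimate users
# such as SQL Server exist, so this is one signal, not a verdict).
MINER_PRIVILEGES = {"SeLockMemoryPrivilege"}

# Constructed sample events modelled on this report (not a sandbox export);
# parent PIDs are assumed, the report does not show the process tree.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2240, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe"},
    {"type": "privilege", "pid": 2240, "privilege": "SeLockMemoryPrivilege"},
    {"type": "privilege", "pid": 2240, "privilege": "SeLockMemoryPrivilege"},
    {"type": "process", "pid": 2956, "ppid": 2240, "image": r"C:\Windows\System\cFsarHy.exe"},
    {"type": "process", "pid": 1664, "ppid": 2240, "image": r"C:\Windows\System\quYtnTN.exe"},
    {"type": "process", "pid": 2568, "ppid": 2240, "image": r"C:\Windows\System\fvEVORI.exe"},
    {"type": "process", "pid": 4100, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "network", "pid": 2240, "dst": "3.120.209.58", "port": 8080, "proto": "tcp"},
    {"type": "network", "pid": 2240, "dst": "3.120.209.58", "port": 8080, "proto": "tcp"},
    {"type": "network", "pid": 2240, "dst": "3.120.209.58", "port": 8080, "proto": "tcp"},
]


def is_system_dir_drop(image):
    """True for a random-named exe sitting directly in C:\\Windows\\System."""
    low = image.lower()
    if not low.startswith(SYSTEM_DIR):
        return False
    name = image[len(SYSTEM_DIR):]
    return "\\" not in name and DROPPER_NAME.match(name) is not None


def triage(events, beacon_threshold=3):
    """Return the findings corresponding to the report's three behaviours."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    findings = {"dropped_exes": [], "miner_privilege": [], "beacons": []}
    seen_priv = set()
    conns = defaultdict(int)
    for e in events:
        if e["type"] == "process" and is_system_dir_drop(e["image"]):
            findings["dropped_exes"].append((e["image"], images.get(e["ppid"])))
        elif e["type"] == "privilege" and e["privilege"] in MINER_PRIVILEGES:
            key = (e["pid"], e["privilege"])
            if key not in seen_priv:          # the report logs the same token twice
                seen_priv.add(key)
                findings["miner_privilege"].append((e["pid"], images.get(e["pid"])))
        elif e["type"] == "network" and e["proto"] == "tcp":
            conns[(e["pid"], e["dst"], e["port"])] += 1
    for (pid, dst, port), n in conns.items():
        if n >= beacon_threshold:             # repeated connects to one host:port
            findings["beacons"].append(
                {"pid": pid, "image": images.get(pid), "dst": f"{dst}:{port}", "count": n})
    return findings


def verdict(findings):
    """Two or more independent findings together look like this sample; one alone is only suspicious."""
    hits = sum(1 for v in findings.values() if v)
    if hits >= 2:
        return "known-bad-like"
    return "suspicious" if hits == 1 else "clean"


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for kind, items in result.items():
        print(kind, items)
    print("verdict:", verdict(result))
```

On a real endpoint the event list would come from Sysmon (event IDs 1 and 3) or an EDR export; the scoring in `verdict` is deliberately simple so that each finding can be tuned or suppressed on its own.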
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Six identical TCP connections to this destination were recorded; no domain was associated with it.
Files
memory/2240-0-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2240-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\cFsarHy.exe
| MD5 | 7092f59456f81d21a72726317d2f3368 |
| SHA1 | 7f8abc1dd2c9dcc72f1765240b6a934d62917a2c |
| SHA256 | 17880c839a19cda55835135aa19fb9e860e6df56eaf4aebad6df83d7bedfafec |
| SHA512 | 3d36924535caed3aa0eff14170052ea45ee45c9c4b929a228cafeec97b8a2138bd31497a35013e251230584a97db1f7acb5778781adc380db6cabd1d5b74b3bc |
\Windows\system\quYtnTN.exe
| MD5 | d4a5bb65e258f70866bf878855dc465d |
| SHA1 | 44ba46ac5b4f903c55bf92e8473152f3322c497c |
| SHA256 | 991f5ee8aeb12b34499e57bc1916f614d0da9d547f3613d5fdd54e3e2f1ba5e0 |
| SHA512 | 054507608f8f534f99493fbdc6f5bf01a7500a5836dc66c7b25190ba412db5811ac316de5f40dec2fa4a8fa52aee9adb52d549403587e4ddf9c7553a0907d6a8 |
memory/2956-13-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/1664-15-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2240-14-0x0000000002450000-0x00000000027A4000-memory.dmp
C:\Windows\system\fvEVORI.exe
| MD5 | 4d62adf5afb5428d9656cf953f6d8f15 |
| SHA1 | 2ac29df2a7be44e3b7d19b6ae33a1ac1ffe241cf |
| SHA256 | 53f30f7b672f2ed53c022cf9ee3bf18e2b6344c3b6a07ab7341b5587485527aa |
| SHA512 | edec609a6b1739fdf0ec633dc6386b369cc1af467dccef286f0c725997aec37950102e6d9bffe4f88d04a77d9d5fd7e2f5c34fab3217a17824b640562df35c8d |
memory/2240-23-0x0000000002450000-0x00000000027A4000-memory.dmp
\Windows\system\cNfNXoA.exe
| MD5 | 40c5924ec2b8c02c0e0833d7cd6bbd1d |
| SHA1 | e9e9a7d50186d7e7f3ffaa26396e233682038ed3 |
| SHA256 | 81dda8d59912d2f3f634703a39267d497540924c36098a197cbbf3e8c605e0f0 |
| SHA512 | 10545b008286c3f4e8570dc3ddc8c82315e2879dfeee52daba1dee94e5a1354eee1b26d4e93bb2d83e2434058e3e6f0d604586d5d4634f2c14d3859545aaff7f |
C:\Windows\system\wfiQsrB.exe
| MD5 | baa6372b9a43003b5f7acc87825e4c6c |
| SHA1 | 1d455d57345d76245718cd17c36a46a3217fd869 |
| SHA256 | 4993933555a5117931cd6eedb757db5c47dd3b7c01ae5a9c848d70ed6dab6a09 |
| SHA512 | 45f804429c96d16b68728aa3792028c30a1efc3af7fc4febffbe35922431ddf074b36f14957d9121c122c8df88479e9b008dd5b8ceb6fe0872751d789336cf03 |
C:\Windows\system\xHTAlxb.exe
| MD5 | dfd61c5241308dd7d020a4c7ca474225 |
| SHA1 | d3f35cd264ebe699b5f40a9854dbfe0fab2beab6 |
| SHA256 | 4428f0a84dd2aa0e593e0c7370c6d765b34cdb4b81dec76938927affb976fc81 |
| SHA512 | 36e3e8a5ade450b31ef9d1e0426f74dc47525fa7c14a9b9a11dfe7bea6ed88abb1c7cae0eabf3c803253f6db29cdff77a416ac4487638a6a1b5adbbd5b8ad83c |
memory/2528-35-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2796-43-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2240-40-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2616-33-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2240-31-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2240-30-0x0000000002450000-0x00000000027A4000-memory.dmp
memory/2568-28-0x000000013FDA0000-0x00000001400F4000-memory.dmp
C:\Windows\system\vXAZwMA.exe
| MD5 | 2199afb580d28ce78acb02cbf4523f8f |
| SHA1 | 363563bf3c09f0a5b65ec3f6236d43f720601c93 |
| SHA256 | 1aa1bca92b52f419fb7bcb8089c1499b29e32134583ff22235581e9fbe63ff26 |
| SHA512 | fa98c05e508b2f33d91613ae3c1905f83d6d3d4e5cf04d97317438d59d3fa0aa8f0b7d20dabb8003f6d339df6744975e7fb54aea69b01c89720ca32187ccf7db |
memory/2240-55-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2396-56-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2240-61-0x000000013FC80000-0x000000013FFD4000-memory.dmp
C:\Windows\system\UPmqkyR.exe
| MD5 | 7d85cb4594ab7ff992e3adc1b03d4604 |
| SHA1 | 4f7bce8bc157c705c72bfed18d89de6b0f1c0448 |
| SHA256 | 4e52e4793a2d6f9f0b6ded2c2e5cce89ed2fe3ddcf431edfc6dd760ea3e1a325 |
| SHA512 | 052e4fb067a043a099b8ca6bd560271040642f10d3a271137abd4db07e140eafa0eb549202a7186597c3926dda45b5f0ca3ce280e9448c77b9b91ee7f3236471 |
C:\Windows\system\dJUZpGo.exe
| MD5 | fd716008dadd9c66303d997c174d5104 |
| SHA1 | 05c47cc9cda7c91985c6f0a47c16be531fb27f7a |
| SHA256 | 811c84e0c8861fe874725282a7ecafa472edb7195303079c8590d9b204965a90 |
| SHA512 | 7c13623865ac00d0da8892c2d8eb8eb8a82ac925d6f060046427c4896da9076a6c2ce7964702282fb3a2b75c5fb0af82a0f2234a51355a5c83d169eeb984fd85 |
C:\Windows\system\JWTDwlc.exe
| MD5 | fee8617dece58b063a78f1a45f360660 |
| SHA1 | 313dcf05ac286755f64936eea8a7fb15bc9eafee |
| SHA256 | 36c0d52bf30fe5ae36a7ff3785f23601143ea71624876517fd84b80c35239167 |
| SHA512 | ce02606b56ba2e3f6fd10b8e194329db38f7cda7232ffa983a2b822c230c5d9d77f7c66f346423d9dd83e7dd310e2b20f3287491037f8e167877e03d8e099258 |
C:\Windows\system\jsfBfCQ.exe
| MD5 | 3ad46408326cc8cf3d5e0a56c15b06c8 |
| SHA1 | 7f54c9e011336ea5bc574dd560bb55391a13100f |
| SHA256 | 382957bd95a1caed8303b5bc8b0c9047c465ffe375fc5665d82fd4867a1e1517 |
| SHA512 | 916f4362d1c1d197ff5f16090cf001283c8e4989bb0e1de85519e87dd5e549185d47fc20c43a7f3beea5aea165dca411aef055d208e395668b6aac2ba2e6f864 |
C:\Windows\system\Pyzasop.exe
| MD5 | ee71129d3784fa2ae3a367f20a9547b5 |
| SHA1 | 4e0a8009b646c718a3b3b5975262b1ee621f1d72 |
| SHA256 | bba88f35b87a9b8f24439d0760805cc88cf4340270885f2383dd15fd317a1738 |
| SHA512 | 0e0219c5c9ea264cccdd344d6fc88f1c77f7aca0c92ec2696b0a57ada10515e1794274e3c1fdec1395ad1c199cc6b00333731a4ac542ea5d4650b4c20d3f54f8 |
\Windows\system\LFJFumm.exe
| MD5 | fef7357a3032184780d9100ec1bc1dcd |
| SHA1 | e35ade8d3084650f65771cc30730fb4d5438eff3 |
| SHA256 | 826d302ec7a86c3c6a8d9326ee09ffb17cd268c505e78b8f144d67fc1d563a13 |
| SHA512 | 2ed2c042ea60341fe912c4936871aa37359b4ce358f2584c61fcb1fd6d6dc82ab0595af643f71662fa967ac72ee4df0a48b87d4a3fdd323ce0d77b1507e11523 |
C:\Windows\system\iztWucA.exe
| MD5 | 05c37f2a07004aa04bda5ba78283374d |
| SHA1 | aa7d68413f029d75a3f175f76e8e40c1dd817533 |
| SHA256 | 6e89899f13612bd9df55ea111865bb8bfd12825da0481f84c06b6460e079cdc5 |
| SHA512 | d4a6261d1ca8aaa56c3efca0019b388bb6c0aa633243a7f829f9e06a9395daff59dd97aca84b0ed9a40ac94e5feb1d52af85bb991bb55641e8b736f7d613f7ea |
\Windows\system\QxqbHHK.exe
| MD5 | bbd15ec7a20b6caa204ae2f533bb70c1 |
| SHA1 | edba8d9b69ea67074f198694bced259b8c48773b |
| SHA256 | 042812704cd40221ffbe4885bb5dc8d3cacb65b7292a9ef2b049aed49f3a713d |
| SHA512 | 3236d102ba8345b6949d0c5b71f852f34f6c14e820af1cf73aa72d927d1e0afb399ca2cc8f26816805bfb8ec1269548ea84f62a17c4d14bca2394354d6437e09 |
C:\Windows\system\bnjwzif.exe
| MD5 | 8dec217de7ae2a245fb25518b60b048c |
| SHA1 | 13327b3dfa039b78a0e10fab65338377a678ddeb |
| SHA256 | 3fa8dfe9c93f25eb30076b1b6da59c8ada3567780fa03bacb8eadaf500e540a8 |
| SHA512 | 5226857dedc349a80013cec17c0d3c2fd00d1fcfdf23356c7b5ceeb8864e078fc8e783ad1b23e6bba16eb60dff0fbe338f11a4d7cc819847cd6b464a3fa97c86 |
C:\Windows\system\akMsPFn.exe
| MD5 | 2afcc9660f8518b21cda804e69e5475d |
| SHA1 | 67bf4bc551fb55e1b9777eba43a5e5ed9d252df9 |
| SHA256 | d0926fc26b4751e381c09f4607318532e75a36ab8d936697148d9391a36665e3 |
| SHA512 | 6f71951e60ab634b58a3fb162046fb0ccd2113249bd33bad83cac3c08b42c4ea4826e8163bc2fe49ed1fdfdfb0ea1f82673056b67bf3b80a11e52c4f2647bf5a |
C:\Windows\system\lbOTzQt.exe
| MD5 | 30428799294d0f7ff55e5f57a21fc57d |
| SHA1 | 70ee06d5018b06b1acc9f30849a30a39a807bb52 |
| SHA256 | 955246a936941d90edf084d6eaa2a984de2937430da973dd9caf124b4087f531 |
| SHA512 | dc5c399a93b4dac9102f10a293238453196c8c178d35d3f35fefd3c1f50d36ef97967d8492da6cf892ebc8936359b102aef1af46b252b6a381966be578d3e3cd |
C:\Windows\system\dgXDDLT.exe
| MD5 | b89da47d076c9150279fbfc58ab89c37 |
| SHA1 | 262630fbef564d68a593df15857b4bc6daa2e8e2 |
| SHA256 | 234cf3ddc5d3a05cd52d4cbbf196356b886cde81b61a27c1857652ed3f36dfa1 |
| SHA512 | 3f7a18762486dd96c2200ac785480f415d1a8e4236456b48576cbb25cdb9d53cd59667686d296ff90e02c80b946e6deb02da01d491d73aef45400801010b612c |
C:\Windows\system\LHrconq.exe
| MD5 | 8c69dc0306908f99292256a3901d485e |
| SHA1 | 3aab9dfa58cfb91891ae56a5a762c9b300c001e5 |
| SHA256 | 9a406c812f3e6d39e71bdf103a5dfc19bdd34f83e3ea66241c9fd8d1ec8523a2 |
| SHA512 | 4a3abcb8f2d6fdf80482fe34f22357a7beeed37106947b3c93446b1e534f6ccd9a57b23d6a3bac75f3a7498bf24e77b7deadde806240c73182be6be055d4e512 |
memory/2896-124-0x000000013F030000-0x000000013F384000-memory.dmp
memory/1912-126-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2240-125-0x0000000002450000-0x00000000027A4000-memory.dmp
memory/2116-123-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2732-129-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2676-128-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2240-131-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/2240-132-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2728-130-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2240-127-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2760-49-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2240-48-0x0000000002450000-0x00000000027A4000-memory.dmp
C:\Windows\system\uYnisos.exe
| MD5 | ff43dadd8b5e76966c64fc60fe464f50 |
| SHA1 | ba990082eb60ccd11060d72f3cb9cf62ad7abd82 |
| SHA256 | f566517ca6e7dc6deb2e340b374deaeec32a5b186d4afdaa9eba39562c109139 |
| SHA512 | 6e8354e2a5a4b20af95cc12f5a0ef021b92d5978146ff6c1b215464d9433b7c1e723daed5f9da4f9b567c2f83456f1dd20bd14c0e5bba5d0e3b0a1a2ce018e52 |
memory/2956-133-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2568-134-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2528-135-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2796-136-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2760-137-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2396-138-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2116-139-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2240-140-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2956-141-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/1664-142-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2568-143-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2616-144-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2796-145-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2528-146-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2760-147-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2396-148-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2896-149-0x000000013F030000-0x000000013F384000-memory.dmp
memory/1912-150-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2676-151-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2732-152-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2728-153-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2116-154-0x000000013FC80000-0x000000013FFD4000-memory.dmp
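The Files and Network tables above are the parts of this report most people actually want out of it (file hashes for the dropped executables, and the one outbound destination), and the flattened table layout is regular enough to parse. The following Python is an added extractor for that layout (not tooling from the sandbox vendor); the excerpt it parses is copied from this report, and `8.8.8.8:53` is treated as sandbox resolver noise by assumption.

```python
"""Pull file hashes, destinations and dumped PIDs out of this report's flattened tables."""
import re
from collections import Counter

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\[^|]+\.(?:exe|dll)$", re.IGNORECASE)
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
NET_ROW = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")
NOISE = {"8.8.8.8:53"}  # assumption: the sandbox's own resolver, not an IOC

# Excerpt copied from this report's behavioral1 Network and Files sections.
REPORT_EXCERPT = r"""Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/2240-0-0x000000013FC80000-0x000000013FFD4000-memory.dmp
\Windows\system\cFsarHy.exe
| MD5 | 7092f59456f81d21a72726317d2f3368 |
| SHA1 | 7f8abc1dd2c9dcc72f1765240b6a934d62917a2c |
| SHA256 | 17880c839a19cda55835135aa19fb9e860e6df56eaf4aebad6df83d7bedfafec |
| SHA512 | 3d36924535caed3aa0eff14170052ea45ee45c9c4b929a228cafeec97b8a2138bd31497a35013e251230584a97db1f7acb5778781adc380db6cabd1d5b74b3bc |
memory/2956-13-0x000000013F990000-0x000000013FCE4000-memory.dmp
C:\Windows\system\fvEVORI.exe
| MD5 | 4d62adf5afb5428d9656cf953f6d8f15 |
| SHA1 | 2ac29df2a7be44e3b7d19b6ae33a1ac1ffe241cf |
| SHA256 | 53f30f7b672f2ed53c022cf9ee3bf18e2b6344c3b6a07ab7341b5587485527aa |
| SHA512 | edec609a6b1739fdf0ec633dc6386b369cc1af467dccef286f0c725997aec37950102e6d9bffe4f88d04a77d9d5fd7e2f5c34fab3217a17824b640562df35c8d |
"""


def extract_iocs(text):
    """Walk the report line by line; hash rows attach to the most recent file path."""
    files, dests, dumps, bad = {}, Counter(), Counter(), []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            # The report mixes "\Windows\system\x.exe" and "C:\Windows\system\x.exe";
            # normalise both to the drive-qualified form so they key the same entry.
            current = line if line[1:3] == ":\\" else "C:" + line
            files.setdefault(current, {})
            continue
        m = HASH_ROW.match(line)
        if m and current:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:      # truncated or mis-extracted digest
                bad.append((current, algo, digest))
            else:
                files[current][algo] = digest
            continue
        m = NET_ROW.match(line)
        if m:
            dests[f"{m.group(2)}:{m.group(3)}"] += 1
            continue
        m = DUMP_RE.match(line)
        if m:
            dumps[int(m.group(1))] += 1
    return {"files": files, "destinations": dests, "dump_pids": dumps, "bad_hashes": bad}


def to_csv(iocs):
    """Flatten to type,value,context rows, dropping resolver noise."""
    rows = ["type,value,context"]
    for path, hashes in iocs["files"].items():
        for algo, digest in sorted(hashes.items()):
            rows.append(f"{algo.lower()},{digest},{path}")
    for dest, n in sorted(iocs["destinations"].items()):
        if dest not in NOISE:
            rows.append(f"ipport,{dest},{n} connections")
    return "\n".join(rows)


if __name__ == "__main__":
    print(to_csv(extract_iocs(REPORT_EXCERPT)))
```

Digest length is checked because copy-and-paste from rendered reports routinely truncates SHA-512 values; a wrong-length hash goes to `bad_hashes` rather than into the blocklist.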
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 10:14
Reported
2024-06-11 10:17
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; no description, indicator, process or target was captured for any of them.
Cobaltstrike
xmrig
XMRig Miner payload
64 hits; no description, indicator, process or target was captured for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\VswPGGN.exe | N/A |
| N/A | N/A | C:\Windows\System\BUkljJj.exe | N/A |
| N/A | N/A | C:\Windows\System\VMtLnoB.exe | N/A |
| N/A | N/A | C:\Windows\System\UNYshlc.exe | N/A |
| N/A | N/A | C:\Windows\System\QVoaJkM.exe | N/A |
| N/A | N/A | C:\Windows\System\sgJYBhv.exe | N/A |
| N/A | N/A | C:\Windows\System\aKtOIJZ.exe | N/A |
| N/A | N/A | C:\Windows\System\KBWhtzB.exe | N/A |
| N/A | N/A | C:\Windows\System\QCuDXGN.exe | N/A |
| N/A | N/A | C:\Windows\System\xAuzfyj.exe | N/A |
| N/A | N/A | C:\Windows\System\QqHNWDm.exe | N/A |
| N/A | N/A | C:\Windows\System\LGHDUfY.exe | N/A |
| N/A | N/A | C:\Windows\System\ChKuwdJ.exe | N/A |
| N/A | N/A | C:\Windows\System\nZUsTsf.exe | N/A |
| N/A | N/A | C:\Windows\System\NAoKvRa.exe | N/A |
| N/A | N/A | C:\Windows\System\LdCvhsW.exe | N/A |
| N/A | N/A | C:\Windows\System\Jyhwulh.exe | N/A |
| N/A | N/A | C:\Windows\System\riETjSZ.exe | N/A |
| N/A | N/A | C:\Windows\System\EcMSaUF.exe | N/A |
| N/A | N/A | C:\Windows\System\wLToOpe.exe | N/A |
| N/A | N/A | C:\Windows\System\uKapstU.exe | N/A |
UPX packed file
64 hits; no description, indicator, process or target was captured for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe"
C:\Windows\System\VswPGGN.exe
C:\Windows\System\VswPGGN.exe
C:\Windows\System\BUkljJj.exe
C:\Windows\System\BUkljJj.exe
C:\Windows\System\VMtLnoB.exe
C:\Windows\System\VMtLnoB.exe
C:\Windows\System\UNYshlc.exe
C:\Windows\System\UNYshlc.exe
C:\Windows\System\QVoaJkM.exe
C:\Windows\System\QVoaJkM.exe
C:\Windows\System\sgJYBhv.exe
C:\Windows\System\sgJYBhv.exe
C:\Windows\System\aKtOIJZ.exe
C:\Windows\System\aKtOIJZ.exe
C:\Windows\System\KBWhtzB.exe
C:\Windows\System\KBWhtzB.exe
C:\Windows\System\QCuDXGN.exe
C:\Windows\System\QCuDXGN.exe
C:\Windows\System\xAuzfyj.exe
C:\Windows\System\xAuzfyj.exe
C:\Windows\System\QqHNWDm.exe
C:\Windows\System\QqHNWDm.exe
C:\Windows\System\LGHDUfY.exe
C:\Windows\System\LGHDUfY.exe
C:\Windows\System\ChKuwdJ.exe
C:\Windows\System\ChKuwdJ.exe
C:\Windows\System\nZUsTsf.exe
C:\Windows\System\nZUsTsf.exe
C:\Windows\System\NAoKvRa.exe
C:\Windows\System\NAoKvRa.exe
C:\Windows\System\LdCvhsW.exe
C:\Windows\System\LdCvhsW.exe
C:\Windows\System\Jyhwulh.exe
C:\Windows\System\Jyhwulh.exe
C:\Windows\System\riETjSZ.exe
C:\Windows\System\riETjSZ.exe
C:\Windows\System\EcMSaUF.exe
C:\Windows\System\EcMSaUF.exe
C:\Windows\System\wLToOpe.exe
C:\Windows\System\wLToOpe.exe
C:\Windows\System\uKapstU.exe
C:\Windows\System\uKapstU.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
The udp rows are reverse-DNS (PTR) queries sent to 8.8.8.8; the only destination that also appears in the win7 run (behavioral1) is the repeated TCP connection to 3.120.209.58:8080, for which no domain was recorded.
Files
memory/3936-0-0x00007FF7064A0000-0x00007FF7067F4000-memory.dmp
memory/3936-1-0x000002A99E9A0000-0x000002A99E9B0000-memory.dmp
C:\Windows\System\VswPGGN.exe
| MD5 | ba754d2f8de1d28a526e4ba49d78aff7 |
| SHA1 | 0ccd711d7f50f6a0776d7df70496949696eb0c97 |
| SHA256 | 67546f23a305a558386aa53084156193eb7e92c0ef06aaa3e94049e13b9ccc14 |
| SHA512 | e87a15c76c734fda5d8c8ef4694eb927f73d9375b3bca43da7e5c1b63cf25354b6afff951346085f3beb596f46b4bf9af1d7b19b15779bfe1aeca17e6e924795 |
memory/1604-8-0x00007FF631DD0000-0x00007FF632124000-memory.dmp
C:\Windows\System\BUkljJj.exe
| MD5 | 22f01b1633a13affd9c5e3d06a6b703a |
| SHA1 | 14d6714d8c5d1028e6cb4af7e4f3b2810d39cc0c |
| SHA256 | f7184759e288c89cb231d628de61a3c89f573065c4fb3efb1aff7dde1359cacb |
| SHA512 | d3668372635590c20f085809fda3da09a408dea163b47679c1f95c9cb5dff8ac8f084e381275b869e4cf68441c6f37d2df506ad4b0be6ebdab51aa91388f9a59 |
C:\Windows\System\VMtLnoB.exe
| MD5 | 2534d507929d47d035d8734a06c6c064 |
| SHA1 | 87b0ffd293a15c4b93c2987771acbf91cf0f429a |
| SHA256 | b60e63377c1617c9459759f6a248fd325add8e14fa4ba9247981231e3d3d976e |
| SHA512 | a4ae516f217a420e5b2ea276fc96de17bec67adf53de72c62b393f2d74a401d7dd534f99d55f1ce20b74b9660e05aa36256f9e1511bda0421daa816c831b4e6c |
memory/4860-14-0x00007FF7CBEF0000-0x00007FF7CC244000-memory.dmp
C:\Windows\System\QVoaJkM.exe
| MD5 | a2fd8d418faf3ef2e4fdea5f708dae45 |
| SHA1 | eb40648a49cfaf3a476c655de50d9ade3b62e308 |
| SHA256 | efb6c248e27d3bfed1abf9c207c4a8c9d1363057e9bf8a0daa07865f5a27f44f |
| SHA512 | 86f68fa1a0f1d97db2368d8030084fcf8d0e3927086a6054b24ab1cf302e6b5b6465bc378d04fbb9a34cc56ca93bdfd8f47cb2a5300d3eef74494aff970b9bbf |
memory/1516-22-0x00007FF7EEE80000-0x00007FF7EF1D4000-memory.dmp
C:\Windows\System\UNYshlc.exe
| MD5 | 2b6385a8719e7c6d4a9eb2020d8f7390 |
| SHA1 | f65235c40f3fa498cec9052f01077dedef229a00 |
| SHA256 | 9dd486544fb534458066f4af4b626060383d047dfbbd6e54c8620734a0d6c6fa |
| SHA512 | d1b49c505c5407ba5d986198e86a0987483d2756cbde8787b6d4672901533f24052b18aca831d3c4286730367ef49faa7820c5da818fb8c2d7bcc558337e84f4 |
C:\Windows\System\sgJYBhv.exe
| MD5 | 5c0316f41c04d5a0b27525640bb0337c |
| SHA1 | 279ca09cb3b015009d97b9dfa2b65f49c0e7701f |
| SHA256 | f4037393b72791115e9432a64378d2cc5fe6efcd0af7339891fda77eab407bea |
| SHA512 | d16b40f8d3e12b651c4bc083465029bf3712529d74f7fb53769bca645d488706ef416a762049a868b3c54e8f24217d18fa97f2ca6cc7ca42f3be5e0a377ef5b9 |
memory/2768-29-0x00007FF7D5A70000-0x00007FF7D5DC4000-memory.dmp
C:\Windows\System\KBWhtzB.exe
| MD5 | cbb668ea3e5e7662634b086274d4eaec |
| SHA1 | 1e81dde5092c43363c4b89ee35dd9186f6807042 |
| SHA256 | 6dbffe973b933cd71329a2e8effcf21723dddeacf2953a3502ae7566e9c36732 |
| SHA512 | 426323a8d7121dd433de2675d65ff25b06e84dbfcd1d50cb5b835b608352ac53aad74a3e1b5ab9ed74cfc00bf0c40e0ed72ed39ee8d578eeda0ab65d3b3dae7e |
memory/3096-48-0x00007FF6B0770000-0x00007FF6B0AC4000-memory.dmp
memory/4624-47-0x00007FF797620000-0x00007FF797974000-memory.dmp
C:\Windows\System\aKtOIJZ.exe
| MD5 | c43f587b0510422426100cf114a85fdf |
| SHA1 | 7e1258053e2fc7f7338274072efbd10d095f834f |
| SHA256 | 06e2f7b5e8db53bd4dc422abe597e7da4fbe6c335b0e5d6fa5afa88bfb820162 |
| SHA512 | 4e9f0f2db5c6fe97510dab4abe76f87d46db9ec0e34f5642dba59a4b0b58532469102e99bcaafd3f5bf77c7111332fa3d06cd70e06041be35884ff6bac46647a |
memory/2720-38-0x00007FF6140D0000-0x00007FF614424000-memory.dmp
memory/3144-28-0x00007FF7637F0000-0x00007FF763B44000-memory.dmp
C:\Windows\System\QCuDXGN.exe
| MD5 | 0fe9182361256eaf4f8ad023db825522 |
| SHA1 | 3184ed206d38fce541f97fed752e70d6e3e4dbcb |
| SHA256 | 8df49a1ea21940c09eb48eef8a3513d9bf1aa83df39344e99d86adcfc697931e |
| SHA512 | a51f67775c6f8ca3889b74c1bffae2902d9c429887e506303138183350112a679a944bde93586f1bde76b1ce51ea1b500e7c9c82432d79899a65c371a7c27b19 |
memory/2192-54-0x00007FF7DC370000-0x00007FF7DC6C4000-memory.dmp
C:\Windows\System\xAuzfyj.exe
| MD5 | 97aadcf6a7ea72d895cc9cb0c64368b5 |
| SHA1 | a3ed8e71fe44df240798960053f965c28aa86436 |
| SHA256 | 00a0d907a44960052c82cfe265604c932a7cd98d067e60d5ca4ede78acfcf8aa |
| SHA512 | aa58243fb0244e7a86f5c928062ba69bd2ae7d95b456413511f553e63359b1e6a1d14c8705dfe78b621d3e465bec979db5ad14886c3aeadd97b62de4a09da026 |
memory/1508-60-0x00007FF6786F0000-0x00007FF678A44000-memory.dmp
C:\Windows\System\QqHNWDm.exe
| MD5 | f7707a8f1fade9d73ef25297ff8eb7d6 |
| SHA1 | 97ec3452a8109e40a565fa4f483615878ba5adde |
| SHA256 | 699b53f0c17b96643ee16d2c0fe74a50e4c99aaa6f6b669be9771c2a37265032 |
| SHA512 | ab08621e4e6a9c1e24ec2823061f0d5551c6faaeef933b0c2d4a0d42aba97a4370c816d494fa55c1e783c0dc6ae62e12572c578480c1f9f10e3ebd07303a80a4 |
memory/2260-69-0x00007FF7811D0000-0x00007FF781524000-memory.dmp
C:\Windows\System\LGHDUfY.exe
| MD5 | 96e2fd2a19a6d0484a3217050dd7cc08 |
| SHA1 | c306609af3a2ccf7e12f7fc308eb90b4e8fc8c53 |
| SHA256 | e1611139be75e30dbb25b7cdd1fbd4e2accec10c7fc46255ce6a1708373c9f01 |
| SHA512 | d2f911a42114af90d06462c4c9ad1fce4e20d0449f05da851fe01c376b75e3935433636da08bc38c46482d3c3e72d3863962858cd968b646ea1990357afef6f9 |
C:\Windows\System\ChKuwdJ.exe
| MD5 | 09801ff8123251928a3bdd3a4efd5047 |
| SHA1 | 37f04d5ea27de816671f01bd0bd426c0e9f1d12e |
| SHA256 | 981c00cc2d2c6e8eb6e94582db421c9a55ba4acb9da1f952bce7591d3aada2a9 |
| SHA512 | 7c1a5dceb3afb2b8e0327a5799472334ec28b409eaffcbaa749be81ccf3bf32a03bef3d8a5202d9aec324359c7b1f378aed3ef4b121be705b3371c7dbe4035b0 |
C:\Windows\System\nZUsTsf.exe
| MD5 | 8fdea9350e7512e9e75d93e6c32356fc |
| SHA1 | 855e67cc209c2ba1a62f95ece17c35a26cc276b0 |
| SHA256 | ca71a05872d4895472f23c8b54df12c54abf4602d04fe9b2ae928bba724c5b2b |
| SHA512 | 734ec5a6a69e4f96b2b8c462573072a3d0718f9e3eb75a6090e328e0156bdaafa5d6318ac80c41d35810797c9995ae84c9509198db9d69dc54a478fb5463a498 |
C:\Windows\System\NAoKvRa.exe
| MD5 | 6a23fe7fbd5b3467d6368f0e84867dcd |
| SHA1 | 52fdabff9c6fa080e090c1ca7c4cb1fc19c83990 |
| SHA256 | f22c3bdc442b357fbc3656c1d3c889986ef3592f52cbec2aea181223b7a0d122 |
| SHA512 | 542ee3d81362a45c3ac5524fceb75fc4b2203938310ae16f702bbd1559d7733040f8e2faf76f972b618e5a0eea6ee8db4257ad2ebd9f93e08b13d3c41be61375 |
C:\Windows\System\LdCvhsW.exe
| MD5 | 14075a743ca6314ce117f75043e2e8a1 |
| SHA1 | 40d0dd12a7ec5bc9bdc99d175233d2c775d44c1e |
| SHA256 | 9e0fbac05d33e86698e5854aeab4d6624c76d227ba5f922547612c9b9dc5a6bc |
| SHA512 | 27e769cf6ab9111d9c6b7afbe96fe6af67606f413deedea6653ce526a7ef2359d25cae3229e381da87ead31e15996309bc338ac94dafd5f031d619b25f165818 |
C:\Windows\System\Jyhwulh.exe
| MD5 | c51bd396fbd23e4b98e94efdb0707198 |
| SHA1 | 5c161a6f9f55a72ae86a3885cf28fc74f3c24ce2 |
| SHA256 | 23df091600956504ac1acd308bdb1a179c9bac9d5ed40f44964a3049e3b502fb |
| SHA512 | d1061bde34705502e9a87ac2510b5e4a74035983036b22d656a9ea8d1dc1bb8d2dfa16ac9783e5ffd3aa1dda47e129eb2e1dcbf49693fdea1ae1eec961379443 |
C:\Windows\System\riETjSZ.exe
| MD5 | 21dbecf75d78a01ef79a123a8308ba5c |
| SHA1 | 574cca82dd9287dee40faedbf72077b0ce5ab0f2 |
| SHA256 | 1ff5b9416bb9d8b2716306012ff08c9fe468d60b6f9d9aa050fbaf35d49ac6f3 |
| SHA512 | 91aef8dc1dda511ff4656878d917f57e5883aa5793510afe976bb03458a59fc81998d470a082466937a9a21d329a7b436ecd249e686b96c41272da32210a79d8 |
C:\Windows\System\EcMSaUF.exe
| MD5 | 742b4e37238c986c848214f80fe217aa |
| SHA1 | 09ad26929e195747bd10b4fd0858f92a33cb40f0 |
| SHA256 | 06486ca4d0decf9c0a38a552a098441422b070aaa71fb24884185679eef68852 |
| SHA512 | daa50f303038b8f71fd32c5df3d2ef4a2840a63f89aecfc4b0d6cf00ebad199570679d8da220d2579bfafb8b88099b1a5b5789c79607a2ba9d1c731a565ba31c |
C:\Windows\System\wLToOpe.exe
| MD5 | 355f53640b5c2d72fd6eac526409c63b |
| SHA1 | 88914918c4c4e99b37dc3247400f75487a7db04b |
| SHA256 | b82eca6252eda933074e4e38b4340678caba15fac39f10f96f59e09247f33c65 |
| SHA512 | 02ae540b4ded799b368ef3104bb5a3e9dee2d5973252c95e18eac00e275c2b74a53c1839aad2aa3447bf64101399dc9fc537e494102a0ba32e01fe48b928b955 |
C:\Windows\System\uKapstU.exe
| MD5 | 8da045273b9ea489c9b0cecd9ba9dd00 |
| SHA1 | 6bbc2a46a34ab51c695739b6f032587e01929cc9 |
| SHA256 | 7e4cca89799ca8d04fe5e8d58cb33f716b018bddd238dd71f71a487de7c2ca82 |
| SHA512 | ebcfe0a2ae538a936edc7c73bc6b58dd79e09106d1acf69fbc75b1e9830228b03b3379cdfde8249d7ff3edceb1139b3fa66d406bd63e1f8416cc5554142aec2a |