Analysis Overview
SHA256
01067f3d3d36924125e9cdb4f8202d86d866263c86a09c7049b4660b995210c1
Threat Level: Known bad
The file 31711f3522edff5d7b292a752af6e030_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Cobaltstrike family
Xmrig family
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 10:16
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 10:16
Reported
2024-06-11 10:19
Platform
win7-20240221-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UtrfUJX.exe | N/A |
| N/A | N/A | C:\Windows\System\zxxCpHH.exe | N/A |
| N/A | N/A | C:\Windows\System\uDEdvzU.exe | N/A |
| N/A | N/A | C:\Windows\System\ODirQzx.exe | N/A |
| N/A | N/A | C:\Windows\System\YWXgTlc.exe | N/A |
| N/A | N/A | C:\Windows\System\CKOoUFK.exe | N/A |
| N/A | N/A | C:\Windows\System\MxAFbuJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ihRzBvk.exe | N/A |
| N/A | N/A | C:\Windows\System\HwOgKVX.exe | N/A |
| N/A | N/A | C:\Windows\System\PhnnmLm.exe | N/A |
| N/A | N/A | C:\Windows\System\zKXLQsh.exe | N/A |
| N/A | N/A | C:\Windows\System\IccFhru.exe | N/A |
| N/A | N/A | C:\Windows\System\NjXcfjP.exe | N/A |
| N/A | N/A | C:\Windows\System\YwBMKVR.exe | N/A |
| N/A | N/A | C:\Windows\System\wwhCpiL.exe | N/A |
| N/A | N/A | C:\Windows\System\biHZlPQ.exe | N/A |
| N/A | N/A | C:\Windows\System\boFhjEQ.exe | N/A |
| N/A | N/A | C:\Windows\System\VqRfjDl.exe | N/A |
| N/A | N/A | C:\Windows\System\aCQqSen.exe | N/A |
| N/A | N/A | C:\Windows\System\equsSMw.exe | N/A |
| N/A | N/A | C:\Windows\System\lTTUmne.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\31711f3522edff5d7b292a752af6e030_NeikiAnalytics.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\31711f3522edff5d7b292a752af6e030_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\31711f3522edff5d7b292a752af6e030_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\31711f3522edff5d7b292a752af6e030_NeikiAnalytics.exe"
C:\Windows\System\UtrfUJX.exe
C:\Windows\System\zxxCpHH.exe
C:\Windows\System\ODirQzx.exe
C:\Windows\System\uDEdvzU.exe
C:\Windows\System\YWXgTlc.exe
C:\Windows\System\CKOoUFK.exe
C:\Windows\System\MxAFbuJ.exe
C:\Windows\System\ihRzBvk.exe
C:\Windows\System\HwOgKVX.exe
C:\Windows\System\PhnnmLm.exe
C:\Windows\System\zKXLQsh.exe
C:\Windows\System\IccFhru.exe
C:\Windows\System\NjXcfjP.exe
C:\Windows\System\YwBMKVR.exe
C:\Windows\System\wwhCpiL.exe
C:\Windows\System\biHZlPQ.exe
C:\Windows\System\boFhjEQ.exe
C:\Windows\System\VqRfjDl.exe
C:\Windows\System\aCQqSen.exe
C:\Windows\System\equsSMw.exe
C:\Windows\System\lTTUmne.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 10:16
Reported
2024-06-11 10:19
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\kLEoBfl.exe | N/A |
| N/A | N/A | C:\Windows\System\hYRRATM.exe | N/A |
| N/A | N/A | C:\Windows\System\YGeqhzV.exe | N/A |
| N/A | N/A | C:\Windows\System\kLEloqQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ARAGOhS.exe | N/A |
| N/A | N/A | C:\Windows\System\WdLnuKT.exe | N/A |
| N/A | N/A | C:\Windows\System\CKeWnen.exe | N/A |
| N/A | N/A | C:\Windows\System\ghDnveD.exe | N/A |
| N/A | N/A | C:\Windows\System\JFgLYXZ.exe | N/A |
| N/A | N/A | C:\Windows\System\maNmYga.exe | N/A |
| N/A | N/A | C:\Windows\System\OhcPTDA.exe | N/A |
| N/A | N/A | C:\Windows\System\AvGtBrT.exe | N/A |
| N/A | N/A | C:\Windows\System\lQHjrKM.exe | N/A |
| N/A | N/A | C:\Windows\System\BmkKoNB.exe | N/A |
| N/A | N/A | C:\Windows\System\blBapvT.exe | N/A |
| N/A | N/A | C:\Windows\System\cNlClbN.exe | N/A |
| N/A | N/A | C:\Windows\System\yAyQxPZ.exe | N/A |
| N/A | N/A | C:\Windows\System\PYGugHd.exe | N/A |
| N/A | N/A | C:\Windows\System\MyJunTd.exe | N/A |
| N/A | N/A | C:\Windows\System\CYPltuM.exe | N/A |
| N/A | N/A | C:\Windows\System\qnyPRia.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\31711f3522edff5d7b292a752af6e030_NeikiAnalytics.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\31711f3522edff5d7b292a752af6e030_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\31711f3522edff5d7b292a752af6e030_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\31711f3522edff5d7b292a752af6e030_NeikiAnalytics.exe"
C:\Windows\System\kLEoBfl.exe
C:\Windows\System\hYRRATM.exe
C:\Windows\System\YGeqhzV.exe
C:\Windows\System\kLEloqQ.exe
C:\Windows\System\ARAGOhS.exe
C:\Windows\System\WdLnuKT.exe
C:\Windows\System\CKeWnen.exe
C:\Windows\System\ghDnveD.exe
C:\Windows\System\JFgLYXZ.exe
C:\Windows\System\maNmYga.exe
C:\Windows\System\OhcPTDA.exe
C:\Windows\System\AvGtBrT.exe
C:\Windows\System\lQHjrKM.exe
C:\Windows\System\BmkKoNB.exe
C:\Windows\System\blBapvT.exe
C:\Windows\System\cNlClbN.exe
C:\Windows\System\yAyQxPZ.exe
C:\Windows\System\PYGugHd.exe
C:\Windows\System\MyJunTd.exe
C:\Windows\System\CYPltuM.exe
C:\Windows\System\qnyPRia.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.204.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA512 | 8771cc4508acc55c6563421d761941c85f4daa5c5aab458125e0fa90234eec0a55d00f1c1c084eed21f66c82835e1e96b9cbe0c7a232fb6e0cb5ab666789f1d8 |
C:\Windows\System\PYGugHd.exe
| MD5 | 49f316ff3e1e5da45c537103cd3bf88d |
| SHA1 | 8aada067f742a80d366df188ea0e98685cdc44ce |
| SHA256 | 2c931343515fed9897e370a91c0e3b2712d3ad826a15ea381b19f997f394f382 |
| SHA512 | 0c76cce7fb636fb6c1a4f9a00bf2dc0994bf50f9fe784abfb07fdd46af78985ed5f2ad0f9514d4fa0398f5bfec5cb46e6e7729881c59f8010b3713dcd4cf524d |
C:\Windows\System\MyJunTd.exe
| MD5 | 9d2def5b3be2ca8b9a2854f204f06527 |
| SHA1 | d8cf5ea462eac19d5ae122d9e0edfc04d094765c |
| SHA256 | 54c63c057e55c40799294b49c27854ff3d6bb160fc5e466c4e328c66533349c0 |
| SHA512 | 4a620ea201fc483c0b50f206c96852fe2efaa48a7de20b5a1506011691d9852be10e869005554b7e8ca4b1da73414a10859a72ca27b1ee5900df840690d23773 |
C:\Windows\System\CYPltuM.exe
| MD5 | cef527ab345f4a318b99438fc7ba9f9a |
| SHA1 | dd1cb1089a4197567b57bd2fd8fbd4ebf4ef24a2 |
| SHA256 | 9bd3f0896429d32f62ef4932f9c5c8953c06665826d167f74826b3bbea03ab80 |
| SHA512 | f3fa4d15145591ec875159210e38ae885e72ebf548c4f0e576a9ebff52f455c7c25187637da129e8f20862b85f01c285ca4d8cb238c020c05e68d72e4ba29212 |
C:\Windows\System\qnyPRia.exe
| MD5 | 5b084a57800ec939edcfaab5c690a4b3 |
| SHA1 | e8f797c547a485d6eaffd9dfaadbdfa51c950895 |
| SHA256 | f019d4285ce3db5f4ed85eefd01e4a872931185cdd4b03510e82514a5b25eb53 |
| SHA512 | cc97ccc998efc156766c4d8f6197505a2b118bba30f7659c14a88648d1c3c80bf6186bf5cceb96b2cdcd9e9b4ffe279c06edcf9962b47d78fe20b66a18d61098 |
C:\Windows\System\yAyQxPZ.exe
| MD5 | 252f6862edd25661899d2bde2ac2d05a |
| SHA1 | 6cd183c49382c0a666f64c562b33e7f74e4477c8 |
| SHA256 | db3808a5b61dcea8b4d43ce44b3d8d09ce1bda4260cd6ae612c9279547d9d546 |
| SHA512 | 67989e6c3978f552735d8220132284d17afdfbbce5fd5dd7e66ddf1f498b0fb66ecbba30401534fc04e70f4842115c3dd7116277f6b84c79aeca5339f767c66a |
C:\Windows\System\blBapvT.exe
| MD5 | 38a66a9f68417eea96c5d155bc71f04e |
| SHA1 | 930da0533a11f346ca388dd380a390dfdd4538a7 |
| SHA256 | c3b26b73a1ab9514f212959153925b945b4786dd0948d18cda4c384491357f04 |
| SHA512 | 8fd52b4d977f0068601f5becf008efc5daf0cf61a03bcd5ebbc9a8ed570680120d451699adfb628606de88e2d037c60d3878f7806a30ab016d6e7bc97249d2e7 |
memory/5088-111-0x00007FF624A30000-0x00007FF624D84000-memory.dmp
memory/1060-113-0x00007FF711490000-0x00007FF7117E4000-memory.dmp
memory/3116-114-0x00007FF69F490000-0x00007FF69F7E4000-memory.dmp
memory/1012-116-0x00007FF6A8B30000-0x00007FF6A8E84000-memory.dmp
memory/3944-117-0x00007FF781600000-0x00007FF781954000-memory.dmp
memory/508-118-0x00007FF7FC810000-0x00007FF7FCB64000-memory.dmp
memory/2616-119-0x00007FF7BE320000-0x00007FF7BE674000-memory.dmp
memory/3924-121-0x00007FF7D2590000-0x00007FF7D28E4000-memory.dmp
memory/4164-120-0x00007FF70CC10000-0x00007FF70CF64000-memory.dmp
memory/5040-122-0x00007FF6C1CD0000-0x00007FF6C2024000-memory.dmp
memory/1648-115-0x00007FF71E100000-0x00007FF71E454000-memory.dmp
memory/4324-112-0x00007FF6FDBF0000-0x00007FF6FDF44000-memory.dmp
memory/4640-123-0x00007FF78F4F0000-0x00007FF78F844000-memory.dmp
memory/3692-124-0x00007FF613D30000-0x00007FF614084000-memory.dmp
memory/4912-125-0x00007FF798070000-0x00007FF7983C4000-memory.dmp
memory/4064-126-0x00007FF742960000-0x00007FF742CB4000-memory.dmp
memory/2988-127-0x00007FF75A860000-0x00007FF75ABB4000-memory.dmp
memory/4340-128-0x00007FF731650000-0x00007FF7319A4000-memory.dmp
memory/3128-129-0x00007FF61CEE0000-0x00007FF61D234000-memory.dmp
memory/448-130-0x00007FF6C9B50000-0x00007FF6C9EA4000-memory.dmp
memory/3128-131-0x00007FF61CEE0000-0x00007FF61D234000-memory.dmp
memory/4928-132-0x00007FF660400000-0x00007FF660754000-memory.dmp
memory/456-133-0x00007FF617960000-0x00007FF617CB4000-memory.dmp
memory/5088-134-0x00007FF624A30000-0x00007FF624D84000-memory.dmp
memory/4324-135-0x00007FF6FDBF0000-0x00007FF6FDF44000-memory.dmp
memory/1060-136-0x00007FF711490000-0x00007FF7117E4000-memory.dmp
memory/3116-137-0x00007FF69F490000-0x00007FF69F7E4000-memory.dmp
memory/1648-138-0x00007FF71E100000-0x00007FF71E454000-memory.dmp
memory/1012-139-0x00007FF6A8B30000-0x00007FF6A8E84000-memory.dmp
memory/3944-140-0x00007FF781600000-0x00007FF781954000-memory.dmp
memory/508-141-0x00007FF7FC810000-0x00007FF7FCB64000-memory.dmp
memory/2616-142-0x00007FF7BE320000-0x00007FF7BE674000-memory.dmp
memory/4164-143-0x00007FF70CC10000-0x00007FF70CF64000-memory.dmp
memory/3924-144-0x00007FF7D2590000-0x00007FF7D28E4000-memory.dmp
memory/3692-146-0x00007FF613D30000-0x00007FF614084000-memory.dmp
memory/4912-147-0x00007FF798070000-0x00007FF7983C4000-memory.dmp
memory/4640-145-0x00007FF78F4F0000-0x00007FF78F844000-memory.dmp
memory/5040-148-0x00007FF6C1CD0000-0x00007FF6C2024000-memory.dmp
memory/4064-150-0x00007FF742960000-0x00007FF742CB4000-memory.dmp
memory/2988-149-0x00007FF75A860000-0x00007FF75ABB4000-memory.dmp
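The dropped-file and memory-dump listing above is flat report text. The following added example (written for this page; it is not part of the sandbox report or any tool the page mentions) parses the path lines, their digest rows and the `memory/<pid>-<index>-<start>-<end>-memory.dmp` entries into records, rejects digests of the wrong length so a truncated listing does not silently become a bad blocklist, and computes the mapped size of each dump. The embedded sample is a handful of lines copied from the listing above; the function names are this example's own.

```python
import re
from collections import Counter

# A few lines excerpted from the listing above, embedded so the example runs offline.
SAMPLE_REPORT = r"""
memory/4928-20-0x00007FF660400000-0x00007FF660754000-memory.dmp
C:\Windows\System\kLEloqQ.exe
| MD5 | 58fc1c9df377796ee8550180c47423c6 |
| SHA1 | 2bb1f199a6c6f1a854c270978d80f77ef175b727 |
| SHA256 | 6806dcc3df78779f49d01daf7922c4615f298ec1201667049bcfe4680e6ebdf2 |
| SHA512 | e66ee9ef20ecc6009f8a60ccdb32f90d5a10ffa1092ee6bde40ed355ab1d07ab28b1a93b4339d7005d1a77b7d56a0b7a34acfc697e1918cbb435f977046f90c3 |
memory/456-26-0x00007FF617960000-0x00007FF617CB4000-memory.dmp
C:\Windows\System\ARAGOhS.exe
| MD5 | 05d711c42b74498f7fc678a14ad1f577 |
| SHA1 | 3ea3187f715c68903fa2fc4f7f508a75e69d0add |
| SHA256 | c122316b4ecb5fa600c23444cc11a4b7c35681bb67d82219b4909ec8b0cf6ca4 |
| SHA512 | d456944aacc89c06c90a4fcb884b26ffeeff6119919b4ba7d29be6ff40bf7e9a5de909b3d71301a162286579f7b4106a796cecd5004610fccdbe62419179c26a |
memory/4928-132-0x00007FF660400000-0x00007FF660754000-memory.dmp
memory/456-133-0x00007FF617960000-0x00007FF617CB4000-memory.dmp
"""

# Expected hex-digit length of each digest column in the listing.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\[^|]+$")
HASH_RE = re.compile(r"^\|\s*(?P<algo>MD5|SHA1|SHA256|SHA512)\s*\|\s*(?P<hex>[0-9A-Fa-f]+)\s*\|$")


def parse_report(text):
    """Return (files, regions) from the flat listing.

    files:   [{"path", "md5", "sha1", "sha256", "sha512"}, ...]
    regions: [{"pid", "index", "start", "end", "size"}, ...]
    A digest row with the wrong length, or one that is not preceded by a
    file path, raises ValueError instead of being dropped quietly.
    """
    files, regions = [], []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            if end <= start:
                raise ValueError(f"line {lineno}: inverted memory range")
            regions.append({"pid": int(m["pid"]), "index": int(m["idx"]),
                            "start": start, "end": end, "size": end - start})
            current = None  # a dump line closes the previous file's digest table
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"line {lineno}: digest row without a preceding file path")
            algo, digest = m["algo"], m["hex"].lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"line {lineno}: {algo} must be {HASH_LENGTHS[algo]} hex chars, got {len(digest)}")
            current[algo.lower()] = digest
            continue
        if PATH_RE.match(line):
            current = {"path": line, "md5": None, "sha1": None, "sha256": None, "sha512": None}
            files.append(current)
            continue
        # Any other line (headings, signature tables) is ignored.
    return files, regions


def unique_digests(files, algo="sha256"):
    """Deduplicated, sorted digest list suitable for a blocklist or retro-hunt query."""
    return sorted({f[algo] for f in files if f.get(algo)})


def region_sizes(regions):
    """Distinct mapped sizes across all dumps; a single value means every dump spans the same size."""
    return {r["size"] for r in regions}


def dumps_per_pid(regions):
    """How many dump entries the report recorded for each PID."""
    return Counter(r["pid"] for r in regions)


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE_REPORT)
    for f in files:
        print(f["sha256"], f["path"])
    print("mapped sizes:", [hex(s) for s in region_sizes(regions)])
    print("dumps per PID:", dict(dumps_per_pid(regions)))
```

Run over the full listing, every `memory/` range above spans 0x354000 bytes, so `region_sizes` returns a single value while the per-file digests all differ; hunting should therefore key on the whole SHA256 set rather than on any one dropped file.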