Analysis Overview
SHA256
e2f50456994d9a302c075d3f2495bb165a1ab78048c797f8df11984e6f23e95f
Threat Level: Known bad
The file 377ea6508a407681b85cb41cc12e3880_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
xmrig
Cobaltstrike
XMRig Miner payload
Cobaltstrike family
Xmrig family
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-11 14:11
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 14:10
Reported
2024-06-11 14:13
Platform
win7-20240508-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\iIxCBTp.exe | N/A |
| N/A | N/A | C:\Windows\System\PkGVOrv.exe | N/A |
| N/A | N/A | C:\Windows\System\vCzQdhF.exe | N/A |
| N/A | N/A | C:\Windows\System\iYwkfMa.exe | N/A |
| N/A | N/A | C:\Windows\System\YirGNOq.exe | N/A |
| N/A | N/A | C:\Windows\System\XNahEsz.exe | N/A |
| N/A | N/A | C:\Windows\System\OHBDKXd.exe | N/A |
| N/A | N/A | C:\Windows\System\LEkEKLF.exe | N/A |
| N/A | N/A | C:\Windows\System\ahuMsNm.exe | N/A |
| N/A | N/A | C:\Windows\System\JFUeVzv.exe | N/A |
| N/A | N/A | C:\Windows\System\eGLQHie.exe | N/A |
| N/A | N/A | C:\Windows\System\KFaovIT.exe | N/A |
| N/A | N/A | C:\Windows\System\aalxJtP.exe | N/A |
| N/A | N/A | C:\Windows\System\WhIMcVP.exe | N/A |
| N/A | N/A | C:\Windows\System\EmQiaww.exe | N/A |
| N/A | N/A | C:\Windows\System\BFEyJjT.exe | N/A |
| N/A | N/A | C:\Windows\System\udlMBTD.exe | N/A |
| N/A | N/A | C:\Windows\System\rPWqnWy.exe | N/A |
| N/A | N/A | C:\Windows\System\OJMSkqh.exe | N/A |
| N/A | N/A | C:\Windows\System\MVJhCOV.exe | N/A |
| N/A | N/A | C:\Windows\System\PAzfIfz.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\377ea6508a407681b85cb41cc12e3880_NeikiAnalytics.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\377ea6508a407681b85cb41cc12e3880_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\377ea6508a407681b85cb41cc12e3880_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\377ea6508a407681b85cb41cc12e3880_NeikiAnalytics.exe"
C:\Windows\System\iIxCBTp.exe
C:\Windows\System\iIxCBTp.exe
C:\Windows\System\PkGVOrv.exe
C:\Windows\System\PkGVOrv.exe
C:\Windows\System\vCzQdhF.exe
C:\Windows\System\vCzQdhF.exe
C:\Windows\System\iYwkfMa.exe
C:\Windows\System\iYwkfMa.exe
C:\Windows\System\YirGNOq.exe
C:\Windows\System\YirGNOq.exe
C:\Windows\System\XNahEsz.exe
C:\Windows\System\XNahEsz.exe
C:\Windows\System\OHBDKXd.exe
C:\Windows\System\OHBDKXd.exe
C:\Windows\System\LEkEKLF.exe
C:\Windows\System\LEkEKLF.exe
C:\Windows\System\ahuMsNm.exe
C:\Windows\System\ahuMsNm.exe
C:\Windows\System\JFUeVzv.exe
C:\Windows\System\JFUeVzv.exe
C:\Windows\System\eGLQHie.exe
C:\Windows\System\eGLQHie.exe
C:\Windows\System\KFaovIT.exe
C:\Windows\System\KFaovIT.exe
C:\Windows\System\aalxJtP.exe
C:\Windows\System\aalxJtP.exe
C:\Windows\System\WhIMcVP.exe
C:\Windows\System\WhIMcVP.exe
C:\Windows\System\EmQiaww.exe
C:\Windows\System\EmQiaww.exe
C:\Windows\System\BFEyJjT.exe
C:\Windows\System\BFEyJjT.exe
C:\Windows\System\udlMBTD.exe
C:\Windows\System\udlMBTD.exe
C:\Windows\System\rPWqnWy.exe
C:\Windows\System\rPWqnWy.exe
C:\Windows\System\OJMSkqh.exe
C:\Windows\System\OJMSkqh.exe
C:\Windows\System\MVJhCOV.exe
C:\Windows\System\MVJhCOV.exe
C:\Windows\System\PAzfIfz.exe
C:\Windows\System\PAzfIfz.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 14:10
Reported
2024-06-11 14:13
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\mtRqLti.exe | N/A |
| N/A | N/A | C:\Windows\System\bbzVQak.exe | N/A |
| N/A | N/A | C:\Windows\System\euavmrI.exe | N/A |
| N/A | N/A | C:\Windows\System\IYavAnL.exe | N/A |
| N/A | N/A | C:\Windows\System\pRoBinl.exe | N/A |
| N/A | N/A | C:\Windows\System\ZXFUSZM.exe | N/A |
| N/A | N/A | C:\Windows\System\YszoCNe.exe | N/A |
| N/A | N/A | C:\Windows\System\dLWIPVb.exe | N/A |
| N/A | N/A | C:\Windows\System\cRmbZng.exe | N/A |
| N/A | N/A | C:\Windows\System\colmeDY.exe | N/A |
| N/A | N/A | C:\Windows\System\ARrpuVR.exe | N/A |
| N/A | N/A | C:\Windows\System\JfWebqK.exe | N/A |
| N/A | N/A | C:\Windows\System\ZiBIlyB.exe | N/A |
| N/A | N/A | C:\Windows\System\ymOrjAl.exe | N/A |
| N/A | N/A | C:\Windows\System\CStYVCg.exe | N/A |
| N/A | N/A | C:\Windows\System\KlsCQSW.exe | N/A |
| N/A | N/A | C:\Windows\System\KervXwj.exe | N/A |
| N/A | N/A | C:\Windows\System\oMBqvvM.exe | N/A |
| N/A | N/A | C:\Windows\System\ziMfbIy.exe | N/A |
| N/A | N/A | C:\Windows\System\bGrLzKa.exe | N/A |
| N/A | N/A | C:\Windows\System\auHuIqQ.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\377ea6508a407681b85cb41cc12e3880_NeikiAnalytics.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\377ea6508a407681b85cb41cc12e3880_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\377ea6508a407681b85cb41cc12e3880_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\377ea6508a407681b85cb41cc12e3880_NeikiAnalytics.exe"
C:\Windows\System\mtRqLti.exe
C:\Windows\System\mtRqLti.exe
C:\Windows\System\bbzVQak.exe
C:\Windows\System\bbzVQak.exe
C:\Windows\System\euavmrI.exe
C:\Windows\System\euavmrI.exe
C:\Windows\System\IYavAnL.exe
C:\Windows\System\IYavAnL.exe
C:\Windows\System\pRoBinl.exe
C:\Windows\System\pRoBinl.exe
C:\Windows\System\ZXFUSZM.exe
C:\Windows\System\ZXFUSZM.exe
C:\Windows\System\YszoCNe.exe
C:\Windows\System\YszoCNe.exe
C:\Windows\System\dLWIPVb.exe
C:\Windows\System\dLWIPVb.exe
C:\Windows\System\cRmbZng.exe
C:\Windows\System\cRmbZng.exe
C:\Windows\System\colmeDY.exe
C:\Windows\System\colmeDY.exe
C:\Windows\System\ARrpuVR.exe
C:\Windows\System\ARrpuVR.exe
C:\Windows\System\JfWebqK.exe
C:\Windows\System\JfWebqK.exe
C:\Windows\System\ZiBIlyB.exe
C:\Windows\System\ZiBIlyB.exe
C:\Windows\System\ymOrjAl.exe
C:\Windows\System\ymOrjAl.exe
C:\Windows\System\CStYVCg.exe
C:\Windows\System\CStYVCg.exe
C:\Windows\System\KlsCQSW.exe
C:\Windows\System\KlsCQSW.exe
C:\Windows\System\KervXwj.exe
C:\Windows\System\KervXwj.exe
C:\Windows\System\oMBqvvM.exe
C:\Windows\System\oMBqvvM.exe
C:\Windows\System\ziMfbIy.exe
C:\Windows\System\ziMfbIy.exe
C:\Windows\System\bGrLzKa.exe
C:\Windows\System\bGrLzKa.exe
C:\Windows\System\auHuIqQ.exe
C:\Windows\System\auHuIqQ.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4460,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2828-99-0x00007FF6D38C0000-0x00007FF6D3C14000-memory.dmp
memory/1236-95-0x00007FF779D40000-0x00007FF77A094000-memory.dmp
memory/4872-87-0x00007FF681C90000-0x00007FF681FE4000-memory.dmp
C:\Windows\System\ymOrjAl.exe
| MD5 | 1d3a027708a48a3c73a911f7d1532fca |
| SHA1 | f960fd40bf0cf951600c386a6a9501a01e54ab51 |
| SHA256 | f4e703d98029a56b7200ca63aefb85a455d5792cd9407b54a0dc1c4762419eda |
| SHA512 | 4c0f2e25c98d407f27d4b0d85d2fe06ea754e657bc939feb907f00109c3d9db11707e7ca2d3e02171201afd527ee2b1673e434c274c030dde555dbb27b53e539 |
memory/4480-105-0x00007FF7EBCC0000-0x00007FF7EC014000-memory.dmp
C:\Windows\System\ziMfbIy.exe
| MD5 | 28f1f982eff3f18fd8edc5c8441b0430 |
| SHA1 | c332fd2e03398445155c4672ddc71ffca3153b76 |
| SHA256 | 5b08c136218d742693723972426c97c3aaffb94dfd21083ab2dfd7ef4d1f3cf7 |
| SHA512 | 46e9f216751be3df9261bed4b61b819191a8c14a49539ea13739673ed84480960b0daa39bc5dfdc375fcf317504fe02d7befc44eb206af486d3cd48ae94d4922 |
C:\Windows\System\bGrLzKa.exe
| MD5 | f8cce34c14b5cab292926ae243003d46 |
| SHA1 | 7b51d7c0b2ef7098f433fb38f163816a6583b855 |
| SHA256 | a7492bd4bf172252454d97dfbb27ba6d1098f055f88c42d2afefd0eae02ea093 |
| SHA512 | ab8bbf69b9f7603ca0fd0483d2d539ec09d72765e0a673244b6fbadc15e79f7db39889bc1ec6225b1bf055a9dd16f162e3e5e0f693dfde402be35df60660f5be |
memory/4508-119-0x00007FF799290000-0x00007FF7995E4000-memory.dmp
C:\Windows\System\oMBqvvM.exe
| MD5 | fc5f1e2bd3482d330d9dd0785b2e7b9f |
| SHA1 | 3f8868e6f433a1c17b61611e8e08f934e6ffc4b5 |
| SHA256 | 263e0eafa50b04613f6a8406b658fb54ddc92d8dfd3cffc183c6c622436dfb4a |
| SHA512 | 619a467cd8432e3e02546b3ef17ee9cfc1731eb6a524291c6053b9775e5f33609c08e7f04e3ca5e0da4ca90fce3b921b2bf3611dd9b70b6ba53e7beff178ec1d |
C:\Windows\System\auHuIqQ.exe
| MD5 | 00587c869c478e1162ffe59f2d587d43 |
| SHA1 | fd288b569333039dce299a663fe3cb5fbbf99ed4 |
| SHA256 | 058bc6dc55a03667c98335bea03aef582d2e56df8a1a6305f30a3e63da9f46ec |
| SHA512 | 7114ef7e7e30d442ae84be8233c0de8fbf978a7c47f7b60ee230eee777aae0cea15d26835f576a10004262c7bceeccddb8d6a92850a99b05b28767f57f8f8f6c |
memory/4180-125-0x00007FF727550000-0x00007FF7278A4000-memory.dmp
memory/4856-124-0x00007FF7F9980000-0x00007FF7F9CD4000-memory.dmp
memory/4820-130-0x00007FF701A90000-0x00007FF701DE4000-memory.dmp
memory/2356-110-0x00007FF635750000-0x00007FF635AA4000-memory.dmp
memory/2612-109-0x00007FF7F2C60000-0x00007FF7F2FB4000-memory.dmp
C:\Windows\System\oMBqvvM.exe
| MD5 | cefe7ebbcbdc6a5e5023e2ad8530b25b |
| SHA1 | 6e0d7ab1a6ddd7ee739d050791a70816c80e15a8 |
| SHA256 | 6ab2207c199b9f50a07b7695194b47a621541e0d37d9b22f0438e67dcb93d475 |
| SHA512 | 93f98af6631d01c751345fac9f47be26cfbc75dd9db0dd1fbd6fa2e5834aa5211f8d199ade4392a702dd45e08ec6d96b6b5fac0e6e70a1f9a03484c2b65fa844 |
memory/2356-131-0x00007FF635750000-0x00007FF635AA4000-memory.dmp
memory/1560-132-0x00007FF729F60000-0x00007FF72A2B4000-memory.dmp
memory/4092-133-0x00007FF7EF2D0000-0x00007FF7EF624000-memory.dmp
memory/440-134-0x00007FF795410000-0x00007FF795764000-memory.dmp
memory/3224-135-0x00007FF7FC200000-0x00007FF7FC554000-memory.dmp
memory/5080-136-0x00007FF718250000-0x00007FF7185A4000-memory.dmp
memory/1908-137-0x00007FF7B0730000-0x00007FF7B0A84000-memory.dmp
memory/2604-138-0x00007FF73C1A0000-0x00007FF73C4F4000-memory.dmp
memory/3228-139-0x00007FF644260000-0x00007FF6445B4000-memory.dmp
memory/2612-140-0x00007FF7F2C60000-0x00007FF7F2FB4000-memory.dmp
memory/4856-141-0x00007FF7F9980000-0x00007FF7F9CD4000-memory.dmp
memory/4324-142-0x00007FF647710000-0x00007FF647A64000-memory.dmp
memory/4252-143-0x00007FF7D9A30000-0x00007FF7D9D84000-memory.dmp
memory/3164-144-0x00007FF6AF310000-0x00007FF6AF664000-memory.dmp
memory/4872-145-0x00007FF681C90000-0x00007FF681FE4000-memory.dmp
memory/1236-146-0x00007FF779D40000-0x00007FF77A094000-memory.dmp
memory/2828-147-0x00007FF6D38C0000-0x00007FF6D3C14000-memory.dmp
memory/4480-148-0x00007FF7EBCC0000-0x00007FF7EC014000-memory.dmp
memory/2356-149-0x00007FF635750000-0x00007FF635AA4000-memory.dmp
memory/4508-150-0x00007FF799290000-0x00007FF7995E4000-memory.dmp
memory/4180-151-0x00007FF727550000-0x00007FF7278A4000-memory.dmp
memory/4820-152-0x00007FF701A90000-0x00007FF701DE4000-memory.dmp