Analysis Overview
SHA256
23bc6ed2e970b56a8dbe70ec2ab30d249e5a3bcc88b0dd91fd649e24ccbef656
Threat Level: Known bad
The file b6935bd064792dd1a38baec49c152bc0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike
Xmrig family
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-14 10:02
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 10:02
Reported
2024-06-14 10:04
Platform
win7-20240220-en
Max time kernel
138s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ccdbabk.exe | N/A |
| N/A | N/A | C:\Windows\System\EeexdnU.exe | N/A |
| N/A | N/A | C:\Windows\System\rzhXWeO.exe | N/A |
| N/A | N/A | C:\Windows\System\djLjjkv.exe | N/A |
| N/A | N/A | C:\Windows\System\eMHYxQn.exe | N/A |
| N/A | N/A | C:\Windows\System\GnafsTs.exe | N/A |
| N/A | N/A | C:\Windows\System\EAOkORa.exe | N/A |
| N/A | N/A | C:\Windows\System\cnySewy.exe | N/A |
| N/A | N/A | C:\Windows\System\dljjWnN.exe | N/A |
| N/A | N/A | C:\Windows\System\vgkfsfu.exe | N/A |
| N/A | N/A | C:\Windows\System\YYkbGGX.exe | N/A |
| N/A | N/A | C:\Windows\System\nNmvTAV.exe | N/A |
| N/A | N/A | C:\Windows\System\CMNstwk.exe | N/A |
| N/A | N/A | C:\Windows\System\LSwVMAU.exe | N/A |
| N/A | N/A | C:\Windows\System\TMImYyu.exe | N/A |
| N/A | N/A | C:\Windows\System\CicloxM.exe | N/A |
| N/A | N/A | C:\Windows\System\CDFWobf.exe | N/A |
| N/A | N/A | C:\Windows\System\ZDpIHJY.exe | N/A |
| N/A | N/A | C:\Windows\System\LiELkpU.exe | N/A |
| N/A | N/A | C:\Windows\System\GgayRXy.exe | N/A |
| N/A | N/A | C:\Windows\System\vaoFWCy.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b6935bd064792dd1a38baec49c152bc0_NeikiAnalytics.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b6935bd064792dd1a38baec49c152bc0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b6935bd064792dd1a38baec49c152bc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b6935bd064792dd1a38baec49c152bc0_NeikiAnalytics.exe"
C:\Windows\System\ccdbabk.exe
C:\Windows\System\ccdbabk.exe
C:\Windows\System\EeexdnU.exe
C:\Windows\System\EeexdnU.exe
C:\Windows\System\rzhXWeO.exe
C:\Windows\System\rzhXWeO.exe
C:\Windows\System\djLjjkv.exe
C:\Windows\System\djLjjkv.exe
C:\Windows\System\eMHYxQn.exe
C:\Windows\System\eMHYxQn.exe
C:\Windows\System\GnafsTs.exe
C:\Windows\System\GnafsTs.exe
C:\Windows\System\EAOkORa.exe
C:\Windows\System\EAOkORa.exe
C:\Windows\System\cnySewy.exe
C:\Windows\System\cnySewy.exe
C:\Windows\System\dljjWnN.exe
C:\Windows\System\dljjWnN.exe
C:\Windows\System\vgkfsfu.exe
C:\Windows\System\vgkfsfu.exe
C:\Windows\System\YYkbGGX.exe
C:\Windows\System\YYkbGGX.exe
C:\Windows\System\nNmvTAV.exe
C:\Windows\System\nNmvTAV.exe
C:\Windows\System\CMNstwk.exe
C:\Windows\System\CMNstwk.exe
C:\Windows\System\LSwVMAU.exe
C:\Windows\System\LSwVMAU.exe
C:\Windows\System\TMImYyu.exe
C:\Windows\System\TMImYyu.exe
C:\Windows\System\CicloxM.exe
C:\Windows\System\CicloxM.exe
C:\Windows\System\CDFWobf.exe
C:\Windows\System\CDFWobf.exe
C:\Windows\System\ZDpIHJY.exe
C:\Windows\System\ZDpIHJY.exe
C:\Windows\System\LiELkpU.exe
C:\Windows\System\LiELkpU.exe
C:\Windows\System\GgayRXy.exe
C:\Windows\System\GgayRXy.exe
C:\Windows\System\vaoFWCy.exe
C:\Windows\System\vaoFWCy.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1688-0-0x000000013F410000-0x000000013F764000-memory.dmp
memory/1688-1-0x0000000000180000-0x0000000000190000-memory.dmp
\Windows\system\ccdbabk.exe
| MD5 | 7aa6e59cd89513a040f0c3c63423822b |
| SHA1 | 9280ebe843d79fd8770b8d7a9bb626cf2e1f8c1c |
| SHA256 | 264d1a55b49c7a79f177e4046af9cc98d9b47fd64f237d952308eb81f81fa6b1 |
| SHA512 | 095b8709c9663d9159d820edabd0ac4d7ddb1bb541820d0f0d52b9ef1730e8a534db441d757fbccc5ac6014e25aff2598fbe1657a07b6377e81bf164b1e9d3c7 |
memory/1688-6-0x0000000002310000-0x0000000002664000-memory.dmp
\Windows\system\EeexdnU.exe
| MD5 | 0804a65dd816028a5f75177aa2abc157 |
| SHA1 | 905ed03d8acbe063d37e268b04f200de5df2f8a7 |
| SHA256 | 458ffc743284be57571205f253b4f187b952e5c46959009df29f8aec25073554 |
| SHA512 | 6a54dad1830097392b9d8d725130613aac055bc8a06ed5293399bd4e2ccc570bbd6ee2ef108d43c2ff7ed0d96ef1881a44f7c55f9c32d4f31c25d30c9f737d6c |
memory/1248-8-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
\Windows\system\rzhXWeO.exe
| MD5 | 9d9efb9f8cb363408be8b33f2342edf3 |
| SHA1 | e67e9b2f945ebfcdc17a9739742a22dee066a438 |
| SHA256 | e4a2bd31264bbddb89caba8e83913f50ba9a90b1d4c5801bba7fd45047ce55e3 |
| SHA512 | 4eb0af7b9104c2793a26a1a3f843436cf1fdf5909ff7af8d852edf2c93420bc80b52f7d82aaba2b295ab358c29b7678cd7cea84f58c791ea3587ae75ab4a3342 |
memory/1688-13-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2156-22-0x000000013F1B0000-0x000000013F504000-memory.dmp
C:\Windows\system\djLjjkv.exe
| MD5 | 1b6e523166a02dae7bb6f036170e9b94 |
| SHA1 | b83e5a12800a603ca392c9fbd88895fbb2faa6bb |
| SHA256 | f5c9b6c2cc4e9919a8b5132db61dd527125e6731bb2bcbe7df404e2167e8eaf2 |
| SHA512 | c50a60d52f71a59cabb96dbe4005db66208408f85ef5abddffc0a6818c204d9b84471f5262594817dee946d4fa580eae11d105b1ce69ec9930c80600c7383b6f |
memory/2660-30-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/1688-27-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/1688-20-0x0000000002310000-0x0000000002664000-memory.dmp
memory/2168-19-0x000000013F930000-0x000000013FC84000-memory.dmp
\Windows\system\GnafsTs.exe
| MD5 | be7838d8c01ba92978de45d11962de6c |
| SHA1 | f5f6771f0e3a9f28f6de4cf9a93aac428c49cb27 |
| SHA256 | 7f4f1ca7e0e430e5128aaa96bdef8f4224bc24da90547144b53e4f05fd02c807 |
| SHA512 | e40907abae145e41fa035282e34bcc4d95d4c3ffb23aa3b3fd0d6a89a228059de3d1c389d7c36ccf413fa74ca57e488459355c050aecfbcb7968b06e088cff96 |
C:\Windows\system\eMHYxQn.exe
| MD5 | ceaa648a0f2de41199e4a3c409476b8d |
| SHA1 | 3ff918f796a332ffaab30b39d9b8ddf90e2509e8 |
| SHA256 | a89e599817b1e02c25cff0bad8de828cc7f50cb742811dc16cb8462e3d515cdb |
| SHA512 | 78c04fb0b33a074717b54d71411cba626f59abbe083ebc6f6267a473c572ce306bf93393bdc8b4785787ee52a1c46c189ceb669d157e34e7cb88cf198f49d96b |
memory/1688-34-0x0000000002310000-0x0000000002664000-memory.dmp
\Windows\system\cnySewy.exe
| MD5 | c85197e0fbcb6f0f8fd9ab6450093fa6 |
| SHA1 | ae31e64b3f3b53f92c21987bd5b9e0e590bc8274 |
| SHA256 | b2f27ad5bc7f7cc98eb031c0b1496e0e7d2274742581fc725850af0aba655469 |
| SHA512 | 277c4d7a6c1881a1cd55e75ad02cdf3808c3661c231810fb13265eafbdf2568acb8a81dddaae93c6c5f5bd71e6c64e16a89f30a48a0eb89db4d4325a3f9836c8 |
memory/1688-58-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2620-59-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2640-53-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\vgkfsfu.exe
| MD5 | cd72c9b2a831d7d89baf9ad8b70dcc86 |
| SHA1 | 09453540d81f94a03af3da5480a13d4ab3ec55e0 |
| SHA256 | c9dc88e70e7440d25261597fbdcc4f1655f91f91392cfeefab92b57d14b25096 |
| SHA512 | 232291ae2c0553933e4df3910fad0c00332b8cd8442fd6bed9d1a6ea4bb6dc1ca71925a50d45c1b3d4c974ec36a92c388647c107a7b102dc1feac16170eb8f21 |
memory/1688-72-0x0000000002310000-0x0000000002664000-memory.dmp
memory/2920-73-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/2492-66-0x000000013F440000-0x000000013F794000-memory.dmp
memory/1688-84-0x000000013FE10000-0x0000000140164000-memory.dmp
C:\Windows\system\GgayRXy.exe
| MD5 | 40e1ffeca22b21a536b90abc10b73012 |
| SHA1 | 26c09d85f4803854fe4ab4db2545da265336ee8a |
| SHA256 | fafaf06ffcd47cfcf9139b35ea738ac5c6b99cf75e5aff89b5ac2e085c4d7834 |
| SHA512 | fd86ae98d0da6f4f4a251280ef0e7f0d5a8007d32f477d1d6d9a905d9f36968ad142cf72ec22a5d177f378abe01b3d8a46283a443e5290642584f35d3776be78 |
\Windows\system\vaoFWCy.exe
| MD5 | 583cffc3275e1f3a8e6c903723ec0335 |
| SHA1 | 435b49009f84705e8a1208af2923c2a8cce617c5 |
| SHA256 | 4bb0ee6b952dbb792ae159273db6fee59f2027629571dc5606325fbf398e8efb |
| SHA512 | b862546260f5b58c3323ffa1286c6301ac7aa85db8f141611480ae7183a0862a2fb4a733d4b75b29a0de293b956658f8b34a429c2c1a8e6f7d6df9ff31fdc29f |
C:\Windows\system\LiELkpU.exe
| MD5 | 6e13b7e0605ec0da8b105a6bfdf1de27 |
| SHA1 | 8f227b619578a08a0a59f23d60b977843b6618ef |
| SHA256 | 76ecf8e72950979994e97ee705775468a7fc89b7dd9de7292f41fd94bc870791 |
| SHA512 | 082aedea52b9fba54fdfef4627772024fb939a61746a4c3d28deebe9bdf3f11bbac1eaa5bafc5a6639693f21eb7853cd55e63d7e22908acd13d341d7661c9272 |
C:\Windows\system\ZDpIHJY.exe
| MD5 | 6bf4cf983a224c4998c6454889213f25 |
| SHA1 | 7f785a17b773d4cb191b5c45c48db33cbbf46511 |
| SHA256 | 381d3c16f03183a77f50b42eb884a71771cdc31c35d968d63990083698647183 |
| SHA512 | 4330dd02bdb1aa5be38022db09a81d79cf1a219f7f3050a67afde50a7e0ec7b673a0d3d74ec87184cc3c11f6da12d625e6cfc62fd05cca312198b7d60e242294 |
C:\Windows\system\CDFWobf.exe
| MD5 | 3689d0a76c9551aef431ccfc5f9102c4 |
| SHA1 | d434bbd6e469b121e4a6924cccec2b577f1d4135 |
| SHA256 | d9ee390b4305e1c987dfbe38138947f6f76b32e737742ef706364202ff944975 |
| SHA512 | 8c443c87285848c8b2913433cf093f621a5d1ecdf3b74084f8491449aa92838a359e4ec3eccddd113e7a651a5fb71332206a8b9c77130200bdba2e09c7b33f40 |
C:\Windows\system\CicloxM.exe
| MD5 | e6b2c83898a005d3d5f4ec139b51ddc6 |
| SHA1 | 7f554b8b022674d1418c881179dd16df11a20aad |
| SHA256 | 3dd27883c1e68f2c2963588fe36456e125e2aec44af405ff4a5d73f310389017 |
| SHA512 | 00bee514f198cb352b8331510fa0089f038b93167bec714e09510250d5953affe2a7424a51af5a2ad67a5cda8387ae65d350092022ef43b80a2b747c40e1854a |
memory/1688-99-0x000000013F8F0000-0x000000013FC44000-memory.dmp
C:\Windows\system\TMImYyu.exe
| MD5 | 4ddcaac9e5e47b88c1303712c3796ac2 |
| SHA1 | 51ef5e8502ffb4a9c58b9d23e61a5ccd6596ecac |
| SHA256 | 827b261c0f75861c38b8bad7f13f94e2529d6585e0f0508a7af2c6cba4709976 |
| SHA512 | d6b0806d7c3cf89f08dcf0a56654a06157842956f964ab0c69fda76fb09ffd9941188160f214cdc1e92b568ff0106b94cccb6e5c8860940b7187f4a5a192d43f |
memory/2824-95-0x000000013F420000-0x000000013F774000-memory.dmp
memory/1688-94-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\LSwVMAU.exe
| MD5 | b727a1e12a9e142445e056c5b499a15c |
| SHA1 | 83846705f0c628a96ebb5cc57942e92f0c6a0fde |
| SHA256 | 9d6c55fe362b64fd02612e522561eef8abaaecb15c23d3dbcb575b1ecdc3be7d |
| SHA512 | 15f8750662663f7820288689d0baf93999e6611b48c1c2d7b2fe135234d6f4b80816baa79caaac7af19b9c4492444e1fdb71ad2c26cdadbb93a2264342baa936 |
memory/2704-89-0x000000013FF50000-0x00000001402A4000-memory.dmp
C:\Windows\system\CMNstwk.exe
| MD5 | 393616bd421ec78ab9c1b1ec597f0a15 |
| SHA1 | c9d85551163c8df1f97cb17fa0ca049982e13251 |
| SHA256 | d8866f6402e688fad063c036ca7a17344f27827a04dfba79da2788a84b54a5b0 |
| SHA512 | f740ed4cb58e8b45bfddbea396c7cfafa39ace42d5dcb3278c1af8f33756bbf229769c7f46f7cc6cb10e3ca955844343147534f493bcd3b7419bea10510001a5 |
memory/2604-83-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/2944-78-0x000000013FA50000-0x000000013FDA4000-memory.dmp
C:\Windows\system\nNmvTAV.exe
| MD5 | 496fa23adc6dbde9f0c6052671126850 |
| SHA1 | d071c57a4b8cc05c88420b7478a0c5d0325fe724 |
| SHA256 | 76456bab0cfe0cc0cb7869b13980d4ab9b05abfd023dcc6268705ef4088f7501 |
| SHA512 | e1a13f5f83f39418e3930d2732e7dd1ab9b63650352760ba209868f7e3248c16330097ef0006bfcafd49f4833a0040b7448149023e4ac1e88b6546ce9403205a |
C:\Windows\system\YYkbGGX.exe
| MD5 | 48504d5637c884fc2091ab66e276f0d7 |
| SHA1 | 78316faaeac99eff41c69c1847db2dd09b157aa8 |
| SHA256 | 9608fa20a7ef0b29842f6c63074a390598e4ddc0e422ecbef0e6eee5efa5c7fd |
| SHA512 | baa8e0a73892fb7f4809afd60fe4a8b84208726d79585772900f7e568279fde6fdc63d6e9600323c5b02fd67ecda7be6bddf445bf6571c3a0496624afecbc617 |
memory/2660-71-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2156-65-0x000000013F1B0000-0x000000013F504000-memory.dmp
C:\Windows\system\dljjWnN.exe
| MD5 | 03f94614db44f113a0359f62b9775cf1 |
| SHA1 | 81c67b0b189908f8b4e969fa821b6c272eafcecb |
| SHA256 | f98b62b3c02505d19d603b9109673c467f907d4ef1e08c65f7a3cb4c5609b364 |
| SHA512 | fc43047794119bb4100ccf6b33ad5b619e21ff03d04498770d4eedcbd418debf4f59a8005ddb904c6d7e751cfe653ebeb19c8d17608a9ca072db3ef996ebdb23 |
memory/1688-63-0x0000000002310000-0x0000000002664000-memory.dmp
memory/1248-52-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
C:\Windows\system\EAOkORa.exe
| MD5 | bbb078a7bee1193a4774d4f1230435bd |
| SHA1 | a998c3c4ad104d652cfd4cb440147efafa7b49a2 |
| SHA256 | 0d0d2b5ae355853bb8fd6229421e6e199bf6880f9be9fc027c0965b78d5c23af |
| SHA512 | 8fdd4cbc018d8fb705b9f097f53b023a4511260cfecc5e93a214173c6266ce8c317dbaa5016339fe86015e50ba456aa60e08743d7c2d2572ff64f29af2b94a5c |
memory/1688-50-0x0000000002310000-0x0000000002664000-memory.dmp
memory/2684-49-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/1688-48-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1688-46-0x000000013F410000-0x000000013F764000-memory.dmp
memory/2604-44-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/1688-36-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2620-140-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/1688-139-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/1688-141-0x0000000002310000-0x0000000002664000-memory.dmp
memory/2492-142-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2920-143-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/1688-144-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2944-145-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/1688-146-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2744-147-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2704-148-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2824-149-0x000000013F420000-0x000000013F774000-memory.dmp
memory/1688-150-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/1248-151-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2168-152-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2660-154-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2156-153-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2604-155-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/2684-156-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2744-158-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2824-160-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2620-159-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2920-157-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/2704-164-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2944-163-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2492-162-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2640-161-0x000000013FEA0000-0x00000001401F4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 10:02
Reported
2024-06-14 10:04
Platform
win10v2004-20240611-en
Max time kernel
138s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fMxGlBc.exe | N/A |
| N/A | N/A | C:\Windows\System\RNYFgWJ.exe | N/A |
| N/A | N/A | C:\Windows\System\aqRCnpR.exe | N/A |
| N/A | N/A | C:\Windows\System\DrotEMp.exe | N/A |
| N/A | N/A | C:\Windows\System\vnETSyi.exe | N/A |
| N/A | N/A | C:\Windows\System\IwFSGAF.exe | N/A |
| N/A | N/A | C:\Windows\System\OdDMGGj.exe | N/A |
| N/A | N/A | C:\Windows\System\uvkWbGc.exe | N/A |
| N/A | N/A | C:\Windows\System\fOiyCNP.exe | N/A |
| N/A | N/A | C:\Windows\System\HHBoBjX.exe | N/A |
| N/A | N/A | C:\Windows\System\usQstBS.exe | N/A |
| N/A | N/A | C:\Windows\System\nnilHjE.exe | N/A |
| N/A | N/A | C:\Windows\System\IVdENCW.exe | N/A |
| N/A | N/A | C:\Windows\System\ngKATfj.exe | N/A |
| N/A | N/A | C:\Windows\System\KttkbNe.exe | N/A |
| N/A | N/A | C:\Windows\System\LGQpvgO.exe | N/A |
| N/A | N/A | C:\Windows\System\SETFKxK.exe | N/A |
| N/A | N/A | C:\Windows\System\WzMQPie.exe | N/A |
| N/A | N/A | C:\Windows\System\wPwYaIt.exe | N/A |
| N/A | N/A | C:\Windows\System\VYIcFTD.exe | N/A |
| N/A | N/A | C:\Windows\System\GUwcWNP.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b6935bd064792dd1a38baec49c152bc0_NeikiAnalytics.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b6935bd064792dd1a38baec49c152bc0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b6935bd064792dd1a38baec49c152bc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b6935bd064792dd1a38baec49c152bc0_NeikiAnalytics.exe"
C:\Windows\System\fMxGlBc.exe
C:\Windows\System\fMxGlBc.exe
C:\Windows\System\RNYFgWJ.exe
C:\Windows\System\RNYFgWJ.exe
C:\Windows\System\aqRCnpR.exe
C:\Windows\System\aqRCnpR.exe
C:\Windows\System\DrotEMp.exe
C:\Windows\System\DrotEMp.exe
C:\Windows\System\vnETSyi.exe
C:\Windows\System\vnETSyi.exe
C:\Windows\System\IwFSGAF.exe
C:\Windows\System\IwFSGAF.exe
C:\Windows\System\OdDMGGj.exe
C:\Windows\System\OdDMGGj.exe
C:\Windows\System\uvkWbGc.exe
C:\Windows\System\uvkWbGc.exe
C:\Windows\System\fOiyCNP.exe
C:\Windows\System\fOiyCNP.exe
C:\Windows\System\HHBoBjX.exe
C:\Windows\System\HHBoBjX.exe
C:\Windows\System\usQstBS.exe
C:\Windows\System\usQstBS.exe
C:\Windows\System\nnilHjE.exe
C:\Windows\System\nnilHjE.exe
C:\Windows\System\IVdENCW.exe
C:\Windows\System\IVdENCW.exe
C:\Windows\System\ngKATfj.exe
C:\Windows\System\ngKATfj.exe
C:\Windows\System\KttkbNe.exe
C:\Windows\System\KttkbNe.exe
C:\Windows\System\LGQpvgO.exe
C:\Windows\System\LGQpvgO.exe
C:\Windows\System\SETFKxK.exe
C:\Windows\System\SETFKxK.exe
C:\Windows\System\WzMQPie.exe
C:\Windows\System\WzMQPie.exe
C:\Windows\System\wPwYaIt.exe
C:\Windows\System\wPwYaIt.exe
C:\Windows\System\VYIcFTD.exe
C:\Windows\System\VYIcFTD.exe
C:\Windows\System\GUwcWNP.exe
C:\Windows\System\GUwcWNP.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2472-0-0x00007FF7F4A90000-0x00007FF7F4DE4000-memory.dmp
memory/2472-1-0x0000024CC92C0000-0x0000024CC92D0000-memory.dmp
C:\Windows\System\fMxGlBc.exe
| MD5 | 6d0e73c4529db8498a8e27e33f806b46 |
| SHA1 | 5e9e78c34c8298510b181aebc122b304fdc788b8 |
| SHA256 | 5fcda2983bfdf708734cae2769f21abd634f24349c1d53846ebc15b259470897 |
| SHA512 | 8e33b47352d61f97240f9964e7dd7c5a7b7697459825f44e8dda05b653091023f8751654cf05b22f378b7436c98034cd030936791672ba21f4aef3f854cf697c |
memory/3620-8-0x00007FF732A70000-0x00007FF732DC4000-memory.dmp
C:\Windows\System\aqRCnpR.exe
| MD5 | 3633b551e44477635844672db107f512 |
| SHA1 | 0194db791bf365337ba62c13f5ca6509355c15bd |
| SHA256 | 5da0e82a61cf82579ab61aabf779d226aedf3780a90faa2409f9e1ebd6bc005a |
| SHA512 | 317f3155876c88a333ac95394a71b84acc6d8bed4cc69229f90a469e38a5c19fc5bf61a92a04761e51843a30e29838b49f8097fce05b1de7aa6171e91888e8dc |
C:\Windows\System\RNYFgWJ.exe
| MD5 | c3b28b69090899c12b546e4c62158279 |
| SHA1 | 220a420a8e6ab0cea43fe5832084d81ba244428c |
| SHA256 | 3ff05d5eb2dee1f37d3dc2ebe84a02a5240d58c68642e2cbcdef54dc630be269 |
| SHA512 | 684fe78c8085b06f64a85bde46528c81498fcf5a2e1fea2913102a6d3c69a612b863b5b45d30ff84d8c9ec5c7b0720ca6cc2907524fe74795a580bd9c87cb2a7 |
memory/4580-14-0x00007FF6880B0000-0x00007FF688404000-memory.dmp
C:\Windows\System\DrotEMp.exe
| MD5 | ae08bc2b924f8b5223c7c301b492ec4c |
| SHA1 | 80cece3d97c5fc8e38fa3dc1ca28496bd01ba12f |
| SHA256 | 86e0dd89993e1903d5165b8d5e20c1ea1969a9ce5a8d42ff82085088d3cbf310 |
| SHA512 | 7970b9ebb0813699818b7ed0cd3639ecec79cdf089827c52ff031cfce070b7d3e090df4628ec03804d77948bd996fd2439033ccc5d743d4c06c5fbbf0fb215ec |
memory/2768-24-0x00007FF6456B0000-0x00007FF645A04000-memory.dmp
memory/1048-20-0x00007FF66C160000-0x00007FF66C4B4000-memory.dmp
C:\Windows\System\vnETSyi.exe
| MD5 | b8221ba6f0495d772d31846cfc4012fc |
| SHA1 | 95cdcd67747a5bafb6181db17394ba4e1038b208 |
| SHA256 | bca8b53c3fb9b79278eea5da67b780cac10dac87a434833e3a65ea1000e731a9 |
| SHA512 | 5ae82fe91b30df000b544db2d248ddf1ec63b7fa1e568a2dc0fd8950fd00ae26ba7fc879057126a38b9e7ea756bf4569a667d706a93a5ab4ae8bb2866de0bf9f |
memory/2056-32-0x00007FF71F420000-0x00007FF71F774000-memory.dmp
C:\Windows\System\IwFSGAF.exe
| MD5 | 80e8d31f4035c211d68707c18354261d |
| SHA1 | da5f80c4fb6f4e65b04a99c6a3d35a156ba7eb07 |
| SHA256 | 42920d6df413622e1e841e0cd6a4db680417c8514733a802f97db0489e7c3f99 |
| SHA512 | 731128c41d8b3b9b6279ae047a6d5c50a511ba96d7fff48e636356efd1238913dce9ec0bda546e4af1c73898828ef629d9bdc52bf914f44217d1284760e39363 |
memory/3080-38-0x00007FF6695C0000-0x00007FF669914000-memory.dmp
C:\Windows\System\OdDMGGj.exe
| MD5 | 58a2bacdfe85e172d4ca7dc3fba5176b |
| SHA1 | 2da7da9f347641abd9dfafef9b2daccdd8515d38 |
| SHA256 | fb938f3b7dce8f1ac408d4430f4d78cbed91ff78795f1c09a7f1ded6067fc919 |
| SHA512 | 3f4bc831a0cd75af3f5118092e1d5c80ec374f8bee24d2f0b0591804f6a9933a5f30bbdb8df92385dd7534cf6df2e4a46f43722e715e5dd39ed3e577aa59ad63 |
memory/4512-44-0x00007FF69E860000-0x00007FF69EBB4000-memory.dmp
C:\Windows\System\uvkWbGc.exe
| MD5 | 45680382ad6163e9d697d12fe0a30022 |
| SHA1 | bc889b301001a4560b4010b0a1b78a6227f5f5ae |
| SHA256 | d8b70b6879e4e3d6219c3ad698a7dc4c121aad063ba22484a22669dafc2d131c |
| SHA512 | 1f7d657d791c29c9675e84339c3871eb05da085af4139770d1849da38ebce24410fbf6882cf8d26d0f424cb33e9448ee2aad064d52f43022dcd839b5ac6d1b5d |
memory/3216-50-0x00007FF7C6970000-0x00007FF7C6CC4000-memory.dmp
C:\Windows\System\fOiyCNP.exe
| MD5 | c7481bb74c9b3b7cc4ee70eefbc5adbb |
| SHA1 | cbcd53826848d7500f824f0fb893ccbcb71d926c |
| SHA256 | eb51931e70f5e2672a1a1d2d4ef991359882c8da27f7937709923d0b5bfe4c1a |
| SHA512 | 3babdb6ddad7c094261aeb817003694db01032e9dc814dc089b2dde49554a06c00db3ac1396d532ff5e6018a6fdc7aa600657983c3d4fb2131e05e44978ae377 |
C:\Windows\System\HHBoBjX.exe
| MD5 | c5d4889a855d2345dbf113c60d54d136 |
| SHA1 | 67970aba28b1ac44054cd1d388a602b885583c7a |
| SHA256 | 5216597e923f594818308377ffcd88e2efec0e370666635641f855bc86cf3237 |
| SHA512 | 9b9cf6a95eaf068d94fd095ff8cc5a1bb419c430224a511653093c9ba01d45cb6ce6ac32f2b4cbbd8cae7febe16ccde16e9b00229cee8d8429c0215b1ba3eb9e |
C:\Windows\System\usQstBS.exe
| MD5 | a529a65701b71c992f85aec240e1e6c1 |
| SHA1 | c337582094a215addf58c1e768125ca3de7ee6a2 |
| SHA256 | 6ecd65d9fa2994e7f40fb4d50c747d4c06408bd2518e65d1bb82cd60926db002 |
| SHA512 | baca646184622f056e0b77283f7a97fed67c5aecffcea4ff3de1b3b6d7b457992afd6d8724fc931002a831861866a0f60737f532ce21eed239c1e3b6d3bf4e17 |
memory/1644-73-0x00007FF7248E0000-0x00007FF724C34000-memory.dmp
C:\Windows\System\IVdENCW.exe
| MD5 | 7a4afa8f2edd36d1f1f5882a4a76ca0d |
| SHA1 | cd4a8ba05efc061260cc8a0fe7726945a7cdb9b1 |
| SHA256 | 273cff88ae6fa41c5f01e9e4548625be684029af636d79a227776b6e8a147acd |
| SHA512 | 7172ef694b079622c496a8579e4fab9de93dfe519ebd27d2dafdd47387470ccc638a1f2cd5c7e4e06cee3cf490a2d9f8f9ddfe5963db497488615aba0d009294 |
C:\Windows\System\KttkbNe.exe
| MD5 | 35b77622623775e17e3a259bc8c6df90 |
| SHA1 | aa9f64162634c1120235a9dfb386c6fbf2e4b406 |
| SHA256 | f66ba373909c2932b5474a684c883184a24d32899b9eb708ac20a0417502adbb |
| SHA512 | 968ab1a78627a96c753086ebb6bd4e4c8d33d98d8e3afecfc4f3356a50a549330acbc9a350279c6a5f84030c0d6ff7b7774d628e01210647c4f57ce2a02331d9 |
memory/3892-91-0x00007FF7EC370000-0x00007FF7EC6C4000-memory.dmp
C:\Windows\System\ngKATfj.exe
| MD5 | 06b488367b14e6ea33c9db3e12d8d0af |
| SHA1 | 599f3e16cc4118485914ffc7347631a8308d97d8 |
| SHA256 | 175bd1e584834f6f25ab4dae51f07b09d3d40d6d7553d6b89b40b6fc1749667b |
| SHA512 | dacf9b2136c3a881ee1e545e465d1b12cccf3f3ac8bd3cc4152a9629c9dce9000d39b24cdcafd1346b120bd66729e503df5e1a3dd123ad2ef09c38181a3922c5 |
memory/656-89-0x00007FF694D50000-0x00007FF6950A4000-memory.dmp
memory/1048-88-0x00007FF66C160000-0x00007FF66C4B4000-memory.dmp
memory/3952-85-0x00007FF690A70000-0x00007FF690DC4000-memory.dmp
memory/4580-76-0x00007FF6880B0000-0x00007FF688404000-memory.dmp
C:\Windows\System\nnilHjE.exe
| MD5 | 19d571aa6ece9402c75d78567d94c51b |
| SHA1 | ef67b86ede07fb16675d515ea452794dab4c8908 |
| SHA256 | c97210d4a7c301bed75004e96695f1cf0c32cb8042b267298d9dca6929ae0268 |
| SHA512 | d499ac88f5ea01630ad2d51d4989f5dfbe62cf0ece8ca39463192c086fe85df027bd9d419e7863863b03807c732abe8baea4e4d5af426f6744240ebf7e3fb756 |
memory/3620-69-0x00007FF732A70000-0x00007FF732DC4000-memory.dmp
C:\Windows\System\GUwcWNP.exe
| MD5 | c01ff6aa3ab1047c21bd921d9f55f06d |
| SHA1 | 4ce2ff8e5c37f1ae19fd854b3607a9d5e3176f51 |
| SHA256 | 59fef7ac59f48cfc76858b1e352915a799e4183c02c5c4b1c782281c9845aed1 |
| SHA512 | 6398418e9190f1bc18a56dd11e920db7492a6c892bd377e7263acde3e4fdf30ab2677c7c056a5d9282a4004d58b6afe7e90660cd132e289dbe654ba5637cd5c1 |
C:\Windows\System\VYIcFTD.exe
| MD5 | cc98101412de366a88fdafed6bdf5ad7 |
| SHA1 | 81c5ea78aae8ba41e4b2dd015b39deb45c6164c6 |
| SHA256 | b28206876dc5283bee670ece419e3a17e521a792b0044fb715c025a332d3ebb3 |
| SHA512 | e281eafbb9e840533ca803aece800026c1559377d75ce26a53061fd5d21bd8157c08a1d54881f7f76195eb8dc34ac392afcfd6b987f0c317907d99a9bbe8c17e |
memory/2768-114-0x00007FF6456B0000-0x00007FF645A04000-memory.dmp
C:\Windows\System\WzMQPie.exe
| MD5 | 89681aa5e43d72944f38e9cc12d98c77 |
| SHA1 | 36b54d34a8c7ff25e005702e537d276ba462f1a4 |
| SHA256 | 5f6bf17d2f3a1be7b015c07bdc5cdf16a29018a63586ef0a09280e969841a0a1 |
| SHA512 | d25ed9b2b7034eb2abdcc7fa81bf80daf9c7751b504ce772bed068deb2f207c397d0c443a31fa5967630da1eafb9b713ad6678da99f83a8ec54e41487e56a354 |
C:\Windows\System\wPwYaIt.exe
| MD5 | 25de44eef0340883c3418c0ee0e65aca |
| SHA1 | b39911ab2459abfa2bb014a9180d01546f6c43cf |
| SHA256 | 15859161614a0af0d28a5218ec1ca407c076a5d1c4d9472c87ac4cdd3f165ef7 |
| SHA512 | 1c01f408acbdc7da50ad6f1d70a3e9eed92b17b39a465663de5d3b61b019dea1a7cf1cce11e2725f5f3cbe7bc58e4f21d188f15e0359c43878823183f30e490a |
C:\Windows\System\SETFKxK.exe
| MD5 | c1bb54503ec3b71718821296e53c5262 |
| SHA1 | 9e584e9423f8d64d01e8b4ebaf108f69c0317766 |
| SHA256 | bab6e95af410467a3b5e12022e6ba8a01747aba74b0a5582bc461c29cbcf41d3 |
| SHA512 | 7f623b002e07299e52f9a4469eed2612dce37f7675e30e606352c8156d320bf6d3ae8004c5c0676efac3568da10f9666b6805f0162f83676e618f73799820b9c |
C:\Windows\System\LGQpvgO.exe
| MD5 | 313591de7bfe2bcbe21e5fc7251fc632 |
| SHA1 | a58c0894650f794b45bc0323722d392718d81799 |
| SHA256 | 5fa77975c5278b710a2ecfb0c600d3354ae69b5e578ec00015fff1e450f9ecb1 |
| SHA512 | a6fa2816cedf6773d91684b3b3d0e5a5d20947adf97ec99d494d368065c1c7a453fd0daadfafa8e6debf843512569ffb00f6dabc88d07604a1f4aad978d35c40 |
memory/4264-65-0x00007FF7843F0000-0x00007FF784744000-memory.dmp
memory/2472-62-0x00007FF7F4A90000-0x00007FF7F4DE4000-memory.dmp
memory/1916-61-0x00007FF642780000-0x00007FF642AD4000-memory.dmp
memory/2392-126-0x00007FF610700000-0x00007FF610A54000-memory.dmp
memory/628-127-0x00007FF62A290000-0x00007FF62A5E4000-memory.dmp
memory/3256-128-0x00007FF7F7740000-0x00007FF7F7A94000-memory.dmp
memory/2440-129-0x00007FF7A8100000-0x00007FF7A8454000-memory.dmp
memory/3088-130-0x00007FF64D2B0000-0x00007FF64D604000-memory.dmp
memory/4400-131-0x00007FF6993A0000-0x00007FF6996F4000-memory.dmp
memory/3156-132-0x00007FF639890000-0x00007FF639BE4000-memory.dmp
memory/3080-133-0x00007FF6695C0000-0x00007FF669914000-memory.dmp
memory/3216-134-0x00007FF7C6970000-0x00007FF7C6CC4000-memory.dmp
memory/3892-135-0x00007FF7EC370000-0x00007FF7EC6C4000-memory.dmp
memory/3620-136-0x00007FF732A70000-0x00007FF732DC4000-memory.dmp
memory/4580-137-0x00007FF6880B0000-0x00007FF688404000-memory.dmp
memory/1048-138-0x00007FF66C160000-0x00007FF66C4B4000-memory.dmp
memory/2768-139-0x00007FF6456B0000-0x00007FF645A04000-memory.dmp
memory/2056-140-0x00007FF71F420000-0x00007FF71F774000-memory.dmp
memory/3080-141-0x00007FF6695C0000-0x00007FF669914000-memory.dmp
memory/4512-142-0x00007FF69E860000-0x00007FF69EBB4000-memory.dmp
memory/3216-143-0x00007FF7C6970000-0x00007FF7C6CC4000-memory.dmp
memory/1916-144-0x00007FF642780000-0x00007FF642AD4000-memory.dmp
memory/4264-145-0x00007FF7843F0000-0x00007FF784744000-memory.dmp
memory/1644-146-0x00007FF7248E0000-0x00007FF724C34000-memory.dmp
memory/3952-147-0x00007FF690A70000-0x00007FF690DC4000-memory.dmp
memory/656-148-0x00007FF694D50000-0x00007FF6950A4000-memory.dmp
memory/3892-149-0x00007FF7EC370000-0x00007FF7EC6C4000-memory.dmp
memory/3088-151-0x00007FF64D2B0000-0x00007FF64D604000-memory.dmp
memory/2392-152-0x00007FF610700000-0x00007FF610A54000-memory.dmp
memory/2440-153-0x00007FF7A8100000-0x00007FF7A8454000-memory.dmp
memory/4400-154-0x00007FF6993A0000-0x00007FF6996F4000-memory.dmp
memory/3156-150-0x00007FF639890000-0x00007FF639BE4000-memory.dmp
memory/3256-155-0x00007FF7F7740000-0x00007FF7F7A94000-memory.dmp
memory/628-156-0x00007FF62A290000-0x00007FF62A5E4000-memory.dmp
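The listing above is flat: a dropped-file path is followed by four hash rows, and memory-dump names encode the PID, dump index and mapped address range. Below is an added example (not part of this report or the sandbox's own tooling) that parses that layout into IOC records, rejects hash rows whose digest length does not match the algorithm, collapses the repeated dumps of one PID into a single address range, and checks whether every dumped region has the same size. The sample text is copied from this report's lines; the function and class names are this example's own.

```python
"""Parse a flattened sandbox 'dropped files / memory dumps' listing into IOC records.

Added example, not part of the original report. SAMPLE is constructed from lines
copied verbatim from the report; all helper names are this example's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a slice of the report's dropped-file and memory-dump lines.
SAMPLE = r"""
memory/2056-32-0x00007FF71F420000-0x00007FF71F774000-memory.dmp
C:\Windows\System\IwFSGAF.exe
| MD5 | 80e8d31f4035c211d68707c18354261d |
| SHA1 | da5f80c4fb6f4e65b04a99c6a3d35a156ba7eb07 |
| SHA256 | 42920d6df413622e1e841e0cd6a4db680417c8514733a802f97db0489e7c3f99 |
| SHA512 | 731128c41d8b3b9b6279ae047a6d5c50a511ba96d7fff48e636356efd1238913dce9ec0bda546e4af1c73898828ef629d9bdc52bf914f44217d1284760e39363 |
memory/3080-38-0x00007FF6695C0000-0x00007FF669914000-memory.dmp
C:\Windows\System\OdDMGGj.exe
| MD5 | 58a2bacdfe85e172d4ca7dc3fba5176b |
| SHA1 | 2da7da9f347641abd9dfafef9b2daccdd8515d38 |
| SHA256 | fb938f3b7dce8f1ac408d4430f4d78cbed91ff78795f1c09a7f1ded6067fc919 |
| SHA512 | 3f4bc831a0cd75af3f5118092e1d5c80ec374f8bee24d2f0b0591804f6a9933a5f30bbdb8df92385dd7534cf6df2e4a46f43722e715e5dd39ed3e577aa59ad63 |
memory/3080-133-0x00007FF6695C0000-0x00007FF669914000-memory.dmp
memory/3080-141-0x00007FF6695C0000-0x00007FF669914000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest


@dataclass(frozen=True)
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (dropped_files, memory_regions) from a flattened report listing.

    Hash rows attach to the most recent path line. A row that appears before any
    path, or whose digest length is wrong for its algorithm, raises instead of
    being stored, so a truncated or mangled copy of the report cannot yield a
    bad indicator.
    """
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(idx), int(start, 16), int(end, 16)))
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash row before any file path: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has length {len(digest)} for {current.path}")
            current.hashes[algo] = digest
            continue
        if PATH_RE.match(line):
            current = DroppedFile(line)
            files.append(current)
        # Anything else (headings, N/A rows) is ignored.
    return files, regions


def sha256_set(files):
    """Distinct SHA256 values: the column to feed a blocklist or a hunt query."""
    return {f.hashes["SHA256"] for f in files if "SHA256" in f.hashes}


def regions_by_pid(regions):
    """Collapse repeated dumps of the same PID into one entry per address range."""
    out = defaultdict(set)
    for r in regions:
        out[r.pid].add((r.start, r.end))
    return dict(out)


def uniform_region_size(regions):
    """Return the common mapped-image size if every region has the same size, else None."""
    sizes = {r.size for r in regions}
    return sizes.pop() if len(sizes) == 1 else None


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    for f in files:
        print(f.path, f.hashes["SHA256"])
    print("pids:", sorted(regions_by_pid(regions)))
    print("uniform region size:", hex(uniform_region_size(regions) or 0))
```

Run over the full listing, every `memory/…` entry on this page spans 0x354000 bytes: each dropped `C:\Windows\System\*.exe` is mapped at a different base but with the same image size, while the per-file MD5/SHA values all differ. That combination (one size, many digests, random eight-letter names) is worth recording alongside the hashes themselves, since a hash-only blocklist will not match the next copy the dropper writes.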