cobaltstrike | 5705022d3bf360d3c0067f4450ed5c0bba4324294cc018498057c4ec8855b27a

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
Size

5.2MB
MD5

b67ee9c9e52b20b357a7b8a046b258c0
SHA1

c239963813ffbfe8ebbc08f3172424207acbfd63
SHA256

5705022d3bf360d3c0067f4450ed5c0bba4324294cc018498057c4ec8855b27a
SHA512

32f3c6d9b0a68bfdd6c4dba41a064f16b3cad3a66bfa1396f55265dc855e65ece2556a1872bbf0f62b29cee7648f69ee939744cb7e47307954a5afcc7152b3dc
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l/:RWWBibf56utgpPFotBER/mQ32lUr

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\JvzDaqZ.exe	cobalt_reflective_dll
\Windows\system\WLeeVVh.exe	cobalt_reflective_dll
C:\Windows\system\hGlJZCd.exe	cobalt_reflective_dll
\Windows\system\OdsEfbh.exe	cobalt_reflective_dll
\Windows\system\gqJhwFO.exe	cobalt_reflective_dll
C:\Windows\system\MWgAjiH.exe	cobalt_reflective_dll
C:\Windows\system\HqFZWck.exe	cobalt_reflective_dll
\Windows\system\COZnaBz.exe	cobalt_reflective_dll
C:\Windows\system\MgkWaRq.exe	cobalt_reflective_dll
C:\Windows\system\MykYJtP.exe	cobalt_reflective_dll
C:\Windows\system\PXZMlEw.exe	cobalt_reflective_dll
\Windows\system\xJQIxZi.exe	cobalt_reflective_dll
\Windows\system\DLFcxzR.exe	cobalt_reflective_dll
C:\Windows\system\FvzClJk.exe	cobalt_reflective_dll
\Windows\system\AEBeVHG.exe	cobalt_reflective_dll
C:\Windows\system\tLNWlqd.exe	cobalt_reflective_dll
C:\Windows\system\bAiZkBZ.exe	cobalt_reflective_dll
C:\Windows\system\fKATHGm.exe	cobalt_reflective_dll
C:\Windows\system\BIlzDYV.exe	cobalt_reflective_dll
\Windows\system\cbnxXjb.exe	cobalt_reflective_dll
C:\Windows\system\TrWfYGA.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1632-9-0x000000013F530000-0x000000013F881000-memory.dmp	xmrig
behavioral1/memory/2488-20-0x000000013FD90000-0x00000001400E1000-memory.dmp	xmrig
behavioral1/memory/2420-50-0x000000013F120000-0x000000013F471000-memory.dmp	xmrig
behavioral1/memory/2992-48-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig
behavioral1/memory/2772-46-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/2776-32-0x000000013F610000-0x000000013F961000-memory.dmp	xmrig
behavioral1/memory/2684-57-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/2468-64-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/1956-70-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2880-73-0x000000013F960000-0x000000013FCB1000-memory.dmp	xmrig
behavioral1/memory/2644-81-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/2488-80-0x000000013FD90000-0x00000001400E1000-memory.dmp	xmrig
behavioral1/memory/1632-78-0x000000013F530000-0x000000013F881000-memory.dmp	xmrig
behavioral1/memory/2524-71-0x000000013F020000-0x000000013F371000-memory.dmp	xmrig
behavioral1/memory/2776-87-0x000000013F610000-0x000000013F961000-memory.dmp	xmrig
behavioral1/memory/2724-101-0x000000013FD20000-0x0000000140071000-memory.dmp	xmrig
behavioral1/memory/1248-113-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/1956-139-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/836-160-0x000000013F650000-0x000000013F9A1000-memory.dmp	xmrig
behavioral1/memory/2892-161-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/1252-159-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/344-157-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/1552-155-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/2352-158-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	xmrig
behavioral1/memory/1596-156-0x000000013FED0000-0x0000000140221000-memory.dmp	xmrig
behavioral1/memory/2852-153-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/1956-162-0x000000013F960000-0x000000013FCB1000-memory.dmp	xmrig
behavioral1/memory/1956-163-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/1632-218-0x000000013F530000-0x000000013F881000-memory.dmp	xmrig
behavioral1/memory/2488-220-0x000000013FD90000-0x00000001400E1000-memory.dmp	xmrig
behavioral1/memory/2524-222-0x000000013F020000-0x000000013F371000-memory.dmp	xmrig
behavioral1/memory/2776-224-0x000000013F610000-0x000000013F961000-memory.dmp	xmrig
behavioral1/memory/2772-227-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/2992-228-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig
behavioral1/memory/2420-230-0x000000013F120000-0x000000013F471000-memory.dmp	xmrig
behavioral1/memory/2684-232-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/2468-234-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/2880-236-0x000000013F960000-0x000000013FCB1000-memory.dmp	xmrig
behavioral1/memory/2644-238-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/2724-247-0x000000013FD20000-0x0000000140071000-memory.dmp	xmrig
behavioral1/memory/2852-249-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/1248-251-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

JvzDaqZ.exeWLeeVVh.exehGlJZCd.exeOdsEfbh.exeHqFZWck.exegqJhwFO.exeMWgAjiH.exeCOZnaBz.exeMgkWaRq.exeMykYJtP.exePXZMlEw.exexJQIxZi.exefKATHGm.exeFvzClJk.exeDLFcxzR.exebAiZkBZ.exetLNWlqd.exeAEBeVHG.exeTrWfYGA.exeBIlzDYV.execbnxXjb.exe

pid	process
1632	JvzDaqZ.exe
2488	WLeeVVh.exe
2524	hGlJZCd.exe
2776	OdsEfbh.exe
2772	HqFZWck.exe
2992	gqJhwFO.exe
2420	MWgAjiH.exe
2684	COZnaBz.exe
2468	MgkWaRq.exe
2880	MykYJtP.exe
2644	PXZMlEw.exe
2724	xJQIxZi.exe
2852	fKATHGm.exe
1248	FvzClJk.exe
1552	DLFcxzR.exe
1596	bAiZkBZ.exe
344	tLNWlqd.exe
2352	AEBeVHG.exe
1252	TrWfYGA.exe
836	BIlzDYV.exe
2892	cbnxXjb.exe

Loads dropped DLL 21 IoCs

Processes:

20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe

pid	process
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1956-0-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
C:\Windows\system\JvzDaqZ.exe	upx
behavioral1/memory/1632-9-0x000000013F530000-0x000000013F881000-memory.dmp	upx
\Windows\system\WLeeVVh.exe	upx
behavioral1/memory/2524-22-0x000000013F020000-0x000000013F371000-memory.dmp	upx
behavioral1/memory/2488-20-0x000000013FD90000-0x00000001400E1000-memory.dmp	upx
C:\Windows\system\hGlJZCd.exe	upx
\Windows\system\OdsEfbh.exe	upx
\Windows\system\gqJhwFO.exe	upx
behavioral1/memory/2420-50-0x000000013F120000-0x000000013F471000-memory.dmp	upx
behavioral1/memory/2992-48-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
behavioral1/memory/2772-46-0x000000013F300000-0x000000013F651000-memory.dmp	upx
C:\Windows\system\MWgAjiH.exe	upx
C:\Windows\system\HqFZWck.exe	upx
behavioral1/memory/2776-32-0x000000013F610000-0x000000013F961000-memory.dmp	upx
\Windows\system\COZnaBz.exe	upx
behavioral1/memory/2684-57-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
C:\Windows\system\MgkWaRq.exe	upx
behavioral1/memory/2468-64-0x000000013F620000-0x000000013F971000-memory.dmp	upx
C:\Windows\system\MykYJtP.exe	upx
behavioral1/memory/1956-70-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/2880-73-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
C:\Windows\system\PXZMlEw.exe	upx
behavioral1/memory/2644-81-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/2488-80-0x000000013FD90000-0x00000001400E1000-memory.dmp	upx
behavioral1/memory/1632-78-0x000000013F530000-0x000000013F881000-memory.dmp	upx
behavioral1/memory/2524-71-0x000000013F020000-0x000000013F371000-memory.dmp	upx
\Windows\system\xJQIxZi.exe	upx
behavioral1/memory/2776-87-0x000000013F610000-0x000000013F961000-memory.dmp	upx
\Windows\system\DLFcxzR.exe	upx
behavioral1/memory/2724-101-0x000000013FD20000-0x0000000140071000-memory.dmp	upx
C:\Windows\system\FvzClJk.exe	upx
behavioral1/memory/1248-113-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
\Windows\system\AEBeVHG.exe	upx
C:\Windows\system\tLNWlqd.exe	upx
C:\Windows\system\bAiZkBZ.exe	upx
behavioral1/memory/2852-93-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
C:\Windows\system\fKATHGm.exe	upx
C:\Windows\system\BIlzDYV.exe	upx
\Windows\system\cbnxXjb.exe	upx
C:\Windows\system\TrWfYGA.exe	upx
behavioral1/memory/1956-139-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/836-160-0x000000013F650000-0x000000013F9A1000-memory.dmp	upx
behavioral1/memory/2892-161-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/1252-159-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/344-157-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/memory/1552-155-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/memory/2352-158-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	upx
behavioral1/memory/1596-156-0x000000013FED0000-0x0000000140221000-memory.dmp	upx
behavioral1/memory/2852-153-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/1956-163-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/1632-218-0x000000013F530000-0x000000013F881000-memory.dmp	upx
behavioral1/memory/2488-220-0x000000013FD90000-0x00000001400E1000-memory.dmp	upx
behavioral1/memory/2524-222-0x000000013F020000-0x000000013F371000-memory.dmp	upx
behavioral1/memory/2776-224-0x000000013F610000-0x000000013F961000-memory.dmp	upx
behavioral1/memory/2772-227-0x000000013F300000-0x000000013F651000-memory.dmp	upx
behavioral1/memory/2992-228-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
behavioral1/memory/2420-230-0x000000013F120000-0x000000013F471000-memory.dmp	upx
behavioral1/memory/2684-232-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/memory/2468-234-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/2880-236-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
behavioral1/memory/2644-238-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/2724-247-0x000000013FD20000-0x0000000140071000-memory.dmp	upx
behavioral1/memory/2852-249-0x000000013FE20000-0x0000000140171000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\AEBeVHG.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\BIlzDYV.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\hGlJZCd.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\HqFZWck.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\MWgAjiH.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\MykYJtP.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\xJQIxZi.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\JvzDaqZ.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\gqJhwFO.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\COZnaBz.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\bAiZkBZ.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\cbnxXjb.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\tLNWlqd.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\WLeeVVh.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\OdsEfbh.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\MgkWaRq.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\fKATHGm.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\DLFcxzR.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\PXZMlEw.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\FvzClJk.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\TrWfYGA.exe	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process
Token: SeLockMemoryPrivilege	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process	target process
PID 1956 wrote to memory of 1632	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	JvzDaqZ.exe
PID 1956 wrote to memory of 1632	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	JvzDaqZ.exe
PID 1956 wrote to memory of 1632	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	JvzDaqZ.exe
PID 1956 wrote to memory of 2488	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	WLeeVVh.exe
PID 1956 wrote to memory of 2488	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	WLeeVVh.exe
PID 1956 wrote to memory of 2488	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	WLeeVVh.exe
PID 1956 wrote to memory of 2524	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	hGlJZCd.exe
PID 1956 wrote to memory of 2524	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	hGlJZCd.exe
PID 1956 wrote to memory of 2524	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	hGlJZCd.exe
PID 1956 wrote to memory of 2776	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	OdsEfbh.exe
PID 1956 wrote to memory of 2776	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	OdsEfbh.exe
PID 1956 wrote to memory of 2776	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	OdsEfbh.exe
PID 1956 wrote to memory of 2772	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	HqFZWck.exe
PID 1956 wrote to memory of 2772	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	HqFZWck.exe
PID 1956 wrote to memory of 2772	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	HqFZWck.exe
PID 1956 wrote to memory of 2992	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	gqJhwFO.exe
PID 1956 wrote to memory of 2992	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	gqJhwFO.exe
PID 1956 wrote to memory of 2992	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	gqJhwFO.exe
PID 1956 wrote to memory of 2420	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	MWgAjiH.exe
PID 1956 wrote to memory of 2420	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	MWgAjiH.exe
PID 1956 wrote to memory of 2420	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	MWgAjiH.exe
PID 1956 wrote to memory of 2684	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	COZnaBz.exe
PID 1956 wrote to memory of 2684	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	COZnaBz.exe
PID 1956 wrote to memory of 2684	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	COZnaBz.exe
PID 1956 wrote to memory of 2468	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	MgkWaRq.exe
PID 1956 wrote to memory of 2468	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	MgkWaRq.exe
PID 1956 wrote to memory of 2468	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	MgkWaRq.exe
PID 1956 wrote to memory of 2880	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	MykYJtP.exe
PID 1956 wrote to memory of 2880	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	MykYJtP.exe
PID 1956 wrote to memory of 2880	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	MykYJtP.exe
PID 1956 wrote to memory of 2644	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	PXZMlEw.exe
PID 1956 wrote to memory of 2644	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	PXZMlEw.exe
PID 1956 wrote to memory of 2644	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	PXZMlEw.exe
PID 1956 wrote to memory of 2724	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	xJQIxZi.exe
PID 1956 wrote to memory of 2724	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	xJQIxZi.exe
PID 1956 wrote to memory of 2724	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	xJQIxZi.exe
PID 1956 wrote to memory of 2852	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	fKATHGm.exe
PID 1956 wrote to memory of 2852	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	fKATHGm.exe
PID 1956 wrote to memory of 2852	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	fKATHGm.exe
PID 1956 wrote to memory of 1248	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	FvzClJk.exe
PID 1956 wrote to memory of 1248	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	FvzClJk.exe
PID 1956 wrote to memory of 1248	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	FvzClJk.exe
PID 1956 wrote to memory of 1552	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	DLFcxzR.exe
PID 1956 wrote to memory of 1552	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	DLFcxzR.exe
PID 1956 wrote to memory of 1552	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	DLFcxzR.exe
PID 1956 wrote to memory of 1596	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	bAiZkBZ.exe
PID 1956 wrote to memory of 1596	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	bAiZkBZ.exe
PID 1956 wrote to memory of 1596	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	bAiZkBZ.exe
PID 1956 wrote to memory of 344	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	tLNWlqd.exe
PID 1956 wrote to memory of 344	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	tLNWlqd.exe
PID 1956 wrote to memory of 344	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	tLNWlqd.exe
PID 1956 wrote to memory of 2352	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	AEBeVHG.exe
PID 1956 wrote to memory of 2352	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	AEBeVHG.exe
PID 1956 wrote to memory of 2352	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	AEBeVHG.exe
PID 1956 wrote to memory of 1252	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	TrWfYGA.exe
PID 1956 wrote to memory of 1252	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	TrWfYGA.exe
PID 1956 wrote to memory of 1252	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	TrWfYGA.exe
PID 1956 wrote to memory of 836	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	BIlzDYV.exe
PID 1956 wrote to memory of 836	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	BIlzDYV.exe
PID 1956 wrote to memory of 836	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	BIlzDYV.exe
PID 1956 wrote to memory of 2892	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	cbnxXjb.exe
PID 1956 wrote to memory of 2892	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	cbnxXjb.exe
PID 1956 wrote to memory of 2892	1956	20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe	cbnxXjb.exe

C:\Users\Admin\AppData\Local\Temp\20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\20240520b67ee9c9e52b20b357a7b8a046b258c0cobaltstrikecobaltstrike_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\System\JvzDaqZ.exe
C:\Windows\System\JvzDaqZ.exe
2⤵
- Executes dropped EXE
PID:1632

C:\Windows\System\WLeeVVh.exe
C:\Windows\System\WLeeVVh.exe
2⤵
- Executes dropped EXE
PID:2488

C:\Windows\System\hGlJZCd.exe
C:\Windows\System\hGlJZCd.exe
2⤵
- Executes dropped EXE
PID:2524

C:\Windows\System\OdsEfbh.exe
C:\Windows\System\OdsEfbh.exe
2⤵
- Executes dropped EXE
PID:2776

C:\Windows\System\HqFZWck.exe
C:\Windows\System\HqFZWck.exe
2⤵
- Executes dropped EXE
PID:2772

C:\Windows\System\gqJhwFO.exe
C:\Windows\System\gqJhwFO.exe
2⤵
- Executes dropped EXE
PID:2992

C:\Windows\System\MWgAjiH.exe
C:\Windows\System\MWgAjiH.exe
2⤵
- Executes dropped EXE
PID:2420

C:\Windows\System\COZnaBz.exe
C:\Windows\System\COZnaBz.exe
2⤵
- Executes dropped EXE
PID:2684

C:\Windows\System\MgkWaRq.exe
C:\Windows\System\MgkWaRq.exe
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\System\MykYJtP.exe
C:\Windows\System\MykYJtP.exe
2⤵
- Executes dropped EXE
PID:2880

C:\Windows\System\PXZMlEw.exe
C:\Windows\System\PXZMlEw.exe
2⤵
- Executes dropped EXE
PID:2644

C:\Windows\System\xJQIxZi.exe
C:\Windows\System\xJQIxZi.exe
2⤵
- Executes dropped EXE
PID:2724

C:\Windows\System\fKATHGm.exe
C:\Windows\System\fKATHGm.exe
2⤵
- Executes dropped EXE
PID:2852

C:\Windows\System\FvzClJk.exe
C:\Windows\System\FvzClJk.exe
2⤵
- Executes dropped EXE
PID:1248

C:\Windows\System\DLFcxzR.exe
C:\Windows\System\DLFcxzR.exe
2⤵
- Executes dropped EXE
PID:1552

C:\Windows\System\bAiZkBZ.exe
C:\Windows\System\bAiZkBZ.exe
2⤵
- Executes dropped EXE
PID:1596

C:\Windows\System\tLNWlqd.exe
C:\Windows\System\tLNWlqd.exe
2⤵
- Executes dropped EXE
PID:344

C:\Windows\System\AEBeVHG.exe
C:\Windows\System\AEBeVHG.exe
2⤵
- Executes dropped EXE
PID:2352

C:\Windows\System\TrWfYGA.exe
C:\Windows\System\TrWfYGA.exe
2⤵
- Executes dropped EXE
PID:1252

C:\Windows\System\BIlzDYV.exe
C:\Windows\System\BIlzDYV.exe
2⤵
- Executes dropped EXE
PID:836

C:\Windows\System\cbnxXjb.exe
C:\Windows\System\cbnxXjb.exe
2⤵
- Executes dropped EXE
PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BIlzDYV.exe
Filesize
5.2MB

MD5
c9e88a6b6fd29b36fcda695857a6f15c

SHA1
e5435875cca4a65d03fc541956a5e603df509e3f

SHA256
f0803c59e65f8eaa3f45eae8bbc435642cd8c775b5337ea716261cc5ba9ba9d9

SHA512
05cb13d40e7b823b141412cf71827f5a348ee92feb08a0c321d0e690308353762458d7050d67d0f4378fefefc08c18057dd43823bec35d672c9cc0ed5255c84a

Download Submit
C:\Windows\system\FvzClJk.exe
Filesize
5.2MB

MD5
ca55d65ee9dd4a43af62efaca207389e

SHA1
42aa00509da53edf478f4b3302b132e6f233290d

SHA256
a47049fa7124e3db339da6b1a727ebb44e1bb5d7b4fee2b91831031fa3bcb3ef

SHA512
e43e2d032d2c98b6b5bc4c4a827ab63bb5b635344d7c72e586c7774f0f39ca04b12d27f79589e4e085932eea44153194a58ebeda5a1c62b99a94b9fefd887d2e

Download Submit
C:\Windows\system\HqFZWck.exe
Filesize
5.2MB

MD5
293560e65b1c8f60a3929b98714c420c

SHA1
557b447a712263c0b0f28a5720c48fd6fe7b7a19

SHA256
30863e8b5cd72bef96006dbce8a273ecf78405867236660ad9ae9a1eb1802b72

SHA512
b707aca657d7c14d149a3e0a44e61f18754c55dab7be26e38bd4655ec317d05315cca43369844f73e3958dfaa6a67d57034faab425edc34893fe9446ce144b02

Download Submit
C:\Windows\system\JvzDaqZ.exe
Filesize
5.2MB

MD5
de4306ea8f03121bc742dcd16056a1eb

SHA1
d5ad9228243761c4075e8d9669fe5d59ecbfd9bc

SHA256
18570372b31b41b35591d80277e869699eed757046def57a6d58ff0890340d78

SHA512
06536844d4906b9bdcceca831273d811f2e496364719c3b8065b16a12f60aa0308c71c045b2cb427527e2f2a58da30bd7e9ca8deb721a1ba172d3c46c4217802

Download Submit
C:\Windows\system\MWgAjiH.exe
Filesize
5.2MB

MD5
27b08d6d81da2536b4c588c5889c25ec

SHA1
1ee3d820b1dee30e98fffb6e53fe27cc10f9bde4

SHA256
fe7c906217df83ce8f93ded4078f978a9a4d0b30b84ff14d43529900f4486128

SHA512
80b649b7dea84353b4a0c36a6ee4cab1ea37feaf53533cf6dacaf882aa38b589df412a5fbaa0645233922353f1c3e8e4a1aaf34754f36bcfe76324c12748d98e

Download Submit
C:\Windows\system\MgkWaRq.exe
Filesize
5.2MB

MD5
d4cf4e7423aaaf3b3b538c07c04f8c49

SHA1
8e8c8d99c4ec069f7343d29564bacc9751b12f47

SHA256
aeddb2666fbdcdebac1169b220c2ff8da8a426c6c3afd5c11db1dbcc19ceb5a5

SHA512
463bc8785c0c63d2ea1033f5c92cae663b304e943ecaca35dac85c837ac831d06d2db8174be1978eb13ad9b45203fcb3e19d1c81c3bd38caa52ee3ca3df33b97

Download Submit
C:\Windows\system\MykYJtP.exe
Filesize
5.2MB

MD5
63e7be24667af140e795d6faddc1da62

SHA1
1c3155965a2bc59b62fe836ff209b36ea4061690

SHA256
9086d57787602a4a7aa3d401416ec13c2fe9f131a356131ab10c847a8de4b6f1

SHA512
a38685d0439e79fb498f06c1a2d2935c1cc690a9a9bb02dd7201b3a32478c71bb2ce65bf786087f7e0624100033862777751d3c6f75e1cf1f4f977159d021fa7

Download Submit
C:\Windows\system\PXZMlEw.exe
Filesize
5.2MB

MD5
8a7c5470bca941c3e24c80f5f36d0b12

SHA1
58ac38ab465211b81971a14005e1830bfe190618

SHA256
95880606b76db0b1cb2e1b9aafd3a9430c3133c818f6203864a96831f35c0357

SHA512
b2518776ce17297c19feeb2419d4eb90ae68fc1899504a040f06032ce3d2fc3dcb8616b756ce4e8e9f48eca3d2301f1932e760f99f79f3dd299eaad33e5abb66

Download Submit
C:\Windows\system\TrWfYGA.exe
Filesize
5.2MB

MD5
0cf5d6e2d72ae7eca0c1adbe3f8ba49e

SHA1
7ec804373da3036c226762e5900ee9157f0bf3f4

SHA256
09664de468d8b1d54d17426d6b7a7f51574c293aeac0c5540602b70916af56af

SHA512
1de5e5c30ffdf4f0e56fcbf6927b9a6395ffa4a7f9300a52bb278855e30b4e37cbcb87418ff3a7c8b4ceb7420c32bd6cf1d8e506d448cddbafc237e99eea6195

Download Submit
C:\Windows\system\bAiZkBZ.exe
Filesize
5.2MB

MD5
137efecdf494b74f97ca1ab6266115b6

SHA1
b2a102f5c8b74f05223094dbbe9cd753c53996de

SHA256
e05f2a99c4efb87c027cc971cdec24acf02058ad4cc30465235e95a49289956b

SHA512
bf3f15647fc76cf94856a9434ca45754bf023f07820d69336c4108cf3c1787b43972fcfe50443bd52da9f735aa1be19087d2fcbe3f6251384da83b72c7082e89

Download Submit
C:\Windows\system\fKATHGm.exe
Filesize
5.2MB

MD5
8f886e2f29ee21555f1b725bcab3b038

SHA1
a593a245df2a4684d97a2ca049325dc95c58e2ab

SHA256
89f26de67871e85b482e76bbc366893fb8f11040dd9236aea387f3f44b61ca04

SHA512
12c17400e1af325e080c84566f88a400b05047499fa7b48b8f530659589161dcab80d8890efe56765c77ff88d9023b2d9bb824085c07a8efa11e192ccb50cffe

Download Submit
C:\Windows\system\hGlJZCd.exe
Filesize
5.2MB

MD5
be128030af761bc3c6cdc6c7489028e3

SHA1
24e753f0cfb05e54071b901fd4df320c67fc050c

SHA256
ffed9d8219aa77884636e80086a3ca19bebaf1b6c275e1544256f91b79f4dc3c

SHA512
a6e648f1fe4cf7a7b4fccdfa2a5d5da9198df3b6cf968c0b08fa6881a154de36626dd27beb8714f515fb5fc6c2e6bcb85dc8e8e3d6c93aa54c16d0eb954b9647

Download Submit
C:\Windows\system\tLNWlqd.exe
Filesize
5.2MB

MD5
e5f8add314f50016622d30ddeb2fc034

SHA1
1cd50428cf0572f62970691d1b9e97b56426f1dc

SHA256
0879d8387e2ffc8aa11806dfcf3039e1326eb3c680abbd0a6124dd55ba600c35

SHA512
088c7dbbd72a306cc6419619e8ab8109064c35ed7edc99588e7db7e3f7d97cf74931c74b227e63ecd00f621757e149a2f0887ec11e0f968da4ba6f6b1868a2e7

Download Submit
\Windows\system\AEBeVHG.exe
Filesize
5.2MB

MD5
eaa9634f3dd2e1023ff80047e634f9f0

SHA1
7257c8d1f9c516269b81cdd2ec93e8348cc11c8b

SHA256
e882728eb246191e7c072ef7f0a13c3cdcc45664431f348cb6dd7a6058e45ee2

SHA512
54479b6217585f54cb9b479c1594333a5a3680a8493c29837023f69af37dc311924add2a3daa06e18de7a28374aa7e0055fc53cc4506a2de9d07741ba65181d6

Download Submit
\Windows\system\COZnaBz.exe
Filesize
5.2MB

MD5
d2ae35d47f69b07c0ab15424315cce7d

SHA1
ec1c9ab69b355872683e07384bd3fd0e99c33dcd

SHA256
ebfee39e47a94571815e071a8d56987272d31985d9e4e8005fc953f367ca8156

SHA512
acbf0db859becc0dd77bc751a26b9914db6eb38637a91f83bedacbb7fe0c5ee529036caa532df5b246a0a3acd2076283e5016383da7f6b9c0e454136312a69bd

Download Submit
\Windows\system\DLFcxzR.exe
Filesize
5.2MB

MD5
e06d1b15d341cadabe4dce69d61c8daa

SHA1
d57b4a4cc36b8a716bddde7c830becdee69f9940

SHA256
f4974fc8975aa41a208a3cfb42c130d3df321971fbd809a216ec0364ef17680b

SHA512
6cefea6e1c29d2a5c0e67491ca65b3d4aa726db8b8a86d5f6b0a3b894a1c3868551c634badf47404ed78e4482024f332a88443370e3bd66235205d7878401ec8

Download Submit
\Windows\system\OdsEfbh.exe
Filesize
5.2MB

MD5
97433227c10bec7ec614771b335fb045

SHA1
b4ad249eb7a9af1fcea6523c55d25adb5c561cee

SHA256
c9d22c3293b99f225aa7220c7985868aefa85ad5c33561e7eaab4258bdde893b

SHA512
5437074b720672f3e3105827c3854a799cec131988802960427e24acef25fd5ab1321259315340828afbcd506e4b7d8d05aab0d2e37f3c5ee7630713a34929f3

Download Submit
\Windows\system\WLeeVVh.exe
Filesize
5.2MB

MD5
3390e2a819d38bb611c263c61519d481

SHA1
fcebfc6e8494411919730e92feed283e7eed1d39

SHA256
61e58ffafe8b8c7d8b883159b869b21f2cd9754b2278eb5e3daa1e3d8a9a8a4b

SHA512
e2a1adaf91490ecafe33eac7ef2baba341c9bb3814a06aa809b4ad7f8fcc52c90a86c2b3595ee44493466b0470c6bf24475c9261342a3dae11d105399d5d52d1

Download Submit
\Windows\system\cbnxXjb.exe
Filesize
5.2MB

MD5
fc86566ba16a5d1006597e5845604e39

SHA1
a905597b8bd6490d79e6e4379568f58a4e45429e

SHA256
1cd66031bb11b22507d25f3ae5a0c68feb80d6b376c7a606cac2a89456dd66ff

SHA512
855aaeec0b7f272ec28b6d906406742005a35bab26090c73568911ad6c3300df318513c87489b5f3e127360aa1c1a80d6a5ecf3aea53fa9b4afe8a9ff1aae0dd

Download Submit
\Windows\system\gqJhwFO.exe
Filesize
5.2MB

MD5
eb18d37c6ea89241d0cb23de0a5e5b4e

SHA1
8a60f6a668d6a2a83ed484448ff8d644bd440378

SHA256
77894b65463e7a4154b922dd1d5592a4593cf31e77a8f3acaa9fcfa6baf403d5

SHA512
90cd65d37ad2497f01c25d16e6958ff389a7fd0e2019b26545064ae513e5c5842612f44416b8bb38ac9b3012bd119886349c2aee1ea1488ce448a2a5c31d2146

Download Submit
\Windows\system\xJQIxZi.exe
Filesize
5.2MB

MD5
483879ad20768f164c43d496103143b9

SHA1
b06701a800e5e45703744039cc15e66df6833347

SHA256
d03b48eb5d20d344aa6eda2dd1a5933e3f8c47ff4c03c6b44649650373c3a81b

SHA512
94d6eacd201318d00a28d07bc0ef6b414b3a7b978bbc5ae1be6b6be5a0ae68ce348b2a153d76e990ffbefd95e5522732ea7ff1f2c48caca1802940906b49f67d

Download Submit
memory/344-157-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/836-160-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/1248-113-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/1248-251-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/1252-159-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/1552-155-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/1596-156-0x000000013FED0000-0x0000000140221000-memory.dmp

Filesize
3.3MB

Download
memory/1632-78-0x000000013F530000-0x000000013F881000-memory.dmp

Filesize
3.3MB

Download
memory/1632-218-0x000000013F530000-0x000000013F881000-memory.dmp

Filesize
3.3MB

Download
memory/1632-9-0x000000013F530000-0x000000013F881000-memory.dmp

Filesize
3.3MB

Download
memory/1956-185-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/1956-186-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/1956-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1956-7-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/1956-151-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/1956-139-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/1956-56-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/1956-63-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/1956-44-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/1956-163-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/1956-162-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/1956-70-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/1956-114-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/1956-49-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/1956-0-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/1956-112-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/1956-110-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/1956-37-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/1956-72-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/1956-92-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/1956-23-0x000000013F020000-0x000000013F371000-memory.dmp

Filesize
3.3MB

Download
memory/1956-14-0x000000013FD90000-0x00000001400E1000-memory.dmp

Filesize
3.3MB

Download
memory/2352-158-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-230-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/2420-50-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/2468-234-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2468-64-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2488-220-0x000000013FD90000-0x00000001400E1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-80-0x000000013FD90000-0x00000001400E1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-20-0x000000013FD90000-0x00000001400E1000-memory.dmp

Filesize
3.3MB

Download
memory/2524-222-0x000000013F020000-0x000000013F371000-memory.dmp

Filesize
3.3MB

Download
memory/2524-22-0x000000013F020000-0x000000013F371000-memory.dmp

Filesize
3.3MB

Download
memory/2524-71-0x000000013F020000-0x000000013F371000-memory.dmp

Filesize
3.3MB

Download
memory/2644-81-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2644-238-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2684-232-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2684-57-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2724-101-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/2724-247-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/2772-227-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/2772-46-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/2776-87-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2776-224-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2776-32-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2852-93-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2852-249-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2852-153-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2880-73-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2880-236-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-161-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-228-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2992-48-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download