cobaltstrike | bcd5d71d1793a073dfe7d870bf5cba657ea82d5076346f5e1afa64f54512b5af

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
Size

5.2MB
MD5

26c7c01d881e5043932b5f8eda89971b
SHA1

0ef328fbb328730c56b31f39f5bfd2272029aeb9
SHA256

bcd5d71d1793a073dfe7d870bf5cba657ea82d5076346f5e1afa64f54512b5af
SHA512

60852d342f1acf9ccd53af1574376ffd3330e56051b16924cf5fa225264454a47abfeb728036d22e11540e666fcd4194b7a5e100522bfd316d69fd4549ca3856
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lW:RWWBibf56utgpPFotBER/mQ32lUK

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\zgKZntI.exe	cobalt_reflective_dll
C:\Windows\system\BKUCSjg.exe	cobalt_reflective_dll
C:\Windows\system\WLHrmOD.exe	cobalt_reflective_dll
C:\Windows\system\HDljYsX.exe	cobalt_reflective_dll
\Windows\system\JrZUAFB.exe	cobalt_reflective_dll
\Windows\system\gTmsmZR.exe	cobalt_reflective_dll
C:\Windows\system\OMuYHeX.exe	cobalt_reflective_dll
C:\Windows\system\WawKkYT.exe	cobalt_reflective_dll
\Windows\system\oCTBCqS.exe	cobalt_reflective_dll
C:\Windows\system\XrVuzne.exe	cobalt_reflective_dll
\Windows\system\lnJsvvo.exe	cobalt_reflective_dll
C:\Windows\system\eaUeClr.exe	cobalt_reflective_dll
C:\Windows\system\aTcUzXs.exe	cobalt_reflective_dll
C:\Windows\system\yvIfVcQ.exe	cobalt_reflective_dll
C:\Windows\system\EVFkZRZ.exe	cobalt_reflective_dll
C:\Windows\system\yOzyjKe.exe	cobalt_reflective_dll
C:\Windows\system\ItZIyEV.exe	cobalt_reflective_dll
C:\Windows\system\FbvWwFm.exe	cobalt_reflective_dll
\Windows\system\XzpNIEI.exe	cobalt_reflective_dll
C:\Windows\system\KvSTzrP.exe	cobalt_reflective_dll
C:\Windows\system\ohiIfPo.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1724-11-0x000000013F820000-0x000000013FB71000-memory.dmp	xmrig
behavioral1/memory/2520-27-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/1724-54-0x000000013F820000-0x000000013FB71000-memory.dmp	xmrig
behavioral1/memory/1756-66-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig
behavioral1/memory/2916-75-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/2640-79-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2472-81-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/1932-53-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2524-84-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/2596-91-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/1932-106-0x000000013F5D0000-0x000000013F921000-memory.dmp	xmrig
behavioral1/memory/2536-103-0x000000013FFD0000-0x0000000140321000-memory.dmp	xmrig
behavioral1/memory/1932-111-0x00000000023D0000-0x0000000002721000-memory.dmp	xmrig
behavioral1/memory/2364-112-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/2896-154-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	xmrig
behavioral1/memory/2440-153-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/1500-156-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig
behavioral1/memory/1932-157-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/1820-163-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2344-162-0x000000013F5D0000-0x000000013F921000-memory.dmp	xmrig
behavioral1/memory/2176-174-0x000000013F4D0000-0x000000013F821000-memory.dmp	xmrig
behavioral1/memory/1104-173-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/2000-176-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/1036-175-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	xmrig
behavioral1/memory/2744-177-0x000000013F6C0000-0x000000013FA11000-memory.dmp	xmrig
behavioral1/memory/1976-172-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/1932-179-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/1932-200-0x000000013F5D0000-0x000000013F921000-memory.dmp	xmrig
behavioral1/memory/1724-210-0x000000013F820000-0x000000013FB71000-memory.dmp	xmrig
behavioral1/memory/1756-212-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig
behavioral1/memory/2520-214-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/2916-216-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/2640-219-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2472-220-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/2524-222-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/2596-224-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/2536-226-0x000000013FFD0000-0x0000000140321000-memory.dmp	xmrig
behavioral1/memory/2364-228-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/2440-238-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/2896-241-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	xmrig
behavioral1/memory/1500-245-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig
behavioral1/memory/2344-248-0x000000013F5D0000-0x000000013F921000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

zgKZntI.exeBKUCSjg.exeWLHrmOD.exeHDljYsX.exeJrZUAFB.exeeaUeClr.exegTmsmZR.exeOMuYHeX.exeXrVuzne.exeWawKkYT.exeoCTBCqS.exelnJsvvo.exeaTcUzXs.exeyvIfVcQ.exeEVFkZRZ.exeyOzyjKe.exeFbvWwFm.exeItZIyEV.exeXzpNIEI.exeKvSTzrP.exeohiIfPo.exe

pid	process
1724	zgKZntI.exe
1756	BKUCSjg.exe
2916	WLHrmOD.exe
2520	HDljYsX.exe
2640	JrZUAFB.exe
2472	eaUeClr.exe
2524	gTmsmZR.exe
2596	OMuYHeX.exe
2536	XrVuzne.exe
2364	WawKkYT.exe
2440	oCTBCqS.exe
2896	lnJsvvo.exe
1500	aTcUzXs.exe
2344	yvIfVcQ.exe
1820	EVFkZRZ.exe
1976	yOzyjKe.exe
1104	FbvWwFm.exe
2176	ItZIyEV.exe
1036	XzpNIEI.exe
2000	KvSTzrP.exe
2744	ohiIfPo.exe

Loads dropped DLL 21 IoCs

Processes:

2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe

pid	process
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1932-0-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
\Windows\system\zgKZntI.exe	upx
C:\Windows\system\BKUCSjg.exe	upx
behavioral1/memory/1724-11-0x000000013F820000-0x000000013FB71000-memory.dmp	upx
behavioral1/memory/1756-14-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
C:\Windows\system\WLHrmOD.exe	upx
behavioral1/memory/2916-21-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
C:\Windows\system\HDljYsX.exe	upx
behavioral1/memory/2520-27-0x000000013F400000-0x000000013F751000-memory.dmp	upx
\Windows\system\JrZUAFB.exe	upx
\Windows\system\gTmsmZR.exe	upx
behavioral1/memory/2524-49-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
C:\Windows\system\OMuYHeX.exe	upx
behavioral1/memory/2596-55-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/1724-54-0x000000013F820000-0x000000013FB71000-memory.dmp	upx
C:\Windows\system\WawKkYT.exe	upx
behavioral1/memory/1756-66-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
behavioral1/memory/2364-68-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2916-75-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/2640-79-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2472-81-0x000000013F310000-0x000000013F661000-memory.dmp	upx
\Windows\system\oCTBCqS.exe	upx
behavioral1/memory/2440-82-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/memory/2536-61-0x000000013FFD0000-0x0000000140321000-memory.dmp	upx
C:\Windows\system\XrVuzne.exe	upx
behavioral1/memory/1932-77-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	upx
\Windows\system\lnJsvvo.exe	upx
behavioral1/memory/1932-53-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/2472-41-0x000000013F310000-0x000000013F661000-memory.dmp	upx
behavioral1/memory/2640-38-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
C:\Windows\system\eaUeClr.exe	upx
behavioral1/memory/2896-87-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	upx
behavioral1/memory/2524-84-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/1500-95-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
C:\Windows\system\aTcUzXs.exe	upx
behavioral1/memory/2596-91-0x000000013F430000-0x000000013F781000-memory.dmp	upx
C:\Windows\system\yvIfVcQ.exe	upx
behavioral1/memory/2344-107-0x000000013F5D0000-0x000000013F921000-memory.dmp	upx
behavioral1/memory/2536-103-0x000000013FFD0000-0x0000000140321000-memory.dmp	upx
C:\Windows\system\EVFkZRZ.exe	upx
behavioral1/memory/2364-112-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
C:\Windows\system\yOzyjKe.exe	upx
C:\Windows\system\ItZIyEV.exe	upx
C:\Windows\system\FbvWwFm.exe	upx
\Windows\system\XzpNIEI.exe	upx
C:\Windows\system\KvSTzrP.exe	upx
C:\Windows\system\ohiIfPo.exe	upx
behavioral1/memory/2896-154-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	upx
behavioral1/memory/2440-153-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/memory/1500-156-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
behavioral1/memory/1932-157-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/1820-163-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2344-162-0x000000013F5D0000-0x000000013F921000-memory.dmp	upx
behavioral1/memory/2176-174-0x000000013F4D0000-0x000000013F821000-memory.dmp	upx
behavioral1/memory/1104-173-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/memory/2000-176-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
behavioral1/memory/1036-175-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	upx
behavioral1/memory/2744-177-0x000000013F6C0000-0x000000013FA11000-memory.dmp	upx
behavioral1/memory/1976-172-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/1932-179-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/1724-210-0x000000013F820000-0x000000013FB71000-memory.dmp	upx
behavioral1/memory/1756-212-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
behavioral1/memory/2520-214-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/2916-216-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\JrZUAFB.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\aTcUzXs.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\KvSTzrP.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\ohiIfPo.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\BKUCSjg.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\FbvWwFm.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\ItZIyEV.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\XzpNIEI.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\eaUeClr.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\gTmsmZR.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\WawKkYT.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\EVFkZRZ.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\OMuYHeX.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\WLHrmOD.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\HDljYsX.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\XrVuzne.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\oCTBCqS.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\lnJsvvo.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\yvIfVcQ.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\yOzyjKe.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\zgKZntI.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process
Token: SeLockMemoryPrivilege	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process	target process
PID 1932 wrote to memory of 1724	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	zgKZntI.exe
PID 1932 wrote to memory of 1724	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	zgKZntI.exe
PID 1932 wrote to memory of 1724	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	zgKZntI.exe
PID 1932 wrote to memory of 1756	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	BKUCSjg.exe
PID 1932 wrote to memory of 1756	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	BKUCSjg.exe
PID 1932 wrote to memory of 1756	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	BKUCSjg.exe
PID 1932 wrote to memory of 2916	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	WLHrmOD.exe
PID 1932 wrote to memory of 2916	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	WLHrmOD.exe
PID 1932 wrote to memory of 2916	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	WLHrmOD.exe
PID 1932 wrote to memory of 2520	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	HDljYsX.exe
PID 1932 wrote to memory of 2520	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	HDljYsX.exe
PID 1932 wrote to memory of 2520	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	HDljYsX.exe
PID 1932 wrote to memory of 2640	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	JrZUAFB.exe
PID 1932 wrote to memory of 2640	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	JrZUAFB.exe
PID 1932 wrote to memory of 2640	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	JrZUAFB.exe
PID 1932 wrote to memory of 2472	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	eaUeClr.exe
PID 1932 wrote to memory of 2472	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	eaUeClr.exe
PID 1932 wrote to memory of 2472	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	eaUeClr.exe
PID 1932 wrote to memory of 2596	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	OMuYHeX.exe
PID 1932 wrote to memory of 2596	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	OMuYHeX.exe
PID 1932 wrote to memory of 2596	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	OMuYHeX.exe
PID 1932 wrote to memory of 2524	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	gTmsmZR.exe
PID 1932 wrote to memory of 2524	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	gTmsmZR.exe
PID 1932 wrote to memory of 2524	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	gTmsmZR.exe
PID 1932 wrote to memory of 2536	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	XrVuzne.exe
PID 1932 wrote to memory of 2536	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	XrVuzne.exe
PID 1932 wrote to memory of 2536	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	XrVuzne.exe
PID 1932 wrote to memory of 2364	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	WawKkYT.exe
PID 1932 wrote to memory of 2364	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	WawKkYT.exe
PID 1932 wrote to memory of 2364	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	WawKkYT.exe
PID 1932 wrote to memory of 2440	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	oCTBCqS.exe
PID 1932 wrote to memory of 2440	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	oCTBCqS.exe
PID 1932 wrote to memory of 2440	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	oCTBCqS.exe
PID 1932 wrote to memory of 2896	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	lnJsvvo.exe
PID 1932 wrote to memory of 2896	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	lnJsvvo.exe
PID 1932 wrote to memory of 2896	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	lnJsvvo.exe
PID 1932 wrote to memory of 1500	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	aTcUzXs.exe
PID 1932 wrote to memory of 1500	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	aTcUzXs.exe
PID 1932 wrote to memory of 1500	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	aTcUzXs.exe
PID 1932 wrote to memory of 2344	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	yvIfVcQ.exe
PID 1932 wrote to memory of 2344	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	yvIfVcQ.exe
PID 1932 wrote to memory of 2344	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	yvIfVcQ.exe
PID 1932 wrote to memory of 1820	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	EVFkZRZ.exe
PID 1932 wrote to memory of 1820	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	EVFkZRZ.exe
PID 1932 wrote to memory of 1820	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	EVFkZRZ.exe
PID 1932 wrote to memory of 1976	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	yOzyjKe.exe
PID 1932 wrote to memory of 1976	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	yOzyjKe.exe
PID 1932 wrote to memory of 1976	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	yOzyjKe.exe
PID 1932 wrote to memory of 1104	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	FbvWwFm.exe
PID 1932 wrote to memory of 1104	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	FbvWwFm.exe
PID 1932 wrote to memory of 1104	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	FbvWwFm.exe
PID 1932 wrote to memory of 2176	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	ItZIyEV.exe
PID 1932 wrote to memory of 2176	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	ItZIyEV.exe
PID 1932 wrote to memory of 2176	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	ItZIyEV.exe
PID 1932 wrote to memory of 1036	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	XzpNIEI.exe
PID 1932 wrote to memory of 1036	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	XzpNIEI.exe
PID 1932 wrote to memory of 1036	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	XzpNIEI.exe
PID 1932 wrote to memory of 2000	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	KvSTzrP.exe
PID 1932 wrote to memory of 2000	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	KvSTzrP.exe
PID 1932 wrote to memory of 2000	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	KvSTzrP.exe
PID 1932 wrote to memory of 2744	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	ohiIfPo.exe
PID 1932 wrote to memory of 2744	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	ohiIfPo.exe
PID 1932 wrote to memory of 2744	1932	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	ohiIfPo.exe

C:\Users\Admin\AppData\Local\Temp\2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\System\zgKZntI.exe
C:\Windows\System\zgKZntI.exe
2⤵
- Executes dropped EXE
PID:1724

C:\Windows\System\BKUCSjg.exe
C:\Windows\System\BKUCSjg.exe
2⤵
- Executes dropped EXE
PID:1756

C:\Windows\System\WLHrmOD.exe
C:\Windows\System\WLHrmOD.exe
2⤵
- Executes dropped EXE
PID:2916

C:\Windows\System\HDljYsX.exe
C:\Windows\System\HDljYsX.exe
2⤵
- Executes dropped EXE
PID:2520

C:\Windows\System\JrZUAFB.exe
C:\Windows\System\JrZUAFB.exe
2⤵
- Executes dropped EXE
PID:2640

C:\Windows\System\eaUeClr.exe
C:\Windows\System\eaUeClr.exe
2⤵
- Executes dropped EXE
PID:2472

C:\Windows\System\OMuYHeX.exe
C:\Windows\System\OMuYHeX.exe
2⤵
- Executes dropped EXE
PID:2596

C:\Windows\System\gTmsmZR.exe
C:\Windows\System\gTmsmZR.exe
2⤵
- Executes dropped EXE
PID:2524

C:\Windows\System\XrVuzne.exe
C:\Windows\System\XrVuzne.exe
2⤵
- Executes dropped EXE
PID:2536

C:\Windows\System\WawKkYT.exe
C:\Windows\System\WawKkYT.exe
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\System\oCTBCqS.exe
C:\Windows\System\oCTBCqS.exe
2⤵
- Executes dropped EXE
PID:2440

C:\Windows\System\lnJsvvo.exe
C:\Windows\System\lnJsvvo.exe
2⤵
- Executes dropped EXE
PID:2896

C:\Windows\System\aTcUzXs.exe
C:\Windows\System\aTcUzXs.exe
2⤵
- Executes dropped EXE
PID:1500

C:\Windows\System\yvIfVcQ.exe
C:\Windows\System\yvIfVcQ.exe
2⤵
- Executes dropped EXE
PID:2344

C:\Windows\System\EVFkZRZ.exe
C:\Windows\System\EVFkZRZ.exe
2⤵
- Executes dropped EXE
PID:1820

C:\Windows\System\yOzyjKe.exe
C:\Windows\System\yOzyjKe.exe
2⤵
- Executes dropped EXE
PID:1976

C:\Windows\System\FbvWwFm.exe
C:\Windows\System\FbvWwFm.exe
2⤵
- Executes dropped EXE
PID:1104

C:\Windows\System\ItZIyEV.exe
C:\Windows\System\ItZIyEV.exe
2⤵
- Executes dropped EXE
PID:2176

C:\Windows\System\XzpNIEI.exe
C:\Windows\System\XzpNIEI.exe
2⤵
- Executes dropped EXE
PID:1036

C:\Windows\System\KvSTzrP.exe
C:\Windows\System\KvSTzrP.exe
2⤵
- Executes dropped EXE
PID:2000

C:\Windows\System\ohiIfPo.exe
C:\Windows\System\ohiIfPo.exe
2⤵
- Executes dropped EXE
PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BKUCSjg.exe
Filesize
5.2MB

MD5
913ae8b701ff7837dd9d7134903cb2cc

SHA1
ac0e8c6c64a5ecd67c0ad5d0d80e152bbf1cfa60

SHA256
144b9750ec4706327cda3e8818b112f85584cb2ff0cb7cc94d777c7e8311eaf6

SHA512
4694a5deb58c4bcb0ff6648ea8fc0d382e3867952a9d6a94620b0c466613adda1caf75870c85ca4f10593fd7d3997aed032e99bc20554e021394794d2f6f78e7

Download Submit
C:\Windows\system\EVFkZRZ.exe
Filesize
5.2MB

MD5
3dd2d60f9e353552fc17db8b6e4f972d

SHA1
a8d7970c9cac3fe5e133e0bd0a5d7c490c8b6709

SHA256
6a35ed469a58c5056543a74df6ddbf86f6734e3291de11674a5693e2e223aa35

SHA512
6d7e909e30688e830574a638b7f5968ad9ef7320d15447bae9a7fdef6964f6d0571341fa49ae2e9d20e0cd78fca5801bae006529c1808b89b6f2e6f7084218dc

Download Submit
C:\Windows\system\FbvWwFm.exe
Filesize
5.2MB

MD5
1ba0f826ef61b16d48001aaf2bf28bcd

SHA1
c58c0f94a16c10b87772dc79a478a65f2c0b2263

SHA256
1bb00ed33b645b016d206b55d1dc07016de3cc06b5cb6948216e75cf5ddcc9a6

SHA512
e894c0c44db5cd707756d4b536cd9fc3330acdcb0a3fd9b12593b47665cd1354e6a78da57d2fc678b87459f49fa2b17b8ec0e033727b2f961825b9d35931cb8f

Download Submit
C:\Windows\system\HDljYsX.exe
Filesize
5.2MB

MD5
c6ca8739143ccc7d7b90e9172d4dec56

SHA1
60a1aaba7db1435459b17d97c4bc8798d3b88b24

SHA256
c8865f9eb18a4a15f79b648d388a8f805ec0a946e834b8dcbd3b2fc843530783

SHA512
54e906cd9c93a9813df436cb84fab8944be59239a86d921c4d2e7aec8a0709184109914550d7e8064084d66a4ff0188b559273c904eaf37bc9c77022d388c433

Download Submit
C:\Windows\system\ItZIyEV.exe
Filesize
5.2MB

MD5
c108a313d75a0139572a9ad020884bd1

SHA1
cd6c49a3931c71b4373be23df4450a6a4cbd4c28

SHA256
cf13add543d4991b2b81a5d312c4b6257b3272e1bdc03c927f7155f51f7e5d3c

SHA512
b937351d3c9150f788a9e5010366d2a86a2d531d326f0a46adffacbac0d9e845101cfe6f42837e809947c3629280c5ff5fb71c9290eff62be2a59b7b5887d484

Download Submit
C:\Windows\system\KvSTzrP.exe
Filesize
5.2MB

MD5
4ab4cc8845bd2010ed11eef7b133bb61

SHA1
15642890cb4c7d27360458237d525f2f6550639a

SHA256
76533eb91a85698da820739f2068588e947cd34c6bc2a0fd62c0264b40a547ea

SHA512
dfda3a5918a35ab648672ddda38af6b879eeaceb26fb648e037f2626d82aeb9f56800ff589291795ee71a38530cf66c51735df07ead4e872cc4cef9b86b41189

Download Submit
C:\Windows\system\OMuYHeX.exe
Filesize
5.2MB

MD5
74edeea306de817bcd422ade3eb40676

SHA1
4e434142d4c8a93592bffafec1aec4c27578cbe9

SHA256
add13199fa4503f532398bf85726bf184809b1aacc2d52892e9aaf494cc4663c

SHA512
bdfafc4c791de0d686bf665b2839312758c8f99f9e09fdc4280a3f7d8cfb34c6fb8ecf50a17ff8d73ef53e64c0c42d4235732ef70e2c6b3dd96a2ffd6a6c949c

Download Submit
C:\Windows\system\WLHrmOD.exe
Filesize
5.2MB

MD5
37209706e7d0282589b4f9b8f940c3f5

SHA1
bd3830f3a496ebbddc0f583892daa8e2f187b829

SHA256
a7fcfa4a5f56cc834a05dc2203e43c4d44bedd94568b38ef9cfa795729423f15

SHA512
6be29cfbc0102a9962570dbdf30b32f80484fefcfb958d11eff631c203695f91031a0c45e28120dde2d851eca13ba7234dfbae2cd34c524df0c71ef85a78516b

Download Submit
C:\Windows\system\WawKkYT.exe
Filesize
5.2MB

MD5
69fffd9e5fdbecde0cf01b33436aa115

SHA1
172ffd189aa84df0023145f207546d7d3ce9836e

SHA256
6de6ee19e93cd9d0da549b5805ef5ffd840335871eff4d892e4815cdfcfcdd2b

SHA512
21261260952dd56dbe9d20b1963c47180b89634e93b54ab43105e6c9e22023709c7ffe2b1657f8e357860a70a9dd5a1ab1000a09e5546e7786174b32c9435ddd

Download Submit
C:\Windows\system\XrVuzne.exe
Filesize
5.2MB

MD5
60a69db78f5fec58f872d1ba44019fd5

SHA1
697fb96f5dd9c62743f2e565461a716db48f1489

SHA256
e156d0acbbc70f9a62c251a62facf25ebe0fe0ca85c162d8ededbb79d74d4271

SHA512
53d4d1568cbd7484743aed741c391ff0d66855d2363e71206f0aa7a500f702bbcdb2e19e63f38107c3f2112e9c9f947a31d6b27e2734eb4344eca93c90df4bed

Download Submit
C:\Windows\system\aTcUzXs.exe
Filesize
5.2MB

MD5
812f7f6b3c75fadc5274b917e526fc3b

SHA1
d200f35e15f535be6d61c530bae66c21debbade8

SHA256
b00c03d9e640e815e68ce833d559dd9260cc1d446df08d34578b9f73bf63b93c

SHA512
1b7cb56286f34a15b3893169825c61fd7fa758939e9dd57f2325479bb24a6f0e9fd6cca16c2fc280b94cea4373cc01a9e40ea1ec12739e08d6ac325eb2c53c83

Download Submit
C:\Windows\system\eaUeClr.exe
Filesize
5.2MB

MD5
d1eb0a4329509edb4204098b6c68b6e6

SHA1
6a49de942f7830d6f094eb9f825e18d0379008da

SHA256
d9d2a55354675853c7fcfe091255e33b5659f2eb3d3e1637d7dfb5cc059ccb8f

SHA512
29e3f8bde61e7f772588ad61aef890cc698a0eab4411afade30ed6b4d1e1ccb4db55a862609afdbda5915b549306f5006dce5ba7a35a23adc0886808a08553cb

Download Submit
C:\Windows\system\ohiIfPo.exe
Filesize
5.2MB

MD5
cf81a5c1f5af5e98bf85f08c9b9c66bc

SHA1
df7b17d177125a71143475dad8a57179996d61a5

SHA256
159a13d933c85919c0f5195607c0a354677992549a50f3c4ffe7a7bcff533e0f

SHA512
b2a237da05c36be5d28f5ccda418a772d57a4938056547ad895addc149880a53bff8180713ed357dcd5d3ddddf8e5ccfc95b78c521d819742ed0aa76f7c158c9

Download Submit
C:\Windows\system\yOzyjKe.exe
Filesize
5.2MB

MD5
21066df5843e717a70cc86c8960188ca

SHA1
15b720c9acad32332ef88a71b542f47364abc7dd

SHA256
55be4aa504231c7d0bc7a57b6186d1df88ea8d7122661650754ebfee0f9c7bc1

SHA512
d63bb793589b3deecaae7bc42e86a9a3866dfe921c919948bd54720041af9684814e1205f968d6ebe7fc163a2ca3280d741f669422e01a0e48c931d66394ed4d

Download Submit
C:\Windows\system\yvIfVcQ.exe
Filesize
5.2MB

MD5
bf6f78af5292fe9a1117018fa5ebd462

SHA1
16ae639c9e0dec6d96f7d83c87f8af4145e746d2

SHA256
c25eb3389fbeeb515dfd80192330b9a9d4b27871f0a62b93b977068ef45a9fae

SHA512
9533c4c61ca0a11ca1e30b5c0c8085cf82dcbd09708d7b27af2f86bdc03f588b9d2b507eb9b6228f58284709c9ea6ebec674ea1a87b2efa2c9038e493b7b6b6d

Download Submit
\Windows\system\JrZUAFB.exe
Filesize
5.2MB

MD5
872f73bec18a3ee7dcb4d09abda5777d

SHA1
2255263387b2f0090c6f348146b96882d2efceb5

SHA256
d72c04034587a7cbb69b98d59838b11c463a34e7b1320b2de8fd7b52dd145dba

SHA512
7fab46968056059a4300b505461bed7bd5fda4c97a50493300e47ada2da20eb3377e0554165762d4946a18a0bf4899c95810a7a970d78c70c8ef9cf66b33d1f6

Download Submit
\Windows\system\XzpNIEI.exe
Filesize
5.2MB

MD5
0f9e427c3b0bb5e2411f426a04044d12

SHA1
8c2acc78e83594ce0870efb74982be8ee3358a89

SHA256
79f1e8ddb291fa7a7bd826213149aa40a25a471d7e78bdc32fb46e886d1df9a7

SHA512
e879f69dfcee7dbeba0c6f64921f22f316768ca7b9114b3428152c3f727b8e05a3e94d678520f2b751cc458a90f02ee230834cfea4ade0a65d8ff4f43537a4da

Download Submit
\Windows\system\gTmsmZR.exe
Filesize
5.2MB

MD5
4031525cc1eeb87b8c26eab49efaf7ec

SHA1
e20c2510957b7488addab4a79c53ca7d11cd5934

SHA256
ceb42088b486025ac923657c7254bd6747866e6f154205a31e0943d7eb460959

SHA512
afe18e0c061f36f1b8e7834456a0a5be5507b07870000f4aaaa3c7a54c7387239989997835a57a6d4db2fff4bda0a8e76e8f360e69d326d6f078af8313273cf5

Download Submit
\Windows\system\lnJsvvo.exe
Filesize
5.2MB

MD5
4e550222fd21429ed75f03a28a5ffba4

SHA1
fc4b7928d5885422d7d96c38d13f07477884e73a

SHA256
f22a004dc4d2d7d7ee9ded3e2b32b1e26a88fb2ba12cc0658beb08fbd0e08ffb

SHA512
d1883a5c7857c29920b0313e61225fcea19b59d3c083d79322bca1c56b26459b7d54bbab19d9666fb21aa9ec66dc4701e3a54161513693e324ddc3ae8ab22059

Download Submit
\Windows\system\oCTBCqS.exe
Filesize
5.2MB

MD5
7316ac3872fcddfc1edc80ba5e88cc88

SHA1
0195adf488a689190b68ce99aca066ef3105e810

SHA256
dd580d87c936812b11319b6622b7f3baf94bd301df610ada43f339c9e0503827

SHA512
e2dfbd66b75333800365d57327d444f191659e0c2ab9fc0e26b2a4559f48d75c6d6c4a7e53dc4c8545e53bd8973894e38470fc12c1b8989f4c8fca33aeb644e9

Download Submit
\Windows\system\zgKZntI.exe
Filesize
5.2MB

MD5
52caf8ef55a6cb2e390bdcbbe6c3a985

SHA1
92eb0c0d7949eb4cbfdfeab476d75687f277d25e

SHA256
afe4e47ecd11ef27f900b5d77a0ba528da82dbc004e232875a8002e2b054f0e7

SHA512
3aab95613d6ed819d602b6e3351a0248edeea53699c6e343a6f79e406bc99c92e7a14d079f4a4175c840f7be11ed962bf01e11e00d04c660a7ff94f0d3bb1c36

Download Submit
memory/1036-175-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/1104-173-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/1500-245-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/1500-95-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/1500-156-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/1724-11-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/1724-54-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/1724-210-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/1756-14-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1756-66-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1756-212-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1820-163-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1932-48-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/1932-111-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/1932-53-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/1932-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1932-67-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/1932-179-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/1932-157-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/1932-201-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1932-76-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/1932-77-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/1932-155-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/1932-7-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/1932-0-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/1932-106-0x000000013F5D0000-0x000000013F921000-memory.dmp

Filesize
3.3MB

Download
memory/1932-20-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/1932-200-0x000000013F5D0000-0x000000013F921000-memory.dmp

Filesize
3.3MB

Download
memory/1932-33-0x00000000023D0000-0x0000000002721000-memory.dmp

Filesize
3.3MB

Download
memory/1932-78-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/1932-113-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1976-172-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2000-176-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2176-174-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/2344-107-0x000000013F5D0000-0x000000013F921000-memory.dmp

Filesize
3.3MB

Download
memory/2344-162-0x000000013F5D0000-0x000000013F921000-memory.dmp

Filesize
3.3MB

Download
memory/2344-248-0x000000013F5D0000-0x000000013F921000-memory.dmp

Filesize
3.3MB

Download
memory/2364-68-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2364-112-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2364-228-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2440-153-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2440-82-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2440-238-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2472-41-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/2472-81-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/2472-220-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/2520-214-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2520-27-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2524-49-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2524-222-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2524-84-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2536-61-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/2536-103-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/2536-226-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/2596-224-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2596-55-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2596-91-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2640-79-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2640-219-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2640-38-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2744-177-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/2896-154-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/2896-87-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/2896-241-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/2916-216-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/2916-21-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/2916-75-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download