cobaltstrike | efc87cd611b6744e4c759195947b061abd3862bb617c47cc123a2d7c5410fb38

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
Size

5.2MB
MD5

4f52ed49a877f185ebe060adc9bf6e5c
SHA1

45351d2d819e1da70c6d99854d78c613230b7842
SHA256

efc87cd611b6744e4c759195947b061abd3862bb617c47cc123a2d7c5410fb38
SHA512

56931ad70194852308677ade6e59972db9a0d644429e02211be91781ce20dd6cee065b32c03ff5cbfa357f4513a6106d4412929e316ce4eb247bbc64a1c8c2da
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ld:RWWBibf56utgpPFotBER/mQ32lUh

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\ZfWrYXD.exe	cobalt_reflective_dll
C:\Windows\System\yOMLACc.exe	cobalt_reflective_dll
C:\Windows\System\KttynxX.exe	cobalt_reflective_dll
C:\Windows\System\IIByYKq.exe	cobalt_reflective_dll
C:\Windows\System\ERwDEAs.exe	cobalt_reflective_dll
C:\Windows\System\RyDxXOG.exe	cobalt_reflective_dll
C:\Windows\System\VFczplE.exe	cobalt_reflective_dll
C:\Windows\System\PeJbwSz.exe	cobalt_reflective_dll
C:\Windows\System\gGxtnXQ.exe	cobalt_reflective_dll
C:\Windows\System\vISCsFU.exe	cobalt_reflective_dll
C:\Windows\System\GgTOEsd.exe	cobalt_reflective_dll
C:\Windows\System\HczvEyb.exe	cobalt_reflective_dll
C:\Windows\System\PJyDlOg.exe	cobalt_reflective_dll
C:\Windows\System\hjhacJn.exe	cobalt_reflective_dll
C:\Windows\System\dheBoXX.exe	cobalt_reflective_dll
C:\Windows\System\bXUPUTj.exe	cobalt_reflective_dll
C:\Windows\System\WFPDtWD.exe	cobalt_reflective_dll
C:\Windows\System\kiuXhHb.exe	cobalt_reflective_dll
C:\Windows\System\JCzHVzT.exe	cobalt_reflective_dll
C:\Windows\System\gaOfobq.exe	cobalt_reflective_dll
C:\Windows\System\OUCYoou.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1904-47-0x00007FF712CE0000-0x00007FF713031000-memory.dmp	xmrig
behavioral2/memory/2040-34-0x00007FF611C30000-0x00007FF611F81000-memory.dmp	xmrig
behavioral2/memory/2656-26-0x00007FF718420000-0x00007FF718771000-memory.dmp	xmrig
behavioral2/memory/4536-22-0x00007FF7DC1D0000-0x00007FF7DC521000-memory.dmp	xmrig
behavioral2/memory/4588-16-0x00007FF7F9BD0000-0x00007FF7F9F21000-memory.dmp	xmrig
behavioral2/memory/1564-71-0x00007FF626990000-0x00007FF626CE1000-memory.dmp	xmrig
behavioral2/memory/3988-68-0x00007FF7C2770000-0x00007FF7C2AC1000-memory.dmp	xmrig
behavioral2/memory/948-89-0x00007FF6C8210000-0x00007FF6C8561000-memory.dmp	xmrig
behavioral2/memory/3404-91-0x00007FF77C530000-0x00007FF77C881000-memory.dmp	xmrig
behavioral2/memory/624-90-0x00007FF64A760000-0x00007FF64AAB1000-memory.dmp	xmrig
behavioral2/memory/3208-104-0x00007FF6DB2B0000-0x00007FF6DB601000-memory.dmp	xmrig
behavioral2/memory/3960-129-0x00007FF66D8B0000-0x00007FF66DC01000-memory.dmp	xmrig
behavioral2/memory/1532-133-0x00007FF76A970000-0x00007FF76ACC1000-memory.dmp	xmrig
behavioral2/memory/4784-135-0x00007FF77E350000-0x00007FF77E6A1000-memory.dmp	xmrig
behavioral2/memory/2072-136-0x00007FF76E430000-0x00007FF76E781000-memory.dmp	xmrig
behavioral2/memory/2264-132-0x00007FF7CF030000-0x00007FF7CF381000-memory.dmp	xmrig
behavioral2/memory/1368-127-0x00007FF737570000-0x00007FF7378C1000-memory.dmp	xmrig
behavioral2/memory/4440-140-0x00007FF692390000-0x00007FF6926E1000-memory.dmp	xmrig
behavioral2/memory/1880-145-0x00007FF6AFEB0000-0x00007FF6B0201000-memory.dmp	xmrig
behavioral2/memory/5084-142-0x00007FF6EC030000-0x00007FF6EC381000-memory.dmp	xmrig
behavioral2/memory/4248-146-0x00007FF620930000-0x00007FF620C81000-memory.dmp	xmrig
behavioral2/memory/1564-147-0x00007FF626990000-0x00007FF626CE1000-memory.dmp	xmrig
behavioral2/memory/1540-161-0x00007FF698C20000-0x00007FF698F71000-memory.dmp	xmrig
behavioral2/memory/1564-169-0x00007FF626990000-0x00007FF626CE1000-memory.dmp	xmrig
behavioral2/memory/948-195-0x00007FF6C8210000-0x00007FF6C8561000-memory.dmp	xmrig
behavioral2/memory/4588-197-0x00007FF7F9BD0000-0x00007FF7F9F21000-memory.dmp	xmrig
behavioral2/memory/4536-199-0x00007FF7DC1D0000-0x00007FF7DC521000-memory.dmp	xmrig
behavioral2/memory/2040-203-0x00007FF611C30000-0x00007FF611F81000-memory.dmp	xmrig
behavioral2/memory/2656-202-0x00007FF718420000-0x00007FF718771000-memory.dmp	xmrig
behavioral2/memory/1904-206-0x00007FF712CE0000-0x00007FF713031000-memory.dmp	xmrig
behavioral2/memory/3208-207-0x00007FF6DB2B0000-0x00007FF6DB601000-memory.dmp	xmrig
behavioral2/memory/1368-209-0x00007FF737570000-0x00007FF7378C1000-memory.dmp	xmrig
behavioral2/memory/2264-217-0x00007FF7CF030000-0x00007FF7CF381000-memory.dmp	xmrig
behavioral2/memory/4440-219-0x00007FF692390000-0x00007FF6926E1000-memory.dmp	xmrig
behavioral2/memory/3988-221-0x00007FF7C2770000-0x00007FF7C2AC1000-memory.dmp	xmrig
behavioral2/memory/5084-223-0x00007FF6EC030000-0x00007FF6EC381000-memory.dmp	xmrig
behavioral2/memory/624-225-0x00007FF64A760000-0x00007FF64AAB1000-memory.dmp	xmrig
behavioral2/memory/3404-229-0x00007FF77C530000-0x00007FF77C881000-memory.dmp	xmrig
behavioral2/memory/1880-232-0x00007FF6AFEB0000-0x00007FF6B0201000-memory.dmp	xmrig
behavioral2/memory/4248-235-0x00007FF620930000-0x00007FF620C81000-memory.dmp	xmrig
behavioral2/memory/2072-237-0x00007FF76E430000-0x00007FF76E781000-memory.dmp	xmrig
behavioral2/memory/1532-240-0x00007FF76A970000-0x00007FF76ACC1000-memory.dmp	xmrig
behavioral2/memory/3960-243-0x00007FF66D8B0000-0x00007FF66DC01000-memory.dmp	xmrig
behavioral2/memory/4784-242-0x00007FF77E350000-0x00007FF77E6A1000-memory.dmp	xmrig
behavioral2/memory/1540-246-0x00007FF698C20000-0x00007FF698F71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

ZfWrYXD.exeKttynxX.exeyOMLACc.exeIIByYKq.exeERwDEAs.exeRyDxXOG.exeVFczplE.exePeJbwSz.exegGxtnXQ.exevISCsFU.exeGgTOEsd.exeHczvEyb.exePJyDlOg.exehjhacJn.exedheBoXX.exegaOfobq.exeJCzHVzT.exekiuXhHb.exebXUPUTj.exeWFPDtWD.exeOUCYoou.exe

pid	process
948	ZfWrYXD.exe
4588	KttynxX.exe
4536	yOMLACc.exe
2656	IIByYKq.exe
2040	ERwDEAs.exe
3208	RyDxXOG.exe
1904	VFczplE.exe
1368	PeJbwSz.exe
2264	gGxtnXQ.exe
4440	vISCsFU.exe
3988	GgTOEsd.exe
5084	HczvEyb.exe
624	PJyDlOg.exe
3404	hjhacJn.exe
1880	dheBoXX.exe
4248	gaOfobq.exe
3960	JCzHVzT.exe
1532	kiuXhHb.exe
4784	bXUPUTj.exe
2072	WFPDtWD.exe
1540	OUCYoou.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1564-0-0x00007FF626990000-0x00007FF626CE1000-memory.dmp	upx
C:\Windows\System\ZfWrYXD.exe	upx
C:\Windows\System\yOMLACc.exe	upx
behavioral2/memory/948-10-0x00007FF6C8210000-0x00007FF6C8561000-memory.dmp	upx
C:\Windows\System\KttynxX.exe	upx
C:\Windows\System\IIByYKq.exe	upx
C:\Windows\System\ERwDEAs.exe	upx
C:\Windows\System\RyDxXOG.exe	upx
C:\Windows\System\VFczplE.exe	upx
C:\Windows\System\PeJbwSz.exe	upx
behavioral2/memory/1904-47-0x00007FF712CE0000-0x00007FF713031000-memory.dmp	upx
behavioral2/memory/1368-48-0x00007FF737570000-0x00007FF7378C1000-memory.dmp	upx
behavioral2/memory/3208-38-0x00007FF6DB2B0000-0x00007FF6DB601000-memory.dmp	upx
behavioral2/memory/2040-34-0x00007FF611C30000-0x00007FF611F81000-memory.dmp	upx
behavioral2/memory/2656-26-0x00007FF718420000-0x00007FF718771000-memory.dmp	upx
behavioral2/memory/4536-22-0x00007FF7DC1D0000-0x00007FF7DC521000-memory.dmp	upx
behavioral2/memory/4588-16-0x00007FF7F9BD0000-0x00007FF7F9F21000-memory.dmp	upx
C:\Windows\System\gGxtnXQ.exe	upx
behavioral2/memory/2264-57-0x00007FF7CF030000-0x00007FF7CF381000-memory.dmp	upx
C:\Windows\System\vISCsFU.exe	upx
behavioral2/memory/4440-60-0x00007FF692390000-0x00007FF6926E1000-memory.dmp	upx
C:\Windows\System\GgTOEsd.exe	upx
C:\Windows\System\HczvEyb.exe	upx
behavioral2/memory/5084-73-0x00007FF6EC030000-0x00007FF6EC381000-memory.dmp	upx
C:\Windows\System\PJyDlOg.exe	upx
behavioral2/memory/1564-71-0x00007FF626990000-0x00007FF626CE1000-memory.dmp	upx
behavioral2/memory/3988-68-0x00007FF7C2770000-0x00007FF7C2AC1000-memory.dmp	upx
C:\Windows\System\hjhacJn.exe	upx
behavioral2/memory/948-89-0x00007FF6C8210000-0x00007FF6C8561000-memory.dmp	upx
behavioral2/memory/1880-92-0x00007FF6AFEB0000-0x00007FF6B0201000-memory.dmp	upx
C:\Windows\System\dheBoXX.exe	upx
behavioral2/memory/3404-91-0x00007FF77C530000-0x00007FF77C881000-memory.dmp	upx
behavioral2/memory/624-90-0x00007FF64A760000-0x00007FF64AAB1000-memory.dmp	upx
behavioral2/memory/3208-104-0x00007FF6DB2B0000-0x00007FF6DB601000-memory.dmp	upx
C:\Windows\System\bXUPUTj.exe	upx
C:\Windows\System\WFPDtWD.exe	upx
C:\Windows\System\kiuXhHb.exe	upx
C:\Windows\System\JCzHVzT.exe	upx
C:\Windows\System\gaOfobq.exe	upx
behavioral2/memory/4248-107-0x00007FF620930000-0x00007FF620C81000-memory.dmp	upx
behavioral2/memory/3960-129-0x00007FF66D8B0000-0x00007FF66DC01000-memory.dmp	upx
behavioral2/memory/1532-133-0x00007FF76A970000-0x00007FF76ACC1000-memory.dmp	upx
behavioral2/memory/4784-135-0x00007FF77E350000-0x00007FF77E6A1000-memory.dmp	upx
behavioral2/memory/2072-136-0x00007FF76E430000-0x00007FF76E781000-memory.dmp	upx
behavioral2/memory/1540-138-0x00007FF698C20000-0x00007FF698F71000-memory.dmp	upx
C:\Windows\System\OUCYoou.exe	upx
behavioral2/memory/2264-132-0x00007FF7CF030000-0x00007FF7CF381000-memory.dmp	upx
behavioral2/memory/1368-127-0x00007FF737570000-0x00007FF7378C1000-memory.dmp	upx
behavioral2/memory/4440-140-0x00007FF692390000-0x00007FF6926E1000-memory.dmp	upx
behavioral2/memory/1880-145-0x00007FF6AFEB0000-0x00007FF6B0201000-memory.dmp	upx
behavioral2/memory/5084-142-0x00007FF6EC030000-0x00007FF6EC381000-memory.dmp	upx
behavioral2/memory/4248-146-0x00007FF620930000-0x00007FF620C81000-memory.dmp	upx
behavioral2/memory/1564-147-0x00007FF626990000-0x00007FF626CE1000-memory.dmp	upx
behavioral2/memory/1540-161-0x00007FF698C20000-0x00007FF698F71000-memory.dmp	upx
behavioral2/memory/1564-169-0x00007FF626990000-0x00007FF626CE1000-memory.dmp	upx
behavioral2/memory/948-195-0x00007FF6C8210000-0x00007FF6C8561000-memory.dmp	upx
behavioral2/memory/4588-197-0x00007FF7F9BD0000-0x00007FF7F9F21000-memory.dmp	upx
behavioral2/memory/4536-199-0x00007FF7DC1D0000-0x00007FF7DC521000-memory.dmp	upx
behavioral2/memory/2040-203-0x00007FF611C30000-0x00007FF611F81000-memory.dmp	upx
behavioral2/memory/2656-202-0x00007FF718420000-0x00007FF718771000-memory.dmp	upx
behavioral2/memory/1904-206-0x00007FF712CE0000-0x00007FF713031000-memory.dmp	upx
behavioral2/memory/3208-207-0x00007FF6DB2B0000-0x00007FF6DB601000-memory.dmp	upx
behavioral2/memory/1368-209-0x00007FF737570000-0x00007FF7378C1000-memory.dmp	upx
behavioral2/memory/2264-217-0x00007FF7CF030000-0x00007FF7CF381000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\dheBoXX.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\yOMLACc.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\ERwDEAs.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\RyDxXOG.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\kiuXhHb.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\WFPDtWD.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\ZfWrYXD.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\KttynxX.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\VFczplE.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\PeJbwSz.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\hjhacJn.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\gaOfobq.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\IIByYKq.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\gGxtnXQ.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\vISCsFU.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\GgTOEsd.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\HczvEyb.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\PJyDlOg.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\bXUPUTj.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\JCzHVzT.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\OUCYoou.exe	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process
Token: SeLockMemoryPrivilege	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process	target process
PID 1564 wrote to memory of 948	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	ZfWrYXD.exe
PID 1564 wrote to memory of 948	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	ZfWrYXD.exe
PID 1564 wrote to memory of 4588	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	KttynxX.exe
PID 1564 wrote to memory of 4588	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	KttynxX.exe
PID 1564 wrote to memory of 4536	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	yOMLACc.exe
PID 1564 wrote to memory of 4536	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	yOMLACc.exe
PID 1564 wrote to memory of 2656	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	IIByYKq.exe
PID 1564 wrote to memory of 2656	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	IIByYKq.exe
PID 1564 wrote to memory of 2040	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	ERwDEAs.exe
PID 1564 wrote to memory of 2040	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	ERwDEAs.exe
PID 1564 wrote to memory of 3208	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	RyDxXOG.exe
PID 1564 wrote to memory of 3208	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	RyDxXOG.exe
PID 1564 wrote to memory of 1904	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	VFczplE.exe
PID 1564 wrote to memory of 1904	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	VFczplE.exe
PID 1564 wrote to memory of 1368	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	PeJbwSz.exe
PID 1564 wrote to memory of 1368	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	PeJbwSz.exe
PID 1564 wrote to memory of 2264	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	gGxtnXQ.exe
PID 1564 wrote to memory of 2264	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	gGxtnXQ.exe
PID 1564 wrote to memory of 4440	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	vISCsFU.exe
PID 1564 wrote to memory of 4440	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	vISCsFU.exe
PID 1564 wrote to memory of 3988	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	GgTOEsd.exe
PID 1564 wrote to memory of 3988	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	GgTOEsd.exe
PID 1564 wrote to memory of 5084	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	HczvEyb.exe
PID 1564 wrote to memory of 5084	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	HczvEyb.exe
PID 1564 wrote to memory of 624	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	PJyDlOg.exe
PID 1564 wrote to memory of 624	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	PJyDlOg.exe
PID 1564 wrote to memory of 3404	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	hjhacJn.exe
PID 1564 wrote to memory of 3404	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	hjhacJn.exe
PID 1564 wrote to memory of 1880	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	dheBoXX.exe
PID 1564 wrote to memory of 1880	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	dheBoXX.exe
PID 1564 wrote to memory of 4248	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	gaOfobq.exe
PID 1564 wrote to memory of 4248	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	gaOfobq.exe
PID 1564 wrote to memory of 4784	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	bXUPUTj.exe
PID 1564 wrote to memory of 4784	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	bXUPUTj.exe
PID 1564 wrote to memory of 3960	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	JCzHVzT.exe
PID 1564 wrote to memory of 3960	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	JCzHVzT.exe
PID 1564 wrote to memory of 1532	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	kiuXhHb.exe
PID 1564 wrote to memory of 1532	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	kiuXhHb.exe
PID 1564 wrote to memory of 2072	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	WFPDtWD.exe
PID 1564 wrote to memory of 2072	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	WFPDtWD.exe
PID 1564 wrote to memory of 1540	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	OUCYoou.exe
PID 1564 wrote to memory of 1540	1564	202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe	OUCYoou.exe

C:\Users\Admin\AppData\Local\Temp\202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\202405204f52ed49a877f185ebe060adc9bf6e5ccobaltstrikecobaltstrike_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\System\ZfWrYXD.exe
C:\Windows\System\ZfWrYXD.exe
2⤵
- Executes dropped EXE
PID:948

C:\Windows\System\KttynxX.exe
C:\Windows\System\KttynxX.exe
2⤵
- Executes dropped EXE
PID:4588

C:\Windows\System\yOMLACc.exe
C:\Windows\System\yOMLACc.exe
2⤵
- Executes dropped EXE
PID:4536

C:\Windows\System\IIByYKq.exe
C:\Windows\System\IIByYKq.exe
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\System\ERwDEAs.exe
C:\Windows\System\ERwDEAs.exe
2⤵
- Executes dropped EXE
PID:2040

C:\Windows\System\RyDxXOG.exe
C:\Windows\System\RyDxXOG.exe
2⤵
- Executes dropped EXE
PID:3208

C:\Windows\System\VFczplE.exe
C:\Windows\System\VFczplE.exe
2⤵
- Executes dropped EXE
PID:1904

C:\Windows\System\PeJbwSz.exe
C:\Windows\System\PeJbwSz.exe
2⤵
- Executes dropped EXE
PID:1368

C:\Windows\System\gGxtnXQ.exe
C:\Windows\System\gGxtnXQ.exe
2⤵
- Executes dropped EXE
PID:2264

C:\Windows\System\vISCsFU.exe
C:\Windows\System\vISCsFU.exe
2⤵
- Executes dropped EXE
PID:4440

C:\Windows\System\GgTOEsd.exe
C:\Windows\System\GgTOEsd.exe
2⤵
- Executes dropped EXE
PID:3988

C:\Windows\System\HczvEyb.exe
C:\Windows\System\HczvEyb.exe
2⤵
- Executes dropped EXE
PID:5084

C:\Windows\System\PJyDlOg.exe
C:\Windows\System\PJyDlOg.exe
2⤵
- Executes dropped EXE
PID:624

C:\Windows\System\hjhacJn.exe
C:\Windows\System\hjhacJn.exe
2⤵
- Executes dropped EXE
PID:3404

C:\Windows\System\dheBoXX.exe
C:\Windows\System\dheBoXX.exe
2⤵
- Executes dropped EXE
PID:1880

C:\Windows\System\gaOfobq.exe
C:\Windows\System\gaOfobq.exe
2⤵
- Executes dropped EXE
PID:4248

C:\Windows\System\bXUPUTj.exe
C:\Windows\System\bXUPUTj.exe
2⤵
- Executes dropped EXE
PID:4784

C:\Windows\System\JCzHVzT.exe
C:\Windows\System\JCzHVzT.exe
2⤵
- Executes dropped EXE
PID:3960

C:\Windows\System\kiuXhHb.exe
C:\Windows\System\kiuXhHb.exe
2⤵
- Executes dropped EXE
PID:1532

C:\Windows\System\WFPDtWD.exe
C:\Windows\System\WFPDtWD.exe
2⤵
- Executes dropped EXE
PID:2072

C:\Windows\System\OUCYoou.exe
C:\Windows\System\OUCYoou.exe
2⤵
- Executes dropped EXE
PID:1540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ERwDEAs.exe
Filesize
5.2MB

MD5
e4b6d3a0c650199740f76674d1b876e6

SHA1
a6d1d5999b54e587f0a84a73dac74f6cd3c46ec3

SHA256
8ba8636ef455c26d084f79682eea1021adeb57d077a83bd99339460ba385d5cf

SHA512
4af041a1035cda9229d0e46b514ae56aee2838b71091551158c1350285b733a7032280818cf67234c35e4ef624979d663ae59f76828f6fc12605f6f44c2049f5

Download Submit
C:\Windows\System\GgTOEsd.exe
Filesize
5.2MB

MD5
4da642b303a8caffc1e5ac1c7c6565c9

SHA1
cdc802ccab7153d0191b0221a55e9b4e6a3033ca

SHA256
c3fe1960a0f0282833a4f74ea8fb6307a0936f43d3dc2feba0f758b8b5b63706

SHA512
288659cc38d025a8d283e3caf57e4f64a05d8678ec0da315c86a234ddc9095e9c66dacf6b9ea191cc49435b7151bd3e9d5dddb90307eaeeb4f83cf9c7e8e70cf

Download Submit
C:\Windows\System\HczvEyb.exe
Filesize
5.2MB

MD5
b6ce26304d1e864e4cde9ad8ff3d8562

SHA1
d20456a2bfc63511c61d98e8b727bb1a2281e955

SHA256
be2c705a69a3c36535091a95661322ed612ba1c11f5287389e0d789948df79a0

SHA512
19bdd7b76753d8dd36db4732d9544dfbc086d38f951b0239d8229019b416f55173c22954e5bb0ec28128d4eee49413d13cc7b81a674261219a1f5da738422589

Download Submit
C:\Windows\System\IIByYKq.exe
Filesize
5.2MB

MD5
02cce5e7601daaa1ee681ac21d4fa701

SHA1
437f7fbcade411003a9e58998be29b5498beb8cc

SHA256
d9b3c93d3306fdd686644e4588e2a07cca54dd0d3916634ff8c0d126a4b845bb

SHA512
4e2131ee9b254c9810be5c9feb40042942d32f3f64a81f7284fefbfd897013d0747302942dfcc99ea0c8f6eb4f34134f8ac6ba7ae73a327568bfa144b15276d3

Download Submit
C:\Windows\System\JCzHVzT.exe
Filesize
5.2MB

MD5
5d4bc37fd713f9b42c45205f5123271d

SHA1
a065a8bfc85206ad9ee07f6d26b6c026d5ce7870

SHA256
e3e87178c80b384cfa4a23e1e15b69ac99e25adbf0aa8fb1fd5f0ddddd9e95af

SHA512
1f6d013401cba961b1da9992e14b92e843f191ce6283658bb50a57b03bbbe6a12820651b7b8c3b6c8b6049c9645405f6853653e3fa2a29995176e44cec480663

Download Submit
C:\Windows\System\KttynxX.exe
Filesize
5.2MB

MD5
19025ea02496000383135bea47ace043

SHA1
9f782c9dec8ac9dbaf271f826e9617b9cf733aa6

SHA256
3ec448c7c5f04f1f72135001fb49c837a56778b0c4a34a5868e0d3e686905bfc

SHA512
8581df12900d8d4b18741a224286941f056780ee180be78ff1f78ce3e40443c9091df28e7612016ad91b32ffcb198ad02345e248920e775ba88fcbe52d10f70d

Download Submit
C:\Windows\System\OUCYoou.exe
Filesize
5.2MB

MD5
13452d8569134108fbb63637a73f54bf

SHA1
bd437324e0d80360281ffeb22fae3b917525b773

SHA256
ed877f83dff83ab3255dbb841022bfbf535ab9ce25940cbe8092159fa2b774ae

SHA512
a36f3c57752e73780288665bfd999636f8ceaddcd2821c3d6b387e70311656d72b666649cfa9287eb471780f3fee0d948bc57b67e4a0a691cbffd4b7ae1289a3

Download Submit
C:\Windows\System\PJyDlOg.exe
Filesize
5.2MB

MD5
6f59b9f34d9cffee48373f4e2dfeca2d

SHA1
017e3d5c568e26bfbf390e609a3fc36f0d1c5a85

SHA256
9d960e4ce24405897a7dde8d5fa5333f7037a9b74cb48b63b1a00a4b805ec180

SHA512
2461d0c65e7b3fcb9ff08dec1216001535083af4aed7366ab96c0d6fda94e716efc281416f31f25ef4532f4751de83d8657c95fd18fafbdf1a8827c70ad0b4e1

Download Submit
C:\Windows\System\PeJbwSz.exe
Filesize
5.2MB

MD5
fd7683e519816576d4879054946a7829

SHA1
0a11e67b4792864b2cc135de1e04c0a94a0ad107

SHA256
c3e20db2b312777bbf39ed647b5ff07aeb165df9cdd32b176647804536b1b0ed

SHA512
41327bf9ab55656fe5d259445047710a4ad44e4df2c8a76c5aabb11d274245d45ca524d8330ae1f8bf1225498555c7031acf5f5b8a004944ac3a87f92a2075f8

Download Submit
C:\Windows\System\RyDxXOG.exe
Filesize
5.2MB

MD5
e4d81246b079800679ae05f3d8f0dcf5

SHA1
10c0c0bee1ceac8a17055962274f92a3d8ccd539

SHA256
bb8b2fd3c70fa42b539b203f98064ecbf50e1a5e43425284d96305249610b28b

SHA512
b56e56cc4249081b43664fd2b69927f8c1824f5ea6efeb77a3b7564f314cf17d1e0b05159dd45b48ec4998d70d8242d0acdb6b44c000727dbdd8011f6ae7a5a7

Download Submit
C:\Windows\System\VFczplE.exe
Filesize
5.2MB

MD5
c7235dfe051bc16ac573266dd2f181f3

SHA1
25c349c6e4d8d21e61113b2992fc76d7b7c25480

SHA256
5d2dfd8cdfb413503f448282c453a56631839cb43cd85570698802126ee00fce

SHA512
3dd5f19158e685f65dc4e7fefd59c1e265f3edc8c353002bf083195ae9a537f4273e90096f6a0d1730ba670638b344dcaee00ea8723aaa4c857a0bb10bde8bb8

Download Submit
C:\Windows\System\WFPDtWD.exe
Filesize
5.2MB

MD5
9c62642fcd40dfd569cd49e853c64e81

SHA1
860f3ad8e628f51e4a786b5d467003b49fa535a0

SHA256
d1695a909fc84cca82be5d1c6676d910cdb3f0af16911eaad2a456820f606c49

SHA512
1dd51c8a79b2dfe03840aa82d76da834081d0d0a3946b6bc67890cf9492ae25bdd14dd27f7cf4486eb7d3f98aebdfcfe4bd0a268fcaae9b6b6ab02b5a82e8a45

Download Submit
C:\Windows\System\ZfWrYXD.exe
Filesize
5.2MB

MD5
909940a92da425aa891462026a4b83a5

SHA1
939ae11e998ab0f2b2422b2b352b51240b205580

SHA256
23eff44edaae279248a90a387887ceead845ef7d9ac8aa8d38d0f400a1b02c7d

SHA512
9a6d9ea3371d4b7691ae1a4abe96c00c62e3c5d318aeb0d58aba8440eef7a73e3677e623e97002b659c5d2e1073e9359669710cd163867219a83593749fc519a

Download Submit
C:\Windows\System\bXUPUTj.exe
Filesize
5.2MB

MD5
08fe903cc13c7b0c35f1d104fd6fcc8c

SHA1
3e05724abd3348549d29bc7fda069d713d45d1d1

SHA256
fd98f42a840af354eac0ae68244ad57f817077ffb6f43dc01ef5267374cbf915

SHA512
116cea70742983c89ff7136a4acdfbc5bf5472d1dfd6d913808e939b34bf8a69dc13b4b3e62f7bab4e94ca087b8a034aad8e54bece890d09141bb4e1d334a00c

Download Submit
C:\Windows\System\dheBoXX.exe
Filesize
5.2MB

MD5
8ca2e588ae8af3d5a5a2bd5910fe4789

SHA1
6b0fabb0fdf0f134b7c90119b793a4249db8efaf

SHA256
a12f11157d05d783f88f40a8acac8860091361c1c85fce63b7c7ad5338a8922a

SHA512
df2665e481e08a07d7b4278e78ff9171d276630bfb38995b6bb9c763a106d6e28d9d2f4dc5c816a2746d8553702f0f7ee53ce40aacd8ec0be5fc09f6585bcc15

Download Submit
C:\Windows\System\gGxtnXQ.exe
Filesize
5.2MB

MD5
0522178ed67102c1510a635162657e34

SHA1
b49d0dad6776626920b00d81785a7f6e1cfb557d

SHA256
6d8b130c089433a6d1f416f43f766bb9cd5d714aa1b08238bfa02b36882d8445

SHA512
3571972c7ed662a42c0660584618b88ed7b0714d77d8e7085d9d4bc706e24b4a9bd7445b3f54bfbd5b8fa7d524d1bc29aa8ed60351ac7a9098dcca6e5a7217e1

Download Submit
C:\Windows\System\gaOfobq.exe
Filesize
5.2MB

MD5
ba4067d9eb977db4bcf077fd00272577

SHA1
ae8da92046349090d0c9d0d3d7dc06124fe35aa1

SHA256
22e678d70ce6eaddb64b9b925e244798866f086840904faef2240cd726292b51

SHA512
4d59b48a9c7762ff60d5f7a0c34d39b268a47429278142acc74d22456fd8539fcb451c116125f953dea660e19045974ff0d4cd5f2d23a4bd75a984c07874c8e8

Download Submit
C:\Windows\System\hjhacJn.exe
Filesize
5.2MB

MD5
de2b0bde4dd7dddef1ab5fcf9ae6543d

SHA1
6ccd2ceff0123be9fd3d7d32bcef6ba70209ab4b

SHA256
2b2107775f93fa6f892a4db8239139c1d85bed4fff9c37563e8133cd39287160

SHA512
3a14c88bb44ac99b14dee7c997e0c4e6ee32f5527215a5c9f8bbd47359e55ea43e531da705e63d082bce4724f485a9d7236b49917ee6d491dad0a08dbd6d7b54

Download Submit
C:\Windows\System\kiuXhHb.exe
Filesize
5.2MB

MD5
389b4f438505129c672fc6bd658db91e

SHA1
9ed81fce52f5a911923d73295ae32d3246160e7b

SHA256
8c0b9e99bdd2d060fbf51bc12e8ca0dfecaac36b0f767b83a6ec420af389e2b0

SHA512
518c1591d83db0956e1e34d90789d4b03c8feb9f2414529f3f1c829bf384846ae15de5283d075af9e7f3a403fbd593d207aa400487481f5ec7f9bb693fb15807

Download Submit
C:\Windows\System\vISCsFU.exe
Filesize
5.2MB

MD5
eb8ccc2fc32adfb93843e70cc9042d68

SHA1
a94a43e1191992a6677b989c695c90f0de70ac32

SHA256
cb2fcd6ef01010b01c953f04fb73fea974b544f12cbfc3820514aac184a0bbaf

SHA512
7fe0b9923636f3d62219b86448ce899fbd110445f6fdf34159eeaf32c640e65fdc2f787106cd4bee34e7cd5ded9abedefe11a67fd795aa0dd06a1c9308c7d914

Download Submit
C:\Windows\System\yOMLACc.exe
Filesize
5.2MB

MD5
8d641c17891c01b4af3c9fff06f2e29c

SHA1
73e485bc98d53c3b63d9c479bf50a906a64a5ed3

SHA256
4550d7cecdb3ae6ec71dc51cf64a44af2cfdde1f3a9aaa6f0b662067099f0eac

SHA512
0435fbe951ca44fc9a08f650ea618a49de9977074df285d5b50e959909adc7ca2497e5ac57d0c491ffa9c0ca0f5c95bcb1979b9cc4e6b0b5a33c4c2949f4192f

Download Submit
memory/624-90-0x00007FF64A760000-0x00007FF64AAB1000-memory.dmp

Filesize
3.3MB

Download
memory/624-225-0x00007FF64A760000-0x00007FF64AAB1000-memory.dmp

Filesize
3.3MB

Download
memory/948-89-0x00007FF6C8210000-0x00007FF6C8561000-memory.dmp

Filesize
3.3MB

Download
memory/948-10-0x00007FF6C8210000-0x00007FF6C8561000-memory.dmp

Filesize
3.3MB

Download
memory/948-195-0x00007FF6C8210000-0x00007FF6C8561000-memory.dmp

Filesize
3.3MB

Download
memory/1368-209-0x00007FF737570000-0x00007FF7378C1000-memory.dmp

Filesize
3.3MB

Download
memory/1368-48-0x00007FF737570000-0x00007FF7378C1000-memory.dmp

Filesize
3.3MB

Download
memory/1368-127-0x00007FF737570000-0x00007FF7378C1000-memory.dmp

Filesize
3.3MB

Download
memory/1532-133-0x00007FF76A970000-0x00007FF76ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/1532-240-0x00007FF76A970000-0x00007FF76ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-246-0x00007FF698C20000-0x00007FF698F71000-memory.dmp

Filesize
3.3MB

Download
memory/1540-138-0x00007FF698C20000-0x00007FF698F71000-memory.dmp

Filesize
3.3MB

Download
memory/1540-161-0x00007FF698C20000-0x00007FF698F71000-memory.dmp

Filesize
3.3MB

Download
memory/1564-0-0x00007FF626990000-0x00007FF626CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1564-71-0x00007FF626990000-0x00007FF626CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1564-1-0x00000252B0200000-0x00000252B0210000-memory.dmp

Filesize
64KB

Download
memory/1564-147-0x00007FF626990000-0x00007FF626CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1564-169-0x00007FF626990000-0x00007FF626CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1880-92-0x00007FF6AFEB0000-0x00007FF6B0201000-memory.dmp

Filesize
3.3MB

Download
memory/1880-145-0x00007FF6AFEB0000-0x00007FF6B0201000-memory.dmp

Filesize
3.3MB

Download
memory/1880-232-0x00007FF6AFEB0000-0x00007FF6B0201000-memory.dmp

Filesize
3.3MB

Download
memory/1904-47-0x00007FF712CE0000-0x00007FF713031000-memory.dmp

Filesize
3.3MB

Download
memory/1904-206-0x00007FF712CE0000-0x00007FF713031000-memory.dmp

Filesize
3.3MB

Download
memory/2040-203-0x00007FF611C30000-0x00007FF611F81000-memory.dmp

Filesize
3.3MB

Download
memory/2040-34-0x00007FF611C30000-0x00007FF611F81000-memory.dmp

Filesize
3.3MB

Download
memory/2072-237-0x00007FF76E430000-0x00007FF76E781000-memory.dmp

Filesize
3.3MB

Download
memory/2072-136-0x00007FF76E430000-0x00007FF76E781000-memory.dmp

Filesize
3.3MB

Download
memory/2264-132-0x00007FF7CF030000-0x00007FF7CF381000-memory.dmp

Filesize
3.3MB

Download
memory/2264-57-0x00007FF7CF030000-0x00007FF7CF381000-memory.dmp

Filesize
3.3MB

Download
memory/2264-217-0x00007FF7CF030000-0x00007FF7CF381000-memory.dmp

Filesize
3.3MB

Download
memory/2656-202-0x00007FF718420000-0x00007FF718771000-memory.dmp

Filesize
3.3MB

Download
memory/2656-26-0x00007FF718420000-0x00007FF718771000-memory.dmp

Filesize
3.3MB

Download
memory/3208-38-0x00007FF6DB2B0000-0x00007FF6DB601000-memory.dmp

Filesize
3.3MB

Download
memory/3208-104-0x00007FF6DB2B0000-0x00007FF6DB601000-memory.dmp

Filesize
3.3MB

Download
memory/3208-207-0x00007FF6DB2B0000-0x00007FF6DB601000-memory.dmp

Filesize
3.3MB

Download
memory/3404-229-0x00007FF77C530000-0x00007FF77C881000-memory.dmp

Filesize
3.3MB

Download
memory/3404-91-0x00007FF77C530000-0x00007FF77C881000-memory.dmp

Filesize
3.3MB

Download
memory/3960-243-0x00007FF66D8B0000-0x00007FF66DC01000-memory.dmp

Filesize
3.3MB

Download
memory/3960-129-0x00007FF66D8B0000-0x00007FF66DC01000-memory.dmp

Filesize
3.3MB

Download
memory/3988-68-0x00007FF7C2770000-0x00007FF7C2AC1000-memory.dmp

Filesize
3.3MB

Download
memory/3988-221-0x00007FF7C2770000-0x00007FF7C2AC1000-memory.dmp

Filesize
3.3MB

Download
memory/4248-235-0x00007FF620930000-0x00007FF620C81000-memory.dmp

Filesize
3.3MB

Download
memory/4248-146-0x00007FF620930000-0x00007FF620C81000-memory.dmp

Filesize
3.3MB

Download
memory/4248-107-0x00007FF620930000-0x00007FF620C81000-memory.dmp

Filesize
3.3MB

Download
memory/4440-219-0x00007FF692390000-0x00007FF6926E1000-memory.dmp

Filesize
3.3MB

Download
memory/4440-140-0x00007FF692390000-0x00007FF6926E1000-memory.dmp

Filesize
3.3MB

Download
memory/4440-60-0x00007FF692390000-0x00007FF6926E1000-memory.dmp

Filesize
3.3MB

Download
memory/4536-199-0x00007FF7DC1D0000-0x00007FF7DC521000-memory.dmp

Filesize
3.3MB

Download
memory/4536-22-0x00007FF7DC1D0000-0x00007FF7DC521000-memory.dmp

Filesize
3.3MB

Download
memory/4588-197-0x00007FF7F9BD0000-0x00007FF7F9F21000-memory.dmp

Filesize
3.3MB

Download
memory/4588-16-0x00007FF7F9BD0000-0x00007FF7F9F21000-memory.dmp

Filesize
3.3MB

Download
memory/4784-135-0x00007FF77E350000-0x00007FF77E6A1000-memory.dmp

Filesize
3.3MB

Download
memory/4784-242-0x00007FF77E350000-0x00007FF77E6A1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-223-0x00007FF6EC030000-0x00007FF6EC381000-memory.dmp

Filesize
3.3MB

Download
memory/5084-73-0x00007FF6EC030000-0x00007FF6EC381000-memory.dmp

Filesize
3.3MB

Download
memory/5084-142-0x00007FF6EC030000-0x00007FF6EC381000-memory.dmp

Filesize
3.3MB

Download