cobaltstrike | 81e589a541c667206447663c273808799e7398eba57987bacebc9347a3214d21

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
Size

5.2MB
MD5

8e3c634227dc0306df558907ca1a4488
SHA1

6cfb101b3996dc47de2d97568334a11245f256e2
SHA256

81e589a541c667206447663c273808799e7398eba57987bacebc9347a3214d21
SHA512

ba63d0c9e61849385d0476ac4f720dde382dd6791d7de15934375f600dd0c80110bc6a9b57f83fab3379a1a46ded283a3387c4419fa06ade10c1176aff2f597e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lj:RWWBibf56utgpPFotBER/mQ32lUP

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\JQIHdKw.exe	cobalt_reflective_dll
C:\Windows\System\pWvztDl.exe	cobalt_reflective_dll
C:\Windows\System\RnKuPUE.exe	cobalt_reflective_dll
C:\Windows\System\suhJWbd.exe	cobalt_reflective_dll
C:\Windows\System\njywYJR.exe	cobalt_reflective_dll
C:\Windows\System\toJnlLr.exe	cobalt_reflective_dll
C:\Windows\System\qNmUNro.exe	cobalt_reflective_dll
C:\Windows\System\qaxaSsd.exe	cobalt_reflective_dll
C:\Windows\System\iQMMJLq.exe	cobalt_reflective_dll
C:\Windows\System\JBvQPws.exe	cobalt_reflective_dll
C:\Windows\System\OfmSPeB.exe	cobalt_reflective_dll
C:\Windows\System\uzUeDeK.exe	cobalt_reflective_dll
C:\Windows\System\LZaxBIg.exe	cobalt_reflective_dll
C:\Windows\System\IXAVSPz.exe	cobalt_reflective_dll
C:\Windows\System\FRfEpwY.exe	cobalt_reflective_dll
C:\Windows\System\jzJgBOr.exe	cobalt_reflective_dll
C:\Windows\System\fsRtQEM.exe	cobalt_reflective_dll
C:\Windows\System\nDMznWk.exe	cobalt_reflective_dll
C:\Windows\System\fkSvvYE.exe	cobalt_reflective_dll
C:\Windows\System\KTBOjjj.exe	cobalt_reflective_dll
C:\Windows\System\FeXBYDg.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2268-68-0x00007FF6C2E30000-0x00007FF6C3181000-memory.dmp	xmrig
behavioral2/memory/4728-76-0x00007FF7CA110000-0x00007FF7CA461000-memory.dmp	xmrig
behavioral2/memory/2964-103-0x00007FF6F62C0000-0x00007FF6F6611000-memory.dmp	xmrig
behavioral2/memory/2492-100-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp	xmrig
behavioral2/memory/2336-86-0x00007FF6644A0000-0x00007FF6647F1000-memory.dmp	xmrig
behavioral2/memory/4396-82-0x00007FF734940000-0x00007FF734C91000-memory.dmp	xmrig
behavioral2/memory/1852-74-0x00007FF619540000-0x00007FF619891000-memory.dmp	xmrig
behavioral2/memory/4616-130-0x00007FF676420000-0x00007FF676771000-memory.dmp	xmrig
behavioral2/memory/3672-131-0x00007FF74F770000-0x00007FF74FAC1000-memory.dmp	xmrig
behavioral2/memory/1260-129-0x00007FF6BEC60000-0x00007FF6BEFB1000-memory.dmp	xmrig
behavioral2/memory/3176-128-0x00007FF7D58A0000-0x00007FF7D5BF1000-memory.dmp	xmrig
behavioral2/memory/4496-126-0x00007FF7EA550000-0x00007FF7EA8A1000-memory.dmp	xmrig
behavioral2/memory/4216-139-0x00007FF7293F0000-0x00007FF729741000-memory.dmp	xmrig
behavioral2/memory/3168-141-0x00007FF6EA2B0000-0x00007FF6EA601000-memory.dmp	xmrig
behavioral2/memory/4872-147-0x00007FF674B50000-0x00007FF674EA1000-memory.dmp	xmrig
behavioral2/memory/4576-151-0x00007FF608470000-0x00007FF6087C1000-memory.dmp	xmrig
behavioral2/memory/4452-150-0x00007FF7E61D0000-0x00007FF7E6521000-memory.dmp	xmrig
behavioral2/memory/1120-149-0x00007FF6A0880000-0x00007FF6A0BD1000-memory.dmp	xmrig
behavioral2/memory/4920-148-0x00007FF6E96E0000-0x00007FF6E9A31000-memory.dmp	xmrig
behavioral2/memory/3472-146-0x00007FF7BD290000-0x00007FF7BD5E1000-memory.dmp	xmrig
behavioral2/memory/1852-152-0x00007FF619540000-0x00007FF619891000-memory.dmp	xmrig
behavioral2/memory/2456-163-0x00007FF797A70000-0x00007FF797DC1000-memory.dmp	xmrig
behavioral2/memory/4312-166-0x00007FF6580E0000-0x00007FF658431000-memory.dmp	xmrig
behavioral2/memory/1852-174-0x00007FF619540000-0x00007FF619891000-memory.dmp	xmrig
behavioral2/memory/4728-197-0x00007FF7CA110000-0x00007FF7CA461000-memory.dmp	xmrig
behavioral2/memory/2336-199-0x00007FF6644A0000-0x00007FF6647F1000-memory.dmp	xmrig
behavioral2/memory/2492-201-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp	xmrig
behavioral2/memory/4396-203-0x00007FF734940000-0x00007FF734C91000-memory.dmp	xmrig
behavioral2/memory/4496-215-0x00007FF7EA550000-0x00007FF7EA8A1000-memory.dmp	xmrig
behavioral2/memory/3176-217-0x00007FF7D58A0000-0x00007FF7D5BF1000-memory.dmp	xmrig
behavioral2/memory/2964-221-0x00007FF6F62C0000-0x00007FF6F6611000-memory.dmp	xmrig
behavioral2/memory/4616-223-0x00007FF676420000-0x00007FF676771000-memory.dmp	xmrig
behavioral2/memory/1260-220-0x00007FF6BEC60000-0x00007FF6BEFB1000-memory.dmp	xmrig
behavioral2/memory/3672-235-0x00007FF74F770000-0x00007FF74FAC1000-memory.dmp	xmrig
behavioral2/memory/2268-234-0x00007FF6C2E30000-0x00007FF6C3181000-memory.dmp	xmrig
behavioral2/memory/3472-237-0x00007FF7BD290000-0x00007FF7BD5E1000-memory.dmp	xmrig
behavioral2/memory/4920-239-0x00007FF6E96E0000-0x00007FF6E9A31000-memory.dmp	xmrig
behavioral2/memory/4872-241-0x00007FF674B50000-0x00007FF674EA1000-memory.dmp	xmrig
behavioral2/memory/1120-243-0x00007FF6A0880000-0x00007FF6A0BD1000-memory.dmp	xmrig
behavioral2/memory/4452-245-0x00007FF7E61D0000-0x00007FF7E6521000-memory.dmp	xmrig
behavioral2/memory/4576-247-0x00007FF608470000-0x00007FF6087C1000-memory.dmp	xmrig
behavioral2/memory/4216-254-0x00007FF7293F0000-0x00007FF729741000-memory.dmp	xmrig
behavioral2/memory/2456-257-0x00007FF797A70000-0x00007FF797DC1000-memory.dmp	xmrig
behavioral2/memory/3168-258-0x00007FF6EA2B0000-0x00007FF6EA601000-memory.dmp	xmrig
behavioral2/memory/4312-260-0x00007FF6580E0000-0x00007FF658431000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

pWvztDl.exeiQMMJLq.exeJQIHdKw.exeqaxaSsd.exenjywYJR.exeRnKuPUE.exesuhJWbd.exetoJnlLr.exeqNmUNro.exeJBvQPws.exeOfmSPeB.exeuzUeDeK.exejzJgBOr.exefsRtQEM.exeIXAVSPz.exeFRfEpwY.exeLZaxBIg.exefkSvvYE.exenDMznWk.exeKTBOjjj.exeFeXBYDg.exe

pid	process
4728	pWvztDl.exe
2336	iQMMJLq.exe
2492	JQIHdKw.exe
4396	qaxaSsd.exe
4496	njywYJR.exe
2964	RnKuPUE.exe
3176	suhJWbd.exe
1260	toJnlLr.exe
4616	qNmUNro.exe
3672	JBvQPws.exe
2268	OfmSPeB.exe
3472	uzUeDeK.exe
4872	jzJgBOr.exe
4920	fsRtQEM.exe
1120	IXAVSPz.exe
4452	FRfEpwY.exe
4576	LZaxBIg.exe
2456	fkSvvYE.exe
4216	nDMznWk.exe
3168	KTBOjjj.exe
4312	FeXBYDg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1852-0-0x00007FF619540000-0x00007FF619891000-memory.dmp	upx
C:\Windows\System\JQIHdKw.exe	upx
behavioral2/memory/4728-10-0x00007FF7CA110000-0x00007FF7CA461000-memory.dmp	upx
C:\Windows\System\pWvztDl.exe	upx
behavioral2/memory/2336-12-0x00007FF6644A0000-0x00007FF6647F1000-memory.dmp	upx
C:\Windows\System\RnKuPUE.exe	upx
C:\Windows\System\suhJWbd.exe	upx
C:\Windows\System\njywYJR.exe	upx
C:\Windows\System\toJnlLr.exe	upx
C:\Windows\System\qNmUNro.exe	upx
behavioral2/memory/4616-54-0x00007FF676420000-0x00007FF676771000-memory.dmp	upx
behavioral2/memory/1260-50-0x00007FF6BEC60000-0x00007FF6BEFB1000-memory.dmp	upx
behavioral2/memory/3176-44-0x00007FF7D58A0000-0x00007FF7D5BF1000-memory.dmp	upx
behavioral2/memory/4496-37-0x00007FF7EA550000-0x00007FF7EA8A1000-memory.dmp	upx
C:\Windows\System\qaxaSsd.exe	upx
behavioral2/memory/2964-31-0x00007FF6F62C0000-0x00007FF6F6611000-memory.dmp	upx
behavioral2/memory/4396-27-0x00007FF734940000-0x00007FF734C91000-memory.dmp	upx
behavioral2/memory/2492-17-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp	upx
C:\Windows\System\iQMMJLq.exe	upx
C:\Windows\System\JBvQPws.exe	upx
behavioral2/memory/3672-60-0x00007FF74F770000-0x00007FF74FAC1000-memory.dmp	upx
C:\Windows\System\OfmSPeB.exe	upx
behavioral2/memory/2268-68-0x00007FF6C2E30000-0x00007FF6C3181000-memory.dmp	upx
C:\Windows\System\uzUeDeK.exe	upx
behavioral2/memory/4728-76-0x00007FF7CA110000-0x00007FF7CA461000-memory.dmp	upx
behavioral2/memory/4872-81-0x00007FF674B50000-0x00007FF674EA1000-memory.dmp	upx
behavioral2/memory/4920-95-0x00007FF6E96E0000-0x00007FF6E9A31000-memory.dmp	upx
C:\Windows\System\LZaxBIg.exe	upx
C:\Windows\System\IXAVSPz.exe	upx
C:\Windows\System\FRfEpwY.exe	upx
behavioral2/memory/2964-103-0x00007FF6F62C0000-0x00007FF6F6611000-memory.dmp	upx
behavioral2/memory/4452-102-0x00007FF7E61D0000-0x00007FF7E6521000-memory.dmp	upx
behavioral2/memory/4576-101-0x00007FF608470000-0x00007FF6087C1000-memory.dmp	upx
behavioral2/memory/2492-100-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp	upx
behavioral2/memory/1120-96-0x00007FF6A0880000-0x00007FF6A0BD1000-memory.dmp	upx
C:\Windows\System\jzJgBOr.exe	upx
C:\Windows\System\fsRtQEM.exe	upx
behavioral2/memory/2336-86-0x00007FF6644A0000-0x00007FF6647F1000-memory.dmp	upx
behavioral2/memory/4396-82-0x00007FF734940000-0x00007FF734C91000-memory.dmp	upx
behavioral2/memory/3472-77-0x00007FF7BD290000-0x00007FF7BD5E1000-memory.dmp	upx
behavioral2/memory/1852-74-0x00007FF619540000-0x00007FF619891000-memory.dmp	upx
behavioral2/memory/4616-130-0x00007FF676420000-0x00007FF676771000-memory.dmp	upx
behavioral2/memory/3672-131-0x00007FF74F770000-0x00007FF74FAC1000-memory.dmp	upx
behavioral2/memory/1260-129-0x00007FF6BEC60000-0x00007FF6BEFB1000-memory.dmp	upx
behavioral2/memory/3176-128-0x00007FF7D58A0000-0x00007FF7D5BF1000-memory.dmp	upx
behavioral2/memory/4496-126-0x00007FF7EA550000-0x00007FF7EA8A1000-memory.dmp	upx
C:\Windows\System\nDMznWk.exe	upx
C:\Windows\System\fkSvvYE.exe	upx
C:\Windows\System\KTBOjjj.exe	upx
behavioral2/memory/4216-139-0x00007FF7293F0000-0x00007FF729741000-memory.dmp	upx
behavioral2/memory/3168-141-0x00007FF6EA2B0000-0x00007FF6EA601000-memory.dmp	upx
C:\Windows\System\FeXBYDg.exe	upx
behavioral2/memory/2456-138-0x00007FF797A70000-0x00007FF797DC1000-memory.dmp	upx
behavioral2/memory/4312-144-0x00007FF6580E0000-0x00007FF658431000-memory.dmp	upx
behavioral2/memory/4872-147-0x00007FF674B50000-0x00007FF674EA1000-memory.dmp	upx
behavioral2/memory/4576-151-0x00007FF608470000-0x00007FF6087C1000-memory.dmp	upx
behavioral2/memory/4452-150-0x00007FF7E61D0000-0x00007FF7E6521000-memory.dmp	upx
behavioral2/memory/1120-149-0x00007FF6A0880000-0x00007FF6A0BD1000-memory.dmp	upx
behavioral2/memory/4920-148-0x00007FF6E96E0000-0x00007FF6E9A31000-memory.dmp	upx
behavioral2/memory/3472-146-0x00007FF7BD290000-0x00007FF7BD5E1000-memory.dmp	upx
behavioral2/memory/1852-152-0x00007FF619540000-0x00007FF619891000-memory.dmp	upx
behavioral2/memory/2456-163-0x00007FF797A70000-0x00007FF797DC1000-memory.dmp	upx
behavioral2/memory/4312-166-0x00007FF6580E0000-0x00007FF658431000-memory.dmp	upx
behavioral2/memory/1852-174-0x00007FF619540000-0x00007FF619891000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\njywYJR.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\FRfEpwY.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\qaxaSsd.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\jzJgBOr.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\LZaxBIg.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\KTBOjjj.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\pWvztDl.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\iQMMJLq.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\JBvQPws.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\OfmSPeB.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\uzUeDeK.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\fsRtQEM.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\IXAVSPz.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\FeXBYDg.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\toJnlLr.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\qNmUNro.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\suhJWbd.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\fkSvvYE.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\nDMznWk.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\JQIHdKw.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\RnKuPUE.exe	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process
Token: SeLockMemoryPrivilege	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process	target process
PID 1852 wrote to memory of 4728	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	pWvztDl.exe
PID 1852 wrote to memory of 4728	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	pWvztDl.exe
PID 1852 wrote to memory of 2336	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	iQMMJLq.exe
PID 1852 wrote to memory of 2336	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	iQMMJLq.exe
PID 1852 wrote to memory of 2492	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	JQIHdKw.exe
PID 1852 wrote to memory of 2492	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	JQIHdKw.exe
PID 1852 wrote to memory of 4396	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	qaxaSsd.exe
PID 1852 wrote to memory of 4396	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	qaxaSsd.exe
PID 1852 wrote to memory of 4496	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	njywYJR.exe
PID 1852 wrote to memory of 4496	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	njywYJR.exe
PID 1852 wrote to memory of 2964	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	RnKuPUE.exe
PID 1852 wrote to memory of 2964	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	RnKuPUE.exe
PID 1852 wrote to memory of 3176	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	suhJWbd.exe
PID 1852 wrote to memory of 3176	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	suhJWbd.exe
PID 1852 wrote to memory of 1260	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	toJnlLr.exe
PID 1852 wrote to memory of 1260	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	toJnlLr.exe
PID 1852 wrote to memory of 4616	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	qNmUNro.exe
PID 1852 wrote to memory of 4616	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	qNmUNro.exe
PID 1852 wrote to memory of 3672	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	JBvQPws.exe
PID 1852 wrote to memory of 3672	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	JBvQPws.exe
PID 1852 wrote to memory of 2268	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	OfmSPeB.exe
PID 1852 wrote to memory of 2268	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	OfmSPeB.exe
PID 1852 wrote to memory of 3472	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	uzUeDeK.exe
PID 1852 wrote to memory of 3472	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	uzUeDeK.exe
PID 1852 wrote to memory of 4872	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	jzJgBOr.exe
PID 1852 wrote to memory of 4872	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	jzJgBOr.exe
PID 1852 wrote to memory of 4920	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	fsRtQEM.exe
PID 1852 wrote to memory of 4920	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	fsRtQEM.exe
PID 1852 wrote to memory of 1120	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	IXAVSPz.exe
PID 1852 wrote to memory of 1120	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	IXAVSPz.exe
PID 1852 wrote to memory of 4452	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	FRfEpwY.exe
PID 1852 wrote to memory of 4452	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	FRfEpwY.exe
PID 1852 wrote to memory of 4576	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	LZaxBIg.exe
PID 1852 wrote to memory of 4576	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	LZaxBIg.exe
PID 1852 wrote to memory of 2456	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	fkSvvYE.exe
PID 1852 wrote to memory of 2456	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	fkSvvYE.exe
PID 1852 wrote to memory of 4216	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	nDMznWk.exe
PID 1852 wrote to memory of 4216	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	nDMznWk.exe
PID 1852 wrote to memory of 3168	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	KTBOjjj.exe
PID 1852 wrote to memory of 3168	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	KTBOjjj.exe
PID 1852 wrote to memory of 4312	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	FeXBYDg.exe
PID 1852 wrote to memory of 4312	1852	202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe	FeXBYDg.exe

C:\Users\Admin\AppData\Local\Temp\202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\202405208e3c634227dc0306df558907ca1a4488cobaltstrikecobaltstrike_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\System\pWvztDl.exe
C:\Windows\System\pWvztDl.exe
2⤵
- Executes dropped EXE
PID:4728

C:\Windows\System\iQMMJLq.exe
C:\Windows\System\iQMMJLq.exe
2⤵
- Executes dropped EXE
PID:2336

C:\Windows\System\JQIHdKw.exe
C:\Windows\System\JQIHdKw.exe
2⤵
- Executes dropped EXE
PID:2492

C:\Windows\System\qaxaSsd.exe
C:\Windows\System\qaxaSsd.exe
2⤵
- Executes dropped EXE
PID:4396

C:\Windows\System\njywYJR.exe
C:\Windows\System\njywYJR.exe
2⤵
- Executes dropped EXE
PID:4496

C:\Windows\System\RnKuPUE.exe
C:\Windows\System\RnKuPUE.exe
2⤵
- Executes dropped EXE
PID:2964

C:\Windows\System\suhJWbd.exe
C:\Windows\System\suhJWbd.exe
2⤵
- Executes dropped EXE
PID:3176

C:\Windows\System\toJnlLr.exe
C:\Windows\System\toJnlLr.exe
2⤵
- Executes dropped EXE
PID:1260

C:\Windows\System\qNmUNro.exe
C:\Windows\System\qNmUNro.exe
2⤵
- Executes dropped EXE
PID:4616

C:\Windows\System\JBvQPws.exe
C:\Windows\System\JBvQPws.exe
2⤵
- Executes dropped EXE
PID:3672

C:\Windows\System\OfmSPeB.exe
C:\Windows\System\OfmSPeB.exe
2⤵
- Executes dropped EXE
PID:2268

C:\Windows\System\uzUeDeK.exe
C:\Windows\System\uzUeDeK.exe
2⤵
- Executes dropped EXE
PID:3472

C:\Windows\System\jzJgBOr.exe
C:\Windows\System\jzJgBOr.exe
2⤵
- Executes dropped EXE
PID:4872

C:\Windows\System\fsRtQEM.exe
C:\Windows\System\fsRtQEM.exe
2⤵
- Executes dropped EXE
PID:4920

C:\Windows\System\IXAVSPz.exe
C:\Windows\System\IXAVSPz.exe
2⤵
- Executes dropped EXE
PID:1120

C:\Windows\System\FRfEpwY.exe
C:\Windows\System\FRfEpwY.exe
2⤵
- Executes dropped EXE
PID:4452

C:\Windows\System\LZaxBIg.exe
C:\Windows\System\LZaxBIg.exe
2⤵
- Executes dropped EXE
PID:4576

C:\Windows\System\fkSvvYE.exe
C:\Windows\System\fkSvvYE.exe
2⤵
- Executes dropped EXE
PID:2456

C:\Windows\System\nDMznWk.exe
C:\Windows\System\nDMznWk.exe
2⤵
- Executes dropped EXE
PID:4216

C:\Windows\System\KTBOjjj.exe
C:\Windows\System\KTBOjjj.exe
2⤵
- Executes dropped EXE
PID:3168

C:\Windows\System\FeXBYDg.exe
C:\Windows\System\FeXBYDg.exe
2⤵
- Executes dropped EXE
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2856,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=3996 /prefetch:8
1⤵
PID:3452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FRfEpwY.exe
Filesize
5.2MB

MD5
c09100593438b1db8a046b615dffde58

SHA1
6f7691d410b7634393a0788ff6a5487581d03bfb

SHA256
a1e288edfc4922a07bdeda43fa1f52031f5bd550486aec6d1b9ae0525d4a25c2

SHA512
07b42b03a048cce71ff356294e80591021f7a15f88e5566c306e5cfeaec52e831fc5c083be1dee54584729583917f26e0d662dd55687d0a7f2e1d4bd95a4f370

Download Submit
C:\Windows\System\FeXBYDg.exe
Filesize
5.2MB

MD5
6f8a55e0a8682b2a5ccb0a5b501723b1

SHA1
b03bf5c7996d433128fa18ae1ccde1016b8769e3

SHA256
e9708e8cde62bf2c3aff5ee248e9f6496fe0efba61bc0a0511f6009aa4d6a289

SHA512
e80785464919aa5f9ee7c3f148f0ff8d86dbfb896e5ce4f2ec8218c9a6a7227facdec09be97d1a863c67c0c7d9f5257473ce73ec0b842e7e3f2acc7489ae2a60

Download Submit
C:\Windows\System\IXAVSPz.exe
Filesize
5.2MB

MD5
fdcac1eaf0a0078713a8e906aa567c83

SHA1
4bd1048bb2a08361721223f340b20c3798766649

SHA256
8a13dc8d2aacfb1be8fdf57d9378bb9a5bcb8a345deb93b76a2b18f2652c42d1

SHA512
e2cd4033374a1f4369df415655154a39a6c5b84d2c449f712d7a208309ce89b0d10914344884dd8727477b61cb5191e1d0111e8cd5de13e1e6b013bc0b4c6bcc

Download Submit
C:\Windows\System\JBvQPws.exe
Filesize
5.2MB

MD5
d586b4d2fba638392d88bc5f9cd5bcf3

SHA1
db01f78fd47e2ec2228efc28172db68c3fd1e98b

SHA256
e8e3ce6804b258ef0453d05cb51be40707d5ab3004f4f7de95332353aa72d00b

SHA512
f0e6509fea222a8557437dd280d586c3d697d31bf4767a7a923539beacbaf6b250001f1f205e2abb26cdd9cf3dac087c466f1c983d54cd01fd9cfba29b27464a

Download Submit
C:\Windows\System\JQIHdKw.exe
Filesize
5.2MB

MD5
534aa3ec079ed8d48e73c9d12663a42f

SHA1
65bca719ecab07be5d23defd78eec71463711e06

SHA256
98c37dffb4b6a9a390aa04b19118ae5b0425ab8a07152a8c24adb98f926420b7

SHA512
d1534d20658da5351453b3d7b956b14dd1a1950dc76ca633ae117ee9fd5c06f58912f0eefceac584a2e5d7eeaf3f7254222fc607916fb3af037ad0ed7231cd83

Download Submit
C:\Windows\System\KTBOjjj.exe
Filesize
5.2MB

MD5
42eb703fdb2937dc983dd379981e1ea8

SHA1
e2e3799a1e005f33932e2d4382b549d27afb6f21

SHA256
0301615271bbd9a4c2245ac5567e5a47e0ccd4cf788345744f33e45b34aca0ee

SHA512
568f796fa1d89b61f35c7b989d30c9d665888ce020a6dc6741e59e90a09674d59bc314552b3a482aa51d588dbda365fdcb282e4041b12fdabd00b70e4b65808e

Download Submit
C:\Windows\System\LZaxBIg.exe
Filesize
5.2MB

MD5
993af938f37082eb12ad88a2a41504a2

SHA1
71ec62c082b80e017942cc969788b461ab32c8a8

SHA256
172c6d3e1959a8b819f99bf484da86726c75c32e866761575fa52cba642348b9

SHA512
7542e1b7468a9255a7f7be11eabddce0ba62d53689f3a2aab7ef59685e4e8ddfb7bb3fdc1677c845ef4acf310256e56f4b89ceefab2ae0828e67e5e12e70c5a4

Download Submit
C:\Windows\System\OfmSPeB.exe
Filesize
5.2MB

MD5
527e3ab9faa4153abccb36d4f08e463f

SHA1
3bd500a18e7effcf6e3883c094f0ce25b01b48d6

SHA256
d642d4ff5f985636f9f343bf9998117530e1fa176a6b92f76f35cb7165fb39c2

SHA512
2959b3933e7adef428c382bb760a72e9b407d93ce9874cdaa37f98d37aec62cd27843c8d0228cf4d0d0c5c3056719e5f6ab2137e129371ad1dd174831aa1f3c1

Download Submit
C:\Windows\System\RnKuPUE.exe
Filesize
5.2MB

MD5
a7683b279843e3f4a53818490fe61d6b

SHA1
535cc3f7b68b5884676a75448f95d8f7825bfa8f

SHA256
0c3719e22cbeb501cc7d37d38e6a0aa475b021d47bdcad7cd18ad4b218e3d745

SHA512
aa24a19dc555231cde05270dca288fda3d05b42d9556c5f740684bf60783aa7283a764e11aca274f420e58fb2d5e6a2705567e0481fd8e97753691af74f3d436

Download Submit
C:\Windows\System\fkSvvYE.exe
Filesize
5.2MB

MD5
f4baa931eaddd07f2a63ce0635ff6aee

SHA1
1544a696d71a3e3f1a4dc5ccc1e96e2a08f0565a

SHA256
2b63b1f6570dd1eaec12dca9699f5b34ca234120fc5abb162968abe11fe729d4

SHA512
a6f6f6e65dc578aaf72ff3461553a6166d007afadf63d77ca46fcdac3b98158e0f8ffbf8588b826c584c402011761643f7884ee65f78e1b2c00844ba9c95abbc

Download Submit
C:\Windows\System\fsRtQEM.exe
Filesize
5.2MB

MD5
c76f6e7bdcce7dcdb7cca6c720f4dcf4

SHA1
7aa65a6ba59ca19ff31c75cc28f1eceaf718e24d

SHA256
478339100edd1955811e0ff4af46bbb43424482ff61812d752ae12241d05c94e

SHA512
619ffcac1a5daa96ebb0845a4e85f809ca67ce706c05eefbcd6b3ffb95b26d99551f1adb118501bc44a80148c110d3a437c15843fa03bcb808d9a988dca10f1e

Download Submit
C:\Windows\System\iQMMJLq.exe
Filesize
5.2MB

MD5
b16e30833f12073a7ed43c8965d60870

SHA1
21d35cf6256c4386a6ef2152c705292617a2fb15

SHA256
3dce50e2812017594f857863b1d0bf1715693598ad74e35d971f88118cceecf6

SHA512
ac6fee921c7e3f9fe51cea119a67f4bd463b7f29062d6017a3523b3ccec00b9d4d3036acf3ce9618fe753ab44a588b9c9a34a7c091dc265e0984aadd3e4d5392

Download Submit
C:\Windows\System\jzJgBOr.exe
Filesize
5.2MB

MD5
e5260c5082efc9dd90fcedf61200eb12

SHA1
7eb8b36764e568428360ae12de85cbbcbf13b353

SHA256
051612e562611e0dea9051ca54c993646c7c474a3132517c3e3a57b73ac52ca2

SHA512
e0adfdc5009cd3d3c33d13498e1d2431cab8ea3a3e7bd2c7ca9d8ccc10daecd703bf026486edfd3b073c7e66e80d86ca1d5b84c1d2d15609ec8049265205e7bd

Download Submit
C:\Windows\System\nDMznWk.exe
Filesize
5.2MB

MD5
5832eafa922514b9cd44e8a7dfc86623

SHA1
24a3688be6a31af6ffa9a8d4e7ee5309310b2633

SHA256
7d91f84b6e0fac1f562ba8048bb9f4bc750ed397e0cc57172c676609132ba47f

SHA512
808e613f180e142cc681f394054b6d28c166d60f77b2f5ae87ab1622a2485336e1239cf34ba4d6feaa62d9337d73827464cf86a0cbb8885801ae4eeabfb7b70f

Download Submit
C:\Windows\System\njywYJR.exe
Filesize
5.2MB

MD5
908453f3340b0f3bdac1f33653ce4ea6

SHA1
a36020318ef5fd45f937595c9794b0649a038651

SHA256
bec6a03fc1adfe19db43829066f00baf07f8fd424c4cab5891e38ba8bbd61b34

SHA512
04dea9392a8098c6f0077f9ebe39208ab3bb91cd52173fd771b7f67d9afa3b095bb1fe2ea53ad808d8ae917228e2fc7aae6143f05549da36ced4ebdf6ce5b2d2

Download Submit
C:\Windows\System\pWvztDl.exe
Filesize
5.2MB

MD5
9650bb560c6290ff5aa3b2b24031f3e0

SHA1
8e116243185e16694eb8311206c6212bd95ea661

SHA256
729400c13285fe4778f1812f27d8a10328462e13214cc94e44dfcc8e20ef1e10

SHA512
a5b6400f8c6fd476b51e35d3b0483c0efc719d2442f697490848096b1e1ec45ba8406d43b21552f6b29d7b39c2b0a772b0372be5c8cb92297778c532833e9383

Download Submit
C:\Windows\System\qNmUNro.exe
Filesize
5.2MB

MD5
68cbd60ba273f64ec357c9265c5f34d0

SHA1
7078c6f8770f9abfe1f1f39dc0b9cc71ee6d9fe5

SHA256
4174bef9db6633bcb7cf954790179db95c7420102c8d130e73d76496f82ec91b

SHA512
afbf9388c1b00de727642f38b0f47cff1b050bbc1dee2982d407238a0c827d38261de14a8a8ccbdc2977870154b61fcc76b7c24036a08f2885cb01e3c9f1bcdc

Download Submit
C:\Windows\System\qaxaSsd.exe
Filesize
5.2MB

MD5
37815f423f6570979a32792da59da425

SHA1
163271e86c90d98d3765889e225b8728b0ec4320

SHA256
055dec971868a60225dc235492b32a4149a8032557aa9f6042857b176d6e6038

SHA512
4e423254781fcbf44ba75fe5ea5cb60a3d9baa70ba97bad355575253bd9b545ab3ded9ec0428e212f70f40a2ad8f744fecf4c171e6f39ee5946b49cdb89987f5

Download Submit
C:\Windows\System\suhJWbd.exe
Filesize
5.2MB

MD5
732466ca846b36731ab8346715275561

SHA1
ee7209c8802431d5b33b45ec00714597f3c38f99

SHA256
7d04a402bc5a2aa32203fc2b5ce2d48248ed34943cdc635dd3fc1cc5ceb7be52

SHA512
60c66cef039d29503047d183b85306db6124925d27066ad8d3375043d877e52a76c544596fe5a8965b2c8a0e5bc6cdf4453bf26f03468dd453a1b00802ac157b

Download Submit
C:\Windows\System\toJnlLr.exe
Filesize
5.2MB

MD5
cb07100df35000d0a7a06738656d8e5b

SHA1
b4f5363c0eb6ab5dd292ad990d9c557e2b6d6c4a

SHA256
8138d78c8bbec7214d8731d9a2037b52343fbb1abd1d14c1b12a0114385bea83

SHA512
1f5b92adda5fc87eb16ef19b0c621df77813a11b4f3aca6bcaf5d65d92344e3a16df4041c7662502e1a4dc18766d2f938947677cf8a5a0009d39b8fbf120bbca

Download Submit
C:\Windows\System\uzUeDeK.exe
Filesize
5.2MB

MD5
bc4b583457f877699180bb9903a9b104

SHA1
0bc40c9c3e6de9ac7ac76a8324bee5436158b62f

SHA256
c9e10e9db2044eb502029cd82179e53a54d52cf374965e47a8b43dc0a81607e7

SHA512
deee5714e752b721abc718e2196263a003799bf13ec2f9555d29de2b912e1136bb1f7dada2fd756112f699d1f1af79a4b7ed1d0c71017a301d3973a7620cf9f9

Download Submit
memory/1120-149-0x00007FF6A0880000-0x00007FF6A0BD1000-memory.dmp

Filesize
3.3MB

Download
memory/1120-96-0x00007FF6A0880000-0x00007FF6A0BD1000-memory.dmp

Filesize
3.3MB

Download
memory/1120-243-0x00007FF6A0880000-0x00007FF6A0BD1000-memory.dmp

Filesize
3.3MB

Download
memory/1260-50-0x00007FF6BEC60000-0x00007FF6BEFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1260-220-0x00007FF6BEC60000-0x00007FF6BEFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1260-129-0x00007FF6BEC60000-0x00007FF6BEFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1852-174-0x00007FF619540000-0x00007FF619891000-memory.dmp

Filesize
3.3MB

Download
memory/1852-152-0x00007FF619540000-0x00007FF619891000-memory.dmp

Filesize
3.3MB

Download
memory/1852-74-0x00007FF619540000-0x00007FF619891000-memory.dmp

Filesize
3.3MB

Download
memory/1852-0-0x00007FF619540000-0x00007FF619891000-memory.dmp

Filesize
3.3MB

Download
memory/1852-1-0x000001C1AD220000-0x000001C1AD230000-memory.dmp

Filesize
64KB

Download
memory/2268-234-0x00007FF6C2E30000-0x00007FF6C3181000-memory.dmp

Filesize
3.3MB

Download
memory/2268-68-0x00007FF6C2E30000-0x00007FF6C3181000-memory.dmp

Filesize
3.3MB

Download
memory/2336-199-0x00007FF6644A0000-0x00007FF6647F1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-12-0x00007FF6644A0000-0x00007FF6647F1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-86-0x00007FF6644A0000-0x00007FF6647F1000-memory.dmp

Filesize
3.3MB

Download
memory/2456-163-0x00007FF797A70000-0x00007FF797DC1000-memory.dmp

Filesize
3.3MB

Download
memory/2456-257-0x00007FF797A70000-0x00007FF797DC1000-memory.dmp

Filesize
3.3MB

Download
memory/2456-138-0x00007FF797A70000-0x00007FF797DC1000-memory.dmp

Filesize
3.3MB

Download
memory/2492-17-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp

Filesize
3.3MB

Download
memory/2492-201-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp

Filesize
3.3MB

Download
memory/2492-100-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp

Filesize
3.3MB

Download
memory/2964-221-0x00007FF6F62C0000-0x00007FF6F6611000-memory.dmp

Filesize
3.3MB

Download
memory/2964-31-0x00007FF6F62C0000-0x00007FF6F6611000-memory.dmp

Filesize
3.3MB

Download
memory/2964-103-0x00007FF6F62C0000-0x00007FF6F6611000-memory.dmp

Filesize
3.3MB

Download
memory/3168-258-0x00007FF6EA2B0000-0x00007FF6EA601000-memory.dmp

Filesize
3.3MB

Download
memory/3168-141-0x00007FF6EA2B0000-0x00007FF6EA601000-memory.dmp

Filesize
3.3MB

Download
memory/3176-44-0x00007FF7D58A0000-0x00007FF7D5BF1000-memory.dmp

Filesize
3.3MB

Download
memory/3176-217-0x00007FF7D58A0000-0x00007FF7D5BF1000-memory.dmp

Filesize
3.3MB

Download
memory/3176-128-0x00007FF7D58A0000-0x00007FF7D5BF1000-memory.dmp

Filesize
3.3MB

Download
memory/3472-237-0x00007FF7BD290000-0x00007FF7BD5E1000-memory.dmp

Filesize
3.3MB

Download
memory/3472-77-0x00007FF7BD290000-0x00007FF7BD5E1000-memory.dmp

Filesize
3.3MB

Download
memory/3472-146-0x00007FF7BD290000-0x00007FF7BD5E1000-memory.dmp

Filesize
3.3MB

Download
memory/3672-60-0x00007FF74F770000-0x00007FF74FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/3672-235-0x00007FF74F770000-0x00007FF74FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/3672-131-0x00007FF74F770000-0x00007FF74FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-139-0x00007FF7293F0000-0x00007FF729741000-memory.dmp

Filesize
3.3MB

Download
memory/4216-254-0x00007FF7293F0000-0x00007FF729741000-memory.dmp

Filesize
3.3MB

Download
memory/4312-166-0x00007FF6580E0000-0x00007FF658431000-memory.dmp

Filesize
3.3MB

Download
memory/4312-260-0x00007FF6580E0000-0x00007FF658431000-memory.dmp

Filesize
3.3MB

Download
memory/4312-144-0x00007FF6580E0000-0x00007FF658431000-memory.dmp

Filesize
3.3MB

Download
memory/4396-27-0x00007FF734940000-0x00007FF734C91000-memory.dmp

Filesize
3.3MB

Download
memory/4396-203-0x00007FF734940000-0x00007FF734C91000-memory.dmp

Filesize
3.3MB

Download
memory/4396-82-0x00007FF734940000-0x00007FF734C91000-memory.dmp

Filesize
3.3MB

Download
memory/4452-150-0x00007FF7E61D0000-0x00007FF7E6521000-memory.dmp

Filesize
3.3MB

Download
memory/4452-102-0x00007FF7E61D0000-0x00007FF7E6521000-memory.dmp

Filesize
3.3MB

Download
memory/4452-245-0x00007FF7E61D0000-0x00007FF7E6521000-memory.dmp

Filesize
3.3MB

Download
memory/4496-215-0x00007FF7EA550000-0x00007FF7EA8A1000-memory.dmp

Filesize
3.3MB

Download
memory/4496-126-0x00007FF7EA550000-0x00007FF7EA8A1000-memory.dmp

Filesize
3.3MB

Download
memory/4496-37-0x00007FF7EA550000-0x00007FF7EA8A1000-memory.dmp

Filesize
3.3MB

Download
memory/4576-101-0x00007FF608470000-0x00007FF6087C1000-memory.dmp

Filesize
3.3MB

Download
memory/4576-151-0x00007FF608470000-0x00007FF6087C1000-memory.dmp

Filesize
3.3MB

Download
memory/4576-247-0x00007FF608470000-0x00007FF6087C1000-memory.dmp

Filesize
3.3MB

Download
memory/4616-223-0x00007FF676420000-0x00007FF676771000-memory.dmp

Filesize
3.3MB

Download
memory/4616-54-0x00007FF676420000-0x00007FF676771000-memory.dmp

Filesize
3.3MB

Download
memory/4616-130-0x00007FF676420000-0x00007FF676771000-memory.dmp

Filesize
3.3MB

Download
memory/4728-197-0x00007FF7CA110000-0x00007FF7CA461000-memory.dmp

Filesize
3.3MB

Download
memory/4728-10-0x00007FF7CA110000-0x00007FF7CA461000-memory.dmp

Filesize
3.3MB

Download
memory/4728-76-0x00007FF7CA110000-0x00007FF7CA461000-memory.dmp

Filesize
3.3MB

Download
memory/4872-241-0x00007FF674B50000-0x00007FF674EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4872-81-0x00007FF674B50000-0x00007FF674EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4872-147-0x00007FF674B50000-0x00007FF674EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4920-239-0x00007FF6E96E0000-0x00007FF6E9A31000-memory.dmp

Filesize
3.3MB

Download
memory/4920-95-0x00007FF6E96E0000-0x00007FF6E9A31000-memory.dmp

Filesize
3.3MB

Download
memory/4920-148-0x00007FF6E96E0000-0x00007FF6E9A31000-memory.dmp

Filesize
3.3MB

Download