cobaltstrike | aa4855f0a01b3ef441b1feb3987a2effcfbccf2e66b7606b231f857494efbe4a

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
Size

5.2MB
MD5

a9d0f8891ed9235c0883644623749ac8
SHA1

59d4c48109875c092abda81a1570335962e6b5e5
SHA256

aa4855f0a01b3ef441b1feb3987a2effcfbccf2e66b7606b231f857494efbe4a
SHA512

9d245f632ea75a1438e2c801abfd753a66f4d19aba023edd9b49bd06c43cd1eb78bb285186b76586d87db90f046380355370d172ea9d7946d572c12a7652e744
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lt:RWWBibf56utgpPFotBER/mQ32lUJ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\JfzIiDL.exe	cobalt_reflective_dll
C:\Windows\System\FlbQNCQ.exe	cobalt_reflective_dll
C:\Windows\System\ChEgSyH.exe	cobalt_reflective_dll
C:\Windows\System\lrzdowM.exe	cobalt_reflective_dll
C:\Windows\System\DCdqUzO.exe	cobalt_reflective_dll
C:\Windows\System\wKqYsbg.exe	cobalt_reflective_dll
C:\Windows\System\MvhXEFd.exe	cobalt_reflective_dll
C:\Windows\System\wMFvXEG.exe	cobalt_reflective_dll
C:\Windows\System\UujKGpB.exe	cobalt_reflective_dll
C:\Windows\System\gAYahEr.exe	cobalt_reflective_dll
C:\Windows\System\CZXnqDd.exe	cobalt_reflective_dll
C:\Windows\System\HzSnOQH.exe	cobalt_reflective_dll
C:\Windows\System\GlJIToY.exe	cobalt_reflective_dll
C:\Windows\System\FSGkRiB.exe	cobalt_reflective_dll
C:\Windows\System\RsXXlwu.exe	cobalt_reflective_dll
C:\Windows\System\MWWXqAn.exe	cobalt_reflective_dll
C:\Windows\System\mLXlksw.exe	cobalt_reflective_dll
C:\Windows\System\vcGmSrj.exe	cobalt_reflective_dll
C:\Windows\System\EWymzHU.exe	cobalt_reflective_dll
C:\Windows\System\NTICuub.exe	cobalt_reflective_dll
C:\Windows\System\laKVtGl.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5104-111-0x00007FF6C5530000-0x00007FF6C5881000-memory.dmp	xmrig
behavioral2/memory/1496-119-0x00007FF67CED0000-0x00007FF67D221000-memory.dmp	xmrig
behavioral2/memory/1484-124-0x00007FF67FEE0000-0x00007FF680231000-memory.dmp	xmrig
behavioral2/memory/4880-127-0x00007FF60CF30000-0x00007FF60D281000-memory.dmp	xmrig
behavioral2/memory/4732-126-0x00007FF67F5B0000-0x00007FF67F901000-memory.dmp	xmrig
behavioral2/memory/4856-125-0x00007FF7E7D20000-0x00007FF7E8071000-memory.dmp	xmrig
behavioral2/memory/2676-123-0x00007FF6F8250000-0x00007FF6F85A1000-memory.dmp	xmrig
behavioral2/memory/2524-120-0x00007FF756770000-0x00007FF756AC1000-memory.dmp	xmrig
behavioral2/memory/3232-110-0x00007FF63A560000-0x00007FF63A8B1000-memory.dmp	xmrig
behavioral2/memory/3608-106-0x00007FF617ED0000-0x00007FF618221000-memory.dmp	xmrig
behavioral2/memory/4848-84-0x00007FF6765A0000-0x00007FF6768F1000-memory.dmp	xmrig
behavioral2/memory/2312-78-0x00007FF6FDBA0000-0x00007FF6FDEF1000-memory.dmp	xmrig
behavioral2/memory/4648-34-0x00007FF60FDB0000-0x00007FF610101000-memory.dmp	xmrig
behavioral2/memory/2668-130-0x00007FF6A5090000-0x00007FF6A53E1000-memory.dmp	xmrig
behavioral2/memory/3652-132-0x00007FF778AD0000-0x00007FF778E21000-memory.dmp	xmrig
behavioral2/memory/4624-136-0x00007FF7D42A0000-0x00007FF7D45F1000-memory.dmp	xmrig
behavioral2/memory/1612-134-0x00007FF7D0670000-0x00007FF7D09C1000-memory.dmp	xmrig
behavioral2/memory/4012-133-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp	xmrig
behavioral2/memory/1852-129-0x00007FF77AAA0000-0x00007FF77ADF1000-memory.dmp	xmrig
behavioral2/memory/2384-139-0x00007FF67B7E0000-0x00007FF67BB31000-memory.dmp	xmrig
behavioral2/memory/1872-135-0x00007FF7734D0000-0x00007FF773821000-memory.dmp	xmrig
behavioral2/memory/444-128-0x00007FF7339C0000-0x00007FF733D11000-memory.dmp	xmrig
behavioral2/memory/444-150-0x00007FF7339C0000-0x00007FF733D11000-memory.dmp	xmrig
behavioral2/memory/444-172-0x00007FF7339C0000-0x00007FF733D11000-memory.dmp	xmrig
behavioral2/memory/1852-196-0x00007FF77AAA0000-0x00007FF77ADF1000-memory.dmp	xmrig
behavioral2/memory/2668-198-0x00007FF6A5090000-0x00007FF6A53E1000-memory.dmp	xmrig
behavioral2/memory/3652-220-0x00007FF778AD0000-0x00007FF778E21000-memory.dmp	xmrig
behavioral2/memory/4648-218-0x00007FF60FDB0000-0x00007FF610101000-memory.dmp	xmrig
behavioral2/memory/1872-223-0x00007FF7734D0000-0x00007FF773821000-memory.dmp	xmrig
behavioral2/memory/1612-226-0x00007FF7D0670000-0x00007FF7D09C1000-memory.dmp	xmrig
behavioral2/memory/4012-225-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp	xmrig
behavioral2/memory/4848-231-0x00007FF6765A0000-0x00007FF6768F1000-memory.dmp	xmrig
behavioral2/memory/2312-232-0x00007FF6FDBA0000-0x00007FF6FDEF1000-memory.dmp	xmrig
behavioral2/memory/4624-229-0x00007FF7D42A0000-0x00007FF7D45F1000-memory.dmp	xmrig
behavioral2/memory/2384-236-0x00007FF67B7E0000-0x00007FF67BB31000-memory.dmp	xmrig
behavioral2/memory/3232-240-0x00007FF63A560000-0x00007FF63A8B1000-memory.dmp	xmrig
behavioral2/memory/1496-244-0x00007FF67CED0000-0x00007FF67D221000-memory.dmp	xmrig
behavioral2/memory/1484-246-0x00007FF67FEE0000-0x00007FF680231000-memory.dmp	xmrig
behavioral2/memory/5104-242-0x00007FF6C5530000-0x00007FF6C5881000-memory.dmp	xmrig
behavioral2/memory/3608-239-0x00007FF617ED0000-0x00007FF618221000-memory.dmp	xmrig
behavioral2/memory/2676-238-0x00007FF6F8250000-0x00007FF6F85A1000-memory.dmp	xmrig
behavioral2/memory/4732-253-0x00007FF67F5B0000-0x00007FF67F901000-memory.dmp	xmrig
behavioral2/memory/2524-254-0x00007FF756770000-0x00007FF756AC1000-memory.dmp	xmrig
behavioral2/memory/4880-251-0x00007FF60CF30000-0x00007FF60D281000-memory.dmp	xmrig
behavioral2/memory/4856-249-0x00007FF7E7D20000-0x00007FF7E8071000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

JfzIiDL.exeFlbQNCQ.exelaKVtGl.exeNTICuub.exeChEgSyH.exelrzdowM.exeEWymzHU.exeDCdqUzO.exevcGmSrj.exemLXlksw.exeRsXXlwu.exeMWWXqAn.exewMFvXEG.exeFSGkRiB.exewKqYsbg.exeMvhXEFd.exeGlJIToY.exeCZXnqDd.exeUujKGpB.exeHzSnOQH.exegAYahEr.exe

pid	process
1852	JfzIiDL.exe
2668	FlbQNCQ.exe
4648	laKVtGl.exe
3652	NTICuub.exe
4012	ChEgSyH.exe
1872	lrzdowM.exe
1612	EWymzHU.exe
4624	DCdqUzO.exe
2312	vcGmSrj.exe
4848	mLXlksw.exe
2384	RsXXlwu.exe
3608	MWWXqAn.exe
2676	wMFvXEG.exe
3232	FSGkRiB.exe
5104	wKqYsbg.exe
1496	MvhXEFd.exe
1484	GlJIToY.exe
4856	CZXnqDd.exe
2524	UujKGpB.exe
4732	HzSnOQH.exe
4880	gAYahEr.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/444-0-0x00007FF7339C0000-0x00007FF733D11000-memory.dmp	upx
C:\Windows\System\JfzIiDL.exe	upx
behavioral2/memory/1852-7-0x00007FF77AAA0000-0x00007FF77ADF1000-memory.dmp	upx
C:\Windows\System\FlbQNCQ.exe	upx
C:\Windows\System\ChEgSyH.exe	upx
C:\Windows\System\lrzdowM.exe	upx
behavioral2/memory/4012-38-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp	upx
C:\Windows\System\DCdqUzO.exe	upx
behavioral2/memory/4624-49-0x00007FF7D42A0000-0x00007FF7D45F1000-memory.dmp	upx
C:\Windows\System\wKqYsbg.exe	upx
C:\Windows\System\MvhXEFd.exe	upx
C:\Windows\System\wMFvXEG.exe	upx
C:\Windows\System\UujKGpB.exe	upx
behavioral2/memory/5104-111-0x00007FF6C5530000-0x00007FF6C5881000-memory.dmp	upx
behavioral2/memory/1496-119-0x00007FF67CED0000-0x00007FF67D221000-memory.dmp	upx
behavioral2/memory/1484-124-0x00007FF67FEE0000-0x00007FF680231000-memory.dmp	upx
behavioral2/memory/4880-127-0x00007FF60CF30000-0x00007FF60D281000-memory.dmp	upx
behavioral2/memory/4732-126-0x00007FF67F5B0000-0x00007FF67F901000-memory.dmp	upx
behavioral2/memory/4856-125-0x00007FF7E7D20000-0x00007FF7E8071000-memory.dmp	upx
behavioral2/memory/2676-123-0x00007FF6F8250000-0x00007FF6F85A1000-memory.dmp	upx
C:\Windows\System\gAYahEr.exe	upx
behavioral2/memory/2524-120-0x00007FF756770000-0x00007FF756AC1000-memory.dmp	upx
C:\Windows\System\CZXnqDd.exe	upx
C:\Windows\System\HzSnOQH.exe	upx
behavioral2/memory/3232-110-0x00007FF63A560000-0x00007FF63A8B1000-memory.dmp	upx
C:\Windows\System\GlJIToY.exe	upx
behavioral2/memory/3608-106-0x00007FF617ED0000-0x00007FF618221000-memory.dmp	upx
behavioral2/memory/2384-96-0x00007FF67B7E0000-0x00007FF67BB31000-memory.dmp	upx
C:\Windows\System\FSGkRiB.exe	upx
C:\Windows\System\RsXXlwu.exe	upx
behavioral2/memory/4848-84-0x00007FF6765A0000-0x00007FF6768F1000-memory.dmp	upx
behavioral2/memory/2312-78-0x00007FF6FDBA0000-0x00007FF6FDEF1000-memory.dmp	upx
C:\Windows\System\MWWXqAn.exe	upx
C:\Windows\System\mLXlksw.exe	upx
C:\Windows\System\vcGmSrj.exe	upx
behavioral2/memory/1872-45-0x00007FF7734D0000-0x00007FF773821000-memory.dmp	upx
C:\Windows\System\EWymzHU.exe	upx
behavioral2/memory/1612-41-0x00007FF7D0670000-0x00007FF7D09C1000-memory.dmp	upx
behavioral2/memory/4648-34-0x00007FF60FDB0000-0x00007FF610101000-memory.dmp	upx
behavioral2/memory/3652-25-0x00007FF778AD0000-0x00007FF778E21000-memory.dmp	upx
C:\Windows\System\NTICuub.exe	upx
C:\Windows\System\laKVtGl.exe	upx
behavioral2/memory/2668-20-0x00007FF6A5090000-0x00007FF6A53E1000-memory.dmp	upx
behavioral2/memory/2668-130-0x00007FF6A5090000-0x00007FF6A53E1000-memory.dmp	upx
behavioral2/memory/3652-132-0x00007FF778AD0000-0x00007FF778E21000-memory.dmp	upx
behavioral2/memory/4624-136-0x00007FF7D42A0000-0x00007FF7D45F1000-memory.dmp	upx
behavioral2/memory/1612-134-0x00007FF7D0670000-0x00007FF7D09C1000-memory.dmp	upx
behavioral2/memory/4012-133-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp	upx
behavioral2/memory/1852-129-0x00007FF77AAA0000-0x00007FF77ADF1000-memory.dmp	upx
behavioral2/memory/2384-139-0x00007FF67B7E0000-0x00007FF67BB31000-memory.dmp	upx
behavioral2/memory/1872-135-0x00007FF7734D0000-0x00007FF773821000-memory.dmp	upx
behavioral2/memory/444-128-0x00007FF7339C0000-0x00007FF733D11000-memory.dmp	upx
behavioral2/memory/444-150-0x00007FF7339C0000-0x00007FF733D11000-memory.dmp	upx
behavioral2/memory/444-172-0x00007FF7339C0000-0x00007FF733D11000-memory.dmp	upx
behavioral2/memory/1852-196-0x00007FF77AAA0000-0x00007FF77ADF1000-memory.dmp	upx
behavioral2/memory/2668-198-0x00007FF6A5090000-0x00007FF6A53E1000-memory.dmp	upx
behavioral2/memory/3652-220-0x00007FF778AD0000-0x00007FF778E21000-memory.dmp	upx
behavioral2/memory/4648-218-0x00007FF60FDB0000-0x00007FF610101000-memory.dmp	upx
behavioral2/memory/1872-223-0x00007FF7734D0000-0x00007FF773821000-memory.dmp	upx
behavioral2/memory/1612-226-0x00007FF7D0670000-0x00007FF7D09C1000-memory.dmp	upx
behavioral2/memory/4012-225-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp	upx
behavioral2/memory/4848-231-0x00007FF6765A0000-0x00007FF6768F1000-memory.dmp	upx
behavioral2/memory/2312-232-0x00007FF6FDBA0000-0x00007FF6FDEF1000-memory.dmp	upx
behavioral2/memory/4624-229-0x00007FF7D42A0000-0x00007FF7D45F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\FlbQNCQ.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\NTICuub.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\FSGkRiB.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\MvhXEFd.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\UujKGpB.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\HzSnOQH.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\JfzIiDL.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\mLXlksw.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\RsXXlwu.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\MWWXqAn.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\wKqYsbg.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\CZXnqDd.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\gAYahEr.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\lrzdowM.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\EWymzHU.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\DCdqUzO.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\wMFvXEG.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\GlJIToY.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\ChEgSyH.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\vcGmSrj.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\laKVtGl.exe	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process
Token: SeLockMemoryPrivilege	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process	target process
PID 444 wrote to memory of 1852	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	JfzIiDL.exe
PID 444 wrote to memory of 1852	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	JfzIiDL.exe
PID 444 wrote to memory of 2668	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	FlbQNCQ.exe
PID 444 wrote to memory of 2668	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	FlbQNCQ.exe
PID 444 wrote to memory of 4648	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	laKVtGl.exe
PID 444 wrote to memory of 4648	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	laKVtGl.exe
PID 444 wrote to memory of 3652	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	NTICuub.exe
PID 444 wrote to memory of 3652	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	NTICuub.exe
PID 444 wrote to memory of 4012	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	ChEgSyH.exe
PID 444 wrote to memory of 4012	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	ChEgSyH.exe
PID 444 wrote to memory of 1612	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	EWymzHU.exe
PID 444 wrote to memory of 1612	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	EWymzHU.exe
PID 444 wrote to memory of 1872	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	lrzdowM.exe
PID 444 wrote to memory of 1872	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	lrzdowM.exe
PID 444 wrote to memory of 4624	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	DCdqUzO.exe
PID 444 wrote to memory of 4624	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	DCdqUzO.exe
PID 444 wrote to memory of 2312	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	vcGmSrj.exe
PID 444 wrote to memory of 2312	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	vcGmSrj.exe
PID 444 wrote to memory of 4848	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	mLXlksw.exe
PID 444 wrote to memory of 4848	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	mLXlksw.exe
PID 444 wrote to memory of 2384	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	RsXXlwu.exe
PID 444 wrote to memory of 2384	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	RsXXlwu.exe
PID 444 wrote to memory of 3608	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	MWWXqAn.exe
PID 444 wrote to memory of 3608	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	MWWXqAn.exe
PID 444 wrote to memory of 2676	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	wMFvXEG.exe
PID 444 wrote to memory of 2676	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	wMFvXEG.exe
PID 444 wrote to memory of 3232	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	FSGkRiB.exe
PID 444 wrote to memory of 3232	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	FSGkRiB.exe
PID 444 wrote to memory of 5104	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	wKqYsbg.exe
PID 444 wrote to memory of 5104	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	wKqYsbg.exe
PID 444 wrote to memory of 1496	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	MvhXEFd.exe
PID 444 wrote to memory of 1496	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	MvhXEFd.exe
PID 444 wrote to memory of 1484	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	GlJIToY.exe
PID 444 wrote to memory of 1484	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	GlJIToY.exe
PID 444 wrote to memory of 4856	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	CZXnqDd.exe
PID 444 wrote to memory of 4856	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	CZXnqDd.exe
PID 444 wrote to memory of 2524	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	UujKGpB.exe
PID 444 wrote to memory of 2524	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	UujKGpB.exe
PID 444 wrote to memory of 4732	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	HzSnOQH.exe
PID 444 wrote to memory of 4732	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	HzSnOQH.exe
PID 444 wrote to memory of 4880	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	gAYahEr.exe
PID 444 wrote to memory of 4880	444	20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe	gAYahEr.exe

C:\Users\Admin\AppData\Local\Temp\20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\20240520a9d0f8891ed9235c0883644623749ac8cobaltstrikecobaltstrike_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\System\JfzIiDL.exe
C:\Windows\System\JfzIiDL.exe
2⤵
- Executes dropped EXE
PID:1852

C:\Windows\System\FlbQNCQ.exe
C:\Windows\System\FlbQNCQ.exe
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\System\laKVtGl.exe
C:\Windows\System\laKVtGl.exe
2⤵
- Executes dropped EXE
PID:4648

C:\Windows\System\NTICuub.exe
C:\Windows\System\NTICuub.exe
2⤵
- Executes dropped EXE
PID:3652

C:\Windows\System\ChEgSyH.exe
C:\Windows\System\ChEgSyH.exe
2⤵
- Executes dropped EXE
PID:4012

C:\Windows\System\EWymzHU.exe
C:\Windows\System\EWymzHU.exe
2⤵
- Executes dropped EXE
PID:1612

C:\Windows\System\lrzdowM.exe
C:\Windows\System\lrzdowM.exe
2⤵
- Executes dropped EXE
PID:1872

C:\Windows\System\DCdqUzO.exe
C:\Windows\System\DCdqUzO.exe
2⤵
- Executes dropped EXE
PID:4624

C:\Windows\System\vcGmSrj.exe
C:\Windows\System\vcGmSrj.exe
2⤵
- Executes dropped EXE
PID:2312

C:\Windows\System\mLXlksw.exe
C:\Windows\System\mLXlksw.exe
2⤵
- Executes dropped EXE
PID:4848

C:\Windows\System\RsXXlwu.exe
C:\Windows\System\RsXXlwu.exe
2⤵
- Executes dropped EXE
PID:2384

C:\Windows\System\MWWXqAn.exe
C:\Windows\System\MWWXqAn.exe
2⤵
- Executes dropped EXE
PID:3608

C:\Windows\System\wMFvXEG.exe
C:\Windows\System\wMFvXEG.exe
2⤵
- Executes dropped EXE
PID:2676

C:\Windows\System\FSGkRiB.exe
C:\Windows\System\FSGkRiB.exe
2⤵
- Executes dropped EXE
PID:3232

C:\Windows\System\wKqYsbg.exe
C:\Windows\System\wKqYsbg.exe
2⤵
- Executes dropped EXE
PID:5104

C:\Windows\System\MvhXEFd.exe
C:\Windows\System\MvhXEFd.exe
2⤵
- Executes dropped EXE
PID:1496

C:\Windows\System\GlJIToY.exe
C:\Windows\System\GlJIToY.exe
2⤵
- Executes dropped EXE
PID:1484

C:\Windows\System\CZXnqDd.exe
C:\Windows\System\CZXnqDd.exe
2⤵
- Executes dropped EXE
PID:4856

C:\Windows\System\UujKGpB.exe
C:\Windows\System\UujKGpB.exe
2⤵
- Executes dropped EXE
PID:2524

C:\Windows\System\HzSnOQH.exe
C:\Windows\System\HzSnOQH.exe
2⤵
- Executes dropped EXE
PID:4732

C:\Windows\System\gAYahEr.exe
C:\Windows\System\gAYahEr.exe
2⤵
- Executes dropped EXE
PID:4880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CZXnqDd.exe
Filesize
5.2MB

MD5
ad6fefe28ee08c832e73d68224b4a50f

SHA1
858ff51e895c8560874f61d5fd30ac9a8d1d97df

SHA256
da61cbd8436a906281bcef893530aea96807d4009bb4036bfe3b21f90eff7a51

SHA512
f661ebae03ae907f6d054c2a177521ab34f2bcb5e38532db49bf6016b91b941af65b83ade808c687540fdde703f45f60178342f7f674a369fbd82a1d2c09d05b

Download Submit
C:\Windows\System\ChEgSyH.exe
Filesize
5.2MB

MD5
b6ceaccb5cc760ea68f569c407a3a81d

SHA1
d18115ef817e10783a01f4cf2005ec6aeec51619

SHA256
37ad97844a969707452e5fc9b5651c5e13a4d54aacecace5484240eca9f6698e

SHA512
fb1dd8894a13e80111dfcb9d3e024fc21f63e1eabae1ee51f322a425eaadfa2f34195654153588fdda06b44fb778bcd1cd6bb170a14d194a988ba7955cda3edb

Download Submit
C:\Windows\System\DCdqUzO.exe
Filesize
5.2MB

MD5
7e34b4de0134617a93e47bd6e7c81ede

SHA1
509e32917b33d6666b27822cf83f3764830e1d80

SHA256
5da74ab9f0c9889829c83102a131f5a849375a34d8f15603e223eddfb59347bb

SHA512
28e8d1e18cfe6208449886ee8f0363bc10b853a02cfe431df92deedbd39dd284ee22fdb91d69d29667d9802d027163bda1c7b20fd8849648edc3ba2308933024

Download Submit
C:\Windows\System\EWymzHU.exe
Filesize
5.2MB

MD5
96e6c6dfaf55948a4c559782eebebde2

SHA1
6caf5ed0250943bfd7915ce7d7ad716e5a447e47

SHA256
3da92cf5512a7b3ad80cae26e1b0676e736a899b5892ea62a49f0318ec1a60da

SHA512
5316c4bb802f7cb3c8b3957fee01bc978eeea33984db462a581cfe215a918fc1ef43c2ce9dec206317670b6080a007998aa1a248c85beef19349c7f802910c76

Download Submit
C:\Windows\System\FSGkRiB.exe
Filesize
5.2MB

MD5
c28fe28a68da7ea3d3595b4670ac645b

SHA1
66ba06d37539423fbb9376031045f62e8e61b309

SHA256
91fa9cc35bac6d97c821148766ec8605f8773f437206921ab602a48b515d2851

SHA512
3a684a0c1a8f04ef4b4691877215f7292891456c3de1fe06b0a9c8a21d37d275c2a9cd12852eff9ff8c6e56402b5d791dcaa4ea31d9ba893f369b7d676e7d94d

Download Submit
C:\Windows\System\FlbQNCQ.exe
Filesize
5.2MB

MD5
c3b4a8c851745684bde73880ccf5c9c9

SHA1
64d91d8dabed9700a78e4a7eb120ccfd8074a328

SHA256
da81299c1c4e81d97a85b6c548ccef1d253a4ca623232b9ea1345b780458040f

SHA512
bda7c0442f6ec556b60ef3f1b0129da699aa0195f04909c49765e2e6de40edaa4f945d80e58455988f75c7ae246833c9e220924ec4df615b23f9722b0615b179

Download Submit
C:\Windows\System\GlJIToY.exe
Filesize
5.2MB

MD5
5fae3d381aa2fbba17bfd81ba9837653

SHA1
c103fb4ae5f0889c6a3170b84d9787e98e35adb1

SHA256
ff5a520262afcdc60b09ed2420ce106eba6ded80070e9f4b47a5f3e651217f24

SHA512
c8266093c921dccfe48d8f72deb92df83301e40cf12f2760fd32c92dc6655306f09b71d85da4ef5c5ff8c1bd0f4a81a1be5efa2a2da2a9e3f7e576f67c74b1be

Download Submit
C:\Windows\System\HzSnOQH.exe
Filesize
5.2MB

MD5
dbe8090de0e3f2a66fb9e786c72c79ae

SHA1
bae7669fac08402f02784e69827c7f91da4292d5

SHA256
b21b810b866a9227fc127fe421d22d2702df6b46a4040dbf5395118b18a66f7c

SHA512
101a5302f006b8daf73880dc430a9e6049c5f817f379363d65f45a2e64b15368828c21536a08ec2086db97d7e2afdcdf2154e284acef5b9060a89f28e4d322b5

Download Submit
C:\Windows\System\JfzIiDL.exe
Filesize
5.2MB

MD5
f66549a244919a9cfe9ebde3c0c9388e

SHA1
2c01ec5df24f32d279f10cc805add5b1c81e7788

SHA256
29c73be59191e48cd54a868cc00f719a703364d580c261563cb68204b36f868e

SHA512
595c5868eb55330b1f704ad5c2ef9f3a5707aa36f1f8d0a2c9efb676f943ac99ffb9ae1550008ac1894cf2127c6e42bfa99435d4487c224acf84bd24071e67d5

Download Submit
C:\Windows\System\MWWXqAn.exe
Filesize
5.2MB

MD5
5b6c2d47366c3182f23dca124196082f

SHA1
419ca4431d38c9c95b7e25ea084c2353e0ea1cb4

SHA256
3cc26ace805f40473730f3c2172a19995bd70fbe47af7005322812b841d08739

SHA512
105a843b6354efe9e840a4f02ca97921e0142811a6122e5b0dd93ac616704c668d53052c29fbbe5209ddcf334f91563f5014ca1cc240ce636b0e60de0bc4ef27

Download Submit
C:\Windows\System\MvhXEFd.exe
Filesize
5.2MB

MD5
dd27fbea7cf65c2de168ba1463c1d3cf

SHA1
8a8bdd3e023d885c2d9311ac3ef3972126ffc9f5

SHA256
68415f48dae395cd40a89a347cb100f58833526d022cf26b413208389b6c4fff

SHA512
702c8a404460f6888ad28885db6eef12fad58d867379a1e9f689577e405d25dd60eeab699f8ca6e283905d5af0b1c7327536193c7ac79a695024ee18eb1aa684

Download Submit
C:\Windows\System\NTICuub.exe
Filesize
5.2MB

MD5
45aa59a5fc553933b01abbf2c3f86681

SHA1
4f2b3a6d7ad6cc8c2411102a29a991a76782765a

SHA256
ba993b3eec7154eaff80ce2b4090412cbc62dbba6de5562a7822f2595d1b3c6d

SHA512
1f3ecadb5f5bf7910d9c97bad396866273929cc732b9c2f91f9349706fdfed4a2c72adc15fa98fceecee3a0c09a1886f2a0c785cebbc48fc3645e6806af28867

Download Submit
C:\Windows\System\RsXXlwu.exe
Filesize
5.2MB

MD5
97c2d633c382b66c623ddad0197330ea

SHA1
eb8f28205f33fe6fff481073879aae045e1c032a

SHA256
a89a19ebd986d70856f2260018b66b23cf009dc938e69b3d1d15499583352ce9

SHA512
f1ae458981079f02209cd4ded26af150875ca45a51d9a9ebe82981af2cfa0f007916f2471d1e3bb6e290d10a9e0437d02039e9e2d032b55e2f0d80cb0f1cdf1d

Download Submit
C:\Windows\System\UujKGpB.exe
Filesize
5.2MB

MD5
6355632357a3a7160c396b68bd350059

SHA1
6eec8638a0e56982656ee5508d4d6049b918babb

SHA256
0c8851be207a173de0d6872c7af5a5b10508fb59b033613fc6a31f17018e9837

SHA512
354db0f6157f5330db608878e8e94a46fe593256ac3d7453016c7ab88974fe3f94232cb5f6c0054f3c68b96ea8901757c24466911ee24be12a5d940a94e55a36

Download Submit
C:\Windows\System\gAYahEr.exe
Filesize
5.2MB

MD5
a61d94641b3c02563de791f247c6cf1a

SHA1
5fcbec374ef3063ba3be7cfb312005f5480213c7

SHA256
967447889948dc318e97e9983b2c8fe7da0705a53f56ca2a708c667dd1cc7bc6

SHA512
645960af82f393aed086aff2607e68937c177f1b25c4b4f878b81dba9a973022d9e6ad6004d1cc38dd421c3c441a347cb383a7ec84b040a137de1138bff2a7a4

Download Submit
C:\Windows\System\laKVtGl.exe
Filesize
5.2MB

MD5
3936765b036d1fa25f9540d1ef51f1fc

SHA1
3e5923ef36e3a41f0bdb9c2a282c178d946149c9

SHA256
34282cf0b1ca6cc44b18028456d8f25c3ff8aa01b3dca74d6ccfe5d83ddda237

SHA512
02e1593cb8296bec90de229f042a800477f6706dc7acce6877bf0531d3aec203338c9b9446aa5ce1c6c6cd0cbc1b00f51ec32d7624224e05928d85d39e7a85b9

Download Submit
C:\Windows\System\lrzdowM.exe
Filesize
5.2MB

MD5
78d223bd040e2d8a1e83b10830646cb8

SHA1
cc9047d16fdd86393f438fdc5cc6db1c0a0e36d3

SHA256
c6ffcfbb1ce416718f2406df7050bd929fc625f3c106edd169338b7a5f2c5e3d

SHA512
c59437e6c9da919e8c3b727412ebfea3cb6320e8e0d27de558dc0e68b321469e7fef3f81491b315a4eca7808632903c5bbd40c56ba9efb1e58245651e8110178

Download Submit
C:\Windows\System\mLXlksw.exe
Filesize
5.2MB

MD5
ab373625ff6b9e3e0f1d95a8538d81a5

SHA1
62d806cb4dda02ef48403325c46b514a0330a06c

SHA256
d75cbd59a7caf67ada2aad3812af0b05c75cd794e6dcd3849e02415c937de1f9

SHA512
b6c4b0f3a86c4ef84df82b2d6d04b663994e7a822caf83bb31ff73a5917b384e88eceeb700e403936ef924c8cb41e3b998171b8c72b014e02009f1f87eb95223

Download Submit
C:\Windows\System\vcGmSrj.exe
Filesize
5.2MB

MD5
3e9ab7c673255084cdaa07d022710ad3

SHA1
7f57aa717cd520fba5812704cf9e7847c5f77660

SHA256
0568caa41660565f522cc1a2a86c41a1d0d4d2301e1c8e3897aba0911f282d95

SHA512
c2060661571ca68b6b3e6ef09231976d9e7036a5af65fd7c00721d9a2ff52a047d0765e0b745b594429e9ede268e508178402281ad9c6d743239213f6bb5bfe6

Download Submit
C:\Windows\System\wKqYsbg.exe
Filesize
5.2MB

MD5
1c2fcc4bc88982458546002cc136ce4e

SHA1
291f433fea79b10a0c988fad6edcdc31879307cf

SHA256
f3bbcaafadbc869a9c8638caba3fc6757a0ea7177c2cb364569d65182ce84a36

SHA512
7956c36073c262f784ed749952c561d0a438354b34d0a92e165a19f621a4af1b4d9f38886e05f092732252277432b132218623f75efba7fe6d54d0831124cc16

Download Submit
C:\Windows\System\wMFvXEG.exe
Filesize
5.2MB

MD5
f0e479e3b827ca11dc29bec7b9f826b5

SHA1
6142597eada975d07a146e8e5a23af0556741ff1

SHA256
35bb8930e8f4792b4789c05acf9576a0da7a7290c6bf38055b7544df84f16fb4

SHA512
9eeb7c2e6d2a26549799eda456f6db915a9f815d23bc75aa74329b06f17a423ad9d46f91b23b25ddff41a204c27c7f31a1f9b801d6e964400eeb5cfb27044d68

Download Submit
memory/444-150-0x00007FF7339C0000-0x00007FF733D11000-memory.dmp

Filesize
3.3MB

Download
memory/444-0-0x00007FF7339C0000-0x00007FF733D11000-memory.dmp

Filesize
3.3MB

Download
memory/444-128-0x00007FF7339C0000-0x00007FF733D11000-memory.dmp

Filesize
3.3MB

Download
memory/444-172-0x00007FF7339C0000-0x00007FF733D11000-memory.dmp

Filesize
3.3MB

Download
memory/444-1-0x00000116F8A30000-0x00000116F8A40000-memory.dmp

Filesize
64KB

Download
memory/1484-246-0x00007FF67FEE0000-0x00007FF680231000-memory.dmp

Filesize
3.3MB

Download
memory/1484-124-0x00007FF67FEE0000-0x00007FF680231000-memory.dmp

Filesize
3.3MB

Download
memory/1496-244-0x00007FF67CED0000-0x00007FF67D221000-memory.dmp

Filesize
3.3MB

Download
memory/1496-119-0x00007FF67CED0000-0x00007FF67D221000-memory.dmp

Filesize
3.3MB

Download
memory/1612-226-0x00007FF7D0670000-0x00007FF7D09C1000-memory.dmp

Filesize
3.3MB

Download
memory/1612-41-0x00007FF7D0670000-0x00007FF7D09C1000-memory.dmp

Filesize
3.3MB

Download
memory/1612-134-0x00007FF7D0670000-0x00007FF7D09C1000-memory.dmp

Filesize
3.3MB

Download
memory/1852-196-0x00007FF77AAA0000-0x00007FF77ADF1000-memory.dmp

Filesize
3.3MB

Download
memory/1852-7-0x00007FF77AAA0000-0x00007FF77ADF1000-memory.dmp

Filesize
3.3MB

Download
memory/1852-129-0x00007FF77AAA0000-0x00007FF77ADF1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-135-0x00007FF7734D0000-0x00007FF773821000-memory.dmp

Filesize
3.3MB

Download
memory/1872-45-0x00007FF7734D0000-0x00007FF773821000-memory.dmp

Filesize
3.3MB

Download
memory/1872-223-0x00007FF7734D0000-0x00007FF773821000-memory.dmp

Filesize
3.3MB

Download
memory/2312-232-0x00007FF6FDBA0000-0x00007FF6FDEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2312-78-0x00007FF6FDBA0000-0x00007FF6FDEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2384-236-0x00007FF67B7E0000-0x00007FF67BB31000-memory.dmp

Filesize
3.3MB

Download
memory/2384-96-0x00007FF67B7E0000-0x00007FF67BB31000-memory.dmp

Filesize
3.3MB

Download
memory/2384-139-0x00007FF67B7E0000-0x00007FF67BB31000-memory.dmp

Filesize
3.3MB

Download
memory/2524-120-0x00007FF756770000-0x00007FF756AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2524-254-0x00007FF756770000-0x00007FF756AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2668-130-0x00007FF6A5090000-0x00007FF6A53E1000-memory.dmp

Filesize
3.3MB

Download
memory/2668-20-0x00007FF6A5090000-0x00007FF6A53E1000-memory.dmp

Filesize
3.3MB

Download
memory/2668-198-0x00007FF6A5090000-0x00007FF6A53E1000-memory.dmp

Filesize
3.3MB

Download
memory/2676-123-0x00007FF6F8250000-0x00007FF6F85A1000-memory.dmp

Filesize
3.3MB

Download
memory/2676-238-0x00007FF6F8250000-0x00007FF6F85A1000-memory.dmp

Filesize
3.3MB

Download
memory/3232-240-0x00007FF63A560000-0x00007FF63A8B1000-memory.dmp

Filesize
3.3MB

Download
memory/3232-110-0x00007FF63A560000-0x00007FF63A8B1000-memory.dmp

Filesize
3.3MB

Download
memory/3608-239-0x00007FF617ED0000-0x00007FF618221000-memory.dmp

Filesize
3.3MB

Download
memory/3608-106-0x00007FF617ED0000-0x00007FF618221000-memory.dmp

Filesize
3.3MB

Download
memory/3652-220-0x00007FF778AD0000-0x00007FF778E21000-memory.dmp

Filesize
3.3MB

Download
memory/3652-132-0x00007FF778AD0000-0x00007FF778E21000-memory.dmp

Filesize
3.3MB

Download
memory/3652-25-0x00007FF778AD0000-0x00007FF778E21000-memory.dmp

Filesize
3.3MB

Download
memory/4012-225-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp

Filesize
3.3MB

Download
memory/4012-38-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp

Filesize
3.3MB

Download
memory/4012-133-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-49-0x00007FF7D42A0000-0x00007FF7D45F1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-229-0x00007FF7D42A0000-0x00007FF7D45F1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-136-0x00007FF7D42A0000-0x00007FF7D45F1000-memory.dmp

Filesize
3.3MB

Download
memory/4648-218-0x00007FF60FDB0000-0x00007FF610101000-memory.dmp

Filesize
3.3MB

Download
memory/4648-34-0x00007FF60FDB0000-0x00007FF610101000-memory.dmp

Filesize
3.3MB

Download
memory/4732-253-0x00007FF67F5B0000-0x00007FF67F901000-memory.dmp

Filesize
3.3MB

Download
memory/4732-126-0x00007FF67F5B0000-0x00007FF67F901000-memory.dmp

Filesize
3.3MB

Download
memory/4848-84-0x00007FF6765A0000-0x00007FF6768F1000-memory.dmp

Filesize
3.3MB

Download
memory/4848-231-0x00007FF6765A0000-0x00007FF6768F1000-memory.dmp

Filesize
3.3MB

Download
memory/4856-125-0x00007FF7E7D20000-0x00007FF7E8071000-memory.dmp

Filesize
3.3MB

Download
memory/4856-249-0x00007FF7E7D20000-0x00007FF7E8071000-memory.dmp

Filesize
3.3MB

Download
memory/4880-127-0x00007FF60CF30000-0x00007FF60D281000-memory.dmp

Filesize
3.3MB

Download
memory/4880-251-0x00007FF60CF30000-0x00007FF60D281000-memory.dmp

Filesize
3.3MB

Download
memory/5104-242-0x00007FF6C5530000-0x00007FF6C5881000-memory.dmp

Filesize
3.3MB

Download
memory/5104-111-0x00007FF6C5530000-0x00007FF6C5881000-memory.dmp

Filesize
3.3MB

Download