cobaltstrike | d1ca88bb6b1d8d01c8b090ef65e654b66779606e322ef60527899080aa242720

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
Size

5.2MB
MD5

efe30ff2f84fbab3245b804f15f756d9
SHA1

43a65294eb5ce760d92ea74519c6c8f23ade96f3
SHA256

d1ca88bb6b1d8d01c8b090ef65e654b66779606e322ef60527899080aa242720
SHA512

9e5d909525fbfe7cc56830ecfd940e628d664fb00c81a9bb7095617331eb155daa3ea377881a580b6d6366b6ef08c985e1232124fc9066a7c35fd43e08fdd78a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lV:RWWBibf56utgpPFotBER/mQ32lUZ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\pNXOuVL.exe	cobalt_reflective_dll
C:\Windows\System\ecyaOzf.exe	cobalt_reflective_dll
C:\Windows\System\XxnHVmZ.exe	cobalt_reflective_dll
C:\Windows\System\TSMvzOq.exe	cobalt_reflective_dll
C:\Windows\System\FbLtIuL.exe	cobalt_reflective_dll
C:\Windows\System\ajalKIW.exe	cobalt_reflective_dll
C:\Windows\System\QZjenyZ.exe	cobalt_reflective_dll
C:\Windows\System\AgjCBBK.exe	cobalt_reflective_dll
C:\Windows\System\FCrUugj.exe	cobalt_reflective_dll
C:\Windows\System\IalUBts.exe	cobalt_reflective_dll
C:\Windows\System\SUHzpCi.exe	cobalt_reflective_dll
C:\Windows\System\nrFslvk.exe	cobalt_reflective_dll
C:\Windows\System\GxSgUpG.exe	cobalt_reflective_dll
C:\Windows\System\llAXcoV.exe	cobalt_reflective_dll
C:\Windows\System\HkAgBrH.exe	cobalt_reflective_dll
C:\Windows\System\YgtxuGw.exe	cobalt_reflective_dll
C:\Windows\System\NKNSswo.exe	cobalt_reflective_dll
C:\Windows\System\KqmOHIU.exe	cobalt_reflective_dll
C:\Windows\System\lAMPjxy.exe	cobalt_reflective_dll
C:\Windows\System\yGTASWH.exe	cobalt_reflective_dll
C:\Windows\System\rmCUaEC.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2276-20-0x00007FF614F60000-0x00007FF6152B1000-memory.dmp	xmrig
behavioral2/memory/4360-128-0x00007FF7EE180000-0x00007FF7EE4D1000-memory.dmp	xmrig
behavioral2/memory/1776-127-0x00007FF63EF70000-0x00007FF63F2C1000-memory.dmp	xmrig
behavioral2/memory/2428-126-0x00007FF774510000-0x00007FF774861000-memory.dmp	xmrig
behavioral2/memory/2384-117-0x00007FF7E7E00000-0x00007FF7E8151000-memory.dmp	xmrig
behavioral2/memory/3552-114-0x00007FF721630000-0x00007FF721981000-memory.dmp	xmrig
behavioral2/memory/952-106-0x00007FF70FC50000-0x00007FF70FFA1000-memory.dmp	xmrig
behavioral2/memory/4248-74-0x00007FF7F8BA0000-0x00007FF7F8EF1000-memory.dmp	xmrig
behavioral2/memory/244-68-0x00007FF6FDAC0000-0x00007FF6FDE11000-memory.dmp	xmrig
behavioral2/memory/1472-51-0x00007FF6FECA0000-0x00007FF6FEFF1000-memory.dmp	xmrig
behavioral2/memory/3616-129-0x00007FF6C2DE0000-0x00007FF6C3131000-memory.dmp	xmrig
behavioral2/memory/316-132-0x00007FF794040000-0x00007FF794391000-memory.dmp	xmrig
behavioral2/memory/1776-130-0x00007FF63EF70000-0x00007FF63F2C1000-memory.dmp	xmrig
behavioral2/memory/1628-145-0x00007FF7433D0000-0x00007FF743721000-memory.dmp	xmrig
behavioral2/memory/1988-146-0x00007FF642210000-0x00007FF642561000-memory.dmp	xmrig
behavioral2/memory/100-148-0x00007FF6C5E30000-0x00007FF6C6181000-memory.dmp	xmrig
behavioral2/memory/4564-144-0x00007FF6ED1E0000-0x00007FF6ED531000-memory.dmp	xmrig
behavioral2/memory/3244-137-0x00007FF7C8130000-0x00007FF7C8481000-memory.dmp	xmrig
behavioral2/memory/5044-151-0x00007FF62E770000-0x00007FF62EAC1000-memory.dmp	xmrig
behavioral2/memory/1512-142-0x00007FF7F4F50000-0x00007FF7F52A1000-memory.dmp	xmrig
behavioral2/memory/1644-140-0x00007FF7D3440000-0x00007FF7D3791000-memory.dmp	xmrig
behavioral2/memory/2112-136-0x00007FF6E9890000-0x00007FF6E9BE1000-memory.dmp	xmrig
behavioral2/memory/2900-135-0x00007FF76C1A0000-0x00007FF76C4F1000-memory.dmp	xmrig
behavioral2/memory/1776-153-0x00007FF63EF70000-0x00007FF63F2C1000-memory.dmp	xmrig
behavioral2/memory/3616-198-0x00007FF6C2DE0000-0x00007FF6C3131000-memory.dmp	xmrig
behavioral2/memory/316-200-0x00007FF794040000-0x00007FF794391000-memory.dmp	xmrig
behavioral2/memory/2276-202-0x00007FF614F60000-0x00007FF6152B1000-memory.dmp	xmrig
behavioral2/memory/2112-223-0x00007FF6E9890000-0x00007FF6E9BE1000-memory.dmp	xmrig
behavioral2/memory/1472-225-0x00007FF6FECA0000-0x00007FF6FEFF1000-memory.dmp	xmrig
behavioral2/memory/244-229-0x00007FF6FDAC0000-0x00007FF6FDE11000-memory.dmp	xmrig
behavioral2/memory/1644-231-0x00007FF7D3440000-0x00007FF7D3791000-memory.dmp	xmrig
behavioral2/memory/4248-233-0x00007FF7F8BA0000-0x00007FF7F8EF1000-memory.dmp	xmrig
behavioral2/memory/1512-235-0x00007FF7F4F50000-0x00007FF7F52A1000-memory.dmp	xmrig
behavioral2/memory/952-237-0x00007FF70FC50000-0x00007FF70FFA1000-memory.dmp	xmrig
behavioral2/memory/1988-239-0x00007FF642210000-0x00007FF642561000-memory.dmp	xmrig
behavioral2/memory/3552-243-0x00007FF721630000-0x00007FF721981000-memory.dmp	xmrig
behavioral2/memory/1628-241-0x00007FF7433D0000-0x00007FF743721000-memory.dmp	xmrig
behavioral2/memory/4564-245-0x00007FF6ED1E0000-0x00007FF6ED531000-memory.dmp	xmrig
behavioral2/memory/2384-247-0x00007FF7E7E00000-0x00007FF7E8151000-memory.dmp	xmrig
behavioral2/memory/100-253-0x00007FF6C5E30000-0x00007FF6C6181000-memory.dmp	xmrig
behavioral2/memory/2428-255-0x00007FF774510000-0x00007FF774861000-memory.dmp	xmrig
behavioral2/memory/4360-251-0x00007FF7EE180000-0x00007FF7EE4D1000-memory.dmp	xmrig
behavioral2/memory/5044-249-0x00007FF62E770000-0x00007FF62EAC1000-memory.dmp	xmrig
behavioral2/memory/3244-227-0x00007FF7C8130000-0x00007FF7C8481000-memory.dmp	xmrig
behavioral2/memory/2900-221-0x00007FF76C1A0000-0x00007FF76C4F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

pNXOuVL.exeXxnHVmZ.exeecyaOzf.exeTSMvzOq.exermCUaEC.exeFbLtIuL.exeyGTASWH.exeajalKIW.exeQZjenyZ.exelAMPjxy.exeAgjCBBK.exeKqmOHIU.exeYgtxuGw.exeFCrUugj.exeNKNSswo.exeSUHzpCi.exeIalUBts.exellAXcoV.exeGxSgUpG.exeHkAgBrH.exenrFslvk.exe

pid	process
3616	pNXOuVL.exe
316	XxnHVmZ.exe
2276	ecyaOzf.exe
2900	TSMvzOq.exe
2112	rmCUaEC.exe
3244	FbLtIuL.exe
1472	yGTASWH.exe
244	ajalKIW.exe
1644	QZjenyZ.exe
4248	lAMPjxy.exe
1512	AgjCBBK.exe
952	KqmOHIU.exe
4564	YgtxuGw.exe
1628	FCrUugj.exe
1988	NKNSswo.exe
3552	SUHzpCi.exe
100	IalUBts.exe
2384	llAXcoV.exe
4360	GxSgUpG.exe
5044	HkAgBrH.exe
2428	nrFslvk.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1776-0-0x00007FF63EF70000-0x00007FF63F2C1000-memory.dmp	upx
C:\Windows\System\pNXOuVL.exe	upx
C:\Windows\System\ecyaOzf.exe	upx
behavioral2/memory/316-12-0x00007FF794040000-0x00007FF794391000-memory.dmp	upx
behavioral2/memory/2276-20-0x00007FF614F60000-0x00007FF6152B1000-memory.dmp	upx
C:\Windows\System\XxnHVmZ.exe	upx
behavioral2/memory/3616-8-0x00007FF6C2DE0000-0x00007FF6C3131000-memory.dmp	upx
C:\Windows\System\TSMvzOq.exe	upx
C:\Windows\System\FbLtIuL.exe	upx
C:\Windows\System\ajalKIW.exe	upx
C:\Windows\System\QZjenyZ.exe	upx
C:\Windows\System\AgjCBBK.exe	upx
C:\Windows\System\FCrUugj.exe	upx
C:\Windows\System\IalUBts.exe	upx
C:\Windows\System\SUHzpCi.exe	upx
behavioral2/memory/4564-113-0x00007FF6ED1E0000-0x00007FF6ED531000-memory.dmp	upx
C:\Windows\System\nrFslvk.exe	upx
C:\Windows\System\GxSgUpG.exe	upx
behavioral2/memory/4360-128-0x00007FF7EE180000-0x00007FF7EE4D1000-memory.dmp	upx
behavioral2/memory/1776-127-0x00007FF63EF70000-0x00007FF63F2C1000-memory.dmp	upx
behavioral2/memory/2428-126-0x00007FF774510000-0x00007FF774861000-memory.dmp	upx
behavioral2/memory/5044-125-0x00007FF62E770000-0x00007FF62EAC1000-memory.dmp	upx
behavioral2/memory/2384-117-0x00007FF7E7E00000-0x00007FF7E8151000-memory.dmp	upx
C:\Windows\System\llAXcoV.exe	upx
behavioral2/memory/3552-114-0x00007FF721630000-0x00007FF721981000-memory.dmp	upx
C:\Windows\System\HkAgBrH.exe	upx
behavioral2/memory/952-106-0x00007FF70FC50000-0x00007FF70FFA1000-memory.dmp	upx
C:\Windows\System\YgtxuGw.exe	upx
behavioral2/memory/100-102-0x00007FF6C5E30000-0x00007FF6C6181000-memory.dmp	upx
behavioral2/memory/1988-94-0x00007FF642210000-0x00007FF642561000-memory.dmp	upx
C:\Windows\System\NKNSswo.exe	upx
behavioral2/memory/1628-85-0x00007FF7433D0000-0x00007FF743721000-memory.dmp	upx
C:\Windows\System\KqmOHIU.exe	upx
behavioral2/memory/4248-74-0x00007FF7F8BA0000-0x00007FF7F8EF1000-memory.dmp	upx
C:\Windows\System\lAMPjxy.exe	upx
behavioral2/memory/244-68-0x00007FF6FDAC0000-0x00007FF6FDE11000-memory.dmp	upx
behavioral2/memory/1512-62-0x00007FF7F4F50000-0x00007FF7F52A1000-memory.dmp	upx
behavioral2/memory/1644-59-0x00007FF7D3440000-0x00007FF7D3791000-memory.dmp	upx
behavioral2/memory/1472-51-0x00007FF6FECA0000-0x00007FF6FEFF1000-memory.dmp	upx
behavioral2/memory/3244-43-0x00007FF7C8130000-0x00007FF7C8481000-memory.dmp	upx
C:\Windows\System\yGTASWH.exe	upx
behavioral2/memory/2112-37-0x00007FF6E9890000-0x00007FF6E9BE1000-memory.dmp	upx
behavioral2/memory/2900-28-0x00007FF76C1A0000-0x00007FF76C4F1000-memory.dmp	upx
C:\Windows\System\rmCUaEC.exe	upx
behavioral2/memory/3616-129-0x00007FF6C2DE0000-0x00007FF6C3131000-memory.dmp	upx
behavioral2/memory/316-132-0x00007FF794040000-0x00007FF794391000-memory.dmp	upx
behavioral2/memory/1776-130-0x00007FF63EF70000-0x00007FF63F2C1000-memory.dmp	upx
behavioral2/memory/1628-145-0x00007FF7433D0000-0x00007FF743721000-memory.dmp	upx
behavioral2/memory/1988-146-0x00007FF642210000-0x00007FF642561000-memory.dmp	upx
behavioral2/memory/100-148-0x00007FF6C5E30000-0x00007FF6C6181000-memory.dmp	upx
behavioral2/memory/4564-144-0x00007FF6ED1E0000-0x00007FF6ED531000-memory.dmp	upx
behavioral2/memory/3244-137-0x00007FF7C8130000-0x00007FF7C8481000-memory.dmp	upx
behavioral2/memory/5044-151-0x00007FF62E770000-0x00007FF62EAC1000-memory.dmp	upx
behavioral2/memory/1512-142-0x00007FF7F4F50000-0x00007FF7F52A1000-memory.dmp	upx
behavioral2/memory/1644-140-0x00007FF7D3440000-0x00007FF7D3791000-memory.dmp	upx
behavioral2/memory/2112-136-0x00007FF6E9890000-0x00007FF6E9BE1000-memory.dmp	upx
behavioral2/memory/2900-135-0x00007FF76C1A0000-0x00007FF76C4F1000-memory.dmp	upx
behavioral2/memory/1776-153-0x00007FF63EF70000-0x00007FF63F2C1000-memory.dmp	upx
behavioral2/memory/3616-198-0x00007FF6C2DE0000-0x00007FF6C3131000-memory.dmp	upx
behavioral2/memory/316-200-0x00007FF794040000-0x00007FF794391000-memory.dmp	upx
behavioral2/memory/2276-202-0x00007FF614F60000-0x00007FF6152B1000-memory.dmp	upx
behavioral2/memory/2112-223-0x00007FF6E9890000-0x00007FF6E9BE1000-memory.dmp	upx
behavioral2/memory/1472-225-0x00007FF6FECA0000-0x00007FF6FEFF1000-memory.dmp	upx
behavioral2/memory/244-229-0x00007FF6FDAC0000-0x00007FF6FDE11000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\AgjCBBK.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\KqmOHIU.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\IalUBts.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\HkAgBrH.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\nrFslvk.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\XxnHVmZ.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\ecyaOzf.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\ajalKIW.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\lAMPjxy.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\SUHzpCi.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\GxSgUpG.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\pNXOuVL.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\QZjenyZ.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\NKNSswo.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\TSMvzOq.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\FbLtIuL.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\yGTASWH.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\YgtxuGw.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\FCrUugj.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\llAXcoV.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\rmCUaEC.exe	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process
Token: SeLockMemoryPrivilege	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process	target process
PID 1776 wrote to memory of 3616	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	pNXOuVL.exe
PID 1776 wrote to memory of 3616	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	pNXOuVL.exe
PID 1776 wrote to memory of 316	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	XxnHVmZ.exe
PID 1776 wrote to memory of 316	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	XxnHVmZ.exe
PID 1776 wrote to memory of 2276	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	ecyaOzf.exe
PID 1776 wrote to memory of 2276	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	ecyaOzf.exe
PID 1776 wrote to memory of 2900	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	TSMvzOq.exe
PID 1776 wrote to memory of 2900	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	TSMvzOq.exe
PID 1776 wrote to memory of 2112	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	rmCUaEC.exe
PID 1776 wrote to memory of 2112	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	rmCUaEC.exe
PID 1776 wrote to memory of 3244	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	FbLtIuL.exe
PID 1776 wrote to memory of 3244	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	FbLtIuL.exe
PID 1776 wrote to memory of 1472	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	yGTASWH.exe
PID 1776 wrote to memory of 1472	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	yGTASWH.exe
PID 1776 wrote to memory of 244	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	ajalKIW.exe
PID 1776 wrote to memory of 244	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	ajalKIW.exe
PID 1776 wrote to memory of 1644	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	QZjenyZ.exe
PID 1776 wrote to memory of 1644	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	QZjenyZ.exe
PID 1776 wrote to memory of 4248	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	lAMPjxy.exe
PID 1776 wrote to memory of 4248	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	lAMPjxy.exe
PID 1776 wrote to memory of 1512	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	AgjCBBK.exe
PID 1776 wrote to memory of 1512	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	AgjCBBK.exe
PID 1776 wrote to memory of 952	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	KqmOHIU.exe
PID 1776 wrote to memory of 952	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	KqmOHIU.exe
PID 1776 wrote to memory of 4564	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	YgtxuGw.exe
PID 1776 wrote to memory of 4564	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	YgtxuGw.exe
PID 1776 wrote to memory of 1628	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	FCrUugj.exe
PID 1776 wrote to memory of 1628	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	FCrUugj.exe
PID 1776 wrote to memory of 1988	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	NKNSswo.exe
PID 1776 wrote to memory of 1988	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	NKNSswo.exe
PID 1776 wrote to memory of 3552	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	SUHzpCi.exe
PID 1776 wrote to memory of 3552	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	SUHzpCi.exe
PID 1776 wrote to memory of 100	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	IalUBts.exe
PID 1776 wrote to memory of 100	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	IalUBts.exe
PID 1776 wrote to memory of 2384	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	llAXcoV.exe
PID 1776 wrote to memory of 2384	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	llAXcoV.exe
PID 1776 wrote to memory of 4360	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	GxSgUpG.exe
PID 1776 wrote to memory of 4360	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	GxSgUpG.exe
PID 1776 wrote to memory of 5044	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	HkAgBrH.exe
PID 1776 wrote to memory of 5044	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	HkAgBrH.exe
PID 1776 wrote to memory of 2428	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	nrFslvk.exe
PID 1776 wrote to memory of 2428	1776	20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe	nrFslvk.exe

C:\Users\Admin\AppData\Local\Temp\20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\20240520efe30ff2f84fbab3245b804f15f756d9cobaltstrikecobaltstrike_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\System\pNXOuVL.exe
C:\Windows\System\pNXOuVL.exe
2⤵
- Executes dropped EXE
PID:3616

C:\Windows\System\XxnHVmZ.exe
C:\Windows\System\XxnHVmZ.exe
2⤵
- Executes dropped EXE
PID:316

C:\Windows\System\ecyaOzf.exe
C:\Windows\System\ecyaOzf.exe
2⤵
- Executes dropped EXE
PID:2276

C:\Windows\System\TSMvzOq.exe
C:\Windows\System\TSMvzOq.exe
2⤵
- Executes dropped EXE
PID:2900

C:\Windows\System\rmCUaEC.exe
C:\Windows\System\rmCUaEC.exe
2⤵
- Executes dropped EXE
PID:2112

C:\Windows\System\FbLtIuL.exe
C:\Windows\System\FbLtIuL.exe
2⤵
- Executes dropped EXE
PID:3244

C:\Windows\System\yGTASWH.exe
C:\Windows\System\yGTASWH.exe
2⤵
- Executes dropped EXE
PID:1472

C:\Windows\System\ajalKIW.exe
C:\Windows\System\ajalKIW.exe
2⤵
- Executes dropped EXE
PID:244

C:\Windows\System\QZjenyZ.exe
C:\Windows\System\QZjenyZ.exe
2⤵
- Executes dropped EXE
PID:1644

C:\Windows\System\lAMPjxy.exe
C:\Windows\System\lAMPjxy.exe
2⤵
- Executes dropped EXE
PID:4248

C:\Windows\System\AgjCBBK.exe
C:\Windows\System\AgjCBBK.exe
2⤵
- Executes dropped EXE
PID:1512

C:\Windows\System\KqmOHIU.exe
C:\Windows\System\KqmOHIU.exe
2⤵
- Executes dropped EXE
PID:952

C:\Windows\System\YgtxuGw.exe
C:\Windows\System\YgtxuGw.exe
2⤵
- Executes dropped EXE
PID:4564

C:\Windows\System\FCrUugj.exe
C:\Windows\System\FCrUugj.exe
2⤵
- Executes dropped EXE
PID:1628

C:\Windows\System\NKNSswo.exe
C:\Windows\System\NKNSswo.exe
2⤵
- Executes dropped EXE
PID:1988

C:\Windows\System\SUHzpCi.exe
C:\Windows\System\SUHzpCi.exe
2⤵
- Executes dropped EXE
PID:3552

C:\Windows\System\IalUBts.exe
C:\Windows\System\IalUBts.exe
2⤵
- Executes dropped EXE
PID:100

C:\Windows\System\llAXcoV.exe
C:\Windows\System\llAXcoV.exe
2⤵
- Executes dropped EXE
PID:2384

C:\Windows\System\GxSgUpG.exe
C:\Windows\System\GxSgUpG.exe
2⤵
- Executes dropped EXE
PID:4360

C:\Windows\System\HkAgBrH.exe
C:\Windows\System\HkAgBrH.exe
2⤵
- Executes dropped EXE
PID:5044

C:\Windows\System\nrFslvk.exe
C:\Windows\System\nrFslvk.exe
2⤵
- Executes dropped EXE
PID:2428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AgjCBBK.exe
Filesize
5.2MB

MD5
c90a47ba4b8b929eb202f84eef87b07d

SHA1
9cc09ee0fafb3d3e9cf3b73f3d2a3b3b7f724e9a

SHA256
5637a06a2fe6e500bd74633936c8802da191ffea33ea889708c07ebd3742e2f3

SHA512
1812c1470eeb54e161ac5a670fec63719b5e73cd74b2bcb32c6d70e6e41f41f47477fab70782a512206310085e093ae91c898e6323c4fb520ffd5472d9f3c0d5

Download Submit
C:\Windows\System\FCrUugj.exe
Filesize
5.2MB

MD5
c7da7a4a2fa9cd329083971879f2adf6

SHA1
27d1a6ec614bca3121879826529239a4418738ff

SHA256
29728829f0661f2615eda22b930309dc6c97e1c379488e434c9a87bbaf9df1fe

SHA512
e32da978814cc401054845cb1cf01139616848d02799137b80733403633332f855d2c00714711aac4d1ddf7fbf3d1a9562258f6e7e8c091afdb41c109d012c68

Download Submit
C:\Windows\System\FbLtIuL.exe
Filesize
5.2MB

MD5
63194d30856605d5eb39953511512784

SHA1
ab7999ed79d1302ead232f5d10395e3ec85ea8c8

SHA256
90279e78c23a97cceda6b91c14e905ee79fd0942665cb853cdbe3249d3a0b0c3

SHA512
f04ce22acecaaa37e88916912f047fbc2c0f5ac0c4314a187928f91241b46d27f19d9b843b2a2e68e729f226dc7a8b49f2a33523e701a89037fe81efc4e8230b

Download Submit
C:\Windows\System\GxSgUpG.exe
Filesize
5.2MB

MD5
4119df558e048d653b4482cfdfdcf67d

SHA1
c9b282805ae70c3deffbc166164bd069b42818a8

SHA256
ebf475e68073ca77b8a7b47b023e403e28cc47a014a2592187783a85427ac4a4

SHA512
55b0de1dd29cc35afe6df9a58faa687bd3ce9523e90b2a322e6ffda580070858cd40a931628bc7067d7604a34488ec323591acacca347778865f4b3465186268

Download Submit
C:\Windows\System\HkAgBrH.exe
Filesize
5.2MB

MD5
fe29a58812140f452934181584bfba45

SHA1
6c07c656fc96040e641269292839b31ecd96a495

SHA256
b15a6b31d2248ed75329ea351c1add856eff83663c29f2007b0f3199c54afa8e

SHA512
1bc893fe40e8747ae4336f02129aee930c339dbdc528f047658f292096db970e0b276882b1e68f6ff6cb299154e09175fa4431ce6af7965118b025e58a997a1a

Download Submit
C:\Windows\System\IalUBts.exe
Filesize
5.2MB

MD5
f3d8ace7704a0969e56695aa6e7cdbff

SHA1
7915f45ec5eec5c71bd19e55f7f2e9b67fbca9d9

SHA256
04eb0aab029c3143a21f5c4696d2a5fe7666cbf4991ae4f4f22da48d92c8d38c

SHA512
4687b438e3f0afbd6dbf176f869040da1536d81d98d5544d38656d53f781b08f14da83f9c0382c37d02f0e1f88608435ce635e06171b41a4e6bc2e048d479321

Download Submit
C:\Windows\System\KqmOHIU.exe
Filesize
5.2MB

MD5
1c4b134a3ab2ad283095680d02e1bd94

SHA1
3340500a14c21d4db5ed7c00de06ab96dabf9418

SHA256
8b895d4aa9da9a436d5f794789cf1d7712a0809aa6072a88457cd6e0f1595dcf

SHA512
98f5ccf6aaebc0205d375f90f59266270a00220a98b438d90e7a8bc6a76e36651b4a796f4dcc70d053ecb0691a7c0f633a3257091c817e87b4c8dbb414b419f5

Download Submit
C:\Windows\System\NKNSswo.exe
Filesize
5.2MB

MD5
14835e224c45a2262d719f4b9ee681fd

SHA1
fea78c54d1c4b02ce7023acceb4a759988f4b843

SHA256
ac1501d25a5ac8a46160e8c0b1628c31cfe0ad4e46aa882aea10d2403eda6cb8

SHA512
1634df7cfa0183e9f002bb3ad9c46830f6631005fa477ec08699a5046d8426525f0b35dcc3c8ec2e00d2d994a57c365ac1934488c2b3050ef9f4bb224b1b3eba

Download Submit
C:\Windows\System\QZjenyZ.exe
Filesize
5.2MB

MD5
d2e1ef0e3239eba38cf5014000048e8a

SHA1
c21d4ab45ddddbf48b8727d1c98740f2688d22b2

SHA256
ebcb471ef74d424e95af44c6d150cf76ef963aeb527cbea4558d8b26889a9882

SHA512
a2e23a3461b18d657b31cd61b28d1687217eb2399e18ec9948d1e914840b94ead387a6d0b9d6d5e126b81397d26eff4c704462a58c70a13aec2933956393a6bf

Download Submit
C:\Windows\System\SUHzpCi.exe
Filesize
5.2MB

MD5
b426e7c7ac4406ec81b36fe9e6c731f3

SHA1
412c7af9903b082c425bb440be9b91c11b910d6e

SHA256
57876d0293593c3a3a84e836aa7d4c549c7730c815319ade38d135e08d7d069e

SHA512
e9b884ba26ee51b2cb3ecd87cc21a40a0436348d7a2089d6f92dadcf551ebb49ac1f28618ca70b694f5bbd3a8f26e871c2f3e2193cd6fe2f246431f8698f743b

Download Submit
C:\Windows\System\TSMvzOq.exe
Filesize
5.2MB

MD5
7c6fba28cba76ec7f0093d06d617de50

SHA1
c6363c557abcca0d3ad6d528f5c6009ae629b618

SHA256
d5375eaa8992a1cf446d9a52b21c44f31e5fe6c2033e449643b5c86e6c739454

SHA512
4b37571c2ad68a1dc55607963845d4b64b35cd5344c055564482b53d20cdf7f019d332d8bb8010d12f414218276a2d14627e5386112b9e0443481e8b67a421ea

Download Submit
C:\Windows\System\XxnHVmZ.exe
Filesize
5.2MB

MD5
ce15368bce63a8929c7a0d4f7c2a0445

SHA1
9725b31caf6cba183dfaf42f67e12f4dbd9a9aec

SHA256
fb828b169f40992ff8924f2d35f3548aa24b49fafc42ddfb1b073cc7635117a1

SHA512
c54f7b81a5c6ef4cf654e4d3c0c5648068cd03cc00d459d61174cb77da867c6fb05921b121545be90c45b2bc05efdee703e3dc3a3ee3505462421e75a52ce754

Download Submit
C:\Windows\System\YgtxuGw.exe
Filesize
5.2MB

MD5
0abead406c38898c27b6d1feaec9f38c

SHA1
3a26f8c22c03f9f5ad8fa31fb81b4015aeaf276b

SHA256
1bf5ccbb4ad38f0f3fcd84d7a1bbdcc6ec6d726afafdd3f58215b79709c6d7e7

SHA512
14f6ea9b4c1bfb3e180bbed6ef44a52cfb24951cd6ec9edd568ac9fbcd3827b99c069761d0884d519e2dc60c45be67c641a787064a7fe59a53c80b1db3c59928

Download Submit
C:\Windows\System\ajalKIW.exe
Filesize
5.2MB

MD5
08eaa0ad1d785fd1cb159dbe1a5de100

SHA1
489aa81655d0896923f666f27cc9de5a94ad5bd1

SHA256
3698bb728fefcbbc6a35af13dbd608d405c399af07e4c681294b1ef7353ed938

SHA512
92f1a6ffe222cdf63ba283b4368eb903815d2e12451a269d15175a6aa41c061490c1d97bc24f9f15776729c2d90b4364e52b7d7d59bd6800178b09e930eebbff

Download Submit
C:\Windows\System\ecyaOzf.exe
Filesize
5.2MB

MD5
5e5883510c9ddc27019cee831b87d675

SHA1
4f6cb8027b10ddcf3a0a6d26a1a78fdc91328d73

SHA256
fff9c99fe9f534201822cbf07d36a8cd3668406adcb6bfa9d5a040b27f6412fc

SHA512
05f17555ce35c3db4f020616dda4859635358e19736f610416d589f278ca38a2b2b0fbc1106dd9f43f0329a84d05dc96479148e1eb2a6d0ecbac17808deb461b

Download Submit
C:\Windows\System\lAMPjxy.exe
Filesize
5.2MB

MD5
e281011e5a4fc0f35797050da80b4b2e

SHA1
927832458adf6ee31db45d74ef92b82287a7f9fb

SHA256
8ca118852db9a54d0281a345a0d6bfc0da6dfb9322c71fdb3b03bf816e3a3a7d

SHA512
e74aae88d4c64b7ad2154029b8397bee4d4be574e952b5125f3f49bbd14631e70f4215276811ba516a0b801452e6c4b008cbd34c440fe318d032dbf01062b114

Download Submit
C:\Windows\System\llAXcoV.exe
Filesize
5.2MB

MD5
f6baf8cac3a69b332730dcab24b24674

SHA1
e083d0b6d7dddf68b6a7aef3f03cba8624e66d39

SHA256
2500af046ee7fd3d99391829e3d8d39942a75d3c413a38fc7675fc775ba93c0d

SHA512
a100d2c4457f1295a896982ed38144d0428829446f9feeb69718c410dd6448acfa3d0db81b4ed9732155851d9329e379ecc57b731f39f8f30c1b707b1b99d49e

Download Submit
C:\Windows\System\nrFslvk.exe
Filesize
5.2MB

MD5
7f8916ba168f8be133b224f12ceb5090

SHA1
db4a3e6f289b10aaeacb349c282ef09599cefe42

SHA256
44db04098be68dee147658f631c5e8c06acc24937bd4beed83c3bf38c1bc251e

SHA512
3cc9c81a0760ae1508d824d9580351c4704913c83aab9bec9613e57697524f696d88af5612842e88cab23afc6281c0a32af62b6ba17d28313fd4ab1df7eb2f21

Download Submit
C:\Windows\System\pNXOuVL.exe
Filesize
5.2MB

MD5
ced99d5aaaa62848c361d7397fd7f168

SHA1
978bb3152ba976792c90c3cfbcc2cd57e4ae93f2

SHA256
3f8e7d63f8dbf348bb360f76abaca013841adcd8ff191fe7853f4653944c0ea9

SHA512
ac683ee1ffa83a55497756ab21625074ead3dc562392a32ea271d7ab2128a9cba07a3d1d45cb65170b5b63e5e60da005eb9abdfd9854a767ce077785f9e091ca

Download Submit
C:\Windows\System\rmCUaEC.exe
Filesize
5.2MB

MD5
e4dde6db923f9b949b2f4b3ae46531d8

SHA1
151c12dca4fe46aa682e014a100d20fa62cfe993

SHA256
87cd82ab47a44aa977973c10f589b0c49eef1edb86641da503a93489fc7b0d04

SHA512
8e40412d4da506183852e0924334adc89212af8d3e5aaa1db85f857c00965c48990488d1803c5768fb29d6682c93efcf98599da2d22938a4aa83165719539077

Download Submit
C:\Windows\System\yGTASWH.exe
Filesize
5.2MB

MD5
605b973f2a0701a25a26f16ec3e0d352

SHA1
f5f5c493d9a5c6d19dc7fc009dcc86a5e93b749a

SHA256
8fd8243aaacbb0828adb73b55f78be0251434d4e2ee086785972c61777ba9aad

SHA512
5a7b23591e4aa1fe562a9a2f135c2557e4058fbc0dcc05a516072c47f7b8760e5d2ea4cc5e55b23ea2ef80bdabebdb551d07fe9fe31763ea18983a566374f055

Download Submit
memory/100-253-0x00007FF6C5E30000-0x00007FF6C6181000-memory.dmp

Filesize
3.3MB

Download
memory/100-102-0x00007FF6C5E30000-0x00007FF6C6181000-memory.dmp

Filesize
3.3MB

Download
memory/100-148-0x00007FF6C5E30000-0x00007FF6C6181000-memory.dmp

Filesize
3.3MB

Download
memory/244-68-0x00007FF6FDAC0000-0x00007FF6FDE11000-memory.dmp

Filesize
3.3MB

Download
memory/244-229-0x00007FF6FDAC0000-0x00007FF6FDE11000-memory.dmp

Filesize
3.3MB

Download
memory/316-200-0x00007FF794040000-0x00007FF794391000-memory.dmp

Filesize
3.3MB

Download
memory/316-132-0x00007FF794040000-0x00007FF794391000-memory.dmp

Filesize
3.3MB

Download
memory/316-12-0x00007FF794040000-0x00007FF794391000-memory.dmp

Filesize
3.3MB

Download
memory/952-106-0x00007FF70FC50000-0x00007FF70FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/952-237-0x00007FF70FC50000-0x00007FF70FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/1472-225-0x00007FF6FECA0000-0x00007FF6FEFF1000-memory.dmp

Filesize
3.3MB

Download
memory/1472-51-0x00007FF6FECA0000-0x00007FF6FEFF1000-memory.dmp

Filesize
3.3MB

Download
memory/1512-142-0x00007FF7F4F50000-0x00007FF7F52A1000-memory.dmp

Filesize
3.3MB

Download
memory/1512-235-0x00007FF7F4F50000-0x00007FF7F52A1000-memory.dmp

Filesize
3.3MB

Download
memory/1512-62-0x00007FF7F4F50000-0x00007FF7F52A1000-memory.dmp

Filesize
3.3MB

Download
memory/1628-85-0x00007FF7433D0000-0x00007FF743721000-memory.dmp

Filesize
3.3MB

Download
memory/1628-145-0x00007FF7433D0000-0x00007FF743721000-memory.dmp

Filesize
3.3MB

Download
memory/1628-241-0x00007FF7433D0000-0x00007FF743721000-memory.dmp

Filesize
3.3MB

Download
memory/1644-140-0x00007FF7D3440000-0x00007FF7D3791000-memory.dmp

Filesize
3.3MB

Download
memory/1644-231-0x00007FF7D3440000-0x00007FF7D3791000-memory.dmp

Filesize
3.3MB

Download
memory/1644-59-0x00007FF7D3440000-0x00007FF7D3791000-memory.dmp

Filesize
3.3MB

Download
memory/1776-0-0x00007FF63EF70000-0x00007FF63F2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1776-153-0x00007FF63EF70000-0x00007FF63F2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1776-127-0x00007FF63EF70000-0x00007FF63F2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1776-130-0x00007FF63EF70000-0x00007FF63F2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1776-1-0x0000023FE02C0000-0x0000023FE02D0000-memory.dmp

Filesize
64KB

Download
memory/1988-239-0x00007FF642210000-0x00007FF642561000-memory.dmp

Filesize
3.3MB

Download
memory/1988-94-0x00007FF642210000-0x00007FF642561000-memory.dmp

Filesize
3.3MB

Download
memory/1988-146-0x00007FF642210000-0x00007FF642561000-memory.dmp

Filesize
3.3MB

Download
memory/2112-37-0x00007FF6E9890000-0x00007FF6E9BE1000-memory.dmp

Filesize
3.3MB

Download
memory/2112-136-0x00007FF6E9890000-0x00007FF6E9BE1000-memory.dmp

Filesize
3.3MB

Download
memory/2112-223-0x00007FF6E9890000-0x00007FF6E9BE1000-memory.dmp

Filesize
3.3MB

Download
memory/2276-202-0x00007FF614F60000-0x00007FF6152B1000-memory.dmp

Filesize
3.3MB

Download
memory/2276-20-0x00007FF614F60000-0x00007FF6152B1000-memory.dmp

Filesize
3.3MB

Download
memory/2384-117-0x00007FF7E7E00000-0x00007FF7E8151000-memory.dmp

Filesize
3.3MB

Download
memory/2384-247-0x00007FF7E7E00000-0x00007FF7E8151000-memory.dmp

Filesize
3.3MB

Download
memory/2428-126-0x00007FF774510000-0x00007FF774861000-memory.dmp

Filesize
3.3MB

Download
memory/2428-255-0x00007FF774510000-0x00007FF774861000-memory.dmp

Filesize
3.3MB

Download
memory/2900-221-0x00007FF76C1A0000-0x00007FF76C4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2900-135-0x00007FF76C1A0000-0x00007FF76C4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2900-28-0x00007FF76C1A0000-0x00007FF76C4F1000-memory.dmp

Filesize
3.3MB

Download
memory/3244-227-0x00007FF7C8130000-0x00007FF7C8481000-memory.dmp

Filesize
3.3MB

Download
memory/3244-43-0x00007FF7C8130000-0x00007FF7C8481000-memory.dmp

Filesize
3.3MB

Download
memory/3244-137-0x00007FF7C8130000-0x00007FF7C8481000-memory.dmp

Filesize
3.3MB

Download
memory/3552-114-0x00007FF721630000-0x00007FF721981000-memory.dmp

Filesize
3.3MB

Download
memory/3552-243-0x00007FF721630000-0x00007FF721981000-memory.dmp

Filesize
3.3MB

Download
memory/3616-198-0x00007FF6C2DE0000-0x00007FF6C3131000-memory.dmp

Filesize
3.3MB

Download
memory/3616-129-0x00007FF6C2DE0000-0x00007FF6C3131000-memory.dmp

Filesize
3.3MB

Download
memory/3616-8-0x00007FF6C2DE0000-0x00007FF6C3131000-memory.dmp

Filesize
3.3MB

Download
memory/4248-233-0x00007FF7F8BA0000-0x00007FF7F8EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4248-74-0x00007FF7F8BA0000-0x00007FF7F8EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4360-128-0x00007FF7EE180000-0x00007FF7EE4D1000-memory.dmp

Filesize
3.3MB

Download
memory/4360-251-0x00007FF7EE180000-0x00007FF7EE4D1000-memory.dmp

Filesize
3.3MB

Download
memory/4564-113-0x00007FF6ED1E0000-0x00007FF6ED531000-memory.dmp

Filesize
3.3MB

Download
memory/4564-245-0x00007FF6ED1E0000-0x00007FF6ED531000-memory.dmp

Filesize
3.3MB

Download
memory/4564-144-0x00007FF6ED1E0000-0x00007FF6ED531000-memory.dmp

Filesize
3.3MB

Download
memory/5044-151-0x00007FF62E770000-0x00007FF62EAC1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-125-0x00007FF62E770000-0x00007FF62EAC1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-249-0x00007FF62E770000-0x00007FF62EAC1000-memory.dmp

Filesize
3.3MB

Download