cobaltstrike | bcd5d71d1793a073dfe7d870bf5cba657ea82d5076346f5e1afa64f54512b5af

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
Size

5.2MB
MD5

26c7c01d881e5043932b5f8eda89971b
SHA1

0ef328fbb328730c56b31f39f5bfd2272029aeb9
SHA256

bcd5d71d1793a073dfe7d870bf5cba657ea82d5076346f5e1afa64f54512b5af
SHA512

60852d342f1acf9ccd53af1574376ffd3330e56051b16924cf5fa225264454a47abfeb728036d22e11540e666fcd4194b7a5e100522bfd316d69fd4549ca3856
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lW:RWWBibf56utgpPFotBER/mQ32lUK

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\AKZhbcw.exe	cobalt_reflective_dll
C:\Windows\System\JzEPsnS.exe	cobalt_reflective_dll
C:\Windows\System\GrCdPJC.exe	cobalt_reflective_dll
C:\Windows\System\mvYESGl.exe	cobalt_reflective_dll
C:\Windows\System\kTFbavs.exe	cobalt_reflective_dll
C:\Windows\System\WtsmntZ.exe	cobalt_reflective_dll
C:\Windows\System\jGSWYLN.exe	cobalt_reflective_dll
C:\Windows\System\ZmeIkek.exe	cobalt_reflective_dll
C:\Windows\System\vDWbiSr.exe	cobalt_reflective_dll
C:\Windows\System\rfKpihE.exe	cobalt_reflective_dll
C:\Windows\System\iEtKbwY.exe	cobalt_reflective_dll
C:\Windows\System\SCBMzJi.exe	cobalt_reflective_dll
C:\Windows\System\QvkmOTf.exe	cobalt_reflective_dll
C:\Windows\System\rscVpIv.exe	cobalt_reflective_dll
C:\Windows\System\WEMWRhJ.exe	cobalt_reflective_dll
C:\Windows\System\xEfrhIx.exe	cobalt_reflective_dll
C:\Windows\System\xRBtTmc.exe	cobalt_reflective_dll
C:\Windows\System\gKHViPJ.exe	cobalt_reflective_dll
C:\Windows\System\vJKfsqW.exe	cobalt_reflective_dll
C:\Windows\System\WJQoMCg.exe	cobalt_reflective_dll
C:\Windows\System\tSmkTKR.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4328-9-0x00007FF6A3E80000-0x00007FF6A41D1000-memory.dmp	xmrig
behavioral2/memory/2916-26-0x00007FF78F070000-0x00007FF78F3C1000-memory.dmp	xmrig
behavioral2/memory/2604-101-0x00007FF6FB5A0000-0x00007FF6FB8F1000-memory.dmp	xmrig
behavioral2/memory/1548-104-0x00007FF626300000-0x00007FF626651000-memory.dmp	xmrig
behavioral2/memory/4856-103-0x00007FF6394A0000-0x00007FF6397F1000-memory.dmp	xmrig
behavioral2/memory/4720-102-0x00007FF781A10000-0x00007FF781D61000-memory.dmp	xmrig
behavioral2/memory/4724-95-0x00007FF65E140000-0x00007FF65E491000-memory.dmp	xmrig
behavioral2/memory/4956-94-0x00007FF67BFA0000-0x00007FF67C2F1000-memory.dmp	xmrig
behavioral2/memory/2136-90-0x00007FF6232F0000-0x00007FF623641000-memory.dmp	xmrig
behavioral2/memory/4328-109-0x00007FF6A3E80000-0x00007FF6A41D1000-memory.dmp	xmrig
behavioral2/memory/2600-111-0x00007FF605940000-0x00007FF605C91000-memory.dmp	xmrig
behavioral2/memory/4432-121-0x00007FF7B3180000-0x00007FF7B34D1000-memory.dmp	xmrig
behavioral2/memory/752-131-0x00007FF784A70000-0x00007FF784DC1000-memory.dmp	xmrig
behavioral2/memory/5104-110-0x00007FF7F5D10000-0x00007FF7F6061000-memory.dmp	xmrig
behavioral2/memory/3692-108-0x00007FF7FBEC0000-0x00007FF7FC211000-memory.dmp	xmrig
behavioral2/memory/1032-113-0x00007FF6C7EB0000-0x00007FF6C8201000-memory.dmp	xmrig
behavioral2/memory/3184-134-0x00007FF684BC0000-0x00007FF684F11000-memory.dmp	xmrig
behavioral2/memory/3732-135-0x00007FF71FB70000-0x00007FF71FEC1000-memory.dmp	xmrig
behavioral2/memory/2364-140-0x00007FF706F50000-0x00007FF7072A1000-memory.dmp	xmrig
behavioral2/memory/2484-145-0x00007FF75C980000-0x00007FF75CCD1000-memory.dmp	xmrig
behavioral2/memory/5028-136-0x00007FF682FF0000-0x00007FF683341000-memory.dmp	xmrig
behavioral2/memory/3692-147-0x00007FF7FBEC0000-0x00007FF7FC211000-memory.dmp	xmrig
behavioral2/memory/1192-155-0x00007FF70F130000-0x00007FF70F481000-memory.dmp	xmrig
behavioral2/memory/2792-157-0x00007FF630400000-0x00007FF630751000-memory.dmp	xmrig
behavioral2/memory/3692-169-0x00007FF7FBEC0000-0x00007FF7FC211000-memory.dmp	xmrig
behavioral2/memory/4328-197-0x00007FF6A3E80000-0x00007FF6A41D1000-memory.dmp	xmrig
behavioral2/memory/5104-199-0x00007FF7F5D10000-0x00007FF7F6061000-memory.dmp	xmrig
behavioral2/memory/2600-201-0x00007FF605940000-0x00007FF605C91000-memory.dmp	xmrig
behavioral2/memory/2916-203-0x00007FF78F070000-0x00007FF78F3C1000-memory.dmp	xmrig
behavioral2/memory/1032-209-0x00007FF6C7EB0000-0x00007FF6C8201000-memory.dmp	xmrig
behavioral2/memory/3184-211-0x00007FF684BC0000-0x00007FF684F11000-memory.dmp	xmrig
behavioral2/memory/3732-213-0x00007FF71FB70000-0x00007FF71FEC1000-memory.dmp	xmrig
behavioral2/memory/5028-215-0x00007FF682FF0000-0x00007FF683341000-memory.dmp	xmrig
behavioral2/memory/2604-217-0x00007FF6FB5A0000-0x00007FF6FB8F1000-memory.dmp	xmrig
behavioral2/memory/4956-220-0x00007FF67BFA0000-0x00007FF67C2F1000-memory.dmp	xmrig
behavioral2/memory/2364-223-0x00007FF706F50000-0x00007FF7072A1000-memory.dmp	xmrig
behavioral2/memory/2136-225-0x00007FF6232F0000-0x00007FF623641000-memory.dmp	xmrig
behavioral2/memory/4720-222-0x00007FF781A10000-0x00007FF781D61000-memory.dmp	xmrig
behavioral2/memory/4724-228-0x00007FF65E140000-0x00007FF65E491000-memory.dmp	xmrig
behavioral2/memory/1548-232-0x00007FF626300000-0x00007FF626651000-memory.dmp	xmrig
behavioral2/memory/4856-233-0x00007FF6394A0000-0x00007FF6397F1000-memory.dmp	xmrig
behavioral2/memory/2484-230-0x00007FF75C980000-0x00007FF75CCD1000-memory.dmp	xmrig
behavioral2/memory/4432-237-0x00007FF7B3180000-0x00007FF7B34D1000-memory.dmp	xmrig
behavioral2/memory/752-239-0x00007FF784A70000-0x00007FF784DC1000-memory.dmp	xmrig
behavioral2/memory/1192-241-0x00007FF70F130000-0x00007FF70F481000-memory.dmp	xmrig
behavioral2/memory/2792-243-0x00007FF630400000-0x00007FF630751000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

AKZhbcw.exemvYESGl.exeJzEPsnS.exeGrCdPJC.exekTFbavs.exeWtsmntZ.exejGSWYLN.exeZmeIkek.exexRBtTmc.exevDWbiSr.exexEfrhIx.exeiEtKbwY.exerfKpihE.exeSCBMzJi.exeWEMWRhJ.exeQvkmOTf.exerscVpIv.exetSmkTKR.exegKHViPJ.exeWJQoMCg.exevJKfsqW.exe

pid	process
4328	AKZhbcw.exe
5104	mvYESGl.exe
2600	JzEPsnS.exe
2916	GrCdPJC.exe
1032	kTFbavs.exe
3184	WtsmntZ.exe
3732	jGSWYLN.exe
5028	ZmeIkek.exe
2604	xRBtTmc.exe
4720	vDWbiSr.exe
2364	xEfrhIx.exe
2136	iEtKbwY.exe
4956	rfKpihE.exe
4856	SCBMzJi.exe
4724	WEMWRhJ.exe
1548	QvkmOTf.exe
2484	rscVpIv.exe
4432	tSmkTKR.exe
1192	gKHViPJ.exe
752	WJQoMCg.exe
2792	vJKfsqW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3692-0-0x00007FF7FBEC0000-0x00007FF7FC211000-memory.dmp	upx
C:\Windows\System\AKZhbcw.exe	upx
behavioral2/memory/2600-18-0x00007FF605940000-0x00007FF605C91000-memory.dmp	upx
C:\Windows\System\JzEPsnS.exe	upx
C:\Windows\System\GrCdPJC.exe	upx
C:\Windows\System\mvYESGl.exe	upx
behavioral2/memory/5104-15-0x00007FF7F5D10000-0x00007FF7F6061000-memory.dmp	upx
behavioral2/memory/4328-9-0x00007FF6A3E80000-0x00007FF6A41D1000-memory.dmp	upx
behavioral2/memory/2916-26-0x00007FF78F070000-0x00007FF78F3C1000-memory.dmp	upx
C:\Windows\System\kTFbavs.exe	upx
C:\Windows\System\WtsmntZ.exe	upx
C:\Windows\System\jGSWYLN.exe	upx
behavioral2/memory/3732-43-0x00007FF71FB70000-0x00007FF71FEC1000-memory.dmp	upx
C:\Windows\System\ZmeIkek.exe	upx
behavioral2/memory/1032-38-0x00007FF6C7EB0000-0x00007FF6C8201000-memory.dmp	upx
behavioral2/memory/3184-54-0x00007FF684BC0000-0x00007FF684F11000-memory.dmp	upx
C:\Windows\System\vDWbiSr.exe	upx
C:\Windows\System\rfKpihE.exe	upx
C:\Windows\System\iEtKbwY.exe	upx
behavioral2/memory/5028-69-0x00007FF682FF0000-0x00007FF683341000-memory.dmp	upx
C:\Windows\System\SCBMzJi.exe	upx
C:\Windows\System\QvkmOTf.exe	upx
behavioral2/memory/2604-101-0x00007FF6FB5A0000-0x00007FF6FB8F1000-memory.dmp	upx
behavioral2/memory/1548-104-0x00007FF626300000-0x00007FF626651000-memory.dmp	upx
behavioral2/memory/4856-103-0x00007FF6394A0000-0x00007FF6397F1000-memory.dmp	upx
behavioral2/memory/4720-102-0x00007FF781A10000-0x00007FF781D61000-memory.dmp	upx
C:\Windows\System\rscVpIv.exe	upx
behavioral2/memory/2484-98-0x00007FF75C980000-0x00007FF75CCD1000-memory.dmp	upx
behavioral2/memory/4724-95-0x00007FF65E140000-0x00007FF65E491000-memory.dmp	upx
behavioral2/memory/4956-94-0x00007FF67BFA0000-0x00007FF67C2F1000-memory.dmp	upx
behavioral2/memory/2136-90-0x00007FF6232F0000-0x00007FF623641000-memory.dmp	upx
C:\Windows\System\WEMWRhJ.exe	upx
behavioral2/memory/2364-76-0x00007FF706F50000-0x00007FF7072A1000-memory.dmp	upx
C:\Windows\System\xEfrhIx.exe	upx
C:\Windows\System\xRBtTmc.exe	upx
behavioral2/memory/4328-109-0x00007FF6A3E80000-0x00007FF6A41D1000-memory.dmp	upx
behavioral2/memory/2600-111-0x00007FF605940000-0x00007FF605C91000-memory.dmp	upx
C:\Windows\System\gKHViPJ.exe	upx
behavioral2/memory/4432-121-0x00007FF7B3180000-0x00007FF7B34D1000-memory.dmp	upx
C:\Windows\System\vJKfsqW.exe	upx
behavioral2/memory/2792-127-0x00007FF630400000-0x00007FF630751000-memory.dmp	upx
C:\Windows\System\WJQoMCg.exe	upx
behavioral2/memory/752-131-0x00007FF784A70000-0x00007FF784DC1000-memory.dmp	upx
behavioral2/memory/1192-122-0x00007FF70F130000-0x00007FF70F481000-memory.dmp	upx
C:\Windows\System\tSmkTKR.exe	upx
behavioral2/memory/5104-110-0x00007FF7F5D10000-0x00007FF7F6061000-memory.dmp	upx
behavioral2/memory/3692-108-0x00007FF7FBEC0000-0x00007FF7FC211000-memory.dmp	upx
behavioral2/memory/1032-113-0x00007FF6C7EB0000-0x00007FF6C8201000-memory.dmp	upx
behavioral2/memory/3184-134-0x00007FF684BC0000-0x00007FF684F11000-memory.dmp	upx
behavioral2/memory/3732-135-0x00007FF71FB70000-0x00007FF71FEC1000-memory.dmp	upx
behavioral2/memory/2364-140-0x00007FF706F50000-0x00007FF7072A1000-memory.dmp	upx
behavioral2/memory/2484-145-0x00007FF75C980000-0x00007FF75CCD1000-memory.dmp	upx
behavioral2/memory/5028-136-0x00007FF682FF0000-0x00007FF683341000-memory.dmp	upx
behavioral2/memory/3692-147-0x00007FF7FBEC0000-0x00007FF7FC211000-memory.dmp	upx
behavioral2/memory/1192-155-0x00007FF70F130000-0x00007FF70F481000-memory.dmp	upx
behavioral2/memory/2792-157-0x00007FF630400000-0x00007FF630751000-memory.dmp	upx
behavioral2/memory/3692-169-0x00007FF7FBEC0000-0x00007FF7FC211000-memory.dmp	upx
behavioral2/memory/4328-197-0x00007FF6A3E80000-0x00007FF6A41D1000-memory.dmp	upx
behavioral2/memory/5104-199-0x00007FF7F5D10000-0x00007FF7F6061000-memory.dmp	upx
behavioral2/memory/2600-201-0x00007FF605940000-0x00007FF605C91000-memory.dmp	upx
behavioral2/memory/2916-203-0x00007FF78F070000-0x00007FF78F3C1000-memory.dmp	upx
behavioral2/memory/1032-209-0x00007FF6C7EB0000-0x00007FF6C8201000-memory.dmp	upx
behavioral2/memory/3184-211-0x00007FF684BC0000-0x00007FF684F11000-memory.dmp	upx
behavioral2/memory/3732-213-0x00007FF71FB70000-0x00007FF71FEC1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\kTFbavs.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\xRBtTmc.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\tSmkTKR.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\vDWbiSr.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\rfKpihE.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\SCBMzJi.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\QvkmOTf.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\mvYESGl.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\jGSWYLN.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\iEtKbwY.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\xEfrhIx.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\rscVpIv.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\AKZhbcw.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\GrCdPJC.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\WtsmntZ.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\gKHViPJ.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\WJQoMCg.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\vJKfsqW.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\JzEPsnS.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\ZmeIkek.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\WEMWRhJ.exe	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process
Token: SeLockMemoryPrivilege	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process	target process
PID 3692 wrote to memory of 4328	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	AKZhbcw.exe
PID 3692 wrote to memory of 4328	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	AKZhbcw.exe
PID 3692 wrote to memory of 5104	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	mvYESGl.exe
PID 3692 wrote to memory of 5104	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	mvYESGl.exe
PID 3692 wrote to memory of 2600	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	JzEPsnS.exe
PID 3692 wrote to memory of 2600	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	JzEPsnS.exe
PID 3692 wrote to memory of 2916	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	GrCdPJC.exe
PID 3692 wrote to memory of 2916	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	GrCdPJC.exe
PID 3692 wrote to memory of 1032	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	kTFbavs.exe
PID 3692 wrote to memory of 1032	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	kTFbavs.exe
PID 3692 wrote to memory of 3184	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	WtsmntZ.exe
PID 3692 wrote to memory of 3184	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	WtsmntZ.exe
PID 3692 wrote to memory of 3732	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	jGSWYLN.exe
PID 3692 wrote to memory of 3732	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	jGSWYLN.exe
PID 3692 wrote to memory of 5028	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	ZmeIkek.exe
PID 3692 wrote to memory of 5028	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	ZmeIkek.exe
PID 3692 wrote to memory of 2604	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	xRBtTmc.exe
PID 3692 wrote to memory of 2604	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	xRBtTmc.exe
PID 3692 wrote to memory of 2136	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	iEtKbwY.exe
PID 3692 wrote to memory of 2136	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	iEtKbwY.exe
PID 3692 wrote to memory of 4720	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	vDWbiSr.exe
PID 3692 wrote to memory of 4720	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	vDWbiSr.exe
PID 3692 wrote to memory of 2364	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	xEfrhIx.exe
PID 3692 wrote to memory of 2364	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	xEfrhIx.exe
PID 3692 wrote to memory of 4956	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	rfKpihE.exe
PID 3692 wrote to memory of 4956	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	rfKpihE.exe
PID 3692 wrote to memory of 4856	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	SCBMzJi.exe
PID 3692 wrote to memory of 4856	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	SCBMzJi.exe
PID 3692 wrote to memory of 4724	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	WEMWRhJ.exe
PID 3692 wrote to memory of 4724	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	WEMWRhJ.exe
PID 3692 wrote to memory of 1548	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	QvkmOTf.exe
PID 3692 wrote to memory of 1548	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	QvkmOTf.exe
PID 3692 wrote to memory of 2484	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	rscVpIv.exe
PID 3692 wrote to memory of 2484	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	rscVpIv.exe
PID 3692 wrote to memory of 4432	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	tSmkTKR.exe
PID 3692 wrote to memory of 4432	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	tSmkTKR.exe
PID 3692 wrote to memory of 1192	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	gKHViPJ.exe
PID 3692 wrote to memory of 1192	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	gKHViPJ.exe
PID 3692 wrote to memory of 752	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	WJQoMCg.exe
PID 3692 wrote to memory of 752	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	WJQoMCg.exe
PID 3692 wrote to memory of 2792	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	vJKfsqW.exe
PID 3692 wrote to memory of 2792	3692	2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe	vJKfsqW.exe

C:\Users\Admin\AppData\Local\Temp\2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2024052026c7c01d881e5043932b5f8eda89971bcobaltstrikecobaltstrike_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\System\AKZhbcw.exe
C:\Windows\System\AKZhbcw.exe
2⤵
- Executes dropped EXE
PID:4328

C:\Windows\System\mvYESGl.exe
C:\Windows\System\mvYESGl.exe
2⤵
- Executes dropped EXE
PID:5104

C:\Windows\System\JzEPsnS.exe
C:\Windows\System\JzEPsnS.exe
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\System\GrCdPJC.exe
C:\Windows\System\GrCdPJC.exe
2⤵
- Executes dropped EXE
PID:2916

C:\Windows\System\kTFbavs.exe
C:\Windows\System\kTFbavs.exe
2⤵
- Executes dropped EXE
PID:1032

C:\Windows\System\WtsmntZ.exe
C:\Windows\System\WtsmntZ.exe
2⤵
- Executes dropped EXE
PID:3184

C:\Windows\System\jGSWYLN.exe
C:\Windows\System\jGSWYLN.exe
2⤵
- Executes dropped EXE
PID:3732

C:\Windows\System\ZmeIkek.exe
C:\Windows\System\ZmeIkek.exe
2⤵
- Executes dropped EXE
PID:5028

C:\Windows\System\xRBtTmc.exe
C:\Windows\System\xRBtTmc.exe
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\System\iEtKbwY.exe
C:\Windows\System\iEtKbwY.exe
2⤵
- Executes dropped EXE
PID:2136

C:\Windows\System\vDWbiSr.exe
C:\Windows\System\vDWbiSr.exe
2⤵
- Executes dropped EXE
PID:4720

C:\Windows\System\xEfrhIx.exe
C:\Windows\System\xEfrhIx.exe
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\System\rfKpihE.exe
C:\Windows\System\rfKpihE.exe
2⤵
- Executes dropped EXE
PID:4956

C:\Windows\System\SCBMzJi.exe
C:\Windows\System\SCBMzJi.exe
2⤵
- Executes dropped EXE
PID:4856

C:\Windows\System\WEMWRhJ.exe
C:\Windows\System\WEMWRhJ.exe
2⤵
- Executes dropped EXE
PID:4724

C:\Windows\System\QvkmOTf.exe
C:\Windows\System\QvkmOTf.exe
2⤵
- Executes dropped EXE
PID:1548

C:\Windows\System\rscVpIv.exe
C:\Windows\System\rscVpIv.exe
2⤵
- Executes dropped EXE
PID:2484

C:\Windows\System\tSmkTKR.exe
C:\Windows\System\tSmkTKR.exe
2⤵
- Executes dropped EXE
PID:4432

C:\Windows\System\gKHViPJ.exe
C:\Windows\System\gKHViPJ.exe
2⤵
- Executes dropped EXE
PID:1192

C:\Windows\System\WJQoMCg.exe
C:\Windows\System\WJQoMCg.exe
2⤵
- Executes dropped EXE
PID:752

C:\Windows\System\vJKfsqW.exe
C:\Windows\System\vJKfsqW.exe
2⤵
- Executes dropped EXE
PID:2792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AKZhbcw.exe
Filesize
5.2MB

MD5
32c97d3ebd6ca6caefc5fd881928754e

SHA1
6eb4cfed5f139f7d9e349b337a9f6adcf30ee166

SHA256
69fe9b429690415ca016d9b59c1cfcb77caf3d9d5ac913c241b3ea3cb3250d8f

SHA512
129161c6b59a223feee48357da0e8aa6681d68ee055914bb1b73fb80cf0a9e1952cea3b88d1ec906d0339227f577f200ead607dacb0562ba2fe978bd9af03959

Download Submit
C:\Windows\System\GrCdPJC.exe
Filesize
5.2MB

MD5
fa47532c362513516a067a001ce7c7f5

SHA1
f382347b43f8a3ea6173e68640f08178573fdcb1

SHA256
b6ae0149f7f9525b5fba9da98997a088f839de28242cb039904c39e98394b798

SHA512
47729e0d9453741f34b017e6c1f302e5a5f5a8db38b29290a0af89e72b52995404ec75024e01dbba7328236bb8e2c0ac0d6999eee41d829d4a4c6a309ae32221

Download Submit
C:\Windows\System\JzEPsnS.exe
Filesize
5.2MB

MD5
9914aa9a35c6020e574d76169d2aaaf8

SHA1
8b1378ceca85dd69d3280cc7297f6bb90d3fb642

SHA256
bad72df115a41ad05813aef1810e789c092fc3c8f6b6abf8e99f550644abe522

SHA512
cbf2dee5d458a01138ce966319bc61dac2178b95d8d6c7db505fe3b975dcdc04495cdbd3710aa42fedb36f3907ade72d5fcedb0406c0dd3a48edf42e205c28cc

Download Submit
C:\Windows\System\QvkmOTf.exe
Filesize
5.2MB

MD5
5d9a4367d811a6b5ad0dee94cae5f040

SHA1
762be8c78d4f6491a358c3cb797c3f103f8d6581

SHA256
1e6e6f67aeaa22326b9e0e430440664268868a37faff3eda75135b0e77bb7547

SHA512
453015a93fd76ba8316508c052e5f1e25209f866a0c079ea54f3bd2f234ee883060a90a3c99effb7fa74f6f2b230c98c324c3dbdc035a1b56350ecf0a690c8af

Download Submit
C:\Windows\System\SCBMzJi.exe
Filesize
5.2MB

MD5
2d2c58b8a713ad3a8a463881d19c2954

SHA1
7fc5fd276b7b6f42e18008a58c5c9cc1b40486dd

SHA256
ced3a7a144b39c1ed2e7e35103f2014b4f28623a2698da071e23333173ab9453

SHA512
7060bbb96b093f7d586523e1333d8fdcf87a8699c9deb4d194988a6370a4f07ac022b4c99823d938d6fe32be919ba3e88dbce42044d7c2e5a6b3118370b0dd14

Download Submit
C:\Windows\System\WEMWRhJ.exe
Filesize
5.2MB

MD5
fb36c159f8d55b81e6e1c97735e183dc

SHA1
f62b04765f646352a04a9c2ad0b76e9c8af223c8

SHA256
589bcff7fc44757c5c177abbd6336184bbbbe47efd2c73077d0a6864e561186c

SHA512
ed52ea767abe806e0085c414961c75800c0f82596ad0a767ae63fd48f33293da000156d8e58a065a89543569d2f36ca9ba456f3ff174beb5158e2530f9046585

Download Submit
C:\Windows\System\WJQoMCg.exe
Filesize
5.2MB

MD5
287fa3fb84418122ccd6a2fdd5a6dfb0

SHA1
b447d463cda51b1b1813216739f8bd6993507ce9

SHA256
be98575467d90613424f23b58364687ce2a80ed6bd44fe3300a6548858ce73b0

SHA512
cfd537787c322dc4e093b5f300b1886a9045cb52387c675591d01b87a9d2b059454c19eddaf83f484d4bc818c697ed7141ce8f74eb82e066410bdeb618066c3b

Download Submit
C:\Windows\System\WtsmntZ.exe
Filesize
5.2MB

MD5
a6c6373ee16716abb371296448d9771a

SHA1
9cc80c51ef783dd5ce0c3fb2bcc357ca9af81e88

SHA256
f73f58e366654d1c88c5d01786e758e37c87f882be307e18381a33edea065799

SHA512
6fd2e30287c259ed6b00d4a714c67d822c41e38dcab8160c9d7c3c6ff5ced5e2749b9f09f012b532b9580922a8a4775cbf67ec11b04fabd801b3e784fafab7f5

Download Submit
C:\Windows\System\ZmeIkek.exe
Filesize
5.2MB

MD5
6ae78923f59a7640b9d377b06ddf8ddc

SHA1
2efb666f797dc5c31e8a92227461d8068f828b65

SHA256
7fa4ee86064494c35db6ac244980a736c889f2c884ff53d1d3fca7645449b15b

SHA512
0cf7568dc68d99f44abbf059f93d4cd6ef839f8521c190a5db0991a2243dcada38635456346987a6d616ed6426f757ed057d1f8a011eef95d1128f4f2b400cf8

Download Submit
C:\Windows\System\gKHViPJ.exe
Filesize
5.2MB

MD5
a03e29977cda6cebc4c3ff29cb324d43

SHA1
0cac3a410d72eb4de6edbf3bd3991a867e7ab700

SHA256
f524ac8bbeb4229da7315d57b20aae229233ca944ff941179855a107846eed47

SHA512
f459b30a2bc73a0a7f1516bf4a2e9c58740805e50680be60e857c8ccbef9ae1ecee68da0e333cbceec0f93fb3bb02e795e12f538b68a85f3f4819fe49eae7f4e

Download Submit
C:\Windows\System\iEtKbwY.exe
Filesize
5.2MB

MD5
313b7aaf52fbd421b31d1377240c50f8

SHA1
cc638c912c8e16140c9a93c7aff2508868a3262c

SHA256
aac2b16c4424747d85c957c69b17b40f8a5bfa7ed437adc23e8f8e5666590583

SHA512
87d5d4429a240dbeabb244983feba93d463e1963ddef0a1542bc3e5e99539d738edbb0e1c9d347244f6cae72745e3f29918a52e52908668522b515fae2806e61

Download Submit
C:\Windows\System\jGSWYLN.exe
Filesize
5.2MB

MD5
a0d81e6c68694eda88e49772b6d6c90c

SHA1
e67891a7d763bb0cbec4e6d7a63abeabe08dd29d

SHA256
993c15758a2ff5c3f0d9891bb990c7a13108e76c949c5d512b07118308def294

SHA512
bfa129fa4b297dafcfbd3e4d1ae4a44ca73685c0eb7cc7824a61ecbbc24849ad5acaf3b07945413f715fefe7e795804b604488e614fe19aa62aa467c139c1f5e

Download Submit
C:\Windows\System\kTFbavs.exe
Filesize
5.2MB

MD5
27f68bbc23837dcb317dbabcd134bd2b

SHA1
aa3df02979e5dbb26a9154babf4e78717d2386ed

SHA256
34d706e452caf847f2be47d0b61f6277176c3b8d67fba0113af0fef10165d1e3

SHA512
e0a5bb2991517f2eeba8fbcceb32dc5a56368d205a9c89deed02599debb86d9059923eb680f49c9311e61dc4871a5edfbae0f202d0b178b34918ab0c091a529e

Download Submit
C:\Windows\System\mvYESGl.exe
Filesize
5.2MB

MD5
5518aa3164fb3962cc20dc595380d7c1

SHA1
e5919c18f02631c8d1d8a82e2b4d2d0be429c5fd

SHA256
353c8f40f5dc71fd0a508260248099d63b7bef02fdf85c98fad963e73cdae2bf

SHA512
3a7c3f30205aa5b0c29977796f8c3ff50b5e879a6b003f60439dd84902dade3be4beef562704c04ac5aaf56b2518b21c0b1d4a3c4b9b6d8bcbb9299f72505686

Download Submit
C:\Windows\System\rfKpihE.exe
Filesize
5.2MB

MD5
73bc0ecf87bc3eb67c69c71c9fbb8352

SHA1
7c68285899a34ca78ec1c328c1295a63a8769e6d

SHA256
add6c7b6704c1f45f8d6b9d4b8b5e1411c15bfc5ff373c2cf3bd041341ac67fe

SHA512
c1971d4fbbe2c862fab3cfb2c04176e0e8be55d4b9294a32f46ca0cc3c9a71226044071db310ba90481751fe060a275f3ab3935eba6eac59b8d9a34f9b060743

Download Submit
C:\Windows\System\rscVpIv.exe
Filesize
5.2MB

MD5
db6d3d6b73632b05e13e0b99d9317253

SHA1
88f9ab1d8d5e02ee5a43e4617a8cb78a02f45b4d

SHA256
3e24b9f7e14fe8b41dcb3cc4947131ca8c8b14e4501d539e29b1cd72b6a22e25

SHA512
0aa2681dc0ca240537e9fdf2e3b435040ca6bbf24a8c6793e8dd480435224dc5e2e6856d0f57652986cec56e547ac78513f1c3fe83e2dd2bcf5c164cc8a2cda8

Download Submit
C:\Windows\System\tSmkTKR.exe
Filesize
5.2MB

MD5
db2995c865e967dac987baddd6611c6b

SHA1
4b1e392c879a40132e59da7e35950337a5bfed76

SHA256
f8f2456a5c730118b9b1df3eb68caade0c48458b5131cdc957d29b439a508dd5

SHA512
16b92f405561a39b0662e970398af47ac418e7a3d230f23ccf20b48bb077dff5a5981b56dede405460c833a7a96c152cab769a82acb9064c6c54665a2267d6ee

Download Submit
C:\Windows\System\vDWbiSr.exe
Filesize
5.2MB

MD5
c076e82ae502f63a1145ca78e5d68494

SHA1
02a9533463e8262952e4a8bd33bf695efcd8eff7

SHA256
194893d71cbf1aa055be801096f9585a1b360412d086c80d5f14f77b67a8cbf1

SHA512
7f7eb9fec596f0b38aa27de0be690b6d1ed78301b32a58b33e3c96c6306e4ee15976e690063a9b80dd32250c37b0ffeb250be8a8aa0eed7b7b811e711a12169b

Download Submit
C:\Windows\System\vJKfsqW.exe
Filesize
5.2MB

MD5
14cfb5bd4db43d778f78ba656e6fc231

SHA1
4c15db634790eecba4900e90f8f767a7ace725a2

SHA256
f568c3b5317c988a95c90ec7d21af45401f0165e91152a42a170411611a4de9d

SHA512
890a4c19b8379b280dcafced85737df1e0a5b088551f6560e8e8e69731edf3a4f03ca3818031db9f6df809ac4932132ede5b8bcc44fa7a65fac75d0ca26fd682

Download Submit
C:\Windows\System\xEfrhIx.exe
Filesize
5.2MB

MD5
643007ef8224623a25159bdce9f9a659

SHA1
7e2debc517ee733b145133d67756326d1de1363a

SHA256
b166a08f734865486843e4531c48c6649420abf09c09e7ded4b7a6e750b4fc41

SHA512
e6855008a226b5ac218e8d49e46f9ab0eaf65c7b1159621c52674e7fafc5c9c80d1078e346c47baea1471d75fa6d2f47f29a766253b1abfc85b65e9d69f21e37

Download Submit
C:\Windows\System\xRBtTmc.exe
Filesize
5.2MB

MD5
3721954ec180a28fe352c0e7c022dfc0

SHA1
2f8af9d83abf47594895096e0567a559e177ac60

SHA256
b896478c47353a64ef3c7372339776ba0aeb04d2b76bf7d48a9082f3c60d2271

SHA512
a759826bec5b9b29e2a617267b72809e8d407e5f53981ae356c157c61fd4c1ae263800b563f34d113ec84535f60e5fd500e57f5b48abd0cf6eae7248288e2321

Download Submit
memory/752-239-0x00007FF784A70000-0x00007FF784DC1000-memory.dmp

Filesize
3.3MB

Download
memory/752-131-0x00007FF784A70000-0x00007FF784DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1032-113-0x00007FF6C7EB0000-0x00007FF6C8201000-memory.dmp

Filesize
3.3MB

Download
memory/1032-38-0x00007FF6C7EB0000-0x00007FF6C8201000-memory.dmp

Filesize
3.3MB

Download
memory/1032-209-0x00007FF6C7EB0000-0x00007FF6C8201000-memory.dmp

Filesize
3.3MB

Download
memory/1192-241-0x00007FF70F130000-0x00007FF70F481000-memory.dmp

Filesize
3.3MB

Download
memory/1192-155-0x00007FF70F130000-0x00007FF70F481000-memory.dmp

Filesize
3.3MB

Download
memory/1192-122-0x00007FF70F130000-0x00007FF70F481000-memory.dmp

Filesize
3.3MB

Download
memory/1548-104-0x00007FF626300000-0x00007FF626651000-memory.dmp

Filesize
3.3MB

Download
memory/1548-232-0x00007FF626300000-0x00007FF626651000-memory.dmp

Filesize
3.3MB

Download
memory/2136-225-0x00007FF6232F0000-0x00007FF623641000-memory.dmp

Filesize
3.3MB

Download
memory/2136-90-0x00007FF6232F0000-0x00007FF623641000-memory.dmp

Filesize
3.3MB

Download
memory/2364-76-0x00007FF706F50000-0x00007FF7072A1000-memory.dmp

Filesize
3.3MB

Download
memory/2364-140-0x00007FF706F50000-0x00007FF7072A1000-memory.dmp

Filesize
3.3MB

Download
memory/2364-223-0x00007FF706F50000-0x00007FF7072A1000-memory.dmp

Filesize
3.3MB

Download
memory/2484-230-0x00007FF75C980000-0x00007FF75CCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2484-98-0x00007FF75C980000-0x00007FF75CCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2484-145-0x00007FF75C980000-0x00007FF75CCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2600-111-0x00007FF605940000-0x00007FF605C91000-memory.dmp

Filesize
3.3MB

Download
memory/2600-18-0x00007FF605940000-0x00007FF605C91000-memory.dmp

Filesize
3.3MB

Download
memory/2600-201-0x00007FF605940000-0x00007FF605C91000-memory.dmp

Filesize
3.3MB

Download
memory/2604-217-0x00007FF6FB5A0000-0x00007FF6FB8F1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-101-0x00007FF6FB5A0000-0x00007FF6FB8F1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-127-0x00007FF630400000-0x00007FF630751000-memory.dmp

Filesize
3.3MB

Download
memory/2792-243-0x00007FF630400000-0x00007FF630751000-memory.dmp

Filesize
3.3MB

Download
memory/2792-157-0x00007FF630400000-0x00007FF630751000-memory.dmp

Filesize
3.3MB

Download
memory/2916-203-0x00007FF78F070000-0x00007FF78F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2916-26-0x00007FF78F070000-0x00007FF78F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/3184-211-0x00007FF684BC0000-0x00007FF684F11000-memory.dmp

Filesize
3.3MB

Download
memory/3184-134-0x00007FF684BC0000-0x00007FF684F11000-memory.dmp

Filesize
3.3MB

Download
memory/3184-54-0x00007FF684BC0000-0x00007FF684F11000-memory.dmp

Filesize
3.3MB

Download
memory/3692-147-0x00007FF7FBEC0000-0x00007FF7FC211000-memory.dmp

Filesize
3.3MB

Download
memory/3692-108-0x00007FF7FBEC0000-0x00007FF7FC211000-memory.dmp

Filesize
3.3MB

Download
memory/3692-1-0x0000018E0D070000-0x0000018E0D080000-memory.dmp

Filesize
64KB

Download
memory/3692-169-0x00007FF7FBEC0000-0x00007FF7FC211000-memory.dmp

Filesize
3.3MB

Download
memory/3692-0-0x00007FF7FBEC0000-0x00007FF7FC211000-memory.dmp

Filesize
3.3MB

Download
memory/3732-135-0x00007FF71FB70000-0x00007FF71FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/3732-43-0x00007FF71FB70000-0x00007FF71FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/3732-213-0x00007FF71FB70000-0x00007FF71FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/4328-197-0x00007FF6A3E80000-0x00007FF6A41D1000-memory.dmp

Filesize
3.3MB

Download
memory/4328-109-0x00007FF6A3E80000-0x00007FF6A41D1000-memory.dmp

Filesize
3.3MB

Download
memory/4328-9-0x00007FF6A3E80000-0x00007FF6A41D1000-memory.dmp

Filesize
3.3MB

Download
memory/4432-121-0x00007FF7B3180000-0x00007FF7B34D1000-memory.dmp

Filesize
3.3MB

Download
memory/4432-237-0x00007FF7B3180000-0x00007FF7B34D1000-memory.dmp

Filesize
3.3MB

Download
memory/4720-102-0x00007FF781A10000-0x00007FF781D61000-memory.dmp

Filesize
3.3MB

Download
memory/4720-222-0x00007FF781A10000-0x00007FF781D61000-memory.dmp

Filesize
3.3MB

Download
memory/4724-95-0x00007FF65E140000-0x00007FF65E491000-memory.dmp

Filesize
3.3MB

Download
memory/4724-228-0x00007FF65E140000-0x00007FF65E491000-memory.dmp

Filesize
3.3MB

Download
memory/4856-233-0x00007FF6394A0000-0x00007FF6397F1000-memory.dmp

Filesize
3.3MB

Download
memory/4856-103-0x00007FF6394A0000-0x00007FF6397F1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-94-0x00007FF67BFA0000-0x00007FF67C2F1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-220-0x00007FF67BFA0000-0x00007FF67C2F1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-215-0x00007FF682FF0000-0x00007FF683341000-memory.dmp

Filesize
3.3MB

Download
memory/5028-136-0x00007FF682FF0000-0x00007FF683341000-memory.dmp

Filesize
3.3MB

Download
memory/5028-69-0x00007FF682FF0000-0x00007FF683341000-memory.dmp

Filesize
3.3MB

Download
memory/5104-15-0x00007FF7F5D10000-0x00007FF7F6061000-memory.dmp

Filesize
3.3MB

Download
memory/5104-110-0x00007FF7F5D10000-0x00007FF7F6061000-memory.dmp

Filesize
3.3MB

Download
memory/5104-199-0x00007FF7F5D10000-0x00007FF7F6061000-memory.dmp

Filesize
3.3MB

Download