cobaltstrike | b076c05d25501ff0f9f2c9baafe641d8b38df163666a8bad3966f728dd89e0b4

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
Size

5.2MB
MD5

2789ebac14a266434c13709f2f8bf0c1
SHA1

798d4b52bfa502a9143480fde28d78be09103acd
SHA256

b076c05d25501ff0f9f2c9baafe641d8b38df163666a8bad3966f728dd89e0b4
SHA512

46ad2e2db675ae963cf2d73580cbe3c5294b5ffda5a4d7766043f8dc5b6dcaba11c9856442f2f60653a7f53ed805fe49cca634d23f68b4e0f4a9239c8e832a54
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lM:RWWBibf56utgpPFotBER/mQ32lUA

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\vufXqHh.exe	cobalt_reflective_dll
C:\Windows\System\fVAgTrO.exe	cobalt_reflective_dll
C:\Windows\System\ILxzuAp.exe	cobalt_reflective_dll
C:\Windows\System\GVZqXeD.exe	cobalt_reflective_dll
C:\Windows\System\POTblRu.exe	cobalt_reflective_dll
C:\Windows\System\WYyUtkB.exe	cobalt_reflective_dll
C:\Windows\System\EucGiPy.exe	cobalt_reflective_dll
C:\Windows\System\zgeSeMh.exe	cobalt_reflective_dll
C:\Windows\System\ZXGeXhw.exe	cobalt_reflective_dll
C:\Windows\System\YEpKZdk.exe	cobalt_reflective_dll
C:\Windows\System\OIaXlgd.exe	cobalt_reflective_dll
C:\Windows\System\OPaXHkZ.exe	cobalt_reflective_dll
C:\Windows\System\yaxYhiF.exe	cobalt_reflective_dll
C:\Windows\System\sScKPax.exe	cobalt_reflective_dll
C:\Windows\System\zGWfEEC.exe	cobalt_reflective_dll
C:\Windows\System\uwAfZhI.exe	cobalt_reflective_dll
C:\Windows\System\mIhqkan.exe	cobalt_reflective_dll
C:\Windows\System\XOYkIpX.exe	cobalt_reflective_dll
C:\Windows\System\lCMOfKp.exe	cobalt_reflective_dll
C:\Windows\System\ISURJzV.exe	cobalt_reflective_dll
C:\Windows\System\MYkSNqI.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4720-20-0x00007FF7314A0000-0x00007FF7317F1000-memory.dmp	xmrig
behavioral2/memory/3560-32-0x00007FF788070000-0x00007FF7883C1000-memory.dmp	xmrig
behavioral2/memory/5008-40-0x00007FF6EBE50000-0x00007FF6EC1A1000-memory.dmp	xmrig
behavioral2/memory/1984-59-0x00007FF65C780000-0x00007FF65CAD1000-memory.dmp	xmrig
behavioral2/memory/5020-86-0x00007FF63CB60000-0x00007FF63CEB1000-memory.dmp	xmrig
behavioral2/memory/2388-95-0x00007FF6EC0E0000-0x00007FF6EC431000-memory.dmp	xmrig
behavioral2/memory/4372-92-0x00007FF796AA0000-0x00007FF796DF1000-memory.dmp	xmrig
behavioral2/memory/3032-88-0x00007FF66B1E0000-0x00007FF66B531000-memory.dmp	xmrig
behavioral2/memory/1816-87-0x00007FF71DAE0000-0x00007FF71DE31000-memory.dmp	xmrig
behavioral2/memory/3640-85-0x00007FF755580000-0x00007FF7558D1000-memory.dmp	xmrig
behavioral2/memory/2748-64-0x00007FF6DD590000-0x00007FF6DD8E1000-memory.dmp	xmrig
behavioral2/memory/2036-48-0x00007FF7AC4C0000-0x00007FF7AC811000-memory.dmp	xmrig
behavioral2/memory/3640-123-0x00007FF755580000-0x00007FF7558D1000-memory.dmp	xmrig
behavioral2/memory/3380-127-0x00007FF7C7D40000-0x00007FF7C8091000-memory.dmp	xmrig
behavioral2/memory/1600-128-0x00007FF7B0F60000-0x00007FF7B12B1000-memory.dmp	xmrig
behavioral2/memory/4244-132-0x00007FF75CAF0000-0x00007FF75CE41000-memory.dmp	xmrig
behavioral2/memory/2684-134-0x00007FF6DEFE0000-0x00007FF6DF331000-memory.dmp	xmrig
behavioral2/memory/2828-133-0x00007FF79B6B0000-0x00007FF79BA01000-memory.dmp	xmrig
behavioral2/memory/3476-131-0x00007FF64F680000-0x00007FF64F9D1000-memory.dmp	xmrig
behavioral2/memory/2928-130-0x00007FF697370000-0x00007FF6976C1000-memory.dmp	xmrig
behavioral2/memory/2280-129-0x00007FF67B980000-0x00007FF67BCD1000-memory.dmp	xmrig
behavioral2/memory/1484-125-0x00007FF631180000-0x00007FF6314D1000-memory.dmp	xmrig
behavioral2/memory/2036-137-0x00007FF7AC4C0000-0x00007FF7AC811000-memory.dmp	xmrig
behavioral2/memory/2872-138-0x00007FF631100000-0x00007FF631451000-memory.dmp	xmrig
behavioral2/memory/3560-135-0x00007FF788070000-0x00007FF7883C1000-memory.dmp	xmrig
behavioral2/memory/3640-152-0x00007FF755580000-0x00007FF7558D1000-memory.dmp	xmrig
behavioral2/memory/1600-200-0x00007FF7B0F60000-0x00007FF7B12B1000-memory.dmp	xmrig
behavioral2/memory/1484-202-0x00007FF631180000-0x00007FF6314D1000-memory.dmp	xmrig
behavioral2/memory/4720-204-0x00007FF7314A0000-0x00007FF7317F1000-memory.dmp	xmrig
behavioral2/memory/3380-209-0x00007FF7C7D40000-0x00007FF7C8091000-memory.dmp	xmrig
behavioral2/memory/3560-211-0x00007FF788070000-0x00007FF7883C1000-memory.dmp	xmrig
behavioral2/memory/5008-213-0x00007FF6EBE50000-0x00007FF6EC1A1000-memory.dmp	xmrig
behavioral2/memory/2036-215-0x00007FF7AC4C0000-0x00007FF7AC811000-memory.dmp	xmrig
behavioral2/memory/2872-231-0x00007FF631100000-0x00007FF631451000-memory.dmp	xmrig
behavioral2/memory/1984-233-0x00007FF65C780000-0x00007FF65CAD1000-memory.dmp	xmrig
behavioral2/memory/2748-235-0x00007FF6DD590000-0x00007FF6DD8E1000-memory.dmp	xmrig
behavioral2/memory/1816-240-0x00007FF71DAE0000-0x00007FF71DE31000-memory.dmp	xmrig
behavioral2/memory/5020-241-0x00007FF63CB60000-0x00007FF63CEB1000-memory.dmp	xmrig
behavioral2/memory/4372-243-0x00007FF796AA0000-0x00007FF796DF1000-memory.dmp	xmrig
behavioral2/memory/3032-238-0x00007FF66B1E0000-0x00007FF66B531000-memory.dmp	xmrig
behavioral2/memory/2388-245-0x00007FF6EC0E0000-0x00007FF6EC431000-memory.dmp	xmrig
behavioral2/memory/2280-247-0x00007FF67B980000-0x00007FF67BCD1000-memory.dmp	xmrig
behavioral2/memory/2928-249-0x00007FF697370000-0x00007FF6976C1000-memory.dmp	xmrig
behavioral2/memory/3476-256-0x00007FF64F680000-0x00007FF64F9D1000-memory.dmp	xmrig
behavioral2/memory/2684-257-0x00007FF6DEFE0000-0x00007FF6DF331000-memory.dmp	xmrig
behavioral2/memory/4244-253-0x00007FF75CAF0000-0x00007FF75CE41000-memory.dmp	xmrig
behavioral2/memory/2828-252-0x00007FF79B6B0000-0x00007FF79BA01000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

vufXqHh.exeILxzuAp.exefVAgTrO.exeGVZqXeD.exePOTblRu.exeWYyUtkB.exeEucGiPy.exezgeSeMh.exeMYkSNqI.exeZXGeXhw.exeYEpKZdk.exeOIaXlgd.exeISURJzV.exeOPaXHkZ.exeyaxYhiF.exelCMOfKp.exesScKPax.exezGWfEEC.exeuwAfZhI.exeXOYkIpX.exemIhqkan.exe

pid	process
1600	vufXqHh.exe
1484	ILxzuAp.exe
4720	fVAgTrO.exe
3380	GVZqXeD.exe
3560	POTblRu.exe
5008	WYyUtkB.exe
2036	EucGiPy.exe
2872	zgeSeMh.exe
1984	MYkSNqI.exe
2748	ZXGeXhw.exe
5020	YEpKZdk.exe
1816	OIaXlgd.exe
3032	ISURJzV.exe
4372	OPaXHkZ.exe
2388	yaxYhiF.exe
2280	lCMOfKp.exe
2928	sScKPax.exe
3476	zGWfEEC.exe
4244	uwAfZhI.exe
2828	XOYkIpX.exe
2684	mIhqkan.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3640-0-0x00007FF755580000-0x00007FF7558D1000-memory.dmp	upx
C:\Windows\System\vufXqHh.exe	upx
behavioral2/memory/1600-6-0x00007FF7B0F60000-0x00007FF7B12B1000-memory.dmp	upx
C:\Windows\System\fVAgTrO.exe	upx
C:\Windows\System\ILxzuAp.exe	upx
behavioral2/memory/4720-20-0x00007FF7314A0000-0x00007FF7317F1000-memory.dmp	upx
behavioral2/memory/1484-14-0x00007FF631180000-0x00007FF6314D1000-memory.dmp	upx
C:\Windows\System\GVZqXeD.exe	upx
behavioral2/memory/3380-24-0x00007FF7C7D40000-0x00007FF7C8091000-memory.dmp	upx
C:\Windows\System\POTblRu.exe	upx
behavioral2/memory/3560-32-0x00007FF788070000-0x00007FF7883C1000-memory.dmp	upx
C:\Windows\System\WYyUtkB.exe	upx
behavioral2/memory/5008-40-0x00007FF6EBE50000-0x00007FF6EC1A1000-memory.dmp	upx
C:\Windows\System\EucGiPy.exe	upx
C:\Windows\System\zgeSeMh.exe	upx
behavioral2/memory/2872-52-0x00007FF631100000-0x00007FF631451000-memory.dmp	upx
C:\Windows\System\ZXGeXhw.exe	upx
behavioral2/memory/1984-59-0x00007FF65C780000-0x00007FF65CAD1000-memory.dmp	upx
C:\Windows\System\YEpKZdk.exe	upx
C:\Windows\System\OIaXlgd.exe	upx
C:\Windows\System\OPaXHkZ.exe	upx
C:\Windows\System\yaxYhiF.exe	upx
behavioral2/memory/5020-86-0x00007FF63CB60000-0x00007FF63CEB1000-memory.dmp	upx
C:\Windows\System\sScKPax.exe	upx
C:\Windows\System\zGWfEEC.exe	upx
C:\Windows\System\uwAfZhI.exe	upx
C:\Windows\System\mIhqkan.exe	upx
C:\Windows\System\XOYkIpX.exe	upx
C:\Windows\System\lCMOfKp.exe	upx
behavioral2/memory/2388-95-0x00007FF6EC0E0000-0x00007FF6EC431000-memory.dmp	upx
behavioral2/memory/4372-92-0x00007FF796AA0000-0x00007FF796DF1000-memory.dmp	upx
behavioral2/memory/3032-88-0x00007FF66B1E0000-0x00007FF66B531000-memory.dmp	upx
behavioral2/memory/1816-87-0x00007FF71DAE0000-0x00007FF71DE31000-memory.dmp	upx
behavioral2/memory/3640-85-0x00007FF755580000-0x00007FF7558D1000-memory.dmp	upx
C:\Windows\System\ISURJzV.exe	upx
behavioral2/memory/2748-64-0x00007FF6DD590000-0x00007FF6DD8E1000-memory.dmp	upx
C:\Windows\System\MYkSNqI.exe	upx
behavioral2/memory/2036-48-0x00007FF7AC4C0000-0x00007FF7AC811000-memory.dmp	upx
behavioral2/memory/3640-123-0x00007FF755580000-0x00007FF7558D1000-memory.dmp	upx
behavioral2/memory/3380-127-0x00007FF7C7D40000-0x00007FF7C8091000-memory.dmp	upx
behavioral2/memory/1600-128-0x00007FF7B0F60000-0x00007FF7B12B1000-memory.dmp	upx
behavioral2/memory/4244-132-0x00007FF75CAF0000-0x00007FF75CE41000-memory.dmp	upx
behavioral2/memory/2684-134-0x00007FF6DEFE0000-0x00007FF6DF331000-memory.dmp	upx
behavioral2/memory/2828-133-0x00007FF79B6B0000-0x00007FF79BA01000-memory.dmp	upx
behavioral2/memory/3476-131-0x00007FF64F680000-0x00007FF64F9D1000-memory.dmp	upx
behavioral2/memory/2928-130-0x00007FF697370000-0x00007FF6976C1000-memory.dmp	upx
behavioral2/memory/2280-129-0x00007FF67B980000-0x00007FF67BCD1000-memory.dmp	upx
behavioral2/memory/1484-125-0x00007FF631180000-0x00007FF6314D1000-memory.dmp	upx
behavioral2/memory/2036-137-0x00007FF7AC4C0000-0x00007FF7AC811000-memory.dmp	upx
behavioral2/memory/2872-138-0x00007FF631100000-0x00007FF631451000-memory.dmp	upx
behavioral2/memory/3560-135-0x00007FF788070000-0x00007FF7883C1000-memory.dmp	upx
behavioral2/memory/3640-152-0x00007FF755580000-0x00007FF7558D1000-memory.dmp	upx
behavioral2/memory/1600-200-0x00007FF7B0F60000-0x00007FF7B12B1000-memory.dmp	upx
behavioral2/memory/1484-202-0x00007FF631180000-0x00007FF6314D1000-memory.dmp	upx
behavioral2/memory/4720-204-0x00007FF7314A0000-0x00007FF7317F1000-memory.dmp	upx
behavioral2/memory/3380-209-0x00007FF7C7D40000-0x00007FF7C8091000-memory.dmp	upx
behavioral2/memory/3560-211-0x00007FF788070000-0x00007FF7883C1000-memory.dmp	upx
behavioral2/memory/5008-213-0x00007FF6EBE50000-0x00007FF6EC1A1000-memory.dmp	upx
behavioral2/memory/2036-215-0x00007FF7AC4C0000-0x00007FF7AC811000-memory.dmp	upx
behavioral2/memory/2872-231-0x00007FF631100000-0x00007FF631451000-memory.dmp	upx
behavioral2/memory/1984-233-0x00007FF65C780000-0x00007FF65CAD1000-memory.dmp	upx
behavioral2/memory/2748-235-0x00007FF6DD590000-0x00007FF6DD8E1000-memory.dmp	upx
behavioral2/memory/1816-240-0x00007FF71DAE0000-0x00007FF71DE31000-memory.dmp	upx
behavioral2/memory/5020-241-0x00007FF63CB60000-0x00007FF63CEB1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\POTblRu.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\EucGiPy.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\MYkSNqI.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\vufXqHh.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\fVAgTrO.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\mIhqkan.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\OIaXlgd.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\yaxYhiF.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\YEpKZdk.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\OPaXHkZ.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\lCMOfKp.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\sScKPax.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\zGWfEEC.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\uwAfZhI.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\WYyUtkB.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\zgeSeMh.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\XOYkIpX.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\ZXGeXhw.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\ISURJzV.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\ILxzuAp.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\GVZqXeD.exe	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process
Token: SeLockMemoryPrivilege	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process	target process
PID 3640 wrote to memory of 1600	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	vufXqHh.exe
PID 3640 wrote to memory of 1600	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	vufXqHh.exe
PID 3640 wrote to memory of 1484	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	ILxzuAp.exe
PID 3640 wrote to memory of 1484	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	ILxzuAp.exe
PID 3640 wrote to memory of 4720	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	fVAgTrO.exe
PID 3640 wrote to memory of 4720	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	fVAgTrO.exe
PID 3640 wrote to memory of 3380	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	GVZqXeD.exe
PID 3640 wrote to memory of 3380	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	GVZqXeD.exe
PID 3640 wrote to memory of 3560	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	POTblRu.exe
PID 3640 wrote to memory of 3560	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	POTblRu.exe
PID 3640 wrote to memory of 5008	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	WYyUtkB.exe
PID 3640 wrote to memory of 5008	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	WYyUtkB.exe
PID 3640 wrote to memory of 2036	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	EucGiPy.exe
PID 3640 wrote to memory of 2036	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	EucGiPy.exe
PID 3640 wrote to memory of 2872	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	zgeSeMh.exe
PID 3640 wrote to memory of 2872	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	zgeSeMh.exe
PID 3640 wrote to memory of 1984	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	MYkSNqI.exe
PID 3640 wrote to memory of 1984	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	MYkSNqI.exe
PID 3640 wrote to memory of 2748	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	ZXGeXhw.exe
PID 3640 wrote to memory of 2748	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	ZXGeXhw.exe
PID 3640 wrote to memory of 5020	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	YEpKZdk.exe
PID 3640 wrote to memory of 5020	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	YEpKZdk.exe
PID 3640 wrote to memory of 1816	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	OIaXlgd.exe
PID 3640 wrote to memory of 1816	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	OIaXlgd.exe
PID 3640 wrote to memory of 3032	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	ISURJzV.exe
PID 3640 wrote to memory of 3032	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	ISURJzV.exe
PID 3640 wrote to memory of 4372	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	OPaXHkZ.exe
PID 3640 wrote to memory of 4372	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	OPaXHkZ.exe
PID 3640 wrote to memory of 2388	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	yaxYhiF.exe
PID 3640 wrote to memory of 2388	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	yaxYhiF.exe
PID 3640 wrote to memory of 2280	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	lCMOfKp.exe
PID 3640 wrote to memory of 2280	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	lCMOfKp.exe
PID 3640 wrote to memory of 2928	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	sScKPax.exe
PID 3640 wrote to memory of 2928	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	sScKPax.exe
PID 3640 wrote to memory of 3476	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	zGWfEEC.exe
PID 3640 wrote to memory of 3476	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	zGWfEEC.exe
PID 3640 wrote to memory of 4244	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	uwAfZhI.exe
PID 3640 wrote to memory of 4244	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	uwAfZhI.exe
PID 3640 wrote to memory of 2828	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	XOYkIpX.exe
PID 3640 wrote to memory of 2828	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	XOYkIpX.exe
PID 3640 wrote to memory of 2684	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	mIhqkan.exe
PID 3640 wrote to memory of 2684	3640	202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe	mIhqkan.exe

C:\Users\Admin\AppData\Local\Temp\202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\202405202789ebac14a266434c13709f2f8bf0c1cobaltstrikecobaltstrike_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\System\vufXqHh.exe
C:\Windows\System\vufXqHh.exe
2⤵
- Executes dropped EXE
PID:1600

C:\Windows\System\ILxzuAp.exe
C:\Windows\System\ILxzuAp.exe
2⤵
- Executes dropped EXE
PID:1484

C:\Windows\System\fVAgTrO.exe
C:\Windows\System\fVAgTrO.exe
2⤵
- Executes dropped EXE
PID:4720

C:\Windows\System\GVZqXeD.exe
C:\Windows\System\GVZqXeD.exe
2⤵
- Executes dropped EXE
PID:3380

C:\Windows\System\POTblRu.exe
C:\Windows\System\POTblRu.exe
2⤵
- Executes dropped EXE
PID:3560

C:\Windows\System\WYyUtkB.exe
C:\Windows\System\WYyUtkB.exe
2⤵
- Executes dropped EXE
PID:5008

C:\Windows\System\EucGiPy.exe
C:\Windows\System\EucGiPy.exe
2⤵
- Executes dropped EXE
PID:2036

C:\Windows\System\zgeSeMh.exe
C:\Windows\System\zgeSeMh.exe
2⤵
- Executes dropped EXE
PID:2872

C:\Windows\System\MYkSNqI.exe
C:\Windows\System\MYkSNqI.exe
2⤵
- Executes dropped EXE
PID:1984

C:\Windows\System\ZXGeXhw.exe
C:\Windows\System\ZXGeXhw.exe
2⤵
- Executes dropped EXE
PID:2748

C:\Windows\System\YEpKZdk.exe
C:\Windows\System\YEpKZdk.exe
2⤵
- Executes dropped EXE
PID:5020

C:\Windows\System\OIaXlgd.exe
C:\Windows\System\OIaXlgd.exe
2⤵
- Executes dropped EXE
PID:1816

C:\Windows\System\ISURJzV.exe
C:\Windows\System\ISURJzV.exe
2⤵
- Executes dropped EXE
PID:3032

C:\Windows\System\OPaXHkZ.exe
C:\Windows\System\OPaXHkZ.exe
2⤵
- Executes dropped EXE
PID:4372

C:\Windows\System\yaxYhiF.exe
C:\Windows\System\yaxYhiF.exe
2⤵
- Executes dropped EXE
PID:2388

C:\Windows\System\lCMOfKp.exe
C:\Windows\System\lCMOfKp.exe
2⤵
- Executes dropped EXE
PID:2280

C:\Windows\System\sScKPax.exe
C:\Windows\System\sScKPax.exe
2⤵
- Executes dropped EXE
PID:2928

C:\Windows\System\zGWfEEC.exe
C:\Windows\System\zGWfEEC.exe
2⤵
- Executes dropped EXE
PID:3476

C:\Windows\System\uwAfZhI.exe
C:\Windows\System\uwAfZhI.exe
2⤵
- Executes dropped EXE
PID:4244

C:\Windows\System\XOYkIpX.exe
C:\Windows\System\XOYkIpX.exe
2⤵
- Executes dropped EXE
PID:2828

C:\Windows\System\mIhqkan.exe
C:\Windows\System\mIhqkan.exe
2⤵
- Executes dropped EXE
PID:2684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EucGiPy.exe
Filesize
5.2MB

MD5
8592f25264cc74ad01a5018433ccce08

SHA1
49c5d6d281682628d9793a254901d689792f6313

SHA256
b018805f1ffe2b4048b3f8f0e80467a74744a035666a54cf55fe50af36eda6fc

SHA512
3956021ff11110636d1101e3dfcb2c69c31e802d9828ca14c5e1efd8af474f6057ab6a72de9f328dfb13fd91c535316cf129d703ff7b1eea9e9e791aa1e66ffc

Download Submit
C:\Windows\System\GVZqXeD.exe
Filesize
5.2MB

MD5
4179137aa7edde22103f2caf30e737c1

SHA1
dc8a75bb9b3ea063e65285a2922e5d3421d3f3bc

SHA256
ea1dedd1eed5bc58a4cc994ab6ed72165fd289aece8aeb411f42e04ff0f330f6

SHA512
285048ebf0c16625cc678cb956e98e4b70e808bfa4516fa23a84eddd37258b63060082f1d06740421955e1d9b24b43c043aa162c5cf4456978aeb2777284988e

Download Submit
C:\Windows\System\ILxzuAp.exe
Filesize
5.2MB

MD5
c9401da7cc6399dfc6107fe290f2c13f

SHA1
3e8b66eba42119d35d5e5aa97b6b0f7a8c10521f

SHA256
1c79a4959297c5613025aa347b354993fb986317d4762bcc6ffd49bdd86b4aa2

SHA512
7873b758d0278b30e309ef9133b3865f4d5865f23bb6813f57fc7e1bf4ad39dfe3e97b1f55cebb7709c38558d1c0c2c4432caa87b8946b08270dd4b0e18c5522

Download Submit
C:\Windows\System\ISURJzV.exe
Filesize
5.2MB

MD5
37f074237f2c15ec5859cd784c3f6e4a

SHA1
5e56562ad94e1ae67ce384c387e133b387466d05

SHA256
b56878a5ece3057491e3ffd89ed5d85a5bf2338ea9645dd835febc5a665bd20c

SHA512
9f8fc77758ed3dbe62553f99b2b37182db2632e94902c230c3abb83c78070575100f40b6137765e10b94016d3a6b26976b23cbd2383a39faf1a4e944d7fe18a9

Download Submit
C:\Windows\System\MYkSNqI.exe
Filesize
5.2MB

MD5
7445e40833ba2560c1f825e42d990c3e

SHA1
5e26adb446bb1f1cd753791f8e0eecfb1c31a77c

SHA256
085dfdd87b743f8bb9f9d94c9947e0eb8d3d9c4528f2e5bfe75102bae4112f0c

SHA512
8b20c4b553a42a807622e402dec6f71f38c4dfb763e163a21dcc882dcfbff5901d8496b99c573e5b4dec5e0d7e5535f15d2712bda846a1e842102513ba3b6540

Download Submit
C:\Windows\System\OIaXlgd.exe
Filesize
5.2MB

MD5
64dd0640f55ae9c3906dc3878bee2f0a

SHA1
8e569fe214501401cf518e74de5e5a0a50287a16

SHA256
e4190c413628e1f0dbd41547f745ffbf7a470076cc359cf4240c9067200bc116

SHA512
8b1876fa90042314fe6beb91149c7f791d24a7a01c4cf89849687b38548d0dd7a48e53ddc0a5191d296cb57bf96bea57664fa00868e515468334df0993ea5585

Download Submit
C:\Windows\System\OPaXHkZ.exe
Filesize
5.2MB

MD5
e4ee43633110ec54d2f2336ffafb68d4

SHA1
925f6e4d386606549ad686cf158919f39d3b3016

SHA256
f47e6b2e63502e4fbd693ee50dd2d3a7dbb9dd485118f186d341510fdd254b70

SHA512
c25b36ba3ebd84ccfa507a67eaecdc2ec6cf922a989f69dc4a8c169bb3d0d9fac7e9a6851abee97b2a5498bdc97fe893e2376f768da9050c94c0666f0af05b9f

Download Submit
C:\Windows\System\POTblRu.exe
Filesize
5.2MB

MD5
883fc830361f5135ea418581e6bb2ab9

SHA1
e5fe5dfef62d4bb0bfc698de76c7325ee93ae582

SHA256
5d326db289cf5d8951de91e0492e8a64885924aae1ebbd62aaf7a64a7aee6f99

SHA512
214acb4eac72fb7577b1dce10f3ae9caa6905a9008664b63a318fdc2663d28ec5e49ddce9220b2c84425f68eb05b0185b7f151e05a2d64933f46d006b29dfad8

Download Submit
C:\Windows\System\WYyUtkB.exe
Filesize
5.2MB

MD5
f0ca19e61f02caf50975e189329c3ee4

SHA1
60beab1f868b6aa927f30efc46c55aae7bc90485

SHA256
a66ebb60e312bd2e4bd7f679480f31e265a8efe7ee19d9a6240c266df3441fa0

SHA512
a9d0645f9776dad12abe72ed2c380e1b6386d04ff34e5f643dd45a406d97c95ed62b67edf9f2f9d2417aa0c9b06fdef78fdcc23c653700fe9786db9fbb63b147

Download Submit
C:\Windows\System\XOYkIpX.exe
Filesize
5.2MB

MD5
ecf8b5ed44ef0e089d97f4a36a535abd

SHA1
72a279a74d4ecee09b6c0ae4214a6610b69db1cc

SHA256
20dbf5d22ddacea334d81e060b0841954cdbfd6d6d3e9c22ba6b437ffece82e8

SHA512
c3a05f1d6851593fd1217812679109cdd4dee8811df75f4f44b46f9ee75ca9f637cd86a6e750fd9907ff3756d117f913afe8a0e7e773f3976996dcc5b0c5d962

Download Submit
C:\Windows\System\YEpKZdk.exe
Filesize
5.2MB

MD5
c965b900b39d59f63c8735b3157edef2

SHA1
57dde3cfdb43ac17a7ed2345339cc1140663425e

SHA256
22431c5b7ce2285b823e7464420bee96a5c1ceb11ea26e08cb3d53004e8794e1

SHA512
db7b1e37495196caa85076de7ee2ca31369b726651cfcd3d843c71df7a3375e475b8df99b640baac73d5113d12922527a0163305fa6d23f51449053221374449

Download Submit
C:\Windows\System\ZXGeXhw.exe
Filesize
5.2MB

MD5
684d7a0c5099b0bb52efe5b13fc5ec8e

SHA1
9bba560ce06231515284e6a603019b8fa5508457

SHA256
6ee4d6bed08eb41252289ec17c1cba3e294b7effe9ef8ab85028bc4308514f72

SHA512
f162dec3fe58bd67267d4f5de84857091a6dfcdc96808351aaadd49c91d75ffd06f1bf77244d02837da6a3366f4b9e05ccd734a78b5be86332ecbff813419964

Download Submit
C:\Windows\System\fVAgTrO.exe
Filesize
5.2MB

MD5
3eb04c550fc37ac76bdb0222cb57b3d5

SHA1
59605a51caacb50ca8eba2f3aea42bc9d6b82978

SHA256
4d870e1c1e9f577675d7372f31c9a940e96e975eb1b0734a87d344c6382b4583

SHA512
f5d5f1ad22c5b54d90b9259a607c71f093c152dd3b082fe61e2a3819d530e3707c714e5bc28441445240676a46e65d5606a2d72283295972e71ef93f3d410ec0

Download Submit
C:\Windows\System\lCMOfKp.exe
Filesize
5.2MB

MD5
61b3bde93bf0b0f05a1ef7acbfd7c31c

SHA1
342f0f56fa5e1c3156ee13176e2ec197f3d160e0

SHA256
5a167328bbfb9840985ba851b72e739ff1c7e0cb9eb1add05cad32977bdd0f32

SHA512
dce7d2439ecd95c4ce676c12bebe611b0bdbacaea20f7dc9fcb5e81dcd5d3367ec439a0144792e4b9f9ed3cf458265937ad7a5a77b20721f6d6c583fbd2e1ab9

Download Submit
C:\Windows\System\mIhqkan.exe
Filesize
5.2MB

MD5
f1739f80dbfa5046282b9ac912d6229c

SHA1
258e70a7031ba78549d1da6328fbcbbfa1301e32

SHA256
96bca395fe11935904de8951025372d8db08d851d42660ae41576a6e04c64380

SHA512
0d713b4690ca1e533040c218f8652b0f143162976848cb921742a3fd13b4065968d1e060d5cfd23371f259e01dabfc6ad482cfb178ea9d291f187c010a66393f

Download Submit
C:\Windows\System\sScKPax.exe
Filesize
5.2MB

MD5
ee0f2de4b6ac6b29c484981ce11e5c79

SHA1
09d67d29928846e1c4450b43860887dbe6fa934a

SHA256
74457580f6f0df554aa3bd07eb68827d6a80df14f8c95281d94f002aa4d67680

SHA512
8bbcb7225952839212f9d771e7344f4df957cb4bde0d9c0c5fcb99836217bf25bb6c3532df0b95b03b748d33196c19c6050a30db65fb02561bfb634e8775d054

Download Submit
C:\Windows\System\uwAfZhI.exe
Filesize
5.2MB

MD5
8931ef347be81f14c47bd0b1ef94a240

SHA1
34efab21bf60f1b8f28dcad8217e055cca2b2960

SHA256
0151eda02ce660371c3deb649f83b606d6ee47ceca3acc92b6dd9901d7f68fe6

SHA512
367e4458c77eca7f55eb153353b8f9a90983e978e9aea6f50c58e1f431034e5e9b7132b196e1aaabdee696a3c3e0dc6f36dd5835e4b98b85e0c986dd2f7cfe19

Download Submit
C:\Windows\System\vufXqHh.exe
Filesize
5.2MB

MD5
d56cb85667edb0244cfe04bf5e930501

SHA1
f026bb19381ed529208e41c058631df8f4dae734

SHA256
d374d9d89d8bc1725f938ae1a455c282479c7568dd72e6207f7e18225933e92a

SHA512
73079f8ae38513ae652ff011816d9e915ebef5df610159774efd69b4cc2302b3a87a2a2929e9bd0a7a5b3ebb41d877e5a4bc163ddb91185ac7bdc918b47d0e99

Download Submit
C:\Windows\System\yaxYhiF.exe
Filesize
5.2MB

MD5
27690e471953e818ce80b1612a0e2584

SHA1
2011ff3342979eda06b2165bd5613052f3052bb5

SHA256
8a4a69fc9c551de8b5e4510887dbba60335bb5058763fb293daf123f9e9a99f1

SHA512
66f7584663e8cf9123eecc58890c5ec360ee719be110a86ece71adfdec147b0cc485fb7e653a67dc712c8225284a6d2fb91dcdeb042b59bfdab9d24f0c2e0948

Download Submit
C:\Windows\System\zGWfEEC.exe
Filesize
5.2MB

MD5
4ad0b67d09dadaf1580b6579c2a064fa

SHA1
0498159e25d50ce955df037ad2eae6274d016711

SHA256
41fc15e52a521af0be812e8227e0bc3ba1854950291e545bc270af3e808d757e

SHA512
1ae9f8266cb654d971917b166f868d87e420d6d6b99387ea8a220ac569ffa78f6455534707aec3ed5d5bda9ee456566e05d35a21e7d214f76365bf4bb57b6aa0

Download Submit
C:\Windows\System\zgeSeMh.exe
Filesize
5.2MB

MD5
df64b016c127b8e2497e85253ab5f58c

SHA1
8c54949c36b97863877bc1c4427e4b09c3c42419

SHA256
4bedbaf6133d9c2b5e0f4af1a801348f42aa8c255004dbd7ad6f27ddde5ffb4e

SHA512
dbbea9746d38baa0d3d02eff67bb2914fc3a2885a8568a7969600b7c87bbd1e578c9e69c7643d8f205937f61ebea718c25c5c59e27385b4483cdb3e544c95044

Download Submit
memory/1484-125-0x00007FF631180000-0x00007FF6314D1000-memory.dmp

Filesize
3.3MB

Download
memory/1484-14-0x00007FF631180000-0x00007FF6314D1000-memory.dmp

Filesize
3.3MB

Download
memory/1484-202-0x00007FF631180000-0x00007FF6314D1000-memory.dmp

Filesize
3.3MB

Download
memory/1600-200-0x00007FF7B0F60000-0x00007FF7B12B1000-memory.dmp

Filesize
3.3MB

Download
memory/1600-128-0x00007FF7B0F60000-0x00007FF7B12B1000-memory.dmp

Filesize
3.3MB

Download
memory/1600-6-0x00007FF7B0F60000-0x00007FF7B12B1000-memory.dmp

Filesize
3.3MB

Download
memory/1816-87-0x00007FF71DAE0000-0x00007FF71DE31000-memory.dmp

Filesize
3.3MB

Download
memory/1816-240-0x00007FF71DAE0000-0x00007FF71DE31000-memory.dmp

Filesize
3.3MB

Download
memory/1984-59-0x00007FF65C780000-0x00007FF65CAD1000-memory.dmp

Filesize
3.3MB

Download
memory/1984-233-0x00007FF65C780000-0x00007FF65CAD1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-215-0x00007FF7AC4C0000-0x00007FF7AC811000-memory.dmp

Filesize
3.3MB

Download
memory/2036-137-0x00007FF7AC4C0000-0x00007FF7AC811000-memory.dmp

Filesize
3.3MB

Download
memory/2036-48-0x00007FF7AC4C0000-0x00007FF7AC811000-memory.dmp

Filesize
3.3MB

Download
memory/2280-129-0x00007FF67B980000-0x00007FF67BCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2280-247-0x00007FF67B980000-0x00007FF67BCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-95-0x00007FF6EC0E0000-0x00007FF6EC431000-memory.dmp

Filesize
3.3MB

Download
memory/2388-245-0x00007FF6EC0E0000-0x00007FF6EC431000-memory.dmp

Filesize
3.3MB

Download
memory/2684-134-0x00007FF6DEFE0000-0x00007FF6DF331000-memory.dmp

Filesize
3.3MB

Download
memory/2684-257-0x00007FF6DEFE0000-0x00007FF6DF331000-memory.dmp

Filesize
3.3MB

Download
memory/2748-235-0x00007FF6DD590000-0x00007FF6DD8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-64-0x00007FF6DD590000-0x00007FF6DD8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-133-0x00007FF79B6B0000-0x00007FF79BA01000-memory.dmp

Filesize
3.3MB

Download
memory/2828-252-0x00007FF79B6B0000-0x00007FF79BA01000-memory.dmp

Filesize
3.3MB

Download
memory/2872-52-0x00007FF631100000-0x00007FF631451000-memory.dmp

Filesize
3.3MB

Download
memory/2872-231-0x00007FF631100000-0x00007FF631451000-memory.dmp

Filesize
3.3MB

Download
memory/2872-138-0x00007FF631100000-0x00007FF631451000-memory.dmp

Filesize
3.3MB

Download
memory/2928-249-0x00007FF697370000-0x00007FF6976C1000-memory.dmp

Filesize
3.3MB

Download
memory/2928-130-0x00007FF697370000-0x00007FF6976C1000-memory.dmp

Filesize
3.3MB

Download
memory/3032-238-0x00007FF66B1E0000-0x00007FF66B531000-memory.dmp

Filesize
3.3MB

Download
memory/3032-88-0x00007FF66B1E0000-0x00007FF66B531000-memory.dmp

Filesize
3.3MB

Download
memory/3380-127-0x00007FF7C7D40000-0x00007FF7C8091000-memory.dmp

Filesize
3.3MB

Download
memory/3380-24-0x00007FF7C7D40000-0x00007FF7C8091000-memory.dmp

Filesize
3.3MB

Download
memory/3380-209-0x00007FF7C7D40000-0x00007FF7C8091000-memory.dmp

Filesize
3.3MB

Download
memory/3476-131-0x00007FF64F680000-0x00007FF64F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/3476-256-0x00007FF64F680000-0x00007FF64F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/3560-135-0x00007FF788070000-0x00007FF7883C1000-memory.dmp

Filesize
3.3MB

Download
memory/3560-211-0x00007FF788070000-0x00007FF7883C1000-memory.dmp

Filesize
3.3MB

Download
memory/3560-32-0x00007FF788070000-0x00007FF7883C1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-152-0x00007FF755580000-0x00007FF7558D1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-0-0x00007FF755580000-0x00007FF7558D1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-123-0x00007FF755580000-0x00007FF7558D1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-85-0x00007FF755580000-0x00007FF7558D1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-1-0x0000023542F50000-0x0000023542F60000-memory.dmp

Filesize
64KB

Download
memory/4244-132-0x00007FF75CAF0000-0x00007FF75CE41000-memory.dmp

Filesize
3.3MB

Download
memory/4244-253-0x00007FF75CAF0000-0x00007FF75CE41000-memory.dmp

Filesize
3.3MB

Download
memory/4372-92-0x00007FF796AA0000-0x00007FF796DF1000-memory.dmp

Filesize
3.3MB

Download
memory/4372-243-0x00007FF796AA0000-0x00007FF796DF1000-memory.dmp

Filesize
3.3MB

Download
memory/4720-20-0x00007FF7314A0000-0x00007FF7317F1000-memory.dmp

Filesize
3.3MB

Download
memory/4720-204-0x00007FF7314A0000-0x00007FF7317F1000-memory.dmp

Filesize
3.3MB

Download
memory/5008-213-0x00007FF6EBE50000-0x00007FF6EC1A1000-memory.dmp

Filesize
3.3MB

Download
memory/5008-40-0x00007FF6EBE50000-0x00007FF6EC1A1000-memory.dmp

Filesize
3.3MB

Download
memory/5020-86-0x00007FF63CB60000-0x00007FF63CEB1000-memory.dmp

Filesize
3.3MB

Download
memory/5020-241-0x00007FF63CB60000-0x00007FF63CEB1000-memory.dmp

Filesize
3.3MB

Download