cobaltstrike | e676a099c9b89390acbf118ef728ffde42fdc98bbd08c13a3b0b3d0d163986eb

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
Size

5.2MB
MD5

2ded641c530bed74b9a94c14e707963e
SHA1

fef48e255960b4d6632a89a50e6ac9036908ab73
SHA256

e676a099c9b89390acbf118ef728ffde42fdc98bbd08c13a3b0b3d0d163986eb
SHA512

041570d04cf0a3385fd602560f6ce01d804b2a74987ddb1b2144f975c5bf181629ef708dc8c7196fff37fce78b991b227acc9ee44385f07f57668933d13e53d4
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lO:RWWBibf56utgpPFotBER/mQ32lUy

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\KwstYpZ.exe	cobalt_reflective_dll
C:\Windows\System\aMOBwue.exe	cobalt_reflective_dll
C:\Windows\System\tzWrFDm.exe	cobalt_reflective_dll
C:\Windows\System\vbhxnnl.exe	cobalt_reflective_dll
C:\Windows\System\uJwJbbH.exe	cobalt_reflective_dll
C:\Windows\System\GXsQWqY.exe	cobalt_reflective_dll
C:\Windows\System\acZtsOp.exe	cobalt_reflective_dll
C:\Windows\System\qUcARmP.exe	cobalt_reflective_dll
C:\Windows\System\xmgObJL.exe	cobalt_reflective_dll
C:\Windows\System\eeTprBR.exe	cobalt_reflective_dll
C:\Windows\System\qxzRcgC.exe	cobalt_reflective_dll
C:\Windows\System\UwKbyPP.exe	cobalt_reflective_dll
C:\Windows\System\xCKzkhm.exe	cobalt_reflective_dll
C:\Windows\System\VOuAUXa.exe	cobalt_reflective_dll
C:\Windows\System\bEQYKrB.exe	cobalt_reflective_dll
C:\Windows\System\BvSRmPZ.exe	cobalt_reflective_dll
C:\Windows\System\vIxOZij.exe	cobalt_reflective_dll
C:\Windows\System\hvNWcNz.exe	cobalt_reflective_dll
C:\Windows\System\vRivNMR.exe	cobalt_reflective_dll
C:\Windows\System\YbxgIar.exe	cobalt_reflective_dll
C:\Windows\System\rdRCaBa.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1672-25-0x00007FF7E6B80000-0x00007FF7E6ED1000-memory.dmp	xmrig
behavioral2/memory/5016-29-0x00007FF76AD50000-0x00007FF76B0A1000-memory.dmp	xmrig
behavioral2/memory/1892-38-0x00007FF6574E0000-0x00007FF657831000-memory.dmp	xmrig
behavioral2/memory/2216-59-0x00007FF63D5E0000-0x00007FF63D931000-memory.dmp	xmrig
behavioral2/memory/1708-71-0x00007FF613270000-0x00007FF6135C1000-memory.dmp	xmrig
behavioral2/memory/2480-57-0x00007FF720000000-0x00007FF720351000-memory.dmp	xmrig
behavioral2/memory/4428-121-0x00007FF6D3D20000-0x00007FF6D4071000-memory.dmp	xmrig
behavioral2/memory/2568-126-0x00007FF7C4F60000-0x00007FF7C52B1000-memory.dmp	xmrig
behavioral2/memory/636-127-0x00007FF7325C0000-0x00007FF732911000-memory.dmp	xmrig
behavioral2/memory/1604-128-0x00007FF610D40000-0x00007FF611091000-memory.dmp	xmrig
behavioral2/memory/3328-130-0x00007FF60EC40000-0x00007FF60EF91000-memory.dmp	xmrig
behavioral2/memory/3572-132-0x00007FF7A61B0000-0x00007FF7A6501000-memory.dmp	xmrig
behavioral2/memory/1204-133-0x00007FF666FE0000-0x00007FF667331000-memory.dmp	xmrig
behavioral2/memory/2864-131-0x00007FF72E250000-0x00007FF72E5A1000-memory.dmp	xmrig
behavioral2/memory/4924-129-0x00007FF74CE20000-0x00007FF74D171000-memory.dmp	xmrig
behavioral2/memory/4972-124-0x00007FF70ED00000-0x00007FF70F051000-memory.dmp	xmrig
behavioral2/memory/3428-120-0x00007FF7FA7C0000-0x00007FF7FAB11000-memory.dmp	xmrig
behavioral2/memory/636-119-0x00007FF7325C0000-0x00007FF732911000-memory.dmp	xmrig
behavioral2/memory/1636-134-0x00007FF6FB570000-0x00007FF6FB8C1000-memory.dmp	xmrig
behavioral2/memory/4088-139-0x00007FF783880000-0x00007FF783BD1000-memory.dmp	xmrig
behavioral2/memory/3780-137-0x00007FF7C1930000-0x00007FF7C1C81000-memory.dmp	xmrig
behavioral2/memory/4252-148-0x00007FF7041B0000-0x00007FF704501000-memory.dmp	xmrig
behavioral2/memory/1592-147-0x00007FF6F9DA0000-0x00007FF6FA0F1000-memory.dmp	xmrig
behavioral2/memory/636-149-0x00007FF7325C0000-0x00007FF732911000-memory.dmp	xmrig
behavioral2/memory/3428-199-0x00007FF7FA7C0000-0x00007FF7FAB11000-memory.dmp	xmrig
behavioral2/memory/4428-201-0x00007FF6D3D20000-0x00007FF6D4071000-memory.dmp	xmrig
behavioral2/memory/1672-203-0x00007FF7E6B80000-0x00007FF7E6ED1000-memory.dmp	xmrig
behavioral2/memory/5016-205-0x00007FF76AD50000-0x00007FF76B0A1000-memory.dmp	xmrig
behavioral2/memory/1892-207-0x00007FF6574E0000-0x00007FF657831000-memory.dmp	xmrig
behavioral2/memory/4972-209-0x00007FF70ED00000-0x00007FF70F051000-memory.dmp	xmrig
behavioral2/memory/2568-211-0x00007FF7C4F60000-0x00007FF7C52B1000-memory.dmp	xmrig
behavioral2/memory/2480-223-0x00007FF720000000-0x00007FF720351000-memory.dmp	xmrig
behavioral2/memory/2216-225-0x00007FF63D5E0000-0x00007FF63D931000-memory.dmp	xmrig
behavioral2/memory/3780-227-0x00007FF7C1930000-0x00007FF7C1C81000-memory.dmp	xmrig
behavioral2/memory/1708-229-0x00007FF613270000-0x00007FF6135C1000-memory.dmp	xmrig
behavioral2/memory/4088-231-0x00007FF783880000-0x00007FF783BD1000-memory.dmp	xmrig
behavioral2/memory/1604-233-0x00007FF610D40000-0x00007FF611091000-memory.dmp	xmrig
behavioral2/memory/4924-235-0x00007FF74CE20000-0x00007FF74D171000-memory.dmp	xmrig
behavioral2/memory/3328-237-0x00007FF60EC40000-0x00007FF60EF91000-memory.dmp	xmrig
behavioral2/memory/2864-239-0x00007FF72E250000-0x00007FF72E5A1000-memory.dmp	xmrig
behavioral2/memory/1204-242-0x00007FF666FE0000-0x00007FF667331000-memory.dmp	xmrig
behavioral2/memory/3572-243-0x00007FF7A61B0000-0x00007FF7A6501000-memory.dmp	xmrig
behavioral2/memory/1636-245-0x00007FF6FB570000-0x00007FF6FB8C1000-memory.dmp	xmrig
behavioral2/memory/4252-247-0x00007FF7041B0000-0x00007FF704501000-memory.dmp	xmrig
behavioral2/memory/1592-249-0x00007FF6F9DA0000-0x00007FF6FA0F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

KwstYpZ.exeaMOBwue.exetzWrFDm.exevbhxnnl.exeuJwJbbH.exeGXsQWqY.exeacZtsOp.exeqUcARmP.exexmgObJL.exeeeTprBR.exeqxzRcgC.exeUwKbyPP.exexCKzkhm.exerdRCaBa.exeVOuAUXa.exeYbxgIar.exebEQYKrB.exevRivNMR.exehvNWcNz.exeBvSRmPZ.exevIxOZij.exe

pid	process
3428	KwstYpZ.exe
4428	aMOBwue.exe
1672	tzWrFDm.exe
5016	vbhxnnl.exe
4972	uJwJbbH.exe
1892	GXsQWqY.exe
2568	acZtsOp.exe
2480	qUcARmP.exe
2216	xmgObJL.exe
3780	eeTprBR.exe
1708	qxzRcgC.exe
4088	UwKbyPP.exe
1604	xCKzkhm.exe
4924	rdRCaBa.exe
3328	VOuAUXa.exe
2864	YbxgIar.exe
3572	bEQYKrB.exe
1204	vRivNMR.exe
1636	hvNWcNz.exe
1592	BvSRmPZ.exe
4252	vIxOZij.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/636-0-0x00007FF7325C0000-0x00007FF732911000-memory.dmp	upx
C:\Windows\System\KwstYpZ.exe	upx
behavioral2/memory/3428-8-0x00007FF7FA7C0000-0x00007FF7FAB11000-memory.dmp	upx
C:\Windows\System\aMOBwue.exe	upx
C:\Windows\System\tzWrFDm.exe	upx
behavioral2/memory/4428-13-0x00007FF6D3D20000-0x00007FF6D4071000-memory.dmp	upx
C:\Windows\System\vbhxnnl.exe	upx
behavioral2/memory/1672-25-0x00007FF7E6B80000-0x00007FF7E6ED1000-memory.dmp	upx
behavioral2/memory/5016-29-0x00007FF76AD50000-0x00007FF76B0A1000-memory.dmp	upx
C:\Windows\System\uJwJbbH.exe	upx
C:\Windows\System\GXsQWqY.exe	upx
behavioral2/memory/1892-38-0x00007FF6574E0000-0x00007FF657831000-memory.dmp	upx
behavioral2/memory/4972-30-0x00007FF70ED00000-0x00007FF70F051000-memory.dmp	upx
C:\Windows\System\acZtsOp.exe	upx
behavioral2/memory/2568-44-0x00007FF7C4F60000-0x00007FF7C52B1000-memory.dmp	upx
C:\Windows\System\qUcARmP.exe	upx
C:\Windows\System\xmgObJL.exe	upx
behavioral2/memory/2216-59-0x00007FF63D5E0000-0x00007FF63D931000-memory.dmp	upx
C:\Windows\System\eeTprBR.exe	upx
C:\Windows\System\qxzRcgC.exe	upx
behavioral2/memory/1708-71-0x00007FF613270000-0x00007FF6135C1000-memory.dmp	upx
C:\Windows\System\UwKbyPP.exe	upx
C:\Windows\System\xCKzkhm.exe	upx
C:\Windows\System\VOuAUXa.exe	upx
C:\Windows\System\bEQYKrB.exe	upx
C:\Windows\System\BvSRmPZ.exe	upx
C:\Windows\System\vIxOZij.exe	upx
C:\Windows\System\hvNWcNz.exe	upx
C:\Windows\System\vRivNMR.exe	upx
C:\Windows\System\YbxgIar.exe	upx
C:\Windows\System\rdRCaBa.exe	upx
behavioral2/memory/4088-72-0x00007FF783880000-0x00007FF783BD1000-memory.dmp	upx
behavioral2/memory/3780-60-0x00007FF7C1930000-0x00007FF7C1C81000-memory.dmp	upx
behavioral2/memory/2480-57-0x00007FF720000000-0x00007FF720351000-memory.dmp	upx
behavioral2/memory/4428-121-0x00007FF6D3D20000-0x00007FF6D4071000-memory.dmp	upx
behavioral2/memory/2568-126-0x00007FF7C4F60000-0x00007FF7C52B1000-memory.dmp	upx
behavioral2/memory/636-127-0x00007FF7325C0000-0x00007FF732911000-memory.dmp	upx
behavioral2/memory/1604-128-0x00007FF610D40000-0x00007FF611091000-memory.dmp	upx
behavioral2/memory/3328-130-0x00007FF60EC40000-0x00007FF60EF91000-memory.dmp	upx
behavioral2/memory/3572-132-0x00007FF7A61B0000-0x00007FF7A6501000-memory.dmp	upx
behavioral2/memory/1204-133-0x00007FF666FE0000-0x00007FF667331000-memory.dmp	upx
behavioral2/memory/2864-131-0x00007FF72E250000-0x00007FF72E5A1000-memory.dmp	upx
behavioral2/memory/4924-129-0x00007FF74CE20000-0x00007FF74D171000-memory.dmp	upx
behavioral2/memory/4972-124-0x00007FF70ED00000-0x00007FF70F051000-memory.dmp	upx
behavioral2/memory/3428-120-0x00007FF7FA7C0000-0x00007FF7FAB11000-memory.dmp	upx
behavioral2/memory/636-119-0x00007FF7325C0000-0x00007FF732911000-memory.dmp	upx
behavioral2/memory/1636-134-0x00007FF6FB570000-0x00007FF6FB8C1000-memory.dmp	upx
behavioral2/memory/4088-139-0x00007FF783880000-0x00007FF783BD1000-memory.dmp	upx
behavioral2/memory/3780-137-0x00007FF7C1930000-0x00007FF7C1C81000-memory.dmp	upx
behavioral2/memory/4252-148-0x00007FF7041B0000-0x00007FF704501000-memory.dmp	upx
behavioral2/memory/1592-147-0x00007FF6F9DA0000-0x00007FF6FA0F1000-memory.dmp	upx
behavioral2/memory/636-149-0x00007FF7325C0000-0x00007FF732911000-memory.dmp	upx
behavioral2/memory/3428-199-0x00007FF7FA7C0000-0x00007FF7FAB11000-memory.dmp	upx
behavioral2/memory/4428-201-0x00007FF6D3D20000-0x00007FF6D4071000-memory.dmp	upx
behavioral2/memory/1672-203-0x00007FF7E6B80000-0x00007FF7E6ED1000-memory.dmp	upx
behavioral2/memory/5016-205-0x00007FF76AD50000-0x00007FF76B0A1000-memory.dmp	upx
behavioral2/memory/1892-207-0x00007FF6574E0000-0x00007FF657831000-memory.dmp	upx
behavioral2/memory/4972-209-0x00007FF70ED00000-0x00007FF70F051000-memory.dmp	upx
behavioral2/memory/2568-211-0x00007FF7C4F60000-0x00007FF7C52B1000-memory.dmp	upx
behavioral2/memory/2480-223-0x00007FF720000000-0x00007FF720351000-memory.dmp	upx
behavioral2/memory/2216-225-0x00007FF63D5E0000-0x00007FF63D931000-memory.dmp	upx
behavioral2/memory/3780-227-0x00007FF7C1930000-0x00007FF7C1C81000-memory.dmp	upx
behavioral2/memory/1708-229-0x00007FF613270000-0x00007FF6135C1000-memory.dmp	upx
behavioral2/memory/4088-231-0x00007FF783880000-0x00007FF783BD1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\uJwJbbH.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\GXsQWqY.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\qUcARmP.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\rdRCaBa.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\KwstYpZ.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\qxzRcgC.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\bEQYKrB.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\vRivNMR.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\xCKzkhm.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\hvNWcNz.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\BvSRmPZ.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\aMOBwue.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\tzWrFDm.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\vbhxnnl.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\acZtsOp.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\eeTprBR.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\vIxOZij.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\xmgObJL.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\UwKbyPP.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\VOuAUXa.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
File created	C:\Windows\System\YbxgIar.exe	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process
Token: SeLockMemoryPrivilege	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe

description	pid	process	target process
PID 636 wrote to memory of 3428	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	KwstYpZ.exe
PID 636 wrote to memory of 3428	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	KwstYpZ.exe
PID 636 wrote to memory of 4428	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	aMOBwue.exe
PID 636 wrote to memory of 4428	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	aMOBwue.exe
PID 636 wrote to memory of 1672	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	tzWrFDm.exe
PID 636 wrote to memory of 1672	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	tzWrFDm.exe
PID 636 wrote to memory of 5016	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	vbhxnnl.exe
PID 636 wrote to memory of 5016	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	vbhxnnl.exe
PID 636 wrote to memory of 4972	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	uJwJbbH.exe
PID 636 wrote to memory of 4972	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	uJwJbbH.exe
PID 636 wrote to memory of 1892	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	GXsQWqY.exe
PID 636 wrote to memory of 1892	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	GXsQWqY.exe
PID 636 wrote to memory of 2568	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	acZtsOp.exe
PID 636 wrote to memory of 2568	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	acZtsOp.exe
PID 636 wrote to memory of 2480	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	qUcARmP.exe
PID 636 wrote to memory of 2480	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	qUcARmP.exe
PID 636 wrote to memory of 2216	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	xmgObJL.exe
PID 636 wrote to memory of 2216	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	xmgObJL.exe
PID 636 wrote to memory of 3780	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	eeTprBR.exe
PID 636 wrote to memory of 3780	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	eeTprBR.exe
PID 636 wrote to memory of 1708	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	qxzRcgC.exe
PID 636 wrote to memory of 1708	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	qxzRcgC.exe
PID 636 wrote to memory of 4088	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	UwKbyPP.exe
PID 636 wrote to memory of 4088	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	UwKbyPP.exe
PID 636 wrote to memory of 1604	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	xCKzkhm.exe
PID 636 wrote to memory of 1604	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	xCKzkhm.exe
PID 636 wrote to memory of 4924	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	rdRCaBa.exe
PID 636 wrote to memory of 4924	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	rdRCaBa.exe
PID 636 wrote to memory of 3328	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	VOuAUXa.exe
PID 636 wrote to memory of 3328	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	VOuAUXa.exe
PID 636 wrote to memory of 2864	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	YbxgIar.exe
PID 636 wrote to memory of 2864	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	YbxgIar.exe
PID 636 wrote to memory of 3572	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	bEQYKrB.exe
PID 636 wrote to memory of 3572	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	bEQYKrB.exe
PID 636 wrote to memory of 1204	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	vRivNMR.exe
PID 636 wrote to memory of 1204	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	vRivNMR.exe
PID 636 wrote to memory of 1636	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	hvNWcNz.exe
PID 636 wrote to memory of 1636	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	hvNWcNz.exe
PID 636 wrote to memory of 1592	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	BvSRmPZ.exe
PID 636 wrote to memory of 1592	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	BvSRmPZ.exe
PID 636 wrote to memory of 4252	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	vIxOZij.exe
PID 636 wrote to memory of 4252	636	202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe	vIxOZij.exe

C:\Users\Admin\AppData\Local\Temp\202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\202405202ded641c530bed74b9a94c14e707963ecobaltstrikecobaltstrike_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\System\KwstYpZ.exe
C:\Windows\System\KwstYpZ.exe
2⤵
- Executes dropped EXE
PID:3428

C:\Windows\System\aMOBwue.exe
C:\Windows\System\aMOBwue.exe
2⤵
- Executes dropped EXE
PID:4428

C:\Windows\System\tzWrFDm.exe
C:\Windows\System\tzWrFDm.exe
2⤵
- Executes dropped EXE
PID:1672

C:\Windows\System\vbhxnnl.exe
C:\Windows\System\vbhxnnl.exe
2⤵
- Executes dropped EXE
PID:5016

C:\Windows\System\uJwJbbH.exe
C:\Windows\System\uJwJbbH.exe
2⤵
- Executes dropped EXE
PID:4972

C:\Windows\System\GXsQWqY.exe
C:\Windows\System\GXsQWqY.exe
2⤵
- Executes dropped EXE
PID:1892

C:\Windows\System\acZtsOp.exe
C:\Windows\System\acZtsOp.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\qUcARmP.exe
C:\Windows\System\qUcARmP.exe
2⤵
- Executes dropped EXE
PID:2480

C:\Windows\System\xmgObJL.exe
C:\Windows\System\xmgObJL.exe
2⤵
- Executes dropped EXE
PID:2216

C:\Windows\System\eeTprBR.exe
C:\Windows\System\eeTprBR.exe
2⤵
- Executes dropped EXE
PID:3780

C:\Windows\System\qxzRcgC.exe
C:\Windows\System\qxzRcgC.exe
2⤵
- Executes dropped EXE
PID:1708

C:\Windows\System\UwKbyPP.exe
C:\Windows\System\UwKbyPP.exe
2⤵
- Executes dropped EXE
PID:4088

C:\Windows\System\xCKzkhm.exe
C:\Windows\System\xCKzkhm.exe
2⤵
- Executes dropped EXE
PID:1604

C:\Windows\System\rdRCaBa.exe
C:\Windows\System\rdRCaBa.exe
2⤵
- Executes dropped EXE
PID:4924

C:\Windows\System\VOuAUXa.exe
C:\Windows\System\VOuAUXa.exe
2⤵
- Executes dropped EXE
PID:3328

C:\Windows\System\YbxgIar.exe
C:\Windows\System\YbxgIar.exe
2⤵
- Executes dropped EXE
PID:2864

C:\Windows\System\bEQYKrB.exe
C:\Windows\System\bEQYKrB.exe
2⤵
- Executes dropped EXE
PID:3572

C:\Windows\System\vRivNMR.exe
C:\Windows\System\vRivNMR.exe
2⤵
- Executes dropped EXE
PID:1204

C:\Windows\System\hvNWcNz.exe
C:\Windows\System\hvNWcNz.exe
2⤵
- Executes dropped EXE
PID:1636

C:\Windows\System\BvSRmPZ.exe
C:\Windows\System\BvSRmPZ.exe
2⤵
- Executes dropped EXE
PID:1592

C:\Windows\System\vIxOZij.exe
C:\Windows\System\vIxOZij.exe
2⤵
- Executes dropped EXE
PID:4252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BvSRmPZ.exe
Filesize
5.2MB

MD5
5b3f391910d337448157cf00d5bcaa9b

SHA1
0b1001ed3114a0f2463422d06fa8c7050da3314e

SHA256
225462b12c6fdca62195e04004404a2edf3cffd45d251d8bfa206a980cb1e3e3

SHA512
20090134794cce7379b72af39e1eb46f1755d4aec353d8207c565c20afdf9e34e172d305857600dee953540fcb9a06fe7a70e2ecbbf85c02552620008cd3b343

Download Submit
C:\Windows\System\GXsQWqY.exe
Filesize
5.2MB

MD5
625fb10d3ade4fa2e55029f31588099e

SHA1
b2ec5d0c83e808e896461392c39930ad69249993

SHA256
c7877424e0e74a4f24d075fa9f24d34cc40a3b92e6b9ee434b809b8de1fd63bc

SHA512
c09b2a86ed372554a856254ac9975065c5ea6c60a3d5bb1839866f0e6fc736aace56ffd518ec5db069d6c1a45519c8e1653acce1a1463ee50c68ff1792380a8a

Download Submit
C:\Windows\System\KwstYpZ.exe
Filesize
5.2MB

MD5
4b69f709c5a04ddd1e5127ae3212e092

SHA1
c5e5eb2cd2479078f14b1cb1dcdb6c3da0f67cf1

SHA256
4f91b52d423b47ac05f2850d9483567f40d73c7e231e64b8d21700694104b16a

SHA512
a5118bf62f7a121dab85f751d981e15b6577222f79f31a38b2b7f4cca94534704a8686169ac4cffbc6b59156e9b2244fdfc48b3db4e75b3b3e269d1caef50221

Download Submit
C:\Windows\System\UwKbyPP.exe
Filesize
5.2MB

MD5
bdbe082378caaafd30f1d80a8a2c2983

SHA1
84197721431fe34d0c3015e7d2c67299c507549c

SHA256
5cc7484e944ae790613457358d88e54ea8c837e3d7761acd2ab100b71cf9ca8f

SHA512
4c6e8de0bf075f0d7d3256e7e7a3bd8da8e91f25b2fad26462128a11d1f5f674505f416bedb74049fa4021d3815548eaacb8e27af0b8b48a24fdad585175c555

Download Submit
C:\Windows\System\VOuAUXa.exe
Filesize
5.2MB

MD5
4bc8ebd99fa07b303cb21d30842b3794

SHA1
185059f94db825d58d7d691cc36074d2907a7328

SHA256
ac3aee05379264a927fdfc9b6284892cd979affb1c639205e3bc256ad183fcff

SHA512
5020809fe58142b0238b317cf90d03edf648a22622342b1b94d7d183bd238c5e3bc36e13fa77b8404272b4343b6474fec93038312daf9f6c1cac81edd686d0b1

Download Submit
C:\Windows\System\YbxgIar.exe
Filesize
5.2MB

MD5
956e84a0c357e4aa24b73354930de5b9

SHA1
b1ab5f6f29c600f7a93967b4b0ac1d65de67054b

SHA256
7b84c94ddb657754d8dbcb3d069400fda812dbb62f8d70145ae18b87b8527c55

SHA512
4c942ce58a4497af796b5fbb0146888dcf9d587b86767ca522fb2d8e0e8739f813ed0b99337ff8091faa9284d135ec472879dac1907348711ef14c2d85650b2f

Download Submit
C:\Windows\System\aMOBwue.exe
Filesize
5.2MB

MD5
d23c728ae01403d7cbff94a31a5b5d89

SHA1
e56c35552e16189acd3f4c02ff68fce4aa5a9e73

SHA256
ab2f3dad52476755b4a8be0d38333e5b5fda9ce8d6b1d84b084d9fa90da10d55

SHA512
bc97bdc42b78a97b8376867aa7d19d4a6b22af47b69f7ff0dee7f9a2f25edf8d33e8f433e412fdd2e49267bbeece65238c8fc8957272c8a5eb95b17e9b9fc35f

Download Submit
C:\Windows\System\acZtsOp.exe
Filesize
5.2MB

MD5
55dd79de06993fa93f183a0d56980837

SHA1
a8b9eff545fa96d079401dea4ee711f8222a6276

SHA256
cac9bb047f6ab50cccb06e9a10f223b04b9d9e159d6ef8b3eb26c5c8ce4f2f73

SHA512
f14369c5e2958754cc4d9efb38a261860e19e24d36f99f98a4385252af2182e3df760d97b01713604c66da7448e552b06e239b61af6193fa2a6f96e0a235168f

Download Submit
C:\Windows\System\bEQYKrB.exe
Filesize
5.2MB

MD5
73f8e7b3cf48408273a91f0b1e7496c8

SHA1
21da15a604e197fce759f704512046dab1814a6f

SHA256
a87e99dc3401ad5b045a81a324533491361de1fff79a5e5bddcefb742ce1b375

SHA512
eecbf14a4e7fd4eb1f23f2dedcd495f2135613e0c3eac5cdf47ff895d82a37bdd65774031a81696b3fb876dc403b94d2e6fd24dca84db6d1870af621375e4069

Download Submit
C:\Windows\System\eeTprBR.exe
Filesize
5.2MB

MD5
005a3ebaf1c0906d36dedf16dbc870b1

SHA1
240c1f495c8ea18ff9d4a8079a922fa6c3d862b0

SHA256
3bbebb07880413bc1acf384511013df67ed1296b6f84f24f31261f99b349237a

SHA512
ee2e43c1b563970a2ebb3c83202749e7c580ab29518f8431b6f68ce53d626698317bf6ee0609f2444ab971cba67342b19b87d4c0d3e71facb4ba859f18bf9eed

Download Submit
C:\Windows\System\hvNWcNz.exe
Filesize
5.2MB

MD5
2109f15962058e2f8a3b891d7adf9c90

SHA1
dfe10d1add24bdad3507c7ee435e7c2706f42aad

SHA256
3b0b0b93516b8639309b31c39178c63d96452eb8b91b51664809682781013e86

SHA512
f3c5a2a3ff55a47c57a8ae6eb3e8202fdb3a4c8630436c21dc70f96cf7ad1733c5231507388b754f6fad424d0a824316efa01f2c1a95372eacea7ae5e262d1ed

Download Submit
C:\Windows\System\qUcARmP.exe
Filesize
5.2MB

MD5
fd947c168f23888fbf2c2b1ae033928c

SHA1
f1174485026821ba0687860502ef24b697c7c3bd

SHA256
697700e6deb9ec294989c6008f40d1ea000d34a189b56d7d12c8808ab4263d92

SHA512
5a12ecd611baff0e1c89bf8875c9ae49d7787f1589be571b046eb4af4bd0e0a1890f3af4c392aaf3add7cf63b09f946641c53ccd1483c82b0b112444702b5f88

Download Submit
C:\Windows\System\qxzRcgC.exe
Filesize
5.2MB

MD5
3def849d5bf9afb73c49e6a6ad7fb109

SHA1
e47325baa466c0499e6cf41fb9b715833b8f6791

SHA256
01bead1d4f6c8ac154d918ab8f807fe585a67cac12c007a671305a9758f3fcad

SHA512
a17e6ebbad61a2a0c5847f7735c0dd0171b72191de6dfe054377170da059a40672cf57d267f1aa86d62c413b9c75e20bed34c6dccc546fb99892e6cb7667f298

Download Submit
C:\Windows\System\rdRCaBa.exe
Filesize
5.2MB

MD5
afd2ebaee9089ea5bcbcc3cd014603fe

SHA1
898e303d9bdb821c3966f4b91c13ccb531c999fd

SHA256
4136aaac7356a39f089c8e793e9817ce00736cf4982ab39179e2b25ece6d96eb

SHA512
eeb829feca3dc5e18072e9cd77e0d9851605c2f7f1201e7a3c07f8440859ea5c44a748bfb753c6c1a054c61a5d7d2ddad8289445b5bafd0d022fa1b70eeb310f

Download Submit
C:\Windows\System\tzWrFDm.exe
Filesize
5.2MB

MD5
59bfeb2ed4838fd3f041cf7e960fa8d3

SHA1
486094468f99b8a1510ea04fd950e88bf497253f

SHA256
150a01e1302ad336287708f9a5314092f775d097dd9db2bf3c5df2bb2f597d19

SHA512
a278d7d275b671b7658dc27c49df9c02042126b6921d2e705060833e4071116914ca2706e5a4468c68c4a0769bbf32455167a966b8afb21fd17ba6da566e9812

Download Submit
C:\Windows\System\uJwJbbH.exe
Filesize
5.2MB

MD5
b0008f1d36408dce77f64430f51ec172

SHA1
a9f4099aef6f88aaceb941564da9bed8105ecbcf

SHA256
0a1d6a167df1460c9c2eaf389d616e9618e672ea774a29bd85b6bfd244158305

SHA512
5be65723f7a6b8c99c95d0811a6d01f45f1f35445446d387ad2378841dc944ce31e6be6e6ced2f2fa1d9439d900b4831588dd159225d305364feb15a3bd28292

Download Submit
C:\Windows\System\vIxOZij.exe
Filesize
5.2MB

MD5
63e8bd29df331706a041599a8204d4da

SHA1
b9a1ec3d9325532ce3c2260c1a4935986392b64d

SHA256
62bae64d4bfe24cbff8b4c9a2445b8d4e1fc7e11f2961d252ec86df47b9616b3

SHA512
d2f975b4a59fe43f18f5587e8aab491af80d08d9504e63868023f6c0d1be6f6575386b68e74c4e2a6a4cc75056554b28b8c175dcdaa3aefabe5f5e376630edd0

Download Submit
C:\Windows\System\vRivNMR.exe
Filesize
5.2MB

MD5
ecbe645c26dcd9de115840d6e74843d5

SHA1
6d0e2c829bb5efa9cde42fb7b1563b27f51b3d4d

SHA256
d231d28861360a3b849e138822e11d38b05bae95fac3cab540c2aa627c5a78a4

SHA512
3c5d40164fcde3ed8ed3ea6e96bab27bc1677b285d59778f21243e5698b1e1b540346b1df13620307e00339ebf7f2c01b1dfbeaa2727c5c5d723ef75e9a092ef

Download Submit
C:\Windows\System\vbhxnnl.exe
Filesize
5.2MB

MD5
74dc2658e398d54a875ab8d0e8abafd0

SHA1
de90446280c0af9ac19021c7c03c217b65a1852e

SHA256
258bbe06448576ea5b12d01de20b35a5c255972a97077e8323267c2942b813f5

SHA512
21ac60ec35dc7d783995b62dcf9758fef6c4b092ee26f87773350f222289ef3cd7e4e64646bf2eec141f709031d6a00147efdb4e08de2d372cc3d86d8b405663

Download Submit
C:\Windows\System\xCKzkhm.exe
Filesize
5.2MB

MD5
3dabb414f9c3f99cceed7c49c15aa57f

SHA1
55a5c22771b80ef61eabce45e11375655b7a3037

SHA256
33aa70605d6c57b747b573d043115e3380e80751810cfa9fec5f28771e2032e3

SHA512
db1e05b3f77a334acb184e1ecd1f2ea0010749035ab16d00cd2c50b3f8c2a2a6d50e13eec040f77fc61571fee9ed57a650e3cac2f50925f1a300724316187b6c

Download Submit
C:\Windows\System\xmgObJL.exe
Filesize
5.2MB

MD5
1f27d52365cebae1ba47385d1921e2f7

SHA1
b774588fda7073cfc3a05d12fdfeef495532dc97

SHA256
46266d35796c1638bc3ae6e07bef4173abd253133c61fa9f5fbd6e4c121c9061

SHA512
64c3c88cc67c523d54444d00f8006440b42830a88a0c5e8a5aaa17da4f8c9d87101934f697fc21c2ba32a4c962659129e5b7975a9600b8e2144d930447b35d80

Download Submit
memory/636-127-0x00007FF7325C0000-0x00007FF732911000-memory.dmp

Filesize
3.3MB

Download
memory/636-1-0x000001E6B6440000-0x000001E6B6450000-memory.dmp

Filesize
64KB

Download
memory/636-119-0x00007FF7325C0000-0x00007FF732911000-memory.dmp

Filesize
3.3MB

Download
memory/636-149-0x00007FF7325C0000-0x00007FF732911000-memory.dmp

Filesize
3.3MB

Download
memory/636-0-0x00007FF7325C0000-0x00007FF732911000-memory.dmp

Filesize
3.3MB

Download
memory/1204-133-0x00007FF666FE0000-0x00007FF667331000-memory.dmp

Filesize
3.3MB

Download
memory/1204-242-0x00007FF666FE0000-0x00007FF667331000-memory.dmp

Filesize
3.3MB

Download
memory/1592-147-0x00007FF6F9DA0000-0x00007FF6FA0F1000-memory.dmp

Filesize
3.3MB

Download
memory/1592-249-0x00007FF6F9DA0000-0x00007FF6FA0F1000-memory.dmp

Filesize
3.3MB

Download
memory/1604-233-0x00007FF610D40000-0x00007FF611091000-memory.dmp

Filesize
3.3MB

Download
memory/1604-128-0x00007FF610D40000-0x00007FF611091000-memory.dmp

Filesize
3.3MB

Download
memory/1636-134-0x00007FF6FB570000-0x00007FF6FB8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1636-245-0x00007FF6FB570000-0x00007FF6FB8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1672-25-0x00007FF7E6B80000-0x00007FF7E6ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1672-203-0x00007FF7E6B80000-0x00007FF7E6ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-229-0x00007FF613270000-0x00007FF6135C1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-71-0x00007FF613270000-0x00007FF6135C1000-memory.dmp

Filesize
3.3MB

Download
memory/1892-207-0x00007FF6574E0000-0x00007FF657831000-memory.dmp

Filesize
3.3MB

Download
memory/1892-38-0x00007FF6574E0000-0x00007FF657831000-memory.dmp

Filesize
3.3MB

Download
memory/2216-225-0x00007FF63D5E0000-0x00007FF63D931000-memory.dmp

Filesize
3.3MB

Download
memory/2216-59-0x00007FF63D5E0000-0x00007FF63D931000-memory.dmp

Filesize
3.3MB

Download
memory/2480-57-0x00007FF720000000-0x00007FF720351000-memory.dmp

Filesize
3.3MB

Download
memory/2480-223-0x00007FF720000000-0x00007FF720351000-memory.dmp

Filesize
3.3MB

Download
memory/2568-126-0x00007FF7C4F60000-0x00007FF7C52B1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-44-0x00007FF7C4F60000-0x00007FF7C52B1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-211-0x00007FF7C4F60000-0x00007FF7C52B1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-239-0x00007FF72E250000-0x00007FF72E5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-131-0x00007FF72E250000-0x00007FF72E5A1000-memory.dmp

Filesize
3.3MB

Download
memory/3328-130-0x00007FF60EC40000-0x00007FF60EF91000-memory.dmp

Filesize
3.3MB

Download
memory/3328-237-0x00007FF60EC40000-0x00007FF60EF91000-memory.dmp

Filesize
3.3MB

Download
memory/3428-8-0x00007FF7FA7C0000-0x00007FF7FAB11000-memory.dmp

Filesize
3.3MB

Download
memory/3428-120-0x00007FF7FA7C0000-0x00007FF7FAB11000-memory.dmp

Filesize
3.3MB

Download
memory/3428-199-0x00007FF7FA7C0000-0x00007FF7FAB11000-memory.dmp

Filesize
3.3MB

Download
memory/3572-132-0x00007FF7A61B0000-0x00007FF7A6501000-memory.dmp

Filesize
3.3MB

Download
memory/3572-243-0x00007FF7A61B0000-0x00007FF7A6501000-memory.dmp

Filesize
3.3MB

Download
memory/3780-60-0x00007FF7C1930000-0x00007FF7C1C81000-memory.dmp

Filesize
3.3MB

Download
memory/3780-137-0x00007FF7C1930000-0x00007FF7C1C81000-memory.dmp

Filesize
3.3MB

Download
memory/3780-227-0x00007FF7C1930000-0x00007FF7C1C81000-memory.dmp

Filesize
3.3MB

Download
memory/4088-139-0x00007FF783880000-0x00007FF783BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4088-72-0x00007FF783880000-0x00007FF783BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4088-231-0x00007FF783880000-0x00007FF783BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4252-247-0x00007FF7041B0000-0x00007FF704501000-memory.dmp

Filesize
3.3MB

Download
memory/4252-148-0x00007FF7041B0000-0x00007FF704501000-memory.dmp

Filesize
3.3MB

Download
memory/4428-201-0x00007FF6D3D20000-0x00007FF6D4071000-memory.dmp

Filesize
3.3MB

Download
memory/4428-121-0x00007FF6D3D20000-0x00007FF6D4071000-memory.dmp

Filesize
3.3MB

Download
memory/4428-13-0x00007FF6D3D20000-0x00007FF6D4071000-memory.dmp

Filesize
3.3MB

Download
memory/4924-235-0x00007FF74CE20000-0x00007FF74D171000-memory.dmp

Filesize
3.3MB

Download
memory/4924-129-0x00007FF74CE20000-0x00007FF74D171000-memory.dmp

Filesize
3.3MB

Download
memory/4972-30-0x00007FF70ED00000-0x00007FF70F051000-memory.dmp

Filesize
3.3MB

Download
memory/4972-209-0x00007FF70ED00000-0x00007FF70F051000-memory.dmp

Filesize
3.3MB

Download
memory/4972-124-0x00007FF70ED00000-0x00007FF70F051000-memory.dmp

Filesize
3.3MB

Download
memory/5016-29-0x00007FF76AD50000-0x00007FF76B0A1000-memory.dmp

Filesize
3.3MB

Download
memory/5016-205-0x00007FF76AD50000-0x00007FF76B0A1000-memory.dmp

Filesize
3.3MB

Download