cobaltstrike | a6b2bec4ef3cb07d405fd89a87e27ee8ff3fa3210959fe7f4d44b727bf072156

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
Size

5.9MB
MD5

12408368b56de052fc02dafe48becfa0
SHA1

08ec24600f8ac95e2a5bda2e43df6a9fa445ddb9
SHA256

a6b2bec4ef3cb07d405fd89a87e27ee8ff3fa3210959fe7f4d44b727bf072156
SHA512

e1d434d9fd32fefdfe1c0e9c73ad75d730d64c253766ee0a2894189ac70685c540b24bae43cb7e578a637820f060dfad1657d1377223a14e43f8e5c3355d1888
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUq:T+856utgpPF8u/7q

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023540-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023548-7.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023547-14.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023549-23.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002354a-28.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002354b-36.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023544-42.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002354d-47.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002354f-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023550-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023552-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023551-75.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002354e-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023553-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023554-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023555-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023556-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023558-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023559-118.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002355a-127.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002355b-130.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/528-0-0x00007FF6EC9D0000-0x00007FF6ECD24000-memory.dmp	xmrig
behavioral2/files/0x0009000000023540-5.dat	xmrig
behavioral2/files/0x0007000000023548-7.dat	xmrig
behavioral2/files/0x0007000000023547-14.dat	xmrig
behavioral2/memory/4672-17-0x00007FF6E43C0000-0x00007FF6E4714000-memory.dmp	xmrig
behavioral2/memory/4808-19-0x00007FF7DBAB0000-0x00007FF7DBE04000-memory.dmp	xmrig
behavioral2/files/0x0007000000023549-23.dat	xmrig
behavioral2/memory/1612-24-0x00007FF7AFAA0000-0x00007FF7AFDF4000-memory.dmp	xmrig
behavioral2/memory/224-9-0x00007FF601AD0000-0x00007FF601E24000-memory.dmp	xmrig
behavioral2/files/0x000700000002354a-28.dat	xmrig
behavioral2/files/0x000700000002354b-36.dat	xmrig
behavioral2/memory/4068-38-0x00007FF7B8CB0000-0x00007FF7B9004000-memory.dmp	xmrig
behavioral2/memory/3540-35-0x00007FF767E80000-0x00007FF7681D4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023544-42.dat	xmrig
behavioral2/files/0x000700000002354d-47.dat	xmrig
behavioral2/files/0x000700000002354f-64.dat	xmrig
behavioral2/memory/528-61-0x00007FF6EC9D0000-0x00007FF6ECD24000-memory.dmp	xmrig
behavioral2/memory/4672-68-0x00007FF6E43C0000-0x00007FF6E4714000-memory.dmp	xmrig
behavioral2/files/0x0007000000023550-73.dat	xmrig
behavioral2/memory/3748-79-0x00007FF611710000-0x00007FF611A64000-memory.dmp	xmrig
behavioral2/files/0x0007000000023552-81.dat	xmrig
behavioral2/files/0x0007000000023551-75.dat	xmrig
behavioral2/memory/3960-71-0x00007FF683DC0000-0x00007FF684114000-memory.dmp	xmrig
behavioral2/memory/224-66-0x00007FF601AD0000-0x00007FF601E24000-memory.dmp	xmrig
behavioral2/memory/4312-63-0x00007FF63B000000-0x00007FF63B354000-memory.dmp	xmrig
behavioral2/memory/3688-57-0x00007FF717730000-0x00007FF717A84000-memory.dmp	xmrig
behavioral2/files/0x000700000002354e-56.dat	xmrig
behavioral2/memory/4832-53-0x00007FF6CD980000-0x00007FF6CDCD4000-memory.dmp	xmrig
behavioral2/memory/4484-46-0x00007FF763630000-0x00007FF763984000-memory.dmp	xmrig
behavioral2/memory/4808-83-0x00007FF7DBAB0000-0x00007FF7DBE04000-memory.dmp	xmrig
behavioral2/memory/1376-84-0x00007FF7A2300000-0x00007FF7A2654000-memory.dmp	xmrig
behavioral2/files/0x0007000000023553-86.dat	xmrig
behavioral2/files/0x0007000000023554-94.dat	xmrig
behavioral2/memory/1612-93-0x00007FF7AFAA0000-0x00007FF7AFDF4000-memory.dmp	xmrig
behavioral2/memory/2928-96-0x00007FF6F2FE0000-0x00007FF6F3334000-memory.dmp	xmrig
behavioral2/memory/3200-98-0x00007FF64D580000-0x00007FF64D8D4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023555-101.dat	xmrig
behavioral2/memory/2372-105-0x00007FF648EB0000-0x00007FF649204000-memory.dmp	xmrig
behavioral2/files/0x0007000000023556-107.dat	xmrig
behavioral2/memory/1200-111-0x00007FF66FA90000-0x00007FF66FDE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023558-112.dat	xmrig
behavioral2/files/0x0007000000023559-118.dat	xmrig
behavioral2/memory/3612-124-0x00007FF759E70000-0x00007FF75A1C4000-memory.dmp	xmrig
behavioral2/files/0x000700000002355a-127.dat	xmrig
behavioral2/memory/3688-122-0x00007FF717730000-0x00007FF717A84000-memory.dmp	xmrig
behavioral2/memory/4944-120-0x00007FF70B720000-0x00007FF70BA74000-memory.dmp	xmrig
behavioral2/memory/4312-129-0x00007FF63B000000-0x00007FF63B354000-memory.dmp	xmrig
behavioral2/files/0x000700000002355b-130.dat	xmrig
behavioral2/memory/3228-133-0x00007FF76DBD0000-0x00007FF76DF24000-memory.dmp	xmrig
behavioral2/memory/3960-132-0x00007FF683DC0000-0x00007FF684114000-memory.dmp	xmrig
behavioral2/memory/4448-131-0x00007FF6826C0000-0x00007FF682A14000-memory.dmp	xmrig
behavioral2/memory/3748-136-0x00007FF611710000-0x00007FF611A64000-memory.dmp	xmrig
behavioral2/memory/3228-137-0x00007FF76DBD0000-0x00007FF76DF24000-memory.dmp	xmrig
behavioral2/memory/224-138-0x00007FF601AD0000-0x00007FF601E24000-memory.dmp	xmrig
behavioral2/memory/4672-139-0x00007FF6E43C0000-0x00007FF6E4714000-memory.dmp	xmrig
behavioral2/memory/4808-140-0x00007FF7DBAB0000-0x00007FF7DBE04000-memory.dmp	xmrig
behavioral2/memory/1612-141-0x00007FF7AFAA0000-0x00007FF7AFDF4000-memory.dmp	xmrig
behavioral2/memory/3540-142-0x00007FF767E80000-0x00007FF7681D4000-memory.dmp	xmrig
behavioral2/memory/4068-143-0x00007FF7B8CB0000-0x00007FF7B9004000-memory.dmp	xmrig
behavioral2/memory/4484-144-0x00007FF763630000-0x00007FF763984000-memory.dmp	xmrig
behavioral2/memory/4832-145-0x00007FF6CD980000-0x00007FF6CDCD4000-memory.dmp	xmrig
behavioral2/memory/3688-146-0x00007FF717730000-0x00007FF717A84000-memory.dmp	xmrig
behavioral2/memory/4312-147-0x00007FF63B000000-0x00007FF63B354000-memory.dmp	xmrig
behavioral2/memory/3960-148-0x00007FF683DC0000-0x00007FF684114000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
224	tYqzGgF.exe
4672	OhemptL.exe
4808	wvrhpba.exe
1612	xQoFlRd.exe
3540	oWlZnbQ.exe
4068	uMtKYwd.exe
4484	PSvPXJa.exe
4832	ixUGMYx.exe
3688	WRcJWtt.exe
4312	DdqkFAf.exe
3960	cNnNzjb.exe
3748	NbTZuQZ.exe
1376	hfSZOXE.exe
2928	ECZsVKf.exe
3200	NGIwuRT.exe
2372	QGQqeiU.exe
1200	ZeviRNA.exe
4944	vXMEeGS.exe
3612	yfrOTZT.exe
4448	rUHpFyK.exe
3228	ydOEmAB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/528-0-0x00007FF6EC9D0000-0x00007FF6ECD24000-memory.dmp	upx
behavioral2/files/0x0009000000023540-5.dat	upx
behavioral2/files/0x0007000000023548-7.dat	upx
behavioral2/files/0x0007000000023547-14.dat	upx
behavioral2/memory/4672-17-0x00007FF6E43C0000-0x00007FF6E4714000-memory.dmp	upx
behavioral2/memory/4808-19-0x00007FF7DBAB0000-0x00007FF7DBE04000-memory.dmp	upx
behavioral2/files/0x0007000000023549-23.dat	upx
behavioral2/memory/1612-24-0x00007FF7AFAA0000-0x00007FF7AFDF4000-memory.dmp	upx
behavioral2/memory/224-9-0x00007FF601AD0000-0x00007FF601E24000-memory.dmp	upx
behavioral2/files/0x000700000002354a-28.dat	upx
behavioral2/files/0x000700000002354b-36.dat	upx
behavioral2/memory/4068-38-0x00007FF7B8CB0000-0x00007FF7B9004000-memory.dmp	upx
behavioral2/memory/3540-35-0x00007FF767E80000-0x00007FF7681D4000-memory.dmp	upx
behavioral2/files/0x0008000000023544-42.dat	upx
behavioral2/files/0x000700000002354d-47.dat	upx
behavioral2/files/0x000700000002354f-64.dat	upx
behavioral2/memory/528-61-0x00007FF6EC9D0000-0x00007FF6ECD24000-memory.dmp	upx
behavioral2/memory/4672-68-0x00007FF6E43C0000-0x00007FF6E4714000-memory.dmp	upx
behavioral2/files/0x0007000000023550-73.dat	upx
behavioral2/memory/3748-79-0x00007FF611710000-0x00007FF611A64000-memory.dmp	upx
behavioral2/files/0x0007000000023552-81.dat	upx
behavioral2/files/0x0007000000023551-75.dat	upx
behavioral2/memory/3960-71-0x00007FF683DC0000-0x00007FF684114000-memory.dmp	upx
behavioral2/memory/224-66-0x00007FF601AD0000-0x00007FF601E24000-memory.dmp	upx
behavioral2/memory/4312-63-0x00007FF63B000000-0x00007FF63B354000-memory.dmp	upx
behavioral2/memory/3688-57-0x00007FF717730000-0x00007FF717A84000-memory.dmp	upx
behavioral2/files/0x000700000002354e-56.dat	upx
behavioral2/memory/4832-53-0x00007FF6CD980000-0x00007FF6CDCD4000-memory.dmp	upx
behavioral2/memory/4484-46-0x00007FF763630000-0x00007FF763984000-memory.dmp	upx
behavioral2/memory/4808-83-0x00007FF7DBAB0000-0x00007FF7DBE04000-memory.dmp	upx
behavioral2/memory/1376-84-0x00007FF7A2300000-0x00007FF7A2654000-memory.dmp	upx
behavioral2/files/0x0007000000023553-86.dat	upx
behavioral2/files/0x0007000000023554-94.dat	upx
behavioral2/memory/1612-93-0x00007FF7AFAA0000-0x00007FF7AFDF4000-memory.dmp	upx
behavioral2/memory/2928-96-0x00007FF6F2FE0000-0x00007FF6F3334000-memory.dmp	upx
behavioral2/memory/3200-98-0x00007FF64D580000-0x00007FF64D8D4000-memory.dmp	upx
behavioral2/files/0x0007000000023555-101.dat	upx
behavioral2/memory/2372-105-0x00007FF648EB0000-0x00007FF649204000-memory.dmp	upx
behavioral2/files/0x0007000000023556-107.dat	upx
behavioral2/memory/1200-111-0x00007FF66FA90000-0x00007FF66FDE4000-memory.dmp	upx
behavioral2/files/0x0007000000023558-112.dat	upx
behavioral2/files/0x0007000000023559-118.dat	upx
behavioral2/memory/3612-124-0x00007FF759E70000-0x00007FF75A1C4000-memory.dmp	upx
behavioral2/files/0x000700000002355a-127.dat	upx
behavioral2/memory/3688-122-0x00007FF717730000-0x00007FF717A84000-memory.dmp	upx
behavioral2/memory/4944-120-0x00007FF70B720000-0x00007FF70BA74000-memory.dmp	upx
behavioral2/memory/4312-129-0x00007FF63B000000-0x00007FF63B354000-memory.dmp	upx
behavioral2/files/0x000700000002355b-130.dat	upx
behavioral2/memory/3228-133-0x00007FF76DBD0000-0x00007FF76DF24000-memory.dmp	upx
behavioral2/memory/3960-132-0x00007FF683DC0000-0x00007FF684114000-memory.dmp	upx
behavioral2/memory/4448-131-0x00007FF6826C0000-0x00007FF682A14000-memory.dmp	upx
behavioral2/memory/3748-136-0x00007FF611710000-0x00007FF611A64000-memory.dmp	upx
behavioral2/memory/3228-137-0x00007FF76DBD0000-0x00007FF76DF24000-memory.dmp	upx
behavioral2/memory/224-138-0x00007FF601AD0000-0x00007FF601E24000-memory.dmp	upx
behavioral2/memory/4672-139-0x00007FF6E43C0000-0x00007FF6E4714000-memory.dmp	upx
behavioral2/memory/4808-140-0x00007FF7DBAB0000-0x00007FF7DBE04000-memory.dmp	upx
behavioral2/memory/1612-141-0x00007FF7AFAA0000-0x00007FF7AFDF4000-memory.dmp	upx
behavioral2/memory/3540-142-0x00007FF767E80000-0x00007FF7681D4000-memory.dmp	upx
behavioral2/memory/4068-143-0x00007FF7B8CB0000-0x00007FF7B9004000-memory.dmp	upx
behavioral2/memory/4484-144-0x00007FF763630000-0x00007FF763984000-memory.dmp	upx
behavioral2/memory/4832-145-0x00007FF6CD980000-0x00007FF6CDCD4000-memory.dmp	upx
behavioral2/memory/3688-146-0x00007FF717730000-0x00007FF717A84000-memory.dmp	upx
behavioral2/memory/4312-147-0x00007FF63B000000-0x00007FF63B354000-memory.dmp	upx
behavioral2/memory/3960-148-0x00007FF683DC0000-0x00007FF684114000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ydOEmAB.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\xQoFlRd.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\oWlZnbQ.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\WRcJWtt.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\NGIwuRT.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\rUHpFyK.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\OhemptL.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\DdqkFAf.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\hfSZOXE.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\tYqzGgF.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\ixUGMYx.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\QGQqeiU.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\ECZsVKf.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\ZeviRNA.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\vXMEeGS.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\wvrhpba.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\uMtKYwd.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\PSvPXJa.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\cNnNzjb.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\NbTZuQZ.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
File created	C:\Windows\System\yfrOTZT.exe	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 224	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	92
PID 528 wrote to memory of 224	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	92
PID 528 wrote to memory of 4672	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	93
PID 528 wrote to memory of 4672	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	93
PID 528 wrote to memory of 4808	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	94
PID 528 wrote to memory of 4808	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	94
PID 528 wrote to memory of 1612	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	95
PID 528 wrote to memory of 1612	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	95
PID 528 wrote to memory of 3540	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	96
PID 528 wrote to memory of 3540	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	96
PID 528 wrote to memory of 4068	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	97
PID 528 wrote to memory of 4068	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	97
PID 528 wrote to memory of 4484	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	98
PID 528 wrote to memory of 4484	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	98
PID 528 wrote to memory of 4832	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	99
PID 528 wrote to memory of 4832	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	99
PID 528 wrote to memory of 3688	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	100
PID 528 wrote to memory of 3688	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	100
PID 528 wrote to memory of 4312	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	101
PID 528 wrote to memory of 4312	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	101
PID 528 wrote to memory of 3960	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	102
PID 528 wrote to memory of 3960	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	102
PID 528 wrote to memory of 3748	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	103
PID 528 wrote to memory of 3748	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	103
PID 528 wrote to memory of 1376	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	104
PID 528 wrote to memory of 1376	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	104
PID 528 wrote to memory of 2928	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	105
PID 528 wrote to memory of 2928	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	105
PID 528 wrote to memory of 3200	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	107
PID 528 wrote to memory of 3200	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	107
PID 528 wrote to memory of 2372	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	108
PID 528 wrote to memory of 2372	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	108
PID 528 wrote to memory of 1200	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	109
PID 528 wrote to memory of 1200	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	109
PID 528 wrote to memory of 4944	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	111
PID 528 wrote to memory of 4944	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	111
PID 528 wrote to memory of 3612	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	113
PID 528 wrote to memory of 3612	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	113
PID 528 wrote to memory of 4448	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	114
PID 528 wrote to memory of 4448	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	114
PID 528 wrote to memory of 3228	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	115
PID 528 wrote to memory of 3228	528	12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\12408368b56de052fc02dafe48becfa0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\System\tYqzGgF.exe
  C:\Windows\System\tYqzGgF.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System\OhemptL.exe
  C:\Windows\System\OhemptL.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\wvrhpba.exe
  C:\Windows\System\wvrhpba.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\xQoFlRd.exe
  C:\Windows\System\xQoFlRd.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\oWlZnbQ.exe
  C:\Windows\System\oWlZnbQ.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\uMtKYwd.exe
  C:\Windows\System\uMtKYwd.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\PSvPXJa.exe
  C:\Windows\System\PSvPXJa.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\ixUGMYx.exe
  C:\Windows\System\ixUGMYx.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\WRcJWtt.exe
  C:\Windows\System\WRcJWtt.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\DdqkFAf.exe
  C:\Windows\System\DdqkFAf.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System\cNnNzjb.exe
  C:\Windows\System\cNnNzjb.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System\NbTZuQZ.exe
  C:\Windows\System\NbTZuQZ.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\hfSZOXE.exe
  C:\Windows\System\hfSZOXE.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System\ECZsVKf.exe
  C:\Windows\System\ECZsVKf.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\NGIwuRT.exe
  C:\Windows\System\NGIwuRT.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System\QGQqeiU.exe
  C:\Windows\System\QGQqeiU.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\ZeviRNA.exe
  C:\Windows\System\ZeviRNA.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System\vXMEeGS.exe
  C:\Windows\System\vXMEeGS.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System\yfrOTZT.exe
  C:\Windows\System\yfrOTZT.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System\rUHpFyK.exe
  C:\Windows\System\rUHpFyK.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System\ydOEmAB.exe
  C:\Windows\System\ydOEmAB.exe
  2⤵
  - Executes dropped EXE
  PID:3228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3888,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8
1⤵
PID:1108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DdqkFAf.exe

Filesize
5.9MB

MD5
720a754f9e78d0332dc1da085d3c5103

SHA1
65c390089948c29d3ce9e45c3ac2f3d9c19fe54c

SHA256
2d9c454928c33684f2a8e055c2da7eba13af55ff11c7be70dc1d90292de764d2

SHA512
a256db44b8e82e12a8cd9c89e42d6bd13e4719ad9a0656f8d32ed78889caa0a85080b4f32f6b805dbf5f4a8fa176411b76602118b15db917e943e41a70cb1ca5

Download Submit
C:\Windows\System\ECZsVKf.exe

Filesize
5.9MB

MD5
b35f508c07b517b5ef449cd0b0438789

SHA1
660c0690332d971a91d32ba79bfd2aa55daa6afc

SHA256
3a0011054fe0e8e5b2d138d70e65a15e1dc0fc7cac55fac0a4e34945a90a158a

SHA512
38c4d3da0e859fbd025c0a267aeafb62785eb1cacda931464a0d05d8eb4da502b7265845179c71525ffdfc4becee7288ddb79e02d539c399f5f02332350b4e2d

Download Submit
C:\Windows\System\NGIwuRT.exe

Filesize
5.9MB

MD5
3b93ca4785ea5420014c235d3c49d928

SHA1
102a422074da23262abf02c9a04cfaa969f21775

SHA256
e5c171c7fb8e662aadaced15f399cc248aa30503c7b9da283d8b1e9e411387a9

SHA512
0992fb77b3b7214aace0cfdff0a9515270dcbe6cc1a25fb8c9e4e4cbf2d77934c7dd7400f1c936f7aa29acddfc772c11373b82252c6df9ed9390366c546fab31

Download Submit
C:\Windows\System\NbTZuQZ.exe

Filesize
5.9MB

MD5
41a27714629ab5683b42a8b957ecd876

SHA1
e60b975b209cb18e2d637793e5a9553e0b4c9a0a

SHA256
f67fe4896adad41a0f27b74ab4d874723218c0b6410be1cd146c66f9624e2e63

SHA512
b4344a1e4461bbe2f147ba2c387872892251412de746ca7ae4a59d1ebff15214734a172ed97b25bd14b728cccfad49055969636904834971656b58e0739cbaa1

Download Submit
C:\Windows\System\OhemptL.exe

Filesize
5.9MB

MD5
a9c211c4db50925e722bfd37a2204faa

SHA1
7ff81733a1b2a4bc25fa49c465b48edd5951810a

SHA256
a417eba3ba0c112e3d8daf9d9608a65fcd5c4354ae78b0fca4aaa72bb1a510ce

SHA512
a1deee22a66d6f21429c0db2689929670928144fb52c442b54cc8b9d6a8708403d336d802f91469e03bed62b44747ca5879d3d88f891ac722c3b095ce602487f

Download Submit
C:\Windows\System\PSvPXJa.exe

Filesize
5.9MB

MD5
90baa42950734ed9a4b33c071e5e7cea

SHA1
eaf0565dad6ac7bc95601097e633fd3147514058

SHA256
4bed72efdc3a24e57cca80f1b8efc1d118076ec404dc4ef52ddee60cf5f8ed0b

SHA512
2d3e4894866729e624a883434c4f325153e8c3c97fde0d639a9b1e2f7454c7b059f06ac9f5c8914b17c99d5c602d536e84643ed108444a37d43c4f25dca4ce18

Download Submit
C:\Windows\System\QGQqeiU.exe

Filesize
5.9MB

MD5
d4e83913d787c224bdec03ea25c5ea26

SHA1
a83207e68479e86a4fddfdb687bd92181824243f

SHA256
ec655e1c67d45b6b16d00cb67572e67a98fcc4a335f9ac2bcc7d710a4ebe2d5f

SHA512
394872d493fcbcb26f5fda455092e2eaab0b260efc52acda85d1e0454899dccba00aadc20922fc3c271ceee6f2d3e414af963cd82c3abd2deafc2814162a4b3e

Download Submit
C:\Windows\System\WRcJWtt.exe

Filesize
5.9MB

MD5
1ebcd23f26fb72df6f443da71847eeac

SHA1
e7a9f893c22997de766640c0a332b47f2a11a8f2

SHA256
28b125614c18074c1bbe2e6c947a7e8d828aa692ebbea141b5f3573e234e2013

SHA512
b1279046072f9d0af844de07d17341be4df6d4a71a1db15b5195a2cbc673a3896fc2664419572ed7597839cc6f1b524e90528da8eccacf9442d79a3158ed8576

Download Submit
C:\Windows\System\ZeviRNA.exe

Filesize
5.9MB

MD5
f4eac130c36fd1e2b176f153c349e1d4

SHA1
82bde4c31fe6290b4344cd52826a24e845da3c46

SHA256
97a8e17ec6ce96a8ec3e84ac87162e1a4b77118fd5317997d41b78aa7f3d64d6

SHA512
c243ff2df89eb37bb3d9afeb65f02da8816a26a99f91ca0bf5b6283b224dcf991b982a457a694cf9e5c3cb6a3b75230ad79bd2555466a3dc506e980875164d9a

Download Submit
C:\Windows\System\cNnNzjb.exe

Filesize
5.9MB

MD5
f88b7558f4f004c20c1736e20e68178c

SHA1
e465302257091e208cbb5e36c8d6f75bee7e9b5c

SHA256
abfd0d32266b57d9bf5a1069e90828cfa7da3492c4eba3abe1e8de6ecb3b3eac

SHA512
99dc8f1f47de2a4b04ef1b66bce08d87233ec9bd8abeadb53ff27d87497a0c293a125acf9ad9f4552c90dfea22779ca181b89860a4081fe4ca81ad97a7d3c937

Download Submit
C:\Windows\System\hfSZOXE.exe

Filesize
5.9MB

MD5
5d2cc4e5a641830fcf77d0174ba8e469

SHA1
0932addbf21418a48bfe922c6b8c9d05730322de

SHA256
e59079964ad2468331f54a53d0210cd312bac620a0b60fcf37afeefdc9b8bacf

SHA512
5496bf67bdfea40ac7cd99a7511276b65c856965bce701b1cdc6e21efe071719ca6e4e980e6bd86771ba3e5b5cc9300615773a677685b341fa6ad184bc1f50d9

Download Submit
C:\Windows\System\ixUGMYx.exe

Filesize
5.9MB

MD5
6565c725f59794fa244c2e1fc1692169

SHA1
db4f7abff22d2786ffda36b08fb99766527aa6d2

SHA256
9f63c01dd708e856371792661c2deda0d5f0baeb66fb232871a5a9078592646c

SHA512
3eb3478a60c4a2ae4cd19dab85602dac3b4e3e82ddcdccb14fef3b029ab820544a5e1784dd6c0346163bb07476c9f6935d07d6b78b7b5a5bf9039fb912ab272d

Download Submit
C:\Windows\System\oWlZnbQ.exe

Filesize
5.9MB

MD5
b72df2bedf5697aa8854b75a853334a5

SHA1
4f88a422ee309f32db9e66b7debbc61e35610d44

SHA256
ad86d5809726dd50e407e423d2ef101bcb2d970d9c0f02b3dab17f01b852d405

SHA512
6d54e8b560f47eab48b3d44c43b73d20216808bac4540efe89d515c3746bdf440732cf9a2576c3c638970d551ed5843f34e95a6b300747b2934e1615cc45d37c

Download Submit
C:\Windows\System\rUHpFyK.exe

Filesize
5.9MB

MD5
ddd53b3e1fed0b4ad3e3aab374b26f54

SHA1
3ed10f451a155d0a97516dd2dbf7d66a33e02212

SHA256
849173db60a55d6b77ac0cd8272c5183be7a5a62e70f4b6b1dbcd49120c7e282

SHA512
24014d6eaf6c5260633d7134065ec67f45d84c832481cb88e5c2bbe51f889171dc885c99d27c7e9c838ac8bbd0cae3a8b253f23f283fffa15da985ec24bed84c

Download Submit
C:\Windows\System\tYqzGgF.exe

Filesize
5.9MB

MD5
d2c12ab1d6966a45037fb3caa968e721

SHA1
7c6618f45c4cb225c24b3e8eee409ce03315f4b1

SHA256
038a8b788517947fbde0fda6ea26300243c879016b9e4b2615c59f90cee9e384

SHA512
ac0ebfa49f8a72f2ed3d8b5eae88dc97535c3afde4d8c425488c8a9ce5bf50f557a5b6ea923bb2b7a22bedd97b0e29a9903bd8ffc1ec4ae60189e1210290672a

Download Submit
C:\Windows\System\uMtKYwd.exe

Filesize
5.9MB

MD5
ac1fa53edbc0dc1d8298ea7faf01b5fc

SHA1
51aac6b75e1a1d20989f1ec3f250bec10debcce5

SHA256
dfa7f77e0641522795524dcca427d65a74939b036cd18ed031983199e48a5550

SHA512
7e8454d4dbf7ba7bf971e3ca88e9245195a0458803125a81f04fe8569144c52f1a85614780c106781c414c7d519b534c307c1c4bcfb0a85aae46bf13068c83e2

Download Submit
C:\Windows\System\vXMEeGS.exe

Filesize
5.9MB

MD5
2c11224e4e58d24b0793814b01116dbd

SHA1
6d54831f6de80c368c6be24e9a66bff565861804

SHA256
758550424d9fac95cfe2234017485ece127a566fe396704ac7d5d4aa25a56847

SHA512
e12303b99da9649f572e1b8b25471f73ef0e5f97efd5ffef421cc8cee790f90684e041c2bbaa7ced191245bfac1c0f7f10e1a44012a0d6784fd66f65218f0639

Download Submit
C:\Windows\System\wvrhpba.exe

Filesize
5.9MB

MD5
b8f3f5f44d5066e61f1d79845cc81210

SHA1
4f6ad284149ae2231269f4aba9c518810c9e60fe

SHA256
e746785943d4fd6bab9446bf3643bca4d2064c1c65cd3fed6f3db2e3adc1230d

SHA512
f6b5c26241d978e1709d021a35417963b103d4c24cf60d67dcd763cee657552bd09e18cd4372ca00b9a00adb3514657882e80bfc397d504f2a04c8c7c4c9e937

Download Submit
C:\Windows\System\xQoFlRd.exe

Filesize
5.9MB

MD5
18335487ad32dab562a6ce5190aa61b4

SHA1
4df48e298effa37ebfd21d740c4d1d229208816e

SHA256
205db9b4b36f1d0ada43e1720deb15d98139ff429d1b6e7d1d2ace91f393e9e6

SHA512
f7ac2ef45ac66785df59934f021e11d9af4ef3a54826dc28350604910f6fa69b67ca9acf9760f81fe8a83072e14f6ab91c94e982044df6e730164d11ca561688

Download Submit
C:\Windows\System\ydOEmAB.exe

Filesize
5.9MB

MD5
f257d3b85939813d5d79b9fdd6a68b30

SHA1
278f4b53d4c1d29da5afc0ab564934ba6c767b4d

SHA256
5b7d694d588bd69067c1a640bb1f54b3c6e47e5de5c6822e3207698e0eb552d0

SHA512
39f6826514975d6d471093abbc8af08c943bd9d4a1a948d4513795be28976634ce4918d6b1e48266e418139e719ef323b7b336157fb5388cfaf23db0550f5681

Download Submit
C:\Windows\System\yfrOTZT.exe

Filesize
5.9MB

MD5
18904f3bae5e082eba54127508eeeda4

SHA1
1fdec0d4a6033138616d951fd40df7ebc5b50cdf

SHA256
58dcdc5edca4e68295dbd64a61c861af303e49c874abd5f62d41616edd3d6b27

SHA512
6d55740a1f7c7a74a84f9ec9714799233a3593035e4e55af410df51a56ef5a79b5fee499aca8cfce80e71d2c3eb81dbb5e65db1c2fd7c43057f57e8942d55a1e

Download Submit
memory/224-9-0x00007FF601AD0000-0x00007FF601E24000-memory.dmp

Filesize
3.3MB

Download
memory/224-138-0x00007FF601AD0000-0x00007FF601E24000-memory.dmp

Filesize
3.3MB

Download
memory/224-66-0x00007FF601AD0000-0x00007FF601E24000-memory.dmp

Filesize
3.3MB

Download
memory/528-61-0x00007FF6EC9D0000-0x00007FF6ECD24000-memory.dmp

Filesize
3.3MB

Download
memory/528-0-0x00007FF6EC9D0000-0x00007FF6ECD24000-memory.dmp

Filesize
3.3MB

Download
memory/528-1-0x00000252A95D0000-0x00000252A95E0000-memory.dmp

Filesize
64KB

Download
memory/1200-154-0x00007FF66FA90000-0x00007FF66FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/1200-111-0x00007FF66FA90000-0x00007FF66FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/1376-84-0x00007FF7A2300000-0x00007FF7A2654000-memory.dmp

Filesize
3.3MB

Download
memory/1376-150-0x00007FF7A2300000-0x00007FF7A2654000-memory.dmp

Filesize
3.3MB

Download
memory/1612-24-0x00007FF7AFAA0000-0x00007FF7AFDF4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-93-0x00007FF7AFAA0000-0x00007FF7AFDF4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-141-0x00007FF7AFAA0000-0x00007FF7AFDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-105-0x00007FF648EB0000-0x00007FF649204000-memory.dmp

Filesize
3.3MB

Download
memory/2372-153-0x00007FF648EB0000-0x00007FF649204000-memory.dmp

Filesize
3.3MB

Download
memory/2928-96-0x00007FF6F2FE0000-0x00007FF6F3334000-memory.dmp

Filesize
3.3MB

Download
memory/2928-151-0x00007FF6F2FE0000-0x00007FF6F3334000-memory.dmp

Filesize
3.3MB

Download
memory/3200-152-0x00007FF64D580000-0x00007FF64D8D4000-memory.dmp

Filesize
3.3MB

Download
memory/3200-98-0x00007FF64D580000-0x00007FF64D8D4000-memory.dmp

Filesize
3.3MB

Download
memory/3228-158-0x00007FF76DBD0000-0x00007FF76DF24000-memory.dmp

Filesize
3.3MB

Download
memory/3228-137-0x00007FF76DBD0000-0x00007FF76DF24000-memory.dmp

Filesize
3.3MB

Download
memory/3228-133-0x00007FF76DBD0000-0x00007FF76DF24000-memory.dmp

Filesize
3.3MB

Download
memory/3540-142-0x00007FF767E80000-0x00007FF7681D4000-memory.dmp

Filesize
3.3MB

Download
memory/3540-35-0x00007FF767E80000-0x00007FF7681D4000-memory.dmp

Filesize
3.3MB

Download
memory/3612-124-0x00007FF759E70000-0x00007FF75A1C4000-memory.dmp

Filesize
3.3MB

Download
memory/3612-156-0x00007FF759E70000-0x00007FF75A1C4000-memory.dmp

Filesize
3.3MB

Download
memory/3688-57-0x00007FF717730000-0x00007FF717A84000-memory.dmp

Filesize
3.3MB

Download
memory/3688-122-0x00007FF717730000-0x00007FF717A84000-memory.dmp

Filesize
3.3MB

Download
memory/3688-146-0x00007FF717730000-0x00007FF717A84000-memory.dmp

Filesize
3.3MB

Download
memory/3748-79-0x00007FF611710000-0x00007FF611A64000-memory.dmp

Filesize
3.3MB

Download
memory/3748-149-0x00007FF611710000-0x00007FF611A64000-memory.dmp

Filesize
3.3MB

Download
memory/3748-136-0x00007FF611710000-0x00007FF611A64000-memory.dmp

Filesize
3.3MB

Download
memory/3960-71-0x00007FF683DC0000-0x00007FF684114000-memory.dmp

Filesize
3.3MB

Download
memory/3960-132-0x00007FF683DC0000-0x00007FF684114000-memory.dmp

Filesize
3.3MB

Download
memory/3960-148-0x00007FF683DC0000-0x00007FF684114000-memory.dmp

Filesize
3.3MB

Download
memory/4068-143-0x00007FF7B8CB0000-0x00007FF7B9004000-memory.dmp

Filesize
3.3MB

Download
memory/4068-38-0x00007FF7B8CB0000-0x00007FF7B9004000-memory.dmp

Filesize
3.3MB

Download
memory/4312-129-0x00007FF63B000000-0x00007FF63B354000-memory.dmp

Filesize
3.3MB

Download
memory/4312-63-0x00007FF63B000000-0x00007FF63B354000-memory.dmp

Filesize
3.3MB

Download
memory/4312-147-0x00007FF63B000000-0x00007FF63B354000-memory.dmp

Filesize
3.3MB

Download
memory/4448-131-0x00007FF6826C0000-0x00007FF682A14000-memory.dmp

Filesize
3.3MB

Download
memory/4448-157-0x00007FF6826C0000-0x00007FF682A14000-memory.dmp

Filesize
3.3MB

Download
memory/4484-144-0x00007FF763630000-0x00007FF763984000-memory.dmp

Filesize
3.3MB

Download
memory/4484-46-0x00007FF763630000-0x00007FF763984000-memory.dmp

Filesize
3.3MB

Download
memory/4672-139-0x00007FF6E43C0000-0x00007FF6E4714000-memory.dmp

Filesize
3.3MB

Download
memory/4672-68-0x00007FF6E43C0000-0x00007FF6E4714000-memory.dmp

Filesize
3.3MB

Download
memory/4672-17-0x00007FF6E43C0000-0x00007FF6E4714000-memory.dmp

Filesize
3.3MB

Download
memory/4808-140-0x00007FF7DBAB0000-0x00007FF7DBE04000-memory.dmp

Filesize
3.3MB

Download
memory/4808-19-0x00007FF7DBAB0000-0x00007FF7DBE04000-memory.dmp

Filesize
3.3MB

Download
memory/4808-83-0x00007FF7DBAB0000-0x00007FF7DBE04000-memory.dmp

Filesize
3.3MB

Download
memory/4832-145-0x00007FF6CD980000-0x00007FF6CDCD4000-memory.dmp

Filesize
3.3MB

Download
memory/4832-53-0x00007FF6CD980000-0x00007FF6CDCD4000-memory.dmp

Filesize
3.3MB

Download
memory/4944-155-0x00007FF70B720000-0x00007FF70BA74000-memory.dmp

Filesize
3.3MB

Download
memory/4944-120-0x00007FF70B720000-0x00007FF70BA74000-memory.dmp

Filesize
3.3MB

Download