cobaltstrike | 17efb0828b6ab2a1b7b233dae9de80d1c5eefad1425918d597ca31128656ff8d

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
Size

5.9MB
MD5

315d370b5e4aaacb1b284ca5ee7ee100
SHA1

5d64b0eb38fb6c5fce7da6ed937731813865b3b5
SHA256

17efb0828b6ab2a1b7b233dae9de80d1c5eefad1425918d597ca31128656ff8d
SHA512

58e19ca958e6cc84cefddf255be691d2aceb1bdd1b5a96f92c7d9bd87d7782163af9178672842dcaa8848542be88abdc97075f7cb116e5fe3455b59975a69660
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lU5:T+856utgpPF8u/75

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\VswPGGN.exe	cobalt_reflective_dll
C:\Windows\System\BUkljJj.exe	cobalt_reflective_dll
C:\Windows\System\VMtLnoB.exe	cobalt_reflective_dll
C:\Windows\System\QVoaJkM.exe	cobalt_reflective_dll
C:\Windows\System\UNYshlc.exe	cobalt_reflective_dll
C:\Windows\System\sgJYBhv.exe	cobalt_reflective_dll
C:\Windows\System\KBWhtzB.exe	cobalt_reflective_dll
C:\Windows\System\aKtOIJZ.exe	cobalt_reflective_dll
C:\Windows\System\QCuDXGN.exe	cobalt_reflective_dll
C:\Windows\System\xAuzfyj.exe	cobalt_reflective_dll
C:\Windows\System\QqHNWDm.exe	cobalt_reflective_dll
C:\Windows\System\LGHDUfY.exe	cobalt_reflective_dll
C:\Windows\System\ChKuwdJ.exe	cobalt_reflective_dll
C:\Windows\System\nZUsTsf.exe	cobalt_reflective_dll
C:\Windows\System\NAoKvRa.exe	cobalt_reflective_dll
C:\Windows\System\LdCvhsW.exe	cobalt_reflective_dll
C:\Windows\System\Jyhwulh.exe	cobalt_reflective_dll
C:\Windows\System\riETjSZ.exe	cobalt_reflective_dll
C:\Windows\System\EcMSaUF.exe	cobalt_reflective_dll
C:\Windows\System\wLToOpe.exe	cobalt_reflective_dll
C:\Windows\System\uKapstU.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3936-0-0x00007FF7064A0000-0x00007FF7067F4000-memory.dmp	xmrig
C:\Windows\System\VswPGGN.exe	xmrig
behavioral2/memory/1604-8-0x00007FF631DD0000-0x00007FF632124000-memory.dmp	xmrig
C:\Windows\System\BUkljJj.exe	xmrig
C:\Windows\System\VMtLnoB.exe	xmrig
behavioral2/memory/4860-14-0x00007FF7CBEF0000-0x00007FF7CC244000-memory.dmp	xmrig
C:\Windows\System\QVoaJkM.exe	xmrig
behavioral2/memory/1516-22-0x00007FF7EEE80000-0x00007FF7EF1D4000-memory.dmp	xmrig
C:\Windows\System\UNYshlc.exe	xmrig
C:\Windows\System\sgJYBhv.exe	xmrig
behavioral2/memory/2768-29-0x00007FF7D5A70000-0x00007FF7D5DC4000-memory.dmp	xmrig
C:\Windows\System\KBWhtzB.exe	xmrig
behavioral2/memory/3096-48-0x00007FF6B0770000-0x00007FF6B0AC4000-memory.dmp	xmrig
behavioral2/memory/4624-47-0x00007FF797620000-0x00007FF797974000-memory.dmp	xmrig
C:\Windows\System\aKtOIJZ.exe	xmrig
behavioral2/memory/2720-38-0x00007FF6140D0000-0x00007FF614424000-memory.dmp	xmrig
behavioral2/memory/3144-28-0x00007FF7637F0000-0x00007FF763B44000-memory.dmp	xmrig
C:\Windows\System\QCuDXGN.exe	xmrig
behavioral2/memory/2192-54-0x00007FF7DC370000-0x00007FF7DC6C4000-memory.dmp	xmrig
C:\Windows\System\xAuzfyj.exe	xmrig
behavioral2/memory/1508-60-0x00007FF6786F0000-0x00007FF678A44000-memory.dmp	xmrig
C:\Windows\System\QqHNWDm.exe	xmrig
behavioral2/memory/2260-69-0x00007FF7811D0000-0x00007FF781524000-memory.dmp	xmrig
C:\Windows\System\LGHDUfY.exe	xmrig
behavioral2/memory/3936-68-0x00007FF7064A0000-0x00007FF7067F4000-memory.dmp	xmrig
behavioral2/memory/1604-75-0x00007FF631DD0000-0x00007FF632124000-memory.dmp	xmrig
C:\Windows\System\ChKuwdJ.exe	xmrig
behavioral2/memory/3356-76-0x00007FF723AC0000-0x00007FF723E14000-memory.dmp	xmrig
C:\Windows\System\nZUsTsf.exe	xmrig
behavioral2/memory/1516-84-0x00007FF7EEE80000-0x00007FF7EF1D4000-memory.dmp	xmrig
behavioral2/memory/3260-88-0x00007FF69B000000-0x00007FF69B354000-memory.dmp	xmrig
C:\Windows\System\NAoKvRa.exe	xmrig
C:\Windows\System\LdCvhsW.exe	xmrig
behavioral2/memory/2096-95-0x00007FF730570000-0x00007FF7308C4000-memory.dmp	xmrig
behavioral2/memory/2024-91-0x00007FF7E01A0000-0x00007FF7E04F4000-memory.dmp	xmrig
behavioral2/memory/3144-90-0x00007FF7637F0000-0x00007FF763B44000-memory.dmp	xmrig
behavioral2/memory/5028-103-0x00007FF7B8110000-0x00007FF7B8464000-memory.dmp	xmrig
behavioral2/memory/2768-102-0x00007FF7D5A70000-0x00007FF7D5DC4000-memory.dmp	xmrig
C:\Windows\System\Jyhwulh.exe	xmrig
C:\Windows\System\riETjSZ.exe	xmrig
behavioral2/memory/2296-107-0x00007FF716370000-0x00007FF7166C4000-memory.dmp	xmrig
behavioral2/memory/3096-115-0x00007FF6B0770000-0x00007FF6B0AC4000-memory.dmp	xmrig
C:\Windows\System\EcMSaUF.exe	xmrig
behavioral2/memory/1152-117-0x00007FF68A2F0000-0x00007FF68A644000-memory.dmp	xmrig
behavioral2/memory/3284-123-0x00007FF665600000-0x00007FF665954000-memory.dmp	xmrig
behavioral2/memory/2192-122-0x00007FF7DC370000-0x00007FF7DC6C4000-memory.dmp	xmrig
C:\Windows\System\wLToOpe.exe	xmrig
behavioral2/memory/1508-127-0x00007FF6786F0000-0x00007FF678A44000-memory.dmp	xmrig
behavioral2/memory/2688-132-0x00007FF6532A0000-0x00007FF6535F4000-memory.dmp	xmrig
C:\Windows\System\uKapstU.exe	xmrig
behavioral2/memory/224-133-0x00007FF631340000-0x00007FF631694000-memory.dmp	xmrig
behavioral2/memory/2096-136-0x00007FF730570000-0x00007FF7308C4000-memory.dmp	xmrig
behavioral2/memory/2296-137-0x00007FF716370000-0x00007FF7166C4000-memory.dmp	xmrig
behavioral2/memory/2688-138-0x00007FF6532A0000-0x00007FF6535F4000-memory.dmp	xmrig
behavioral2/memory/224-139-0x00007FF631340000-0x00007FF631694000-memory.dmp	xmrig
behavioral2/memory/1604-140-0x00007FF631DD0000-0x00007FF632124000-memory.dmp	xmrig
behavioral2/memory/4860-141-0x00007FF7CBEF0000-0x00007FF7CC244000-memory.dmp	xmrig
behavioral2/memory/1516-142-0x00007FF7EEE80000-0x00007FF7EF1D4000-memory.dmp	xmrig
behavioral2/memory/2768-143-0x00007FF7D5A70000-0x00007FF7D5DC4000-memory.dmp	xmrig
behavioral2/memory/3144-144-0x00007FF7637F0000-0x00007FF763B44000-memory.dmp	xmrig
behavioral2/memory/2720-145-0x00007FF6140D0000-0x00007FF614424000-memory.dmp	xmrig
behavioral2/memory/4624-146-0x00007FF797620000-0x00007FF797974000-memory.dmp	xmrig
behavioral2/memory/3096-147-0x00007FF6B0770000-0x00007FF6B0AC4000-memory.dmp	xmrig
behavioral2/memory/2192-148-0x00007FF7DC370000-0x00007FF7DC6C4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

VswPGGN.exeBUkljJj.exeVMtLnoB.exeUNYshlc.exeQVoaJkM.exesgJYBhv.exeaKtOIJZ.exeKBWhtzB.exeQCuDXGN.exexAuzfyj.exeQqHNWDm.exeLGHDUfY.exeChKuwdJ.exenZUsTsf.exeNAoKvRa.exeLdCvhsW.exeJyhwulh.exeriETjSZ.exeEcMSaUF.exewLToOpe.exeuKapstU.exe

pid	process
1604	VswPGGN.exe
4860	BUkljJj.exe
1516	VMtLnoB.exe
3144	UNYshlc.exe
2768	QVoaJkM.exe
2720	sgJYBhv.exe
4624	aKtOIJZ.exe
3096	KBWhtzB.exe
2192	QCuDXGN.exe
1508	xAuzfyj.exe
2260	QqHNWDm.exe
3356	LGHDUfY.exe
3260	ChKuwdJ.exe
2024	nZUsTsf.exe
2096	NAoKvRa.exe
5028	LdCvhsW.exe
2296	Jyhwulh.exe
1152	riETjSZ.exe
3284	EcMSaUF.exe
2688	wLToOpe.exe
224	uKapstU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3936-0-0x00007FF7064A0000-0x00007FF7067F4000-memory.dmp	upx
C:\Windows\System\VswPGGN.exe	upx
behavioral2/memory/1604-8-0x00007FF631DD0000-0x00007FF632124000-memory.dmp	upx
C:\Windows\System\BUkljJj.exe	upx
C:\Windows\System\VMtLnoB.exe	upx
behavioral2/memory/4860-14-0x00007FF7CBEF0000-0x00007FF7CC244000-memory.dmp	upx
C:\Windows\System\QVoaJkM.exe	upx
behavioral2/memory/1516-22-0x00007FF7EEE80000-0x00007FF7EF1D4000-memory.dmp	upx
C:\Windows\System\UNYshlc.exe	upx
C:\Windows\System\sgJYBhv.exe	upx
behavioral2/memory/2768-29-0x00007FF7D5A70000-0x00007FF7D5DC4000-memory.dmp	upx
C:\Windows\System\KBWhtzB.exe	upx
behavioral2/memory/3096-48-0x00007FF6B0770000-0x00007FF6B0AC4000-memory.dmp	upx
behavioral2/memory/4624-47-0x00007FF797620000-0x00007FF797974000-memory.dmp	upx
C:\Windows\System\aKtOIJZ.exe	upx
behavioral2/memory/2720-38-0x00007FF6140D0000-0x00007FF614424000-memory.dmp	upx
behavioral2/memory/3144-28-0x00007FF7637F0000-0x00007FF763B44000-memory.dmp	upx
C:\Windows\System\QCuDXGN.exe	upx
behavioral2/memory/2192-54-0x00007FF7DC370000-0x00007FF7DC6C4000-memory.dmp	upx
C:\Windows\System\xAuzfyj.exe	upx
behavioral2/memory/1508-60-0x00007FF6786F0000-0x00007FF678A44000-memory.dmp	upx
C:\Windows\System\QqHNWDm.exe	upx
behavioral2/memory/2260-69-0x00007FF7811D0000-0x00007FF781524000-memory.dmp	upx
C:\Windows\System\LGHDUfY.exe	upx
behavioral2/memory/3936-68-0x00007FF7064A0000-0x00007FF7067F4000-memory.dmp	upx
behavioral2/memory/1604-75-0x00007FF631DD0000-0x00007FF632124000-memory.dmp	upx
C:\Windows\System\ChKuwdJ.exe	upx
behavioral2/memory/3356-76-0x00007FF723AC0000-0x00007FF723E14000-memory.dmp	upx
C:\Windows\System\nZUsTsf.exe	upx
behavioral2/memory/1516-84-0x00007FF7EEE80000-0x00007FF7EF1D4000-memory.dmp	upx
behavioral2/memory/3260-88-0x00007FF69B000000-0x00007FF69B354000-memory.dmp	upx
C:\Windows\System\NAoKvRa.exe	upx
C:\Windows\System\LdCvhsW.exe	upx
behavioral2/memory/2096-95-0x00007FF730570000-0x00007FF7308C4000-memory.dmp	upx
behavioral2/memory/2024-91-0x00007FF7E01A0000-0x00007FF7E04F4000-memory.dmp	upx
behavioral2/memory/3144-90-0x00007FF7637F0000-0x00007FF763B44000-memory.dmp	upx
behavioral2/memory/5028-103-0x00007FF7B8110000-0x00007FF7B8464000-memory.dmp	upx
behavioral2/memory/2768-102-0x00007FF7D5A70000-0x00007FF7D5DC4000-memory.dmp	upx
C:\Windows\System\Jyhwulh.exe	upx
C:\Windows\System\riETjSZ.exe	upx
behavioral2/memory/2296-107-0x00007FF716370000-0x00007FF7166C4000-memory.dmp	upx
behavioral2/memory/3096-115-0x00007FF6B0770000-0x00007FF6B0AC4000-memory.dmp	upx
C:\Windows\System\EcMSaUF.exe	upx
behavioral2/memory/1152-117-0x00007FF68A2F0000-0x00007FF68A644000-memory.dmp	upx
behavioral2/memory/3284-123-0x00007FF665600000-0x00007FF665954000-memory.dmp	upx
behavioral2/memory/2192-122-0x00007FF7DC370000-0x00007FF7DC6C4000-memory.dmp	upx
C:\Windows\System\wLToOpe.exe	upx
behavioral2/memory/1508-127-0x00007FF6786F0000-0x00007FF678A44000-memory.dmp	upx
behavioral2/memory/2688-132-0x00007FF6532A0000-0x00007FF6535F4000-memory.dmp	upx
C:\Windows\System\uKapstU.exe	upx
behavioral2/memory/224-133-0x00007FF631340000-0x00007FF631694000-memory.dmp	upx
behavioral2/memory/2096-136-0x00007FF730570000-0x00007FF7308C4000-memory.dmp	upx
behavioral2/memory/2296-137-0x00007FF716370000-0x00007FF7166C4000-memory.dmp	upx
behavioral2/memory/2688-138-0x00007FF6532A0000-0x00007FF6535F4000-memory.dmp	upx
behavioral2/memory/224-139-0x00007FF631340000-0x00007FF631694000-memory.dmp	upx
behavioral2/memory/1604-140-0x00007FF631DD0000-0x00007FF632124000-memory.dmp	upx
behavioral2/memory/4860-141-0x00007FF7CBEF0000-0x00007FF7CC244000-memory.dmp	upx
behavioral2/memory/1516-142-0x00007FF7EEE80000-0x00007FF7EF1D4000-memory.dmp	upx
behavioral2/memory/2768-143-0x00007FF7D5A70000-0x00007FF7D5DC4000-memory.dmp	upx
behavioral2/memory/3144-144-0x00007FF7637F0000-0x00007FF763B44000-memory.dmp	upx
behavioral2/memory/2720-145-0x00007FF6140D0000-0x00007FF614424000-memory.dmp	upx
behavioral2/memory/4624-146-0x00007FF797620000-0x00007FF797974000-memory.dmp	upx
behavioral2/memory/3096-147-0x00007FF6B0770000-0x00007FF6B0AC4000-memory.dmp	upx
behavioral2/memory/2192-148-0x00007FF7DC370000-0x00007FF7DC6C4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\VswPGGN.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\QCuDXGN.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\LGHDUfY.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\nZUsTsf.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\BUkljJj.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\QVoaJkM.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\sgJYBhv.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\QqHNWDm.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\riETjSZ.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\EcMSaUF.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\VMtLnoB.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\UNYshlc.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\aKtOIJZ.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\ChKuwdJ.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\LdCvhsW.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\uKapstU.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\KBWhtzB.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\xAuzfyj.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\NAoKvRa.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\Jyhwulh.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
File created	C:\Windows\System\wLToOpe.exe	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe

description	pid	process
Token: SeLockMemoryPrivilege	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe

description	pid	process	target process
PID 3936 wrote to memory of 1604	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	VswPGGN.exe
PID 3936 wrote to memory of 1604	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	VswPGGN.exe
PID 3936 wrote to memory of 4860	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	BUkljJj.exe
PID 3936 wrote to memory of 4860	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	BUkljJj.exe
PID 3936 wrote to memory of 1516	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	VMtLnoB.exe
PID 3936 wrote to memory of 1516	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	VMtLnoB.exe
PID 3936 wrote to memory of 3144	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	UNYshlc.exe
PID 3936 wrote to memory of 3144	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	UNYshlc.exe
PID 3936 wrote to memory of 2768	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	QVoaJkM.exe
PID 3936 wrote to memory of 2768	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	QVoaJkM.exe
PID 3936 wrote to memory of 2720	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	sgJYBhv.exe
PID 3936 wrote to memory of 2720	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	sgJYBhv.exe
PID 3936 wrote to memory of 4624	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	aKtOIJZ.exe
PID 3936 wrote to memory of 4624	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	aKtOIJZ.exe
PID 3936 wrote to memory of 3096	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	KBWhtzB.exe
PID 3936 wrote to memory of 3096	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	KBWhtzB.exe
PID 3936 wrote to memory of 2192	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	QCuDXGN.exe
PID 3936 wrote to memory of 2192	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	QCuDXGN.exe
PID 3936 wrote to memory of 1508	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	xAuzfyj.exe
PID 3936 wrote to memory of 1508	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	xAuzfyj.exe
PID 3936 wrote to memory of 2260	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	QqHNWDm.exe
PID 3936 wrote to memory of 2260	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	QqHNWDm.exe
PID 3936 wrote to memory of 3356	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	LGHDUfY.exe
PID 3936 wrote to memory of 3356	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	LGHDUfY.exe
PID 3936 wrote to memory of 3260	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	ChKuwdJ.exe
PID 3936 wrote to memory of 3260	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	ChKuwdJ.exe
PID 3936 wrote to memory of 2024	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	nZUsTsf.exe
PID 3936 wrote to memory of 2024	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	nZUsTsf.exe
PID 3936 wrote to memory of 2096	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	NAoKvRa.exe
PID 3936 wrote to memory of 2096	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	NAoKvRa.exe
PID 3936 wrote to memory of 5028	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	LdCvhsW.exe
PID 3936 wrote to memory of 5028	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	LdCvhsW.exe
PID 3936 wrote to memory of 2296	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	Jyhwulh.exe
PID 3936 wrote to memory of 2296	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	Jyhwulh.exe
PID 3936 wrote to memory of 1152	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	riETjSZ.exe
PID 3936 wrote to memory of 1152	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	riETjSZ.exe
PID 3936 wrote to memory of 3284	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	EcMSaUF.exe
PID 3936 wrote to memory of 3284	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	EcMSaUF.exe
PID 3936 wrote to memory of 2688	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	wLToOpe.exe
PID 3936 wrote to memory of 2688	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	wLToOpe.exe
PID 3936 wrote to memory of 224	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	uKapstU.exe
PID 3936 wrote to memory of 224	3936	315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe	uKapstU.exe

C:\Users\Admin\AppData\Local\Temp\315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\315d370b5e4aaacb1b284ca5ee7ee100_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\System\VswPGGN.exe
C:\Windows\System\VswPGGN.exe
2⤵
- Executes dropped EXE
PID:1604

C:\Windows\System\BUkljJj.exe
C:\Windows\System\BUkljJj.exe
2⤵
- Executes dropped EXE
PID:4860

C:\Windows\System\VMtLnoB.exe
C:\Windows\System\VMtLnoB.exe
2⤵
- Executes dropped EXE
PID:1516

C:\Windows\System\UNYshlc.exe
C:\Windows\System\UNYshlc.exe
2⤵
- Executes dropped EXE
PID:3144

C:\Windows\System\QVoaJkM.exe
C:\Windows\System\QVoaJkM.exe
2⤵
- Executes dropped EXE
PID:2768

C:\Windows\System\sgJYBhv.exe
C:\Windows\System\sgJYBhv.exe
2⤵
- Executes dropped EXE
PID:2720

C:\Windows\System\aKtOIJZ.exe
C:\Windows\System\aKtOIJZ.exe
2⤵
- Executes dropped EXE
PID:4624

C:\Windows\System\KBWhtzB.exe
C:\Windows\System\KBWhtzB.exe
2⤵
- Executes dropped EXE
PID:3096

C:\Windows\System\QCuDXGN.exe
C:\Windows\System\QCuDXGN.exe
2⤵
- Executes dropped EXE
PID:2192

C:\Windows\System\xAuzfyj.exe
C:\Windows\System\xAuzfyj.exe
2⤵
- Executes dropped EXE
PID:1508

C:\Windows\System\QqHNWDm.exe
C:\Windows\System\QqHNWDm.exe
2⤵
- Executes dropped EXE
PID:2260

C:\Windows\System\LGHDUfY.exe
C:\Windows\System\LGHDUfY.exe
2⤵
- Executes dropped EXE
PID:3356

C:\Windows\System\ChKuwdJ.exe
C:\Windows\System\ChKuwdJ.exe
2⤵
- Executes dropped EXE
PID:3260

C:\Windows\System\nZUsTsf.exe
C:\Windows\System\nZUsTsf.exe
2⤵
- Executes dropped EXE
PID:2024

C:\Windows\System\NAoKvRa.exe
C:\Windows\System\NAoKvRa.exe
2⤵
- Executes dropped EXE
PID:2096

C:\Windows\System\LdCvhsW.exe
C:\Windows\System\LdCvhsW.exe
2⤵
- Executes dropped EXE
PID:5028

C:\Windows\System\Jyhwulh.exe
C:\Windows\System\Jyhwulh.exe
2⤵
- Executes dropped EXE
PID:2296

C:\Windows\System\riETjSZ.exe
C:\Windows\System\riETjSZ.exe
2⤵
- Executes dropped EXE
PID:1152

C:\Windows\System\EcMSaUF.exe
C:\Windows\System\EcMSaUF.exe
2⤵
- Executes dropped EXE
PID:3284

C:\Windows\System\wLToOpe.exe
C:\Windows\System\wLToOpe.exe
2⤵
- Executes dropped EXE
PID:2688

C:\Windows\System\uKapstU.exe
C:\Windows\System\uKapstU.exe
2⤵
- Executes dropped EXE
PID:224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BUkljJj.exe
Filesize
5.9MB

MD5
22f01b1633a13affd9c5e3d06a6b703a

SHA1
14d6714d8c5d1028e6cb4af7e4f3b2810d39cc0c

SHA256
f7184759e288c89cb231d628de61a3c89f573065c4fb3efb1aff7dde1359cacb

SHA512
d3668372635590c20f085809fda3da09a408dea163b47679c1f95c9cb5dff8ac8f084e381275b869e4cf68441c6f37d2df506ad4b0be6ebdab51aa91388f9a59

Download Submit
C:\Windows\System\ChKuwdJ.exe
Filesize
5.9MB

MD5
09801ff8123251928a3bdd3a4efd5047

SHA1
37f04d5ea27de816671f01bd0bd426c0e9f1d12e

SHA256
981c00cc2d2c6e8eb6e94582db421c9a55ba4acb9da1f952bce7591d3aada2a9

SHA512
7c1a5dceb3afb2b8e0327a5799472334ec28b409eaffcbaa749be81ccf3bf32a03bef3d8a5202d9aec324359c7b1f378aed3ef4b121be705b3371c7dbe4035b0

Download Submit
C:\Windows\System\EcMSaUF.exe
Filesize
5.9MB

MD5
742b4e37238c986c848214f80fe217aa

SHA1
09ad26929e195747bd10b4fd0858f92a33cb40f0

SHA256
06486ca4d0decf9c0a38a552a098441422b070aaa71fb24884185679eef68852

SHA512
daa50f303038b8f71fd32c5df3d2ef4a2840a63f89aecfc4b0d6cf00ebad199570679d8da220d2579bfafb8b88099b1a5b5789c79607a2ba9d1c731a565ba31c

Download Submit
C:\Windows\System\Jyhwulh.exe
Filesize
5.9MB

MD5
c51bd396fbd23e4b98e94efdb0707198

SHA1
5c161a6f9f55a72ae86a3885cf28fc74f3c24ce2

SHA256
23df091600956504ac1acd308bdb1a179c9bac9d5ed40f44964a3049e3b502fb

SHA512
d1061bde34705502e9a87ac2510b5e4a74035983036b22d656a9ea8d1dc1bb8d2dfa16ac9783e5ffd3aa1dda47e129eb2e1dcbf49693fdea1ae1eec961379443

Download Submit
C:\Windows\System\KBWhtzB.exe
Filesize
5.9MB

MD5
cbb668ea3e5e7662634b086274d4eaec

SHA1
1e81dde5092c43363c4b89ee35dd9186f6807042

SHA256
6dbffe973b933cd71329a2e8effcf21723dddeacf2953a3502ae7566e9c36732

SHA512
426323a8d7121dd433de2675d65ff25b06e84dbfcd1d50cb5b835b608352ac53aad74a3e1b5ab9ed74cfc00bf0c40e0ed72ed39ee8d578eeda0ab65d3b3dae7e

Download Submit
C:\Windows\System\LGHDUfY.exe
Filesize
5.9MB

MD5
96e2fd2a19a6d0484a3217050dd7cc08

SHA1
c306609af3a2ccf7e12f7fc308eb90b4e8fc8c53

SHA256
e1611139be75e30dbb25b7cdd1fbd4e2accec10c7fc46255ce6a1708373c9f01

SHA512
d2f911a42114af90d06462c4c9ad1fce4e20d0449f05da851fe01c376b75e3935433636da08bc38c46482d3c3e72d3863962858cd968b646ea1990357afef6f9

Download Submit
C:\Windows\System\LdCvhsW.exe
Filesize
5.9MB

MD5
14075a743ca6314ce117f75043e2e8a1

SHA1
40d0dd12a7ec5bc9bdc99d175233d2c775d44c1e

SHA256
9e0fbac05d33e86698e5854aeab4d6624c76d227ba5f922547612c9b9dc5a6bc

SHA512
27e769cf6ab9111d9c6b7afbe96fe6af67606f413deedea6653ce526a7ef2359d25cae3229e381da87ead31e15996309bc338ac94dafd5f031d619b25f165818

Download Submit
C:\Windows\System\NAoKvRa.exe
Filesize
5.9MB

MD5
6a23fe7fbd5b3467d6368f0e84867dcd

SHA1
52fdabff9c6fa080e090c1ca7c4cb1fc19c83990

SHA256
f22c3bdc442b357fbc3656c1d3c889986ef3592f52cbec2aea181223b7a0d122

SHA512
542ee3d81362a45c3ac5524fceb75fc4b2203938310ae16f702bbd1559d7733040f8e2faf76f972b618e5a0eea6ee8db4257ad2ebd9f93e08b13d3c41be61375

Download Submit
C:\Windows\System\QCuDXGN.exe
Filesize
5.9MB

MD5
0fe9182361256eaf4f8ad023db825522

SHA1
3184ed206d38fce541f97fed752e70d6e3e4dbcb

SHA256
8df49a1ea21940c09eb48eef8a3513d9bf1aa83df39344e99d86adcfc697931e

SHA512
a51f67775c6f8ca3889b74c1bffae2902d9c429887e506303138183350112a679a944bde93586f1bde76b1ce51ea1b500e7c9c82432d79899a65c371a7c27b19

Download Submit
C:\Windows\System\QVoaJkM.exe
Filesize
5.9MB

MD5
a2fd8d418faf3ef2e4fdea5f708dae45

SHA1
eb40648a49cfaf3a476c655de50d9ade3b62e308

SHA256
efb6c248e27d3bfed1abf9c207c4a8c9d1363057e9bf8a0daa07865f5a27f44f

SHA512
86f68fa1a0f1d97db2368d8030084fcf8d0e3927086a6054b24ab1cf302e6b5b6465bc378d04fbb9a34cc56ca93bdfd8f47cb2a5300d3eef74494aff970b9bbf

Download Submit
C:\Windows\System\QqHNWDm.exe
Filesize
5.9MB

MD5
f7707a8f1fade9d73ef25297ff8eb7d6

SHA1
97ec3452a8109e40a565fa4f483615878ba5adde

SHA256
699b53f0c17b96643ee16d2c0fe74a50e4c99aaa6f6b669be9771c2a37265032

SHA512
ab08621e4e6a9c1e24ec2823061f0d5551c6faaeef933b0c2d4a0d42aba97a4370c816d494fa55c1e783c0dc6ae62e12572c578480c1f9f10e3ebd07303a80a4

Download Submit
C:\Windows\System\UNYshlc.exe
Filesize
5.9MB

MD5
2b6385a8719e7c6d4a9eb2020d8f7390

SHA1
f65235c40f3fa498cec9052f01077dedef229a00

SHA256
9dd486544fb534458066f4af4b626060383d047dfbbd6e54c8620734a0d6c6fa

SHA512
d1b49c505c5407ba5d986198e86a0987483d2756cbde8787b6d4672901533f24052b18aca831d3c4286730367ef49faa7820c5da818fb8c2d7bcc558337e84f4

Download Submit
C:\Windows\System\VMtLnoB.exe
Filesize
5.9MB

MD5
2534d507929d47d035d8734a06c6c064

SHA1
87b0ffd293a15c4b93c2987771acbf91cf0f429a

SHA256
b60e63377c1617c9459759f6a248fd325add8e14fa4ba9247981231e3d3d976e

SHA512
a4ae516f217a420e5b2ea276fc96de17bec67adf53de72c62b393f2d74a401d7dd534f99d55f1ce20b74b9660e05aa36256f9e1511bda0421daa816c831b4e6c

Download Submit
C:\Windows\System\VswPGGN.exe
Filesize
5.9MB

MD5
ba754d2f8de1d28a526e4ba49d78aff7

SHA1
0ccd711d7f50f6a0776d7df70496949696eb0c97

SHA256
67546f23a305a558386aa53084156193eb7e92c0ef06aaa3e94049e13b9ccc14

SHA512
e87a15c76c734fda5d8c8ef4694eb927f73d9375b3bca43da7e5c1b63cf25354b6afff951346085f3beb596f46b4bf9af1d7b19b15779bfe1aeca17e6e924795

Download Submit
C:\Windows\System\aKtOIJZ.exe
Filesize
5.9MB

MD5
c43f587b0510422426100cf114a85fdf

SHA1
7e1258053e2fc7f7338274072efbd10d095f834f

SHA256
06e2f7b5e8db53bd4dc422abe597e7da4fbe6c335b0e5d6fa5afa88bfb820162

SHA512
4e9f0f2db5c6fe97510dab4abe76f87d46db9ec0e34f5642dba59a4b0b58532469102e99bcaafd3f5bf77c7111332fa3d06cd70e06041be35884ff6bac46647a

Download Submit
C:\Windows\System\nZUsTsf.exe
Filesize
5.9MB

MD5
8fdea9350e7512e9e75d93e6c32356fc

SHA1
855e67cc209c2ba1a62f95ece17c35a26cc276b0

SHA256
ca71a05872d4895472f23c8b54df12c54abf4602d04fe9b2ae928bba724c5b2b

SHA512
734ec5a6a69e4f96b2b8c462573072a3d0718f9e3eb75a6090e328e0156bdaafa5d6318ac80c41d35810797c9995ae84c9509198db9d69dc54a478fb5463a498

Download Submit
C:\Windows\System\riETjSZ.exe
Filesize
5.9MB

MD5
21dbecf75d78a01ef79a123a8308ba5c

SHA1
574cca82dd9287dee40faedbf72077b0ce5ab0f2

SHA256
1ff5b9416bb9d8b2716306012ff08c9fe468d60b6f9d9aa050fbaf35d49ac6f3

SHA512
91aef8dc1dda511ff4656878d917f57e5883aa5793510afe976bb03458a59fc81998d470a082466937a9a21d329a7b436ecd249e686b96c41272da32210a79d8

Download Submit
C:\Windows\System\sgJYBhv.exe
Filesize
5.9MB

MD5
5c0316f41c04d5a0b27525640bb0337c

SHA1
279ca09cb3b015009d97b9dfa2b65f49c0e7701f

SHA256
f4037393b72791115e9432a64378d2cc5fe6efcd0af7339891fda77eab407bea

SHA512
d16b40f8d3e12b651c4bc083465029bf3712529d74f7fb53769bca645d488706ef416a762049a868b3c54e8f24217d18fa97f2ca6cc7ca42f3be5e0a377ef5b9

Download Submit
C:\Windows\System\uKapstU.exe
Filesize
5.9MB

MD5
8da045273b9ea489c9b0cecd9ba9dd00

SHA1
6bbc2a46a34ab51c695739b6f032587e01929cc9

SHA256
7e4cca89799ca8d04fe5e8d58cb33f716b018bddd238dd71f71a487de7c2ca82

SHA512
ebcfe0a2ae538a936edc7c73bc6b58dd79e09106d1acf69fbc75b1e9830228b03b3379cdfde8249d7ff3edceb1139b3fa66d406bd63e1f8416cc5554142aec2a

Download Submit
C:\Windows\System\wLToOpe.exe
Filesize
5.9MB

MD5
355f53640b5c2d72fd6eac526409c63b

SHA1
88914918c4c4e99b37dc3247400f75487a7db04b

SHA256
b82eca6252eda933074e4e38b4340678caba15fac39f10f96f59e09247f33c65

SHA512
02ae540b4ded799b368ef3104bb5a3e9dee2d5973252c95e18eac00e275c2b74a53c1839aad2aa3447bf64101399dc9fc537e494102a0ba32e01fe48b928b955

Download Submit
C:\Windows\System\xAuzfyj.exe
Filesize
5.9MB

MD5
97aadcf6a7ea72d895cc9cb0c64368b5

SHA1
a3ed8e71fe44df240798960053f965c28aa86436

SHA256
00a0d907a44960052c82cfe265604c932a7cd98d067e60d5ca4ede78acfcf8aa

SHA512
aa58243fb0244e7a86f5c928062ba69bd2ae7d95b456413511f553e63359b1e6a1d14c8705dfe78b621d3e465bec979db5ad14886c3aeadd97b62de4a09da026

Download Submit
memory/224-160-0x00007FF631340000-0x00007FF631694000-memory.dmp

Filesize
3.3MB

Download
memory/224-133-0x00007FF631340000-0x00007FF631694000-memory.dmp

Filesize
3.3MB

Download
memory/224-139-0x00007FF631340000-0x00007FF631694000-memory.dmp

Filesize
3.3MB

Download
memory/1152-157-0x00007FF68A2F0000-0x00007FF68A644000-memory.dmp

Filesize
3.3MB

Download
memory/1152-117-0x00007FF68A2F0000-0x00007FF68A644000-memory.dmp

Filesize
3.3MB

Download
memory/1508-127-0x00007FF6786F0000-0x00007FF678A44000-memory.dmp

Filesize
3.3MB

Download
memory/1508-149-0x00007FF6786F0000-0x00007FF678A44000-memory.dmp

Filesize
3.3MB

Download
memory/1508-60-0x00007FF6786F0000-0x00007FF678A44000-memory.dmp

Filesize
3.3MB

Download
memory/1516-22-0x00007FF7EEE80000-0x00007FF7EF1D4000-memory.dmp

Filesize
3.3MB

Download
memory/1516-142-0x00007FF7EEE80000-0x00007FF7EF1D4000-memory.dmp

Filesize
3.3MB

Download
memory/1516-84-0x00007FF7EEE80000-0x00007FF7EF1D4000-memory.dmp

Filesize
3.3MB

Download
memory/1604-140-0x00007FF631DD0000-0x00007FF632124000-memory.dmp

Filesize
3.3MB

Download
memory/1604-75-0x00007FF631DD0000-0x00007FF632124000-memory.dmp

Filesize
3.3MB

Download
memory/1604-8-0x00007FF631DD0000-0x00007FF632124000-memory.dmp

Filesize
3.3MB

Download
memory/2024-91-0x00007FF7E01A0000-0x00007FF7E04F4000-memory.dmp

Filesize
3.3MB

Download
memory/2024-153-0x00007FF7E01A0000-0x00007FF7E04F4000-memory.dmp

Filesize
3.3MB

Download
memory/2096-95-0x00007FF730570000-0x00007FF7308C4000-memory.dmp

Filesize
3.3MB

Download
memory/2096-136-0x00007FF730570000-0x00007FF7308C4000-memory.dmp

Filesize
3.3MB

Download
memory/2096-154-0x00007FF730570000-0x00007FF7308C4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-148-0x00007FF7DC370000-0x00007FF7DC6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-122-0x00007FF7DC370000-0x00007FF7DC6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-54-0x00007FF7DC370000-0x00007FF7DC6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2260-69-0x00007FF7811D0000-0x00007FF781524000-memory.dmp

Filesize
3.3MB

Download
memory/2260-150-0x00007FF7811D0000-0x00007FF781524000-memory.dmp

Filesize
3.3MB

Download
memory/2296-107-0x00007FF716370000-0x00007FF7166C4000-memory.dmp

Filesize
3.3MB

Download
memory/2296-156-0x00007FF716370000-0x00007FF7166C4000-memory.dmp

Filesize
3.3MB

Download
memory/2296-137-0x00007FF716370000-0x00007FF7166C4000-memory.dmp

Filesize
3.3MB

Download
memory/2688-132-0x00007FF6532A0000-0x00007FF6535F4000-memory.dmp

Filesize
3.3MB

Download
memory/2688-159-0x00007FF6532A0000-0x00007FF6535F4000-memory.dmp

Filesize
3.3MB

Download
memory/2688-138-0x00007FF6532A0000-0x00007FF6535F4000-memory.dmp

Filesize
3.3MB

Download
memory/2720-38-0x00007FF6140D0000-0x00007FF614424000-memory.dmp

Filesize
3.3MB

Download
memory/2720-145-0x00007FF6140D0000-0x00007FF614424000-memory.dmp

Filesize
3.3MB

Download
memory/2768-102-0x00007FF7D5A70000-0x00007FF7D5DC4000-memory.dmp

Filesize
3.3MB

Download
memory/2768-29-0x00007FF7D5A70000-0x00007FF7D5DC4000-memory.dmp

Filesize
3.3MB

Download
memory/2768-143-0x00007FF7D5A70000-0x00007FF7D5DC4000-memory.dmp

Filesize
3.3MB

Download
memory/3096-48-0x00007FF6B0770000-0x00007FF6B0AC4000-memory.dmp

Filesize
3.3MB

Download
memory/3096-115-0x00007FF6B0770000-0x00007FF6B0AC4000-memory.dmp

Filesize
3.3MB

Download
memory/3096-147-0x00007FF6B0770000-0x00007FF6B0AC4000-memory.dmp

Filesize
3.3MB

Download
memory/3144-90-0x00007FF7637F0000-0x00007FF763B44000-memory.dmp

Filesize
3.3MB

Download
memory/3144-144-0x00007FF7637F0000-0x00007FF763B44000-memory.dmp

Filesize
3.3MB

Download
memory/3144-28-0x00007FF7637F0000-0x00007FF763B44000-memory.dmp

Filesize
3.3MB

Download
memory/3260-152-0x00007FF69B000000-0x00007FF69B354000-memory.dmp

Filesize
3.3MB

Download
memory/3260-88-0x00007FF69B000000-0x00007FF69B354000-memory.dmp

Filesize
3.3MB

Download
memory/3284-158-0x00007FF665600000-0x00007FF665954000-memory.dmp

Filesize
3.3MB

Download
memory/3284-123-0x00007FF665600000-0x00007FF665954000-memory.dmp

Filesize
3.3MB

Download
memory/3356-76-0x00007FF723AC0000-0x00007FF723E14000-memory.dmp

Filesize
3.3MB

Download
memory/3356-151-0x00007FF723AC0000-0x00007FF723E14000-memory.dmp

Filesize
3.3MB

Download
memory/3936-68-0x00007FF7064A0000-0x00007FF7067F4000-memory.dmp

Filesize
3.3MB

Download
memory/3936-0-0x00007FF7064A0000-0x00007FF7067F4000-memory.dmp

Filesize
3.3MB

Download
memory/3936-1-0x000002A99E9A0000-0x000002A99E9B0000-memory.dmp

Filesize
64KB

Download
memory/4624-146-0x00007FF797620000-0x00007FF797974000-memory.dmp

Filesize
3.3MB

Download
memory/4624-47-0x00007FF797620000-0x00007FF797974000-memory.dmp

Filesize
3.3MB

Download
memory/4860-14-0x00007FF7CBEF0000-0x00007FF7CC244000-memory.dmp

Filesize
3.3MB

Download
memory/4860-141-0x00007FF7CBEF0000-0x00007FF7CC244000-memory.dmp

Filesize
3.3MB

Download
memory/5028-155-0x00007FF7B8110000-0x00007FF7B8464000-memory.dmp

Filesize
3.3MB

Download
memory/5028-103-0x00007FF7B8110000-0x00007FF7B8464000-memory.dmp

Filesize
3.3MB

Download