cobaltstrike | 0bc388e40ed41794005de25ca6a27aa6812257832ec026df423a42a37fa9965f

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Size

10.8MB
MD5

f23605e860daf246ec214e95f5dcf553
SHA1

ce34310ecb6523be0110b7f4dd41bcfada5da604
SHA256

0bc388e40ed41794005de25ca6a27aa6812257832ec026df423a42a37fa9965f
SHA512

eb5fed5e6d601bb9e7caaf0d55142e8fdb43bbb5b6bf97b0997e95402f64a2384b169759e30ec7b1adf3e0c5f8c83ee379daf8ccbb5443241107370ae2ac8be2
SSDEEP

196608:dvg6YpjCa8BMHwNuD7PKUNwabNJvmrMQwHEFoWu1:dYXpkG6uDBuQjmrOHN

Score

10^/10

cobaltstrike xmrig backdoor miner trojan

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects executables containing URLs to raw contents of a Github gist 7 IoCs

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2180-791-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2180-1459-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2180-2191-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2180-2742-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2180-3639-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2180-3667-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	xmrig
behavioral1/memory/2180-791-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2180-1459-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2180-2191-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2180-2742-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2180-3639-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2180-3667-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig

Drops desktop.ini file(s) 9 IoCs

Processes:

2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\desktop.ini	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	D:\autorun.inf	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	F:\autorun.inf	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	F:\autorun.inf	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\vlc.mo	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Mauritius	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Design.Resources.dll	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Mail\wabfind.dll	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\currency.js	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libsatip_plugin.dll	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Adelaide	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tashkent	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_few-showers.png	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Rome	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Tell_City	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_h.png	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_over.png	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\init.js	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_zh_TW.properties	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Fortaleza	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Managua	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\bin\decora-sse.dll	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ChessMCE.lnk	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\es-ES\Solitaire.exe.mui	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\RSSFeeds.js	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe

Modifies Internet Explorer start page 1 TTPs 5 IoCs

stealer

Modify Registry

T1112

Processes:

2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.zFuVwunVcB.com"	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.oYHAJcLCge.com"	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.yQqtuFWGdP.com"	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.SIgjPBYOIJ.com"	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.zeFEoSxHke.com"	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe

description	pid	process
Token: SeLockMemoryPrivilege	2180	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
Token: SeLockMemoryPrivilege	2180	2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_f23605e860daf246ec214e95f5dcf553_cobalt-strike_cobaltstrike_xmrig.exe"
1⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2180

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll.exe
Filesize
11.1MB

MD5
ce68b2a830086491a49acf606fff7e5b

SHA1
b9292ba8177b2c973b197e13f773d7e9fe2d99c9

SHA256
e3d92265ac3f703729282fd6f1a627d7783c53caef411d7e99452ca1298bd8ed

SHA512
a8b765cb53fcc6ca527c11a8a410ebc62d722f695a2faf9c43680761883ebd51770571a9b5b5ca53ceb551a0d274c2bb78ad31f1162fc30a0f7037ae3879605a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
2bb0acf737d0cee5ba38da4380be0ac1

SHA1
eb85afb24b7d1fd2c83a6cd307eaaf8883a573ff

SHA256
e606c2a67c59933c2435d9124784dab968da60775b2a7a82759baa95a9f7beac

SHA512
c8259c286a3ca823517fc8277c32bf06fb98732895794fc7f3906391a308388d55dd05ea2ce000a686fc4eaa1548c263836476e70c2e380b39092db0c803eb68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
26f2c4e710c2360309447f4bf5cdd13b

SHA1
2756955df7fe9c90b02cf1a9c390235b410938c9

SHA256
027952f69cce456c3099e484f5c3ed09189e1f98d82818b4da6cb11b3524b461

SHA512
a4b01fda0e59a0d93d167a104316b89b0bf99dfbf82ea6a2a4c761bcd3352e4b27803e4ae0e6d313c29127f5b9a2b16c900e669c1953c10814cea4fdf55936f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b625023eb6f21e8bc3f78c8ebec22c62

SHA1
bf212319b46ff752d5f57a79c5ff8892a6cb45ff

SHA256
9de933747c19d5d75e09a4c326a71e7b327ac5c2232d1c927aa825dc8c6aa4e7

SHA512
6a64148dd32ef33d80a091b433964a771a112cfcb6da0eccdb7537ecd4e51b58dad4481cb7a553b4aa5df94e34fc0f7cdd798dff83e58d4b8ffa25ccfdcb15c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9ebae11b1736cf2f95dcac6a67c0373f

SHA1
9abbbf6d344fe99bf27c7d60209931ab5ebd4c16

SHA256
a76e5e8f34a5e7c043ce1a2805e501d8874190b30882c30b2892b327ef545e76

SHA512
2545b8eff4768fd2e03b9772669808c9cfdca0c64c965ae24dcc3313a47f62f1eff8547c115a5095b543d947b0a94e5c1929c6a542d7e2f1ba6723cb4d6a3015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
30ca8717c05f316ab22b048e64f0e802

SHA1
e8d4661cd7a29a1aaaf32205d9e4a11d818d9529

SHA256
f1984c9d984322ad725d63cd151a320d647f7de4480a06adf4caed27d24e1871

SHA512
b2ce336bdbf77b042866f85e5e6bd1f0dc636a9250be88b5c6546bd7dab14b354568877706cc4126df06499792afd79e75a26a6b07932db31fe230d04c72edef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
eaba2aafe87545b8514f48f772175d27

SHA1
a810952d43bd8a7573770436953e109addbf6c9e

SHA256
25473d5ab06d857b1ce77cf2b693445ca21f9d94246b53f5dbbb02b0755eee57

SHA512
e3770bafea3b2c8c65df3ef315c32ed6a4deff996d083ac0600dc6df0e43dcf5a1b903fc9342bab6b49d5cb72230bb6e82acb4032adf69115337f7fcbdd2d411

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
06c68094cfac58288e2ec16b02a98673

SHA1
e7e87aa328abe57fae7b232faa70b64eed57e629

SHA256
45c8bd8e7088b58b49fdedd6cce1d467aba7d14948444bb6f43816a9339fa5f1

SHA512
996bf63627934b27348d399a03acd434c41d73e9a49fc9ac74552cdf25a7e3ff7a180fc105466f90df4bc20e6b4fb76bc43e85ba377510ca4eefb02bc0431624

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
48fced9f2f83eedc60ca3bffbed7a219

SHA1
81539b680c559ca118bfaa6fbd41f3dbe99c810d

SHA256
bf1d358f41e1c9d6d116fc92320ff8747891e1e0055bb4b9d50e1ce05e5f49fe

SHA512
75430e2a528502fabbee3ad6faa8086527b9c923e67b29a59d7009a62e1076024a2c3a52f67c5231d9920d42789edecd46936e9514bcc55483772101b9f94177

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1e3dadc1f29d1299349f3bde0923e3ba

SHA1
56ae366c5232c62f039540bac3e96f455cc0ac70

SHA256
ba916bb787a0e216c2de97d125316e8bde6471ec7482c948477c6c9ed41313b8

SHA512
3558bc86d705c2fbf28a3953c1d45663bf75aba21ff2935a0bcbd67ecacadfa21bfe8939c6870853f7b290dd236ed35d8d9041674a498fc8e2007b304dc0df26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab22A0.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar22A2.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/2180-791-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2180-2191-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2180-1459-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2180-2742-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2180-0-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2180-3639-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2180-3660-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2180-3662-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2180-3663-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2180-3664-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2180-3665-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/2180-3667-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2180-3668-0x0000000000401000-0x0000000000A18000-memory.dmp

Filesize
6.1MB

Download