Analysis Overview
SHA256
ceab942ce0f34d496e9bc456dffff321cbe25a88c5872fdd8b59fdf88a89b368
Threat Level: Known bad
The file 2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Cobaltstrike family
XMRig Miner payload
UPX dump on OEP (original entry point)
Xmrig family
xmrig
Cobaltstrike
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-07 01:43
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 01:43
Reported
2024-06-07 01:56
Platform
win7-20240508-en
Max time kernel
142s
Max time network
160s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZQoQykr.exe | N/A |
| N/A | N/A | C:\Windows\System\yeuSBZC.exe | N/A |
| N/A | N/A | C:\Windows\System\wVBcqVK.exe | N/A |
| N/A | N/A | C:\Windows\System\tSPNrqG.exe | N/A |
| N/A | N/A | C:\Windows\System\MrYcRAI.exe | N/A |
| N/A | N/A | C:\Windows\System\fTKdHwh.exe | N/A |
| N/A | N/A | C:\Windows\System\IciMNyV.exe | N/A |
| N/A | N/A | C:\Windows\System\fRYCedK.exe | N/A |
| N/A | N/A | C:\Windows\System\pRBfYAq.exe | N/A |
| N/A | N/A | C:\Windows\System\yITuXyf.exe | N/A |
| N/A | N/A | C:\Windows\System\BnkMXrr.exe | N/A |
| N/A | N/A | C:\Windows\System\EvgaWoa.exe | N/A |
| N/A | N/A | C:\Windows\System\GNozFdd.exe | N/A |
| N/A | N/A | C:\Windows\System\lmTNXSn.exe | N/A |
| N/A | N/A | C:\Windows\System\WrVzcxN.exe | N/A |
| N/A | N/A | C:\Windows\System\ywTWRQU.exe | N/A |
| N/A | N/A | C:\Windows\System\rrMYrHS.exe | N/A |
| N/A | N/A | C:\Windows\System\nrAKZPi.exe | N/A |
| N/A | N/A | C:\Windows\System\ZojZUZx.exe | N/A |
| N/A | N/A | C:\Windows\System\huyjgfH.exe | N/A |
| N/A | N/A | C:\Windows\System\HcSzbnx.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 01:43
Reported
2024-06-07 01:57
Platform
win10v2004-20240426-en
Max time kernel
133s
Max time network
151s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LVUxBpM.exe | N/A |
| N/A | N/A | C:\Windows\System\xEonPre.exe | N/A |
| N/A | N/A | C:\Windows\System\OeyFlxe.exe | N/A |
| N/A | N/A | C:\Windows\System\xOrzLHe.exe | N/A |
| N/A | N/A | C:\Windows\System\mMomgcf.exe | N/A |
| N/A | N/A | C:\Windows\System\WobcRnx.exe | N/A |
| N/A | N/A | C:\Windows\System\MfCoHdg.exe | N/A |
| N/A | N/A | C:\Windows\System\eyVKxxT.exe | N/A |
| N/A | N/A | C:\Windows\System\WPccKzt.exe | N/A |
| N/A | N/A | C:\Windows\System\TgTWcfc.exe | N/A |
| N/A | N/A | C:\Windows\System\iYbvcpk.exe | N/A |
| N/A | N/A | C:\Windows\System\iuqHQns.exe | N/A |
| N/A | N/A | C:\Windows\System\JLupGEA.exe | N/A |
| N/A | N/A | C:\Windows\System\Jtdrhcd.exe | N/A |
| N/A | N/A | C:\Windows\System\HCfTmfe.exe | N/A |
| N/A | N/A | C:\Windows\System\ZcrGNoP.exe | N/A |
| N/A | N/A | C:\Windows\System\DfVRHtb.exe | N/A |
| N/A | N/A | C:\Windows\System\pvRluMw.exe | N/A |
| N/A | N/A | C:\Windows\System\slJLaCF.exe | N/A |
| N/A | N/A | C:\Windows\System\xOYVyGL.exe | N/A |
| N/A | N/A | C:\Windows\System\uCSqTCl.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files