Analysis Overview
SHA256
1af27e2230a7ae8d94ad15f9a0d9d6c25b8f9a7412bdb3fb47ebc8fe3bac709a
Threat Level: Known bad
The file 2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike family
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Cobaltstrike
Detects Reflective DLL injection artifacts
xmrig
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-09 03:00
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
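The two static hits above, UPX packed file and Unsigned PE, can be reproduced from the PE header alone. The Python below is an added example, not part of the sandbox report or its signature engine: it reads the section table and the Authenticode data directory of a PE and reports UPX's default section names and whether a signature blob is attached. Because the sample's bytes are not on this page, the block builds a constructed header-only PE32+ image as a stand-in; the function and constant names are mine. Two caveats apply in practice: a packer can rename UPX0/UPX1, so a clean section table does not prove an unpacked file, and a populated security directory only means a signature is present, not that it verifies, which still needs signtool or Get-AuthenticodeSignature.

```python
import struct

# IMAGE_DIRECTORY_ENTRY_SECURITY: the data directory that points at the Authenticode blob.
SECURITY_DIR_INDEX = 4


def inspect_pe(data: bytes) -> dict:
    """Read section names and the Authenticode directory from a PE header.

    Returns the section names, which of them carry UPX's default names, and
    whether the security data directory is populated (an unsigned PE leaves it
    zeroed).  A populated directory only means a signature blob is present; it
    says nothing about whether that signature verifies.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")

    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)

    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:                        # PE32+
        dirs, num_dirs_off = opt + 112, opt + 108
    elif magic == 0x10B:                      # PE32
        dirs, num_dirs_off = opt + 96, opt + 92
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_dirs,) = struct.unpack_from("<I", data, num_dirs_off)

    has_authenticode = False
    if num_dirs > SECURITY_DIR_INDEX:
        sec_off, sec_size = struct.unpack_from("<II", data, dirs + SECURITY_DIR_INDEX * 8)
        has_authenticode = sec_off != 0 and sec_size != 0

    sections = opt + opt_size                 # IMAGE_SECTION_HEADER[], 40 bytes each
    names = []
    for i in range(num_sections):
        raw = data[sections + 40 * i: sections + 40 * i + 8]
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))

    return {
        "sections": names,
        "upx_sections": [n for n in names if n.upper().startswith("UPX")],
        "has_authenticode": has_authenticode,
    }


def build_min_pe(section_names, signed: bool) -> bytes:
    """Construct a header-only PE32+ image for testing (not a loadable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240                            # PE32+ optional header with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)     # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)      # NumberOfRvaAndSizes
    if signed:
        # Pretend a 0x800-byte Authenticode blob sits at file offset 0x1000.
        struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, 0x1000, 0x800)
    headers = b"".join(n.encode("ascii").ljust(8, b"\x00")[:8] + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + headers


def describe(data: bytes) -> str:
    """One-line verdict in the report's wording for the two static signatures."""
    info = inspect_pe(data)
    tags = []
    if info["upx_sections"]:
        tags.append("UPX packed file")
    if not info["has_authenticode"]:
        tags.append("Unsigned PE")
    return ", ".join(tags) or "no static hit"


if __name__ == "__main__":
    print(describe(build_min_pe(["UPX0", "UPX1", ".rsrc"], signed=False)))
    print(describe(build_min_pe([".text", ".data"], signed=True)))
```

To run it against a real file, read the bytes with `open(path, "rb").read()` and pass them to `describe`; the parser only touches the headers, so a truncated download that still has its section table is enough to classify.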
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 03:00
Reported
2024-06-09 03:03
Platform
win7-20240508-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
19 matches; no description, indicator, process or target recorded for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
19 matches; no description, indicator, process or target recorded for any of them.
UPX dump on OEP (original entry point)
60 matches; no description, indicator, process or target recorded for any of them.
XMRig Miner payload
64 matches; no description, indicator, process or target recorded for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZOSjAds.exe | N/A |
| N/A | N/A | C:\Windows\System\deeZsmq.exe | N/A |
| N/A | N/A | C:\Windows\System\LRGDCiX.exe | N/A |
| N/A | N/A | C:\Windows\System\RHXnFcl.exe | N/A |
| N/A | N/A | C:\Windows\System\PbFpdoM.exe | N/A |
| N/A | N/A | C:\Windows\System\SMsRqgO.exe | N/A |
| N/A | N/A | C:\Windows\System\WHAbgyL.exe | N/A |
| N/A | N/A | C:\Windows\System\DqLAJty.exe | N/A |
| N/A | N/A | C:\Windows\System\kffWXoO.exe | N/A |
| N/A | N/A | C:\Windows\System\XPcOhTf.exe | N/A |
| N/A | N/A | C:\Windows\System\LpGrckF.exe | N/A |
| N/A | N/A | C:\Windows\System\kyCzxXM.exe | N/A |
| N/A | N/A | C:\Windows\System\RGtKvny.exe | N/A |
| N/A | N/A | C:\Windows\System\ysDFWXX.exe | N/A |
| N/A | N/A | C:\Windows\System\HMrVTRT.exe | N/A |
| N/A | N/A | C:\Windows\System\UaAPqQQ.exe | N/A |
| N/A | N/A | C:\Windows\System\zIIUcyY.exe | N/A |
| N/A | N/A | C:\Windows\System\RYIwiOR.exe | N/A |
| N/A | N/A | C:\Windows\System\VvFtaHm.exe | N/A |
| N/A | N/A | C:\Windows\System\QInkysK.exe | N/A |
| N/A | N/A | C:\Windows\System\tyTWUUf.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches; no description, indicator, process or target recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe | N/A |
SeLockMemoryPrivilege is the privilege Windows requires before a process may allocate large pages; XMRig requests it to back its hashing memory with large pages, so this hit belongs with the XMRig detections above rather than with the injection-related privileges (such as SeDebugPrivilege) one would look for in a Cobalt Strike stage. Note that it is the submitted executable itself, not one of the dropped children, that adjusts the token.
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\ZOSjAds.exe | C:\Windows\System\ZOSjAds.exe |
| C:\Windows\System\deeZsmq.exe | C:\Windows\System\deeZsmq.exe |
| C:\Windows\System\RHXnFcl.exe | C:\Windows\System\RHXnFcl.exe |
| C:\Windows\System\LRGDCiX.exe | C:\Windows\System\LRGDCiX.exe |
| C:\Windows\System\PbFpdoM.exe | C:\Windows\System\PbFpdoM.exe |
| C:\Windows\System\SMsRqgO.exe | C:\Windows\System\SMsRqgO.exe |
| C:\Windows\System\WHAbgyL.exe | C:\Windows\System\WHAbgyL.exe |
| C:\Windows\System\DqLAJty.exe | C:\Windows\System\DqLAJty.exe |
| C:\Windows\System\kffWXoO.exe | C:\Windows\System\kffWXoO.exe |
| C:\Windows\System\XPcOhTf.exe | C:\Windows\System\XPcOhTf.exe |
| C:\Windows\System\LpGrckF.exe | C:\Windows\System\LpGrckF.exe |
| C:\Windows\System\kyCzxXM.exe | C:\Windows\System\kyCzxXM.exe |
| C:\Windows\System\RGtKvny.exe | C:\Windows\System\RGtKvny.exe |
| C:\Windows\System\ysDFWXX.exe | C:\Windows\System\ysDFWXX.exe |
| C:\Windows\System\HMrVTRT.exe | C:\Windows\System\HMrVTRT.exe |
| C:\Windows\System\UaAPqQQ.exe | C:\Windows\System\UaAPqQQ.exe |
| C:\Windows\System\zIIUcyY.exe | C:\Windows\System\zIIUcyY.exe |
| C:\Windows\System\RYIwiOR.exe | C:\Windows\System\RYIwiOR.exe |
| C:\Windows\System\VvFtaHm.exe | C:\Windows\System\VvFtaHm.exe |
| C:\Windows\System\QInkysK.exe | C:\Windows\System\QInkysK.exe |
| C:\Windows\System\tyTWUUf.exe | C:\Windows\System\tyTWUUf.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Several dropped executables appear twice below, once as \Windows\system\<name>.exe and once as C:\Windows\system\<name>.exe, and the two entries carry different hashes. The report does not say which write produced which, so treat every hash listed here as a separate artifact rather than assuming one hash per file name.
memory/1736-0-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/1736-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\ZOSjAds.exe
| MD5 | 0c4fa25607b4370165ec346f1ab5cf33 |
| SHA1 | e793a93cf0e5f3e380ba686a46b04e292ac07498 |
| SHA256 | f680fd2e7e49c6829b698cc5e2e48b3f3ec8ee78dfde1c28c492f9f7a1d1aa8a |
| SHA512 | 57cf1299c34833ccdb24babcc7aeb948098cf922afcd315f5a5058d132d8d7c108e23a581403cea07290b7bffcfee0f7a4aa118bae4b90c90b7ccd5b4bd86e46 |
C:\Windows\system\ZOSjAds.exe
| MD5 | 08eafc1774f698f370d0718289fcd234 |
| SHA1 | 66b83b284ce1d9c4fc471d3e4551706cab8375fe |
| SHA256 | 14085b5a368d46c833885e8e8019623a4fde452e1307b111b230fe8b13333f47 |
| SHA512 | 41a069d761cee4c3d0d86eb44de3cd9c0b7aa5012b0db410f996238976ec9817750ab5bd5744739d63f870ed6252eec49bade9191d8e10f8c3aeeb207e0289fb |
memory/1736-7-0x00000000022B0000-0x0000000002604000-memory.dmp
C:\Windows\system\deeZsmq.exe
| MD5 | af48687689822d5820e79e82ff60116d |
| SHA1 | 9b735584a6b32d5f788e7e7004e33080c80fd469 |
| SHA256 | f8b520209de195a21b7127e4ce870f24844c9e5717cee39aeb5aaec0dce507d9 |
| SHA512 | 8e946bddbf65ba5ea6ec8826dd4d31e5d38abd028e868f38bff9da7e8fe8ca82aa994323c6efc53177353620557f07148ee4ca42ab6fb2a74e8c6647a8e3c108 |
memory/1736-22-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2692-27-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/1676-30-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2864-15-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/1736-29-0x000000013F260000-0x000000013F5B4000-memory.dmp
C:\Windows\system\RHXnFcl.exe
| MD5 | 1f998fa697cd8622747a38f64299a573 |
| SHA1 | 492bbb2ea85f471c6ca2e1fe5d05c26642503178 |
| SHA256 | 57338c9fb6668d33eb6ff3885eee80504faa7da870b3ba319d2f3569c94336aa |
| SHA512 | d430b654fac541e8b00cfa42698ab7671c7a46de805e83f4ed6a3124f48ef7f864104c6e4082598264017e555b0bf6556978391f1b8f2ad72d4db1331db1571c |
memory/2604-25-0x000000013F570000-0x000000013F8C4000-memory.dmp
C:\Windows\system\LRGDCiX.exe
| MD5 | ab9b7f419fd2a276a4c460a89170d441 |
| SHA1 | 102f31dcb179d7f22b7bf328e449b251d74ed673 |
| SHA256 | edb8cd63fd2a65550bbe52f25806394e94eb919ddef861a54c41892c32e89632 |
| SHA512 | c32b30203801d6b564309596c05af33d2bfe6d1573fc74ffd40050a63a5850e2879d02ff75377f59d54711687b638b8332efb132e98e801fae307699e076c749 |
\Windows\system\RHXnFcl.exe
| MD5 | 1e2459942327eb396bd8cd9cbc885d14 |
| SHA1 | b979cbcb517509c30843efb1d91bef30f1f24a44 |
| SHA256 | 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a |
| SHA512 | 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7 |
memory/1736-19-0x000000013F570000-0x000000013F8C4000-memory.dmp
\Windows\system\PbFpdoM.exe
| MD5 | ed0e997a4e2bd44d6cffef178134421e |
| SHA1 | e0bd7edc8371b83e891888ab1a78ef80151d1f83 |
| SHA256 | 68c2ac04b6c388dd16baa7ef6b9af76562dd1aaec6dff14c1cad639af093f1cf |
| SHA512 | a7adb794b5474a373d6dad7dd6f3c1f2bc1e403d9744332189c01caab75a2b5d3b122602e94e3c54bb48a3e96785c69d48df700d88c5445e290a366de011e20c |
\Windows\system\DqLAJty.exe
| MD5 | bf1b8e5e1f1d2494586162de540bad5c |
| SHA1 | fbf2bd329a558f72391f6c28d843d05a17a04440 |
| SHA256 | 54224a3d5a1523da6d82b55f882fa9dac7a24f2f8017a5f473946a6332981a6e |
| SHA512 | a2622afff70973432d33a819bafb070f9b0804644190ea9af2744df7c68badba6c5bf058e0362eff3a678cb5738677984122d3ec888c13c2d38dced38501321f |
memory/2432-57-0x000000013FB00000-0x000000013FE54000-memory.dmp
C:\Windows\system\XPcOhTf.exe
| MD5 | dec6a43021985b77b042d7184920ba19 |
| SHA1 | 95ee1f5371567aad30a8388f0b1055acc094fa68 |
| SHA256 | 549b4f74994c65d217212a32116ec2bc331ac15488ada8d745539d01598848ac |
| SHA512 | 1db803a6c67def2d68eca8823c5aec4f62b0d2511b1e91e57ec4b0ce40b372b71cd2021b3545956a6f74ceefe90c16c921a95a7320101fb10ad823bd4123bcfb |
memory/2836-92-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/1736-107-0x00000000022B0000-0x0000000002604000-memory.dmp
\Windows\system\tyTWUUf.exe
| MD5 | 8a74009f7dd9c036cc12b3f189bd9ac6 |
| SHA1 | e53d33c260bb77d6ec7f4c05d6b7a52ccd5f9de0 |
| SHA256 | b349cfcd57c9962c2310b863621992c24963856bb8765a72596762e3d22c0932 |
| SHA512 | 6b058797ebf39246aeec4041256bec3900d2fe258c40c7a628ad2f0a7c71cd84516d0e4598c1b869d273f2d776086698842e42f21ab1a8adea547d9c55a56876 |
C:\Windows\system\tyTWUUf.exe
| MD5 | c6739666a33a990476e2ff789e179e93 |
| SHA1 | 249b85550a016e28ee0d095a00c5b35435a209f9 |
| SHA256 | 7137a161db4e29a4d976f5c3fcd19c959e2542d95a845cecb635d7dfb9490c5c |
| SHA512 | 66132284d0e97bd63ab44e6fc9772bb321ce05fcfab04044d316eb0273b6e03890a30d633311e5f195f58355514c26acf2a5f9527599935572dbb787f46e6a7e |
C:\Windows\system\QInkysK.exe
| MD5 | 8bf2cc209f6510f3080249e102d752aa |
| SHA1 | b30e5dd4c525bf9c7be91e31b8a5924b94451eea |
| SHA256 | 63f568b4fb0012c97e126693182ecd044ad372800e911c03f7af9ea8081d71e9 |
| SHA512 | 40ff07fc50c5dcd24482e4572d1988160c5021b5376ec300b0a6546f3f6f1223a82136448f52580e992d5cda113de5efa4c2900d448525d835df511e87fc3d33 |
C:\Windows\system\VvFtaHm.exe
| MD5 | 06e7776c45522cd727375134e965e22f |
| SHA1 | b3c6cc8ec21bae0f0aa8708062a4e0f18fd21432 |
| SHA256 | 2e168c5305fc6931df6647569f2eac771398a9fe5bbc1782667bc1c201007bfb |
| SHA512 | 0b18810a5223438d648db6031a4bc963ddc222296395333088b069467dd1914822ad34fd9a3ff6c6694db24c914bdda3b30ab67d7943ad9a074d0ee7d9dc226d |
\Windows\system\VvFtaHm.exe
| MD5 | 240a95cb60c14ce340f2f5434b66d5ce |
| SHA1 | a658fafc8419469abf15f4757791c55f9906191b |
| SHA256 | 14fb1a8344fca61dca7af51c053a3eb59740a4a087a317d91117d91423669367 |
| SHA512 | 063b41bd92b61500310dc6790f764f1ce293ff07d51e4c54628c9d47056b7bd1a4aabd867e95099092a1eb8633312aecad7ecd17af7c91dd16baf071c01435c2 |
C:\Windows\system\RYIwiOR.exe
| MD5 | d087d60bee972482ba414dde57d94064 |
| SHA1 | 0e58102d75409e85387c950e86f4cc96da371515 |
| SHA256 | 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9 |
| SHA512 | 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b |
C:\Windows\system\UaAPqQQ.exe
| MD5 | 7a7cd4e734c6f2632f0a46add1b0b648 |
| SHA1 | 7656c873c48bfede449e7dca92f1494455d5ca4d |
| SHA256 | ee4d4bc55661aed842567b033ed6b9f54e0d59c1679bce8cbf404ff16bcd75e3 |
| SHA512 | 135a64e0a52684ab26d5f3b823ff8a9ba6eaa70022c2dbf2fc984bb976ea0ba770dd28317bc1eff31d2ca4bd1d7b5c9d25cb74778a76439a76cb9357d260ec2f |
memory/2520-106-0x000000013F670000-0x000000013F9C4000-memory.dmp
C:\Windows\system\HMrVTRT.exe
| MD5 | 392bfb954c8bde1343fc7a4c84ea55e9 |
| SHA1 | aef22e8df745f1d85d6a7a6873b99f38be177585 |
| SHA256 | 4fbdae2eb6e9cd850b7ac0ad5ea56f20ee062e1220b11f1e5fc7e199289e1776 |
| SHA512 | dd814ce86b844ebe188e5c1d5d236af96f5edcd19a9cc995c43144053be0b13f358a0d37c94127475b3c700ee735ed91336e365c7955118fb8bc7e4ae769bf2f |
\Windows\system\HMrVTRT.exe
| MD5 | 67d7d0c360c2defa9a36a47a23af7dd6 |
| SHA1 | efd9d2994e80ef40cbaab5f7ef02420aebe17206 |
| SHA256 | 0521cd0d1d60fc081a5e4d3f28f5a76a962e60920d871e29a2de526b0e72b791 |
| SHA512 | f5338aedc9e177da3d3af04e6946e9f03280307d40c8e1e2e21b270727d9ec57427c8f7861835c62a83f44226e722c786902eaaa4187cfaefc3a81305ca12e2b |
memory/2188-137-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/3000-99-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/1736-98-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/1736-91-0x00000000022B0000-0x0000000002604000-memory.dmp
C:\Windows\system\ysDFWXX.exe
| MD5 | f6ff13f5b74581b4d693140d7ed15d42 |
| SHA1 | b5f72d745d10b4b9c5938885364efade2590a6ab |
| SHA256 | 0632369166c9bc5c9b434ffd89ec9c9f265e35db5f9f6e8b7957c45b2c7683c7 |
| SHA512 | 39ddedcd48f0afefef8b6d9f4c6350246031d6adffaa23199754b30948665cbedbf8af674f3d181d1c85403f8709c1fd9ff92429b133ea7e8be126dcdcc115dd |
\Windows\system\ysDFWXX.exe
| MD5 | ced6503f1c442b215a831868d06a53c4 |
| SHA1 | d1546486e9a0a87544debc9d7cfe00f7d2fcb25b |
| SHA256 | e275615d23ea2865d75a0660f437a7d370977a82d9b793f46f83217faabc1309 |
| SHA512 | 6a0a0fbefffb4e18dbf3cf69b0665c759689d4226cfb687511f02c0243028181f491c0c45e1d040428b7fac5c6352059fa68bd53dd377cd6e8ca55b464eab7e6 |
\Windows\system\RGtKvny.exe
| MD5 | 0c889b2cf4cc08ad6fd922ca312c17e1 |
| SHA1 | f5b45fb9a6def28157e603f9c3cde74ddbe22c2d |
| SHA256 | c03fd608ca3ca8fdff6fcd672a297712dcd914a0feb13d42092191a53962dfa6 |
| SHA512 | 68934fba5ce2ef3490dd2c9f60e7005b8e234a9ad2c46bdce0a867cde65920e6acb902e6287c577b4824d66c818991d87cca4ebbe40755e252ef4ba431ea9b05 |
memory/2256-85-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/1736-84-0x000000013F5F0000-0x000000013F944000-memory.dmp
C:\Windows\system\kyCzxXM.exe
| MD5 | 6f576608053fcf29ed404927c5fb26e0 |
| SHA1 | 9070cbacf17ecc2168e221d7e4526388e3a25209 |
| SHA256 | cbd8e45cf18567a54ae4e3ee707a71da40fa2cf9f818cff08c7d101780e56f6c |
| SHA512 | 4b9f8883d8874648c7907a88329ac2618c565ac3623a0d69b3f4c0e9ec1cdc172784065d108077973ed8f696d4285a0844f406c04dff3b72af4c4088078fbf2a |
memory/2392-78-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2864-77-0x000000013FE40000-0x0000000140194000-memory.dmp
C:\Windows\system\LpGrckF.exe
| MD5 | 599ae7f1dfdc3e12d22b505e1579eed5 |
| SHA1 | 44d2434e3fc35ffd8da9fb200647988833d833c1 |
| SHA256 | de913118e473fb6f56d8fdbc6f1a209552cc3230fd0229caab472a65af56fb7d |
| SHA512 | 628c3bd4ddd6da7bad56fe5eb51798d5501d41b4eedb9656e30d55709233fec51e0c08eae61774d36d5107985c40d2f1653f900ea8ad915b3ca4d5d991067f3c |
memory/2680-71-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/1736-70-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2528-64-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/1736-63-0x000000013FC90000-0x000000013FFE4000-memory.dmp
C:\Windows\system\kffWXoO.exe
| MD5 | 4f17e12a53ee5aee4ae8f5a7a959f84a |
| SHA1 | 2f0da666e465db6ff66879c7aab09fc3c4c136d5 |
| SHA256 | e97a388d34e0be6f1ef14a372be34b5315037b66eab49336eaed21bb06854c37 |
| SHA512 | 64c859abe0a6bc9ee388d98cbc819b3026eacaf7755b303a746613aa605c694adfb918fc0cc3bb6673990f91a3867e0f1a9eb5116df6cb8b432a61fb6ab8c238 |
memory/2840-51-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/1736-50-0x00000000022B0000-0x0000000002604000-memory.dmp
C:\Windows\system\WHAbgyL.exe
| MD5 | 8e9a56ccd9e0998e0e10657d2e5b8a28 |
| SHA1 | 62db83deb188b34d0703d5fb5cd345acd948966f |
| SHA256 | f8aadcc13094264527ef90a8e3927233e9510330b8d5b82dbeccb8c03de4b4d3 |
| SHA512 | cd113b3d29f5e540658dbd8735466bf5e8b6ea0abc5d853aa1834e8387348e417887e6b5b0e1969d5e346d49e4aecd12eff3fa370ce80d45d7fd3f7404f02aec |
memory/1736-56-0x00000000022B0000-0x0000000002604000-memory.dmp
memory/2188-42-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/1736-41-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2520-36-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/1736-35-0x000000013F670000-0x000000013F9C4000-memory.dmp
C:\Windows\system\PbFpdoM.exe
| MD5 | 04d51d193560bd7cbe3c1aa4176588ed |
| SHA1 | 50c403f2cdd24613871102930823a4077a309a84 |
| SHA256 | d2f2e6f71c7392c54365bfeba96646f1b48bfc2b35cee99399fabe8555745a79 |
| SHA512 | 16c84370d3456e4b479306cb1207e32853b3b3dacdc34ee2c06bac6f00e0ed99d27f6c49bc2894052479d03d45c8d3898044a71ee9425a44f4f5a31a42b6918a |
C:\Windows\system\SMsRqgO.exe
| MD5 | faffcf3d398d3fe1bcff9a2c280fa6c4 |
| SHA1 | 7a6a72bfe81ed3ad6258f1efc93dee0c22d4cc59 |
| SHA256 | 36bce5488bd1870aefc42e110b9f27238fbc2170af713fb52c657a711949700c |
| SHA512 | 170895045fd922e2625497da13d6e048e92c7a7b04677856cfeda4d5fbf493f2de84761f3d8a6f2e9c64f453253c9df99985836e8cab3960da0305937d5b0c12 |
memory/2432-138-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2528-140-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/1736-139-0x00000000022B0000-0x0000000002604000-memory.dmp
memory/1736-141-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2680-142-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2392-143-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2256-145-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/1736-144-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2836-146-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/3000-148-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/1736-147-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/2864-149-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/2604-151-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2692-150-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/1676-152-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2520-153-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/2840-155-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2188-154-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2432-156-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2528-157-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2680-158-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2392-159-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2256-160-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2836-161-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/3000-162-0x000000013F700000-0x000000013FA54000-memory.dmp
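The memory dump names above encode a PID, a dump index and the dumped address range. The Python below is an added example, not part of the report: it parses a copied subset of those names, computes each region's size and lists ranges that were dumped under more than one PID. On this report's data every region except the 64 KiB one at 0x80000 is exactly 0x354000 bytes, and PID 1736, the submitted executable, has dumps at the same ranges its children occupy as image bases (for example 0x13F5A0000-0x13F8F4000 under both 1736 and 1676). That is consistent with the parent writing the same payload into each child, as the WriteProcessMemory signature suggests, but it is my inference from the dump names, not a statement the report makes. The function names are mine.

```python
import re
from collections import defaultdict

# Dump names copied verbatim from the behavioral1 "Files" section of this report
# (a subset; the remaining names follow the same pattern).
DUMP_NAMES = [
    "memory/1736-0-0x000000013FC90000-0x000000013FFE4000-memory.dmp",
    "memory/1736-1-0x0000000000080000-0x0000000000090000-memory.dmp",
    "memory/1736-7-0x00000000022B0000-0x0000000002604000-memory.dmp",
    "memory/1736-22-0x000000013F5A0000-0x000000013F8F4000-memory.dmp",
    "memory/2692-27-0x000000013F260000-0x000000013F5B4000-memory.dmp",
    "memory/1676-30-0x000000013F5A0000-0x000000013F8F4000-memory.dmp",
    "memory/2864-15-0x000000013FE40000-0x0000000140194000-memory.dmp",
    "memory/1736-29-0x000000013F260000-0x000000013F5B4000-memory.dmp",
    "memory/2604-25-0x000000013F570000-0x000000013F8C4000-memory.dmp",
    "memory/1736-19-0x000000013F570000-0x000000013F8C4000-memory.dmp",
]

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split one dump file name into pid, index, start, end and size."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end, "size": end - start}


def inventory(names):
    """Group dumps by PID, collect distinct sizes and find ranges shared across PIDs."""
    regions = [parse_dump_name(n) for n in names]
    by_pid = defaultdict(list)
    owners = defaultdict(set)
    for r in regions:
        by_pid[r["pid"]].append(r)
        owners[(r["start"], r["end"])].add(r["pid"])
    return {
        "by_pid": {pid: sorted(rs, key=lambda r: r["idx"]) for pid, rs in by_pid.items()},
        "sizes": sorted({r["size"] for r in regions}),
        "shared": {rng: sorted(pids) for rng, pids in owners.items() if len(pids) > 1},
    }


def report(inv):
    """Render the inventory as plain text, one finding per line."""
    lines = [f"distinct region sizes: {', '.join(hex(s) for s in inv['sizes'])}"]
    for pid, regs in sorted(inv["by_pid"].items()):
        lines.append(f"pid {pid}: {len(regs)} dumps")
    for (start, end), pids in sorted(inv["shared"].items()):
        lines.append(f"range {start:#x}-{end:#x} dumped under pids {pids}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(inventory(DUMP_NAMES)))
```

Feeding the full list of names from the report into `DUMP_NAMES` extends the same picture; the identical 0x354000 size across every child is also a quick way to decide that one set of YARA or entropy checks on a single dump is representative of all of them.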
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 03:00
Reported
2024-06-09 03:03
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
13 matches; no description, indicator, process or target recorded for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
13 matches; no description, indicator, process or target recorded for any of them.
UPX dump on OEP (original entry point)
60 matches; no description, indicator, process or target recorded for any of them.
XMRig Miner payload
64 matches; no description, indicator, process or target recorded for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZOSjAds.exe | N/A |
| N/A | N/A | C:\Windows\System\deeZsmq.exe | N/A |
| N/A | N/A | C:\Windows\System\RHXnFcl.exe | N/A |
| N/A | N/A | C:\Windows\System\LRGDCiX.exe | N/A |
| N/A | N/A | C:\Windows\System\PbFpdoM.exe | N/A |
| N/A | N/A | C:\Windows\System\SMsRqgO.exe | N/A |
| N/A | N/A | C:\Windows\System\WHAbgyL.exe | N/A |
| N/A | N/A | C:\Windows\System\DqLAJty.exe | N/A |
| N/A | N/A | C:\Windows\System\kffWXoO.exe | N/A |
| N/A | N/A | C:\Windows\System\XPcOhTf.exe | N/A |
| N/A | N/A | C:\Windows\System\LpGrckF.exe | N/A |
| N/A | N/A | C:\Windows\System\kyCzxXM.exe | N/A |
| N/A | N/A | C:\Windows\System\RGtKvny.exe | N/A |
| N/A | N/A | C:\Windows\System\ysDFWXX.exe | N/A |
| N/A | N/A | C:\Windows\System\zIIUcyY.exe | N/A |
| N/A | N/A | C:\Windows\System\HMrVTRT.exe | N/A |
| N/A | N/A | C:\Windows\System\UaAPqQQ.exe | N/A |
| N/A | N/A | C:\Windows\System\RYIwiOR.exe | N/A |
| N/A | N/A | C:\Windows\System\VvFtaHm.exe | N/A |
| N/A | N/A | C:\Windows\System\QInkysK.exe | N/A |
| N/A | N/A | C:\Windows\System\tyTWUUf.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_f28ebae94ad4d1c576383ef240194436_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ZOSjAds.exe
C:\Windows\System\deeZsmq.exe
C:\Windows\System\RHXnFcl.exe
C:\Windows\System\LRGDCiX.exe
C:\Windows\System\PbFpdoM.exe
C:\Windows\System\SMsRqgO.exe
C:\Windows\System\WHAbgyL.exe
C:\Windows\System\DqLAJty.exe
C:\Windows\System\kffWXoO.exe
C:\Windows\System\XPcOhTf.exe
C:\Windows\System\LpGrckF.exe
C:\Windows\System\kyCzxXM.exe
C:\Windows\System\RGtKvny.exe
C:\Windows\System\ysDFWXX.exe
C:\Windows\System\HMrVTRT.exe
C:\Windows\System\UaAPqQQ.exe
C:\Windows\System\zIIUcyY.exe
C:\Windows\System\RYIwiOR.exe
C:\Windows\System\VvFtaHm.exe
C:\Windows\System\QInkysK.exe
C:\Windows\System\tyTWUUf.exe
Network
Files