Analysis Overview
SHA256
e2963245cac4520d3f0ede59c59224028fb2bc3764d6163ad1db7ef2f4eb10a2
Threat Level: Known bad
The file 2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobaltstrike family
xmrig
Cobalt Strike reflective loader
Xmrig family
Detects Reflective DLL injection artifacts
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-10 04:25
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 04:19
Reported
2024-06-10 04:41
Platform
win7-20240220-en
Max time kernel
133s
Max time network
140s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WnboJVE.exe | N/A |
| N/A | N/A | C:\Windows\System\ZWDvDKi.exe | N/A |
| N/A | N/A | C:\Windows\System\LfTceUM.exe | N/A |
| N/A | N/A | C:\Windows\System\HdxWZol.exe | N/A |
| N/A | N/A | C:\Windows\System\TJyNqjY.exe | N/A |
| N/A | N/A | C:\Windows\System\YlMnsqK.exe | N/A |
| N/A | N/A | C:\Windows\System\CPWnSWj.exe | N/A |
| N/A | N/A | C:\Windows\System\lQScvDL.exe | N/A |
| N/A | N/A | C:\Windows\System\fmhMZcG.exe | N/A |
| N/A | N/A | C:\Windows\System\TwNQPXs.exe | N/A |
| N/A | N/A | C:\Windows\System\mTNlNTG.exe | N/A |
| N/A | N/A | C:\Windows\System\hxzgwTw.exe | N/A |
| N/A | N/A | C:\Windows\System\SlHeanr.exe | N/A |
| N/A | N/A | C:\Windows\System\qjdXgIa.exe | N/A |
| N/A | N/A | C:\Windows\System\GuHQESQ.exe | N/A |
| N/A | N/A | C:\Windows\System\gjXOaPb.exe | N/A |
| N/A | N/A | C:\Windows\System\LERvhzl.exe | N/A |
| N/A | N/A | C:\Windows\System\WnOgAuC.exe | N/A |
| N/A | N/A | C:\Windows\System\BsSCPMu.exe | N/A |
| N/A | N/A | C:\Windows\System\rWOlEYx.exe | N/A |
| N/A | N/A | C:\Windows\System\VlCPDli.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 04:19
Reported
2024-06-10 04:41
Platform
win10v2004-20240226-en
Max time kernel
48s
Max time network
39s
Command Line
Signatures
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qhQkISL.exe | N/A |
| N/A | N/A | C:\Windows\System\cfRKQxU.exe | N/A |
| N/A | N/A | C:\Windows\System\wiyGNnn.exe | N/A |
| N/A | N/A | C:\Windows\System\fsbpvGS.exe | N/A |
| N/A | N/A | C:\Windows\System\TnYaGMI.exe | N/A |
| N/A | N/A | C:\Windows\System\uNnSgcg.exe | N/A |
| N/A | N/A | C:\Windows\System\CFxgWxP.exe | N/A |
| N/A | N/A | C:\Windows\System\BXqUtoz.exe | N/A |
| N/A | N/A | C:\Windows\System\jgyPSvK.exe | N/A |
| N/A | N/A | C:\Windows\System\KHFgKxB.exe | N/A |
| N/A | N/A | C:\Windows\System\YCxNDZb.exe | N/A |
| N/A | N/A | C:\Windows\System\ZqZLwBD.exe | N/A |
| N/A | N/A | C:\Windows\System\xjIEzca.exe | N/A |
| N/A | N/A | C:\Windows\System\wfSzReg.exe | N/A |
| N/A | N/A | C:\Windows\System\kHDlzuz.exe | N/A |
| N/A | N/A | C:\Windows\System\qtqDpLc.exe | N/A |
| N/A | N/A | C:\Windows\System\zQQVZfZ.exe | N/A |
| N/A | N/A | C:\Windows\System\WZavFfA.exe | N/A |
| N/A | N/A | C:\Windows\System\gVLajcJ.exe | N/A |
| N/A | N/A | C:\Windows\System\WwJAbLS.exe | N/A |
| N/A | N/A | C:\Windows\System\eGxhhrw.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_393b9c2df80caf08f819cbaf67025d08_cobalt-strike_cobaltstrike.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 13.107.253.64:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files