Malware Analysis Report

2025-04-19 15:04

Sample ID 240522-zk3f9agb52
Target 2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike
SHA256 abb45d556c049eb62735f5b413c427c261f6caea26aef41bdb0a6699e0e87fd3
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

abb45d556c049eb62735f5b413c427c261f6caea26aef41bdb0a6699e0e87fd3

Threat Level: Known bad

The file 2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

xmrig

XMRig Miner payload

UPX dump on OEP (original entry point)

Xmrig family

Detects Reflective DLL injection artifacts

Cobaltstrike family

Cobalt Strike reflective loader

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 20:47

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 20:47

Reported

2024-05-22 20:50

Platform

win7-20240508-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\CSvRHWv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GNOFWQj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EHmzHxC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kVLcQmU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\orsiCaC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dUThcSH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HfQADJE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CuzcdgM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QeFlYYc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xEUWKqc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\huXBrSN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gAiWIbG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MFYmUVf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EiulBln.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DMRYCvM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NSJhZEs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xucWIbm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pmXFEtO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mIzkjbC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tZdEyNI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JiPbDRs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\CSvRHWv.exe
PID 2108 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\CuzcdgM.exe
PID 2108 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\NSJhZEs.exe
PID 2108 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\MFYmUVf.exe
PID 2108 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\xucWIbm.exe
PID 2108 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\GNOFWQj.exe
PID 2108 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\EHmzHxC.exe
PID 2108 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiulBln.exe
PID 2108 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\QeFlYYc.exe
PID 2108 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\xEUWKqc.exe
PID 2108 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\huXBrSN.exe
PID 2108 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\pmXFEtO.exe
PID 2108 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\kVLcQmU.exe
PID 2108 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\orsiCaC.exe
PID 2108 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\mIzkjbC.exe
PID 2108 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\DMRYCvM.exe
PID 2108 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\dUThcSH.exe
PID 2108 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\tZdEyNI.exe
PID 2108 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\HfQADJE.exe
PID 2108 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\JiPbDRs.exe
PID 2108 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\gAiWIbG.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\CSvRHWv.exe C:\Windows\System\CSvRHWv.exe
C:\Windows\System\CuzcdgM.exe C:\Windows\System\CuzcdgM.exe
C:\Windows\System\NSJhZEs.exe C:\Windows\System\NSJhZEs.exe
C:\Windows\System\MFYmUVf.exe C:\Windows\System\MFYmUVf.exe
C:\Windows\System\xucWIbm.exe C:\Windows\System\xucWIbm.exe
C:\Windows\System\GNOFWQj.exe C:\Windows\System\GNOFWQj.exe
C:\Windows\System\EHmzHxC.exe C:\Windows\System\EHmzHxC.exe
C:\Windows\System\EiulBln.exe C:\Windows\System\EiulBln.exe
C:\Windows\System\QeFlYYc.exe C:\Windows\System\QeFlYYc.exe
C:\Windows\System\xEUWKqc.exe C:\Windows\System\xEUWKqc.exe
C:\Windows\System\huXBrSN.exe C:\Windows\System\huXBrSN.exe
C:\Windows\System\pmXFEtO.exe C:\Windows\System\pmXFEtO.exe
C:\Windows\System\kVLcQmU.exe C:\Windows\System\kVLcQmU.exe
C:\Windows\System\orsiCaC.exe C:\Windows\System\orsiCaC.exe
C:\Windows\System\mIzkjbC.exe C:\Windows\System\mIzkjbC.exe
C:\Windows\System\DMRYCvM.exe C:\Windows\System\DMRYCvM.exe
C:\Windows\System\dUThcSH.exe C:\Windows\System\dUThcSH.exe
C:\Windows\System\tZdEyNI.exe C:\Windows\System\tZdEyNI.exe
C:\Windows\System\HfQADJE.exe C:\Windows\System\HfQADJE.exe
C:\Windows\System\JiPbDRs.exe C:\Windows\System\JiPbDRs.exe
C:\Windows\System\gAiWIbG.exe C:\Windows\System\gAiWIbG.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


C:\Windows\system\EHmzHxC.exe

MD5 5195f0870ca444aba20dbf5bcfaad45b
SHA1 0f0b39ec7840616314f96cf9a23a7993822933c5
SHA256 856f8ce2848f0f3f0d21549a35604924078d4c64cf8173f63615466eab86f2eb
SHA512 4916a9331cd782ab3589fdd41aa74197dd4c50a36a9db176c551df86bd89849e68278501e712c328da933f29c894803332e619c54979c6ebf3ef698cfad39bab

memory/2856-19-0x000000013F620000-0x000000013F971000-memory.dmp

memory/2108-18-0x0000000002280000-0x00000000025D1000-memory.dmp

memory/1700-17-0x000000013F8C0000-0x000000013FC11000-memory.dmp

memory/2108-142-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/2504-151-0x000000013FC00000-0x000000013FF51000-memory.dmp

memory/2496-158-0x000000013F630000-0x000000013F981000-memory.dmp

memory/304-160-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/1324-162-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/2108-165-0x0000000002280000-0x00000000025D1000-memory.dmp

memory/2428-163-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/1440-161-0x000000013F620000-0x000000013F971000-memory.dmp

memory/2820-159-0x000000013FC80000-0x000000013FFD1000-memory.dmp

memory/1920-157-0x000000013F400000-0x000000013F751000-memory.dmp

memory/2392-155-0x000000013F8D0000-0x000000013FC21000-memory.dmp

memory/2624-154-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/2440-164-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2108-166-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/2108-167-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/2108-189-0x000000013F400000-0x000000013F751000-memory.dmp

memory/2856-215-0x000000013F620000-0x000000013F971000-memory.dmp

memory/1700-214-0x000000013F8C0000-0x000000013FC11000-memory.dmp

memory/2700-217-0x000000013F270000-0x000000013F5C1000-memory.dmp

memory/2728-219-0x000000013FB10000-0x000000013FE61000-memory.dmp

memory/2660-221-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2876-223-0x000000013FB60000-0x000000013FEB1000-memory.dmp

memory/2792-234-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2696-243-0x000000013FF30000-0x0000000140281000-memory.dmp

memory/2676-245-0x000000013FFD0000-0x0000000140321000-memory.dmp

memory/2504-247-0x000000013FC00000-0x000000013FF51000-memory.dmp

memory/2624-249-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/2392-251-0x000000013F8D0000-0x000000013FC21000-memory.dmp

memory/1240-253-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/1920-255-0x000000013F400000-0x000000013F751000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 20:47

Reported

2024-05-22 20:50

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nLfjoKu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DnxHQxo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JfsckXg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LoYhGfH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dFDvcyi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VPmgZGK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vSeMODb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pmOeQBg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pmzHMxA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kNVfhwW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rUmchyq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XBUrHZy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YVgTrVM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MroXsQg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iajrRAD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KemHcIR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dmIZkun.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dEWMrij.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pERkvxl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UMgPKYK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sJDrOcn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3200 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\JfsckXg.exe
PID 3200 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\JfsckXg.exe
PID 3200 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\rUmchyq.exe
PID 3200 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\rUmchyq.exe
PID 3200 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\XBUrHZy.exe
PID 3200 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\XBUrHZy.exe
PID 3200 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\UMgPKYK.exe
PID 3200 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\UMgPKYK.exe
PID 3200 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\dEWMrij.exe
PID 3200 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\dEWMrij.exe
PID 3200 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\LoYhGfH.exe
PID 3200 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\LoYhGfH.exe
PID 3200 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\YVgTrVM.exe
PID 3200 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\YVgTrVM.exe
PID 3200 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\pERkvxl.exe
PID 3200 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\pERkvxl.exe
PID 3200 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\MroXsQg.exe
PID 3200 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\MroXsQg.exe
PID 3200 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\dFDvcyi.exe
PID 3200 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\dFDvcyi.exe
PID 3200 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\iajrRAD.exe
PID 3200 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\iajrRAD.exe
PID 3200 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\pmOeQBg.exe
PID 3200 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\pmOeQBg.exe
PID 3200 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\pmzHMxA.exe
PID 3200 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\pmzHMxA.exe
PID 3200 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\sJDrOcn.exe
PID 3200 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\sJDrOcn.exe
PID 3200 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\kNVfhwW.exe
PID 3200 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\kNVfhwW.exe
PID 3200 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VPmgZGK.exe
PID 3200 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VPmgZGK.exe
PID 3200 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\KemHcIR.exe
PID 3200 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\KemHcIR.exe
PID 3200 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\vSeMODb.exe
PID 3200 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\vSeMODb.exe
PID 3200 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\dmIZkun.exe
PID 3200 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\dmIZkun.exe
PID 3200 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\nLfjoKu.exe
PID 3200 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\nLfjoKu.exe
PID 3200 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\DnxHQxo.exe
PID 3200 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe C:\Windows\System\DnxHQxo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\JfsckXg.exe

C:\Windows\System\JfsckXg.exe

C:\Windows\System\rUmchyq.exe

C:\Windows\System\rUmchyq.exe

C:\Windows\System\XBUrHZy.exe

C:\Windows\System\XBUrHZy.exe

C:\Windows\System\UMgPKYK.exe

C:\Windows\System\UMgPKYK.exe

C:\Windows\System\dEWMrij.exe

C:\Windows\System\dEWMrij.exe

C:\Windows\System\LoYhGfH.exe

C:\Windows\System\LoYhGfH.exe

C:\Windows\System\YVgTrVM.exe

C:\Windows\System\YVgTrVM.exe

C:\Windows\System\pERkvxl.exe

C:\Windows\System\pERkvxl.exe

C:\Windows\System\MroXsQg.exe

C:\Windows\System\MroXsQg.exe

C:\Windows\System\dFDvcyi.exe

C:\Windows\System\dFDvcyi.exe

C:\Windows\System\iajrRAD.exe

C:\Windows\System\iajrRAD.exe

C:\Windows\System\pmOeQBg.exe

C:\Windows\System\pmOeQBg.exe

C:\Windows\System\pmzHMxA.exe

C:\Windows\System\pmzHMxA.exe

C:\Windows\System\sJDrOcn.exe

C:\Windows\System\sJDrOcn.exe

C:\Windows\System\kNVfhwW.exe

C:\Windows\System\kNVfhwW.exe

C:\Windows\System\VPmgZGK.exe

C:\Windows\System\VPmgZGK.exe

C:\Windows\System\KemHcIR.exe

C:\Windows\System\KemHcIR.exe

C:\Windows\System\vSeMODb.exe

C:\Windows\System\vSeMODb.exe

C:\Windows\System\dmIZkun.exe

C:\Windows\System\dmIZkun.exe

C:\Windows\System\nLfjoKu.exe

C:\Windows\System\nLfjoKu.exe

C:\Windows\System\DnxHQxo.exe

C:\Windows\System\DnxHQxo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 udp

Files

memory/3200-0-0x00007FF7E7230000-0x00007FF7E7581000-memory.dmp

memory/3200-1-0x000001AA3CAC0000-0x000001AA3CAD0000-memory.dmp

C:\Windows\System\JfsckXg.exe

MD5 14259bf3729c09b816c82b51a0fbfbf1
SHA1 7e9d3688eac7b6432fd68f5f1a2ddb72e9daaf7c
SHA256 8159b95a70b6e2e68612bb2a418b97ea659d8e0a2f26b1e6f2fc723abe95dc30
SHA512 871d5837b75b9fd95be54a93c44d1d2ee71cd29a2ee034817c3357fb700e27ba6d302df3e845c4a05b5c770e2b750d9663664500152f5f605f86c22a4b4a09e3

memory/4000-7-0x00007FF6F0D80000-0x00007FF6F10D1000-memory.dmp

C:\Windows\System\XBUrHZy.exe

MD5 c1ecdde6c9b6be3884c2b78480d3b628
SHA1 951cb33fbb8031b50f884742a3f8b4780b66b696
SHA256 231bb173c66558f0508f23a7ff10ea41e83eb11e0b29809d4fa1cd374c25e496
SHA512 9e11b32b73c9ba91f43935f7376b98c623376e3e7b7a4b63423a6566273f6df31eecf4d751d478f5b1aab7539292de1c5b6673e78d0d555bf457fb21076b661c

memory/3592-14-0x00007FF6F8D90000-0x00007FF6F90E1000-memory.dmp

C:\Windows\System\rUmchyq.exe

MD5 b23363373171e4b30d433a891e900234
SHA1 4bdfccbdb1e7febcf15c9f547ae7cb4992b3d759
SHA256 f45a2e192e242fb8d897ca41a08fc45807e0644dd6fbbae4bf6b8f177811dc90
SHA512 4510a8d2e3fc7a0ccb4471eb23bb2fa9fc02c04a905117b1d9dc8cfaaa4fe8f7ad8cb9da04d1aa11965400be197ddaa1243f30d04616c79309835356d27d53b1

memory/2196-18-0x00007FF72F6A0000-0x00007FF72F9F1000-memory.dmp

C:\Windows\System\UMgPKYK.exe

MD5 56ef7b18695887c0248703bfd01f9c6e
SHA1 e6084d90504508d5448af44cf5b36b96acb8a48e
SHA256 dc6eb9b9065c6c476eab26c15905243b1f090504639653b7e763f31aed709087
SHA512 521d7bec0135806c22f361da746ded485dd2bb028ce6d4fe59ffd8c4466425fc8b6aba09f0c127132e2f02a1b1c5edef23d1950c5b0158ea38b0f3195da78fc1

memory/1880-24-0x00007FF6B6790000-0x00007FF6B6AE1000-memory.dmp

C:\Windows\System\dEWMrij.exe

MD5 c3f72750c34a384ef838a72645a8eca7
SHA1 00eb22fa9684677c30f2ab177f173e33242576d1
SHA256 7ba53ff7d0d641e6360b69f51937b6195046d6bb1281c202cb68ede3a8e652b8
SHA512 84fbf335598a87a71007dfd295a635a019959b8cbcab3f379639d33c73865ba53617dd29ea1432942b143803f28916f9e473bb1dd46ed969c2669f85a8956cff

C:\Windows\System\LoYhGfH.exe

MD5 b48abd456a47a06ea9a6660ef54119a9
SHA1 58945c729e8cb7ed43f504b582b69d6a809bf30a
SHA256 6db6581fc56568c009dca3850ad33b08e104b510126f5fa4ac3eb70c11d88951
SHA512 1c98f693f3dfea915c6e6be361c9b9b93af788c6f377093171cd6407bd10fba2ae06981774c0893d2d50161246714babaddb182de486c11c08eb634c28152cb9

memory/2384-37-0x00007FF6EB980000-0x00007FF6EBCD1000-memory.dmp

memory/912-36-0x00007FF638C40000-0x00007FF638F91000-memory.dmp

C:\Windows\System\YVgTrVM.exe

MD5 d33b550f8319d6c11e0248c2edb56635
SHA1 232b9bf49a95acbb7f2070f1ef545cc32cd29d17
SHA256 93a682aa4c4c3b23203f00ca8793fc997983f07463ad40d1cdb9374fcdbae463
SHA512 9f53547f84c597b49e43845f8fc67711a618dbc83d2621c7e3ff59a60634b339f50e4f292eaf072c7b8d6487fb664e9b29c5b9972b28c06267590a35fccf8b87

memory/4092-44-0x00007FF673BD0000-0x00007FF673F21000-memory.dmp

memory/1232-49-0x00007FF63D020000-0x00007FF63D371000-memory.dmp

memory/3192-56-0x00007FF77C990000-0x00007FF77CCE1000-memory.dmp

C:\Windows\System\dFDvcyi.exe

MD5 1d244fa645cc23bee402599ac70c80d9
SHA1 0deafb2944f7194c20f8224cfa86906053ed2370
SHA256 d394db777575dcc3a5e570a0a5b6bb090b1c91925571a3cee2f8e053db36784c
SHA512 a7126e4795f936c7de6dc938607eaf26a652bfb81d3abc393a8969834fd507a692c70b387db166a87055e09e1f3a2f07de3de81d2b0e8c2b7c929dba1a628dd7

memory/4844-68-0x00007FF765320000-0x00007FF765671000-memory.dmp

memory/4052-71-0x00007FF78DF40000-0x00007FF78E291000-memory.dmp

C:\Windows\System\pmOeQBg.exe

MD5 cb548981c61a404fa382c629a5a027b4
SHA1 14e02d06c28817c95f958631acca1f741643bb19
SHA256 284b7d5b91f3e994a86120dcee673d7f57063809015a0824e11f929e06a1e423
SHA512 7826290ad66c27129540c89446f7b80b73c8e11b172d3d8ba544916d1bfd36674e6bd3133550292496b6102eb14e7476c19564880157f671f5378481281f1b11

memory/3592-75-0x00007FF6F8D90000-0x00007FF6F90E1000-memory.dmp

memory/848-74-0x00007FF754D90000-0x00007FF7550E1000-memory.dmp

memory/4000-73-0x00007FF6F0D80000-0x00007FF6F10D1000-memory.dmp

C:\Windows\System\iajrRAD.exe

MD5 89afa7e718ac47e574b433d6114bcc42
SHA1 394851751969bd925f3fa453daa14c59fbfe72e5
SHA256 ddf8b01b8739e9037b0c3f19d35f6010615370d6b54a7c51ee58c1c03290b94d
SHA512 eeaeade3feb17082e8cb8d034a5cfa207a4646ea149b6d4373b0a030f6c5af1a7dbc57990b8e278fd29658ef376c96eb81306d4ca31b7557fbefac3c62323c38

memory/3200-65-0x00007FF7E7230000-0x00007FF7E7581000-memory.dmp

C:\Windows\System\MroXsQg.exe

MD5 07415ed6173fd38c2248a4738508b1b7
SHA1 56a03d2f59092994a59e2a363495c937bea23e5f
SHA256 39c6ea4e8879e8b39e8282ae5af99931cd6a0860cae3f8e44007185d4c19dae3
SHA512 963883d4051e8be1a8154b1e830cf9b6b874f5f147120408a79d74f4f22a0a45fdd9922d3d6c4c865a0139cf62cff7e547aab5c5b2289a8415dbc1561c0610c8

C:\Windows\System\pERkvxl.exe

MD5 1c3637bc4976eeed1660f782b402184a
SHA1 d14667cb7c77c609a9d207809de873352a3fa662
SHA256 05a6c6cd542df763737719f47104b580e66bb192eb1ab72f30b5014f4c8b352f
SHA512 729f9d96cbbba86e76125563c953082b59b152e15ee19fd2ee69b2ee4c2b1187a2c4d3f114d18e1e1cc4311b6ddba2da50931a85a1238f1a0c10267a0430fdbb

memory/2196-81-0x00007FF72F6A0000-0x00007FF72F9F1000-memory.dmp

C:\Windows\System\pmzHMxA.exe

MD5 5bc1a92a60296174bcdc0c53531c2a67
SHA1 49bea84190892af8e64f640681a4078c76a19ea5
SHA256 7b436eaa88b0059aba6a451ecbc8336ade21cef4499d3d763f33e379e03b8fec
SHA512 dd8c4d615701b131031ecd4d0a0b5dc0b7c8d8ee0b114b5e80cae823c9890454cd8cfa2fac8b415d9120cbfdaa75d56e47377236644665dc512ac3fea161e208

memory/1428-95-0x00007FF6E5270000-0x00007FF6E55C1000-memory.dmp

C:\Windows\System\kNVfhwW.exe

MD5 0b7695a28af95c6fb50b89a2a10d2262
SHA1 46ade0c50a17d5e557f469f52038de152691e6c2
SHA256 dffdc06bb08853b929d7374f32699959d81776e238e5430149f0c4248a160420
SHA512 80525d2eb33d3b90150653a06ffa3c1314b6e0ec1e5976560cc3f1c9aa94a90fdf5faf907c1c0ffad06eae50e5d5b66b4afc3b7ef0b54cc2f0dd15dfb49ab5be

memory/3772-94-0x00007FF765F40000-0x00007FF766291000-memory.dmp

C:\Windows\System\sJDrOcn.exe

MD5 1eda768d9b036f5c95050278dd411bd4
SHA1 5981f511162cb7ebc11e7fe651e47bca3981bd71
SHA256 f3a160a94703dba4d1ca8373959b17b1bb0ea97cde2fab90714d24dbad099333
SHA512 d4847d19ebfc63c81fb93069326daa45fce8798c4c9013cf1ee2ceb199cd73d8043a6381fd1a4ccda479dee566487924bcb7bcb3adb17aa56704dc258418735e

memory/1880-89-0x00007FF6B6790000-0x00007FF6B6AE1000-memory.dmp

memory/4072-84-0x00007FF63BC50000-0x00007FF63BFA1000-memory.dmp

C:\Windows\System\KemHcIR.exe

MD5 96622b51b612ed7699d91d6b89942dc4
SHA1 dbf8ee589d091c91f1f840747d7f587856e37d6a
SHA256 ece758a4e6a136a6d90f0fcf42892da4306b9b0fb4fa79eed73d7bbd862e04d7
SHA512 f6b23a2af5215c7d6b7f7925d38abed6c8c6037a6de3be28f7d794bc0a650f082a85ce2e988aaee95c3cb4e5dc0237418e0c13047101f1dae1e8b97a432b3514

memory/4092-112-0x00007FF673BD0000-0x00007FF673F21000-memory.dmp

C:\Windows\System\dmIZkun.exe

MD5 96019c76d7f9ba8676daed3cd28106b6
SHA1 1dbf651628a6a67865259282b86b5e1a400ea64e
SHA256 348be8e7f2487f76ad3ba6d7738a026c37500d9cb2f4c8ba75d630fc5d43aff3
SHA512 1998c1127d728369a4b50d3240535c11303eaca12c6e06fa297cb310bf9228430cf694a96ee09a5e295419bd681cde3d66f79f40ff86cf0ee174828bff003918

memory/1812-124-0x00007FF6E74E0000-0x00007FF6E7831000-memory.dmp

memory/3192-123-0x00007FF77C990000-0x00007FF77CCE1000-memory.dmp

C:\Windows\System\vSeMODb.exe

MD5 11546ec2076cd88b126f23d213000476
SHA1 b7d818dbd0c4d9ebec066cd4af40856760564ca2
SHA256 8c16b716d55c48119a43e7d79ce8539ae35b303b6bcaf8877b88144317cc63f7
SHA512 a803f3dcf9037e07f4bad291d68bdd8382bc9e2f33c8a3de05439ead57006339962cadb47fbd4bdfd73e750aa12b654ea7c0d199c71ca7959b08f71244b3d4f8

memory/1232-117-0x00007FF63D020000-0x00007FF63D371000-memory.dmp

memory/4312-116-0x00007FF71D450000-0x00007FF71D7A1000-memory.dmp

memory/3028-111-0x00007FF7BBB10000-0x00007FF7BBE61000-memory.dmp

memory/2424-109-0x00007FF6162E0000-0x00007FF616631000-memory.dmp

memory/2384-108-0x00007FF6EB980000-0x00007FF6EBCD1000-memory.dmp

C:\Windows\System\VPmgZGK.exe

MD5 94035829afab5bf4a99414b1ce251005
SHA1 e087d1a7462fe2b2189787c78b64c96efce92f28
SHA256 52042d61cea63e075b25a93f9047f61e49657af93e4d3946422d2da72eb7f0ee
SHA512 74fc9e0711c0da5777bb4a38495bf180cd6e8442dc65a6575b51fdfe4851b542e79cba93c0e5f5fbb77ff5f7b62d2c7a0e48637c776db19e94437d6ff93d50da

C:\Windows\System\nLfjoKu.exe

MD5 06df3866de86d8da9b016acd0d8a06b4
SHA1 a769886b3eaf3a2a7b1480bd0ddd93868eaf3747
SHA256 f451a6694cea1e4f1cfe3bc28db980d1eab1e4324ae6562da0100545ea876fe4
SHA512 4e20856d6b74cc0804bdadc5c9140bc8d223c6e8b9a606d523e88a2a9893076d6daae1c1037a65b1f7690582d6ca1a4b3a3f29dec0a8a10f211d9ea6e3b307b1

C:\Windows\System\DnxHQxo.exe

MD5 8f26e0777168cfdb72c503a0b8dab0c8
SHA1 b956917c1f8951084dc057ae2142fc1b9ed6c061
SHA256 305e57fd8082c442b1b5eff852e7c9c2ed8cce091513a8e98b6382afdad69b71
SHA512 a2903bf8a1cdf69170c3b26bc731409138c41aaef930d9d453aa199948a5c2ad3f039a603c765238e41d3cb1b22db51879573a8ac55e688628b2e5e381c8a0e7

memory/3712-134-0x00007FF6940E0000-0x00007FF694431000-memory.dmp

memory/2288-132-0x00007FF6BD9B0000-0x00007FF6BDD01000-memory.dmp

memory/848-137-0x00007FF754D90000-0x00007FF7550E1000-memory.dmp

memory/3200-138-0x00007FF7E7230000-0x00007FF7E7581000-memory.dmp

memory/3772-147-0x00007FF765F40000-0x00007FF766291000-memory.dmp

memory/4072-146-0x00007FF63BC50000-0x00007FF63BFA1000-memory.dmp

memory/1428-155-0x00007FF6E5270000-0x00007FF6E55C1000-memory.dmp

memory/4312-158-0x00007FF71D450000-0x00007FF71D7A1000-memory.dmp

memory/2288-160-0x00007FF6BD9B0000-0x00007FF6BDD01000-memory.dmp

memory/3712-161-0x00007FF6940E0000-0x00007FF694431000-memory.dmp

memory/3028-157-0x00007FF7BBB10000-0x00007FF7BBE61000-memory.dmp

memory/3200-162-0x00007FF7E7230000-0x00007FF7E7581000-memory.dmp

memory/4000-207-0x00007FF6F0D80000-0x00007FF6F10D1000-memory.dmp

memory/3592-209-0x00007FF6F8D90000-0x00007FF6F90E1000-memory.dmp

memory/2196-211-0x00007FF72F6A0000-0x00007FF72F9F1000-memory.dmp

memory/1880-213-0x00007FF6B6790000-0x00007FF6B6AE1000-memory.dmp

memory/912-215-0x00007FF638C40000-0x00007FF638F91000-memory.dmp

memory/2384-225-0x00007FF6EB980000-0x00007FF6EBCD1000-memory.dmp

memory/4092-228-0x00007FF673BD0000-0x00007FF673F21000-memory.dmp

memory/1232-230-0x00007FF63D020000-0x00007FF63D371000-memory.dmp

memory/3192-232-0x00007FF77C990000-0x00007FF77CCE1000-memory.dmp

memory/4844-234-0x00007FF765320000-0x00007FF765671000-memory.dmp

memory/4052-236-0x00007FF78DF40000-0x00007FF78E291000-memory.dmp

memory/848-238-0x00007FF754D90000-0x00007FF7550E1000-memory.dmp

memory/4072-241-0x00007FF63BC50000-0x00007FF63BFA1000-memory.dmp

memory/3772-242-0x00007FF765F40000-0x00007FF766291000-memory.dmp

memory/1428-244-0x00007FF6E5270000-0x00007FF6E55C1000-memory.dmp

memory/2424-249-0x00007FF6162E0000-0x00007FF616631000-memory.dmp

memory/3028-251-0x00007FF7BBB10000-0x00007FF7BBE61000-memory.dmp

memory/1812-253-0x00007FF6E74E0000-0x00007FF6E7831000-memory.dmp

memory/4312-255-0x00007FF71D450000-0x00007FF71D7A1000-memory.dmp

memory/2288-257-0x00007FF6BD9B0000-0x00007FF6BDD01000-memory.dmp

memory/3712-259-0x00007FF6940E0000-0x00007FF694431000-memory.dmp