Malware Analysis Report

2025-04-19 15:17

Sample ID 240522-ztkykagd7z
Target 2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike
SHA256 5b8a1fc382326095c107e2f370c775fa125f4a61bd2b7582273eeb9ebcc1d8ff
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b8a1fc382326095c107e2f370c775fa125f4a61bd2b7582273eeb9ebcc1d8ff

Threat Level: Known bad

The file 2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike family

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Cobaltstrike

xmrig

Xmrig family

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 21:00

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 21:00

Reported

2024-05-22 21:03

Platform

win7-20240221-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 rows, every field N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 rows, every field N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(64 rows, every field N/A)

XMRig Miner payload

miner
Description Indicator Process Target
(42 rows, every field N/A)

Loads dropped DLL

Description Indicator Process Target
(21 rows; Process is C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe in every row; Description, Indicator and Target N/A, so the loaded DLL names were not recorded)

UPX packed file

upx
Description Indicator Process Target
(64 rows, every field N/A)

Drops file in Windows directory

All 21 files are written to C:\Windows\System\, a directory a standard user cannot write to, so the sample ran with elevated rights in the sandbox. Every name is seven mixed-case letters plus .exe, and each dropped file listed in the Files section below carries a different hash, so the path and naming pattern are a more durable indicator than any single file hash.

Description Indicator Process Target
File created C:\Windows\System\StxoDWX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MGCctXO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wYNlGCt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ONbrEcr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GIxwDza.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lIzyTVc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rUXJoor.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NKFJXOZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AstbRzv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vcSrlzD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BVjoqgz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VIIwkya.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oEiFSsy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OiQoBPk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wktvGkY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KxEcXvV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\luckzOQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yTHvoVG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DixyUJh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\staLZpx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iGASQkH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

SeLockMemoryPrivilege ("Lock pages in memory") is the privilege XMRig enables so it can back its RandomX dataset with large pages. It is consistent with the miner payload and is not by itself evidence of token theft or privilege escalation.

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Each row below was recorded three times in the original table; the count is given in the Description. Every destination is a child that PID 2188 spawned from a file it had just dropped, and a small burst of writes into a freshly created child is consistent with the writes CreateProcess makes while setting up the new process. This signature therefore reflects the drop-and-execute loop rather than injection into an unrelated process; the reflective-loader artifacts flagged in the static analysis are a separate finding.

Description Indicator Process Target
PID 2188 wrote to memory of 1740 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\lIzyTVc.exe
PID 2188 wrote to memory of 2612 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\rUXJoor.exe
PID 2188 wrote to memory of 2556 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\KxEcXvV.exe
PID 2188 wrote to memory of 2628 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NKFJXOZ.exe
PID 2188 wrote to memory of 2648 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\StxoDWX.exe
PID 2188 wrote to memory of 2844 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\AstbRzv.exe
PID 2188 wrote to memory of 2840 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\MGCctXO.exe
PID 2188 wrote to memory of 2564 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\luckzOQ.exe
PID 2188 wrote to memory of 2424 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\VIIwkya.exe
PID 2188 wrote to memory of 2500 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\yTHvoVG.exe
PID 2188 wrote to memory of 2132 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\DixyUJh.exe
PID 2188 wrote to memory of 2244 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\vcSrlzD.exe
PID 2188 wrote to memory of 2820 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\oEiFSsy.exe
PID 2188 wrote to memory of 2980 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\staLZpx.exe
PID 2188 wrote to memory of 2984 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BVjoqgz.exe
PID 2188 wrote to memory of 2412 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\GIxwDza.exe
PID 2188 wrote to memory of 1724 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\OiQoBPk.exe
PID 2188 wrote to memory of 2668 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\wktvGkY.exe
PID 2188 wrote to memory of 1564 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\wYNlGCt.exe
PID 2188 wrote to memory of 1532 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\iGASQkH.exe
PID 2188 wrote to memory of 320 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ONbrEcr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe (PID 2188)

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe"

Children of PID 2188 (PIDs taken from the WriteProcessMemory table above; each child's command line is its own path with no arguments):

C:\Windows\System\lIzyTVc.exe (PID 1740)
C:\Windows\System\rUXJoor.exe (PID 2612)
C:\Windows\System\KxEcXvV.exe (PID 2556)
C:\Windows\System\NKFJXOZ.exe (PID 2628)
C:\Windows\System\StxoDWX.exe (PID 2648)
C:\Windows\System\AstbRzv.exe (PID 2844)
C:\Windows\System\MGCctXO.exe (PID 2840)
C:\Windows\System\luckzOQ.exe (PID 2564)
C:\Windows\System\VIIwkya.exe (PID 2424)
C:\Windows\System\yTHvoVG.exe (PID 2500)
C:\Windows\System\DixyUJh.exe (PID 2132)
C:\Windows\System\vcSrlzD.exe (PID 2244)
C:\Windows\System\oEiFSsy.exe (PID 2820)
C:\Windows\System\staLZpx.exe (PID 2980)
C:\Windows\System\BVjoqgz.exe (PID 2984)
C:\Windows\System\GIxwDza.exe (PID 2412)
C:\Windows\System\OiQoBPk.exe (PID 1724)
C:\Windows\System\wktvGkY.exe (PID 2668)
C:\Windows\System\wYNlGCt.exe (PID 1564)
C:\Windows\System\iGASQkH.exe (PID 1532)
C:\Windows\System\ONbrEcr.exe (PID 320)

Network

Country Destination Domain Proto Count
DE 3.120.209.58:8080 N/A tcp 6

No domain was resolved for the destination. 3.120.0.0/14 is an Amazon AWS range (eu-central-1, Frankfurt), so the host is a cloud instance whose address can be reassigned; treat the IP:port pair as a dated indicator rather than a durable one.
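The Python script below is an added example for this report; it is not part of the sandbox output or of the sample. It parses rows in the format of the "Drops file in Windows directory", "Suspicious use of WriteProcessMemory" and Network tables above, rebuilds which child each write went to, and separates spawn-time writes into a child the parent itself dropped from writes into any other process. The sample rows are copied from this report except for one constructed row (PID 4040, explorer.exe) that does not appear in the report and exists only to exercise the injection branch; the function names, the 3-write cap and the seven-letter filename pattern are this example's own assumptions.

```python
import re
from collections import Counter

# Parent process from the behavioral1 command line above (no spaces in the path,
# which the \S+ patterns below rely on).
PARENT = (
    r"C:\Users\Admin\AppData\Local\Temp"
    r"\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe"
)

# Constructed sample input: rows copied from the behavioral1 tables, plus one
# made-up row (PID 4040 / explorer.exe) that is NOT in the report and exists
# only to exercise the injection branch of classify_writes().
DROP_ROWS = [
    f"File created C:\\Windows\\System\\lIzyTVc.exe {PARENT} N/A",
    f"File created C:\\Windows\\System\\rUXJoor.exe {PARENT} N/A",
    f"File created C:\\Windows\\System\\KxEcXvV.exe {PARENT} N/A",
]
WPM_ROWS = (
    [f"PID 2188 wrote to memory of 1740 N/A {PARENT} C:\\Windows\\System\\lIzyTVc.exe"] * 3
    + [f"PID 2188 wrote to memory of 2612 N/A {PARENT} C:\\Windows\\System\\rUXJoor.exe"] * 3
    + [f"PID 2188 wrote to memory of 2556 N/A {PARENT} C:\\Windows\\System\\KxEcXvV.exe"] * 3
    + [f"PID 2188 wrote to memory of 4040 N/A {PARENT} C:\\Windows\\explorer.exe"]  # constructed
)
NET_ROWS = ["DE 3.120.209.58:8080 tcp"] * 6

DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) \S+$")
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<proc>\S+) (?P<target>\S+)$"
)
NET_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$")
# Seven mixed-case letters plus .exe: the naming pattern of every drop in this report.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")


def parse_drops(rows):
    """Map dropped path -> dropping process for 'File created' rows."""
    dropped = {}
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            dropped[m["path"]] = m["proc"]
    return dropped


def parse_writes(rows):
    """Count WriteProcessMemory rows per (source pid, destination pid, target image)."""
    counts = Counter()
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            counts[(int(m["src"]), int(m["dst"]), m["target"])] += 1
    return counts


def classify_writes(writes, dropped, max_spawn_writes=3):
    """Separate spawn-time writes from cross-process writes.

    Starting a child with CreateProcess makes the parent write into the new
    process (process parameters, PEB fix-ups) before the child runs, and the
    sandbox logs those calls as WriteProcessMemory. A few writes into an image
    the same parent just dropped are therefore labelled spawn-noise; any other
    destination is a possible injection whose memory should be dumped.
    max_spawn_writes=3 is an assumption taken from this report's row counts.
    """
    verdicts = {}
    for (src, dst, target), n in writes.items():
        spawn_noise = target in dropped and n <= max_spawn_writes
        verdicts[(src, dst)] = {
            "target": target,
            "writes": n,
            "verdict": "spawn-noise" if spawn_noise else "possible-injection",
            "random_name": bool(RANDOM_NAME_RE.match(target.rsplit("\\", 1)[-1])),
        }
    return verdicts


def summarize_network(rows):
    """Collapse repeated connection rows into (ip, port, proto) -> count."""
    conns = Counter()
    for row in rows:
        m = NET_RE.match(row)
        if m:
            conns[(m["ip"], int(m["port"]), m["proto"])] += 1
    return conns


if __name__ == "__main__":
    verdicts = classify_writes(parse_writes(WPM_ROWS), parse_drops(DROP_ROWS))
    for (src, dst), info in sorted(verdicts.items()):
        print(f"{src} -> {dst}: {info['verdict']:18} writes={info['writes']} {info['target']}")
    for (ip, port, proto), n in summarize_network(NET_ROWS).items():
        print(f"C2 candidate {ip}:{port}/{proto} seen {n} times")
```

Run against the full tables, every one of the 21 real destinations is classified as spawn-noise with a random seven-letter name, and only the constructed explorer.exe row is flagged, which is the distinction a responder needs before spending time on memory dumps of the children.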

Files

rUXJoor.exe and ONbrEcr.exe each appear twice below with different hashes (once as \Windows\system\... and once as C:\Windows\system\...), so two distinct contents were observed at the same path during the run; keep both hash sets as indicators.

memory/2188-0-0x000000013F460000-0x000000013F7B1000-memory.dmp

memory/2188-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\lIzyTVc.exe

MD5 3f06e9aa3ae1a79ab4e0a06f685a8bf4
SHA1 031aeec050a80542e3feb5fb7aea747268f549ed
SHA256 cb97f58bbd004ef6b0405bff24d03a3c6d25bc3df8ff0e42ea3d85f7922fff08
SHA512 5d22a31df1f3e9530b9081e8e4ca33377f7ec02a4a7da9c07bacec953a7642ec82dcbfa45c5e8e89fe7b945e0737b0c0158e98d89d286f8cb219fd6d66e13284

C:\Windows\system\rUXJoor.exe

MD5 35d4b9b40e9b95b4a75dec06c4c6f979
SHA1 0b088ae4df4f56a63f25ba22b7e936e89c483dcb
SHA256 a2e35e125d8ab4763501772c6c07ab280e15f436019dc190dfa4cb55de62bc7e
SHA512 56c93fd59bffe6df5a120e950c179eec9dfb3eaf7c3f2e9804dbd4886aee0b0f3a2ad0227feedbd311243dfffa198f082d84fd5e6761249fd05b31e51ba2784b

memory/1740-12-0x000000013F870000-0x000000013FBC1000-memory.dmp

memory/2612-14-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2188-9-0x000000013F870000-0x000000013FBC1000-memory.dmp

\Windows\system\rUXJoor.exe

MD5 c2bb444f676e8f14bf0054f9cdac9830
SHA1 f186f8dc1d8e141ae2c13d699d202e974c7148d5
SHA256 c4943b864fc590ea5275ce80b61f7e085fce9193cf8dd07d382c550edce91343
SHA512 d1e012b03557de70d6407a01e686c558083dfbff8d8cfa523655789ca139c1dda2ee6c2bd7deca2d4f28bd347b2b59d6e37424cf93b27a46723ef7b4e7b93ffb

C:\Windows\system\KxEcXvV.exe

MD5 ebcd1db895d26320d96c796c3cd2574e
SHA1 5c6dfa4e7590f37a0f19f8f62ac3c00b2ad72586
SHA256 53f6c580b45cdb45f748912912664a48f68bbe25c5580644faade964da3904b6
SHA512 95b662116ead28407f8d76791921ddc981d81fdfe52b67aeab333cb8b677aec8ec864beaf690c8415abcaac902e28480cf7bdc2423004ca8ae84da6eaef09f43

\Windows\system\MGCctXO.exe

MD5 76fa58337d1c23881d8c866491b6cab8
SHA1 c00139d85150fb18ba9438c34e76852e65d9db23
SHA256 cacf9a31230f5d5282f14c9ec6d20531f1555ae8075cbe0d1cb12cbaa4aa97a1
SHA512 c89f3fe3425c6b00edf50eb8ed16aeb0243b129458f0c84093e80955347a6001fb88622aaa23a2daedef2d7d566a3f23e947ffd2fb9356f58537f85d86a3a1dd

memory/2188-29-0x000000013F850000-0x000000013FBA1000-memory.dmp

\Windows\system\AstbRzv.exe

MD5 a4b5fc4a9834fcd3151c69a393925610
SHA1 9a625e9edaf2b5c3912fc5295a1551c41f589a4c
SHA256 4cb1f53454e84c34cdf733ae502d41ddba9a18cf6781713b9c39216ae0e03731
SHA512 2110fbe205faddebec56e46ef870a7c78ea5e3f94b53c2d5f7a51ee2978d1a27de0619cff8c71f076be2c5706b34b0ed1bd6f0631430c7d95053ca1c3382eb9a

C:\Windows\system\luckzOQ.exe

MD5 84e797f18419d093ae7c892e22f91c59
SHA1 19336b2547a41815486efd848b35a2a16174270d
SHA256 ca95c67af76b708a4cc78b209c2b95a097edb2a5fb53cf5322cb7d305f10cbb4
SHA512 39a277eb285b1ab8dc5a5037da9024607dc1dd4e0b593f20ca2e99fe65858f355837be320017cde22603da2823117d694d54ace694c838d25d794695617dc007

memory/2564-51-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2188-50-0x0000000002340000-0x0000000002691000-memory.dmp

memory/2424-60-0x000000013F470000-0x000000013F7C1000-memory.dmp

C:\Windows\system\yTHvoVG.exe

MD5 e8329153b5bbfec881b183d0b4c94cda
SHA1 034c52610b5b530443d07d3756eb284141406573
SHA256 bd857b50a541412a5c3da65ccb1fc2150a9095ab63d04307769475a46e467292
SHA512 6f9614e951a4884e84fc187d8edd8763fe1cd834180c7b4be532ad8c28944726932130349ea924c7720768793a3a32fae355259c17003b84834bffffecbd1dbe

memory/2244-84-0x000000013F420000-0x000000013F771000-memory.dmp

C:\Windows\system\oEiFSsy.exe

MD5 6776a0d1d10efe8dce91d3f27f2e0310
SHA1 2dad4cbe8909481854f0bed30332ba5f8a7cc355
SHA256 67cc4d6beb0dc82a80e794987fa0ff2735fce917a533fa858292db77cb9a385b
SHA512 2f2f72463a204f13941aa1f0e349217e59fc7eaf8315926122ec6656b1a250ddf2591a264c534c8d2a6dc2fb7ff8e3c1e7f4ea949c0ca225e5a45e627ae5766d

memory/2980-96-0x000000013F6B0000-0x000000013FA01000-memory.dmp

C:\Windows\system\BVjoqgz.exe

MD5 93fee0215babe824b3d40272a4480973
SHA1 6a4a3463f1c53ad8082e41bcf610b86247fab0b2
SHA256 57d150dec92d0ceb189945bd059399b8c8fe000ac4413b1848d4ee5fbc3bed17
SHA512 708714a836f355e2fcd6c515c126cc3c9eb4617fe176c78dc2857376cf6604df8d82412b61bf04e244f00aa8077e7a92f5b4af34bfc7635b949e9ae874ba7346

C:\Windows\system\ONbrEcr.exe

MD5 955e931a7b1a063c8f17207185298676
SHA1 976e53897cd615ac1aed196bdcb6d9e742946954
SHA256 3a88126fd591175cd9ccc6eebf46dad6be4410954fbf47fc3a8bb076d5220c9a
SHA512 7d75c9f3400ba9d6ddd982ad00cc19ace9f4c9a91029495951b09da1e8ea0ac363b2196ffc6bc9a9df48a6cb5fd04cc59bc44349922f05267cc96d055c1c8421

\Windows\system\ONbrEcr.exe

MD5 4892d49c14a7e283153698e747ec87c9
SHA1 7822c69037298ccf4e2cd90381d1446721619c85
SHA256 1bbf7ec7dfa34b0d40895a909b82a3a5ff0e7309cdbaab86e0d5c97264357e18
SHA512 822125c120a17f4b7f203a570ed240a57e897b4dcce83658630a5c0833b272b84d104098adb903387f380218356f2efbba086a67aa762dbec174f6c315eb4502

C:\Windows\system\iGASQkH.exe

MD5 d409f97db526c9603af9f92e58824084
SHA1 4ba5155030424571b0d17ef77be2d6e82e93e1e0
SHA256 be6ae5a5213ce60518d3ccaea59a24ec7e847bcfb38529d4998f9796d0175771
SHA512 da3ec35a0491e51d1a8064eb20c56ccb919308f79eb44a93b2a68f34dfdb6ff44ae43d2bffe48aa0f1a5a7170bcccb44dab267d4b98028dcfd3f03fb78738d12

C:\Windows\system\wYNlGCt.exe

MD5 eb1c1412c1d57196f97314fe6b21ac67
SHA1 ad3ac31326533b6f768755602ff34fb19574fe94
SHA256 b468939f1efa308584724a62566e34bacb33ba6c2dcabd68e91055b0db5e73ea
SHA512 5d983ac76119d4125787c86e210faf33ee09a86b58768c8a3a6ece559b4be79dc79f205e47241891cd60c33cee5525ee209afc7e41860b43a73e77270ec71add

C:\Windows\system\OiQoBPk.exe

MD5 6607cf3edc67fa769712afa7ef7fb76d
SHA1 e071b6ae7aeee32ff31a03175cd8d64571e4b3ab
SHA256 eb38813be7f9c69ac2e17916e20f6f88116e782715219a412b3e6d95721d5ab7
SHA512 2c3e481bac2ec8f4a6ed3e3d40b0569a2e77bdf3a7d67dc5f32f776d603faca9a062289cb564b5aee8691e41803a352cca0bf061ad4d542966519f60a1f1df53

C:\Windows\system\wktvGkY.exe

MD5 1c4a38b1e11c58bf312f4b6017b881b0
SHA1 da9610e812771c473e912bc64f34f95313c5eb19
SHA256 fdba64f2d1239a918f4b8545f5b35741c8c3bceeb5df9809eb85b657eda14ff3
SHA512 8642494064f90ea517f7c87a7bb9633d9e2eea696f47f695f701cbd6421e8ea663a6143725b21a589dd8c84db9e53a42eef27605d4f28d0a24d064f80b44bc81

memory/2844-103-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/2648-102-0x000000013F850000-0x000000013FBA1000-memory.dmp

C:\Windows\system\GIxwDza.exe

MD5 cdbba0fcc8c57092489f1e80557d5a9d
SHA1 8e4c3646d7044e7504afed406d8ef667957ecff1
SHA256 46ec73079b929b6c0d592344a1f0aef5ed9099633c89b11471e6c15fddd0a84b
SHA512 c51bffc90f0602310345662ea6e3e2635ce9a05cd33be93d9d4cb4f26d74a8ff05f970cd69861a9230d3a9e357b5b6fef220ee67d60fb1fd2cec1110a26d605a

memory/2820-89-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/2188-95-0x0000000002340000-0x0000000002691000-memory.dmp

C:\Windows\system\staLZpx.exe

MD5 642f3c53569a198c7eebcc3ecaffa0a4
SHA1 da6b3a449a311b85ba7c7980921ffbee6114b90f
SHA256 671b9d87596dfe18ba9f75f3c0017b5386aa041501e0b982c3214dd3ed95fd93
SHA512 c8f573471ec921b868a2a088b4c2e2dff6b2f3dde761e60b1e6390da7f0271b68cb161d075a9679e2f88b24baa91ad3d959d9589a419848f9eb829a166ed36dc

memory/2188-83-0x0000000002340000-0x0000000002691000-memory.dmp

memory/2628-135-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/2132-77-0x000000013F8B0000-0x000000013FC01000-memory.dmp

memory/2188-76-0x000000013F8B0000-0x000000013FC01000-memory.dmp

C:\Windows\system\vcSrlzD.exe

MD5 cfc8242234d7a1f7415bc3389f26ced6
SHA1 6eb920d0255e418d5c2752ed74e06469254a1dd3
SHA256 f3f8cd65374e007a473c892276008fe5ef25bf03f61c21ac8f843baffdd95705
SHA512 22cb451acb83eea4efe287466eaf16c514269845f21b7fc5b0bc5383d7679db358736684325d7a3e72ed3de139c650e19324898fd744813562c5b4c45fe0efe8

C:\Windows\system\DixyUJh.exe

MD5 0a10b84e3af08499405bb7b7e2f422de
SHA1 c1585e3e36234afd2bfb0cf14f13de2c5045dae5
SHA256 8f2b9ad16ac6875d7c9823b8a18647f632af863a9be30a778b6c7f62b0076960
SHA512 581c09e3790b2d2810c0fa6fcdf0e5635a5aa24d65b485ae60af96c431b141df252831d39882ef616b9b91793f185396c68ba8f69466e6d9569df4b11b82a6cd

memory/2500-69-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2188-68-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2556-67-0x000000013FB20000-0x000000013FE71000-memory.dmp

memory/2188-59-0x0000000002340000-0x0000000002691000-memory.dmp

memory/2612-58-0x000000013F060000-0x000000013F3B1000-memory.dmp

C:\Windows\system\VIIwkya.exe

MD5 9ca5093d74a540271f7c622227ac1e30
SHA1 c9447b5865d4ccd6dad3d1233ff544f89b192017
SHA256 b2d48cc4af72b721b530fe39feb50d27ccde0f0a3bd23852064bfe0f827e9e44
SHA512 7891da9aaa7506cc98541a506664f8ce7821c57bc4a841f6c7dad57d4027f8ca99495ef963c3dbe2c19d45178d0de86b33d22f99d62982c4d4c03221b54af9ba

memory/2840-45-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/1740-43-0x000000013F870000-0x000000013FBC1000-memory.dmp

memory/2844-42-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/2628-40-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/2188-39-0x000000013F460000-0x000000013F7B1000-memory.dmp

C:\Windows\system\NKFJXOZ.exe

MD5 1fca5c4c86e3159344efa30af95d388f
SHA1 5bbb3a754fa1af9c202fc58ddb46db247df44d98
SHA256 38401ad31139ce7dcf623e1a64908301b960e16c6bd42ee14491a5f8f70199a5
SHA512 3ad928fd77b8823136e5ba09c2b9a9d3b1d5c97ebf8d79eafa8999f4a71faf7746d3d342cbb1c107807506c8d5306ac4dbdd593ba2658294b373450edf8cddf6

memory/2648-36-0x000000013F850000-0x000000013FBA1000-memory.dmp

C:\Windows\system\StxoDWX.exe

MD5 15781732e0bf4031f1f68f4d0bc62884
SHA1 403643fca0742c7337572f095438b369bf02e5ad
SHA256 b2f21e6fac00a02df5e38a9f38dff4141c18ad48acc38a5ec9330b1a0dd9dd8c
SHA512 a499b20e3de724b8b81880d773cd4b030e05b8df65dc7f4892ccd5f8bffaf3ab341e1eed92821607cb6e0343968931658036bed4ffaf3a95f8c93d1a565041bb

\Windows\system\NKFJXOZ.exe (same file name as the C:\Windows\system\NKFJXOZ.exe entry above, but a different hash set: the sandbox captured two distinct contents under this path)

MD5 3ce9749ea53894c34a3ae883115050fb
SHA1 1fa4d482aefeac734d83dc415eeb52babb172a9a
SHA256 df9d41c3ecfdd6bb4a531f6598558eba12e78b3c0228053bf8eaa6f6c5f5d243
SHA512 edc47c56d4dcc3c6a6cb72ce026311824ed27c1be830d8bb4acb030204103aadfe8daf4e432b8a487cb02ee07445a65e7986d93d091bccf131199e81b050d992

memory/2556-25-0x000000013FB20000-0x000000013FE71000-memory.dmp

\Windows\system\StxoDWX.exe (same file name as the C:\Windows\system\StxoDWX.exe entry above, but a different hash set: two distinct contents were captured under this path)

MD5 d7aa29a8c584e0e8f031524c439fc589
SHA1 6a193ff1da239340c85e04c1a00a08fe211016a4
SHA256 938332d961abf52508483b8bf974e327e8109b945c60338c99150a48331e0536
SHA512 8b76323cf878b347746238d181d16e2f00a360e539e39d04be7ce32ecd9f203516de6c90b862f4a5c7c221e12f89756344802789ad4a0ab26dd621edeaf1d681

memory/2564-137-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2188-136-0x0000000002340000-0x0000000002691000-memory.dmp

memory/2188-138-0x000000013F460000-0x000000013F7B1000-memory.dmp

memory/2500-148-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2424-149-0x000000013F470000-0x000000013F7C1000-memory.dmp

memory/1564-158-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/320-160-0x000000013F7E0000-0x000000013FB31000-memory.dmp

memory/2188-161-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/1532-159-0x000000013F9B0000-0x000000013FD01000-memory.dmp

memory/2668-157-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/2412-155-0x000000013F460000-0x000000013F7B1000-memory.dmp

memory/2984-154-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/1724-156-0x000000013FB40000-0x000000013FE91000-memory.dmp

memory/2980-153-0x000000013F6B0000-0x000000013FA01000-memory.dmp

memory/2820-152-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/2188-162-0x000000013F8B0000-0x000000013FC01000-memory.dmp

memory/2188-163-0x000000013F460000-0x000000013F7B1000-memory.dmp

memory/2188-171-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/2188-186-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/1740-210-0x000000013F870000-0x000000013FBC1000-memory.dmp

memory/2556-212-0x000000013FB20000-0x000000013FE71000-memory.dmp

memory/2648-214-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/2840-216-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/2612-218-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2844-220-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/2628-222-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/2424-224-0x000000013F470000-0x000000013F7C1000-memory.dmp

memory/2132-242-0x000000013F8B0000-0x000000013FC01000-memory.dmp

memory/2500-240-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2244-244-0x000000013F420000-0x000000013F771000-memory.dmp

memory/2820-246-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/2980-248-0x000000013F6B0000-0x000000013FA01000-memory.dmp

memory/2564-257-0x000000013F3F0000-0x000000013F741000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 21:00

Reported

2024-05-22 21:03

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches reported, each with Description, Indicator, Process and Target set to N/A (the sandbox exposes no per-match detail for this rule)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches reported, each with Description, Indicator, Process and Target set to N/A (the sandbox exposes no per-match detail for this rule)

UPX dump on OEP (original entry point)

Description Indicator Process Target
64 matches reported, each with Description, Indicator, Process and Target set to N/A (the sandbox exposes no per-match detail for this rule)

XMRig Miner payload

miner
Description Indicator Process Target
45 matches reported, each with Description, Indicator, Process and Target set to N/A (the sandbox exposes no per-match detail for this rule)

UPX packed file

upx
Description Indicator Process Target
64 matches reported, each with Description, Indicator, Process and Target set to N/A (the sandbox exposes no per-match detail for this rule)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\xkRrvYf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\znOnyLK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nCbyCnn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CdFrBhF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gOJZhWm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vBWJFRN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pwKtynM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yhDFXtw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CzMYPbc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TNSoToC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XleJmEC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qbOoDRj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KnrouMu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TfQYDgY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\msqnfRd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iffTBvj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CKItioc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PnVgTKj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CxHqvZX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DTTUwRa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bFVxGdS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A

Note: all 21 drops go to C:\Windows\System\ (the near-empty legacy directory, not System32), a location a standard, non-elevated user cannot write to, and every name is seven random mixed-case ASCII letters plus .exe. Any new executable appearing in that directory is worth an alert on its own; the random-name pattern makes the rule precise.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe N/A

Note: SeLockMemoryPrivilege ("Lock pages in memory") is the right a process needs to allocate large pages with MEM_LARGE_PAGES. XMRig enables it to back its mining memory with huge pages, so an unsigned binary in a user temp path adjusting its token for this privilege is a strong miner indicator even before the payload is identified; ordinary desktop software almost never asks for it.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4972 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\iffTBvj.exe
PID 4972 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\iffTBvj.exe
PID 4972 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\XleJmEC.exe
PID 4972 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\XleJmEC.exe
PID 4972 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\bFVxGdS.exe
PID 4972 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\bFVxGdS.exe
PID 4972 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\nCbyCnn.exe
PID 4972 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\nCbyCnn.exe
PID 4972 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CKItioc.exe
PID 4972 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CKItioc.exe
PID 4972 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\qbOoDRj.exe
PID 4972 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\qbOoDRj.exe
PID 4972 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CdFrBhF.exe
PID 4972 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CdFrBhF.exe
PID 4972 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\KnrouMu.exe
PID 4972 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\KnrouMu.exe
PID 4972 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TfQYDgY.exe
PID 4972 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TfQYDgY.exe
PID 4972 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\msqnfRd.exe
PID 4972 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\msqnfRd.exe
PID 4972 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\gOJZhWm.exe
PID 4972 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\gOJZhWm.exe
PID 4972 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\vBWJFRN.exe
PID 4972 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\vBWJFRN.exe
PID 4972 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\pwKtynM.exe
PID 4972 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\pwKtynM.exe
PID 4972 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\PnVgTKj.exe
PID 4972 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\PnVgTKj.exe
PID 4972 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CxHqvZX.exe
PID 4972 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CxHqvZX.exe
PID 4972 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\xkRrvYf.exe
PID 4972 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\xkRrvYf.exe
PID 4972 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\yhDFXtw.exe
PID 4972 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\yhDFXtw.exe
PID 4972 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\znOnyLK.exe
PID 4972 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\znOnyLK.exe
PID 4972 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CzMYPbc.exe
PID 4972 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CzMYPbc.exe
PID 4972 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TNSoToC.exe
PID 4972 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TNSoToC.exe
PID 4972 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\DTTUwRa.exe
PID 4972 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe C:\Windows\System\DTTUwRa.exe

Note: every target here is one of the 21 dropped executables, and each is written to exactly twice by the parent PID 4972, which is typically the footprint CreateProcess itself leaves when a parent starts a child rather than evidence of code injection into that child. The table therefore documents the process tree (dropper -> 21 children); the in-memory evidence comes from the reflective-loader and XMRig signatures above.
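The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables together describe one behaviour: a process writes random-named executables into C:\Windows\System\ and then starts them. The following is an added detection example, not sandbox tooling or code from the sample's analysis. It works over constructed events in a reduced Sysmon shape (event 11 = FileCreate, event 1 = ProcessCreate); the paths and PIDs are the report's, the timestamps and the two benign noise events are invented for the example.

```python
"""Drop-then-execute detector for C:\\Windows\\System\\<random>.exe.

Added example, not sandbox tooling. Input is a constructed, reduced Sysmon
event list: id 11 = FileCreate, id 1 = ProcessCreate.
"""
import re
from collections import defaultdict
from datetime import datetime

LEGACY_SYSTEM_DIR = "c:\\windows\\system\\"   # legacy 16-bit dir, not System32
# exactly seven ASCII letters containing both cases, as every drop in the report does
RANDOM_EXE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{7}\.exe$")
EXEC_WINDOW_S = 60          # a drop executed within this window is an alert
MASS_DROP_THRESHOLD = 3     # this many random drops from one PID alerts on its own

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe")

# Constructed events: PIDs and paths from the report, timestamps invented.
SAMPLE_EVENTS = [
    {"id": 11, "time": "2024-05-22 21:00:10", "pid": 4972, "image": DROPPER,
     "target": r"C:\Windows\System\iffTBvj.exe"},
    {"id": 1, "time": "2024-05-22 21:00:11", "pid": 2540, "ppid": 4972,
     "image": r"C:\Windows\System\iffTBvj.exe"},
    {"id": 11, "time": "2024-05-22 21:00:12", "pid": 4972, "image": DROPPER,
     "target": r"C:\Windows\System\XleJmEC.exe"},
    {"id": 1, "time": "2024-05-22 21:00:13", "pid": 2112, "ppid": 4972,
     "image": r"C:\Windows\System\XleJmEC.exe"},
    {"id": 11, "time": "2024-05-22 21:00:14", "pid": 4972, "image": DROPPER,
     "target": r"C:\Windows\System\bFVxGdS.exe"},      # dropped, not run in window
    # benign noise (invented): a System32 driver install and an Edge utility process
    {"id": 11, "time": "2024-05-22 21:00:15", "pid": 800,
     "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Windows\System32\drivers\example.sys"},
    {"id": 1, "time": "2024-05-22 21:00:16", "pid": 5000, "ppid": 1200,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_suspicious_drop(path):
    """True for <legacy System dir>\\<7 mixed-case letters>.exe, case-insensitive on the directory."""
    folder, _, name = path.rpartition("\\")
    return (folder + "\\").lower() == LEGACY_SYSTEM_DIR and bool(RANDOM_EXE.match(name))


def detect(events):
    """Return alerts: each suspicious drop started by its dropper within the window,
    plus a mass-drop alert for any PID that writes THRESHOLD or more such files."""
    drops = defaultdict(list)            # dropper pid -> [(time, dropped path)]
    alerts = []
    for ev in events:
        if ev["id"] == 11 and is_suspicious_drop(ev["target"]):
            drops[ev["pid"]].append((_ts(ev["time"]), ev["target"]))
    for ev in events:
        if ev["id"] != 1:
            continue
        for t_drop, target in drops.get(ev.get("ppid"), []):
            delta = (_ts(ev["time"]) - t_drop).total_seconds()
            if target.lower() == ev["image"].lower() and 0 <= delta <= EXEC_WINDOW_S:
                alerts.append({"rule": "drop_then_execute", "dropper_pid": ev["ppid"],
                               "child_pid": ev["pid"], "image": ev["image"],
                               "seconds_after_drop": delta})
    for pid, items in drops.items():
        if len(items) >= MASS_DROP_THRESHOLD:
            alerts.append({"rule": "mass_drop_legacy_system_dir",
                           "dropper_pid": pid, "count": len(items)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input this yields two drop_then_execute alerts (children 2540 and 2112) and one mass-drop alert for PID 4972; the System32 write and the Edge process produce nothing. The mass-drop rule matters because the report shows 21 drops but a detonation window may end before every one is executed.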

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\iffTBvj.exe

C:\Windows\System\iffTBvj.exe

C:\Windows\System\XleJmEC.exe

C:\Windows\System\XleJmEC.exe

C:\Windows\System\bFVxGdS.exe

C:\Windows\System\bFVxGdS.exe

C:\Windows\System\nCbyCnn.exe

C:\Windows\System\nCbyCnn.exe

C:\Windows\System\CKItioc.exe

C:\Windows\System\CKItioc.exe

C:\Windows\System\qbOoDRj.exe

C:\Windows\System\qbOoDRj.exe

C:\Windows\System\CdFrBhF.exe

C:\Windows\System\CdFrBhF.exe

C:\Windows\System\KnrouMu.exe

C:\Windows\System\KnrouMu.exe

C:\Windows\System\TfQYDgY.exe

C:\Windows\System\TfQYDgY.exe

C:\Windows\System\msqnfRd.exe

C:\Windows\System\msqnfRd.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8

Note: this Edge utility process is not the target of any WriteProcessMemory entry from PID 4972 and has no dropped-file hash in the Files list below; treat it as sandbox background activity unless the full process tree shows the sample as its parent.

C:\Windows\System\gOJZhWm.exe

C:\Windows\System\gOJZhWm.exe

C:\Windows\System\vBWJFRN.exe

C:\Windows\System\vBWJFRN.exe

C:\Windows\System\pwKtynM.exe

C:\Windows\System\pwKtynM.exe

C:\Windows\System\PnVgTKj.exe

C:\Windows\System\PnVgTKj.exe

C:\Windows\System\CxHqvZX.exe

C:\Windows\System\CxHqvZX.exe

C:\Windows\System\xkRrvYf.exe

C:\Windows\System\xkRrvYf.exe

C:\Windows\System\yhDFXtw.exe

C:\Windows\System\yhDFXtw.exe

C:\Windows\System\znOnyLK.exe

C:\Windows\System\znOnyLK.exe

C:\Windows\System\CzMYPbc.exe

C:\Windows\System\CzMYPbc.exe

C:\Windows\System\TNSoToC.exe

C:\Windows\System\TNSoToC.exe

C:\Windows\System\DTTUwRa.exe

C:\Windows\System\DTTUwRa.exe

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           217.106.137.52.in-addr.arpa     udp
US       8.8.8.8:53           249.197.17.2.in-addr.arpa       udp
DE       3.120.209.58:8080    (none)                          tcp
US       8.8.8.8:53           205.47.74.20.in-addr.arpa       udp
NL       23.62.61.129:443     www.bing.com                    tcp
US       8.8.8.8:53           129.61.62.23.in-addr.arpa       udp
US       8.8.8.8:53           28.118.140.52.in-addr.arpa      udp
US       8.8.8.8:53           183.142.211.20.in-addr.arpa     udp
US       8.8.8.8:53           103.169.127.40.in-addr.arpa     udp
US       8.8.8.8:53           198.187.3.20.in-addr.arpa       udp
DE       3.120.209.58:8080    (none)                          tcp
US       8.8.8.8:53           43.229.111.52.in-addr.arpa      udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa    udp
DE       3.120.209.58:8080    (none)                          tcp
US       8.8.8.8:53           55.36.223.20.in-addr.arpa       udp
DE       3.120.209.58:8080    (none)                          tcp
US       8.8.8.8:53           13.179.89.13.in-addr.arpa       udp
US       8.8.8.8:53           tse1.mm.bing.net                udp
DE       3.120.209.58:8080    (none)                          tcp
US       204.79.197.200:443   tse1.mm.bing.net                tcp
US       204.79.197.200:443   tse1.mm.bing.net                tcp
DE       3.120.209.58:8080    (none)                          tcp

Note: the in-addr.arpa entries are reverse (PTR) lookups, and the bing.com traffic is consistent with the sandbox's own Edge and Windows background activity rather than the sample. 3.120.209.58:8080 is contacted seven times over TCP with no preceding name resolution and no domain, the footprint of a hard-coded beacon address; it is the one destination in this run worth blocking and pivoting on, after confirming it in the packet capture.

Files

memory/4972-0-0x00007FF607B40000-0x00007FF607E91000-memory.dmp

memory/4972-1-0x000001ADCD100000-0x000001ADCD110000-memory.dmp

C:\Windows\System\iffTBvj.exe

MD5 b6b3f326883f197aaf0b1482993b174a
SHA1 a9269402115bc36c5f159a949df2e9f1d633c922
SHA256 89983b03495b0dd5fa223f1502ad6e730553e34abaa312752637c9a1fe3c8ba8
SHA512 351b0cc30fad439b8039ffcd4341566611f18f642b6e0e64cd0d7cdcba2a4f34944e215a266d3b8595f67abeb80d524e10b18bbeec7b22bb478f49365b8e9adf

memory/2540-7-0x00007FF7178F0000-0x00007FF717C41000-memory.dmp

C:\Windows\System\XleJmEC.exe

MD5 d924cf8107f3787852c17790298d36b3
SHA1 21b0b63fc62eeb4fbc34cfc87fcbb077ff1d360b
SHA256 6c9cb18f8f275c643cf42fdac387f6d3ed8e436afdfd8a2c5bb933b748498b12
SHA512 47e32412230d7440868b188715fd82800384970d35cf8b29c4980b86077b17a9ffdbb06036ea78d2211995f6ab39b4402b733dec1e0400022c4746463ca8d8fa

C:\Windows\System\bFVxGdS.exe

MD5 66a1ccb85c14eb451f5b8c210beda3fa
SHA1 6420dafe8e5c8e4f5396d01c2565326d2f62ed8f
SHA256 988498dbe0a53c91d2f19c4feb5def2cda5ddaa81f9b689fca57cb994c2039a2
SHA512 e951a42b8b365e1cef9a23cc5d6b9eb6236235fe70bbebbc63b692f4af94030deb77080da87fbb15fa3faaf52a72a64cfec78addd45dc1b35ccc16fb299d0350

C:\Windows\System\nCbyCnn.exe

MD5 480810a2ff73751f3e0b4ca4cd4d6e4e
SHA1 1395b12f79395d1198273acc70cc4b5e1c54a3f1
SHA256 f180bc5ddfd6dc3a1978af5cccc040f4c302300695727bfab31e7ab422356e50
SHA512 34378f800d6cb62d03110e2dd291eaed76eed94f5fd45ae7ba46ae5728762e34806cc2432b4145926295e2b5b8df0a8098379434426da0ac2a246ecabeb43920

memory/4844-26-0x00007FF6CF8B0000-0x00007FF6CFC01000-memory.dmp

memory/3496-25-0x00007FF7E8F80000-0x00007FF7E92D1000-memory.dmp

memory/2112-21-0x00007FF6C5A30000-0x00007FF6C5D81000-memory.dmp

C:\Windows\System\CKItioc.exe

MD5 d46a0d9dd5f053217561ed5d8d12620f
SHA1 f5cdbdf6d54efce0a072f9ad5c7badbfcaae0708
SHA256 80aa457828d9aee7eb6bfde247ba942a3650699447a4fa7f67cab6fdeb88b391
SHA512 54f21e3bc08e6f53bf86a4527a73adeeb362b01d978db4690668f9220f73e9d96bb8131bad1c1641454a2f700058e45753ca78381462f01d8f6fd577ddcc0917

memory/924-31-0x00007FF779D30000-0x00007FF77A081000-memory.dmp

C:\Windows\System\qbOoDRj.exe

MD5 91e5ecf37ff2fffb753f7669b198a595
SHA1 ea9efb2e82fd03fcec0797abed636732a07ea17f
SHA256 5a84addee03759b88a8b136f5adcad328ed1bd8ed4b76f5357e96f8fe69f77dc
SHA512 a4855513a067bac3637538e892055d820539ed0762763b15afc616dde35a8e4761110048b4738428c24183af7c3867c84608fb503262a767d9a732c2df49faa7

memory/2708-37-0x00007FF6C1DD0000-0x00007FF6C2121000-memory.dmp

C:\Windows\System\CdFrBhF.exe

MD5 6138064f53142b3a5b25081f7112a7ed
SHA1 4712af1661f0ee96c5b0397a7578a1d2c786d887
SHA256 b8fb4d1dc867f20e36cad15aafcb273d7b341f22c28c25e90fb2f5bc94832fbd
SHA512 664df563f085be15cdd99b107fa0069aa1368e30aa229d2fcb5085b0715e0a65e97b6201cb235c1997f1051ef6ee1c2bc31231988414daf8c7218e4ea3581f28

C:\Windows\System\KnrouMu.exe

MD5 50042b08132bb8e71b6a4b7ab7fc6c99
SHA1 3d0c546c1c01b42c0fec25d74e066c43bef33ca4
SHA256 8260b4e0e05af78d8d63db30f76d14483742ba0651f58eea60b27438576834d7
SHA512 f3c985457cc4767e7ce5593529bff43a2a5ceac38542cd1eb73cc6fb1018da037d7242ead411850d4da79413ad108359630f0d6dafdb05495741de0b16b058ad

memory/2120-48-0x00007FF6DE040000-0x00007FF6DE391000-memory.dmp

memory/4036-53-0x00007FF6B94D0000-0x00007FF6B9821000-memory.dmp

C:\Windows\System\TfQYDgY.exe

MD5 afcfc0b55aaaf7f4a9c4fbc4a5ce42ee
SHA1 24a6ada969170a07c093fe127e692d069a1cdb0f
SHA256 ae82b9394373831430aaeb4ad0eb1b6d43e00cf9e61dd65f8d73d48382248a7a
SHA512 f992393273344ad958d28443944030e2951d29968e2c8a2698c433c8416304894cfbdc956cae2ee50689d98b494306420e3427607b8ba707c44e2c448ec55592

memory/3528-54-0x00007FF63BFE0000-0x00007FF63C331000-memory.dmp

C:\Windows\System\gOJZhWm.exe

MD5 1a17cafb63412561875425c21c0ca08b
SHA1 f983c8d650ca54c816c627fc65a9047aaee1e356
SHA256 10c72721ef89a70123e36dbb204eb4b75891f8a1c9c63f37f25d6b6519cfcd95
SHA512 6695105204497a521d644749980cb64523aa660d89c41a80485eceef7eaa8d5a38fce580a332e3d460126829777c73bd13e573f1685453c64e7b9f8a395cea54

memory/3716-62-0x00007FF74D1D0000-0x00007FF74D521000-memory.dmp

C:\Windows\System\msqnfRd.exe

MD5 b3bd2aa6d373adbbf1840af2152c26f5
SHA1 20f8e9146130bfa1a313580966bafc85f51cf73b
SHA256 93113d674ee17562db1cc76073e55659523cd8ea8241e419d1419ebf60c8d161
SHA512 cfc1b99039ef9bf6cfe1abed7e43590c0c567bb22a6f17fc277fd304046afa64e4336553e76e1c987f4928f16b78c9b160a041762c665da38ba0e81b31e3ffa5

C:\Windows\System\yhDFXtw.exe

MD5 0035e60d0958d078a35e32c04252f755
SHA1 1ab00aab05fcddd481d2eba5215c07dce7bb2aa7
SHA256 3e5d9b97242a89b9d54ecfa99c0ec4f918e0fda0cefbf47cab00a570115fbdbc
SHA512 a39caa158d56ac427dcfdcd4fdaed05cf876da282d89480b00ec54e623001e061f5e367779ddfef1db15b96ea8b1657c86dc7f21881c0a083d354ebfaff6085e

C:\Windows\System\CxHqvZX.exe

MD5 f9f87ec727b3daf9e860ce2e5c4350b0
SHA1 e8ef1c18d8e507012e674bc78e915de2c4ec1736
SHA256 deefc8e9b9f117805d64b0664e738867dbf7166f8b4b9f400bbab5f812363839
SHA512 5ffacfd90c7fa0c666bfc7a7d3cdbb8ca515336293886c8257be4e335dc262f2cfa57da3844eab621e0da33b24f189fe4dc986509f5666a43fc4fc58b3c55525

C:\Windows\System\TNSoToC.exe

MD5 ac44c075b8ee75f80c1a9f0651888f7a
SHA1 aa373f3a12841b450f39049fb659fc11a5c0a8a7
SHA256 a918e6f0d80637c93157b0f8fb62b12d469a8ceb11d3d9cda1532a1d0428f795
SHA512 8d72b34668be4568ec956b66459e9b49e2ee04876dab2dba8094b5fb851d7025a3eb6dada8ee58b55a2c8a8eb9f9c9199d04e08a513dbd566aa259bdc23e7f73

memory/4952-117-0x00007FF670200000-0x00007FF670551000-memory.dmp

memory/3680-119-0x00007FF7B9070000-0x00007FF7B93C1000-memory.dmp

C:\Windows\System\CzMYPbc.exe

MD5 9443e6fa9376f026858e4405a254800d
SHA1 61a84a477bd4744b3ac24c60eb2181f808f2452b
SHA256 041ada35dca8dbb86bacf279b5f4f861e9d2a55336e81818a5df43ae2220ff12
SHA512 c1cdec58c0c96f902b1899ee0bd6e3aa2b3bd481bef3af6a1a5412bbc69c452cb98938d0d88ba8fea5d0c29b7f462955a821ac2b4aba54eab19f2e81115a6f77

C:\Windows\System\znOnyLK.exe

MD5 107ec8f9284446a8066bab4f2645dc32
SHA1 e954333332f471888ca9583fa1683e0dc9e526f4
SHA256 9581692e2446fd90cb754e71553cb7df00045f0307a630e092299280524d6320
SHA512 c7ed11fc9539a82f2bc3abea04ee7aaac2d3ac258ea56b13164e554e7e88155164ed9f0b5da924ae30abc02ae1e17a5bc780e7fbd7d92e1c67ef0eda01721c37

memory/3056-118-0x00007FF6FE2F0000-0x00007FF6FE641000-memory.dmp

memory/3496-116-0x00007FF7E8F80000-0x00007FF7E92D1000-memory.dmp

memory/3324-115-0x00007FF6CB010000-0x00007FF6CB361000-memory.dmp

memory/1716-112-0x00007FF7403A0000-0x00007FF7406F1000-memory.dmp

memory/4728-108-0x00007FF7C13B0000-0x00007FF7C1701000-memory.dmp

C:\Windows\System\xkRrvYf.exe

MD5 5daf744dcafa3918606dc9e7fa24bf09
SHA1 76d10f09dcff2e5f55aa3147281f174dcbcde92b
SHA256 2879d4b3888ddf3137d6d1b0686b0858ebe14de3460f109ea07c44f8dcc5deea
SHA512 e512b2f8db49cf3b2aece61dad68cb98f3af4913f25959792a38a8cf7df19bc8520da3c79c61f2e579dc594985ddb5e522600b226bbef9df54e44c0becaa3bc0

memory/2384-101-0x00007FF773650000-0x00007FF7739A1000-memory.dmp

C:\Windows\System\PnVgTKj.exe

MD5 4d24337636aa61cdf832f09617428665
SHA1 cdf6958f7d6e32c6ac41127f0240e887d2d7be47
SHA256 0c07175e32cbd27323ef0b0af7fef76a2fcd13a915f77f81831c6e6838918b62
SHA512 543ee652c9d334907c25151c391aff3c983f12bc046bbd20aa93b08f077d2084ee58b19a98a11565b6adcd37fb46562d407bec447c5f9b6e5863adb761b1d09b

memory/2540-92-0x00007FF7178F0000-0x00007FF717C41000-memory.dmp

memory/2572-91-0x00007FF6A0ED0000-0x00007FF6A1221000-memory.dmp

C:\Windows\System\pwKtynM.exe

MD5 62b0a9bb614549c5616e0ea621b8153a
SHA1 d8da1721e3e96dde1afdf2cafd845403f3118568
SHA256 87bd10f92304ec910040b87c355ec956011090d4d152ece375ef7dc2379cc1d2
SHA512 e06fe87209aaabfa1aa2917f3176297755e7588d82c27c1b3aa314780f8299fce693cc202726fd208d921e1f2e886210cc4b84dc241a46ba0a7ea07d3f62abb2

memory/3484-84-0x00007FF6AE8C0000-0x00007FF6AEC11000-memory.dmp

C:\Windows\System\vBWJFRN.exe

MD5 e1ec731006e03c3982327e5bb9daeefb
SHA1 dc1b43ab2a125e2028b490dd34421a081bb7c418
SHA256 658cfe20353d36f61e064ea9ea6439cc305a4ef3995bcc45064052d32e637253
SHA512 74601007d39440e417820d5d57ae3e4500ef015508a57ccef400d1ce1c0b2c676d94daaa0084f0468d402e11af2feac140795512d6121dcceb5a8853e8416dff

memory/960-73-0x00007FF7A9F10000-0x00007FF7AA261000-memory.dmp

memory/4972-70-0x00007FF607B40000-0x00007FF607E91000-memory.dmp

C:\Windows\System\DTTUwRa.exe

MD5 e341271e9ec1422882fa35f3fa929277
SHA1 45bb97fbc879af510b0970003bcdcf6ef8a79abf
SHA256 f6690f1acce5c20f5277e904bd8a4b5ae5cc89f2f550c34b041a826bdeeb7cd3
SHA512 96b1428e16f6f15544d8ca967ba86691773972e954d7ddfdf3e425ab23a8ce476eefe0987a7940f383c3a870a09866d0601d4f7359fb7a308ac220f8ef69c7b3
