Malware Analysis Report

2025-04-19 15:05

Sample ID: 240522-zvfegagf44
Target: 2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike
SHA256: 4f02cb8dc893619c18387387bdaca2ea4b66119fb6b6fdc5d44dd3c77fefc3f2
Tags: upx 0 miner cobaltstrike xmrig backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4f02cb8dc893619c18387387bdaca2ea4b66119fb6b6fdc5d44dd3c77fefc3f2

Threat Level: Known bad

The file 2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike family

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

XMRig Miner payload

Xmrig family

Cobaltstrike

xmrig

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 21:02

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 21:02

Reported

2024-05-22 21:04

Platform

win7-20240220-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ECAODjS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lPuqetT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SWqvjvb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MFbRbix.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ytzGJOh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SilITiw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ltzYfJp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wdnNKsD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fsTwpdx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QAqFsYM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FwkrCeH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uqgGauy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rMvAQdT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\roVrrgk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LpagOpC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HtAPkUX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uVFPRKa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JcWWqvp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QzaSITS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fnBzsjm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bFLxpZu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\QAqFsYM.exe
PID 2132 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\JcWWqvp.exe
PID 2132 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\SWqvjvb.exe
PID 2132 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\QzaSITS.exe
PID 2132 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\MFbRbix.exe
PID 2132 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\fnBzsjm.exe
PID 2132 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\FwkrCeH.exe
PID 2132 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\rMvAQdT.exe
PID 2132 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ytzGJOh.exe
PID 2132 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\uqgGauy.exe
PID 2132 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\roVrrgk.exe
PID 2132 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\SilITiw.exe
PID 2132 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ltzYfJp.exe
PID 2132 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\LpagOpC.exe
PID 2132 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\wdnNKsD.exe
PID 2132 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\HtAPkUX.exe
PID 2132 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\uVFPRKa.exe
PID 2132 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ECAODjS.exe
PID 2132 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\lPuqetT.exe
PID 2132 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\bFLxpZu.exe
PID 2132 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\fsTwpdx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\QAqFsYM.exe

C:\Windows\System\QAqFsYM.exe

C:\Windows\System\JcWWqvp.exe

C:\Windows\System\JcWWqvp.exe

C:\Windows\System\SWqvjvb.exe

C:\Windows\System\SWqvjvb.exe

C:\Windows\System\QzaSITS.exe

C:\Windows\System\QzaSITS.exe

C:\Windows\System\MFbRbix.exe

C:\Windows\System\MFbRbix.exe

C:\Windows\System\fnBzsjm.exe

C:\Windows\System\fnBzsjm.exe

C:\Windows\System\FwkrCeH.exe

C:\Windows\System\FwkrCeH.exe

C:\Windows\System\rMvAQdT.exe

C:\Windows\System\rMvAQdT.exe

C:\Windows\System\ytzGJOh.exe

C:\Windows\System\ytzGJOh.exe

C:\Windows\System\uqgGauy.exe

C:\Windows\System\uqgGauy.exe

C:\Windows\System\roVrrgk.exe

C:\Windows\System\roVrrgk.exe

C:\Windows\System\SilITiw.exe

C:\Windows\System\SilITiw.exe

C:\Windows\System\ltzYfJp.exe

C:\Windows\System\ltzYfJp.exe

C:\Windows\System\LpagOpC.exe

C:\Windows\System\LpagOpC.exe

C:\Windows\System\wdnNKsD.exe

C:\Windows\System\wdnNKsD.exe

C:\Windows\System\HtAPkUX.exe

C:\Windows\System\HtAPkUX.exe

C:\Windows\System\uVFPRKa.exe

C:\Windows\System\uVFPRKa.exe

C:\Windows\System\ECAODjS.exe

C:\Windows\System\ECAODjS.exe

C:\Windows\System\lPuqetT.exe

C:\Windows\System\lPuqetT.exe

C:\Windows\System\bFLxpZu.exe

C:\Windows\System\bFLxpZu.exe

C:\Windows\System\fsTwpdx.exe

C:\Windows\System\fsTwpdx.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

SHA512 89aa8b430a71579ca84dc7e3a5838ebfe3075c9c3e8efcbf9b6c81ac6851a82e376c9ed8dd121d216a9632ef094a6c84a5f9db3f4d2e69c8d55a20b17f8e42c8

memory/2132-10-0x000000013F490000-0x000000013F7E1000-memory.dmp

C:\Windows\system\QAqFsYM.exe

MD5 b0dd9e57eabba51649d470c2fe6aed06
SHA1 997d34f9584ccba1008fd6e6ce0e76c5d8a405a8
SHA256 7102b66ea5c8fc0ef8702081bd8bb769e89c143002595591d91f307cf7e30039
SHA512 a52a4813d54627e8928021896d4744e4d86360c9e129a7c9311dbfc8ce05dfae20c16a54332cfa3cecb3b2408ea8cbd9ada644e88ade2ceea88985a11b9050b6

\Windows\system\QAqFsYM.exe

MD5 127fc12f6faae6241480d3135e552500
SHA1 801e5edf3a087a26f7d10e6bccde102f07d029e4
SHA256 825915c16780b599c32204b48d20a1fbcb4baf2eb57960853aa1679574121fb8
SHA512 c859058e54b6a916c73c8cfc81b0347195ddc770d4112c2189cb2dc9a6aa8574b3ee3ca67deb659ca1901ed5c0c543ddc2ed6de390260167651487d0bed263fe

memory/2132-0-0x000000013F050000-0x000000013F3A1000-memory.dmp

memory/2132-131-0x000000013F050000-0x000000013F3A1000-memory.dmp

memory/2168-133-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/2132-132-0x00000000022B0000-0x0000000002601000-memory.dmp

memory/2132-134-0x000000013F050000-0x000000013F3A1000-memory.dmp

memory/2892-145-0x000000013FF00000-0x0000000140251000-memory.dmp

memory/2124-149-0x000000013FBF0000-0x000000013FF41000-memory.dmp

memory/2044-155-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

memory/1364-154-0x000000013F6D0000-0x000000013FA21000-memory.dmp

memory/1256-153-0x000000013F030000-0x000000013F381000-memory.dmp

memory/284-152-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/1192-151-0x000000013F4F0000-0x000000013F841000-memory.dmp

memory/556-150-0x000000013F550000-0x000000013F8A1000-memory.dmp

memory/2132-156-0x000000013F050000-0x000000013F3A1000-memory.dmp

memory/3024-201-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/2524-203-0x000000013FD30000-0x0000000140081000-memory.dmp

memory/2568-207-0x000000013F150000-0x000000013F4A1000-memory.dmp

memory/2028-209-0x000000013F800000-0x000000013FB51000-memory.dmp

memory/2688-206-0x000000013FA30000-0x000000013FD81000-memory.dmp

memory/2704-211-0x000000013FA50000-0x000000013FDA1000-memory.dmp

memory/2444-213-0x000000013F410000-0x000000013F761000-memory.dmp

memory/2168-215-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/2452-217-0x000000013FBE0000-0x000000013FF31000-memory.dmp

memory/2884-219-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/2892-221-0x000000013FF00000-0x0000000140251000-memory.dmp

memory/2636-223-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2712-235-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/2768-237-0x000000013F950000-0x000000013FCA1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 21:02

Reported

2024-05-22 21:04

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\AerVpoj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TkKsLzE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eLQesee.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rzMlVvE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SUhvVfw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QQpbzDa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ewuCVMk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BORaANe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PZhbmUR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NABPmTf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nCfKUUR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RAgqzQe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KVLGvfG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BzXWTAY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qubLxoO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mBQLGHn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qptbmWz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cgYMxIr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hwgnORy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GZpPkyb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sCYjzOj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4880 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\TkKsLzE.exe
PID 4880 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\TkKsLzE.exe
PID 4880 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\eLQesee.exe
PID 4880 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\eLQesee.exe
PID 4880 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\BORaANe.exe
PID 4880 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\BORaANe.exe
PID 4880 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\rzMlVvE.exe
PID 4880 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\rzMlVvE.exe
PID 4880 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\cgYMxIr.exe
PID 4880 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\cgYMxIr.exe
PID 4880 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\hwgnORy.exe
PID 4880 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\hwgnORy.exe
PID 4880 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\PZhbmUR.exe
PID 4880 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\PZhbmUR.exe
PID 4880 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\SUhvVfw.exe
PID 4880 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\SUhvVfw.exe
PID 4880 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\AerVpoj.exe
PID 4880 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\AerVpoj.exe
PID 4880 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\GZpPkyb.exe
PID 4880 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\GZpPkyb.exe
PID 4880 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\NABPmTf.exe
PID 4880 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\NABPmTf.exe
PID 4880 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\RAgqzQe.exe
PID 4880 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\RAgqzQe.exe
PID 4880 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\sCYjzOj.exe
PID 4880 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\sCYjzOj.exe
PID 4880 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\nCfKUUR.exe
PID 4880 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\nCfKUUR.exe
PID 4880 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\mBQLGHn.exe
PID 4880 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\mBQLGHn.exe
PID 4880 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\QQpbzDa.exe
PID 4880 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\QQpbzDa.exe
PID 4880 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\KVLGvfG.exe
PID 4880 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\KVLGvfG.exe
PID 4880 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\BzXWTAY.exe
PID 4880 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\BzXWTAY.exe
PID 4880 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ewuCVMk.exe
PID 4880 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ewuCVMk.exe
PID 4880 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qptbmWz.exe
PID 4880 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qptbmWz.exe
PID 4880 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qubLxoO.exe
PID 4880 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qubLxoO.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\TkKsLzE.exe

C:\Windows\System\TkKsLzE.exe

C:\Windows\System\eLQesee.exe

C:\Windows\System\eLQesee.exe

C:\Windows\System\BORaANe.exe

C:\Windows\System\BORaANe.exe

C:\Windows\System\rzMlVvE.exe

C:\Windows\System\rzMlVvE.exe

C:\Windows\System\cgYMxIr.exe

C:\Windows\System\cgYMxIr.exe

C:\Windows\System\hwgnORy.exe

C:\Windows\System\hwgnORy.exe

C:\Windows\System\PZhbmUR.exe

C:\Windows\System\PZhbmUR.exe

C:\Windows\System\SUhvVfw.exe

C:\Windows\System\SUhvVfw.exe

C:\Windows\System\AerVpoj.exe

C:\Windows\System\AerVpoj.exe

C:\Windows\System\GZpPkyb.exe

C:\Windows\System\GZpPkyb.exe

C:\Windows\System\NABPmTf.exe

C:\Windows\System\NABPmTf.exe

C:\Windows\System\RAgqzQe.exe

C:\Windows\System\RAgqzQe.exe

C:\Windows\System\sCYjzOj.exe

C:\Windows\System\sCYjzOj.exe

C:\Windows\System\nCfKUUR.exe

C:\Windows\System\nCfKUUR.exe

C:\Windows\System\mBQLGHn.exe

C:\Windows\System\mBQLGHn.exe

C:\Windows\System\QQpbzDa.exe

C:\Windows\System\QQpbzDa.exe

C:\Windows\System\KVLGvfG.exe

C:\Windows\System\KVLGvfG.exe

C:\Windows\System\BzXWTAY.exe

C:\Windows\System\BzXWTAY.exe

C:\Windows\System\ewuCVMk.exe

C:\Windows\System\ewuCVMk.exe

C:\Windows\System\qptbmWz.exe

C:\Windows\System\qptbmWz.exe

C:\Windows\System\qubLxoO.exe

C:\Windows\System\qubLxoO.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.161:443 www.bing.com tcp
US 8.8.8.8:53 161.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 23.62.61.146:443 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 146.61.62.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
