Malware Analysis Report

2025-04-19 18:43

Sample ID 240527-cgngladc92
Target 2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike
SHA256 b3ddfdc6b8488e80f8065e707c814a15e9d880b342adbfc645c30c7de6002339
Tags upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

b3ddfdc6b8488e80f8065e707c814a15e9d880b342adbfc645c30c7de6002339

Threat Level: Known bad

The file 2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Xmrig family

xmrig

Cobaltstrike family

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Cobaltstrike

Detects Reflective DLL injection artifacts

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-27 02:03

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 02:03

Reported

2024-05-27 02:05

Platform

win7-20240221-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HYqrZga.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uPueXWK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wthwNxJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NZSaWXq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FNmKGTC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AeYofRS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EgmjSPv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YRTXbXp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BATULQi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kEFXhyD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AgZunbG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\faDGZqw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pXKQlyd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PCYsZyD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NSbPBrJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FoObuKz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yTmXyup.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SgDAtGt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sCfqrmK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OvNjmRa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YrXdVWD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCYsZyD.exe
PID 2552 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\NSbPBrJ.exe
PID 2552 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\HYqrZga.exe
PID 2552 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\FoObuKz.exe
PID 2552 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\sCfqrmK.exe
PID 2552 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\YRTXbXp.exe
PID 2552 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\OvNjmRa.exe
PID 2552 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\YrXdVWD.exe
PID 2552 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\uPueXWK.exe
PID 2552 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\wthwNxJ.exe
PID 2552 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\BATULQi.exe
PID 2552 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\AgZunbG.exe
PID 2552 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\kEFXhyD.exe
PID 2552 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\faDGZqw.exe
PID 2552 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\yTmXyup.exe
PID 2552 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\NZSaWXq.exe
PID 2552 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\pXKQlyd.exe
PID 2552 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\FNmKGTC.exe
PID 2552 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\AeYofRS.exe
PID 2552 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\EgmjSPv.exe
PID 2552 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\SgDAtGt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\PCYsZyD.exe

C:\Windows\System\NSbPBrJ.exe

C:\Windows\System\HYqrZga.exe

C:\Windows\System\FoObuKz.exe

C:\Windows\System\sCfqrmK.exe

C:\Windows\System\YRTXbXp.exe

C:\Windows\System\OvNjmRa.exe

C:\Windows\System\YrXdVWD.exe

C:\Windows\System\uPueXWK.exe

C:\Windows\System\wthwNxJ.exe

C:\Windows\System\BATULQi.exe

C:\Windows\System\AgZunbG.exe

C:\Windows\System\kEFXhyD.exe

C:\Windows\System\faDGZqw.exe

C:\Windows\System\yTmXyup.exe

C:\Windows\System\NZSaWXq.exe

C:\Windows\System\pXKQlyd.exe

C:\Windows\System\FNmKGTC.exe

C:\Windows\System\AeYofRS.exe

C:\Windows\System\EgmjSPv.exe

C:\Windows\System\SgDAtGt.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp


memory/2640-27-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2640-136-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2552-135-0x000000013F380000-0x000000013F6D1000-memory.dmp

memory/2552-137-0x000000013F380000-0x000000013F6D1000-memory.dmp

memory/2552-151-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/2596-149-0x000000013F980000-0x000000013FCD1000-memory.dmp

memory/2424-148-0x000000013F130000-0x000000013F481000-memory.dmp

memory/2712-153-0x000000013FF50000-0x00000001402A1000-memory.dmp

memory/1528-147-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/2948-146-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/2552-150-0x000000013FC80000-0x000000013FFD1000-memory.dmp

memory/1568-159-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/900-158-0x000000013FF30000-0x0000000140281000-memory.dmp

memory/240-157-0x000000013F250000-0x000000013F5A1000-memory.dmp

memory/1584-156-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/500-155-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/2100-160-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2552-161-0x000000013F380000-0x000000013F6D1000-memory.dmp

memory/2036-206-0x000000013FC80000-0x000000013FFD1000-memory.dmp

memory/2372-210-0x000000013FBC0000-0x000000013FF11000-memory.dmp

memory/2624-209-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/2640-212-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2684-214-0x000000013F400000-0x000000013F751000-memory.dmp

memory/2388-216-0x000000013F540000-0x000000013F891000-memory.dmp

memory/2528-218-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2364-220-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/2948-227-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/1528-238-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/2424-240-0x000000013F130000-0x000000013F481000-memory.dmp

memory/2716-242-0x000000013F1E0000-0x000000013F531000-memory.dmp

memory/2744-244-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/2596-246-0x000000013F980000-0x000000013FCD1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 02:03

Reported

2024-05-27 02:05

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VlwcjrN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oyCVMHr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mkLotWD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rZAZnJO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\letaKNC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\atqKYLG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RcpfOeD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sYFEIHu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QjlHeTr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nNZDHWa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cgrBtVY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dsJjUdQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XzRMyiZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jOhGhtQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iwFoQuC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tSVVHzt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VvtCIcg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\utuKXJK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yRMZRyO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OCOyFnm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wzzRLEA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4756 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\iwFoQuC.exe
PID 4756 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\iwFoQuC.exe
PID 4756 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\RcpfOeD.exe
PID 4756 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\RcpfOeD.exe
PID 4756 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\tSVVHzt.exe
PID 4756 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\tSVVHzt.exe
PID 4756 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\VvtCIcg.exe
PID 4756 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\VvtCIcg.exe
PID 4756 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\sYFEIHu.exe
PID 4756 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\sYFEIHu.exe
PID 4756 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\utuKXJK.exe
PID 4756 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\utuKXJK.exe
PID 4756 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\VlwcjrN.exe
PID 4756 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\VlwcjrN.exe
PID 4756 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\oyCVMHr.exe
PID 4756 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\oyCVMHr.exe
PID 4756 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\yRMZRyO.exe
PID 4756 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\yRMZRyO.exe
PID 4756 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\nNZDHWa.exe
PID 4756 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\nNZDHWa.exe
PID 4756 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\mkLotWD.exe
PID 4756 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\mkLotWD.exe
PID 4756 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\rZAZnJO.exe
PID 4756 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\rZAZnJO.exe
PID 4756 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\OCOyFnm.exe
PID 4756 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\OCOyFnm.exe
PID 4756 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\letaKNC.exe
PID 4756 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\letaKNC.exe
PID 4756 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\cgrBtVY.exe
PID 4756 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\cgrBtVY.exe
PID 4756 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\QjlHeTr.exe
PID 4756 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\QjlHeTr.exe
PID 4756 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\dsJjUdQ.exe
PID 4756 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\dsJjUdQ.exe
PID 4756 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\wzzRLEA.exe
PID 4756 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\wzzRLEA.exe
PID 4756 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\XzRMyiZ.exe
PID 4756 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\XzRMyiZ.exe
PID 4756 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\jOhGhtQ.exe
PID 4756 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\jOhGhtQ.exe
PID 4756 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\atqKYLG.exe
PID 4756 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe C:\Windows\System\atqKYLG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\iwFoQuC.exe

C:\Windows\System\iwFoQuC.exe

C:\Windows\System\RcpfOeD.exe

C:\Windows\System\RcpfOeD.exe

C:\Windows\System\tSVVHzt.exe

C:\Windows\System\tSVVHzt.exe

C:\Windows\System\VvtCIcg.exe

C:\Windows\System\VvtCIcg.exe

C:\Windows\System\sYFEIHu.exe

C:\Windows\System\sYFEIHu.exe

C:\Windows\System\utuKXJK.exe

C:\Windows\System\utuKXJK.exe

C:\Windows\System\VlwcjrN.exe

C:\Windows\System\VlwcjrN.exe

C:\Windows\System\oyCVMHr.exe

C:\Windows\System\oyCVMHr.exe

C:\Windows\System\yRMZRyO.exe

C:\Windows\System\yRMZRyO.exe

C:\Windows\System\nNZDHWa.exe

C:\Windows\System\nNZDHWa.exe

C:\Windows\System\mkLotWD.exe

C:\Windows\System\mkLotWD.exe

C:\Windows\System\rZAZnJO.exe

C:\Windows\System\rZAZnJO.exe

C:\Windows\System\OCOyFnm.exe

C:\Windows\System\OCOyFnm.exe

C:\Windows\System\letaKNC.exe

C:\Windows\System\letaKNC.exe

C:\Windows\System\cgrBtVY.exe

C:\Windows\System\cgrBtVY.exe

C:\Windows\System\QjlHeTr.exe

C:\Windows\System\QjlHeTr.exe

C:\Windows\System\dsJjUdQ.exe

C:\Windows\System\dsJjUdQ.exe

C:\Windows\System\wzzRLEA.exe

C:\Windows\System\wzzRLEA.exe

C:\Windows\System\XzRMyiZ.exe

C:\Windows\System\XzRMyiZ.exe

C:\Windows\System\jOhGhtQ.exe

C:\Windows\System\jOhGhtQ.exe

C:\Windows\System\atqKYLG.exe

C:\Windows\System\atqKYLG.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 142.250.179.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 74.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files
