Malware Analysis Report

2025-01-06 16:51

Sample ID 240527-wcjsdsca7x
Target 2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike
SHA256 451e7d32777061de43a5fb3d3c982ba801cb3ea62fac22d71af49dc52715c2b9
Tags
miner upx xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

451e7d32777061de43a5fb3d3c982ba801cb3ea62fac22d71af49dc52715c2b9

Threat Level: Known bad

The file 2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

XMRig Miner payload

Cobaltstrike

xmrig

Cobaltstrike family

Detects Reflective DLL injection artifacts

Xmrig family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-27 17:46

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 17:46

Reported

2024-05-27 17:49

Platform

win7-20240221-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IAwAoFw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ELCWnaR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eXjyWZh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PifCZwU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JttvypX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dZVLfrN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PUROHti.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hruLRWF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vmipcGq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ohWPxUg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eZyQnBW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bfZHCkG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RyaAart.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HeKDwsb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QrVXtoV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YCiLWEk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UIzvxRu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OApGcMK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nUaTYZA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KcCKmmy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YWhbHMF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\RyaAart.exe
PID 2440 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ELCWnaR.exe
PID 2440 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\HeKDwsb.exe
PID 2440 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\eXjyWZh.exe
PID 2440 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\QrVXtoV.exe
PID 2440 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\OApGcMK.exe
PID 2440 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\nUaTYZA.exe
PID 2440 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PifCZwU.exe
PID 2440 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\YCiLWEk.exe
PID 2440 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\dZVLfrN.exe
PID 2440 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KcCKmmy.exe
PID 2440 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\JttvypX.exe
PID 2440 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\vmipcGq.exe
PID 2440 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ohWPxUg.exe
PID 2440 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PUROHti.exe
PID 2440 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\YWhbHMF.exe
PID 2440 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\eZyQnBW.exe
PID 2440 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\bfZHCkG.exe
PID 2440 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\hruLRWF.exe
PID 2440 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UIzvxRu.exe
PID 2440 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\IAwAoFw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\RyaAart.exe

C:\Windows\System\RyaAart.exe

C:\Windows\System\ELCWnaR.exe

C:\Windows\System\ELCWnaR.exe

C:\Windows\System\HeKDwsb.exe

C:\Windows\System\HeKDwsb.exe

C:\Windows\System\eXjyWZh.exe

C:\Windows\System\eXjyWZh.exe

C:\Windows\System\QrVXtoV.exe

C:\Windows\System\QrVXtoV.exe

C:\Windows\System\OApGcMK.exe

C:\Windows\System\OApGcMK.exe

C:\Windows\System\nUaTYZA.exe

C:\Windows\System\nUaTYZA.exe

C:\Windows\System\PifCZwU.exe

C:\Windows\System\PifCZwU.exe

C:\Windows\System\YCiLWEk.exe

C:\Windows\System\YCiLWEk.exe

C:\Windows\System\dZVLfrN.exe

C:\Windows\System\dZVLfrN.exe

C:\Windows\System\KcCKmmy.exe

C:\Windows\System\KcCKmmy.exe

C:\Windows\System\JttvypX.exe

C:\Windows\System\JttvypX.exe

C:\Windows\System\vmipcGq.exe

C:\Windows\System\vmipcGq.exe

C:\Windows\System\ohWPxUg.exe

C:\Windows\System\ohWPxUg.exe

C:\Windows\System\PUROHti.exe

C:\Windows\System\PUROHti.exe

C:\Windows\System\YWhbHMF.exe

C:\Windows\System\YWhbHMF.exe

C:\Windows\System\eZyQnBW.exe

C:\Windows\System\eZyQnBW.exe

C:\Windows\System\bfZHCkG.exe

C:\Windows\System\bfZHCkG.exe

C:\Windows\System\hruLRWF.exe

C:\Windows\System\hruLRWF.exe

C:\Windows\System\UIzvxRu.exe

C:\Windows\System\UIzvxRu.exe

C:\Windows\System\IAwAoFw.exe

C:\Windows\System\IAwAoFw.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2440-0-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2440-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\RyaAart.exe

MD5 12a65a7389be8950a3fcf216fc8f1ccf
SHA1 65df17bc39612d95c350a7a703c264360e2e380b
SHA256 f76c556cd10c1f00ae69bc94dc8c8ab96faf433fc5d718befa8a464963295c57
SHA512 62f3f874ff939ccea99cfbbd7028683a19993c2178d79208904ac66b3835c7d6f721bd2f276c607380a6f75c60ee04a4ef75f4a23546711a957b5bfc176c0a9c

\Windows\system\HeKDwsb.exe

MD5 c2ef880df6cf52390a7827e01ba3c628
SHA1 fdebbfef45dd95f2270b4041e67a4425af6c22f9
SHA256 e6fd8fe6642c0a6136615773368f656ac3c66e4793c9b0a654cbe0d9a04179d8
SHA512 7f1330789951cc04730306a82bb7465c7dbc665f79674ba848798c56591181fd5a24568eb0566884fec9178dea779ca137d503689f9a25fa9db604a50a42f7be

C:\Windows\system\ELCWnaR.exe

MD5 cc0d5efe9815bca0ab888bbb92465656
SHA1 b4ffd31c0bd06accee178496c806e2034a8f978c
SHA256 d38d9ce9b71fb587515056239cd02fe8b5b47dad630800a367a5952ef568f929
SHA512 3d9146145d3ae91266ebf260877a8186c837d069be6eba7e3044c0e85e552c60880ede28a03a14b5db9d04780891cbf416c6500468cf5c5f8c9b5cd2af6f4822

memory/2448-19-0x000000013FE70000-0x00000001401C4000-memory.dmp

\Windows\system\QrVXtoV.exe

MD5 f005e7556d56c517f26ff8bf3dc1eb57
SHA1 5ef31fc4d63c69d7a861606a28757f635ed42171
SHA256 bbaac9fa25bf63521b9836d6ce2d877a60a950976e3625204a84d4f3c7ac19a8
SHA512 23a3ddcec88cbf2021b3eb27a6d87e1e6b3eff0e9bdad44d4dbdddf86861dc9610b729946a2e169fec796e5b7277e9cd2d286d51e1714b1e8ca8fbe779e97dc9

\Windows\system\nUaTYZA.exe

MD5 47fe9ea9667334837b35a54cdf0e78e4
SHA1 6e19068e0050f4782a79fa6260ea4c169ba5ba35
SHA256 e60078e459353aa991b93d6a8d0f99ccd67290b38ac881944b174cbcc98a61e9
SHA512 2911a43ff6c243fd477e01b0ce5c85f271653734b1d088c91173a67a4654bf795034db3c4575af86a4900d597e854b5024e19dc26f0753c5043e41909fa25d9e

C:\Windows\system\eXjyWZh.exe

MD5 dcb8e39aa68551bbf3bd31124031587b
SHA1 e9f856bb89da78d527caa6d8ef07edc36da0cf2e
SHA256 7bbba67eec1d7bbbe56bb4750c4923f0923f34baee0272bc7afc7ccb53636c9a
SHA512 426bc62148ca93f3fd96233227198b892eec7b9e231fda2089d559bf34324fb7d2072d4556981c6414e871a16ccd950e7c87ee4f37125f80c26ce73eb8e829a8

memory/2440-26-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2456-49-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/2484-46-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2472-44-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2440-42-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/2620-40-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2440-39-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2440-55-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/2440-67-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/2420-68-0x000000013F0B0000-0x000000013F404000-memory.dmp

C:\Windows\system\KcCKmmy.exe

MD5 4a87b2fcac8a5c0c4fad6230d5d7f186
SHA1 b518d15ed6883be00b67f3b38dafcb817bfeb22e
SHA256 817b51b18bd5a36360f807b62c260ea0ee9e9c4445cfc48e036a56bc2e515553
SHA512 3863d3b5fcb2857a810c51fb1c0649a1cba071ac372a560aadcf88ef178446aa67d3cd8e4f89701eaa2d66f0c47d9bf9da92f775bb9cb3d55f838a532a3b59de

\Windows\system\JttvypX.exe

MD5 4303ab8d255b4127bbf6259ba9a072b6
SHA1 bf0f8a9a8f55aa274e6810546337342ea2821ace
SHA256 2b1ad2a3dc39054fe15ac3962e40e2bd101601b6da59217ea2b8a2166fdded54
SHA512 883af0cac920342e634872e37a991f5905077e19f76307d9cda96cf79f43273033c748b208358be7ca03e66634a00c90019d577cf5b6e506a536ccb86a282ea1

C:\Windows\system\dZVLfrN.exe

MD5 d3edda6f5d5203cdc8161e341825e0d3
SHA1 e2d2b0e60f3695045c4e243de5770f58937e3231
SHA256 3c9a3bf28f040a86159dbb30393d38e912e3c47d4e52001bbed6a516055d883c
SHA512 0f80f4e7ddebf20f339f080c9fc056fe16350853f49efca28324426dea6490a0053af390dd69735bf870f1f4c2eb8b0a309d8bcac0d7ae34fac3e15ac96135af

memory/1188-80-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/2440-74-0x000000013F240000-0x000000013F594000-memory.dmp

C:\Windows\system\vmipcGq.exe

MD5 bc4e5237e6f105fe33cb38f51ad9556f
SHA1 65febb1207e47f1a6bad435cf487586c3f226c4b
SHA256 04f94ab3ad6b740c24903e69381bb62c29c9bf2f7c53a2e8fa7c46d07433c7db
SHA512 21f2153f48614a00b8bd1d13cb124f0aa3b0e94127ee21aadf6a9c944d6f67930579d9c7427112ef079e6fb2d52b78ecd82ffeb2cbcdd94126401f843a4aaab5

memory/2440-78-0x0000000002360000-0x00000000026B4000-memory.dmp

C:\Windows\system\YWhbHMF.exe

MD5 f29ee1a24414e5b48792b232e89bcbac
SHA1 840fe4d8b44b7fff8b58e3caf442d6cb3b0db406
SHA256 a1553c5dcd988b52d20b401120e3f5332cf17fb351c24fad72920b0c877c4e87
SHA512 7f2d922bb6f6b736cfd96bf97c76a74c8bc9651c700d2a9ce435e0176f366dc561f0439774429fb59474cd3bcc7f7e4e634dfbfc8ed245ffc31eab9ec99a595b

C:\Windows\system\bfZHCkG.exe

MD5 3e28f4aa27beb82dbe1aae116239afc7
SHA1 38b83c01ef0db991961e6dec2634bda2fce19730
SHA256 6d2a5948452bcfaef0b9100361eb75618751b7cf8c6fe9a8f828995e62fd990c
SHA512 51578d9340ea62c09ce98872bd2c50fa2ef1012f803af64c014dd41970eb514126c35742572c8c32edec70c899c5477676741aecb41ef7a13c9363674e4ebc2f

\Windows\system\IAwAoFw.exe

MD5 4224dd054a5dedb0af1ff7e23ea36b6a
SHA1 0e451bc7ffe65cad18aa0a533c8e0e629c1d0e50
SHA256 56e2346f5d27510e74d2747f7e5b62c2f4c9103d31f2189c060b9de4ebc14204
SHA512 acdfe435025217ef4d57147bc581119694c9cd441cb9f876c0da9073672c40f2af151bcdf2fe8d783a696a42bfbf4fb63938c87be13739405aaea40b2f0925b7

C:\Windows\system\UIzvxRu.exe

MD5 2edb40524236c158ba35c621b5041051
SHA1 d2bc13a4486887f1ff3514633d058b488e466023
SHA256 2b31517885a2f4d6d4f3c9792199d1add251924b190fba135b43a464f30b0eb6
SHA512 448b53956c4be2c0474caec560dfe1477c58aa9b0a4e6ceaa341de633c305c30f3c94d31ae91ecbb29356646888f509ec8d4554f52832cac9d3c32c14be6d460

C:\Windows\system\hruLRWF.exe

MD5 2727822e805c5e069ed51389b627ecd4
SHA1 d474ff4869466647600a8adf3b561f0a1cf52655
SHA256 6c5fd6342660ea411c58e6b082d78ea2f12c7401701997ad4bd12157cc874860
SHA512 bf87f46919abc46fc7fc1300b8c602f1025433fb4598d00e2781af7ddd511ab161dd1629451d64928f8a7b0cb8e90e74d89052195aca55cb07fb3759929c2d8d

C:\Windows\system\eZyQnBW.exe

MD5 418a1c7bf99fb7c22e9e783b8f27a5b9
SHA1 0e41a4be4253da24d7b9e4cda8686b92c0769e98
SHA256 e9b47caa341c12caf3e7097575a41add7c726ca0753d0764c6ed92ebc91cbb39
SHA512 37a1c3419e546e4eed855afa442d7d416689693c283e82f89767a7ca8fa4a576950a63fc6b1055d95761cefe65e323230b02176c2b23730c272f39e10af99b38

memory/2440-103-0x0000000002360000-0x00000000026B4000-memory.dmp

C:\Windows\system\PUROHti.exe

MD5 aac88b7ea291c3a409f8eefef3cc41a3
SHA1 ec76555247b8ba38556b9d31d6a23da04bca5403
SHA256 e556a87f4979c6d052813f09461553ea91e386b5a50f7ba510e1643cb00e8eb4
SHA512 a99d0029de2508df5c5cac045e523e76bee3a4c933b44af437db39f5e666e241d51528027118d2f129e95daed28e536bed5a81d23125453651b4c290bf884feb

memory/1452-99-0x000000013F960000-0x000000013FCB4000-memory.dmp

memory/2440-98-0x000000013F960000-0x000000013FCB4000-memory.dmp

memory/2484-97-0x000000013FA40000-0x000000013FD94000-memory.dmp

C:\Windows\system\ohWPxUg.exe

MD5 df7cb3490a5cf2f92cb72964dd9d7613
SHA1 ea8f9b395dda41692a2505eaf686434d78ca1300
SHA256 4390c0770ca848391c3c02ccb7db56aae4755bd91f2d9a1d0002a049a2f548ad
SHA512 f0598c40ff370249f16a5fc2d294d9bb8717c66a4099aeb5c8aa60c318866a8f5a5b46bd104705ec53ac761e9351c687d5cef2305c0f1ea9634ec31371311b3d

memory/2672-90-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2440-87-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/1280-86-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2428-63-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2440-62-0x0000000002360000-0x00000000026B4000-memory.dmp

C:\Windows\system\YCiLWEk.exe

MD5 2d70e42bd9a8927f2dcc99983d0528c7
SHA1 27e7297adfdaf13ca8cf24b1d800bad9b0629f47
SHA256 31343b527661a8bc0c69c943dd8b75576c50d3bf087dc7339a3ce8c0d5d756e9
SHA512 1e05db418cb2c2f107418b11cf1a22f1961dad6d9d87b2d74d544e2ac163b1c68445be4c722902711489d35b2898e44fe4b805dbd5a3aa3cc0ddd0eb0f0ad525

memory/2456-135-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/2356-56-0x000000013F020000-0x000000013F374000-memory.dmp

C:\Windows\system\PifCZwU.exe

MD5 d85c39225f506efe40860130715aade4
SHA1 313e2aeaa3770b10ea495f95589ecd5f2d4e75a4
SHA256 8ef79355e880b5cb8544af85a2bf56859ea7e4e694515591630938df6af8c361
SHA512 7ecae822fc8c12228033119020a3907098de18e17979c5179d6cde78986403ab6f8268faeca0e6a06677e6656a8b99d5c88c2064b649c62b43af9f0dff89e29b

C:\Windows\system\OApGcMK.exe

MD5 90bd266d9ca5e597bb4c52e52d0cd9fc
SHA1 c6b6a6e301ed2201e0bd88eb447bb37f05ff66fd
SHA256 77d1125c980b7a1d0a548859636d8ce58ad2c2c358dd7a41f10672a2b94e84c7
SHA512 314991cbb9d1d0c00b3ae36877167ab9f7af6fb0e40ff7d8aeed122f6069eefc4c09bf6adfbc4901548037a281444531c265e889ac0676af31acc0cb6afd6968

memory/2588-37-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/2440-33-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2912-30-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/2440-14-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/2440-136-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/2420-137-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/1188-138-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/1280-139-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2440-140-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2672-141-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2440-142-0x000000013F960000-0x000000013FCB4000-memory.dmp

memory/2448-143-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2912-144-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/2588-145-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/2620-146-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2472-147-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2484-148-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2456-149-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/2356-150-0x000000013F020000-0x000000013F374000-memory.dmp

memory/2428-151-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2420-152-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/1188-153-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/1280-154-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2672-155-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/1452-156-0x000000013F960000-0x000000013FCB4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 17:46

Reported

2024-05-27 17:49

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\pHmTovq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hoibZht.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OACEDIS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jshZuNz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UbugkRm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qWtqFDe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MXNIrBa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QRTuytW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BvzBwUc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ImjuDzu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YcEHKJU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YuwWpJG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gSKSOVQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\amZaCWm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aZuYHoW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uaEzJfB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TtDXnQN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xFYDQPB.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ixQyWzp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JModeYO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\huVnOnA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UbugkRm.exe
PID 1948 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UbugkRm.exe
PID 1948 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\YuwWpJG.exe
PID 1948 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\YuwWpJG.exe
PID 1948 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\qWtqFDe.exe
PID 1948 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\qWtqFDe.exe
PID 1948 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\MXNIrBa.exe
PID 1948 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\MXNIrBa.exe
PID 1948 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gSKSOVQ.exe
PID 1948 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gSKSOVQ.exe
PID 1948 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\QRTuytW.exe
PID 1948 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\QRTuytW.exe
PID 1948 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\xFYDQPB.exe
PID 1948 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\xFYDQPB.exe
PID 1948 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ixQyWzp.exe
PID 1948 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ixQyWzp.exe
PID 1948 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\amZaCWm.exe
PID 1948 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\amZaCWm.exe
PID 1948 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\pHmTovq.exe
PID 1948 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\pHmTovq.exe
PID 1948 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\hoibZht.exe
PID 1948 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\hoibZht.exe
PID 1948 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\JModeYO.exe
PID 1948 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\JModeYO.exe
PID 1948 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\BvzBwUc.exe
PID 1948 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\BvzBwUc.exe
PID 1948 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ImjuDzu.exe
PID 1948 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ImjuDzu.exe
PID 1948 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\OACEDIS.exe
PID 1948 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\OACEDIS.exe
PID 1948 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\huVnOnA.exe
PID 1948 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\huVnOnA.exe
PID 1948 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\uaEzJfB.exe
PID 1948 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\uaEzJfB.exe
PID 1948 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\YcEHKJU.exe
PID 1948 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\YcEHKJU.exe
PID 1948 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\aZuYHoW.exe
PID 1948 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\aZuYHoW.exe
PID 1948 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jshZuNz.exe
PID 1948 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jshZuNz.exe
PID 1948 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TtDXnQN.exe
PID 1948 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TtDXnQN.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\UbugkRm.exe

C:\Windows\System\UbugkRm.exe

C:\Windows\System\YuwWpJG.exe

C:\Windows\System\YuwWpJG.exe

C:\Windows\System\qWtqFDe.exe

C:\Windows\System\qWtqFDe.exe

C:\Windows\System\MXNIrBa.exe

C:\Windows\System\MXNIrBa.exe

C:\Windows\System\gSKSOVQ.exe

C:\Windows\System\gSKSOVQ.exe

C:\Windows\System\QRTuytW.exe

C:\Windows\System\QRTuytW.exe

C:\Windows\System\xFYDQPB.exe

C:\Windows\System\xFYDQPB.exe

C:\Windows\System\ixQyWzp.exe

C:\Windows\System\ixQyWzp.exe

C:\Windows\System\amZaCWm.exe

C:\Windows\System\amZaCWm.exe

C:\Windows\System\pHmTovq.exe

C:\Windows\System\pHmTovq.exe

C:\Windows\System\hoibZht.exe

C:\Windows\System\hoibZht.exe

C:\Windows\System\JModeYO.exe

C:\Windows\System\JModeYO.exe

C:\Windows\System\BvzBwUc.exe

C:\Windows\System\BvzBwUc.exe

C:\Windows\System\ImjuDzu.exe

C:\Windows\System\ImjuDzu.exe

C:\Windows\System\OACEDIS.exe

C:\Windows\System\OACEDIS.exe

C:\Windows\System\huVnOnA.exe

C:\Windows\System\huVnOnA.exe

C:\Windows\System\uaEzJfB.exe

C:\Windows\System\uaEzJfB.exe

C:\Windows\System\YcEHKJU.exe

C:\Windows\System\YcEHKJU.exe

C:\Windows\System\aZuYHoW.exe

C:\Windows\System\aZuYHoW.exe

C:\Windows\System\jshZuNz.exe

C:\Windows\System\jshZuNz.exe

C:\Windows\System\TtDXnQN.exe

C:\Windows\System\TtDXnQN.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1948-0-0x00007FF6DE490000-0x00007FF6DE7E4000-memory.dmp

memory/1948-1-0x0000025892DC0000-0x0000025892DD0000-memory.dmp

C:\Windows\System\UbugkRm.exe

MD5 f61f4daebd054c93f45a34b7e536e3b2
SHA1 e8cbd2512d750217af9c0a27d58e3f1ad06a10ca
SHA256 13886a270d7c6f618014fc1b6f8a0e00077f0a24ad4b235d50d8f626e32ee0be
SHA512 f10ea7c14d241b9832da3b0de68b9cadbb1aabdf823a8108d13f679755c084194b1ee9f0175bda4a1ed74b4722b010c969640a3b3df7adf6bde117af0674619f

memory/4920-8-0x00007FF7CE470000-0x00007FF7CE7C4000-memory.dmp

C:\Windows\System\qWtqFDe.exe

MD5 85c5497de04831248e726938a53a19d1
SHA1 7e8ef731c0d08398035b2c6d9fc48d2accd03bf7
SHA256 d232c4175aaf69ad5e3f28966c71ad67e035684dfb4929a50ca26d4245f2c2f5
SHA512 1618edeb9a698a847080445ae0a8c388814a8d776a4569bccf34b228907bdbd2218f365b73a31448c0c1fa4f9cc35f4783410432e474820828244a1ed140c5cc

C:\Windows\System\YuwWpJG.exe

MD5 e4ce478b503cf783b05bd64f2d2f7f4d
SHA1 79b10d1aa8360a14b3534ec32d6aa7a2e767405b
SHA256 73b74fe59cc8cbf7c6bb99e86a72d51ec10f9cae76e67777b4d9e911bc77f582
SHA512 53ca42051feda10e6a7604171e74749f9a4aa895aaa30f0460cc355ba8f1d75ad705c5e10b011abd9b6c3589a235ef431157b20f37efb2a57896bcc0361e9150

memory/3372-15-0x00007FF66B150000-0x00007FF66B4A4000-memory.dmp

C:\Windows\System\MXNIrBa.exe

MD5 bba0da8100853b0cadf89b4f75a8c503
SHA1 a535d1fc4906d0f6f5bcba95295ce7fa4caa9e1b
SHA256 dcd60d045af229ce7c527052c6dd4e9989a9317261f91488e55aa3870bf69477
SHA512 200576a96ed9731c4a0f33049510526054671e9e8f331d8aac175fb3f4608d7089c974349fdc895594a21ba5558fcacddbd1b386ceab36341282bb1570c84038

memory/4020-19-0x00007FF7BD9D0000-0x00007FF7BDD24000-memory.dmp

memory/1676-29-0x00007FF72C810000-0x00007FF72CB64000-memory.dmp

C:\Windows\System\gSKSOVQ.exe

MD5 3946e974172c54348ee06d41380fec37
SHA1 7a534d3aab18a67bee96ad212188497675339e08
SHA256 b2ddc793941481fa4b8f2d8dc6d59b3fc8824d57b8b85ee68214b9073ebe9abf
SHA512 78278eb9f9117db29a1b09a241eee3635422f1ae5d495cc8fe5f254bd4ee3666cfe19b96aaad0119fcdbce896a20a814661f2cfe33d031894f99dea4cf639b5e

memory/1724-28-0x00007FF672A60000-0x00007FF672DB4000-memory.dmp

C:\Windows\System\QRTuytW.exe

MD5 6d58af3cb61a270cb1a151182282ed22
SHA1 56b47f888f10872d1237126bc4f694bb691cae79
SHA256 6af66b95603dbc3fcd3fe892a4df20b8d9bb0595bca93449c6faf033e9d76fde
SHA512 84da1769a4368d3ffd5e5cb23f3ac65f1d57e9fecdf73a4c30c22dbd8248c0f1f1dadad324eb93f7c7a4e12a6355f87ac175c163a7013fea90e1871b87b9a993

memory/448-38-0x00007FF7191A0000-0x00007FF7194F4000-memory.dmp

C:\Windows\System\xFYDQPB.exe

MD5 6f234a640267d836c5c0911c7205b5a3
SHA1 5dc0c48ab788bcfb53a0703979bedca4e317e8e8
SHA256 b00b83361ec8f9623a777499444ac49e62d955dc7b0c73aee2968c6d3cf43def
SHA512 14efc04f5853af25591700a0dcbc8ec1917ec1de4ce49df458c60464945d5d2bf4feef16a74c50ce0558176b56382fe3d12eff1ebcd28888eb7f0d3aacbb4c01

memory/3688-42-0x00007FF62B2D0000-0x00007FF62B624000-memory.dmp

C:\Windows\System\ixQyWzp.exe

MD5 e16699fb3526a0b9c85b9327c6bc4821
SHA1 9fdf7727167f45c08d2832d218be378dc03afa2e
SHA256 a4213efd66b2b43187e00601175b7c5fe19462223d378c0f750dce81528c280a
SHA512 513f79bb80968cc71c6a929d7ae6a7fc4c5cb1b1222c19f0df8fb65a2ec5fa1f593dbc84648130cbc4b4d964d9ce8a682610f79ca6819d32f6b67f9003d64d80

memory/1460-48-0x00007FF70A400000-0x00007FF70A754000-memory.dmp

C:\Windows\System\amZaCWm.exe

MD5 d6918215bdf2736dd94e695c9506fd89
SHA1 3d006686a0662136d87f45d622b961a62107cc8c
SHA256 bf924592e508396975860351d6c2c2d2263188980edf889ce3e0dcb8e0d531d6
SHA512 6bc3c07ac602a8513e89140b25000287fa895141704dc82a37009547d6200a2956870059aaa989dc4693ea13f243499c3927cc61f83a841dff9b71bcaa089725

memory/3116-58-0x00007FF715430000-0x00007FF715784000-memory.dmp

C:\Windows\System\pHmTovq.exe

MD5 d11e3815a815edd08e0c98c936f234d5
SHA1 5067e9bbc171c9d8ef03733450963fa54cbe6060
SHA256 ff92aa350f7a9e695cac7936f8b69fd4647e8658f4e4d5f82d539e420fff01dc
SHA512 70bad11e17ab96a8ed519ccfbea216fbadeefbc8c90ba9326729b22e627fb9c6f113ba90dd2768111d08a0cfae247a46d756340b3876952e6a73daceae84fdec

C:\Windows\System\hoibZht.exe

MD5 1921f1a7fcb84cc5affb7f916499b863
SHA1 9cea40aa1b322e2875498d765e3da4cb1fae0a31
SHA256 036012641e87b2e642b9cd92e317bbabcd7cebdac913d1a8d54ed751ac1e5d3b
SHA512 34df64ffcb931c800b2ddbe508eaf5cf6a6d01f1d55c084f403d0fc9906d1a0f99a077a350846214c3bc5d1e852572f5547d7be56b851dd4f3811f564f7a8eee

C:\Windows\System\BvzBwUc.exe

MD5 ab8535111834b686ac580d135a925193
SHA1 f60dcffe53d8c03ffb530bf09935b07e8efede7e
SHA256 02b4703bc115c963bbef3e57d2f79490664ff7a2f66dbf70aea4ebfad1a22647
SHA512 341e07766735ada3a290b7b91885fa2bd46392986ed163ca68009adb09a9bf9de7649d2bb32ff476086d7698c82f946d21b957e3dc28e892c0110c393cc2c4d0

memory/2600-81-0x00007FF6F54F0000-0x00007FF6F5844000-memory.dmp

C:\Windows\System\OACEDIS.exe

MD5 864917b5ff3f46dd4beb4868a966a2b8
SHA1 8aad7b855b81d494908e744365389044ae07acb1
SHA256 5a739eb0a14c00bada179527f4472abc8a207aa1c4b1b0b1fc5d816fdccb3a1c
SHA512 15c84fa37d369dcbb3b98cd6c3a84ae6cacd6c4cc41eef0def1e10d67dea67a5415aec50b648ddf5823deaf01a62bbb95d6b9ca99593bf1bcded6e0920f2e1f3

C:\Windows\System\huVnOnA.exe

MD5 ab432deb4ba114e460a69750a980acf2
SHA1 bf58a6cea329ef4ae8066d981028df9a72b8f963
SHA256 db4fcb8b1a1a8f0c4dde0b349112728a9725459febcfc559c5cc2191fcf3671c
SHA512 74dfcdfb1f0b54cd263bd3a53163a8837ff43e0401dbf874106d57705304751d73868c50900fa3f2d962e07b5f728ffc56ed3da5769ec01e598ec96eab1073fa

C:\Windows\System\YcEHKJU.exe

MD5 129f8a495c73edd351bba5089d2f3afd
SHA1 57446de12e822943ce2d2eb1dc11a8388812fdc2
SHA256 de803301db08b8766427d384d90464d18c95e871993e5b07343f29c8ba0d0801
SHA512 eb5d01432176630f7354ae147a50599ff9ee49f794e6cf0a161028009807152b50c7333895255274bafe2b0a7b5c4a68fcfcf4375ac21a4e2e27d63b216571f7

C:\Windows\System\uaEzJfB.exe

MD5 b1bab5c19c283ba3cdb8eb1677ee304a
SHA1 37899b8bcfac8bbe72980071812165393b39aba4
SHA256 659f2a0d881bdb242beaf682c0ddb6f36dfefc7c999b1d334c0ecca9a8d06ffa
SHA512 a2549d5227433fb61a2eb2f4b34a62d1b51c90cd4ba30645fcd4a0797a8510a6829f3b3c01ec77cc9f05727ce213160c3890676df096f483fdbea22cba4542aa

memory/4020-111-0x00007FF7BD9D0000-0x00007FF7BDD24000-memory.dmp

memory/5080-112-0x00007FF6E3E40000-0x00007FF6E4194000-memory.dmp

memory/3744-110-0x00007FF7FBFB0000-0x00007FF7FC304000-memory.dmp

memory/2320-103-0x00007FF786740000-0x00007FF786A94000-memory.dmp

memory/1692-100-0x00007FF7A1A60000-0x00007FF7A1DB4000-memory.dmp

C:\Windows\System\ImjuDzu.exe

MD5 39da6152117572cf24068341085269ae
SHA1 2c65aecb80f076cb9bb5a896f918ad824790aac7
SHA256 6562e7834fbd11502dc53903ccf4a63fada01eee0e834d7a91b8749f2bbd618e
SHA512 57a691b62338442ec08e683b2ef8da6fd25ebc93a8a70d32b08646ceb2db8821629e5d56114c7d3c633d8af22fa192e230df45b739792cec1bd0d6d569ed3623

memory/5024-94-0x00007FF677AB0000-0x00007FF677E04000-memory.dmp

memory/3372-93-0x00007FF66B150000-0x00007FF66B4A4000-memory.dmp

C:\Windows\System\JModeYO.exe

MD5 c61f845b1b89422dd6dc563f52b3a422
SHA1 e1813e32b3fcfd6e9e14d5ee7f68947b4a67c2de
SHA256 e5157659d5a1cf155ee341252b0da08795849c5111acfa4083918fd5e49f89e4
SHA512 781f3ade96e55a9d23cea2aba26e9a8bd3e24f76fd3ef935dd6cb41a7f1191d840512333ae1fb9101ea184427c029ca8409d1466f0ff47dccb5f869b83d6676b

memory/3216-76-0x00007FF780350000-0x00007FF7806A4000-memory.dmp

memory/3992-70-0x00007FF6179B0000-0x00007FF617D04000-memory.dmp

memory/1948-67-0x00007FF6DE490000-0x00007FF6DE7E4000-memory.dmp

memory/2676-64-0x00007FF7F97D0000-0x00007FF7F9B24000-memory.dmp

C:\Windows\System\aZuYHoW.exe

MD5 9a7fe9d5662a18f7fcc154b76b39c45f
SHA1 813af5677004d10a7f259bfdcfb0e1b0ddfab589
SHA256 30c7ff47aea130fa8bce34e74e60365f117ec828ea9d4dd9ff9213524ef7372a
SHA512 7dd8a4eb29e9a37003e704eb39958315da2a208e88293fc18acced30efb2a4cc67295564ebf0795f30daadafed78abaa0533e229f0b5f9beedcf1dccc7d9e2cf

C:\Windows\System\jshZuNz.exe

MD5 5fd3da96539d8186a78959c37185f007
SHA1 63900ef848052550555f473555a02f6bc7047767
SHA256 c077fedd51d13a8b6d7f57153271f82d6ac3d6c4a8e6bb83e952d109d48f39c1
SHA512 b48210dd55258602ca9547e7f39a90ebf9e6c9e9bce1aa989c4e6b528c13435259fd950d4f1a06b66cd417f7088ad9a832a4be50671f47162d5891cad3ef67ac

memory/1676-119-0x00007FF72C810000-0x00007FF72CB64000-memory.dmp

memory/2440-124-0x00007FF773C20000-0x00007FF773F74000-memory.dmp

C:\Windows\System\TtDXnQN.exe

MD5 86c5ec9f1cf0e225487e97247df78d7f
SHA1 96c9ee94263c3c582d5cf06bb9e09e71214ea564
SHA256 741516b914c5a4ea3ce70cf1b4938a9e8684870eb4f97209a9e7bdc470b843b1
SHA512 99e065c79da2878b22bde648199227b5037564ecf919ea01b694ba1251a0ccc5df8860bd21ee51814585cbafd0ceeed4850d5a6c259af05858c3b176c5a44b0c

memory/3688-131-0x00007FF62B2D0000-0x00007FF62B624000-memory.dmp

memory/2276-132-0x00007FF773580000-0x00007FF7738D4000-memory.dmp

memory/1216-127-0x00007FF629AC0000-0x00007FF629E14000-memory.dmp

memory/1460-133-0x00007FF70A400000-0x00007FF70A754000-memory.dmp

memory/3116-134-0x00007FF715430000-0x00007FF715784000-memory.dmp

memory/3992-135-0x00007FF6179B0000-0x00007FF617D04000-memory.dmp

memory/3216-136-0x00007FF780350000-0x00007FF7806A4000-memory.dmp

memory/2600-137-0x00007FF6F54F0000-0x00007FF6F5844000-memory.dmp

memory/1692-138-0x00007FF7A1A60000-0x00007FF7A1DB4000-memory.dmp

memory/5024-139-0x00007FF677AB0000-0x00007FF677E04000-memory.dmp

memory/2320-140-0x00007FF786740000-0x00007FF786A94000-memory.dmp

memory/3744-141-0x00007FF7FBFB0000-0x00007FF7FC304000-memory.dmp

memory/2440-142-0x00007FF773C20000-0x00007FF773F74000-memory.dmp

memory/4920-143-0x00007FF7CE470000-0x00007FF7CE7C4000-memory.dmp

memory/3372-144-0x00007FF66B150000-0x00007FF66B4A4000-memory.dmp

memory/1724-145-0x00007FF672A60000-0x00007FF672DB4000-memory.dmp

memory/4020-146-0x00007FF7BD9D0000-0x00007FF7BDD24000-memory.dmp

memory/1676-147-0x00007FF72C810000-0x00007FF72CB64000-memory.dmp

memory/448-148-0x00007FF7191A0000-0x00007FF7194F4000-memory.dmp

memory/3688-149-0x00007FF62B2D0000-0x00007FF62B624000-memory.dmp

memory/1460-150-0x00007FF70A400000-0x00007FF70A754000-memory.dmp

memory/3116-151-0x00007FF715430000-0x00007FF715784000-memory.dmp

memory/2676-152-0x00007FF7F97D0000-0x00007FF7F9B24000-memory.dmp

memory/3992-153-0x00007FF6179B0000-0x00007FF617D04000-memory.dmp

memory/3216-154-0x00007FF780350000-0x00007FF7806A4000-memory.dmp

memory/2600-155-0x00007FF6F54F0000-0x00007FF6F5844000-memory.dmp

memory/5024-156-0x00007FF677AB0000-0x00007FF677E04000-memory.dmp

memory/1692-157-0x00007FF7A1A60000-0x00007FF7A1DB4000-memory.dmp

memory/3744-159-0x00007FF7FBFB0000-0x00007FF7FC304000-memory.dmp

memory/5080-158-0x00007FF6E3E40000-0x00007FF6E4194000-memory.dmp

memory/2320-160-0x00007FF786740000-0x00007FF786A94000-memory.dmp

memory/1216-161-0x00007FF629AC0000-0x00007FF629E14000-memory.dmp

memory/2440-162-0x00007FF773C20000-0x00007FF773F74000-memory.dmp

memory/2276-163-0x00007FF773580000-0x00007FF7738D4000-memory.dmp