Malware Analysis Report

2025-03-15 08:11

Sample ID 240529-3e89dsdh4x
Target 2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike
SHA256 0a3bc85494ca8b965809a2f66e561e7408ee221018b84b35d3dcaacedbd68be8
Tags miner upx 0 xmrig cobaltstrike backdoor trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Cobaltstrike

XMRig Miner payload

xmrig

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike family

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 23:26

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 23:26

Reported

2024-05-29 23:29

Platform

win7-20240215-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ovUTmZI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wOKqZIa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mgzfuox.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SJOpNxI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xerWHfg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gWjGfra.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MaFkiLG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rqOzfbj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ROnOsuy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zMWeGFl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EEBdJPW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gXAAFkQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ybjboAA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CusqdIE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bLmJiAC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZbBxvEh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oNdNLbC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sUVdhGi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MnvECHm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vEQXKgX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xkkNkxz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\MnvECHm.exe
PID 2892 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\xerWHfg.exe
PID 2892 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\gWjGfra.exe
PID 2892 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\MaFkiLG.exe
PID 2892 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\rqOzfbj.exe
PID 2892 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ybjboAA.exe
PID 2892 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\CusqdIE.exe
PID 2892 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vEQXKgX.exe
PID 2892 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ovUTmZI.exe
PID 2892 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\wOKqZIa.exe
PID 2892 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\bLmJiAC.exe
PID 2892 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ROnOsuy.exe
PID 2892 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZbBxvEh.exe
PID 2892 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\oNdNLbC.exe
PID 2892 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zMWeGFl.exe
PID 2892 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\EEBdJPW.exe
PID 2892 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\mgzfuox.exe
PID 2892 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\gXAAFkQ.exe
PID 2892 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\xkkNkxz.exe
PID 2892 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\sUVdhGi.exe
PID 2892 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\SJOpNxI.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\MnvECHm.exe

C:\Windows\System\MnvECHm.exe

C:\Windows\System\xerWHfg.exe

C:\Windows\System\xerWHfg.exe

C:\Windows\System\gWjGfra.exe

C:\Windows\System\gWjGfra.exe

C:\Windows\System\MaFkiLG.exe

C:\Windows\System\MaFkiLG.exe

C:\Windows\System\rqOzfbj.exe

C:\Windows\System\rqOzfbj.exe

C:\Windows\System\ybjboAA.exe

C:\Windows\System\ybjboAA.exe

C:\Windows\System\CusqdIE.exe

C:\Windows\System\CusqdIE.exe

C:\Windows\System\vEQXKgX.exe

C:\Windows\System\vEQXKgX.exe

C:\Windows\System\ovUTmZI.exe

C:\Windows\System\ovUTmZI.exe

C:\Windows\System\wOKqZIa.exe

C:\Windows\System\wOKqZIa.exe

C:\Windows\System\bLmJiAC.exe

C:\Windows\System\bLmJiAC.exe

C:\Windows\System\ROnOsuy.exe

C:\Windows\System\ROnOsuy.exe

C:\Windows\System\ZbBxvEh.exe

C:\Windows\System\ZbBxvEh.exe

C:\Windows\System\oNdNLbC.exe

C:\Windows\System\oNdNLbC.exe

C:\Windows\System\zMWeGFl.exe

C:\Windows\System\zMWeGFl.exe

C:\Windows\System\EEBdJPW.exe

C:\Windows\System\EEBdJPW.exe

C:\Windows\System\mgzfuox.exe

C:\Windows\System\mgzfuox.exe

C:\Windows\System\gXAAFkQ.exe

C:\Windows\System\gXAAFkQ.exe

C:\Windows\System\xkkNkxz.exe

C:\Windows\System\xkkNkxz.exe

C:\Windows\System\sUVdhGi.exe

C:\Windows\System\sUVdhGi.exe

C:\Windows\System\SJOpNxI.exe

C:\Windows\System\SJOpNxI.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2892-39-0x0000000002420000-0x0000000002774000-memory.dmp

C:\Windows\system\rqOzfbj.exe

MD5 6fb6863d9548f3879b1ba1b64fc45a68
SHA1 0dc40616de903c417cc9a8b581f9078af09ea60a
SHA256 b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82
SHA512 cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61

C:\Windows\system\ybjboAA.exe

MD5 cad67df11de10e841e203c91e692e81c
SHA1 a7018035c433ab761acd007e23eb99ada1f91484
SHA256 d224c59143ab6189c54206c1602c082ca27086a4c144c35ad0bba074b6f11953
SHA512 1bec1c18ccd50a55cc220bb8e3675cbf53ae0e130f85ba378a037fd5de78eb34a992a1cdf05efb3be04a0a1b7450502169cb0ea5046dc3525e4ac5e15d2093da

memory/2892-10-0x000000013F850000-0x000000013FBA4000-memory.dmp

\Windows\system\xerWHfg.exe

MD5 584f538448805d7d8e211736c57faa1f
SHA1 e3e051d7613ae3908cccc821ce6e01ee8c347fe4
SHA256 2505a1b68515a87c08ed6737d0fd964b386075f10176c9c5759f2d38f3b6bdfe
SHA512 e04156cb73aaf63d50d81ef1386535f30c70441afd69551ed46240467e9a379f5664c620813e7ec629fd886f4fe40ad8efab85d457709ce78dfb4abe5ec6b850

memory/2892-135-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2892-136-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2892-138-0x0000000002420000-0x0000000002774000-memory.dmp

memory/2892-137-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2440-139-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2892-140-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/2228-141-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2496-142-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2800-144-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/2424-147-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2188-148-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2876-150-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2284-149-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/2440-152-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/1268-151-0x000000013FFE0000-0x0000000140334000-memory.dmp

memory/2972-146-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2592-145-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2672-143-0x000000013F2B0000-0x000000013F604000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 23:26

Reported

2024-05-29 23:29

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\vjFkrQb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zigLJvA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vyBYAVJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yCmXvdn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JhadslG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\stxpLVz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rfYeOYz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZxdvWfr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MZdzPJy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VluBlJJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vpVXzph.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ciYoQAv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fNgImyp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AqmycWP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gtbnxVY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nnKpnRW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VkUCxjP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\msDVnrG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\liTGOww.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uiqXsyX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NLXqmxt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3696 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\VkUCxjP.exe
PID 3696 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\VkUCxjP.exe
PID 3696 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\rfYeOYz.exe
PID 3696 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\rfYeOYz.exe
PID 3696 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZxdvWfr.exe
PID 3696 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZxdvWfr.exe
PID 3696 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\uiqXsyX.exe
PID 3696 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\uiqXsyX.exe
PID 3696 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vjFkrQb.exe
PID 3696 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vjFkrQb.exe
PID 3696 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\NLXqmxt.exe
PID 3696 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\NLXqmxt.exe
PID 3696 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\gtbnxVY.exe
PID 3696 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\gtbnxVY.exe
PID 3696 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zigLJvA.exe
PID 3696 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zigLJvA.exe
PID 3696 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\msDVnrG.exe
PID 3696 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\msDVnrG.exe
PID 3696 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vyBYAVJ.exe
PID 3696 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vyBYAVJ.exe
PID 3696 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\yCmXvdn.exe
PID 3696 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\yCmXvdn.exe
PID 3696 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\JhadslG.exe
PID 3696 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\JhadslG.exe
PID 3696 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\stxpLVz.exe
PID 3696 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\stxpLVz.exe
PID 3696 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\VluBlJJ.exe
PID 3696 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\VluBlJJ.exe
PID 3696 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vpVXzph.exe
PID 3696 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vpVXzph.exe
PID 3696 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\nnKpnRW.exe
PID 3696 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\nnKpnRW.exe
PID 3696 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ciYoQAv.exe
PID 3696 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ciYoQAv.exe
PID 3696 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\fNgImyp.exe
PID 3696 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\fNgImyp.exe
PID 3696 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\MZdzPJy.exe
PID 3696 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\MZdzPJy.exe
PID 3696 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\liTGOww.exe
PID 3696 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\liTGOww.exe
PID 3696 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\AqmycWP.exe
PID 3696 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe C:\Windows\System\AqmycWP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\VkUCxjP.exe

C:\Windows\System\VkUCxjP.exe

C:\Windows\System\rfYeOYz.exe

C:\Windows\System\rfYeOYz.exe

C:\Windows\System\ZxdvWfr.exe

C:\Windows\System\ZxdvWfr.exe

C:\Windows\System\uiqXsyX.exe

C:\Windows\System\uiqXsyX.exe

C:\Windows\System\vjFkrQb.exe

C:\Windows\System\vjFkrQb.exe

C:\Windows\System\NLXqmxt.exe

C:\Windows\System\NLXqmxt.exe

C:\Windows\System\gtbnxVY.exe

C:\Windows\System\gtbnxVY.exe

C:\Windows\System\zigLJvA.exe

C:\Windows\System\zigLJvA.exe

C:\Windows\System\msDVnrG.exe

C:\Windows\System\msDVnrG.exe

C:\Windows\System\vyBYAVJ.exe

C:\Windows\System\vyBYAVJ.exe

C:\Windows\System\yCmXvdn.exe

C:\Windows\System\yCmXvdn.exe

C:\Windows\System\JhadslG.exe

C:\Windows\System\JhadslG.exe

C:\Windows\System\stxpLVz.exe

C:\Windows\System\stxpLVz.exe

C:\Windows\System\VluBlJJ.exe

C:\Windows\System\VluBlJJ.exe

C:\Windows\System\vpVXzph.exe

C:\Windows\System\vpVXzph.exe

C:\Windows\System\nnKpnRW.exe

C:\Windows\System\nnKpnRW.exe

C:\Windows\System\ciYoQAv.exe

C:\Windows\System\ciYoQAv.exe

C:\Windows\System\fNgImyp.exe

C:\Windows\System\fNgImyp.exe

C:\Windows\System\MZdzPJy.exe

C:\Windows\System\MZdzPJy.exe

C:\Windows\System\liTGOww.exe

C:\Windows\System\liTGOww.exe

C:\Windows\System\AqmycWP.exe

C:\Windows\System\AqmycWP.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files
