Malware Analysis Report

2025-03-15 08:11

Sample ID 240530-a8c4tsgc7y
Target 2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike
SHA256 a7625ebd01d317d216eba5b87eb178ee2e94c08a1594cc40be5a0fb5597f2e83
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a7625ebd01d317d216eba5b87eb178ee2e94c08a1594cc40be5a0fb5597f2e83

Threat Level: Known bad

The file 2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

xmrig

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

Xmrig family

Cobaltstrike family

XMRig Miner payload

Cobaltstrike

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 00:52

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 00:52

Reported

2024-05-30 00:55

Platform

win7-20240221-en

Max time kernel

141s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\eIgIeqr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FwCZxnW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YmElaBj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JrwAXZK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kvwKOPp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LXvtWBy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Oqkuxnp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HrQlkgf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KUEJvSd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SCjNjKE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mYFtgUU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nrdjtVv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lvFMeZb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CDtWcXU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XRFbbOo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\abgqlfr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TPKfjhI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kgWnGYX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SAMFYhF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XmaUpGE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yDhrhiz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2952 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\TPKfjhI.exe
PID 2952 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\TPKfjhI.exe
PID 2952 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\TPKfjhI.exe
PID 2952 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\Oqkuxnp.exe
PID 2952 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\Oqkuxnp.exe
PID 2952 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\Oqkuxnp.exe
PID 2952 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\kgWnGYX.exe
PID 2952 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\kgWnGYX.exe
PID 2952 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\kgWnGYX.exe
PID 2952 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\HrQlkgf.exe
PID 2952 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\HrQlkgf.exe
PID 2952 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\HrQlkgf.exe
PID 2952 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\KUEJvSd.exe
PID 2952 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\KUEJvSd.exe
PID 2952 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\KUEJvSd.exe
PID 2952 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\SAMFYhF.exe
PID 2952 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\SAMFYhF.exe
PID 2952 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\SAMFYhF.exe
PID 2952 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\eIgIeqr.exe
PID 2952 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\eIgIeqr.exe
PID 2952 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\eIgIeqr.exe
PID 2952 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmaUpGE.exe
PID 2952 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmaUpGE.exe
PID 2952 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmaUpGE.exe
PID 2952 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\SCjNjKE.exe
PID 2952 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\SCjNjKE.exe
PID 2952 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\SCjNjKE.exe
PID 2952 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\nrdjtVv.exe
PID 2952 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\nrdjtVv.exe
PID 2952 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\nrdjtVv.exe
PID 2952 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\lvFMeZb.exe
PID 2952 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\lvFMeZb.exe
PID 2952 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\lvFMeZb.exe
PID 2952 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\CDtWcXU.exe
PID 2952 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\CDtWcXU.exe
PID 2952 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\CDtWcXU.exe
PID 2952 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\FwCZxnW.exe
PID 2952 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\FwCZxnW.exe
PID 2952 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\FwCZxnW.exe
PID 2952 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\YmElaBj.exe
PID 2952 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\YmElaBj.exe
PID 2952 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\YmElaBj.exe
PID 2952 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\yDhrhiz.exe
PID 2952 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\yDhrhiz.exe
PID 2952 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\yDhrhiz.exe
PID 2952 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\mYFtgUU.exe
PID 2952 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\mYFtgUU.exe
PID 2952 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\mYFtgUU.exe
PID 2952 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\XRFbbOo.exe
PID 2952 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\XRFbbOo.exe
PID 2952 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\XRFbbOo.exe
PID 2952 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JrwAXZK.exe
PID 2952 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JrwAXZK.exe
PID 2952 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JrwAXZK.exe
PID 2952 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\abgqlfr.exe
PID 2952 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\abgqlfr.exe
PID 2952 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\abgqlfr.exe
PID 2952 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\kvwKOPp.exe
PID 2952 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\kvwKOPp.exe
PID 2952 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\kvwKOPp.exe
PID 2952 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\LXvtWBy.exe
PID 2952 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\LXvtWBy.exe
PID 2952 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe C:\Windows\System\LXvtWBy.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\TPKfjhI.exe

C:\Windows\System\TPKfjhI.exe

C:\Windows\System\Oqkuxnp.exe

C:\Windows\System\Oqkuxnp.exe

C:\Windows\System\kgWnGYX.exe

C:\Windows\System\kgWnGYX.exe

C:\Windows\System\HrQlkgf.exe

C:\Windows\System\HrQlkgf.exe

C:\Windows\System\KUEJvSd.exe

C:\Windows\System\KUEJvSd.exe

C:\Windows\System\SAMFYhF.exe

C:\Windows\System\SAMFYhF.exe

C:\Windows\System\eIgIeqr.exe

C:\Windows\System\eIgIeqr.exe

C:\Windows\System\XmaUpGE.exe

C:\Windows\System\XmaUpGE.exe

C:\Windows\System\SCjNjKE.exe

C:\Windows\System\SCjNjKE.exe

C:\Windows\System\nrdjtVv.exe

C:\Windows\System\nrdjtVv.exe

C:\Windows\System\lvFMeZb.exe

C:\Windows\System\lvFMeZb.exe

C:\Windows\System\CDtWcXU.exe

C:\Windows\System\CDtWcXU.exe

C:\Windows\System\FwCZxnW.exe

C:\Windows\System\FwCZxnW.exe

C:\Windows\System\YmElaBj.exe

C:\Windows\System\YmElaBj.exe

C:\Windows\System\yDhrhiz.exe

C:\Windows\System\yDhrhiz.exe

C:\Windows\System\mYFtgUU.exe

C:\Windows\System\mYFtgUU.exe

C:\Windows\System\XRFbbOo.exe

C:\Windows\System\XRFbbOo.exe

C:\Windows\System\JrwAXZK.exe

C:\Windows\System\JrwAXZK.exe

C:\Windows\System\abgqlfr.exe

C:\Windows\System\abgqlfr.exe

C:\Windows\System\kvwKOPp.exe

C:\Windows\System\kvwKOPp.exe

C:\Windows\System\LXvtWBy.exe

C:\Windows\System\LXvtWBy.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2952-0-0x000000013F110000-0x000000013F461000-memory.dmp

memory/2952-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\TPKfjhI.exe

MD5 f36b3302b81d2152648e702ad9325ecc
SHA1 174e88dabb03b6b3207d1c7778f058ab8312635e
SHA256 04d67d77efb16f1f639e4c344559a6f1500ea573e00ba92007363097ac5b8948
SHA512 15e7b100cac4ae5be600993018f9b967bf5b26282e2ee294028cf546f1a926c44e0383a31d5ae3b48acf8ee062965dca936895e9c6f9e5ff68150e66cf24d0ff

C:\Windows\system\TPKfjhI.exe

MD5 a927e766ce0dd88b8afa022d7aaab378
SHA1 422287f8a834644e1848d54f2bf2947cb4d9c611
SHA256 81e0932dbf7d0f4e5ae2a26abdde6c855e4888a48395a5365d915a2c028faba5
SHA512 1a5afcf433c3816618fd8297bfb37e0bc1b4e3be23e1e6dc3013e5c60bbdb78a00fe2f7e08abcbf58f9eebc2f68922438d301e367329a99bc5093689ed541864

memory/2952-8-0x000000013FFC0000-0x0000000140311000-memory.dmp

C:\Windows\system\Oqkuxnp.exe

MD5 7754132381e07a385a002dbbeb9dee0c
SHA1 9955b7072502b3d89101be3a732d5a85945f3ea8
SHA256 88f6c1eda4756a51b9ddd77ca22f9c5d9a7bb654762436621691287a245d3d3e
SHA512 29d68f6cc518163fcbf52b6da736e73b235366b1096bfe0074c6435080b8930dd34903f21b6a407b20ea2927c0287be4edb5686b1c5fd269cd0d3466a1c5a1c8

C:\Windows\system\kgWnGYX.exe

MD5 91df922314a4caab432bba0c590ca3c0
SHA1 b91e20ca4d9be7c8e6fd75ac2830eb878c22eb76
SHA256 0cf813b51717aab8d4bf85c804cd17451a9e8a3cc11f9cb8db55a7f62fc7b809
SHA512 41834d81c15003ab88fdc17f65dd4d58bf778aa7f748c1778b8b4cf1f00ba4e25cbf41434779e3783c6b2862972c82761d5a6dbf80e22770db840e6a09a40184

\Windows\system\HrQlkgf.exe

MD5 c158417a6b8f8e60f963da0a669fb73d
SHA1 fbee5db6397d3fbb8d1b7b963ba67086c38e538d
SHA256 92e01e0f98627daa1565c842cdc4bc694df62de483e6abb31a64a3e722593027
SHA512 7e1e3c36d96e82def3470c40cdd109dd873395a9477215571324649d5c6ccd61e2fb8acea5f9f56ad4dd4e37b8ca22bbd3b4fe85f02c9a5b920134a2e2db3c76

C:\Windows\system\kgWnGYX.exe

MD5 0eeff42903c14c2247189ea7a774d687
SHA1 7e0ea0bdfcc151021c75c1108e934342b605846b
SHA256 bb823b109c3fd202f70fc62155af45ef4186e0c757ed0cb8da1df53c92fcdb73
SHA512 e723d232f83176b67b80263d7ecae4fda24b6fe7dc5a72e0959e68db588a629e4e927b1dc64edfd8095967e592caaf0b239fa916b26e0632b33c5c047e690c49

C:\Windows\system\SAMFYhF.exe

MD5 6c2e3b26858a7441169e9035ff1be4a2
SHA1 34433bac98b048c39484729ff9203ec06f3933d7
SHA256 36ba98fada74e84acdc8e5001c9fb8b1af8fb5e404660f31fd4406b744af3c17
SHA512 74818455772b8287af008671749b4cdfc8ef21fc81c889d31e3435ccecc96c7f2001655b743f18b70a94b99c864dfc9fcbb5a9d02f28c2ceba327b59c1a3efb3

memory/1300-30-0x000000013F5E0000-0x000000013F931000-memory.dmp

C:\Windows\system\HrQlkgf.exe

MD5 4a2baacbaa621a0245869c1e83a330c0
SHA1 f407db0e6d9bff0c7cbc3e3257a2820fc68962ee
SHA256 61fa97c0c980f7e9efd4a22f4af73e9966d4c9b55ddce44e7897df47f6ef9a83
SHA512 905b8a5a26e4bb8135396cd7ba7250b86d9db96dc8aca0d2b340ca0b3ebb11f2337e6d7456913513de6838904317ee1a536303487ab018f294fc6c7f20fafd36

C:\Windows\system\eIgIeqr.exe

MD5 9c7b82e7cf3f776819bf027b168bc3e3
SHA1 473f79e7c7966633fe68ecee77b1d4973d6575da
SHA256 5d7bd1b8a49c2c358905cf6e420c49378244e547fc18a80e1f79f64e93ee7a18
SHA512 f653e50625c9028e1695c3596e95364c164dd57804812b2d262616d80948f9fadd3df40fd49d331e95950492d86dfba8b914aef77222cf164697d0f820504794

memory/2952-49-0x000000013F5E0000-0x000000013F931000-memory.dmp

C:\Windows\system\XmaUpGE.exe

MD5 88fb2332b2960a2b1dae6d0fb26e6df4
SHA1 6f4ba29487fa566d094a7974f9bc03d8b01fa9e2
SHA256 ff21ec406122a242992d655c94b22ecb787639b804891f10fa9c1c01f153e15a
SHA512 16ca644f750ab98cca3b073e75396757b04a4ed1a8234a5def1e7f02462a5653460329ab58141c427205b80668b183e4a1c718e1db4ffe2b0d33713fc46623df

memory/2520-57-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

C:\Windows\system\nrdjtVv.exe

MD5 6a5a8059ed60bcf5a89f323cd200a115
SHA1 ad558fa2a3c479a6365a7dfe9d0a15b8c77970f0
SHA256 ab5744d8ceceff736fc3725048e62b7f1c9839abd49db2d01c882ca62b27f771
SHA512 b7382def3b644e02957fa024a3db1f30b10f97ad03cf944d39bf8eabbd02caa9face50b204e9c6a15048daea304e0f7b7a10777a4aeb9f8067778ae386984ac6

memory/2912-78-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/2932-83-0x000000013F740000-0x000000013FA91000-memory.dmp

memory/2420-92-0x000000013F110000-0x000000013F461000-memory.dmp

memory/2952-98-0x000000013F110000-0x000000013F461000-memory.dmp

C:\Windows\system\yDhrhiz.exe

MD5 e079a532debf2aa09ed43399f7482a78
SHA1 d64d769e3852c50693e4939ff3c40188d985ada3
SHA256 f0e2e71cee385e456cf0a137190ff1c1a4b29ed7cc4b5c514e44a5a394624d11
SHA512 8aba5fe4a36db99c5343691e54a7723b5626c7b4bf43886827b3df3f80c7dcb9e6bc850e27458fb5b242f7a701bccc0b53ebc5b21d12d38ba652c2283e9e3d7e

memory/1300-105-0x000000013F5E0000-0x000000013F931000-memory.dmp

C:\Windows\system\mYFtgUU.exe

MD5 35dc97925499d03367fbc14e4ef4637b
SHA1 d85703eca99f6ae8fb53acf290bc99cd541e029a
SHA256 0017ee913bf62b45749c29c336f20bc56e7700247933dd049403650aba74e34f
SHA512 54a772af54e00f8585d89e796133ae1fa191554bfacce30dd56d3da9402f70c0efcffb40d8eb91b3d3e1380ce5251934cf059d6ae51bb8a8be04d1cf8c1ca8a7

\Windows\system\kvwKOPp.exe

MD5 45ed70d0b7d4a61dd9ab7ea126749d24
SHA1 dd6ceff6a82643367652b586600c6977da94167a
SHA256 0a68780183fda4e42a9adc43162a22b3430f28bf502bc3d28178b95be3406c52
SHA512 ea44ec071da4dcb9da5b9e6352af0bd3e4626e8ca50b8021dd9dbc8c041c47f08d458d01d8bc5c46479b016f2e60ca92385b67030e5442a4d91124ee92491f20

C:\Windows\system\LXvtWBy.exe

MD5 dedc487574b40e0af842939fd32fae9e
SHA1 17c2f600cc70444fa42c7ae6e3b14d7a2220e40f
SHA256 280999b2d18879c822facc6ca39699b693d1490b093408217f108ef16e5f58c1
SHA512 b0e32c6de4661de265f558875a5fdca64f1529a0745ddc22795fd7e269a31aed490f3e4a6e36ab2f6347254ec4a005a4d5ab2941df32eebd5514d8c9540b99ea

C:\Windows\system\kvwKOPp.exe

MD5 9cc3b8c96655ff70e0bab32927095145
SHA1 d44bc1271168e8cd48fd0247350522ff19ba10d0
SHA256 74c79613da11d512073bb65225893b278d9bbcf417b1b76e01905a61f9de45b8
SHA512 3756c7f8b567842b22282115ffeb29b7b5301154331afcc7c93aa3748cf12a4eed1e40a794dc937299e81a9b4917e38dcff4fdc3d6936bb4c744cf7d417c4d15

C:\Windows\system\abgqlfr.exe

MD5 1fca5c4c86e3159344efa30af95d388f
SHA1 5bbb3a754fa1af9c202fc58ddb46db247df44d98
SHA256 38401ad31139ce7dcf623e1a64908301b960e16c6bd42ee14491a5f8f70199a5
SHA512 3ad928fd77b8823136e5ba09c2b9a9d3b1d5c97ebf8d79eafa8999f4a71faf7746d3d342cbb1c107807506c8d5306ac4dbdd593ba2658294b373450edf8cddf6

C:\Windows\system\XRFbbOo.exe

MD5 0c6727dce3173dbb9f04e51991283efd
SHA1 3c84a503a609aa8ad90c36338d779aa6cad21f95
SHA256 cc831b6f8dc54e9582675f8a67b8efd8115a422ce04e9f8ac3a38f4510668cc7
SHA512 42ff04eb66fba229634d86440056e22c3f745e40bc8fa5e7f45cc7a9d01489cb447af568772a14da2d6b56929d68ba5534c1c885bee653e3ba3444b1cb5be03b

\Windows\system\mYFtgUU.exe

MD5 35d4b9b40e9b95b4a75dec06c4c6f979
SHA1 0b088ae4df4f56a63f25ba22b7e936e89c483dcb
SHA256 a2e35e125d8ab4763501772c6c07ab280e15f436019dc190dfa4cb55de62bc7e
SHA512 56c93fd59bffe6df5a120e950c179eec9dfb3eaf7c3f2e9804dbd4886aee0b0f3a2ad0227feedbd311243dfffa198f082d84fd5e6761249fd05b31e51ba2784b

\Windows\system\yDhrhiz.exe

MD5 0af3e36956df6549470e3ff9e1f46248
SHA1 b7c2a347a49c58d4223a4286a6b289d55c0e1230
SHA256 de6283192da89a26e9e9d707cb3c816eaa62df7fecf1922d21e6ab2e9c704f7d
SHA512 f6cbf74932b12c03901853f32cf1fb61f6e22feefcce2a97d48de63740fb58427602cef187e780bac418175b1bf620a28c6a169c5c08710f72ed2377d0caebb0

memory/2608-99-0x000000013FB50000-0x000000013FEA1000-memory.dmp

C:\Windows\system\YmElaBj.exe

MD5 8903a1e10bf1e21f164087c2b76007c3
SHA1 f0d81e1e4a4a630af7fc5007efb7fd2c392fe9a9
SHA256 74846cee843c6df624fd78a7fb7a5650beecf0ccb9299e25f3d4b665292527b3
SHA512 7ff4f487634d8f2169ee482262185e3b5a40aeb958c90d2eda518a0a4c917472bef135a1a36e0eb6771a70466e3f3ba0a485ad4525320c6bd3afc8acee9ed6d4

memory/2952-91-0x00000000022F0000-0x0000000002641000-memory.dmp

C:\Windows\system\FwCZxnW.exe

MD5 2c90cc0356f4566b008b342a9d566c17
SHA1 ebf9e9b28bb53ae069d716b5004df2309be38233
SHA256 65b8cc921e5beac8acb4c4978327db0a6410ebad1d4888e3af51dc309ddedc42
SHA512 4fc7b7f1cb308d635ae4f13da8749a4c3c49a3b33d7e00a30e678474258cb99d7d9e999972a39ce6a2df658ac2794e34b52570c8027cd8cc67d2e552eb9f0d90

memory/2952-82-0x000000013F740000-0x000000013FA91000-memory.dmp

C:\Windows\system\CDtWcXU.exe

MD5 c0cad8066bfa2e4be9076791dd91901e
SHA1 12d4c53998fdfa9a7945677b374b1c4664af3b01
SHA256 04868786f99256321a293db359efd29669e2c2ec89e724ab994fa6b2e5a22615
SHA512 dc282c9b4dd583a9cdc38eb848678d919e55a8038a424b840fdcfae791875e324ece3708fb042c29a03bc7dcd70f171a93ab187af0cac34142278936bd5c981a

\Windows\system\lvFMeZb.exe

MD5 584e10dc2cf96c43d3adc98aa3d1ed73
SHA1 58e190f90e69964364e855ef8038da4e73480054
SHA256 772b82101e0bd427190380143eeed46370c4f18e67c36539564a38365843734d
SHA512 30c530bee1b36aaf887310517b6603989b9a28aa583ecee277de0ed5a8e76396fcb47f5302e2d02f3e2e83b20b2e0a7d8a14354ea1b163fa16242c83d634a01c

memory/2452-72-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/2952-71-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/2480-64-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2952-63-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/2952-56-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

C:\Windows\system\SCjNjKE.exe

MD5 36b836ea8337aef77e243fa159a41fef
SHA1 07a448a038a038af63be11708bf232543ec3999b
SHA256 47f8a0c149ff749f89e39eaba027364392567815bc24b02ecad30c5704e03e02
SHA512 3c4d52a15e730154eb80ceb30abe9bc12cbe0b2d9c671780124fa7563f9c362785614c400ef1024f2b4ff4948a32f9c8873705b711a4f897973f16751791b592

memory/2952-51-0x000000013FAB0000-0x000000013FE01000-memory.dmp

memory/2112-50-0x000000013F1E0000-0x000000013F531000-memory.dmp

memory/2564-48-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/2952-47-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/2584-46-0x000000013FAB0000-0x000000013FE01000-memory.dmp

memory/2988-45-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/2952-44-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/2952-43-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/1160-42-0x000000013F250000-0x000000013F5A1000-memory.dmp

memory/2952-40-0x00000000022F0000-0x0000000002641000-memory.dmp

C:\Windows\system\KUEJvSd.exe

MD5 8e5fe42f4b98bb66edf3a502dd76cdf0
SHA1 1994dbd83dcb816550dd2b3ee26e290acda558d8
SHA256 59e58a42a72c67195799b037cbd01127992229e15894c1f864a5a650573ec1ae
SHA512 3dcf870aa95b77b85a646e7fc1aacb12ff7d9749c6e51b4a1476a8d56d0f8db309b53b07cb2197d0f75914534250e47ddc3911be5a599de815a6f87054678664

memory/1684-24-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/2520-135-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2952-136-0x000000013F110000-0x000000013F461000-memory.dmp

memory/2480-152-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2952-151-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/2932-148-0x000000013F740000-0x000000013FA91000-memory.dmp

memory/600-159-0x000000013F440000-0x000000013F791000-memory.dmp

memory/1664-158-0x000000013FFD0000-0x0000000140321000-memory.dmp

memory/792-156-0x000000013FA40000-0x000000013FD91000-memory.dmp

memory/1980-155-0x000000013F150000-0x000000013F4A1000-memory.dmp

memory/1280-154-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/2320-157-0x000000013FDB0000-0x0000000140101000-memory.dmp

memory/1960-153-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/2952-160-0x000000013F110000-0x000000013F461000-memory.dmp

memory/2952-182-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/1684-206-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/1160-208-0x000000013F250000-0x000000013F5A1000-memory.dmp

memory/2988-212-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/1300-214-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2112-211-0x000000013F1E0000-0x000000013F531000-memory.dmp

memory/2564-216-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/2520-219-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2584-220-0x000000013FAB0000-0x000000013FE01000-memory.dmp

memory/2480-222-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2452-224-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/2912-226-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/2932-228-0x000000013F740000-0x000000013FA91000-memory.dmp

memory/2420-230-0x000000013F110000-0x000000013F461000-memory.dmp

memory/2608-232-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 00:52

Reported

2024-05-30 00:55

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 rows in the original table, every field N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 rows in the original table, every field N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 rows in the original table, every field N/A)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (46 rows in the original table, every field N/A)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 rows in the original table, every field N/A)

Drops file in Windows directory

Description Indicator Process Target
All 21 rows share the description "File created", the same creating process (C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe) and N/A for Indicator and Target. The files created, in report order:
C:\Windows\System\iZdCzXm.exe
C:\Windows\System\gtdlWYt.exe
C:\Windows\System\UmbkPcG.exe
C:\Windows\System\ArJPggF.exe
C:\Windows\System\xjSpdwb.exe
C:\Windows\System\vwmFoDX.exe
C:\Windows\System\TXFSXqb.exe
C:\Windows\System\hzCEFHQ.exe
C:\Windows\System\XRCQWMP.exe
C:\Windows\System\oaLKwjT.exe
C:\Windows\System\WreKtzA.exe
C:\Windows\System\avBERzY.exe
C:\Windows\System\VRrtmPS.exe
C:\Windows\System\quLYmIZ.exe
C:\Windows\System\zSmzCaY.exe
C:\Windows\System\HPllRMW.exe
C:\Windows\System\CdpEHxL.exe
C:\Windows\System\AneoCLu.exe
C:\Windows\System\DETlRtQ.exe
C:\Windows\System\HnbIgyQ.exe
C:\Windows\System\LIgDkyI.exe
Every name is seven mixed-case letters directly under C:\Windows\System. That pattern, together with the creating process running from the user's Temp directory, is what a detection should key on; the individual filenames change from run to run.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe N/A
SeLockMemoryPrivilege is the "Lock pages in memory" right, and it is the privilege XMRig enables so it can back its RandomX dataset with large pages. Few legitimate programs request it (database engines are the usual case), so a process outside that set adjusting its token for this privilege is a strong miner indicator and is consistent with the xmrig tag on this sample.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
In every row the Indicator is N/A and the writing process is C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe (PID 1732). Each target appears in two consecutive rows, i.e. two writes per child:
PID 1732 wrote to memory of 4932 (2 rows) Target C:\Windows\System\WreKtzA.exe
PID 1732 wrote to memory of 3692 (2 rows) Target C:\Windows\System\iZdCzXm.exe
PID 1732 wrote to memory of 3728 (2 rows) Target C:\Windows\System\TXFSXqb.exe
PID 1732 wrote to memory of 4416 (2 rows) Target C:\Windows\System\hzCEFHQ.exe
PID 1732 wrote to memory of 4700 (2 rows) Target C:\Windows\System\avBERzY.exe
PID 1732 wrote to memory of 3432 (2 rows) Target C:\Windows\System\VRrtmPS.exe
PID 1732 wrote to memory of 2740 (2 rows) Target C:\Windows\System\gtdlWYt.exe
PID 1732 wrote to memory of 1388 (2 rows) Target C:\Windows\System\quLYmIZ.exe
PID 1732 wrote to memory of 1256 (2 rows) Target C:\Windows\System\UmbkPcG.exe
PID 1732 wrote to memory of 4128 (2 rows) Target C:\Windows\System\zSmzCaY.exe
PID 1732 wrote to memory of 4100 (2 rows) Target C:\Windows\System\HPllRMW.exe
PID 1732 wrote to memory of 5104 (2 rows) Target C:\Windows\System\CdpEHxL.exe
PID 1732 wrote to memory of 4104 (2 rows) Target C:\Windows\System\DETlRtQ.exe
PID 1732 wrote to memory of 4452 (2 rows) Target C:\Windows\System\ArJPggF.exe
PID 1732 wrote to memory of 5064 (2 rows) Target C:\Windows\System\xjSpdwb.exe
PID 1732 wrote to memory of 3900 (2 rows) Target C:\Windows\System\vwmFoDX.exe
PID 1732 wrote to memory of 4628 (2 rows) Target C:\Windows\System\oaLKwjT.exe
PID 1732 wrote to memory of 2488 (2 rows) Target C:\Windows\System\HnbIgyQ.exe
PID 1732 wrote to memory of 944 (2 rows) Target C:\Windows\System\LIgDkyI.exe
PID 1732 wrote to memory of 4428 (2 rows) Target C:\Windows\System\AneoCLu.exe
PID 1732 wrote to memory of 4520 (2 rows) Target C:\Windows\System\XRCQWMP.exe
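The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables above describe one dropper chain: a process in the user's Temp directory writes many seven-letter EXEs into C:\Windows\System and then launches them. The Python below is an added example, not part of this report or of any sandbox's code. It runs that check over a few constructed Sysmon-style events whose PIDs and paths are copied from the tables, plus one benign installer as a control. The field names (EventID, ProcessId, ParentProcessId, Image, TargetFilename, ParentImage) follow Sysmon's; the min_drops threshold and the seven-letter filename pattern are assumptions drawn from this run.

```python
import re
from collections import defaultdict

# Patterns taken from this report: every dropped file is C:\Windows\System\<7 letters>.exe
# and the dropper itself runs from the user's %TEMP%. Both are assumptions for this sample.
RANDOM_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe"

# Constructed Sysmon-style events (EventID 11 = FileCreate, EventID 1 = ProcessCreate).
# PIDs and paths are copied from the report's tables; the field names are Sysmon's.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 1732, "Image": SAMPLE, "TargetFilename": r"C:\Windows\System\WreKtzA.exe"},
    {"EventID": 11, "ProcessId": 1732, "Image": SAMPLE, "TargetFilename": r"C:\Windows\System\iZdCzXm.exe"},
    {"EventID": 11, "ProcessId": 1732, "Image": SAMPLE, "TargetFilename": r"C:\Windows\System\TXFSXqb.exe"},
    {"EventID": 1, "ProcessId": 4932, "ParentProcessId": 1732, "Image": r"C:\Windows\System\WreKtzA.exe", "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 3692, "ParentProcessId": 1732, "Image": r"C:\Windows\System\iZdCzXm.exe", "ParentImage": SAMPLE},
    # Benign control (constructed): an installer writing one normally named helper and running it.
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Program Files\Vendor\setup.exe", "TargetFilename": r"C:\Windows\System\vendor-helper.exe"},
    {"EventID": 1, "ProcessId": 901, "ParentProcessId": 900, "Image": r"C:\Windows\System\vendor-helper.exe", "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]


def detect_dropper_chain(events, min_drops=3):
    """Flag a parent that writes at least `min_drops` random-named EXEs into
    C:\\Windows\\System and then executes one or more of them.
    Returns one alert per parent PID, in ascending PID order."""
    dropped = defaultdict(set)      # parent pid -> lowercased dropped paths
    parent_image = {}
    for ev in events:
        if ev["EventID"] == 11 and RANDOM_SYSTEM_EXE.match(ev["TargetFilename"]):
            dropped[ev["ProcessId"]].add(ev["TargetFilename"].lower())
            parent_image[ev["ProcessId"]] = ev["Image"]

    executed = defaultdict(list)    # parent pid -> dropped children it actually launched
    for ev in events:
        if ev["EventID"] != 1:
            continue
        ppid = ev.get("ParentProcessId")
        if ppid in dropped and ev["Image"].lower() in dropped[ppid]:
            executed[ppid].append(ev["Image"])

    alerts = []
    for ppid in sorted(executed):
        if len(dropped[ppid]) >= min_drops:
            alerts.append({
                "parent_pid": ppid,
                "parent_image": parent_image[ppid],
                "parent_in_user_temp": bool(USER_TEMP.match(parent_image[ppid])),
                "dropped": len(dropped[ppid]),
                "executed": executed[ppid],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_dropper_chain(SAMPLE_EVENTS):
        print(alert)
```

The threshold exists because a single write into C:\Windows\System is routine for installers; it is the volume of random names plus the parent executing its own drops that separates this chain from noise. Writing to C:\Windows\System also requires the dropper to run elevated, which is why the benign control is shaped like an installer rather than a user-level program.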

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe (PID 1732)

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe"

The 21 processes below are the dropped copies launched by PID 1732 (PIDs taken from the WriteProcessMemory table above). For each, the command line is the bare image path with no arguments:

C:\Windows\System\WreKtzA.exe (PID 4932)

C:\Windows\System\iZdCzXm.exe (PID 3692)

C:\Windows\System\TXFSXqb.exe (PID 3728)

C:\Windows\System\hzCEFHQ.exe (PID 4416)

C:\Windows\System\avBERzY.exe (PID 4700)

C:\Windows\System\VRrtmPS.exe (PID 3432)

C:\Windows\System\gtdlWYt.exe (PID 2740)

C:\Windows\System\quLYmIZ.exe (PID 1388)

C:\Windows\System\UmbkPcG.exe (PID 1256)

C:\Windows\System\zSmzCaY.exe (PID 4128)

C:\Windows\System\HPllRMW.exe (PID 4100)

C:\Windows\System\CdpEHxL.exe (PID 5104)

C:\Windows\System\DETlRtQ.exe (PID 4104)

C:\Windows\System\ArJPggF.exe (PID 4452)

C:\Windows\System\xjSpdwb.exe (PID 5064)

C:\Windows\System\vwmFoDX.exe (PID 3900)

C:\Windows\System\oaLKwjT.exe (PID 4628)

C:\Windows\System\HnbIgyQ.exe (PID 2488)

C:\Windows\System\LIgDkyI.exe (PID 944)

C:\Windows\System\AneoCLu.exe (PID 4428)

C:\Windows\System\XRCQWMP.exe (PID 4520)

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 (no domain) tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 (no domain) tcp
DE 3.120.209.58:8080 (no domain) tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 (no domain) tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 (no domain) tcp
DE 3.120.209.58:8080 (no domain) tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

3.120.209.58:8080 (DE) is the only destination in this run other than the 8.8.8.8 resolver; it was contacted seven times over TCP, by IP address with no preceding name lookup, within the 151 s network window. The udp rows are reverse (PTR) lookups in in-addr.arpa, not lookups of a hostname chosen by the sample. For blocking or hunting, the IP:port pair is the one network indicator this detonation yields.

Files

Memory dump names encode PID-index-start-end. Every region listed below except memory/1732-1 (a 0x10000-byte region in the parent) spans exactly 0x351000 bytes, for the parent and for every child PID, so each randomly named copy maps an image of the same size; the same PID and range recur under increasing indices. Three paths (C:\Windows\System\XRCQWMP.exe, C:\Windows\System\CdpEHxL.exe, C:\Windows\System\hzCEFHQ.exe) are listed twice with different hashes, i.e. the file on disk was rewritten with different content during the run.

memory/1732-0-0x00007FF686100000-0x00007FF686451000-memory.dmp

C:\Windows\System\WreKtzA.exe

MD5 edc44c7acfb430bc99efea55d1719afc
SHA1 90d2af465962e465a3b25c0a19b9bb69ef218693
SHA256 d1784f1230109fa939a5ce8fec8a0ccda07c58674271b7386c12026f15914dec
SHA512 6cd3e95ba292c6b2c93238b1f504fca75b39dbd9a50619a99a7871250633ad5383021292cc61ab7e7bcee2777681c1edd79cc7176941942ed6ca1453512cb836

C:\Windows\System\TXFSXqb.exe

MD5 9d79ebd52bd5a8fec7251412b8276b56
SHA1 82c96abaf016a8946e00d43dc4e512f491f05f76
SHA256 6f6bf7962a709ab50229e821ac82406471866647dc41959722e1a540a948aa6d
SHA512 d296db1077833ae01bbb2056498de4a68444843beb1df4e1ce61d09cf62b0bf8514405ae6de3b1c67012846c7692dec8e75015953118d68afc1c441d70b81252

memory/4416-26-0x00007FF6723C0000-0x00007FF672711000-memory.dmp

C:\Windows\System\avBERzY.exe

MD5 f8e3ee18d238c1f49a1c817e9c8d6c9f
SHA1 bc4fb2106eda87d5ae283a3d68034754ed20380d
SHA256 88143843b3e105001e52b9eff8c77a13456f91c3a11713049cb3a266acfbbba3
SHA512 11f0f4965c32cd01be1e21dbc53e231f73ffd48637c45f0ec67d59fe832de7f4c47e4e9c00384ddb34947daac05347478984ad546e4081d1a16ffc25a23b33da

C:\Windows\System\VRrtmPS.exe

MD5 aef5caaec2344bc24e19b818ed34b253
SHA1 1a5a74f8b987e9ec52cf20ac04c88a20931925d6
SHA256 9c12d7e37ee21ddcf94194c09cb9c9a40543134e2ab404ba31162ab3d059a967
SHA512 09cf301bd4ad71a2407a77213c9c1d52624f2233b9bb5fb69894ce521c8f64389a344d3f74b4e09d5c2256c603f0f3609f6b043fee64583975d552064d74f5bf

memory/3432-38-0x00007FF7F4C90000-0x00007FF7F4FE1000-memory.dmp

C:\Windows\System\quLYmIZ.exe

MD5 276ee099bc71c633091ea008ecac9ee5
SHA1 833efaaa22ad4ea3037981aba2b2a264e99d92d8
SHA256 186b779675b78601d094fc3265cca1af8af838e5c597d05ac2d0057d79ff814b
SHA512 882fafeb83535758613a6ffc6d9558559308fbe6e18e3789d8789e018cf4cd1d855647610df6c0e809a199c759d77a4be275969f2498c39f5a73cd5ceac1542e

C:\Windows\System\UmbkPcG.exe

MD5 bf2638dd33d4fd2993691dae9a1a78da
SHA1 f738b961e9d1f6aaa305d06f66cad5e0e3b88192
SHA256 870f8c35cd691ce79f2098156b9a9a28d9a19d57d50b469d5248ca41d586d03b
SHA512 e0244564099a87c7adf08109800e81bfb7f4e525dedd7613db72168a4eb687ea355e0973d997a4e58e9bab5c2210fa18273f62b247e46d37b8f1c7b40087bed2

C:\Windows\System\zSmzCaY.exe

MD5 f3d4a3adf1c1810069ae9093ccc9ce46
SHA1 b2ad3bccc7ab8dd56c6c5fc9cca56ae8919ca5fd
SHA256 a960651c04ebb460edc7c27b78921ed8a9ef2af106197c9a7a22629c86872bf6
SHA512 7546af4cf66d9f424e098e93dc97299d511d5e50f3eaa150eac68e3056d3becc71b6fbded9cdee3868772974df4c4ca13ded35e47ba60cd7ca2d2fc63e57557d

C:\Windows\System\HPllRMW.exe

MD5 b08fbfa3678c91ef27dc5390191f511b
SHA1 d981454a5798a8fab1a37f8196676db170bee03b
SHA256 d6d94c91ae449a2ae63b2d41da8d9fecd52b7d6ccf34cbd1c2dbd5f297e323b0
SHA512 80697690c23f9e6a0c60185707284e28241e9dd51b6efe92e8a387d0c84f23d38f0c113314a2a601bd79a87ca7e3ff1d3064548dfc13911ca264075116a11e31

memory/4932-72-0x00007FF7994A0000-0x00007FF7997F1000-memory.dmp

memory/3692-75-0x00007FF658D20000-0x00007FF659071000-memory.dmp

C:\Windows\System\DETlRtQ.exe

MD5 d727cd239dbde837337c2e2d6e57445d
SHA1 83a4f6efa124ad56f2e221645112eb0d3717d1b0
SHA256 6b93c6ac9a055653305e390efb43f0df213bf0656450c179cbf9d3fe4906b0c4
SHA512 e16557b654e462f96b0168b07a6e18aacfba96ea90804b54c578550db2937269fa642b64cde203620ba5446a48ed2a27bd63260db7b36b2067b324b26db68de4

memory/4104-87-0x00007FF702700000-0x00007FF702A51000-memory.dmp

C:\Windows\System\ArJPggF.exe

MD5 eeecb2d124ade27da931dd76f94bac02
SHA1 16353dae1acf3bccd8210b7e804ce557bfb16cd9
SHA256 c1aefe846fb31b35398c423ba63215eb320ff7b265d1f54e7be32d6e8d48c861
SHA512 5574c785f40287757bdc61e6b36378788a486d513a85182512d64f5f1671a00c3bdc3158e182f2a5d52c0573d7a6266ab411d1c4eaedd957b30b7cc07c11464a

C:\Windows\System\vwmFoDX.exe

MD5 8f4f2c99c2a108ff93aa961a269ed287
SHA1 3b5cb92721773c45bf57c67bf2aa8e5060d302c1
SHA256 aede35b569bd553e863d35658230d7d044a6a9d5794572ef161d07fbe31edd6b
SHA512 76c7b02b839e8114535501a3f3cf626b2f4ba3a7651a7daa0c7b87ac71b988b48d0280afb8e11596e322cbba03b91034018b10e0c600711da06d981bca37b6e1

C:\Windows\System\LIgDkyI.exe

MD5 80e819558ec41836be26180cac2c6864
SHA1 b5ce3f3769e2bc97dec4e481e1af08d8f41101ab
SHA256 496d0eb793419d8ed87b5424682c882dccc39478dc35d259ac6c16ac5f641eae
SHA512 fa47aa3ceed27af3d6624d0e395852a8507e93263477ab3fa7596e3e914526c27b35b50812b04dbe00c860fc84c0ac86e807e70248c8a94030062c83be80c437

C:\Windows\System\AneoCLu.exe

MD5 be4de5ad5baf332e355a7a57742ca6a7
SHA1 575c97cc44d1dcdc0eeedef4d99b219cca3fb8ec
SHA256 f7cea3d7dbc006462736b454806c03cb9d4a5497742cfca0d1522f47c6d0fa74
SHA512 8e6963defc3df81edb2ebb1d8aea79a20721042ac0795aa350f4a5a6bd6d615889f4e19a84a9ca3d5dced882219b058daba0b18d8adac6516da1ada2bb371278

C:\Windows\System\XRCQWMP.exe

MD5 e079a532debf2aa09ed43399f7482a78
SHA1 d64d769e3852c50693e4939ff3c40188d985ada3
SHA256 f0e2e71cee385e456cf0a137190ff1c1a4b29ed7cc4b5c514e44a5a394624d11
SHA512 8aba5fe4a36db99c5343691e54a7723b5626c7b4bf43886827b3df3f80c7dcb9e6bc850e27458fb5b242f7a701bccc0b53ebc5b21d12d38ba652c2283e9e3d7e

C:\Windows\System\XRCQWMP.exe

MD5 e987161827c695a9efec275ab3dfb819
SHA1 62cc16b2c1efef119033dabfae7bdfdcb60e01f4
SHA256 7dce66013deb27e7787d87cd168bc6fb20a159a6de1e4c7ae4622fd518e3dd50
SHA512 e0bd5a283377eb2223599f02246dd6d683b2a1a124ef2b833a35392ab01fb79596f8870669565fd466359793a358e07dfc03685823b83d5b0dcc8b2cd523d558

C:\Windows\System\HnbIgyQ.exe

MD5 844fca0375c8af1fc8e97aa51821c7bc
SHA1 1ccc79b52a31a885e02837e6ae20728661e08156
SHA256 9840356bf411f9004dc5d1efe91117d7424113b443ce3cf4cb2b2cdfc507ae1f
SHA512 7d6c1c7ce8d2d1fd3b85a71f0767022075ad44c69dd6769f526acf9842799af7f483b6db1ce41bc359567a2bbe8bc6dcab5259e69263a88cc135c4dad2aec7a9

C:\Windows\System\oaLKwjT.exe

MD5 80efa962739cb467e65c4f8ece105f17
SHA1 572c435be28bff9c9d365d01765aa5bfde5b45f0
SHA256 98d23ec773d039c0a16ae766b7a7e6518d8588b6eb401072b3df686012648e37
SHA512 8f5a0cec6a0c841d6d601a0405dc63bf31cafa7655fb809298cb0b61ebf5663217be7b5477eded521210e530ecebc9df73af1d28607d6752c1a6b766eab0601c

memory/5064-103-0x00007FF6FF310000-0x00007FF6FF661000-memory.dmp

memory/4416-102-0x00007FF6723C0000-0x00007FF672711000-memory.dmp

C:\Windows\System\xjSpdwb.exe

MD5 722bd22ae927d02d3eee0e1fc22ad828
SHA1 395ef0eded763c0e251454c4aebb14fa1b8f8a67
SHA256 b38aa2d5f9ec78860c890b0e04df5b5e641810d85184a10230ce9616cb662b41
SHA512 4c2191a1a20dc0c4867caa821136606743b4f058a1b9f5fd921840e13942ac1b6a8b39599116e97328ff0db9733e429bb03646a48aef5db8999889e37310b4d9

memory/3900-97-0x00007FF72CC90000-0x00007FF72CFE1000-memory.dmp

memory/4452-96-0x00007FF698A70000-0x00007FF698DC1000-memory.dmp

memory/3728-90-0x00007FF67DFE0000-0x00007FF67E331000-memory.dmp

memory/5104-81-0x00007FF6C7CF0000-0x00007FF6C8041000-memory.dmp

C:\Windows\System\CdpEHxL.exe

MD5 4163b35c41d291e6f2eb473e34f90d6e
SHA1 55cf70b022eb204a09714b8e927938325f91edc0
SHA256 e876f615444d943af07061e1ff78f664586d316d76e95c768a28836eb9cc5cb9
SHA512 aed27fe26606f4edc1c6bda242da186029600c13c6a69cd1e0687ec4f6eba15ddcf85980d7f2ebe29f8505112e2055ee81a44907da5add35a943531368ee336b

memory/4100-76-0x00007FF6B6600000-0x00007FF6B6951000-memory.dmp

C:\Windows\System\CdpEHxL.exe

MD5 e935c8bd6daebba30d0f5b0347089679
SHA1 e53502702676a9ea04db230ea7ed4904e0192f5d
SHA256 bb547bde953626ca4b877bfdb246afbd38d3af41ab7d7077c89cb8040e7bf2a9
SHA512 baa4b0359f00c888147ad36e3e9dc8b89dc20883fa0ffaeacafc6af641841b80ee4bc0bf69682282c5739e7f1d4e5c3b2aee6c96ea67d725494de48bb0969f8c

memory/4128-64-0x00007FF7F20F0000-0x00007FF7F2441000-memory.dmp

memory/1732-63-0x00007FF686100000-0x00007FF686451000-memory.dmp

memory/1256-58-0x00007FF6460D0000-0x00007FF646421000-memory.dmp

memory/1388-48-0x00007FF625C60000-0x00007FF625FB1000-memory.dmp

memory/2740-43-0x00007FF7C48D0000-0x00007FF7C4C21000-memory.dmp

memory/4628-129-0x00007FF643CA0000-0x00007FF643FF1000-memory.dmp

memory/4428-132-0x00007FF7CF8B0000-0x00007FF7CFC01000-memory.dmp

memory/4520-133-0x00007FF628B70000-0x00007FF628EC1000-memory.dmp

memory/944-131-0x00007FF7F3940000-0x00007FF7F3C91000-memory.dmp

memory/2488-130-0x00007FF6E9630000-0x00007FF6E9981000-memory.dmp

memory/4700-128-0x00007FF702B80000-0x00007FF702ED1000-memory.dmp

C:\Windows\System\gtdlWYt.exe

MD5 26f58c5cd167bb72a4144c4c9f78b936
SHA1 637892bd541f6f58aafe50edc979421b16fbbb97
SHA256 e33d80aaf4c41afa7d1cad42a8242a26935b70ae14bf352e4a4ca06d4bbe938f
SHA512 bc674bcd23d6463a6a6957fa7a4fb5673866591987c54f82d092d69225ecc4c3873813bafebddc828945f7d659829cafe97d2ba7557b809221f3c0b5a0e94d29

memory/4700-31-0x00007FF702B80000-0x00007FF702ED1000-memory.dmp

C:\Windows\System\hzCEFHQ.exe

MD5 d84891106dad0d7b4c34af85835ec4a8
SHA1 9665f97e962cdc4144cc100086ef9767ced5a5b4
SHA256 e8a5f91c8c2782a6bcd21f33eab10bf4224beef644a32d7ad28b3f57f788882d
SHA512 99ae93fd510de7cfcef873c985249199410b4395cf47a95aa3cb62c05fffe82e1b6c91a6f0f0d5f663e3d94c1f85eb70bf420495bec4261acf83c98b566255fe

C:\Windows\System\hzCEFHQ.exe

MD5 2dd44e2b50c8e6148a4303001aa2ae37
SHA1 ae4db4195952d9226517b0c37577d8741cc4a8f5
SHA256 aa1c2375b413e6aab7ede2ee469a2252ec3a8cbeb374502de2938d573d4bd893
SHA512 5bc4a51143348d5f49dc3ddc6ba9dc7512cbe8296768a7fd071c01f07c055cd535fb4bc72607f210e0afecafd4920075c36b7d0db4fb808cdfa04bda66d2514e

memory/3728-20-0x00007FF67DFE0000-0x00007FF67E331000-memory.dmp

memory/3692-16-0x00007FF658D20000-0x00007FF659071000-memory.dmp

C:\Windows\System\iZdCzXm.exe

MD5 0aa8a1fa32605cf3b72aa84b451d8fc0
SHA1 7f540315efc8d0d2033a5a52b953bc6c0a6a6cd7
SHA256 c4587bf3886c936bab28c5f2a98b80d40252a3176fb9834b71861c5f7d8f6ce0
SHA512 c0d87c6f85886889f249cb5dade884360604b1b48a218fb0d946c718bb14bb1b63f11e2eed04960f19f2e899e1bc23f49145226dbe9183dc9f6346dfa4e2a922

memory/4932-8-0x00007FF7994A0000-0x00007FF7997F1000-memory.dmp

memory/1732-1-0x000002E238D00000-0x000002E238D10000-memory.dmp

memory/3432-134-0x00007FF7F4C90000-0x00007FF7F4FE1000-memory.dmp

memory/3900-151-0x00007FF72CC90000-0x00007FF72CFE1000-memory.dmp

memory/4104-148-0x00007FF702700000-0x00007FF702A51000-memory.dmp

memory/4128-145-0x00007FF7F20F0000-0x00007FF7F2441000-memory.dmp

memory/1388-143-0x00007FF625C60000-0x00007FF625FB1000-memory.dmp

memory/4452-149-0x00007FF698A70000-0x00007FF698DC1000-memory.dmp

memory/5104-147-0x00007FF6C7CF0000-0x00007FF6C8041000-memory.dmp

memory/1256-144-0x00007FF6460D0000-0x00007FF646421000-memory.dmp

memory/2740-142-0x00007FF7C48D0000-0x00007FF7C4C21000-memory.dmp

memory/1732-135-0x00007FF686100000-0x00007FF686451000-memory.dmp

memory/1732-157-0x00007FF686100000-0x00007FF686451000-memory.dmp

memory/4932-208-0x00007FF7994A0000-0x00007FF7997F1000-memory.dmp

memory/3692-210-0x00007FF658D20000-0x00007FF659071000-memory.dmp

memory/3728-212-0x00007FF67DFE0000-0x00007FF67E331000-memory.dmp

memory/4416-214-0x00007FF6723C0000-0x00007FF672711000-memory.dmp

memory/4700-216-0x00007FF702B80000-0x00007FF702ED1000-memory.dmp

memory/3432-218-0x00007FF7F4C90000-0x00007FF7F4FE1000-memory.dmp

memory/2740-220-0x00007FF7C48D0000-0x00007FF7C4C21000-memory.dmp

memory/1388-222-0x00007FF625C60000-0x00007FF625FB1000-memory.dmp

memory/1256-224-0x00007FF6460D0000-0x00007FF646421000-memory.dmp

memory/4128-226-0x00007FF7F20F0000-0x00007FF7F2441000-memory.dmp

memory/4100-228-0x00007FF6B6600000-0x00007FF6B6951000-memory.dmp

memory/5104-230-0x00007FF6C7CF0000-0x00007FF6C8041000-memory.dmp

memory/5064-238-0x00007FF6FF310000-0x00007FF6FF661000-memory.dmp

memory/4628-234-0x00007FF643CA0000-0x00007FF643FF1000-memory.dmp

memory/4452-240-0x00007FF698A70000-0x00007FF698DC1000-memory.dmp

memory/2488-242-0x00007FF6E9630000-0x00007FF6E9981000-memory.dmp

memory/3900-237-0x00007FF72CC90000-0x00007FF72CFE1000-memory.dmp

memory/4104-233-0x00007FF702700000-0x00007FF702A51000-memory.dmp

memory/4428-248-0x00007FF7CF8B0000-0x00007FF7CFC01000-memory.dmp

memory/944-247-0x00007FF7F3940000-0x00007FF7F3C91000-memory.dmp

memory/4520-244-0x00007FF628B70000-0x00007FF628EC1000-memory.dmp
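The memory dump names in this listing follow one fixed pattern, memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp, and a quick parse of them tells you something the raw list hides: almost every dumped region is exactly the same size, 0x351000 bytes, mapped at a different high ASLR base in each process, while one region (1732-1) is a 0x10000-byte non-image allocation. The following Python is an added triage helper, not part of the original report or the sandbox's own tooling. The dump names embedded in it are copied from the listing above (a subset, the rest follow the same pattern); the image-mapping heuristic (page-aligned start in the high user-mode range) is an assumption, not something the report states.

```python
import re
from collections import Counter

# Dump names copied from the "Files" listing of this report (subset; the
# remaining entries follow the same naming pattern).
DUMP_NAMES = [
    "memory/4128-64-0x00007FF7F20F0000-0x00007FF7F2441000-memory.dmp",
    "memory/1732-63-0x00007FF686100000-0x00007FF686451000-memory.dmp",
    "memory/1256-58-0x00007FF6460D0000-0x00007FF646421000-memory.dmp",
    "memory/2740-43-0x00007FF7C48D0000-0x00007FF7C4C21000-memory.dmp",
    "memory/4700-31-0x00007FF702B80000-0x00007FF702ED1000-memory.dmp",
    "memory/1732-1-0x000002E238D00000-0x000002E238D10000-memory.dmp",
    "memory/3692-16-0x00007FF658D20000-0x00007FF659071000-memory.dmp",
    "memory/4700-216-0x00007FF702B80000-0x00007FF702ED1000-memory.dmp",
]

# pid - sequence - start - end, hex addresses as written in the report
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split one dump name into pid, sequence number, start, end and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        raise ValueError(f"end address not after start in: {name}")
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end,
            "size": end - start}


def looks_like_image_mapping(region):
    """Heuristic (assumption, not from the report): a page-aligned region in
    the high canonical user range is where 64-bit Windows maps PE images
    under high-entropy ASLR; small low-address regions are heaps/stacks."""
    return region["start"] % 0x1000 == 0 and region["start"] >= 0x7FF000000000


def region_size_profile(names):
    """Return (dominant_size, outliers, sorted_pids) for a list of dump names.
    A single dominant size across many pids and bases is what you expect when
    the same image is loaded into every process; outliers deserve a look."""
    regions = [parse_dump_name(n) for n in names]
    sizes = Counter(r["size"] for r in regions)
    dominant, _ = sizes.most_common(1)[0]
    outliers = [r for r in regions if r["size"] != dominant]
    pids = sorted({r["pid"] for r in regions})
    return dominant, outliers, pids


def repeated_dumps(names):
    """Map (pid, start, end) to the sequence numbers at which the same region
    was dumped again, e.g. pid 4700 at sequence 31 and again at 216."""
    seen = {}
    for r in map(parse_dump_name, names):
        seen.setdefault((r["pid"], r["start"], r["end"]), []).append(r["seq"])
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    dominant, outliers, pids = region_size_profile(DUMP_NAMES)
    print(f"dominant region size: {dominant:#x} across pids {pids}")
    for r in outliers:
        kind = "image-like" if looks_like_image_mapping(r) else "non-image"
        print(f"outlier pid {r['pid']} seq {r['seq']}: {r['size']:#x} ({kind})")
    for (pid, start, end), seqs in repeated_dumps(DUMP_NAMES).items():
        print(f"pid {pid} region {start:#x}-{end:#x} dumped at sequences {seqs}")
```

Running it over the full listing gives 0x351000 for every high-address region, so the dropped executables in C:\Windows\System\ share one image size even though their file hashes differ; whether they are the same program repackaged per copy is a hypothesis to confirm by diffing the dumps, not something this listing proves. The repeated (pid, range) pairs, such as 4700 at sequences 31 and 216, are the same region captured at different points in the run and are worth comparing for in-memory changes such as the UPX unpack the signatures describe.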