Malware Analysis Report

2025-03-15 08:11

Sample ID 240530-ljtwtseb44
Target 2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike
SHA256 b75cd532c50dcb60baec52f6cedaca20ac30384a867a56ca5b7c874fd2a11ecc
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b75cd532c50dcb60baec52f6cedaca20ac30384a867a56ca5b7c874fd2a11ecc

Threat Level: Known bad

The file 2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Xmrig family

xmrig

Detects Reflective DLL injection artifacts

Cobaltstrike family

Cobaltstrike

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 09:34

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 identical entries)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 09:34

Reported

2024-05-30 09:36

Platform

win7-20240508-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical entries)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical entries)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical entries)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (38 identical entries)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A (21 identical entries)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical entries)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\mbvhqVD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eyJhdYO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ykvmnWq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kbRyijo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AwIunkD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UgowYkn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rVkEMLS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GJjfyDd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fheEzaU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gkyPiiU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CmoWDPs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XfXCDje.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OxIeEre.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qXjfiFV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JecGwJq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XKIvUZo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZbiixIk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xzGtGSt.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WrbIHQG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yKDrFGo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TPjnksV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A (2 identical entries)

Suspicious use of WriteProcessMemory

Each entry below was recorded three times; the duplicates are collapsed here.
Description Indicator Process Target
PID 1868 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\OxIeEre.exe
PID 1868 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ykvmnWq.exe
PID 1868 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\mbvhqVD.exe
PID 1868 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\AwIunkD.exe
PID 1868 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\UgowYkn.exe
PID 1868 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\TPjnksV.exe
PID 1868 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\eyJhdYO.exe
PID 1868 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\qXjfiFV.exe
PID 1868 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\rVkEMLS.exe
PID 1868 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\JecGwJq.exe
PID 1868 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\XKIvUZo.exe
PID 1868 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZbiixIk.exe
PID 1868 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\kbRyijo.exe
PID 1868 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\GJjfyDd.exe
PID 1868 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xzGtGSt.exe
PID 1868 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\WrbIHQG.exe
PID 1868 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\fheEzaU.exe
PID 1868 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\gkyPiiU.exe
PID 1868 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\CmoWDPs.exe
PID 1868 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\XfXCDje.exe
PID 1868 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\yKDrFGo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\OxIeEre.exe

C:\Windows\System\OxIeEre.exe

C:\Windows\System\ykvmnWq.exe

C:\Windows\System\ykvmnWq.exe

C:\Windows\System\mbvhqVD.exe

C:\Windows\System\mbvhqVD.exe

C:\Windows\System\AwIunkD.exe

C:\Windows\System\AwIunkD.exe

C:\Windows\System\UgowYkn.exe

C:\Windows\System\UgowYkn.exe

C:\Windows\System\TPjnksV.exe

C:\Windows\System\TPjnksV.exe

C:\Windows\System\eyJhdYO.exe

C:\Windows\System\eyJhdYO.exe

C:\Windows\System\qXjfiFV.exe

C:\Windows\System\qXjfiFV.exe

C:\Windows\System\rVkEMLS.exe

C:\Windows\System\rVkEMLS.exe

C:\Windows\System\JecGwJq.exe

C:\Windows\System\JecGwJq.exe

C:\Windows\System\XKIvUZo.exe

C:\Windows\System\XKIvUZo.exe

C:\Windows\System\ZbiixIk.exe

C:\Windows\System\ZbiixIk.exe

C:\Windows\System\kbRyijo.exe

C:\Windows\System\kbRyijo.exe

C:\Windows\System\GJjfyDd.exe

C:\Windows\System\GJjfyDd.exe

C:\Windows\System\xzGtGSt.exe

C:\Windows\System\xzGtGSt.exe

C:\Windows\System\WrbIHQG.exe

C:\Windows\System\WrbIHQG.exe

C:\Windows\System\fheEzaU.exe

C:\Windows\System\fheEzaU.exe

C:\Windows\System\gkyPiiU.exe

C:\Windows\System\gkyPiiU.exe

C:\Windows\System\CmoWDPs.exe

C:\Windows\System\CmoWDPs.exe

C:\Windows\System\XfXCDje.exe

C:\Windows\System\XfXCDje.exe

C:\Windows\System\yKDrFGo.exe

C:\Windows\System\yKDrFGo.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical entries; no domain recorded)

Files

memory/1868-0-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/1868-1-0x00000000002F0000-0x0000000000300000-memory.dmp

\Windows\system\OxIeEre.exe

MD5 9fd53c1d3d2afd2c1556bd654be540f9
SHA1 24d57f87634cd604bd7f45fd0cce044a50a68b4d
SHA256 db3e02fca869ba89ef7e9c3df8da717fd1e71a610516f75d00cce6b7fb3f9d10
SHA512 b189df42fcda726b58a409e48f7f86196d5de66abbeb35cc54ec1ca77b3d528f5de07a9759eee769bb8d7258aa5deb1f4ec697c2e2ddd8d4b0386a659f035ce8

memory/1592-7-0x000000013F340000-0x000000013F691000-memory.dmp

\Windows\system\ykvmnWq.exe

MD5 615109a05c8d9b924be02661d1d74d70
SHA1 60fbf361a4ceb8252cda364a023d57546b87a4dd
SHA256 2e3d13dc8721eddf4500429366528a1b347c18fea3a1c5508e3215196bd762d1
SHA512 864a5417fcda8a40096c3215ef56fe098017654a81060700a591a31942f0c07926b377d7f5976e159cbb08a70a0895b1f598f4d9c9d43aa1306597ebfb94b24b

memory/2580-14-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/1868-13-0x000000013F930000-0x000000013FC81000-memory.dmp

C:\Windows\system\mbvhqVD.exe

MD5 99f3e57e1fb3967997179473ae17d725
SHA1 096eec5a9cc59d98979a9c8329a8abf420131db6
SHA256 bc84112f9fd113f40e2932c28189e1709444b67bfd92976f0d188292206f6664
SHA512 98a4ba30ea352a025ac7110d14e246705b596f5a4563f032090e438616026e16205e46cb897a4ccbe7e398c1753584b1096cc8dca6156ffed8f25f32e8ff4e96

memory/2616-22-0x000000013F510000-0x000000013F861000-memory.dmp

memory/1868-19-0x000000013F510000-0x000000013F861000-memory.dmp

C:\Windows\system\AwIunkD.exe

MD5 204662c5aa2dfc9f8d4032d1e82dbfec
SHA1 9ba45e3243107f08692b2c33a3c38a53c50a2ef1
SHA256 1d105dcbb411701d7f8968722851add9ab65671da9d60c265900ca8c5242cdf4
SHA512 a49f11e378cae2540141eb2f4c61d7b8326c4b389ce6fe92d957d74672079f544a57a06507fe44f34bdab6beaf0caf4ea78ea3c546f4d212857a74d66b28f636

memory/2824-29-0x000000013F4E0000-0x000000013F831000-memory.dmp

memory/1868-28-0x000000013F4E0000-0x000000013F831000-memory.dmp

\Windows\system\TPjnksV.exe

MD5 e18a5e143e7a25ed12053b315b93b2c8
SHA1 368743c6f5eaf7735c36e0afe9392c9ebc637e6a
SHA256 a04e3875ac1fe474dcb89c8f98732e3f77840f7fde5ad3c0694d30b312bfad60
SHA512 c6bff5b604b7b7dfcb9817ade0556b24375c4f312ada8e154e023af9b68a58ee5b34916c6aa73ae34552dbf9c7100982c0cdb6e29ca8984a7860fb69976c7fc8

memory/2620-35-0x000000013F3D0000-0x000000013F721000-memory.dmp

memory/2604-43-0x000000013FB40000-0x000000013FE91000-memory.dmp

C:\Windows\system\qXjfiFV.exe

MD5 a3b081fed06c96b2baccebe46430dc4b
SHA1 f28c9c6836e291ba9aa143c4076f0274fa37fec0
SHA256 6d7d1fe90388eb024b3cf631017967a0b64646b9d1c6afca16e48b54419dd5ab
SHA512 11d31779ebdb7649b3162d73edfe2bd09a85724ec477c7b2e24cdf03922ce77224ab3ba61d69d643dcbd2ac96de94c639ef7991f4b9ab19cee887dd8fa0a7e56

memory/1868-56-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/2652-57-0x000000013F1E0000-0x000000013F531000-memory.dmp

memory/2580-68-0x000000013F930000-0x000000013FC81000-memory.dmp

C:\Windows\system\ZbiixIk.exe

MD5 83d01689a9f4f79be0b4263d036ba13a
SHA1 52d30ce1d8e8f02b6cf8631fdda92fd8d6b20e2d
SHA256 a8fb4ea1599a942aa8b6cfff77eeadc5e13acb5d6492d516f49ef9bc20accb5a
SHA512 4d44535ab7c61255c510326518368e7070f1d0d637f3f73e154caff49594913fa01c5ac2169e8bcf7c1498ebf52e3b33944574a6b1b9913c00ea3843c670e793

memory/1692-86-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/2460-101-0x000000013F690000-0x000000013F9E1000-memory.dmp

\Windows\system\XfXCDje.exe

MD5 0f2ddf9c836960db5951da656cefa354
SHA1 b9ef3b00494d75849498f386a6a5795e239f9005
SHA256 5f4b36d40bb8de23984d66ec2529ce98a56f304688f39346e4a5368374df390f
SHA512 25a4d26f8c52df4d48ccbb53579b5cfbcb84f57d0a4fe8282effea9f333fa94a759ae918a94f5778e5f535382c6571441501ac5f8d11f3c0070a79fa134bee55

\Windows\system\yKDrFGo.exe

MD5 9cf878dcd77d5ebcb2db27ee99b3954f
SHA1 31d8d572b056ffad19ec02e7439adc9035bd796b
SHA256 54125f4b87d85903653ea3d5441a8a225a9ebb7c5e12ee9db28e7827a409118c
SHA512 8e34232dee9f85ff865c19e66eb390bb764b74c1566282ab4f33933f92227b1b1e16656caf195968614e5f6d3447ea2c20e54741af602b83e8c2db98a3bcbac9

C:\Windows\system\CmoWDPs.exe

MD5 910c78d2d56923170b20a2811cf51a37
SHA1 a41be74091273c616d2b1b1550ebf6bb1b30ee71
SHA256 bfd299bcfe65d17e2bfc99743627555f7691737f43991aaf54f300d5c92b4acc
SHA512 62790370601479d7e4f20f1615dd532447c3f52926bd482da9a2af7766d845bde0ce04dde26e716f2b39f40b0930aca4106246cb7337d3d012db431c498b8bb5

C:\Windows\system\fheEzaU.exe

MD5 878f7a31887a0fb1cc41865046d47862
SHA1 e74e57e08c5bb82558be803b9f666cc20eaefc74
SHA256 8e76084df1514ab03b5b1c02914073d9e3d65c33016871d980ab46fbc9b0a3ef
SHA512 4b3b9d47f7b6dd2ab205cec895dbf9ea001a527305e2f8af5c85c71aef2694009a520739819cb63212ffd581a10dd9be209aa03bb94353f6c5e51f8f2b60e7ac

C:\Windows\system\gkyPiiU.exe

MD5 53e534c8cbcecdec68b998f271c7c4a0
SHA1 767c4fa5973da9648bfa2fbc972103cdac64f7fa
SHA256 df6a6ea7173197d1b7137c1b228c08bbb41bed61d09330949909263b636c39a1
SHA512 1f1fa1078b553317a7c5ec1980ee057239eed24686894711533f33ef6f97b62874e3b54504f6658e36030702a8fdc93692583564bc0dadf3bb9607be8f44567d

C:\Windows\system\WrbIHQG.exe

MD5 0c84d219721afda25605e12c6d81af34
SHA1 c11356823a169a52fe3a1e89b1b7431168800c6c
SHA256 5ff8e7067323fcfd4418b3fc6843acb8745b3dd3e9315461d1bc2a11e6337430
SHA512 42c614d0faef3ea652169481bd2156d13804bd30a66288a828b60cdd7d59659a0453538a7c819e9b61750e360404c672eeccf59c611faa617e994becc1828683

memory/1868-107-0x00000000024F0000-0x0000000002841000-memory.dmp

C:\Windows\system\xzGtGSt.exe

MD5 cbf08152c87077ad4628726cb6f2e8f5
SHA1 20d3f87220a473e7c05e77ef51b48d888a579c93
SHA256 df06969016c23f0726b960f24e164e5f5be2f7c1e16ba8016e34e8be3edce94c
SHA512 e659d42f092e0c4086b42f725a859c9a9b87cc39430f80ac209041ab3d6b21d0ad2ed675256304c39804563786f837abfcb86985aa14e124b283be051525b9c0

memory/2784-138-0x000000013FF80000-0x00000001402D1000-memory.dmp

memory/1868-100-0x000000013F690000-0x000000013F9E1000-memory.dmp

C:\Windows\system\GJjfyDd.exe

MD5 cad72596e5650e1d00fe77503e1c65f4
SHA1 39469a5846140c16065fff015d6ec884cb35624d
SHA256 e501af565b31ab6a668b30dcc4765bbfe55de902a9d229c02743788cb12e5359
SHA512 9f6d867e1fa1d8bd8376111cc23684f749c9d94c8babd070400af4b5b0d105fa51b316d424eab72c4a89febf0e222af8ed4ca683fba8a657ca67369f13ff4ec2

memory/1460-93-0x000000013F190000-0x000000013F4E1000-memory.dmp

memory/1868-92-0x000000013F190000-0x000000013F4E1000-memory.dmp

memory/2620-91-0x000000013F3D0000-0x000000013F721000-memory.dmp

C:\Windows\system\kbRyijo.exe

MD5 abe9db469ce1d492831f9c26a8bc4498
SHA1 e4ccb533f3695929fb2013da8e54368daed41602
SHA256 b4ba906ccd1beec40b82472bc5bfb153741a6978c1fc516748d29883098231c9
SHA512 a074bc48359539c0856a858b1fa7a5b217274c8260ad6d814953649698c96b41ff65b046932ecf2192d6f03beff8cfd76b1184f092f8b30cd1dc26d826e0fb0f

memory/1868-85-0x00000000024F0000-0x0000000002841000-memory.dmp

memory/1876-78-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/1868-77-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2616-76-0x000000013F510000-0x000000013F861000-memory.dmp

C:\Windows\system\XKIvUZo.exe

MD5 77bfc1e4481b6cf220fdb38bbd67ae0e
SHA1 4b0c3671b56df5602addff255a007b35622cc6f2
SHA256 fdf843677932d203454bbf4f08a156eabcd541ca0445ba9a41467de28c75c03d
SHA512 dd5d2e123e162da7849288f2e19275e7ece0b7585c0fb750eb6ba07df2b8cd4b7d27b48c0e2a007d45539f0facc62d3eec800995787fece32545a3bdce2266c3

memory/2904-70-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/1868-69-0x00000000024F0000-0x0000000002841000-memory.dmp

C:\Windows\system\JecGwJq.exe

MD5 3c49cd7bcdd16768a24dfae4f7a5833d
SHA1 86d2879342f67dbd7eb0100255024d8bd43786d7
SHA256 a82d4893db29286b7053c5c671cbfa9be19b1510db6851a9d3cac060877c4ab6
SHA512 f059468a6fdb1fc868b3333462be205348ab3f6cfe5ef1545c6f16f83814a664eb7ec6984f42077e36f05c12f79af4b081053a67dc11bf134c2e4003e98b2ff0

memory/2528-63-0x000000013F420000-0x000000013F771000-memory.dmp

memory/1592-62-0x000000013F340000-0x000000013F691000-memory.dmp

C:\Windows\system\rVkEMLS.exe

MD5 82fc484f087584527ba152369ed6abb9
SHA1 90a3484cae7770c951104e8623846b72b8a5a215
SHA256 5719ee83992e71180453b77c6949c0b12a593dccfc5bfdbe780e8b1f700ce5fc
SHA512 24182f2c91f07ed4db52e88df601d6d60af7d3c4c880cb01dcc848320e9df16f591880e285e26e859d86f231bc072c507be8356888f10e409aa51db04b7afe80

memory/2784-49-0x000000013FF80000-0x00000001402D1000-memory.dmp

memory/1868-48-0x00000000024F0000-0x0000000002841000-memory.dmp

C:\Windows\system\eyJhdYO.exe

MD5 c4dcc74edad33183e2b703a733eb73bb
SHA1 fb2b09ed9f657db57b38ab637a8f463c6bb82e49
SHA256 c925f9f45fefad55dcc4f902dce309532690f4c5066dbc075ce7a793d144a73b
SHA512 24e46615b623438d1a5ab557650bb0d5198b7f57e1e765f487ae6530c35b233fc13ff4be06ce9be7b938b8cc133964a91312b0c1ae503fc2ce42dd5e73799b6b

memory/1868-38-0x00000000024F0000-0x0000000002841000-memory.dmp

memory/1868-34-0x000000013F3D0000-0x000000013F721000-memory.dmp

C:\Windows\system\UgowYkn.exe

MD5 2e286be490a445e6db43cd86f10855dc
SHA1 c62cd19f67d6e7f86160e38a19bb4bb7f4598627
SHA256 805da2b2683bac9d987f2346079617ec3a40dd2845f15bea135df31525c3b04a
SHA512 ce1234ba4b2d75a288a2f572fbbb4bcdbc72b5cb86498a7930bf1cc412f18bfad9638c2b6f1e59261a58cbba9967f7a1c7e4e3084656fb89a67697c50753489c

memory/1868-139-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/2904-149-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2528-152-0x000000013F420000-0x000000013F771000-memory.dmp

memory/1692-151-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/1876-150-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/1460-153-0x000000013F190000-0x000000013F4E1000-memory.dmp

memory/2380-156-0x000000013F040000-0x000000013F391000-memory.dmp

memory/1432-161-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/1868-162-0x00000000024F0000-0x0000000002841000-memory.dmp

memory/1028-160-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/1448-158-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/1580-157-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/324-155-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/2460-154-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/1856-159-0x000000013FC00000-0x000000013FF51000-memory.dmp

memory/1868-163-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/1868-164-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/1868-174-0x000000013F190000-0x000000013F4E1000-memory.dmp

memory/1868-187-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/1592-215-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2616-218-0x000000013F510000-0x000000013F861000-memory.dmp

memory/2580-219-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/2824-221-0x000000013F4E0000-0x000000013F831000-memory.dmp

memory/2620-223-0x000000013F3D0000-0x000000013F721000-memory.dmp

memory/2604-225-0x000000013FB40000-0x000000013FE91000-memory.dmp

memory/2784-227-0x000000013FF80000-0x00000001402D1000-memory.dmp

memory/2652-229-0x000000013F1E0000-0x000000013F531000-memory.dmp

memory/2528-231-0x000000013F420000-0x000000013F771000-memory.dmp

memory/2904-233-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/1876-235-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/1692-247-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/1460-249-0x000000013F190000-0x000000013F4E1000-memory.dmp

memory/2460-251-0x000000013F690000-0x000000013F9E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 09:34

Reported

2024-05-30 09:36

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 matches, no per-match details reported)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 matches, no per-match details reported)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 matches, no per-match details reported)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (47 matches, no per-match details reported)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 matches, no per-match details reported)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\STompFf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ojGRNOP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nThjuiR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mQFgAfj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kPdruSp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dZNbGap.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JeUjfQr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tFbUsdU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tewTPUj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wXrqBgc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fOIUPzJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dFtPGNK.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qkpJCoa.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iOpJMjz.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wisnVwH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JDLGERE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ShkJORX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NTWMHnO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\avmEILp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZBeQdrT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lgdPyzZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A

All 21 files are written under C:\Windows\System\ (a directory normally writable only by administrators) with random seven-letter mixed-case names. The same 21 paths reappear as the targets of the WriteProcessMemory events and as child processes further down, so every dropped file is also executed.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the right XMRig enables so that RandomX can use large pages, which is why its use by an unsigned binary running from %TEMP% fits the miner signatures above. Legitimate holders of this right (database servers, for example) are few and known, so an allow-list keeps the check quiet.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ShkJORX.exe
PID 2348 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ShkJORX.exe
PID 2348 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\STompFf.exe
PID 2348 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\STompFf.exe
PID 2348 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\NTWMHnO.exe
PID 2348 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\NTWMHnO.exe
PID 2348 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\avmEILp.exe
PID 2348 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\avmEILp.exe
PID 2348 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\kPdruSp.exe
PID 2348 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\kPdruSp.exe
PID 2348 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\dZNbGap.exe
PID 2348 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\dZNbGap.exe
PID 2348 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ojGRNOP.exe
PID 2348 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ojGRNOP.exe
PID 2348 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\JeUjfQr.exe
PID 2348 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\JeUjfQr.exe
PID 2348 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\tFbUsdU.exe
PID 2348 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\tFbUsdU.exe
PID 2348 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\dFtPGNK.exe
PID 2348 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\dFtPGNK.exe
PID 2348 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\tewTPUj.exe
PID 2348 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\tewTPUj.exe
PID 2348 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZBeQdrT.exe
PID 2348 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZBeQdrT.exe
PID 2348 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\qkpJCoa.exe
PID 2348 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\qkpJCoa.exe
PID 2348 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\iOpJMjz.exe
PID 2348 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\iOpJMjz.exe
PID 2348 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\wXrqBgc.exe
PID 2348 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\wXrqBgc.exe
PID 2348 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\fOIUPzJ.exe
PID 2348 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\fOIUPzJ.exe
PID 2348 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\wisnVwH.exe
PID 2348 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\wisnVwH.exe
PID 2348 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\lgdPyzZ.exe
PID 2348 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\lgdPyzZ.exe
PID 2348 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\nThjuiR.exe
PID 2348 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\nThjuiR.exe
PID 2348 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\mQFgAfj.exe
PID 2348 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\mQFgAfj.exe
PID 2348 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\JDLGERE.exe
PID 2348 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\JDLGERE.exe
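The three signature tables above (files dropped into C:\Windows\System\, each one written to and launched by the parent, and SeLockMemoryPrivilege enabled) describe a pattern that is easy to turn into host detection logic. The following is an added example, not part of the sandbox report or of any vendor product: it runs over a handful of constructed events in a simplified dict form standing in for Sysmon Event ID 11 (FileCreate), Sysmon Event ID 1 (ProcessCreate) and Windows Security Event ID 4703 (user right adjusted). The PIDs, paths and privilege name are taken from this report; the SQL Server path in the allow-list is a hypothetical illustration of a legitimate holder of that right. Matching is case-insensitive because the two detonations log the directory as both "System" and "system".

```python
"""Detection logic for the drop-and-execute and privilege pattern in this report.

Added example: not part of the sandbox report or of any vendor product. The
events below are constructed and use a simplified dict form standing in for
Sysmon Event ID 11 / Event ID 1 and Security Event ID 4703.
"""
import re
from collections import defaultdict

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe")

# Seven-letter mixed-case names dropped directly under C:\Windows\System\.
DROPPED_EXE_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# XMRig enables SeLockMemoryPrivilege so RandomX can use large pages.
MINER_PRIVILEGES = {"SeLockMemoryPrivilege"}

# Constructed sample events (not real log output).
EVENTS = [
    {"src": "sysmon", "id": 11, "pid": 2348, "image": PARENT,
     "target": r"C:\Windows\System\ShkJORX.exe"},
    {"src": "sysmon", "id": 1, "pid": 2816, "parent_pid": 2348,
     "image": r"C:\Windows\System\ShkJORX.exe"},
    {"src": "sysmon", "id": 11, "pid": 2348, "image": PARENT,
     "target": r"C:\Windows\System\STompFf.exe"},
    {"src": "sysmon", "id": 1, "pid": 2264, "parent_pid": 2348,
     "image": r"C:\Windows\System\STompFf.exe"},
    {"src": "sysmon", "id": 11, "pid": 2348, "image": PARENT,
     "target": r"C:\Windows\System\NTWMHnO.exe"},
    {"src": "sysmon", "id": 1, "pid": 1052, "parent_pid": 2348,
     "image": r"C:\Windows\System\NTWMHnO.exe"},
    # Benign noise: an installer writing a DLL, explorer launching notepad.
    {"src": "sysmon", "id": 11, "pid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Windows\System32\example.dll"},
    {"src": "sysmon", "id": 1, "pid": 4100, "parent_pid": 3000,
     "image": r"C:\Windows\System32\notepad.exe"},
    # Security 4703: the sample and a (hypothetical) SQL Server both enable the right.
    {"src": "security", "id": 4703, "pid": 2348, "image": PARENT,
     "enabled": ["SeLockMemoryPrivilege"]},
    {"src": "security", "id": 4703, "pid": 1500,
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "enabled": ["SeLockMemoryPrivilege"]},
]


def drop_and_execute(events, min_children=3):
    """Return {parent_pid: [paths]} for parents that both create and launch at
    least min_children executables matching DROPPED_EXE_RE. Requiring both
    halves keeps a lone file write from firing the rule."""
    created = defaultdict(set)
    launched = defaultdict(set)
    for ev in events:
        if ev["src"] != "sysmon":
            continue
        if ev["id"] == 11 and DROPPED_EXE_RE.match(ev["target"]):
            created[ev["pid"]].add(ev["target"].lower())
        elif ev["id"] == 1 and DROPPED_EXE_RE.match(ev["image"]):
            launched[ev["parent_pid"]].add(ev["image"].lower())
    hits = {}
    for pid, paths in created.items():
        both = paths & launched.get(pid, set())
        if len(both) >= min_children:
            hits[pid] = sorted(both)
    return hits


def miner_privilege_hits(events, allowed_images=()):
    """Return [(pid, image, privileges)] for 4703 events that enable a privilege
    in MINER_PRIVILEGES from an image outside the allow-list."""
    allowed = {a.lower() for a in allowed_images}
    hits = []
    for ev in events:
        if ev["src"] != "security" or ev["id"] != 4703:
            continue
        enabled = set(ev["enabled"]) & MINER_PRIVILEGES
        if enabled and ev["image"].lower() not in allowed:
            hits.append((ev["pid"], ev["image"], sorted(enabled)))
    return hits


if __name__ == "__main__":
    sql = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
    for pid, paths in drop_and_execute(EVENTS).items():
        print(f"drop-and-execute from PID {pid}: {len(paths)} children")
    for pid, image, privs in miner_privilege_hits(EVENTS, allowed_images=[sql]):
        print(f"PID {pid} {image} enabled {privs}")
```

The threshold of three children is a tuning knob: this sample produced 21, and a single file written and launched from C:\Windows\System\ is not unheard of for installers, so requiring several from one parent within the same window keeps the rule specific.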

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ShkJORX.exe

C:\Windows\System\ShkJORX.exe

C:\Windows\System\STompFf.exe

C:\Windows\System\STompFf.exe

C:\Windows\System\NTWMHnO.exe

C:\Windows\System\NTWMHnO.exe

C:\Windows\System\avmEILp.exe

C:\Windows\System\avmEILp.exe

C:\Windows\System\kPdruSp.exe

C:\Windows\System\kPdruSp.exe

C:\Windows\System\dZNbGap.exe

C:\Windows\System\dZNbGap.exe

C:\Windows\System\ojGRNOP.exe

C:\Windows\System\ojGRNOP.exe

C:\Windows\System\JeUjfQr.exe

C:\Windows\System\JeUjfQr.exe

C:\Windows\System\tFbUsdU.exe

C:\Windows\System\tFbUsdU.exe

C:\Windows\System\dFtPGNK.exe

C:\Windows\System\dFtPGNK.exe

C:\Windows\System\tewTPUj.exe

C:\Windows\System\tewTPUj.exe

C:\Windows\System\ZBeQdrT.exe

C:\Windows\System\ZBeQdrT.exe

C:\Windows\System\qkpJCoa.exe

C:\Windows\System\qkpJCoa.exe

C:\Windows\System\iOpJMjz.exe

C:\Windows\System\iOpJMjz.exe

C:\Windows\System\wXrqBgc.exe

C:\Windows\System\wXrqBgc.exe

C:\Windows\System\fOIUPzJ.exe

C:\Windows\System\fOIUPzJ.exe

C:\Windows\System\wisnVwH.exe

C:\Windows\System\wisnVwH.exe

C:\Windows\System\lgdPyzZ.exe

C:\Windows\System\lgdPyzZ.exe

C:\Windows\System\nThjuiR.exe

C:\Windows\System\nThjuiR.exe

C:\Windows\System\mQFgAfj.exe

C:\Windows\System\mQFgAfj.exe

C:\Windows\System\JDLGERE.exe

C:\Windows\System\JDLGERE.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 88.251.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.121:443 www.bing.com tcp
US 8.8.8.8:53 121.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.121:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

The in-addr.arpa rows are reverse (PTR) lookups and the bing.com rows are typical Windows background traffic on this platform, so neither is attributable to the sample on its own. The six TCP connections to 3.120.209.58:8080 have an empty Domain column, meaning no DNS lookup preceded them (the connection is direct to IP); that destination is the one worth correlating with the sample's process tree and with the Cobalt Strike signatures above before treating it as an indicator.

Files

memory/2348-0-0x00007FF760430000-0x00007FF760781000-memory.dmp

memory/2348-1-0x0000021843D50000-0x0000021843D60000-memory.dmp

C:\Windows\System\ShkJORX.exe

MD5 3b1d2cd30ddf48ffda3009fe874393f0
SHA1 cbc1822e93c025f143d0698bd6903dd152a767db
SHA256 281b5a7f0260a1ddc5deb79bb13d191a7cd1a2cb299cdae1165b59ebe097c8a6
SHA512 e166b1667b7eda187fdfba73bd221c17457a27968a97b5e074aa3e45cf5d2317195f81e45a6dc51ce4a1cba40906c2939d1be682f82e4c4317dc527b5b9e7c88

memory/2816-6-0x00007FF762560000-0x00007FF7628B1000-memory.dmp

C:\Windows\System\STompFf.exe

MD5 e3f55f1b5a040896d8356725bb333d71
SHA1 a57cce631893d0e25267402869808645051c7547
SHA256 1b1eeedb59f0fc58a2afea9b299e6b79716544ea21c80726ce5a18ecb1148946
SHA512 aa8fbded958d0288779d06feffce64adab1a23ef07b8d5e080c989405ae43dd5aff791049d4263497d761f2ed94a37104dfc758a0db40ba6e1e93bc28871fb2d

C:\Windows\System\NTWMHnO.exe

MD5 078ae1879b58d400f5b7b25b40441a2c
SHA1 80a50fdb8f32d39f1e1d54593d74966f2f534618
SHA256 2e66d88c7fe780177d58874599e726cf7f0be7dd51aebbf7efd44be8555149d1
SHA512 2b9272f3b1504bbe0f5052be9a9f19278836412b8cf2062105d5413e443d80c1a323d196514455d17207c754c103ef0fe7cc8a5fee9558d2f699f1a6fbb82b64

memory/2264-16-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp

memory/1052-20-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp

C:\Windows\System\avmEILp.exe

MD5 cf1479e784ee45ba0954cac5c2b8ab25
SHA1 a51c6c267321c22b6aa29b0ef859eeb6ac27822d
SHA256 c28fa468cbc09569715bdc1b01f66899ce9acf7247af6c627b6a054f1384a287
SHA512 b09e8ea21aebaa62214fae348ba74d1ed97ece6e31f4a1396a443f1b18d5b15bd3fc3a18475f4d261823e654e000f5c260fb9fffd0a7e656e57f3ace08a9345d

memory/1260-26-0x00007FF79F640000-0x00007FF79F991000-memory.dmp

C:\Windows\System\kPdruSp.exe

MD5 55cf3231dea085eb0443e000a26fe44b
SHA1 00dc401f5dcafcbe9c962f9ce99db431dd183d69
SHA256 c37c7bb34d4aab390c2887ca80251a349d0a6e3d52d3bb34dbd8b711405988d6
SHA512 8e56e51442175e9c6d329c5951b0fd21a40e51076211ebd249cfbf07ea92ca8164e9333d523ae0d5fc15d79eb535cc038e1b18676a6fe679c31fc19eb9b4dff9

memory/2528-37-0x00007FF6984F0000-0x00007FF698841000-memory.dmp

memory/4952-42-0x00007FF72C3C0000-0x00007FF72C711000-memory.dmp

memory/4468-47-0x00007FF656CD0000-0x00007FF657021000-memory.dmp

memory/3820-52-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp

C:\Windows\System\dFtPGNK.exe

MD5 834fd0f948e3730cb7fc46a4c7170c7a
SHA1 82de6056c70a00c5c552509256fab052c27de379
SHA256 9a1c3dfcacb8a87992e592c3b78692f707a9ecb86e6fedee8fed940b655146f7
SHA512 dc7306f4a03db0450da9261e567ec10bef1468ee125eeaa43f351e64c87bc536f4723733481170e6343642d4fe6119a75ba214b7cc831617a096d364bf5d9ef3

C:\Windows\System\qkpJCoa.exe

MD5 9ea4418f412d7e1420ee0708f2693478
SHA1 6f7c4a094350df13446394182c9af9a74a1342ed
SHA256 dcd04d07fa73a3a2379e2356fc1d2d8448b981dffec2403dba6d01d3d7f4456a
SHA512 0b08e600349d616f77e601fb68625ad4ff282c9d4c7d0f681e5ba1354b972a2d762e62dffbcaa3b85596cbc503cdef5f91895e82df73f79df93f30c24a561129

memory/464-80-0x00007FF76AD80000-0x00007FF76B0D1000-memory.dmp

memory/3224-86-0x00007FF64E8D0000-0x00007FF64EC21000-memory.dmp

memory/1224-89-0x00007FF6100C0000-0x00007FF610411000-memory.dmp

memory/2264-88-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp

memory/2816-87-0x00007FF762560000-0x00007FF7628B1000-memory.dmp

C:\Windows\System\iOpJMjz.exe

MD5 54f49817441783f43999cd59e302148c
SHA1 fb724210f7b8e1a6484cd18adf3bbd2fa8c3c78f
SHA256 27514bd162d31aa80bde7d30cd90b11621d1e01e075f53a3dd9b8433b0b7e167
SHA512 e1c34eafd2a3335725ecdf5acb4d622c1d0bbaef74fed794ed2ce98a64387afef7451a4880564fa270680d51307f7456a185ee50c8f9162ab86fb8a1798082df

memory/5068-81-0x00007FF716CF0000-0x00007FF717041000-memory.dmp

memory/2348-76-0x00007FF760430000-0x00007FF760781000-memory.dmp

C:\Windows\System\ZBeQdrT.exe

MD5 0785fea7dd66dec2130c2ec5a7ca1f70
SHA1 3b3ef960d136b16d624fbc4d73e2fc6ba4169ab1
SHA256 1b537091e861936bcb7bd6f723b9509811900cdbc6a4546f1af544e30197fea3
SHA512 01359c53bf6f0e1e69197d10b39aa9051f5957144b56ec99036b5e788e14a35df85e192886ef9874cc2c55686ccb50d67695131ee4fc1b8e0bcaf168eba8d49e

C:\Windows\System\tewTPUj.exe

MD5 8231afc5a3207995276d2ea432a743e3
SHA1 55cbb303c874a357f4539b09fedb24ee02d308b4
SHA256 878b624bad8f5ec4b2d3b4fc9bb1fa974a0569971f1d2559b11a40c5e353111c
SHA512 d7e8311cbb037c187444cda1797b78c9747d251ad1497e3cda32d16c945517161e699ef8b6adbea82c934dca3b23577a69459583141faadf78a5ecbe940f7ea6

memory/2864-62-0x00007FF60A430000-0x00007FF60A781000-memory.dmp

C:\Windows\System\tFbUsdU.exe

MD5 843baa6df3ccf6ad8019d388cec46e36
SHA1 57eba8f672fe7ed5ab804518009cf5f09dda5cd2
SHA256 fafeabc6f900ce05205e737d86bdfc2d8f8009e1880d4a10e9f77eda7091d04e
SHA512 7f99aaf746f6129ac3bd853bcabadf6e27576a5eb8f51d60f7ea3f95b44e480465ef3c89762078a17e944fd1c03b9c26d4819ad05f64ffdc5bfb574cdd18e315

C:\Windows\System\JeUjfQr.exe

MD5 bdbf24eb091efb2a04a3a00f6643daf9
SHA1 a6cee34328a6f788e2408a5e7c270f14260a01a9
SHA256 350c267ea4d59d3333c4078ae377cda5249fa8e6fd9059346929b65287bbbe1d
SHA512 714591e586f640be1758b40353f398cb833a9d2d5bebf6105116a1e906e12057531a24c9e81f9cc73963b8c8e1f3b3d0197b1ce3ac92dd8b633e0a6aa06acc35

C:\Windows\System\ojGRNOP.exe

MD5 9b72fb1ad6709dafcc2bc107cbaa0987
SHA1 8e282ebe529ba4d3f8926023af17155952461765
SHA256 8888a1198d48f83bf813f8a11613e2ed25748b4ebb60e0210cac7c672ad5649e
SHA512 a616ea5e99d9ec8ee00a1af083f493d3f928ddbaf924ad8cb2d8761832eecaf5675cb06b3310151349b442e51ef114d876a84e02c3fa85c88c3dd81eaf171955

memory/3860-45-0x00007FF692980000-0x00007FF692CD1000-memory.dmp

C:\Windows\System\dZNbGap.exe

MD5 ad650abef55b7591aba7c5b5aae11b59
SHA1 33b4af0959a777b6bf424777d40fe56552ae6025
SHA256 f1d8fdf4777bd6fa06834b7e5733dc3feee8c2d94425fc4633506fca426aafb7
SHA512 cb38586e3d4738399fa79b1ecbbcd7da9f23af466561cebf04ff9fce539648f190feb2b6804f49dc588e89728cde87eeacbb9ff54a7d04b639578742ae51cf9c

C:\Windows\System\wXrqBgc.exe

MD5 07c88d1c9ca4b2a5135a74881fa47223
SHA1 c62b183b5bae662d3e8d8ee2840785e1e2c19ede
SHA256 5fe18ae6e3937cf6cf5556c3467991147b76ba0988612495b652b81f6aadd96c
SHA512 2bf4ca4f42f4ba84906900a05b5011c8684668989785ffd78a5f27083230e9fc30023e09f8eb58086be0e8f4d8061507eec40b8d4426adcc2806568294904422

memory/816-95-0x00007FF7D2AD0000-0x00007FF7D2E21000-memory.dmp

memory/1052-100-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp

C:\Windows\System\fOIUPzJ.exe

MD5 1483ef5dec1fa44cbda3ff2566120b70
SHA1 f4b0622254c0a89a6b8113ef67eeb5de9d8dd65d
SHA256 d3a39f3566a88d95217c62fc67c5f6424a28ec7c781b6a40dca983f0920f62c4
SHA512 820206ab20bdabe193cf513b34695a95650f8ebf9c3c2e34f569d67e1a8c9f9d1243b324068246b1015256274c0a74bceffda3829d2b320655b361e9eb49b8b3

C:\Windows\System\wisnVwH.exe

MD5 b79b91abe32d09a789e21c2721cc4963
SHA1 33d839f41bfe3748df6f5bd3870d0eb015e16777
SHA256 fc355971d7a57721494120a5a7c1d72d2ff1e5ec24f31280fbc624de59f10116
SHA512 437b0a00c427879421e5992dfbc936e7ffa82debe1db45e9aab649e51da495075b64148fee65efe4de503fb8b03e4a2ad6ec1e3af315f7e3296a51a8e9036102

memory/1260-108-0x00007FF79F640000-0x00007FF79F991000-memory.dmp

memory/3620-111-0x00007FF65DBE0000-0x00007FF65DF31000-memory.dmp

C:\Windows\System\lgdPyzZ.exe

MD5 1c2eab634874e0a1b0dcd5a19cd0f87c
SHA1 9bbc2c227f64f953fa97ef1cdc342c04fd39ae87
SHA256 33a398f9ce8f6d6589c3fa79d4c8d29d620481111b54fb109abed7ac8288b6da
SHA512 14fb0537a534a9a7c354f44c577291a35459b04ceb7c85b4f0476a4db12930e043964b808eeb69c8497ac7cba60b5002c232935583dcf7dc67e14838a9586dcb

memory/4584-104-0x00007FF707FB0000-0x00007FF708301000-memory.dmp

memory/4512-116-0x00007FF767F40000-0x00007FF768291000-memory.dmp

C:\Windows\System\nThjuiR.exe

MD5 a95f23ebad58c58de7809a72cacc34b1
SHA1 ce55b4ae53d5a26199586533036be7ca5679b825
SHA256 8a3ba6e694b07ba109e5ad8fa6849b19bbfb250d063575ac1792f92fb21d0ce4
SHA512 318d1356b2b0963578e2bd15bd3b3557ed04edb11bf57a92d0b07b617211d2736ff50f3edc936a90afc96433d894deef14a8dbc06d7b2a8aaaf160497404a0a0

C:\Windows\System\mQFgAfj.exe

MD5 8759b45b815fb788ea0cbae73170753a
SHA1 a80ba893ac161653a5bb4444d92b02d702796fa7
SHA256 9c6c6894bccb7001aa471c1e5e7c55cc64c6e6e797344a1a4d21b791de170df4
SHA512 66883932767816a6fad72d8667f66224abfad2d44f872c56e3e3c6325d60c3dc15488b26ecee0f5a33a0cbb39025e9e1c92edcaead2f9c3c7ef0c3bb9c711d0b

C:\Windows\System\JDLGERE.exe

MD5 e5fbd52da7ecb2111908c3d9537d4471
SHA1 ec7381a20fa6380d5cb8229fbcdc0f4933655473
SHA256 de583db6a9ae0183526ff5993feff6ca87cbf01201b4a791b396a3505ade1d84
SHA512 f5bea2543635e05956321ff1a8be1501b9191e290de467970005e29e0b6c038fd2b92f385d90e5159ac0940c3888290da41e86a4e2ba336023dc3931a8e0ec12

memory/4468-129-0x00007FF656CD0000-0x00007FF657021000-memory.dmp

memory/2384-137-0x00007FF653DB0000-0x00007FF654101000-memory.dmp

memory/1996-133-0x00007FF64C800000-0x00007FF64CB51000-memory.dmp

memory/1276-139-0x00007FF646C00000-0x00007FF646F51000-memory.dmp

memory/3860-138-0x00007FF692980000-0x00007FF692CD1000-memory.dmp

memory/2864-145-0x00007FF60A430000-0x00007FF60A781000-memory.dmp

memory/3820-144-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp

memory/5068-148-0x00007FF716CF0000-0x00007FF717041000-memory.dmp

memory/2348-151-0x00007FF760430000-0x00007FF760781000-memory.dmp

memory/4584-152-0x00007FF707FB0000-0x00007FF708301000-memory.dmp

memory/2816-200-0x00007FF762560000-0x00007FF7628B1000-memory.dmp

memory/2264-208-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp

memory/1052-210-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp

memory/1260-212-0x00007FF79F640000-0x00007FF79F991000-memory.dmp

memory/2528-214-0x00007FF6984F0000-0x00007FF698841000-memory.dmp

memory/4952-216-0x00007FF72C3C0000-0x00007FF72C711000-memory.dmp

memory/4468-218-0x00007FF656CD0000-0x00007FF657021000-memory.dmp

memory/3860-220-0x00007FF692980000-0x00007FF692CD1000-memory.dmp

memory/3820-222-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp

memory/2864-224-0x00007FF60A430000-0x00007FF60A781000-memory.dmp

memory/464-228-0x00007FF76AD80000-0x00007FF76B0D1000-memory.dmp

memory/3224-227-0x00007FF64E8D0000-0x00007FF64EC21000-memory.dmp

memory/5068-232-0x00007FF716CF0000-0x00007FF717041000-memory.dmp

memory/1224-231-0x00007FF6100C0000-0x00007FF610411000-memory.dmp

memory/816-235-0x00007FF7D2AD0000-0x00007FF7D2E21000-memory.dmp

memory/4584-237-0x00007FF707FB0000-0x00007FF708301000-memory.dmp

memory/3620-239-0x00007FF65DBE0000-0x00007FF65DF31000-memory.dmp

memory/4512-241-0x00007FF767F40000-0x00007FF768291000-memory.dmp

memory/2384-244-0x00007FF653DB0000-0x00007FF654101000-memory.dmp

memory/1276-247-0x00007FF646C00000-0x00007FF646F51000-memory.dmp

memory/1996-248-0x00007FF64C800000-0x00007FF64CB51000-memory.dmp
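The Files listings of both detonations interleave dropped-file hash blocks with memory dump names of the form memory/PID-SEQ-0xSTART-0xEND-memory.dmp. Two things a practitioner wants from them are a deduplicated hash list and the size of each dumped region: subtracting START from END for the dumps above gives the same 0x351000 bytes for the parent, for every child and for the behavioral1 PIDs, which is what one PE image mapped at different ASLR bases looks like (an inference from the numbers, not something the report states). The parser below is an added example and not part of the report; REPORT_EXCERPT is a constructed excerpt copied from the listings above (one file from each detonation plus a few dump names), and the code walks the full section the same way.

```python
"""Extract IOCs and memory-region sizes from the Files listings of this report.

Added example, not part of the report. REPORT_EXCERPT is a constructed
excerpt copied from the Files sections (one behavioral2 file, one
behavioral1 file and a few memory dump names).
"""
import re
from collections import defaultdict

REPORT_EXCERPT = r"""
memory/2348-0-0x00007FF760430000-0x00007FF760781000-memory.dmp

memory/2348-1-0x0000021843D50000-0x0000021843D60000-memory.dmp

C:\Windows\System\ShkJORX.exe

MD5 3b1d2cd30ddf48ffda3009fe874393f0
SHA1 cbc1822e93c025f143d0698bd6903dd152a767db
SHA256 281b5a7f0260a1ddc5deb79bb13d191a7cd1a2cb299cdae1165b59ebe097c8a6
SHA512 e166b1667b7eda187fdfba73bd221c17457a27968a97b5e074aa3e45cf5d2317195f81e45a6dc51ce4a1cba40906c2939d1be682f82e4c4317dc527b5b9e7c88

memory/2816-6-0x00007FF762560000-0x00007FF7628B1000-memory.dmp

C:\Windows\system\WrbIHQG.exe

MD5 0c84d219721afda25605e12c6d81af34
SHA1 c11356823a169a52fe3a1e89b1b7431168800c6c
SHA256 5ff8e7067323fcfd4418b3fc6843acb8745b3dd3e9315461d1bc2a11e6337430
SHA512 42c614d0faef3ea652169481bd2156d13804bd30a66288a828b60cdd7d59659a0453538a7c819e9b61750e360404c672eeccf59c611faa617e994becc1828683

memory/1868-107-0x00000000024F0000-0x0000000002841000-memory.dmp

memory/1868-100-0x000000013F690000-0x000000013F9E1000-memory.dmp
"""

# Report line shapes: a dropped-file path, an "<ALGO> <hex>" hash line, and
# "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp" for a dumped region.
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (files, regions): files maps each dropped path to its hashes,
    regions is a list of {pid, seq, start, size} for each memory dump name.
    A digest of the wrong length is rejected rather than silently recorded."""
    files, regions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "seq": int(m[2]),
                            "start": start, "size": end - start})
            continue
        if PATH_RE.match(line):
            current = line
            files[current] = {}
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m[1], m[2].lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest for {current} has {len(digest)} hex chars")
            files[current][algo] = digest
    return files, regions


def region_size_histogram(regions):
    """Group dumped regions by size: {size_in_bytes: sorted PIDs}. One size
    recurring across many PIDs suggests the same image mapped at different
    (ASLR-randomised) bases."""
    by_size = defaultdict(set)
    for r in regions:
        by_size[r["size"]].add(r["pid"])
    return {size: sorted(pids) for size, pids in by_size.items()}


def sha256_iocs(files):
    """Deduplicated SHA256 list, ready for a blocklist or a retro-hunt."""
    return sorted({h["SHA256"] for h in files.values() if "SHA256" in h})


if __name__ == "__main__":
    files, regions = parse_files_section(REPORT_EXCERPT)
    for size, pids in region_size_histogram(regions).items():
        print(f"region size 0x{size:X} ({size} bytes) in PIDs {pids}")
    for digest in sha256_iocs(files):
        print(digest)
```

The 64 KB region at 0x21843D50000 in PID 2348 is included deliberately so the histogram shows two buckets: the small private allocation in the parent and the 0x351000-byte image that the parent, every child and the behavioral1 processes all share.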