Malware Analysis Report

2025-03-15 08:09

Sample ID: 240530-lrerwadd7v
Target: 2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike
SHA256: 271bb6abf65e6cb24fb3f383d69a6e701278a6cf09ab50e05f37017bdb29b36c
Tags: upx 0 miner cobaltstrike xmrig backdoor trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

xmrig

Cobaltstrike

Xmrig family

Cobaltstrike family

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-30 09:45

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-30 09:45
Reported: 2024-05-30 09:48
Platform: win7-20240221-en
Max time kernel: 140s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\aUHgJUC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YuNsJGI.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HwvoPeA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KFuPlRJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HpMfgqx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bMPhZtb.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JZBIkir.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HObKDZL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qnczIdi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nxRXpIh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tnzxOpj.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WvONLQs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sUKFgQR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gASJbtk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KsejixU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kRMreQH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GBXoTbx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qEtRZgY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kjKvVnX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QphDJDr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YoTiwjZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\tnzxOpj.exe
PID 2960 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\kRMreQH.exe
PID 2960 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\WvONLQs.exe
PID 2960 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\QphDJDr.exe
PID 2960 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\YoTiwjZ.exe
PID 2960 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\HpMfgqx.exe
PID 2960 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\bMPhZtb.exe
PID 2960 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\HwvoPeA.exe
PID 2960 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\KFuPlRJ.exe
PID 2960 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\GBXoTbx.exe
PID 2960 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\aUHgJUC.exe
PID 2960 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\JZBIkir.exe
PID 2960 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\HObKDZL.exe
PID 2960 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\gASJbtk.exe
PID 2960 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\qnczIdi.exe
PID 2960 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\nxRXpIh.exe
PID 2960 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\YuNsJGI.exe
PID 2960 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\qEtRZgY.exe
PID 2960 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\sUKFgQR.exe
PID 2960 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\KsejixU.exe
PID 2960 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\kjKvVnX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\tnzxOpj.exe

C:\Windows\System\kRMreQH.exe

C:\Windows\System\WvONLQs.exe

C:\Windows\System\QphDJDr.exe

C:\Windows\System\YoTiwjZ.exe

C:\Windows\System\HpMfgqx.exe

C:\Windows\System\bMPhZtb.exe

C:\Windows\System\HwvoPeA.exe

C:\Windows\System\KFuPlRJ.exe

C:\Windows\System\GBXoTbx.exe

C:\Windows\System\aUHgJUC.exe

C:\Windows\System\JZBIkir.exe

C:\Windows\System\HObKDZL.exe

C:\Windows\System\gASJbtk.exe

C:\Windows\System\qnczIdi.exe

C:\Windows\System\nxRXpIh.exe

C:\Windows\System\YuNsJGI.exe

C:\Windows\System\qEtRZgY.exe

C:\Windows\System\sUKFgQR.exe

C:\Windows\System\KsejixU.exe

C:\Windows\System\kjKvVnX.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2960-135-0x0000000002350000-0x00000000026A1000-memory.dmp

memory/2688-136-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/2580-137-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/2960-138-0x000000013F530000-0x000000013F881000-memory.dmp

memory/1728-142-0x000000013F6B0000-0x000000013FA01000-memory.dmp

memory/1856-153-0x000000013FC90000-0x000000013FFE1000-memory.dmp

memory/2464-151-0x000000013FC80000-0x000000013FFD1000-memory.dmp

memory/2484-150-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2424-149-0x000000013FB20000-0x000000013FE71000-memory.dmp

memory/2588-148-0x000000013F0B0000-0x000000013F401000-memory.dmp

memory/2948-152-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2760-147-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/2576-144-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/2644-143-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2740-156-0x000000013F7E0000-0x000000013FB31000-memory.dmp

memory/1604-159-0x000000013F190000-0x000000013F4E1000-memory.dmp

memory/1772-157-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2664-155-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/2692-154-0x000000013F030000-0x000000013F381000-memory.dmp

memory/2308-158-0x000000013FD20000-0x0000000140071000-memory.dmp

memory/2960-161-0x000000013FC80000-0x000000013FFD1000-memory.dmp

memory/2960-160-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2960-162-0x000000013F530000-0x000000013F881000-memory.dmp

memory/2960-184-0x000000013FC90000-0x000000013FFE1000-memory.dmp

memory/3056-208-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/2156-210-0x000000013F240000-0x000000013F591000-memory.dmp

memory/2512-212-0x000000013F210000-0x000000013F561000-memory.dmp

memory/1728-233-0x000000013F6B0000-0x000000013FA01000-memory.dmp

memory/2580-239-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/2484-237-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2644-236-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2576-243-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/1856-242-0x000000013FC90000-0x000000013FFE1000-memory.dmp

memory/2588-247-0x000000013F0B0000-0x000000013F401000-memory.dmp

memory/2760-253-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/2688-249-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/2424-256-0x000000013FB20000-0x000000013FE71000-memory.dmp

memory/2464-258-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 09:45

Reported

2024-05-30 09:48

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\qpvtobG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\poKkSTW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IVCAErH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eZlTiZe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IlHBnld.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tAOJRHT.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QiTrchS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RbaxhDS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uaGfRWU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JzFaEAJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EuMeUON.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vIwFuBX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZpCYNcG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pLXKwOr.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xYhjKQk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DIbPWhH.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nEfiuFp.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AFWnbKW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AGLyaTZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rOrBFOG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\znSsqpA.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\pLXKwOr.exe
PID 1848 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\QiTrchS.exe
PID 1848 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\nEfiuFp.exe
PID 1848 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\qpvtobG.exe
PID 1848 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\AFWnbKW.exe
PID 1848 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xYhjKQk.exe
PID 1848 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\RbaxhDS.exe
PID 1848 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\poKkSTW.exe
PID 1848 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\IVCAErH.exe
PID 1848 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\uaGfRWU.exe
PID 1848 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\DIbPWhH.exe
PID 1848 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\JzFaEAJ.exe
PID 1848 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\AGLyaTZ.exe
PID 1848 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\EuMeUON.exe
PID 1848 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\rOrBFOG.exe
PID 1848 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\eZlTiZe.exe
PID 1848 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\IlHBnld.exe
PID 1848 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\tAOJRHT.exe
PID 1848 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\znSsqpA.exe
PID 1848 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\vIwFuBX.exe
PID 1848 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZpCYNcG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\pLXKwOr.exe

C:\Windows\System\QiTrchS.exe

C:\Windows\System\nEfiuFp.exe

C:\Windows\System\qpvtobG.exe

C:\Windows\System\AFWnbKW.exe

C:\Windows\System\xYhjKQk.exe

C:\Windows\System\RbaxhDS.exe

C:\Windows\System\poKkSTW.exe

C:\Windows\System\IVCAErH.exe

C:\Windows\System\uaGfRWU.exe

C:\Windows\System\DIbPWhH.exe

C:\Windows\System\JzFaEAJ.exe

C:\Windows\System\AGLyaTZ.exe

C:\Windows\System\EuMeUON.exe

C:\Windows\System\rOrBFOG.exe

C:\Windows\System\eZlTiZe.exe

C:\Windows\System\IlHBnld.exe

C:\Windows\System\tAOJRHT.exe

C:\Windows\System\znSsqpA.exe

C:\Windows\System\vIwFuBX.exe

C:\Windows\System\ZpCYNcG.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 52.111.227.11:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 udp

Files
