Malware Analysis Report

2025-01-22 19:41

Sample ID 240601-cabt8adf7y
Target 2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike
SHA256 8e35f57d4f433eab255f82c17e71d38c4371ed681105097f2a01d89d13664052
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

8e35f57d4f433eab255f82c17e71d38c4371ed681105097f2a01d89d13664052

Threat Level: Known bad

The file 2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

Xmrig family

xmrig

UPX dump on OEP (original entry point)

XMRig Miner payload

Cobaltstrike

Detects Reflective DLL injection artifacts

Cobaltstrike family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 01:51

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 01:51

Reported

2024-06-01 01:54

Platform

win7-20240508-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\jvuMnzQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aTYQPwY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RnuAaMf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AngXGYT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hcJWWdI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nFxyBNB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EdRvvTw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IGEBLac.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HzYaeZL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kZpYLMu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pLElGtD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uGfhdll.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UrIpatI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QyEexpF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gbhBxsD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CZUXLRf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DzgALgw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IqZZNAL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wnqFhWD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BqIXEFd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lOPufms.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\IqZZNAL.exe
PID 2072 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\IqZZNAL.exe
PID 2072 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\IqZZNAL.exe
PID 2072 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\wnqFhWD.exe
PID 2072 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\wnqFhWD.exe
PID 2072 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\wnqFhWD.exe
PID 2072 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\jvuMnzQ.exe
PID 2072 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\jvuMnzQ.exe
PID 2072 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\jvuMnzQ.exe
PID 2072 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\uGfhdll.exe
PID 2072 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\uGfhdll.exe
PID 2072 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\uGfhdll.exe
PID 2072 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\UrIpatI.exe
PID 2072 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\UrIpatI.exe
PID 2072 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\UrIpatI.exe
PID 2072 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\IGEBLac.exe
PID 2072 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\IGEBLac.exe
PID 2072 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\IGEBLac.exe
PID 2072 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\aTYQPwY.exe
PID 2072 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\aTYQPwY.exe
PID 2072 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\aTYQPwY.exe
PID 2072 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\QyEexpF.exe
PID 2072 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\QyEexpF.exe
PID 2072 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\QyEexpF.exe
PID 2072 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\gbhBxsD.exe
PID 2072 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\gbhBxsD.exe
PID 2072 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\gbhBxsD.exe
PID 2072 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\RnuAaMf.exe
PID 2072 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\RnuAaMf.exe
PID 2072 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\RnuAaMf.exe
PID 2072 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\HzYaeZL.exe
PID 2072 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\HzYaeZL.exe
PID 2072 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\HzYaeZL.exe
PID 2072 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\AngXGYT.exe
PID 2072 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\AngXGYT.exe
PID 2072 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\AngXGYT.exe
PID 2072 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\BqIXEFd.exe
PID 2072 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\BqIXEFd.exe
PID 2072 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\BqIXEFd.exe
PID 2072 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\CZUXLRf.exe
PID 2072 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\CZUXLRf.exe
PID 2072 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\CZUXLRf.exe
PID 2072 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\hcJWWdI.exe
PID 2072 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\hcJWWdI.exe
PID 2072 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\hcJWWdI.exe
PID 2072 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\lOPufms.exe
PID 2072 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\lOPufms.exe
PID 2072 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\lOPufms.exe
PID 2072 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\kZpYLMu.exe
PID 2072 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\kZpYLMu.exe
PID 2072 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\kZpYLMu.exe
PID 2072 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\DzgALgw.exe
PID 2072 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\DzgALgw.exe
PID 2072 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\DzgALgw.exe
PID 2072 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\nFxyBNB.exe
PID 2072 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\nFxyBNB.exe
PID 2072 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\nFxyBNB.exe
PID 2072 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\pLElGtD.exe
PID 2072 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\pLElGtD.exe
PID 2072 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\pLElGtD.exe
PID 2072 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\EdRvvTw.exe
PID 2072 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\EdRvvTw.exe
PID 2072 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\EdRvvTw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\IqZZNAL.exe

C:\Windows\System\IqZZNAL.exe

C:\Windows\System\wnqFhWD.exe

C:\Windows\System\wnqFhWD.exe

C:\Windows\System\jvuMnzQ.exe

C:\Windows\System\jvuMnzQ.exe

C:\Windows\System\uGfhdll.exe

C:\Windows\System\uGfhdll.exe

C:\Windows\System\UrIpatI.exe

C:\Windows\System\UrIpatI.exe

C:\Windows\System\IGEBLac.exe

C:\Windows\System\IGEBLac.exe

C:\Windows\System\aTYQPwY.exe

C:\Windows\System\aTYQPwY.exe

C:\Windows\System\QyEexpF.exe

C:\Windows\System\QyEexpF.exe

C:\Windows\System\gbhBxsD.exe

C:\Windows\System\gbhBxsD.exe

C:\Windows\System\RnuAaMf.exe

C:\Windows\System\RnuAaMf.exe

C:\Windows\System\HzYaeZL.exe

C:\Windows\System\HzYaeZL.exe

C:\Windows\System\AngXGYT.exe

C:\Windows\System\AngXGYT.exe

C:\Windows\System\BqIXEFd.exe

C:\Windows\System\BqIXEFd.exe

C:\Windows\System\CZUXLRf.exe

C:\Windows\System\CZUXLRf.exe

C:\Windows\System\hcJWWdI.exe

C:\Windows\System\hcJWWdI.exe

C:\Windows\System\lOPufms.exe

C:\Windows\System\lOPufms.exe

C:\Windows\System\kZpYLMu.exe

C:\Windows\System\kZpYLMu.exe

C:\Windows\System\DzgALgw.exe

C:\Windows\System\DzgALgw.exe

C:\Windows\System\nFxyBNB.exe

C:\Windows\System\nFxyBNB.exe

C:\Windows\System\pLElGtD.exe

C:\Windows\System\pLElGtD.exe

C:\Windows\System\EdRvvTw.exe

C:\Windows\System\EdRvvTw.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files


memory/2072-35-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2616-33-0x000000013F1D0000-0x000000013F524000-memory.dmp

C:\Windows\system\IGEBLac.exe

MD5 ebef2524d1bbd95fd268eef280fb7eba
SHA1 f9980fac731e2394f84c842f72fb82adbc23bcfe
SHA256 0cb2130f23c6410323bbee12bb748a7310d95179a87b24a6e943972540095239
SHA512 5d44a4477c25eb4ced7c8f880fd228be677692ea301ef0986f71a8905844f3492645c4290a810a6f1311858a03f7f831a9a0ef652f4e5badfbd6e983ff12fd5a

memory/2072-30-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/1740-17-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2592-140-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2144-141-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/2072-142-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/1836-143-0x000000013F4B0000-0x000000013F804000-memory.dmp

memory/2780-144-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/2072-145-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/1740-146-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/3056-147-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/2988-148-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2616-149-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2832-150-0x000000013F9F0000-0x000000013FD44000-memory.dmp

memory/2684-151-0x000000013F020000-0x000000013F374000-memory.dmp

memory/2748-152-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2584-153-0x000000013F5D0000-0x000000013F924000-memory.dmp

memory/2464-154-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2592-155-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2144-156-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/1040-157-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/1836-158-0x000000013F4B0000-0x000000013F804000-memory.dmp

memory/2780-159-0x000000013F2B0000-0x000000013F604000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 01:51

Reported

2024-06-01 01:54

Platform

win10v2004-20240426-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IBCfRAF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VhNdvpI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BUaWrBw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NypCsQJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HkfhfbQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DSkLCxp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RMxXqzs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lNdFlhh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\snXvShk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AekQMHB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uhSczTj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RaIyLDM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xsqAceI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bQYhChl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BfFWNUW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CGuCToQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kwQfKkH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wwcZkUk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XhfJUGT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ToTlrmN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OCWrrBw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\OCWrrBw.exe
PID 2108 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\OCWrrBw.exe
PID 2108 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\lNdFlhh.exe
PID 2108 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\lNdFlhh.exe
PID 2108 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\BfFWNUW.exe
PID 2108 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\BfFWNUW.exe
PID 2108 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\CGuCToQ.exe
PID 2108 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\CGuCToQ.exe
PID 2108 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\IBCfRAF.exe
PID 2108 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\IBCfRAF.exe
PID 2108 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\VhNdvpI.exe
PID 2108 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\VhNdvpI.exe
PID 2108 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\uhSczTj.exe
PID 2108 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\uhSczTj.exe
PID 2108 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\BUaWrBw.exe
PID 2108 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\BUaWrBw.exe
PID 2108 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\kwQfKkH.exe
PID 2108 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\kwQfKkH.exe
PID 2108 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\wwcZkUk.exe
PID 2108 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\wwcZkUk.exe
PID 2108 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\AekQMHB.exe
PID 2108 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\AekQMHB.exe
PID 2108 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\snXvShk.exe
PID 2108 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\snXvShk.exe
PID 2108 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\NypCsQJ.exe
PID 2108 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\NypCsQJ.exe
PID 2108 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\HkfhfbQ.exe
PID 2108 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\HkfhfbQ.exe
PID 2108 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\XhfJUGT.exe
PID 2108 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\XhfJUGT.exe
PID 2108 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\DSkLCxp.exe
PID 2108 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\DSkLCxp.exe
PID 2108 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\RaIyLDM.exe
PID 2108 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\RaIyLDM.exe
PID 2108 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\xsqAceI.exe
PID 2108 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\xsqAceI.exe
PID 2108 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\RMxXqzs.exe
PID 2108 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\RMxXqzs.exe
PID 2108 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\ToTlrmN.exe
PID 2108 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\ToTlrmN.exe
PID 2108 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\bQYhChl.exe
PID 2108 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe C:\Windows\System\bQYhChl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\OCWrrBw.exe

C:\Windows\System\OCWrrBw.exe

C:\Windows\System\lNdFlhh.exe

C:\Windows\System\lNdFlhh.exe

C:\Windows\System\BfFWNUW.exe

C:\Windows\System\BfFWNUW.exe

C:\Windows\System\CGuCToQ.exe

C:\Windows\System\CGuCToQ.exe

C:\Windows\System\IBCfRAF.exe

C:\Windows\System\IBCfRAF.exe

C:\Windows\System\VhNdvpI.exe

C:\Windows\System\VhNdvpI.exe

C:\Windows\System\uhSczTj.exe

C:\Windows\System\uhSczTj.exe

C:\Windows\System\BUaWrBw.exe

C:\Windows\System\BUaWrBw.exe

C:\Windows\System\kwQfKkH.exe

C:\Windows\System\kwQfKkH.exe

C:\Windows\System\wwcZkUk.exe

C:\Windows\System\wwcZkUk.exe

C:\Windows\System\AekQMHB.exe

C:\Windows\System\AekQMHB.exe

C:\Windows\System\snXvShk.exe

C:\Windows\System\snXvShk.exe

C:\Windows\System\NypCsQJ.exe

C:\Windows\System\NypCsQJ.exe

C:\Windows\System\HkfhfbQ.exe

C:\Windows\System\HkfhfbQ.exe

C:\Windows\System\XhfJUGT.exe

C:\Windows\System\XhfJUGT.exe

C:\Windows\System\DSkLCxp.exe

C:\Windows\System\DSkLCxp.exe

C:\Windows\System\RaIyLDM.exe

C:\Windows\System\RaIyLDM.exe

C:\Windows\System\xsqAceI.exe

C:\Windows\System\xsqAceI.exe

C:\Windows\System\RMxXqzs.exe

C:\Windows\System\RMxXqzs.exe

C:\Windows\System\ToTlrmN.exe

C:\Windows\System\ToTlrmN.exe

C:\Windows\System\bQYhChl.exe

C:\Windows\System\bQYhChl.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files


memory/760-159-0x00007FF7B9420000-0x00007FF7B9774000-memory.dmp

memory/4192-158-0x00007FF739C90000-0x00007FF739FE4000-memory.dmp

memory/4488-149-0x00007FF619B70000-0x00007FF619EC4000-memory.dmp