Malware Analysis Report

2025-01-22 19:39

Sample ID 240601-cpakpsec9v
Target 2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike
SHA256 88d46dc0a05fd53639f0364ade97a26eaa60b76903d356ef502d04eeb7e45f33
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

88d46dc0a05fd53639f0364ade97a26eaa60b76903d356ef502d04eeb7e45f33

Threat Level: Known bad

The file 2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

xmrig

Cobaltstrike family

Xmrig family

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 02:14

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 02:14

Reported

2024-06-01 02:17

Platform

win7-20240221-en

Max time kernel

141s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (18 identical hits; no description, indicator, process or target recorded for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (18 identical hits; no description, indicator, process or target recorded for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical hits; no description, indicator, process or target recorded for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical hits; no description, indicator, process or target recorded for any of them)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A (21 identical events from this process; no description, indicator or target recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical hits; no description, indicator, process or target recorded for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\mggiSjD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gvjnVbh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cGjKaNs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eLhmdlp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\skzrASG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UbPdmsr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qJbwtlw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rqPoiOY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BtqvMmS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EqZgjeT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Dtdxano.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RNohDUU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZWhMfep.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dkRQjWb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wbfFIxV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xtqqwkX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\APqvtHG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lcwOkXn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MfHZcwh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zzVklUU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Abotbqm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\gvjnVbh.exe
PID 2968 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\gvjnVbh.exe
PID 2968 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\gvjnVbh.exe
PID 2968 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\APqvtHG.exe
PID 2968 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\APqvtHG.exe
PID 2968 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\APqvtHG.exe
PID 2968 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZWhMfep.exe
PID 2968 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZWhMfep.exe
PID 2968 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZWhMfep.exe
PID 2968 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\dkRQjWb.exe
PID 2968 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\dkRQjWb.exe
PID 2968 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\dkRQjWb.exe
PID 2968 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\cGjKaNs.exe
PID 2968 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\cGjKaNs.exe
PID 2968 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\cGjKaNs.exe
PID 2968 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\eLhmdlp.exe
PID 2968 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\eLhmdlp.exe
PID 2968 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\eLhmdlp.exe
PID 2968 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\lcwOkXn.exe
PID 2968 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\lcwOkXn.exe
PID 2968 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\lcwOkXn.exe
PID 2968 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\rqPoiOY.exe
PID 2968 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\rqPoiOY.exe
PID 2968 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\rqPoiOY.exe
PID 2968 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\MfHZcwh.exe
PID 2968 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\MfHZcwh.exe
PID 2968 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\MfHZcwh.exe
PID 2968 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\BtqvMmS.exe
PID 2968 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\BtqvMmS.exe
PID 2968 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\BtqvMmS.exe
PID 2968 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\EqZgjeT.exe
PID 2968 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\EqZgjeT.exe
PID 2968 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\EqZgjeT.exe
PID 2968 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\Dtdxano.exe
PID 2968 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\Dtdxano.exe
PID 2968 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\Dtdxano.exe
PID 2968 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\RNohDUU.exe
PID 2968 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\RNohDUU.exe
PID 2968 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\RNohDUU.exe
PID 2968 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\zzVklUU.exe
PID 2968 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\zzVklUU.exe
PID 2968 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\zzVklUU.exe
PID 2968 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\skzrASG.exe
PID 2968 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\skzrASG.exe
PID 2968 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\skzrASG.exe
PID 2968 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\UbPdmsr.exe
PID 2968 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\UbPdmsr.exe
PID 2968 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\UbPdmsr.exe
PID 2968 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\wbfFIxV.exe
PID 2968 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\wbfFIxV.exe
PID 2968 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\wbfFIxV.exe
PID 2968 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\qJbwtlw.exe
PID 2968 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\qJbwtlw.exe
PID 2968 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\qJbwtlw.exe
PID 2968 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\Abotbqm.exe
PID 2968 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\Abotbqm.exe
PID 2968 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\Abotbqm.exe
PID 2968 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\mggiSjD.exe
PID 2968 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\mggiSjD.exe
PID 2968 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\mggiSjD.exe
PID 2968 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\xtqqwkX.exe
PID 2968 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\xtqqwkX.exe
PID 2968 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\xtqqwkX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\gvjnVbh.exe

C:\Windows\System\gvjnVbh.exe

C:\Windows\System\APqvtHG.exe

C:\Windows\System\APqvtHG.exe

C:\Windows\System\ZWhMfep.exe

C:\Windows\System\ZWhMfep.exe

C:\Windows\System\dkRQjWb.exe

C:\Windows\System\dkRQjWb.exe

C:\Windows\System\cGjKaNs.exe

C:\Windows\System\cGjKaNs.exe

C:\Windows\System\eLhmdlp.exe

C:\Windows\System\eLhmdlp.exe

C:\Windows\System\lcwOkXn.exe

C:\Windows\System\lcwOkXn.exe

C:\Windows\System\rqPoiOY.exe

C:\Windows\System\rqPoiOY.exe

C:\Windows\System\MfHZcwh.exe

C:\Windows\System\MfHZcwh.exe

C:\Windows\System\BtqvMmS.exe

C:\Windows\System\BtqvMmS.exe

C:\Windows\System\EqZgjeT.exe

C:\Windows\System\EqZgjeT.exe

C:\Windows\System\Dtdxano.exe

C:\Windows\System\Dtdxano.exe

C:\Windows\System\RNohDUU.exe

C:\Windows\System\RNohDUU.exe

C:\Windows\System\zzVklUU.exe

C:\Windows\System\zzVklUU.exe

C:\Windows\System\skzrASG.exe

C:\Windows\System\skzrASG.exe

C:\Windows\System\UbPdmsr.exe

C:\Windows\System\UbPdmsr.exe

C:\Windows\System\wbfFIxV.exe

C:\Windows\System\wbfFIxV.exe

C:\Windows\System\qJbwtlw.exe

C:\Windows\System\qJbwtlw.exe

C:\Windows\System\Abotbqm.exe

C:\Windows\System\Abotbqm.exe

C:\Windows\System\mggiSjD.exe

C:\Windows\System\mggiSjD.exe

C:\Windows\System\xtqqwkX.exe

C:\Windows\System\xtqqwkX.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2968-0-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2968-1-0x00000000002F0000-0x0000000000300000-memory.dmp

\Windows\system\gvjnVbh.exe

MD5 9551a97504c27bb8df6143cb4fdb0863
SHA1 8beba8497c309f5aea2fac9cd7730daf38a521f4
SHA256 c09d57c233b857891ba7d4f5bd9f4bd4123278a2941512bb2bf4a594af768fb5
SHA512 ad3388014ab3fe8b9e9f54f9648042f292f1b4783433cd575e01aacb54b6e0662829a265f2b1095010c656815370a194af73a23176893f12e6b62a918f94711f

C:\Windows\system\APqvtHG.exe

MD5 81dddcda2357eab8b1fc766504194d7b
SHA1 f1363b4b68c3ca1c953b3b006e2de407aa167b21
SHA256 d18a684a7c9aa982ecf4ba6f61a21c9b0905ae9947eecbf9f5821ee403dd8b62
SHA512 1ed4c29b8c02bad54021b164806cd79114ca481cd2813027b296bf876e74cf1352e1a5ce20e569a8247a97bd759f9c2d80461cebab2272ee001e599572c6cef3

memory/2968-10-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/2796-14-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/2464-15-0x000000013F440000-0x000000013F794000-memory.dmp

C:\Windows\system\dkRQjWb.exe

MD5 3412689a63715a62805f1e1a1e26681c
SHA1 3e96e16a75bad6e1eca2dd3fba92bc99544d6825
SHA256 1951ae907ee2a9579db9025f42a50f5657e5e67713a6c4adb7659c35d0306ab6
SHA512 30629227c9a6285a1ab17cbdff6fbe2d02c746a8b9a3ae97247dae30221b1231c6e9746aec36e197bba8aeb25309c470f6a888f21b3368a66dbd5c8799cd9dd0

memory/2820-28-0x000000013F720000-0x000000013FA74000-memory.dmp

\Windows\system\dkRQjWb.exe

MD5 76bf0466328f407fb8356697751e9d17
SHA1 ab6d60cc0022bd9fcb09a7b133772948f1b44e71
SHA256 bc9432097e5cf86f7734fcdba0e6bde844e37f3c7c22e1538d1d567922da9884
SHA512 6cf2f8e6b124936088948bc61460f2c7dcf57e07e3b8a91ff6d8b8fbcfd1e6fcee7a878c2ad962cc9277cb4e28a8224410d0fb4788d1a0cedc18fa4f9e3db4a6

memory/2968-27-0x0000000002210000-0x0000000002564000-memory.dmp

C:\Windows\system\cGjKaNs.exe

MD5 9a62edcbf534cec0b79db8238d62fb70
SHA1 c62af0c4ce93035f2a620591c2fc2d7f4d325092
SHA256 a6d6e538a009077c7c0cfe756f808c3fdf78e136c6050706f75a01215f4ec5ea
SHA512 f5a9df47c301c7acc62b6a58da21a598dc27759c9c662e24ad3ae3629b802e6efdf46c4da7e436af0a6642c3bfe25ea8883a3c9b9c2e2dc0922820d66629bdf9

C:\Windows\system\eLhmdlp.exe

MD5 da49f1b1f2b96b49705866203751f59f
SHA1 1fb490e694febd4abb5609eba7058906c7c62fc1
SHA256 db17ce16538e3104d76c2865f6043929089867615332842fb4539363fa1e158f
SHA512 64230d121060a4ecf7e8546c8f3f841eea180c2377add458625a54155c0dd3d899c021538950ea3047fd426aed50dfc97cdf1f7e2bcab143f2777fd079bf8bf0

\Windows\system\eLhmdlp.exe

MD5 8a74009f7dd9c036cc12b3f189bd9ac6
SHA1 e53d33c260bb77d6ec7f4c05d6b7a52ccd5f9de0
SHA256 b349cfcd57c9962c2310b863621992c24963856bb8765a72596762e3d22c0932
SHA512 6b058797ebf39246aeec4041256bec3900d2fe258c40c7a628ad2f0a7c71cd84516d0e4598c1b869d273f2d776086698842e42f21ab1a8adea547d9c55a56876

\Windows\system\lcwOkXn.exe

MD5 f6cdfb3d88537b367792cbd894bd98ed
SHA1 3d3f99c94c72c456dffcf949bc5d30603a7e936c
SHA256 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86
SHA512 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

memory/2732-47-0x000000013FE80000-0x00000001401D4000-memory.dmp

C:\Windows\system\rqPoiOY.exe

MD5 38e1b7b0b9aa649f5c14f03127a6d132
SHA1 3917ca36707cd2c4dba6b6926d34a14a7bb117b1
SHA256 ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72
SHA512 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0

memory/2568-57-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2968-62-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2392-63-0x000000013F630000-0x000000013F984000-memory.dmp

C:\Windows\system\Dtdxano.exe

MD5 e8c4508a392ccf08590d3627a36cc3c3
SHA1 3a57dd6c92ebc54582acaafd15cc9311eb0d15a2
SHA256 cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d
SHA512 f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410

memory/2092-81-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/2656-96-0x000000013F320000-0x000000013F674000-memory.dmp

\Windows\system\xtqqwkX.exe

MD5 42ed348ff06c36680b3920f2fa2d6d5c
SHA1 58e96af96ff18706771238cff03dbe22eff179e1
SHA256 93903e3b7b64a8ea2928b1656e2f843088981754b3546e9a9c4b4e2dd3595439
SHA512 abb4c915808fde9e95f563b8637f03a4e9a90e421386e7fe42c76f40d73e5bc0be5776c31701a8c0b12f88cc46fa43644280a3d6e725264bd40359b3af68e30d

C:\Windows\system\mggiSjD.exe

MD5 06e7776c45522cd727375134e965e22f
SHA1 b3c6cc8ec21bae0f0aa8708062a4e0f18fd21432
SHA256 2e168c5305fc6931df6647569f2eac771398a9fe5bbc1782667bc1c201007bfb
SHA512 0b18810a5223438d648db6031a4bc963ddc222296395333088b069467dd1914822ad34fd9a3ff6c6694db24c914bdda3b30ab67d7943ad9a074d0ee7d9dc226d

\Windows\system\mggiSjD.exe

MD5 0d5922d66ecf7b23254aac7defebabc4
SHA1 f8f74ef7fceb8f6780890e2f0ba332016a8ad820
SHA256 8029813c118663f7da438f62d257b0c00141da5beb2bb27feb57c2a559600558
SHA512 a4fcefd8a3e122eee39a2017137d41c7fa9c5d1ee53662148494aa1fb89f76a4ebd28ffd2c626d59911e63857a55eda822637fdbf9a492f8c2446d19e91ce3dd

C:\Windows\system\Abotbqm.exe

MD5 793af579bfad95c31ad4a03390456f93
SHA1 c0dab586d18870223ffef1f667885fe6a802ce7f
SHA256 64622c439c50ec3a80030fe9b474b3793ca4f0128a371e8cebbbcd32b0853755
SHA512 b1c4fb1459418e1aaf987279d8a8921ff31b98413f33494300a9fb635c9adda993cd352208a32ff485f23e25a7e5a937e4cc36c36fef91722ee6cddeeda09165

C:\Windows\system\qJbwtlw.exe

MD5 ef9d2894dc7fd6bf56c8946f3b2b25a1
SHA1 8feb8f7d46e112949136f433bdd6465eefa01618
SHA256 cc2cf1199c493fc1c13bbb3a6a384ad8c6dec862c93ba537e793979eb5ae8f99
SHA512 0f45432ae711aa1a5b0624e2dfdc8c6c6423baaf55c7c6de8f149c95d5753087150974afaf1dd039e41018ffc2b41581eb65aa14c204929c6eae996cf294981a

C:\Windows\system\UbPdmsr.exe

MD5 6fb6863d9548f3879b1ba1b64fc45a68
SHA1 0dc40616de903c417cc9a8b581f9078af09ea60a
SHA256 b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82
SHA512 cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61

\Windows\system\UbPdmsr.exe

MD5 d087d60bee972482ba414dde57d94064
SHA1 0e58102d75409e85387c950e86f4cc96da371515
SHA256 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9
SHA512 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b

memory/2968-95-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2820-94-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2488-133-0x000000013F740000-0x000000013FA94000-memory.dmp

C:\Windows\system\wbfFIxV.exe

MD5 7cc5fbbea1692cf657e7ef0c5a977968
SHA1 2ae19a8b4e4e4d276e58c3645e5f83256ef4321a
SHA256 32f1ec516f7112312a6c3c21f6053293fce0007f315eea57788c867fd18ab650
SHA512 e2d7ff60d73e1453168bf43decabb08decb133da3c46b4eb519c00fbbc4a882f98021e47850a6c3dee36db83efc26367208d61e8b9489b5f1b7031373561a2b4

memory/2968-103-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2504-102-0x000000013FC20000-0x000000013FF74000-memory.dmp

C:\Windows\system\skzrASG.exe

MD5 5fa795b3b7fbfdb00bd1230752e0c717
SHA1 c04df1c0104752fc707883394c20b7a38d950291
SHA256 824077dfd6a62e9e36be5c206334d0508de5a3b956ad1bd496fa2e71eb9a9179
SHA512 de08f47b777576f6d8782f91ad503bcf8fdc3c8ebfac425ac7200b990be02ae05d557511a5745c3ce08c930b4d0fe264f704e0ed5826f20f19f9a35af8cd315a

\Windows\system\skzrASG.exe

MD5 c216c25bff310c3dc3b0d10a8ea553f7
SHA1 0aba1cdce814cd7d0c8a8a2d47c6c670a05d1b89
SHA256 b690cebfff78168c4d0ca1e2d20773af81b34f6777265412f0ef5df683abe0a1
SHA512 5de5947ddd0689f9d54598fbb96014592577ee6c5743f4c7856f508f5fa03f95507730c1bb4e4c395fbac420d3532b98ec0a5d58ef8706dc4b4267ff757b3264

C:\Windows\system\zzVklUU.exe

MD5 2435df1edab34daca5fca9838e34cde8
SHA1 ab0b10f5ac41d1c0b7d4b5d345c82195a529a279
SHA256 54cd37188b9f4bc8319e93b6e592cc1421a11df7de477b22a6fdcc28564bfe2a
SHA512 7b4e28ffd3d94571aacaf9b2c23348a9dbd49930cbe6e325c21bbd3f2d4e3c89448f1031d13f6ae2adf3f6c14b71cb37a636b94c989ed7b2fda1ce84480b17af

memory/2724-88-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2968-87-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2572-86-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/2968-73-0x0000000002210000-0x0000000002564000-memory.dmp

C:\Windows\system\RNohDUU.exe

MD5 d7cba203857ea6f14d32c9970e7db51c
SHA1 acc71a2ec2329e592ecdcbb91b3e51f6877c30ea
SHA256 35c09f2c3f41ba570cedc8bed52e3122af420f9d13005f797ec4d561d0edb9cc
SHA512 c0836205f4fbe8cc3cac3cba970dd0ecb3d1193f6a8fbd07e81db4f53a285917ad2a04bc3afac27dab62ca7acf7680e0fb45258e59166e6f19fecda9094d8923

memory/2732-135-0x000000013FE80000-0x00000001401D4000-memory.dmp

\Windows\system\Dtdxano.exe

MD5 a701f409988e14835842cd294ff916ea
SHA1 6023d09e68b4a45c4fabe344f09cf9984146df65
SHA256 7beb2c97c99ea22eda29d01c1eb63addcc72f5ecaf8936dac8ae4e894fa1ae5c
SHA512 790f82c7995068dadd6cae634cef3242361af88f515dd709a2c8eff6abc79bf1d7b6d437aee68243147f8fcccc7a87ff9afdc8cd029177ba35374f69c9d2a999

memory/2296-68-0x000000013FE40000-0x0000000140194000-memory.dmp

C:\Windows\system\EqZgjeT.exe

MD5 7afc71e94704cf4a1b0156ec8878e107
SHA1 4b06e8c85c2de7e73fefdf253449427500e4adc4
SHA256 146149d579a4878bd3982241ad435f60e3891e40d31769fee467c7a1181aceaa
SHA512 699a0fa4c32e72bd9135ed75861b2d409971bf1ab995cd0e15b51146e8016ee48b5cb98d2aad6c14c347c9ed65510571540d3a26c5b96616dcf2a9e456be5b8e

C:\Windows\system\BtqvMmS.exe

MD5 08199d7a4ad8beba33a04c0e66328fe8
SHA1 9e256e8469b45fc26587fb63a7428f7d7853e1a2
SHA256 c910fd92012d9453ea467fe9dac73b7545f8e18b26643328976d6656ca997b90
SHA512 23b4cb5b25a4c73f083fee77a06f6c94076a476ae025bc93df11e001f13ac912397c740445671f485441d91a7a99cbfcc18a8374509cce5bc7e9788f6944b3f2

C:\Windows\system\MfHZcwh.exe

MD5 8003c8ca1c6255c4a9df50b61d369786
SHA1 ef521c59d5519424152618453d9a1ec413a267cf
SHA256 caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8
SHA512 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795

\Windows\system\MfHZcwh.exe

MD5 5a7904c6cf1a29e8392e1da0b9339bb0
SHA1 e89af2cbf3e07227ae8edd30a249d76acc9335fd
SHA256 8c3180307c5778d91b5f9d63705c29a1ab7e0cf9e14be129ddbff61e0917d822
SHA512 23223222fb6275d698ce7703554dc58cf1b0dbb8ad1701b16e1fed581b3e0db861a3011ce6fec8fbc0ebe25b91c2d3961b85ebbacd378888b1e9a794a6598857

memory/2536-52-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/2968-46-0x000000013FE80000-0x00000001401D4000-memory.dmp

C:\Windows\system\lcwOkXn.exe

MD5 4c8db5a2a5c5b8f585a0987bef8f8337
SHA1 819c7178bfcddedfb7608a1050bffd63c15df8de
SHA256 eabb47df9bac2b9bbc4bccb71a561c765cc4f4c8ee770fca487682de4ebdabb0
SHA512 3d3e715bf12f47f188e67560fc5411af2de7ac3336ee8e300397366fc48aacc92ad03fb1f672bb622751859db92fd9fb72411198faef8baea37a57ccde419887

memory/2488-40-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2504-35-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2968-34-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2572-22-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/2968-20-0x000000013FBE0000-0x000000013FF34000-memory.dmp

C:\Windows\system\ZWhMfep.exe

MD5 ef453b474d0c5e36ac3ced12136640a1
SHA1 1803f86bd300d5c81a50994e1bd86da105c22e13
SHA256 5dd81f5fbef75391d2620c627eaaf45d41ff44f7d8ad402d2926194e5ba33dac
SHA512 8716ce23cac555deb4c37f67bae2e106297a09e383e0ff5a217dc52addcd0946872a5ec5e313e2a07dc14c88fe1627fb8b251d4de79399605b5cb0dcac17d2e5

\Windows\system\ZWhMfep.exe

MD5 520306f0af217a723b94881629ed2c1f
SHA1 edfebe61571cd3958f1312a9985e7616d97f5058
SHA256 753b1655c90b67a0e9ef8ac7f9ad5137a5f68ca7523e64de621b55f82736ad40
SHA512 9ac6a96dd03c1ec975477a89483a2d662a3a654c6c49304a4eef6675c320419be317a4ea86000c6b38c10beb98f86f51309fa6427a10328bb6e8081fbc42222e

memory/2536-136-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/2568-137-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2392-139-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2968-138-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2296-140-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/2092-141-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/2724-143-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2968-142-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2464-145-0x000000013F440000-0x000000013F794000-memory.dmp

memory/2796-144-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/2572-146-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/2820-147-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2488-148-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2568-152-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2092-155-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/2296-154-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/2392-153-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2656-156-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2536-151-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/2724-157-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2732-150-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/2504-149-0x000000013FC20000-0x000000013FF74000-memory.dmp
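The file and memory-dump records above follow a fixed layout (a path line, then MD5/SHA1/SHA256/SHA512 lines; memory entries named memory/PID-N-START-END-memory.dmp), so two checks a triager would otherwise do by eye can be run mechanically: whether the same basename is recorded under two paths with different SHA256 values (as mggiSjD.exe, UbPdmsr.exe, skzrASG.exe, MfHZcwh.exe and ZWhMfep.exe are above, i.e. the file changed between captures), and how large each dumped region is (every behavioral1 region above is 0x354000 bytes, the same image size for every dropped executable). The Python below is an added example, not part of the sandbox report or the sandbox vendor's tooling. SAMPLE is a constructed, abbreviated excerpt of the records above in the report's own layout, with the SHA512 lines omitted; the parser expects only the Files block, not the surrounding headings.

```python
"""Parse the Files records of a sandbox report and run two triage checks.
Added example, not part of the report. SAMPLE is a constructed, abbreviated
excerpt (SHA512 lines omitted) of the records above, in the report's layout."""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

SAMPLE = r"""
C:\Windows\system\mggiSjD.exe

MD5 06e7776c45522cd727375134e965e22f
SHA1 b3c6cc8ec21bae0f0aa8708062a4e0f18fd21432
SHA256 2e168c5305fc6931df6647569f2eac771398a9fe5bbc1782667bc1c201007bfb

\Windows\system\mggiSjD.exe

MD5 0d5922d66ecf7b23254aac7defebabc4
SHA256 8029813c118663f7da438f62d257b0c00141da5beb2bb27feb57c2a559600558

C:\Windows\system\Abotbqm.exe

MD5 793af579bfad95c31ad4a03390456f93
SHA256 64622c439c50ec3a80030fe9b474b3793ca4f0128a371e8cebbbcd32b0853755

memory/2968-95-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2820-94-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2488-133-0x000000013F740000-0x000000013FA94000-memory.dmp
"""


def parse_files_section(text):
    """Return (files, regions).

    files:   list of dicts {"path": ..., "MD5": ..., "SHA256": ...} (only the
             algorithms present in the record).
    regions: list of (pid, index, start, end) from memory dump names.
    Any non-blank line that is neither a hash nor a memory entry starts a new
    file record, so pass only the Files block of the report.
    """
    files, regions = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            current = None  # a memory entry ends the current file record
            regions.append((int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m[1], m[2].lower()
            if len(digest) != HASH_LEN[algo]:  # catches truncated/garbled hashes
                raise ValueError(f"{current['path']}: {algo} has {len(digest)} hex chars")
            current[algo] = digest
            continue
        current = {"path": line}
        files.append(current)
    return files, regions


def rewritten_files(files):
    """Lower-cased basenames recorded under more than one distinct SHA256:
    the file on disk changed between the sandbox's captures."""
    by_name = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            by_name[f["path"].rsplit("\\", 1)[-1].lower()].add(f["SHA256"])
    return sorted(name for name, digests in by_name.items() if len(digests) > 1)


def region_sizes(regions):
    """Map dumped-region size (bytes) -> sorted PIDs that mapped such a region."""
    sizes = defaultdict(set)
    for pid, _index, start, end in regions:
        sizes[end - start].add(pid)
    return {size: sorted(pids) for size, pids in sizes.items()}


if __name__ == "__main__":
    files, regions = parse_files_section(SAMPLE)
    print("rewritten:", rewritten_files(files))
    print("region sizes:", {hex(k): v for k, v in region_sizes(regions).items()})
```

The length check matters because sandbox exports and copy-pastes routinely truncate digests; a 63-character "SHA256" silently matches nothing when fed to a blocklist. Identical region sizes across every PID are consistent with each dropped executable being the same image, which is what the identical "UPX dump on OEP" and "XMRig Miner payload" hits per process already suggest.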

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 02:14

Reported

2024-06-01 02:17

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 matches listed, none with an indicator, process or target recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 matches listed, none with an indicator, process or target recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 matches listed, none with an indicator, process or target recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 matches listed, none with an indicator, process or target recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 matches listed, none with an indicator, process or target recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QeZelYS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DZsGfGg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tTGaUQX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nkSDGuA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CMNLDPp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mIndfIL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UAiBRQC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uMzKODm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EnrLQXM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hAPjkWo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VdgKqAZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nIWOJQm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BwrOVyo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XIxTJeh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CFnNnEW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DDUAZfj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gqRjdSV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZAkXitB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZFgUeJq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KKRrBqn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MupaMXk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4560 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\DZsGfGg.exe
PID 4560 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\DZsGfGg.exe
PID 4560 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\XIxTJeh.exe
PID 4560 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\XIxTJeh.exe
PID 4560 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\mIndfIL.exe
PID 4560 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\mIndfIL.exe
PID 4560 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\UAiBRQC.exe
PID 4560 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\UAiBRQC.exe
PID 4560 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\tTGaUQX.exe
PID 4560 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\tTGaUQX.exe
PID 4560 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\CFnNnEW.exe
PID 4560 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\CFnNnEW.exe
PID 4560 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\DDUAZfj.exe
PID 4560 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\DDUAZfj.exe
PID 4560 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZFgUeJq.exe
PID 4560 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZFgUeJq.exe
PID 4560 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\KKRrBqn.exe
PID 4560 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\KKRrBqn.exe
PID 4560 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\EnrLQXM.exe
PID 4560 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\EnrLQXM.exe
PID 4560 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\MupaMXk.exe
PID 4560 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\MupaMXk.exe
PID 4560 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\uMzKODm.exe
PID 4560 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\uMzKODm.exe
PID 4560 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\CMNLDPp.exe
PID 4560 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\CMNLDPp.exe
PID 4560 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\hAPjkWo.exe
PID 4560 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\hAPjkWo.exe
PID 4560 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\VdgKqAZ.exe
PID 4560 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\VdgKqAZ.exe
PID 4560 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\nIWOJQm.exe
PID 4560 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\nIWOJQm.exe
PID 4560 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\BwrOVyo.exe
PID 4560 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\BwrOVyo.exe
PID 4560 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\nkSDGuA.exe
PID 4560 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\nkSDGuA.exe
PID 4560 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\QeZelYS.exe
PID 4560 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\QeZelYS.exe
PID 4560 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\gqRjdSV.exe
PID 4560 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\gqRjdSV.exe
PID 4560 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZAkXitB.exe
PID 4560 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZAkXitB.exe
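The two tables above can be joined: the "Drops file in Windows directory" rows say which images the sample wrote into C:\Windows\System, and the WriteProcessMemory rows say which of those images PID 4560 then wrote into as freshly created child processes (each child appears twice because the report logs every write separately). The Python below is an added example, not part of the report or the sandbox vendor's tooling: it parses both row formats, collapses the duplicate write rows, and reports which dropped files were actually started, under which child PID, and which were dropped but never written to. SAMPLE is a constructed excerpt of three drop rows and two pairs of write rows in the report's row layout; nkSDGuA.exe is deliberately left without a write so the "dropped but not executed" branch is exercised (in the full table above it is executed as PID 1804).

```python
"""Join 'Drops file in Windows directory' rows with 'Suspicious use of
WriteProcessMemory' rows from a sandbox report. Added example, not part of the
report. SAMPLE is a constructed excerpt in the report's own row layout."""
import re
from collections import defaultdict

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe")

SAMPLE = rf"""
File created C:\Windows\System\QeZelYS.exe {PARENT} N/A
File created C:\Windows\System\DZsGfGg.exe {PARENT} N/A
File created C:\Windows\System\nkSDGuA.exe {PARENT} N/A
PID 4560 wrote to memory of 4172 N/A {PARENT} C:\Windows\System\DZsGfGg.exe
PID 4560 wrote to memory of 4172 N/A {PARENT} C:\Windows\System\DZsGfGg.exe
PID 4560 wrote to memory of 1060 N/A {PARENT} C:\Windows\System\QeZelYS.exe
PID 4560 wrote to memory of 1060 N/A {PARENT} C:\Windows\System\QeZelYS.exe
"""


def parse_drops(text):
    """dropped path -> creating process image."""
    drops = {}
    for line in text.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            drops[m[1]] = m[2]
    return drops


def parse_writes(text):
    """Unique (parent_pid, child_pid, parent_image, child_image) tuples.
    The report emits one row per WriteProcessMemory call, so the two rows it
    logs for each child collapse to a single tuple here."""
    seen = set()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            seen.add((int(m[1]), int(m[2]), m[3], m[4]))
    return sorted(seen)


def correlate(drops, writes):
    """Which dropped images were written into as child processes (and their
    PID), which were not, and the parent -> children PID map.
    Paths are compared case-insensitively, as Windows does."""
    child_pid_by_image = {w[3].lower(): w[1] for w in writes}
    executed = {p: child_pid_by_image[p.lower()] for p in drops
                if p.lower() in child_pid_by_image}
    not_executed = sorted(p for p in drops if p.lower() not in child_pid_by_image)
    parents = defaultdict(set)
    for parent_pid, child_pid, _parent_image, _child_image in writes:
        parents[parent_pid].add(child_pid)
    return {"executed": executed,
            "not_executed": not_executed,
            "parents": {p: sorted(c) for p, c in parents.items()}}


if __name__ == "__main__":
    report = correlate(parse_drops(SAMPLE), parse_writes(SAMPLE))
    for path, pid in report["executed"].items():
        print(f"executed as PID {pid}: {path}")
    for path in report["not_executed"]:
        print(f"dropped only: {path}")
```

Run against the full tables above, the join shows all 21 dropped images under C:\Windows\System being written into by PID 4560, i.e. the drop-then-execute fan-out is complete rather than a staging step that was never triggered.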

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\DZsGfGg.exe

C:\Windows\System\DZsGfGg.exe

C:\Windows\System\XIxTJeh.exe

C:\Windows\System\XIxTJeh.exe

C:\Windows\System\mIndfIL.exe

C:\Windows\System\mIndfIL.exe

C:\Windows\System\UAiBRQC.exe

C:\Windows\System\UAiBRQC.exe

C:\Windows\System\tTGaUQX.exe

C:\Windows\System\tTGaUQX.exe

C:\Windows\System\CFnNnEW.exe

C:\Windows\System\CFnNnEW.exe

C:\Windows\System\DDUAZfj.exe

C:\Windows\System\DDUAZfj.exe

C:\Windows\System\ZFgUeJq.exe

C:\Windows\System\ZFgUeJq.exe

C:\Windows\System\KKRrBqn.exe

C:\Windows\System\KKRrBqn.exe

C:\Windows\System\EnrLQXM.exe

C:\Windows\System\EnrLQXM.exe

C:\Windows\System\MupaMXk.exe

C:\Windows\System\MupaMXk.exe

C:\Windows\System\uMzKODm.exe

C:\Windows\System\uMzKODm.exe

C:\Windows\System\CMNLDPp.exe

C:\Windows\System\CMNLDPp.exe

C:\Windows\System\hAPjkWo.exe

C:\Windows\System\hAPjkWo.exe

C:\Windows\System\VdgKqAZ.exe

C:\Windows\System\VdgKqAZ.exe

C:\Windows\System\nIWOJQm.exe

C:\Windows\System\nIWOJQm.exe

C:\Windows\System\BwrOVyo.exe

C:\Windows\System\BwrOVyo.exe

C:\Windows\System\nkSDGuA.exe

C:\Windows\System\nkSDGuA.exe

C:\Windows\System\QeZelYS.exe

C:\Windows\System\QeZelYS.exe

C:\Windows\System\gqRjdSV.exe

C:\Windows\System\gqRjdSV.exe

C:\Windows\System\ZAkXitB.exe

C:\Windows\System\ZAkXitB.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
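Most of the Network table is sandbox background noise (reverse PTR lookups and Bing traffic from the Windows image); the rows a triager wants are the TCP connections the sandbox could not tie to any hostname. The Python below is an added example, not part of the report or the sandbox vendor's tooling: it parses the table as printed (the DE rows carry no Domain column), separates forward and reverse DNS lookups, drops hosts on an analyst-maintained noise list, and flags repeated direct-to-IP TCP destinations for which not even a reverse lookup was observed. NETWORK_TABLE is the behavioral2 table above copied inline; NOISE_SUFFIXES is an assumed allowlist for this sandbox's background traffic, not something the report states. On this table the only thing left after filtering is 3.120.209.58:8080, contacted six times by IP with no DNS activity at all.

```python
"""Triage the Network table of a sandbox report. Added example, not part of the
report. NETWORK_TABLE is the report's own table copied inline; NOISE_SUFFIXES
is an assumed allowlist for the sandbox image's background traffic."""
import re
from collections import Counter

ROW_RE = re.compile(r"^([A-Z]{2}) (\d+\.\d+\.\d+\.\d+):(\d+)(?: (\S+))? (udp|tcp)$")
NOISE_SUFFIXES = ("bing.com", "bing.net")  # assumption: Windows/Bing background traffic

NETWORK_TABLE = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""


def parse_rows(text):
    """One dict per row; 'domain' is None when the table printed no Domain cell."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"cc": m[1], "ip": m[2], "port": int(m[3]),
                         "domain": m[4], "proto": m[5]})
    return rows


def reverse_name(ip):
    """PTR name the resolver would query for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def is_noise(domain):
    return domain is not None and domain.endswith(NOISE_SUFFIXES)


def triage(rows):
    forward, reverse, noise = set(), set(), set()
    named_tcp, direct = Counter(), Counter()
    for r in rows:
        d = r["domain"]
        if is_noise(d):
            noise.add(d)
            continue
        if r["port"] == 53 and r["proto"] == "udp" and d:
            (reverse if d.endswith(".in-addr.arpa") else forward).add(d)
        elif r["proto"] == "tcp":
            key = f'{r["ip"]}:{r["port"]}'
            if d is None:
                direct[key] += 1          # connected by bare IP, no name known
            else:
                named_tcp[(key, d)] += 1
    # Repeated bare-IP destinations with no PTR lookup seen: nothing on the box
    # ever tried to name this host, which is what a hard-coded address looks like.
    flagged = {key: {"count": n,
                     "reverse_lookup_seen": reverse_name(key.split(":")[0]) in reverse}
               for key, n in direct.items() if n >= 2}
    return {"forward_lookups": sorted(forward),
            "reverse_lookups": sorted(reverse),
            "noise_hosts": sorted(noise),
            "named_tcp": dict(named_tcp),
            "direct_ip": flagged}


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_TABLE))
    for dest, info in result["direct_ip"].items():
        print(f"{dest}: {info['count']} connections, PTR seen={info['reverse_lookup_seen']}")
```

The check is deliberately conservative: a single bare-IP connection is common in benign software, and a destination that was at least reverse-resolved had some name-based context on the host. What survives both filters is the short list worth pivoting on.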

Files

memory/4560-0-0x00007FF701CF0000-0x00007FF702044000-memory.dmp

memory/4560-1-0x000001C025E00000-0x000001C025E10000-memory.dmp

C:\Windows\System\DZsGfGg.exe

MD5 32b5113b15f95f647f04046ab637431a
SHA1 97d1717f21ad21b72202d34ff7a15c37015d6ebc
SHA256 80f9e3910cf9bf05eec73801158b52f03ea9ce45e21eab6c983e4b3cfee6ee4a
SHA512 a344560bdf248973cfc7af6f8ee32b626c71e3a7703616e53ed5362339abeb116ebc4cc3c96c558101aa5e6715cd3e73c0a315e339777c3b62ca19bc27981b64

memory/4172-8-0x00007FF7DE0F0000-0x00007FF7DE444000-memory.dmp

C:\Windows\System\XIxTJeh.exe

MD5 93eddbb8afd5b2d30f18f722baeea61e
SHA1 6efba84e244627a7375317a0744a40d0b39a3608
SHA256 c0bc5da2a918191fffa790970e73ede07262f1f3c329c54aa50531018283c9c1
SHA512 787d29cb6ee1d397a59bf5efa67d2b813902b5dedd207c7165f01a41ee8ecf1966082fcf8d3f2f1e90d50ba304979f02a002e2f8b05541ca13f914e6dab8ae99

C:\Windows\System\mIndfIL.exe

MD5 1cadf1e7fa8109c815277085fa72fe66
SHA1 7e44f2d1da52857a8ce6ac21367c77745f0b02b4
SHA256 5247d9c412d5a268b2fc4c58618dcd3707af7522e8f84543e97319fe9ee07170
SHA512 910dddcfd42dda3015be8b470a75409687d83b169f0fa28fa9f69b7b9d6a1f5c90f469ff38fb919f2a3d54c718c9a3d136bddee6205341ee645b4099ee620916

memory/1284-19-0x00007FF7113E0000-0x00007FF711734000-memory.dmp

memory/4124-20-0x00007FF6E1BF0000-0x00007FF6E1F44000-memory.dmp

C:\Windows\System\UAiBRQC.exe

MD5 48ab39ba3826b139b41abd2dfa856e05
SHA1 a586ea072ef3303582f86fab14cf1acf9d7bf03b
SHA256 2eb14a1c6c45934cbfec6cd77887e231b5104f4d2cad96d1b587e96b61428252
SHA512 cab97cabb8cd75075304393f35da3e18fb3aa329f38d4b7f8a7826e98c2b0af1fcf5203896b8cbb425aabacd178d1bb27787331314a6a7c2e79c1cb77a182dd2

C:\Windows\System\tTGaUQX.exe

MD5 ebd1ef5248c84063b86657fc3ab68f03
SHA1 3986d7b39c545d7485b36ee8f8e27f161c6861a2
SHA256 c3d26dd1f7cdc12ced6b2ee50ee9ce8881b8885eb7a5c1f470b9d338098b43e8
SHA512 253264dbd19d11dfa0042cbc560f948f3037a0a80bfe68671934fa3d872ae129fb6818f6f14d09f7dbb9ba44296e9c78398d66a82e396f17627476b714a9c658

C:\Windows\System\CFnNnEW.exe

MD5 48a25f0f99d8853087e76c39e229c052
SHA1 4fa29834192f07b0951d0bda25d602bbcc1c6800
SHA256 a4f89a5793c4b950dd2e620d8017796fd38f33e61b0afc92af486558b26f85df
SHA512 8230a41ce63d23e74172fee58d135bbefe13ae11443e1944ed6b32b5fa7a48d383bfe0249f1285d3e6d4cda06d5054186503ded63cf5544f3635a92337a712cf

C:\Windows\System\ZFgUeJq.exe

MD5 305ac6b39ea040beb3c5dc9508900fcb
SHA1 35a0c2f77ca3bc049e10958fc518cc2d89b6ab07
SHA256 baad52179c55f8646749accfe72df9c0aed3cf093320f428ddee49cc764cfd3b
SHA512 55395fb02f7e7b9ad256a23e7763330c9899bb61607d6bd1b7f2ff4d303e6f6c9c3f2a6b39ab4e39b0d4ae9859c6bb2f3be9b3ef715863e91d11e9b86f9a019a

C:\Windows\System\KKRrBqn.exe

MD5 b8d75034929bb417440b967a2d0102e8
SHA1 8e6e27bf949c848b8c68356449b9f139505bcfac
SHA256 9579d323c078fd0184e741080b67e66579b3f6910a0810f68f3998f77e7d6136
SHA512 61cee9b53617449e7357eb138998c6fa4b8b33cffaf93a5579e2e0703e78ef663241b051723f5d459de48b5e6c9798509636b6d401273c2499721b8920c0a888

C:\Windows\System\MupaMXk.exe

MD5 caddf713f3e6621cede22cc2b8e75421
SHA1 59e470c198cca573690078d15b90b29ffc316f6e
SHA256 fa79d8b8bbcef6abaaf09da265cbd42efca8afcb0f708f2973588a5a03822b29
SHA512 d4c5c6457aff7aaf6c6965788925778a99461ad8607a3b4616054dbccd5402f79b3b757011041963962cbcb1250347b93cbcb5563050e7d2c07ba13fbeb4550e

C:\Windows\System\CMNLDPp.exe

MD5 41be9fb8030bd037c387c2ee7ac168d1
SHA1 b009a85b5188463933b58206d148fa62cc1cc428
SHA256 cb2379244a9f714cb14c354c43b311f5f45deee2719e9612c05af5a10bf20d97
SHA512 ef40bc9fa911365fe057721902ec52a4b4a15ac2661ec2bbeb99350ef109d9082ab147004017fdc06985c148e70845fa44d92c25b31ab39339897bc6e34116c6

C:\Windows\System\hAPjkWo.exe

MD5 658425dbcdae7557b7704cff0b915398
SHA1 c32a4b03855a06618b8172c64bff552291318ab9
SHA256 1482c0b815d1ba76f187df8bdba80677f29b1decca39e8c85f51bd997d99bb85
SHA512 1f8c1fad611dceab04be7b6db3352131b5ed141566675561b254cd94b9fabce799dcb65d4b5379a9bca3cb683653fef199914283c7bb33121ce3a8c8112cb4ca

C:\Windows\System\nIWOJQm.exe

MD5 36b52cd70231ae3ed8ce67bc54bdc73b
SHA1 f66ca41358fa5797af8d07413afab708579a0690
SHA256 30673eeb7cce963f0fd6e350e070f7e210c5ede0743c932baf2ac572f3f6d061
SHA512 24a66133cd3ed8528df09a887d7ae87239b0a778bf184d712ce4ed01bb0c5881e77d2552a853b45f9f33a082e3796ce2d8418459f5442c348270e9cdead19b7d

C:\Windows\System\BwrOVyo.exe

MD5 2b359112dc6de128c14dd1f6c9a47317
SHA1 bc719e37be7bbedafe882cf09b9713bdc5fb8c46
SHA256 363b0ffac095bedcc5b26c447367f1efc98f43f95a7c20bba83d79d560fa5766
SHA512 d7bf4ce9724f7403d60280580f718b0f17806a0be38990a2774e44b204637ea9c09e0a3ecaf9347a0b2618c96b2b6d40b612496c7adb003ad237ff38d348a760

C:\Windows\System\QeZelYS.exe

MD5 d3d2409cf320045d64cd35a5b51b39f9
SHA1 612a81bf54ccc4aec5012aa0ae3197f85b4da1ca
SHA256 b12045dd1ce7a2220ed317db355c89d6b1a3cfce5307f0c94bd3cf57ddfc7d48
SHA512 4e573cb71f06e324a97dead1be17152edb34423963e1cadb36ea1d826a3784c562e6270658f365658f7c878665a2f68bc6d2d99d98278ac667d5d101b97d0c69

C:\Windows\System\ZAkXitB.exe

MD5 33195fd6a46cb9b296ad1827ae88c2a5
SHA1 a0cc33db50572129c8036e0f7b79276ab01fc3a3
SHA256 a78ad82622260b4271697a8904d17974a0e7a479c2b50bc8c1d899144cd834be
SHA512 2d221df5e4b63e995110847c9799cca9340ff67d25b7c3ae2f81782a23ca406aafee676ea2f57c1ec8b370356505b3783509e7f4df139c46802924e669acb79a

C:\Windows\System\gqRjdSV.exe

MD5 5aea31c7a80263a44d641813f14d16ca
SHA1 ac6982542ddda95be9c78f29d66c969e0e46a727
SHA256 8a3ef1b9104597229a7be79861021f3edf56e7b49f0b6571bf1e203d1bab282a
SHA512 724bf3dacaef7f1c70bd5b16a8c78aae337534dca94a78e63166576ed0308f95331e9056e9c3fbbbecaf25198df4a79292874b74d0f09eacfc9bb59f48c0c927

C:\Windows\System\nkSDGuA.exe

MD5 612205fac662f8fc131062c44c97a9be
SHA1 07945d30e7e7fd7b0cd1727163f0da4f508672ff
SHA256 79f545ea799e6d3280e310aaba29e85ccd6fb838dfc0e8356be128d510b46f04
SHA512 7e8a9d60ff7e1cee8fd1e61a5f2a62d2cb90a39d2c107f0408c366d1de4f9d53c34d53eb70e3e8621fbe0ac65c777a08759cbf02c550e984ed2ada36ca317e90

C:\Windows\System\VdgKqAZ.exe

MD5 9b4873c347664e01e66a77337b82a8a6
SHA1 cdca0b2012f601700b790d7b2b16e3f54be77f43
SHA256 175503f1e7d88dbe1a2f72bc9b5db3dc730d9ecd8cff2076e8204571480e6da3
SHA512 864d8cac9159083453b581d0adaf396a308210c2aec07731893d603fd4d634d33b219ce1e68cd2e2b0d152be90d3cd57b85ba9c8f67087a98dd1bcf8e236c53e

C:\Windows\System\uMzKODm.exe

MD5 fa1e7903b813926f3978e27caac59ef2
SHA1 7eb26b8f30c3004620991404d1d75e917da411f8
SHA256 bd4faf4b6f2141cff39881bb5a8ee3c671a96cc398c1bb8f2c1c3f04cbaa7400
SHA512 6c1364b6ef7fb35f4521a487d3bc349a435972415b90dea5d363533ee358da384b4ef395d3d3626c9af3a30703ae20696c9654bc86e94d1aa335d988488ebf1b

C:\Windows\System\EnrLQXM.exe

MD5 6b0c73d684fe5c40da3a219bdca00ede
SHA1 32d85117874252313083720dba51b1bb0a548dc4
SHA256 46f4e2dc9a5f80461f1f6c3ad3b64f67f615bb8ed1ae9f9d0e6780e9576eba6d
SHA512 f8e2d39a76864460e1f0df38c5cbd7b40b8f7ab561f4e65d510e685f15ccf0b57950a5835ea5b96d56e55dc33bc18576a68c2445b8070eb06cfbed79249b2f80

C:\Windows\System\DDUAZfj.exe

MD5 1373bfcbcb3b135b921da69f420fab5f
SHA1 009a5b098059bf15317f8e3f2789d1ff429b3108
SHA256 2556c460d4b775c820319ce041d389f1d8f8e39c30674178aa801d4aceca6c75
SHA512 dd10f28e9415ae0e82d6149f6eca349fade71c2763cdb1a0a7cc1ab42d588150653f8c3738f29468e016689446467167f464408e47a6043acea501b899896f4b

memory/3524-34-0x00007FF64FC00000-0x00007FF64FF54000-memory.dmp

memory/3428-26-0x00007FF7F8710000-0x00007FF7F8A64000-memory.dmp

memory/4648-112-0x00007FF7FACC0000-0x00007FF7FB014000-memory.dmp

memory/3456-113-0x00007FF78B2D0000-0x00007FF78B624000-memory.dmp

memory/1444-114-0x00007FF6AD540000-0x00007FF6AD894000-memory.dmp

memory/1500-115-0x00007FF655E10000-0x00007FF656164000-memory.dmp

memory/2136-116-0x00007FF748860000-0x00007FF748BB4000-memory.dmp

memory/3504-117-0x00007FF627170000-0x00007FF6274C4000-memory.dmp

memory/3616-118-0x00007FF7024A0000-0x00007FF7027F4000-memory.dmp

memory/2980-119-0x00007FF680C20000-0x00007FF680F74000-memory.dmp

memory/2340-121-0x00007FF7D0810000-0x00007FF7D0B64000-memory.dmp

memory/3412-122-0x00007FF70CD30000-0x00007FF70D084000-memory.dmp

memory/1804-124-0x00007FF750EA0000-0x00007FF7511F4000-memory.dmp

memory/5032-126-0x00007FF61D000000-0x00007FF61D354000-memory.dmp

memory/4580-127-0x00007FF6EAE10000-0x00007FF6EB164000-memory.dmp

memory/1060-125-0x00007FF6B5A80000-0x00007FF6B5DD4000-memory.dmp

memory/468-123-0x00007FF6EE3A0000-0x00007FF6EE6F4000-memory.dmp

memory/3328-120-0x00007FF6CB1D0000-0x00007FF6CB524000-memory.dmp

memory/4560-128-0x00007FF701CF0000-0x00007FF702044000-memory.dmp

memory/1284-129-0x00007FF7113E0000-0x00007FF711734000-memory.dmp

memory/4172-130-0x00007FF7DE0F0000-0x00007FF7DE444000-memory.dmp

memory/1284-131-0x00007FF7113E0000-0x00007FF711734000-memory.dmp

memory/4124-132-0x00007FF6E1BF0000-0x00007FF6E1F44000-memory.dmp

memory/3428-133-0x00007FF7F8710000-0x00007FF7F8A64000-memory.dmp

memory/3524-134-0x00007FF64FC00000-0x00007FF64FF54000-memory.dmp

memory/4648-135-0x00007FF7FACC0000-0x00007FF7FB014000-memory.dmp

memory/3456-136-0x00007FF78B2D0000-0x00007FF78B624000-memory.dmp

memory/1444-137-0x00007FF6AD540000-0x00007FF6AD894000-memory.dmp

memory/1500-138-0x00007FF655E10000-0x00007FF656164000-memory.dmp

memory/2136-139-0x00007FF748860000-0x00007FF748BB4000-memory.dmp

memory/3504-140-0x00007FF627170000-0x00007FF6274C4000-memory.dmp

memory/3328-143-0x00007FF6CB1D0000-0x00007FF6CB524000-memory.dmp

memory/2980-146-0x00007FF680C20000-0x00007FF680F74000-memory.dmp

memory/2340-145-0x00007FF7D0810000-0x00007FF7D0B64000-memory.dmp

memory/468-144-0x00007FF6EE3A0000-0x00007FF6EE6F4000-memory.dmp

memory/3412-142-0x00007FF70CD30000-0x00007FF70D084000-memory.dmp

memory/3616-141-0x00007FF7024A0000-0x00007FF7027F4000-memory.dmp

memory/4580-148-0x00007FF6EAE10000-0x00007FF6EB164000-memory.dmp

memory/1060-149-0x00007FF6B5A80000-0x00007FF6B5DD4000-memory.dmp

memory/1804-147-0x00007FF750EA0000-0x00007FF7511F4000-memory.dmp

memory/5032-150-0x00007FF61D000000-0x00007FF61D354000-memory.dmp
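The listing above is raw sandbox output: one path-plus-hash block per dropped executable, then one `memory/...-memory.dmp` artifact per dumped region. Two things are worth pulling out of it programmatically rather than by eye: the set of SHA256 values for the dropped binaries (for hash matching against a host), and the size of each dumped region, since every entry above spans the same 0x354000 bytes regardless of PID, which is consistent with one unpacked payload being loaded into each of the dropped processes. The following parser is an added example, not part of the report or of the sandbox's own tooling; it assumes the artifact name is laid out as `memory/<pid>-<index>-<start>-<end>-memory.dmp` (inferred from the listing, not documented on the page), and the `SAMPLE` text is a constructed excerpt of the entries above.

```python
"""Triage helper for the dropped-file and memory-dump listing of a sandbox report.

Added example, not code from the report or the sandbox. The memory artifact
layout memory/<pid>-<index>-<start>-<end>-memory.dmp is an assumption inferred
from the entries on the page.
"""
import re
from collections import defaultdict

# Constructed excerpt of the listing above (four entries, not the full report).
SAMPLE = """\
C:\\Windows\\System\\gqRjdSV.exe

MD5 5aea31c7a80263a44d641813f14d16ca
SHA1 ac6982542ddda95be9c78f29d66c969e0e46a727
SHA256 8a3ef1b9104597229a7be79861021f3edf56e7b49f0b6571bf1e203d1bab282a
SHA512 724bf3dacaef7f1c70bd5b16a8c78aae337534dca94a78e63166576ed0308f95331e9056e9c3fbbbecaf25198df4a79292874b74d0f09eacfc9bb59f48c0c927

C:\\Windows\\System\\nkSDGuA.exe

MD5 612205fac662f8fc131062c44c97a9be
SHA1 07945d30e7e7fd7b0cd1727163f0da4f508672ff
SHA256 79f545ea799e6d3280e310aaba29e85ccd6fb838dfc0e8356be128d510b46f04
SHA512 7e8a9d60ff7e1cee8fd1e61a5f2a62d2cb90a39d2c107f0408c366d1de4f9d53c34d53eb70e3e8621fbe0ac65c777a08759cbf02c550e984ed2ada36ca317e90

memory/3524-34-0x00007FF64FC00000-0x00007FF64FF54000-memory.dmp

memory/3428-26-0x00007FF7F8710000-0x00007FF7F8A64000-memory.dmp

memory/1284-129-0x00007FF7113E0000-0x00007FF711734000-memory.dmp

memory/1284-131-0x00007FF7113E0000-0x00007FF711734000-memory.dmp
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.(?:exe|dll)$", re.IGNORECASE)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# Assumed layout: memory/<pid>-<index>-<start>-<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_dropped_files(text):
    """Return {path: {algo: hexdigest}} for every path/hash block in the listing."""
    files = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current = line
            files[current] = {}
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            # A truncated or mis-copied digest would never match anything; fail loudly.
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest of wrong length for {current}")
            files[current][algo] = digest
    return files


def parse_memory_dumps(text):
    """Return (pid, index, start, end) tuples with addresses converted to ints."""
    dumps = []
    for line in text.splitlines():
        m = MEM_RE.match(line.strip())
        if m:
            pid, idx, start, end = m.groups()
            dumps.append((int(pid), int(idx), int(start, 16), int(end, 16)))
    return dumps


def summarize_dumps(dumps):
    """Group dumped regions by PID and collect the distinct region sizes.

    Repeated dumps of the same range in one PID collapse to a single region;
    a single size shared across all PIDs points at one payload in every process.
    """
    by_pid = defaultdict(set)
    for pid, _idx, start, end in dumps:
        by_pid[pid].add((start, end))
    sizes = {end - start for _pid, _idx, start, end in dumps}
    return {
        "pids": sorted(by_pid),
        "regions_per_pid": {p: len(r) for p, r in by_pid.items()},
        "sizes": sizes,
    }


def sha256_set(files):
    """Flatten the dropped-file table into a set of SHA256 values for host-side matching."""
    return {h["SHA256"] for h in files.values() if "SHA256" in h}


if __name__ == "__main__":
    dropped = parse_dropped_files(SAMPLE)
    print(len(dropped), "dropped files;", sorted(sha256_set(dropped)))
    print(summarize_dumps(parse_memory_dumps(SAMPLE)))
```

Feed the whole Files section to `parse_dropped_files` to get every SHA256 to sweep `C:\Windows\System` for, and to `parse_memory_dumps` to confirm that every dumped region has the same size before spending time diffing them: with one shared size, unpacking a single dump is usually enough.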