Malware Analysis Report

2025-01-22 19:40

Sample ID 240601-cw36laef6s
Target 2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike
SHA256 a211816f3d87545a1962f50902bfb93e03a82a7f88b8c203babd645d5cee23dd
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a211816f3d87545a1962f50902bfb93e03a82a7f88b8c203babd645d5cee23dd

Threat Level: Known bad

The file 2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

xmrig

Cobaltstrike family

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Xmrig family

XMRig Miner payload

Cobaltstrike

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 02:26

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 02:26

Reported

2024-06-01 02:29

Platform

win7-20240508-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\bZBcKzc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xjkEfSI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LBbcrKJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nLcrwxV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DqqUGoO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OpCbVIq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aWwiPwM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zodSnjL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zvgxOzs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XCfbCIl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SDZChUs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dcglPUa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aKezGQi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zOKwBQx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ivunZda.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PzwpBvI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vwMwavL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\smizcLM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pXXqDPk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nCcGIFX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eThapiE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1036 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\bZBcKzc.exe
PID 1036 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\xjkEfSI.exe
PID 1036 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\LBbcrKJ.exe
PID 1036 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\pXXqDPk.exe
PID 1036 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\dcglPUa.exe
PID 1036 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\nLcrwxV.exe
PID 1036 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\aKezGQi.exe
PID 1036 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\zOKwBQx.exe
PID 1036 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\ivunZda.exe
PID 1036 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\PzwpBvI.exe
PID 1036 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\nCcGIFX.exe
PID 1036 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\OpCbVIq.exe
PID 1036 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\vwMwavL.exe
PID 1036 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\XCfbCIl.exe
PID 1036 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\SDZChUs.exe
PID 1036 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\smizcLM.exe
PID 1036 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\DqqUGoO.exe
PID 1036 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\aWwiPwM.exe
PID 1036 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\eThapiE.exe
PID 1036 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\zodSnjL.exe
PID 1036 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\zvgxOzs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\bZBcKzc.exe

C:\Windows\System\xjkEfSI.exe

C:\Windows\System\LBbcrKJ.exe

C:\Windows\System\pXXqDPk.exe

C:\Windows\System\dcglPUa.exe

C:\Windows\System\nLcrwxV.exe

C:\Windows\System\aKezGQi.exe

C:\Windows\System\zOKwBQx.exe

C:\Windows\System\ivunZda.exe

C:\Windows\System\PzwpBvI.exe

C:\Windows\System\nCcGIFX.exe

C:\Windows\System\OpCbVIq.exe

C:\Windows\System\vwMwavL.exe

C:\Windows\System\XCfbCIl.exe

C:\Windows\System\SDZChUs.exe

C:\Windows\System\smizcLM.exe

C:\Windows\System\DqqUGoO.exe

C:\Windows\System\aWwiPwM.exe

C:\Windows\System\eThapiE.exe

C:\Windows\System\zodSnjL.exe

C:\Windows\System\zvgxOzs.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/1036-0-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/1036-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\bZBcKzc.exe

MD5 bdf795eb141a0ecb33eb3f53b38d1132
SHA1 d2ab9a825acba8aa230aa176e9e20d5c8348960f
SHA256 344d4030fb9fcc662462c67f0a5af2a794b5e759050a8bf2712e1e19d7d102a3
SHA512 37f7ce7a52d85c2cad39c537936ab86d28a69af7f2b69abc7a5177a217d94f09b4b7afdece901e787a4bf85dd751dc77057b721933df7ea53471a25cecc86eef

memory/2860-8-0x000000013FDF0000-0x0000000140144000-memory.dmp

\Windows\system\xjkEfSI.exe

MD5 6a20f7d5346fffe5e21de3b8e026186c
SHA1 71161180fac08740e09902ca3d7c6cd061c26f35
SHA256 992efb97a7bebdc127fb5f0e32a181736cc3ad6be5d0ef91e28fa09779f66d48
SHA512 1e0e6802b613440cad229fd26b20e3660c155d7dc7edfcad9f1ce066a0ebf9a60e5fbd4c094adadcf64349b01ec76e069d6f4cab7fc9d8928801964b3b111e2b

memory/1036-11-0x000000013F8F0000-0x000000013FC44000-memory.dmp

C:\Windows\system\LBbcrKJ.exe

MD5 3f42e911022ce096230ad0c8f4a416a2
SHA1 513ae265a1944cbd51a9681a2c68055d51f72553
SHA256 b33615ec51873e23c4378aa26b88c38b4aa64625344d976823b7065db0520098
SHA512 5ecde2c413116b5c01c7ce752a4e38962bee81ab565df123042be4236a6fa36c8ac0dc65dcc22f59fc756bbf6c7e64433665b63ae545581a535ee60dfedf0d7d

C:\Windows\system\pXXqDPk.exe

MD5 9ebc43eddf1817c0e0d7e8a837424166
SHA1 588ccaf50e983806377108111aba97e31edf5ac3
SHA256 35bd96971a1adb3ab31d3ca1cbb767a3c0b8dc62a625b8dbdd193da1ccb17be3
SHA512 2a994e6698cacbd8fdbc9418813ac56889ba33c003ce73a503bb546fe71d1c6cff1554006c969fd59a24ecb2817cfcf35b2087b05bbcd4912c60041438785812

\Windows\system\nLcrwxV.exe

MD5 b168e024d14945b488567a1377a3cf16
SHA1 8f5f9d1d4d02e9717c8974e964fc4ee228588466
SHA256 07c7e759c09765e4b70352829a4bf469265496acbc41fe08ec15698110403505
SHA512 5e27387b8d8a710243c1df0152dfa7a193196368f718d9091e9448ea64f494e34ab20beb40c2ca922b1b22f656500538e7e189ace8c9b6cba47209e937442493

memory/1036-39-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

C:\Windows\system\dcglPUa.exe

MD5 502a1f68665756007c0bcf346702b13f
SHA1 65b0cd798c140848c6cc5e190d5efc9416f82ccf
SHA256 13e3836116de8887561cbc6091e33227df7b3a19c0d39f10f5c48401d8252f23
SHA512 3de516a417a54f7373f3410f8c9fc26da0ef035adec334f09f6d12a28064a603e329f4887e891858d70a0a4243913679e0fc002aa56bc7ecfbd2b7f22cf3197f

memory/2680-40-0x000000013FCB0000-0x0000000140004000-memory.dmp

memory/2576-20-0x000000013F550000-0x000000013F8A4000-memory.dmp

memory/1036-36-0x000000013FCB0000-0x0000000140004000-memory.dmp

memory/1036-33-0x0000000002400000-0x0000000002754000-memory.dmp

memory/1036-23-0x000000013F850000-0x000000013FBA4000-memory.dmp

C:\Windows\system\zOKwBQx.exe

MD5 8213e6932656ab2391af223acc55f415
SHA1 d3d8bd22fcd3e98ef16497623d0878425732e093
SHA256 b3593a598523e5499437b2aa838a7bf0b16e4c30a205ae8343f998241693c2a0
SHA512 a029fa54f350f1cf5878372a022df026e3c6976ed81c057995595acaa572b31a7e13e19f8ce9395d467cef8985940861587e8bacc9486268f27e0456a26bdcbb

memory/1036-65-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/1664-74-0x000000013F5D0000-0x000000013F924000-memory.dmp

C:\Windows\system\OpCbVIq.exe

MD5 646df2377bd1d973faf8039b6c1b4339
SHA1 8f628623bfc814a27688903a725eae54b2f55607
SHA256 29a7f7f9cc61502861951e5604e30e85e01856630a2b868329f76749c6af4579
SHA512 a91f26e81a5b5296c823b273b48e18884c49fef27a68df75027eed98d975ffcf97fdf2fbf88184687c511202b2da2583aba545197702f9bab6069d396d11fc4a

memory/620-88-0x000000013F6F0000-0x000000013FA44000-memory.dmp

C:\Windows\system\XCfbCIl.exe

MD5 3cfdafbb87b737304ea9384884c5b0c4
SHA1 218d1c5368991caa67b34031d8786dd4355e9fab
SHA256 2d5915ee6c17b68343d22deddbd2cb7c9e40ec1ce58f4dca3d080fb00bd23d54
SHA512 bfa7841e552e8b1768ed0df1286fbc4180c838cc24300613178bceacc65da9c9b1369a6ee76cfc4eaf1f947579cac2458089633d97445d25608321bc53c0f9a6

memory/1780-101-0x000000013FD80000-0x00000001400D4000-memory.dmp

C:\Windows\system\aWwiPwM.exe

MD5 8d322c43341778598176737c2197b5ec
SHA1 cb5733dd54dbc12f7ae22b14b44bd9344d067f8d
SHA256 df44521c8a6491639e67c777c1771c822412f6ee22c864b4d2f1c0569df257c1
SHA512 34eb3469265b04a404bde881779a827126effa1c85e21bd67850e63b9b3078f9a1da51e8584ffeba83b5d8b5a8c96f39646ca355e533a57cc79562bb0b0f2eb7

\Windows\system\zvgxOzs.exe

MD5 2fb8631c8009f7858c034313122615d9
SHA1 28ae6c60e9f854a84217671efd9157b6b321dee1
SHA256 18cadf7532312a7644c6afe1d5546e3e97eb8105521aa519fae6087d352853fd
SHA512 7a47336aceda7f37891deec7a3be54669c9f465c67203835f6e4120b82715044b6cc5dbfe11c327aa9f4b9e93f0f083265b65afc20eae3052e6e0ca5c9d5c730

C:\Windows\system\eThapiE.exe

MD5 d2a2f07ff92391072e4b1fdfeb12049d
SHA1 d415581d9f34ef6a86b311adc90ae2a0cde7d36e
SHA256 be9e7281bb17909de9374356d52d2c5dd273ec4ac279d984e29e69285d01221d
SHA512 dbf3fc0154a3a02a04575058cc3eec3d7285099e133103a7e75ff4ea712ce5e33fca7e91287f3aa8053d487343e2db1f6e5e063b0943cd27e2b3077e55300f36

C:\Windows\system\zodSnjL.exe

MD5 f31516ab1c05692400741243805ad203
SHA1 744798c3c10236318417a5d421ae14d5ebb8ceaf
SHA256 59c84dfd798a1406b2d4e2cb046b9e9183cb4d901257cca37522d0a50c065779
SHA512 e025025e92f49661b058ae5f67c4ddcc32822d9e53fb55135e54f2c4c5a09e2270cabdb57a5e4c8636d1e95d4bfb5b72ac80e73666584dea378697927f266715

C:\Windows\system\DqqUGoO.exe

MD5 36bf6dac6004e748ef1d5bb50bac67ab
SHA1 5cfeb1f9045cc408716c0e2e90b474848bebd884
SHA256 a68251d02741faf31211f17aaed9cc580e5fbd80ab0552b3c98584143bbe87e7
SHA512 39784ac905e3c268f8ab30ab13d8795b6c2f8ea51e0ff6f2541c9638e71bc8a151274af70fbe5ed0e7b579e684ecd50fb89f38589dbc97aa43269ccd4b325123

C:\Windows\system\SDZChUs.exe

MD5 1967caf5093ca39cf2073e3e12192120
SHA1 d9b6e5c55c252b81da899d56124fdbfbc332720b
SHA256 cf6abeced2fb3646d23e2d351c5c14f7cda0dc113af7d1999c8300e130046881
SHA512 b58ebbe207085fc273a7cb90b7b48dc08e2cfae25bfa68e2a13e0fbfb97c23bf416e7642218a6585ef495f8a78b3b548c692c2241db17135f54610a55624c42a

memory/1036-108-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2556-107-0x000000013F0F0000-0x000000013F444000-memory.dmp

memory/2872-140-0x000000013FAD0000-0x000000013FE24000-memory.dmp

C:\Windows\system\smizcLM.exe

MD5 9070590d875fff4aa8fa0e20e25c74f0
SHA1 d058bc9f4104c5ce94bb94d6e7e644af69f31429
SHA256 21d8dcf18d725373a6177804f3251afe0b37bfee37d0b61a5e6dc59e86b124e9
SHA512 538e8d4bc8d69d6a6b60093338e302fa1858122bad8ddd2424368a94ee2789c50b32059d2d2d7c8b1c7d6d891c39226139886389d1c0308514232209c8923e2e

C:\Windows\system\vwMwavL.exe

MD5 dc219ee98ac78f692226d21b8240f632
SHA1 93570aff8e687202739756fdd9aef97f80b2b9fb
SHA256 d62fc57ad1f7e38cbc3877d3d93fef6eed73c0bb51519ac999675578ab902a58
SHA512 4d428140183c0868fecbb6bc735f5d13e84c478d7e69457a56cbb60f8ff0773b5aa5ddeed50a6a3099b470f2b95b5147729a534c2cbefb8e6e4b1920a68fb7bf

C:\Windows\system\nCcGIFX.exe

MD5 5bd13186f2337b0899ee6230de844dce
SHA1 a3d51b6dfa71740bb74024682ee40d4d90fccdc9
SHA256 7015169b09866f3d8546297cc81d4d259c7f2a93e766d13e9c85fdd1e65e9b2b
SHA512 0acd15b76d5638798cbb69f05e49c36f2aa92764e5c9c3e9503f15dd352c9b3d69496afc6610ba3bff6fc344316071d5649df1ea13508a9c5d8593545e9bae54

C:\Windows\system\ivunZda.exe

MD5 4f5504a9f0d585c5d63fc17bd982f1fb
SHA1 6a7d295dd68c60e6589de0608fcd745757913a2f
SHA256 0f41ca0fee510b1bab01186baa67defa9a7e308caddaf13e433d42b99a840bbd
SHA512 5f0b77d94337f6ff40e24a58f347cb3457e4d2551cb6e1486042340ee40835952f6fb3900d3826374d68e0f4918938c014618f59a2dc0a18aa4c3ab8399479b4

C:\Windows\system\PzwpBvI.exe

MD5 dac102cebf9d643780a175f1ba30b162
SHA1 cb9ffbf7bdb6869c1d1e264fc52f53eaa4b37d35
SHA256 4fa15cda6f4c12d99f1798609ae86fafe41f23309fb0d5dd271297818c05a5ff
SHA512 88880c6a63ad243cc819d9fb578a131351be1d2482d8b8a74368a04019c8d1908b45850ad867cdc5d691c6eae2b36d8d9401ab517b010797fdc2bd4ffa0979fa

C:\Windows\system\aKezGQi.exe

MD5 d259f496469bb7be69df4f7dc9100943
SHA1 c76a3da28fa720bf0415e4efecf768fff3fd81a6
SHA256 aa47225c930f30661a459c395651b7b7dd2c912e1bc4982ae41405afb9771131
SHA512 095a54f9f3adf1558908ce3b3bf6be7919b79daa3eca5312a59e68476782e0e0c3fe0b05cee493950af0088743be0b1582f66990d20c40736ad935e7747f9903

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 02:26

Reported

2024-06-01 02:29

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IMoAAxN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VMOLuqB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IJxwbze.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xSmvYNd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mjLANlW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SjFrNsO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kIQLHlK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BZRSQpD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OsnwzEG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\czEPjyg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qfgZdcn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gdmazGA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UEFJhyr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hPQNOLF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jpNQjnD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OwLCBAZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\brUSiyA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WpXuGxv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jkTPMho.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GwsmVkY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mXQIaXh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 996 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\UEFJhyr.exe
PID 996 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\UEFJhyr.exe
PID 996 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\IJxwbze.exe
PID 996 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\IJxwbze.exe
PID 996 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\BZRSQpD.exe
PID 996 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\BZRSQpD.exe
PID 996 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\hPQNOLF.exe
PID 996 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\hPQNOLF.exe
PID 996 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\xSmvYNd.exe
PID 996 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\xSmvYNd.exe
PID 996 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\jkTPMho.exe
PID 996 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\jkTPMho.exe
PID 996 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\GwsmVkY.exe
PID 996 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\GwsmVkY.exe
PID 996 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\OsnwzEG.exe
PID 996 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\OsnwzEG.exe
PID 996 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\mjLANlW.exe
PID 996 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\mjLANlW.exe
PID 996 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\jpNQjnD.exe
PID 996 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\jpNQjnD.exe
PID 996 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\mXQIaXh.exe
PID 996 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\mXQIaXh.exe
PID 996 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\OwLCBAZ.exe
PID 996 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\OwLCBAZ.exe
PID 996 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\qfgZdcn.exe
PID 996 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\qfgZdcn.exe
PID 996 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\brUSiyA.exe
PID 996 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\brUSiyA.exe
PID 996 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\czEPjyg.exe
PID 996 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\czEPjyg.exe
PID 996 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\SjFrNsO.exe
PID 996 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\SjFrNsO.exe
PID 996 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\WpXuGxv.exe
PID 996 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\WpXuGxv.exe
PID 996 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\gdmazGA.exe
PID 996 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\gdmazGA.exe
PID 996 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\IMoAAxN.exe
PID 996 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\IMoAAxN.exe
PID 996 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\VMOLuqB.exe
PID 996 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\VMOLuqB.exe
PID 996 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\kIQLHlK.exe
PID 996 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe C:\Windows\System\kIQLHlK.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_cdf4eb4c7418aa955eb8f81536e6f200_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\UEFJhyr.exe

C:\Windows\System\UEFJhyr.exe

C:\Windows\System\IJxwbze.exe

C:\Windows\System\IJxwbze.exe

C:\Windows\System\BZRSQpD.exe

C:\Windows\System\BZRSQpD.exe

C:\Windows\System\hPQNOLF.exe

C:\Windows\System\hPQNOLF.exe

C:\Windows\System\xSmvYNd.exe

C:\Windows\System\xSmvYNd.exe

C:\Windows\System\jkTPMho.exe

C:\Windows\System\jkTPMho.exe

C:\Windows\System\GwsmVkY.exe

C:\Windows\System\GwsmVkY.exe

C:\Windows\System\OsnwzEG.exe

C:\Windows\System\OsnwzEG.exe

C:\Windows\System\mjLANlW.exe

C:\Windows\System\mjLANlW.exe

C:\Windows\System\jpNQjnD.exe

C:\Windows\System\jpNQjnD.exe

C:\Windows\System\mXQIaXh.exe

C:\Windows\System\mXQIaXh.exe

C:\Windows\System\OwLCBAZ.exe

C:\Windows\System\OwLCBAZ.exe

C:\Windows\System\qfgZdcn.exe

C:\Windows\System\qfgZdcn.exe

C:\Windows\System\brUSiyA.exe

C:\Windows\System\brUSiyA.exe

C:\Windows\System\czEPjyg.exe

C:\Windows\System\czEPjyg.exe

C:\Windows\System\SjFrNsO.exe

C:\Windows\System\SjFrNsO.exe

C:\Windows\System\WpXuGxv.exe

C:\Windows\System\WpXuGxv.exe

C:\Windows\System\gdmazGA.exe

C:\Windows\System\gdmazGA.exe

C:\Windows\System\IMoAAxN.exe

C:\Windows\System\IMoAAxN.exe

C:\Windows\System\VMOLuqB.exe

C:\Windows\System\VMOLuqB.exe

C:\Windows\System\kIQLHlK.exe

C:\Windows\System\kIQLHlK.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

C:\Windows\System\UEFJhyr.exe

MD5 5d9ca81f3d091f084841f9f0c6796b57
SHA1 03473ad00928c1e19e3fd83a5255b9ec6936bf6a
SHA256 ada4274eed3e25fb190061a6e16f4c47e716b1269bea1fbfa21129584988b6fd
SHA512 a0d128c2771ed514475714893879b57721171068d038e2d7165bceae6b04d9f48eebfb8fcccf8055519e8421bb999c38159f47829e33ba8146951dd42481a917

C:\Windows\System\IJxwbze.exe

MD5 57d84755f1aa157b2e6f2c360c0996a5
SHA1 a5c475868c9f010111e6da2b725c7e9f6e5eb2ff
SHA256 1148b516e61530380d6def80825ad2a21d4f1d0a5d6e32a3669e7b8e04dd0228
SHA512 1088910b610cc96716a951026aea7dd9089e5b7390d72dd6a373beacefd2ad66133b479c4354e63223ec0c56d4d907257085342423c44ec27dfa88853a9fcc40

C:\Windows\System\BZRSQpD.exe

MD5 770af445eb854d6dacf948a36d32bbba
SHA1 aa44ae5214f62baa552996d60508fe3d56821df3
SHA256 fb1b47fd8a8c365150869b5b3bb0d4324efc46abffaa30b7979e71cdba972ca5
SHA512 402fbfd6a9d9c9787895a53f09a5b4aaf788c366d128664e453172fc7ce337025c789420abeb2e7b23c0c2210be3615e270bdbc5a1ef64e7980108962f304bf6

C:\Windows\System\hPQNOLF.exe

MD5 2e59797b79a636a0f07d442a3c675e54
SHA1 f3e57c807fb81d13f990b57a135de1a4ae9cfd3a
SHA256 6eea9dfdaa8863458ad13b592b82e8c19ca0fbf9a0cbc25e620ed875a92aeee3
SHA512 204d83c4f4a660c7fb49e25cdba0bad4368ccb78538138359897f555fc04a629e453070a287c98babe52a38efdc4fc93cf48ef6aa148a6a3e35bc4c6a7bcab6e

C:\Windows\System\xSmvYNd.exe

MD5 b6400ae0bf6be6e4267cb91149e45e47
SHA1 a4e7b3a64bd4fdb8ae1bd32a068b10080b1486a6
SHA256 0dd13e8b889c86015d73215b53efdae019c77ee6714c7a9ceb3b4390093c0a13
SHA512 82f17e60ed138b48fc1427ac1c8b2ffe5f09c3b31aa1edd47751d17dff358160574bf8286dac15c4cfb59b8a93ba1dfde4b2bd6b3b1a4357c1e2f0fe5debf66a

C:\Windows\System\GwsmVkY.exe

MD5 5f746a240f1b4aaefd945d15dae0b1e7
SHA1 96289f13fb1b2a3a025ed0070d32e57e41d27818
SHA256 e46f2db07bb0c0e0f481a65c9ae181acc0e985d08d088d12cdb5fcbe56e64e59
SHA512 3cbdf44a39cafbcdfa02aca13053663cfc6778f819c8664396e4884bdf950628562c0019d8235b9134a47a4ee3393486464a31d67a106a24236d8d8e88ab7b5b

C:\Windows\System\jkTPMho.exe

MD5 0c1b9ded468650dce1ee689f1113045b
SHA1 7019b138bc247077e60646d5914636f888908fe7
SHA256 1082e091454b24f9907a15e198211ab4a2f5fe18d277507ad8f90ef91f2fda14
SHA512 2de29b1621e019460ed99799bb8a5c570cc90eb4de6ec268b82cffdfcd7e74e0b4e89be005dc357606c11b81447ae443c4b52887cba64d72ae0e7f3bf8b1b014

C:\Windows\System\OsnwzEG.exe

MD5 2bbe0a05da4cb2e1c29f0a434f774a23
SHA1 01bd2a77bd80168cdc6c6e92fb1272290e9ed232
SHA256 7b58932650ed00d8765458face4d90812cad128885cdbc6029d05b88d3118d96
SHA512 3c76ff3464401c127fb92a4f4578b2cd6cdc83f0bd7934717c4d81a2f0375f8d6a1e23048fe0c28ff221db3ba7999c0b889be7d7bdeb7ec50284b5d04a8004e7

C:\Windows\System\jpNQjnD.exe

MD5 e83c90b47d31812005d14dcc8263da08
SHA1 82f0ad844a8cd482fbefea9bb4ad42e0753e29cb
SHA256 8e7cc3dbf72313d74dd059dd1299caabe09ba8ef76eadd8c3a87dcde45b2705c
SHA512 266bb2d0ab2422499b262934315e10cb28400c2d6267849e16778b396aff275de18eeeadec822f7156b7f8f36b475575f5781b2119fcf40d9a87b4198fa5b324

C:\Windows\System\mXQIaXh.exe

MD5 59becea4a178ca48b2be223626446ba2
SHA1 798446d7d53715dde900b267ede6b5c209bad3c3
SHA256 7f7dd94762f58c3623548a96dd61c9fa0055fa12240cac386d4be2f7c327d2a2
SHA512 0ff5eb1941c3d2f0c0108988838803ff74e419bd3699f7297657e81c1003b813a8c6f5506ded8e4c4caea6866b60cb6688e7817bb674143fb5eef6044b6118bd

C:\Windows\System\czEPjyg.exe

MD5 ac6910eda21a5ddd739b73b30fbae3f6
SHA1 7b6b5a30a3f088614b5a00349e20962cba1fc726
SHA256 ddc091b2ac0d25a9356a65e6c5e412e61072ad7c217e92f391eaeb8e0054bb0c
SHA512 59491546f9eec7f41a3c0c593daaeb7ffbd482d7ab49e38881d674e95473f0c03cd5ceb3a2a171134f4210284140a32c1a702b2ffdbbb1d7ddfac2ba8a849da8

C:\Windows\System\SjFrNsO.exe

MD5 3b401ca04859a0d52515b7b2ddf34635
SHA1 905d0d276febcdcaacca4747250da819d5129b51
SHA256 9b9932467387b8be6b1594dcf72c4682bd434265299c18f1693e84d4cb53e7e3
SHA512 f1d68a46db0aa2ea2a9cc0a738f6dea37c5ca8d7b75874dccca29f579eb11493ddd4ef89647a453072711af5c2fcd1cc1c4de427ba7565342df8ccd86560ba55

C:\Windows\System\brUSiyA.exe

MD5 21bd3dbb62c940d510d3e4fe7cdc9ef8
SHA1 d981373b8450c1e516e6b8d721d8863cb16d5a3d
SHA256 0a690096466cbdf9a02d2be16519428f943f55e9cdb1d03568c54923b25ce881
SHA512 0512e96ef07512ed92bdc43ee27cdb5f6485db93938627e5299d5d382c3ee1a4c7c0cfc831613a76d7842356a01dc1498c3207ac384a886f0fea8fd3b4cbfbaf

C:\Windows\System\qfgZdcn.exe

MD5 03686cfd6bbb43c8ac4dc50889b137b9
SHA1 6800d5588f6a43ca169ee2c40a9fceeb5a54e5ee
SHA256 ca47b446aecd91112038d34e552b47a5f46c4644080b07ddbdc37007b9159471
SHA512 529d5e858f06c4743cb789c3a961b0d51ebcf4e4349ad70aece2c30ac43062a7b4932080525c55fc8af3690ae2760c5e4efdce79b5b27264e9b359474abc77a2

C:\Windows\System\OwLCBAZ.exe

MD5 ca9b052436019ac5dfa3122b21c4050f
SHA1 e11c5fa85a0947fbe179f472a6489a21a9e8c4b5
SHA256 02e9c05c5daec122036b6094693923ac801d802ab995bdb2ffb6b8675b74cb97
SHA512 c602240e1d5ca9bf01a6fd817bcb4c2fc488595b481607cd51efa48f8ccb2f0f23ed68666fa8eaf8f587e43c4c90f7965d15361fe8477ce6970451be4eefaf5a

C:\Windows\System\mjLANlW.exe

MD5 06335ea2a90ed2c26fd7b30c8367e42b
SHA1 6f182c7b7517b333c7a8395b4416566eec761a46
SHA256 84b348870d953605c27209a056b61548e85bb807f987fc7dc83141d53be4a376
SHA512 232b5830376e7faf25aa7064b9c7cabe6c32fd27748cb1e461b198bae3680403461290a180ef86ecb5ab89890a62fa981c7de3fc038b026e5e69a4826a0c2137

C:\Windows\System\WpXuGxv.exe

MD5 1d51a6f9f8f706d40a78f27cac287065
SHA1 981c2096ede4558d1ebc91ef5d6ea849a5e05a26
SHA256 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1
SHA512 f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97

C:\Windows\System\IMoAAxN.exe

MD5 d087d60bee972482ba414dde57d94064
SHA1 0e58102d75409e85387c950e86f4cc96da371515
SHA256 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9
SHA512 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b

C:\Windows\System\kIQLHlK.exe

MD5 b170a63cc779c45f18a0771e5f859c0a
SHA1 f636def61b9d00902f8b1bfee6fdad335e4d118e
SHA256 17748baf841ebad4183a37a9c8c1e0fbe63d073f02196e2748aea4b02a0ad877
SHA512 41c3a1d667572fd6ecc6294cd43fd3734a2f024da6f6764d10785f9db613962eea5cebbe5876659ceb788f6b9e1621878cfd04e5db5cca5621648158451e8ba1

C:\Windows\System\VMOLuqB.exe

MD5 05e1356a0d856137a03d056c65b16222
SHA1 462e69c9ee12c3f7df02ef7a9e94470b534c4c76
SHA256 82b22d9916e7d0de0801889913b443da6f1c1d5cf1b19957607acd726d6104cd
SHA512 4cd73f7193a1d8c2587bf1d26cf45dcbee92621ed99e4cd2a85d0b06e47378fed2d99463727608184f2a9a21bd5a9d5b266086e1a53ef7d0f8fabae168885229

C:\Windows\System\gdmazGA.exe

MD5 9a6f6b27fa65d697d9f84ec5e9c20fb3
SHA1 bdca14285a03999a8b0a55890bf5a1200d7fe3c9
SHA256 b529ef82cb1ef02a06805d27424e54bdfff2baafdca43cf33060a3d49065a706
SHA512 e4a31cf4d80abd8ec5fa34d56522f10f6653913244290f9a73bbc5fda4ae4ac42f8fcb0db5edd335975ec2d6a9be6b759c82535d1e6db3d59f9a3fbc27b9ff3a

C:\Windows\System\IMoAAxN.exe

MD5 2127d64a32af87f4ef05b2be722551d9
SHA1 0a7b04c97fb2f925c3a48a6a8529d707749b3c08
SHA256 0f44b54ded9f58f8179ab537915384130a258cce457b35eaf1bdef09b235b784
SHA512 7d133fbb916ab5211dce8bb0f4a93c2cd841db69a3c28f464b68ae3a6c3b49a9af0117d062aa4681768a9d2ce0fe9ae2e7d8363d65baeeeaf6e1310700435a4d

C:\Windows\System\WpXuGxv.exe

MD5 9e650eb2d97191c3995a6557dbb43ba3
SHA1 82553242c5d7d931a035fbc11254a469ea3ebd03
SHA256 fc49146c4bdf398995bdc03bd7d82342be8c32ba8c801faa3ce395506307d999
SHA512 d2533522df44f3159318f0146cb72e1baefc19d4eb0a7cb251eaaf6aa19b649280b99df6ba6426b0c68feba6ccd32a4e720d6b86cf9728bae001f8401c7e9e07
