Malware Analysis Report

2025-01-22 19:40

Sample ID 240601-dlhbtaff8y
Target 2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike
SHA256 d2bd88618e3800133a8d9e0db2c37727a41513cf9bc68122821e6e8f5a316c49
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d2bd88618e3800133a8d9e0db2c37727a41513cf9bc68122821e6e8f5a316c49

Threat Level: Known bad

The file 2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

xmrig

Detects Reflective DLL injection artifacts

XMRig Miner payload

Xmrig family

Cobaltstrike family

Cobaltstrike

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 03:05

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 03:05

Reported

2024-06-01 03:08

Platform

win7-20240508-en

Max time kernel

124s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (61 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (61 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\Gialqwe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hqsbPJp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vOjFUcm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MnQAViU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oeZrCBO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zCVkuIQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cprRiRJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DkzxflM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OGYJVwr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eWkWWNr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HUbDulp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MegcHRa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZMWxDum.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kyKpOnA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UijatYD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LELGmTh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mncqekz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DuGzhJj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bDXbqpU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eOmLMjR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sDOyaWG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\hqsbPJp.exe
PID 3056 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\hqsbPJp.exe
PID 3056 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\hqsbPJp.exe
PID 3056 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZMWxDum.exe
PID 3056 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZMWxDum.exe
PID 3056 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZMWxDum.exe
PID 3056 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\eWkWWNr.exe
PID 3056 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\eWkWWNr.exe
PID 3056 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\eWkWWNr.exe
PID 3056 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\vOjFUcm.exe
PID 3056 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\vOjFUcm.exe
PID 3056 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\vOjFUcm.exe
PID 3056 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyKpOnA.exe
PID 3056 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyKpOnA.exe
PID 3056 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\kyKpOnA.exe
PID 3056 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\UijatYD.exe
PID 3056 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\UijatYD.exe
PID 3056 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\UijatYD.exe
PID 3056 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\HUbDulp.exe
PID 3056 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\HUbDulp.exe
PID 3056 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\HUbDulp.exe
PID 3056 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\MnQAViU.exe
PID 3056 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\MnQAViU.exe
PID 3056 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\MnQAViU.exe
PID 3056 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\oeZrCBO.exe
PID 3056 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\oeZrCBO.exe
PID 3056 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\oeZrCBO.exe
PID 3056 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\MegcHRa.exe
PID 3056 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\MegcHRa.exe
PID 3056 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\MegcHRa.exe
PID 3056 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\LELGmTh.exe
PID 3056 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\LELGmTh.exe
PID 3056 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\LELGmTh.exe
PID 3056 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\zCVkuIQ.exe
PID 3056 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\zCVkuIQ.exe
PID 3056 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\zCVkuIQ.exe
PID 3056 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\mncqekz.exe
PID 3056 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\mncqekz.exe
PID 3056 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\mncqekz.exe
PID 3056 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\DuGzhJj.exe
PID 3056 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\DuGzhJj.exe
PID 3056 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\DuGzhJj.exe
PID 3056 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\cprRiRJ.exe
PID 3056 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\cprRiRJ.exe
PID 3056 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\cprRiRJ.exe
PID 3056 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\bDXbqpU.exe
PID 3056 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\bDXbqpU.exe
PID 3056 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\bDXbqpU.exe
PID 3056 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\eOmLMjR.exe
PID 3056 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\eOmLMjR.exe
PID 3056 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\eOmLMjR.exe
PID 3056 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\Gialqwe.exe
PID 3056 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\Gialqwe.exe
PID 3056 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\Gialqwe.exe
PID 3056 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\sDOyaWG.exe
PID 3056 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\sDOyaWG.exe
PID 3056 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\sDOyaWG.exe
PID 3056 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\DkzxflM.exe
PID 3056 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\DkzxflM.exe
PID 3056 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\DkzxflM.exe
PID 3056 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\OGYJVwr.exe
PID 3056 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\OGYJVwr.exe
PID 3056 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\OGYJVwr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\hqsbPJp.exe

C:\Windows\System\hqsbPJp.exe

C:\Windows\System\ZMWxDum.exe

C:\Windows\System\ZMWxDum.exe

C:\Windows\System\eWkWWNr.exe

C:\Windows\System\eWkWWNr.exe

C:\Windows\System\vOjFUcm.exe

C:\Windows\System\vOjFUcm.exe

C:\Windows\System\kyKpOnA.exe

C:\Windows\System\kyKpOnA.exe

C:\Windows\System\UijatYD.exe

C:\Windows\System\UijatYD.exe

C:\Windows\System\HUbDulp.exe

C:\Windows\System\HUbDulp.exe

C:\Windows\System\MnQAViU.exe

C:\Windows\System\MnQAViU.exe

C:\Windows\System\oeZrCBO.exe

C:\Windows\System\oeZrCBO.exe

C:\Windows\System\MegcHRa.exe

C:\Windows\System\MegcHRa.exe

C:\Windows\System\LELGmTh.exe

C:\Windows\System\LELGmTh.exe

C:\Windows\System\zCVkuIQ.exe

C:\Windows\System\zCVkuIQ.exe

C:\Windows\System\mncqekz.exe

C:\Windows\System\mncqekz.exe

C:\Windows\System\DuGzhJj.exe

C:\Windows\System\DuGzhJj.exe

C:\Windows\System\cprRiRJ.exe

C:\Windows\System\cprRiRJ.exe

C:\Windows\System\bDXbqpU.exe

C:\Windows\System\bDXbqpU.exe

C:\Windows\System\eOmLMjR.exe

C:\Windows\System\eOmLMjR.exe

C:\Windows\System\Gialqwe.exe

C:\Windows\System\Gialqwe.exe

C:\Windows\System\sDOyaWG.exe

C:\Windows\System\sDOyaWG.exe

C:\Windows\System\DkzxflM.exe

C:\Windows\System\DkzxflM.exe

C:\Windows\System\OGYJVwr.exe

C:\Windows\System\OGYJVwr.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3056-0-0x000000013F040000-0x000000013F394000-memory.dmp

memory/3056-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\hqsbPJp.exe

MD5 f99be095413efc891b0c7d8b66f0ea8a
SHA1 6eb1a153c362562e974c828819ace039ece82f00
SHA256 45bd3b1e9a3838b21e59d8a8c5faa20bee4434ebee07758806dc03c737c81569
SHA512 b1e3f21f8c296e8ac7258d90ff1ecea54d4484e6a1234d028ae48515d2c3fe02e579ff6553a359813eff783f32fa8c79dab1f684d88ecbf5bdba76aff90ce798

memory/2456-8-0x000000013F2C0000-0x000000013F614000-memory.dmp

\Windows\system\ZMWxDum.exe

MD5 f2d29204e190c8bd6195adae4cf8aecf
SHA1 e4883cbf17e9db51a337d5c8b45dc252743005df
SHA256 fb09bc15fe85bb3643c915e18310f4a9c1c7eadaa1e7b4540335a0c6dd73e31b
SHA512 9129265047dd9c609b4ea71036ee900befe8a5c442e15cc9930a7302a19be285167c1ea09300218119807e9b7740b1bf0d0013855f16e1c205c6662134fcbb30

C:\Windows\system\UijatYD.exe

MD5 d68cf579743d307481c0ae2ef727fab7
SHA1 6f6b67ce5bfbae3aa14950c9031dece0d3fd9a85
SHA256 b70171c7d2174fcc43a0714d5995866f9b7132668760fab38741a95cddff89ae
SHA512 6fe9c9262e246dd683211f04470c88654ea0ede0b96e9ed609295475f2dcee773282f1f4239fbc3074dbe0b87cbdc1b4c4550c76c6f2195917ddd72435ad12e7

\Windows\system\eWkWWNr.exe

MD5 702cadc70c16a07fb8ce77a7332d3362
SHA1 467a099c1404069805439f59068f474c9389f32c
SHA256 33d624cc4b5a48c906ad49f2c50bd95cb61ea7e6af049f0931d77f07c4e60a3b
SHA512 732956c55b85f6a478099a6ece9a2562bb2293bad4079deabb1a9bf40715275234e6ee899c8c14eae91528a772c741c53b24f3d78481cac0ac511bec8d6a71e3

memory/3056-50-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2812-52-0x000000013FCC0000-0x0000000140014000-memory.dmp

C:\Windows\system\kyKpOnA.exe

MD5 ba0dab4e9bd65b24c3fac4f5d41a2cd6
SHA1 03211f423cdbfadbb60a77d029472d8b2e65733c
SHA256 5b41aee25e125e1a4112dd03e71396be015e6f9e7665e7f98812ae5db4162915
SHA512 1a9ca0f92696989a24b2cd255e07e63827812aff9ef9e3e3597d21ad94b8d76d45e032c97dff7f615198b8c9d8a943f7081aa18022f49269d43f36b8d1b219c7

memory/3056-39-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2644-72-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/2556-63-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/3056-85-0x0000000002320000-0x0000000002674000-memory.dmp

C:\Windows\system\DuGzhJj.exe

MD5 bcb5e2b8e3d128c21b7c74f175fc386d
SHA1 b1c78ddaf7fef9479bf4ade01dc56ceaca0a2afb
SHA256 cf28ba062dd0d4529d17571bb2f40e74113e0adc1e0dcebe721f7aa840b3948d
SHA512 faa96533917d59b29d38dd4e4169b5879b5e3cb5ebd50f114778d43f60bc355d69b2bcba07a95143321a79879badedff57c758060b0106b9fc735ea88c37a995

C:\Windows\system\eOmLMjR.exe

MD5 bb36f6e0801f7c4ab9a0f11670bd1cf4
SHA1 83df28ca5e66d5195ecdc1d1b6edffbfc384c729
SHA256 73c917af111f6c51bf7e13765a1f418b987d6fdd2d7cb422bf2f12402ac5be89
SHA512 1b97c3a6b55100edf82b558d422f0ecf2a5e223ac199c357388d20b042f3eee439b8fa3d85e87d67182ac3eee7d429c6d4bf8f7f36927ce3d9d1cdfbf28f98ee

C:\Windows\system\DkzxflM.exe

MD5 6cbbf68e3292c9b7811ce6afc986b0a8
SHA1 8c58d4f0ddffa2e789dfea7d6eb18e22b49ef777
SHA256 ba2ba4e29e87840ebba07407eec4178c37bccf5c8e53082c5cf30d73b474f41c
SHA512 d6030b4ffc94b47faa434adf0336a49e9d93f019f33e7be8a0cf1e2d8ad9532cbd3fc59c6c69da97ba62cad32a0e493a22ce88ec2fb068d7ccbf7b21530bcbff

\Windows\system\OGYJVwr.exe

MD5 f71721f4c4b245614fc8feff4fdb1e3c
SHA1 a9e9bcaec0b915f6b1d5bb5e6559c8a352cd331d
SHA256 ab5ad4c924769195d602d4c3661a2ead70cf4c27ada0b2d409c8163915c6587b
SHA512 2823354ef33854aa7512256e9c97d7f2680f06648fa6bcf035880fb554354dfa5d47931b8686a6e954722e87d25c35b40e8740b40e35eb81d910a0026a5b6bfe

C:\Windows\system\sDOyaWG.exe

MD5 2cfdfa2e7e6707ba61c96780c63909f5
SHA1 6335567c8231d8b847a7756b14fefa9c46cd7093
SHA256 48074380a6321e6b44577c8b2491c5431fd37481955fc1642c679478a44c834e
SHA512 7ce7ffde91609a96d40eafa4f55bd5eadb0bc58ad59e9d5061e9d30965356396a4b2a603aa48bf318c7c5bf2c8879250a2b3040ff5dc1d8a99bcf2beafe0285f

C:\Windows\system\Gialqwe.exe

MD5 fbf9701ad23581739221a3e01ee13595
SHA1 e227dd57955a35c359750b7244ba2793f62707db
SHA256 83e661a39589b5ddda0c61a79f34c639f2304106edb437c0184fa1721b6d8987
SHA512 76803e5f3a3fdbd55ae51acb24a5da7d8d364dc2f9f62969f07bc290840dbc8e644d1500cf90d08d68f09ca5719e21c4e6f419c0d5bc9a6ec4200d9b9fa9b1b9

C:\Windows\system\bDXbqpU.exe

MD5 f38feed12c1e4ca355f61006c8d5fad2
SHA1 74b08cd4f40a82513bca3598f8bfc08c1ce10a37
SHA256 e831ca399d1e0693b2dc0f2f2794c0173388db60f85d884de720e068a9a674a9
SHA512 86e5dd625c1385310bf6684075d30bf6b9763994b84b3b6e93d9ac558a6d07986d14a1cc8eef8d6c43b0456ba4680a0713c8306c9e7cd1345d87549843da8a56

memory/3056-108-0x0000000002320000-0x0000000002674000-memory.dmp

C:\Windows\system\cprRiRJ.exe

MD5 9fd24a3b5e3014f72849e3116723ec0a
SHA1 379ae9bd42d8dadda66601984b40997f5e3bd685
SHA256 43679d89aee9cb0eb1ba46bf5b3b040cd13ad7ed42c39f459cab967a502de351
SHA512 5c0c74924c57b09961be3d6438435973239ee5e3a0d025f8f488c093995c57f625ee58accc925b8ec9f81a1676db2bc6ef79641cd28f1f6c16d7ac150570ec2f

memory/3056-92-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2624-91-0x000000013FBC0000-0x000000013FF14000-memory.dmp

\Windows\system\mncqekz.exe

MD5 931f03dc3a3725656f0467c11c38a4c4
SHA1 cf897f01adb76b0219e82794325e7e8d8fb42eed
SHA256 78a740d758dae27effdd455a72ddea0a00a54a336bbee904695a43ab43d2ff92
SHA512 221cf6e9787b97db09cf76473d8eafaaf26885a4dd1611f19366fa54c55868393532707c97747ed6735f4a48690d5cb9958da5937cae71f36ea5dde8c797c360

memory/3008-104-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2988-99-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/3056-98-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/2716-97-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2768-86-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2188-84-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2064-78-0x000000013F520000-0x000000013F874000-memory.dmp

memory/2640-140-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2556-142-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2904-141-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/3056-77-0x000000013F520000-0x000000013F874000-memory.dmp

C:\Windows\system\LELGmTh.exe

MD5 07e3184a03033a7c38863bc79e0e484e
SHA1 8fa956103be5f830335fb0e714e72233be15a61e
SHA256 1779efba1d2f4d725000f23bd4f11b43caba3a930957b6f7983ca67d58a57c9e
SHA512 c365815598674ab66e9ec7dd22a605b942f4b0d87b0261a875835b94fb196fc57a2487320d936fdb33c001023b87079a92f6a6ddf6c84b6e7fc9a94723998ff3

C:\Windows\system\zCVkuIQ.exe

MD5 2dd6facfd1a0046bb866e7544874c2fc
SHA1 6e7d935dd86a73f5264090eb79d0f386b0357c81
SHA256 8d36f1e6d4bfd73d19f7698413e1879fb71e16ddab2ef3c63ba48632f90b27ae
SHA512 92704936f0770148697b3f082f0365201af633ba4ac488ebbeea327415159c15b2c26998ea13247616466e875a325e5ecce9b22d89770ecbb7b44ec278f9d5bb

C:\Windows\system\oeZrCBO.exe

MD5 a48dc16c6928fc9558f3d6cde743c6c6
SHA1 f7edff8357c0316e72d7da4d37cda7a2e4b7c29f
SHA256 c95b703a18019c905d05f48d788af488bfd7530a88360694234236c84b76fbd7
SHA512 868555a529bf055584b1a487c64a49ff2654ad425d1acb1777c35cf3aa3e19cca5ca02367f2b5b554768c6c7bea9eb53d088c573808fb026e70f5ed92c06aebd

C:\Windows\system\HUbDulp.exe

MD5 1b95fd58f1bd66f8f9c410b8629efb17
SHA1 c3ea004827f24e23c7966545fcbd301e23cc5fdf
SHA256 e5e2b249bb9020ca17150cef50a8c3ad7a7fa9c351fa325528644ce59db9b79c
SHA512 114ad72f0fc0eb9204e15166f3f44caa4dd36ac0741034919e4c7d72295d4306583a59f3581dafe78ac0d5318b991035b726499d40b208eb299a8e36434c9126

C:\Windows\system\vOjFUcm.exe

MD5 a689e74d341def637b55f19071f9436c
SHA1 43a66cdb41584d022ce168bcb821e5e57077d4c2
SHA256 35e843b33fb8d3d3e67d0184049cb2dd7c4ffd35e2ab0b5ddbab052c89aac831
SHA512 ce59df8d7c55213e529d28b7619aad5b8e59983847b278397fa864ac34397fecddf12a2a1fa59656abec3d77a452f1d2c113d99429e93305b834da1a94c03393

memory/2188-17-0x000000013FA30000-0x000000013FD84000-memory.dmp

C:\Windows\system\MegcHRa.exe

MD5 04a8e75080ef989a5567c11d94426da1
SHA1 dcdaa40c2515469394021762a7e95ccadd86f691
SHA256 8a7a76727cc6f558c046abe90a83f49d25ee78aab3fd98b7a86bedfe6416a5ca
SHA512 adbfe5016b20ba9cd8f7452981bc79c7c42a8b26d349d9e5c93061da1413832aff2b0456ec65bbe61fe658f63556022f0ec09960dd7ab0ab1c216e4c56c00e94

C:\Windows\system\MnQAViU.exe

MD5 ad2870a85eb544848e83663279118d1a
SHA1 45232f5568750fff0f200f926c7b6767020171f5
SHA256 eae31ddab68fe23984ccac57bea77b91f326056968a618d6033e6098a5df0f70
SHA512 54e021c75cb258c02d534c586702bd272b73c18919f1c3663c0fdb343092265edfb869c8eaa8dfec744f8e5d4facd146e7663de4fd2cbbf0b675dce8346535da

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 03:05

Reported

2024-06-01 03:08

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HNRItUT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iFPEQeO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wFngEqy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wOqiKgR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QIEfxux.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YJsCVnj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\syIdOlK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zEIOTvf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ltovcSg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\atNEhnV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JaksOup.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OLOXPIo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xJnsPuL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rfGtZag.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tGsrMAS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nLglsCa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GmJxHMQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\biNYeJI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DkXwMBW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zvMJOZp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LXxmLac.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4004 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\nLglsCa.exe
PID 4004 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\nLglsCa.exe
PID 4004 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\GmJxHMQ.exe
PID 4004 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\GmJxHMQ.exe
PID 4004 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\wFngEqy.exe
PID 4004 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\wFngEqy.exe
PID 4004 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\wOqiKgR.exe
PID 4004 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\wOqiKgR.exe
PID 4004 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\QIEfxux.exe
PID 4004 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\QIEfxux.exe
PID 4004 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\YJsCVnj.exe
PID 4004 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\YJsCVnj.exe
PID 4004 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\biNYeJI.exe
PID 4004 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\biNYeJI.exe
PID 4004 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\xJnsPuL.exe
PID 4004 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\xJnsPuL.exe
PID 4004 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\syIdOlK.exe
PID 4004 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\syIdOlK.exe
PID 4004 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\rfGtZag.exe
PID 4004 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\rfGtZag.exe
PID 4004 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\DkXwMBW.exe
PID 4004 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\DkXwMBW.exe
PID 4004 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\zvMJOZp.exe
PID 4004 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\zvMJOZp.exe
PID 4004 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\zEIOTvf.exe
PID 4004 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\zEIOTvf.exe
PID 4004 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\HNRItUT.exe
PID 4004 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\HNRItUT.exe
PID 4004 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\atNEhnV.exe
PID 4004 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\atNEhnV.exe
PID 4004 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\tGsrMAS.exe
PID 4004 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\tGsrMAS.exe
PID 4004 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\LXxmLac.exe
PID 4004 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\LXxmLac.exe
PID 4004 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\JaksOup.exe
PID 4004 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\JaksOup.exe
PID 4004 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\OLOXPIo.exe
PID 4004 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\OLOXPIo.exe
PID 4004 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\iFPEQeO.exe
PID 4004 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\iFPEQeO.exe
PID 4004 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\ltovcSg.exe
PID 4004 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\ltovcSg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_127e9d363e51a9edf7b9c303ee305c85_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\nLglsCa.exe

C:\Windows\System\nLglsCa.exe

C:\Windows\System\GmJxHMQ.exe

C:\Windows\System\GmJxHMQ.exe

C:\Windows\System\wFngEqy.exe

C:\Windows\System\wFngEqy.exe

C:\Windows\System\wOqiKgR.exe

C:\Windows\System\wOqiKgR.exe

C:\Windows\System\QIEfxux.exe

C:\Windows\System\QIEfxux.exe

C:\Windows\System\YJsCVnj.exe

C:\Windows\System\YJsCVnj.exe

C:\Windows\System\biNYeJI.exe

C:\Windows\System\biNYeJI.exe

C:\Windows\System\xJnsPuL.exe

C:\Windows\System\xJnsPuL.exe

C:\Windows\System\syIdOlK.exe

C:\Windows\System\syIdOlK.exe

C:\Windows\System\rfGtZag.exe

C:\Windows\System\rfGtZag.exe

C:\Windows\System\DkXwMBW.exe

C:\Windows\System\DkXwMBW.exe

C:\Windows\System\zvMJOZp.exe

C:\Windows\System\zvMJOZp.exe

C:\Windows\System\zEIOTvf.exe

C:\Windows\System\zEIOTvf.exe

C:\Windows\System\HNRItUT.exe

C:\Windows\System\HNRItUT.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4184,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8

C:\Windows\System\atNEhnV.exe

C:\Windows\System\atNEhnV.exe

C:\Windows\System\tGsrMAS.exe

C:\Windows\System\tGsrMAS.exe

C:\Windows\System\LXxmLac.exe

C:\Windows\System\LXxmLac.exe

C:\Windows\System\JaksOup.exe

C:\Windows\System\JaksOup.exe

C:\Windows\System\OLOXPIo.exe

C:\Windows\System\OLOXPIo.exe

C:\Windows\System\iFPEQeO.exe

C:\Windows\System\iFPEQeO.exe

C:\Windows\System\ltovcSg.exe

C:\Windows\System\ltovcSg.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4004-0-0x00007FF6BD500000-0x00007FF6BD854000-memory.dmp

memory/4004-1-0x000002C014B00000-0x000002C014B10000-memory.dmp

C:\Windows\System\nLglsCa.exe

MD5 a9c250398820e7fb5f71ac5036fbf35a
SHA1 898a3d25cade88a4e29323b03f86661c6e5019c1
SHA256 c71df6e37e0d669acdcb516499f7974ccfa5dc4cb3b0c88a7756e3211ffd006a
SHA512 b7f8a6671cae8438a65b2597610048ffaf306d73023882b9686712d6ca20b629ddcd9a8c9f6fed2de7141ca24e97f873761e9f3157077dc3962ae24fbc237d7f

C:\Windows\System\GmJxHMQ.exe

MD5 60ba4cf6e4eed3fb5d7cdddc0a38c42b
SHA1 0ac3c92d8ee2df597199ac66e0876a7be8ea7f4a
SHA256 79b6d9c381c56559782d148040adc73cb8f20db3a83673f52abf49d39366f500
SHA512 a1d6df5dfa9cff153f01082b51ba3ec5ca385cb6703fd4b450a6c2c25e941be4a41e79fc2386abce41fc7f35a0f163f8a96ab515cd15c1c657fc48d3192e056a

memory/3292-12-0x00007FF6E9510000-0x00007FF6E9864000-memory.dmp

C:\Windows\System\wFngEqy.exe

MD5 09157b269f26173045213b5963fbdf13
SHA1 54f3dfa740b9378bb2871bf7a463ee4e85d1ff78
SHA256 585e5fb9128b39af98c06676f8f3c3daf456498d09ce5ee1a272acfbe8e3ffe5
SHA512 75a35ffeedb360f1dbff11ff8e428594bd87d3281355727ac8db9777928bca2d2613206eec2a872ba675baf5a829ba1615593f315d0922b80ebc664bf50b8821

memory/1408-19-0x00007FF6DE820000-0x00007FF6DEB74000-memory.dmp

C:\Windows\System\wOqiKgR.exe

MD5 7a2232e256d1a82ad04689424b7b6115
SHA1 8475661d1345ea8fc454f68a5054796433b144ef
SHA256 48f2d9bfbc8ce0b5bc862ce388cc17dad7b4a4dd24566b8f86c3a3a2d71ca56e
SHA512 2ddf77340ebca55b4494f7b5e32a4eecba4bb03cf6b408ef29afcbfa2d91805384a940443c322bd1591890692277054184a1360e491ed864226c29bf16278303

C:\Windows\System\QIEfxux.exe

MD5 1414d29170192d4b7fe1ed24fff110db
SHA1 67dc2a8b4615fdacd5a5289f12093262d6222974
SHA256 bb3daa5dabc772bff0256ea7ec50b488b077b2a43b87807f6eefec4dd9b52efd
SHA512 0875fb0e34900868b84d1a806a046f466c0f90b4f391a7dc9b19c559c7da517bf15b385b15c2b55e968fb01041cd44407efd0b483d849f59131eb81ebb50b3b8

C:\Windows\System\YJsCVnj.exe

MD5 2869812ffd95b73c4626c5cebcddd39d
SHA1 4c21e999e36d61f7fb33ba85daeb38efbdc634c7
SHA256 b3bdd40dad6af69ddb99bedf1b691e39e8d21c4a173ac80d709991a4c60573b1
SHA512 1e6ab99c897826e3210db8d86599a935164b7975d05b4a8bacad146bb33e0b78a7d609b54233845696813a02e1be383eab7e22c0dbd2f436f4dd1855ca109f46

memory/3340-34-0x00007FF6B1530000-0x00007FF6B1884000-memory.dmp

C:\Windows\System\xJnsPuL.exe

MD5 2ffc301ce0cf3cbb499546e523a4c042
SHA1 f09f01eb92f03233425cb82a71b50730ee794e0f
SHA256 dc24e63f222ecc4a25b3eee88471fa5eb2b87f37be9edf0bfb0efcfabeaab981
SHA512 12660f1bbb67351cc8f27b17f4e9877fd667de085bcb3c06630086b5c54f7e57623429a4bcb4c2fdf0a9b5ecd8fcbcac816ec1ff9f3f668b37351cb7b4f8bf2c

C:\Windows\System\syIdOlK.exe

MD5 5ddc4d7ec98e9af443c5f64dde0e1f4f
SHA1 ad1ac4730272cde4ae527697c565edd898ad945d
SHA256 f33d68c149cb99c29ca7f202b489c0ab4d69c1f71ca7e208e1468393588ff9e5
SHA512 3e23e8729c95899231e7decbe426fd9d681fdbfe4e979a9ddd4c4cb4fa526cfef0ad95792391d300ecc0ba395466f8158f6c4d902cea5420ee60fd4821619a99

memory/3964-56-0x00007FF621930000-0x00007FF621C84000-memory.dmp

C:\Windows\System\rfGtZag.exe

MD5 db3c6adeaa577e56a7359cea29cb5272
SHA1 8e3654aa290240a97608d91f31ed6c862e0afa26
SHA256 e09f664e41e6866cedd369f2224d343b988ff02ed279d5c8d02f4895f17af2a7
SHA512 846cd65207da8d0308f1711c8e4e364e888d9756221a617d8ade342dd0786912787daf78443d7c886cd287acf764bce8ec34947db8f5a9b012546e504f729223

C:\Windows\System\DkXwMBW.exe

MD5 380089aaa26b03cd1ff5dd6846378a5a
SHA1 9046ba530a1e3c434ec201e84f3b59077ca1bb91
SHA256 7209e84c85d4dce254623e68f59891990204da1304689537b180013ad9945da2
SHA512 de2d55675a0ca93ac20e9667e4ef91a8c4184d73db3c1ba09f2addf805f4921590bc059195806cc1fcae80472bd032ac850a9e36367e9b0f3aeaff2a5e44d17b

memory/2096-75-0x00007FF63CD40000-0x00007FF63D094000-memory.dmp

C:\Windows\System\zEIOTvf.exe

MD5 705193cce9c2e2e679412ec5d9f79fa1
SHA1 c2527f2c01d1d18c938ead1e7b61690bb3859c94
SHA256 a901f29849f9895ba9f6d06d25bbd4925ad204d4abccbf2b79e00387b8105087
SHA512 31600835494bce8db4db977f6cff77a6ed25663df96a627f38f7eca7621a7bdd59eb284938c437f02882ebf9d8e81fb85534930d08f7401726179355b5934b5d

C:\Windows\System\zvMJOZp.exe

MD5 6c9dbb545d12f4e93e7ddcf3e6c1dace
SHA1 065ac670badeb352b3e72059ef1e183cbe4009ad
SHA256 f0402b8e31705dd1df23937c1df0007b64d501c4d95ac0357001c69485c4902c
SHA512 5f5f087d733f44eca8757e0d3325dd29c32132e55b5ad8d863116ec46a44819a1f1e0105bafc36efe6ab829c7bf002ca729b646aad4582d27390a2877407c346

C:\Windows\System\biNYeJI.exe

MD5 17fcede09fc258c0f5c2eac27d76f14f
SHA1 3fe7ae2054352939ae7df3f91a250a6e1a8ad69c
SHA256 daa78b62cfe48358bf1d1d6538b7bf17ac295a8bae7fa7686ff53f08c919cbe9
SHA512 0c1b31493a490412865006589387efbd5c41ad14f7adf79f3420cb55b5a4b3d4211eac3177e6a16aaf18234ceb97029363c1d22fa71a6a8a53f2ebda8fe6ca71

C:\Windows\System\HNRItUT.exe

MD5 fec09651b6a6d3cb866713208078013f
SHA1 5940923df968737cf7e376e69182dedbbad7d6b2
SHA256 2b172963959dade069fe32b7ca6f937dc3c1ecc20ab5321b4ba0ef0a345b16bb
SHA512 57c475bcb10d8f5e124fe5ee8a8144adb0b9631fc7302b8a7711f5db1d11b13124419894a39cf77f6d6790254d19e153f87c99c997a5c124e0326f65d393cabc

C:\Windows\System\atNEhnV.exe

MD5 9325f6caa79fea7f718aa71180f1f77e
SHA1 47065a4aa5d63ba7a19cb377d1a738d0e1ba95f7
SHA256 f6715522b9f1e0f59694dbf018a5985e95ae0c0bc4f3d656a11efd6eb39cafe5
SHA512 91b9bb382eb4cb07d45a865aaddbbec36ab8c81d42322b6111f899b625a6fd58082b482e37e77ce29083638f2951799f6da6e18f8565d21b2e8e69ce6b13548e

C:\Windows\System\tGsrMAS.exe

MD5 a59528b4cfda13d59b9c401994c99698
SHA1 7daef62b330688c7707ade4d26560ce7d500cd7b
SHA256 a241649fdc1a23be222e39343ba80ec1a3a130fd91111768ee627eb3da0c87c5
SHA512 4774a574dda118a4dd69217acf08e32f801b1e5f361dd1088bed931720133ebde886035e96ae2a8e8327f1e1bb56e7f66a7751c84f42f0b4cb7da994fa0635c7

C:\Windows\System\LXxmLac.exe

MD5 03099c99018f087f8bba98477d41e451
SHA1 5be1528adbe391110415c2c1d78102cf2bc40097
SHA256 47f3848970986708b1ff60384ab7f0db9de649c88dcbeb9f3894b6012ab5dc52
SHA512 eb0ce13843a48d8bc2f9949fb3b3830dada2b8dd04cf13fccac0ecd447de65252d5865edcf4f87ce7a0755693604bebff9d946bcac652a1484eea625a8bc36a7

memory/3044-101-0x00007FF7320A0000-0x00007FF7323F4000-memory.dmp

C:\Windows\System\OLOXPIo.exe

MD5 c17114702e09e9b4206b5aff4740c72b
SHA1 2bfe4e0933b8d0cbcd636c3500ca842332b8d4e8
SHA256 b92fa8b587c55ddc1800cc0b2ccda599453d6d8f7ed3f7fb4b91daa21ce0d9b0
SHA512 be8a6deb8664b923f4ef329c93b1b4b99bfe5320f5be52fef8200f97ad9857ab482c5344c1f21effefbcbd965b2fcda0ce945f98179d832f488c445e09e0293a

memory/3340-116-0x00007FF6B1530000-0x00007FF6B1884000-memory.dmp

C:\Windows\System\iFPEQeO.exe

MD5 dfe4ee1e438a1542e42a2a0878259fbc
SHA1 d5b4319f19fd5cb40ca20770c828dae9b10ef75c
SHA256 2762c5ab69510bf08846f13974af806dbce38f466cd9d13be553044f13a52956
SHA512 d1a31ff8facab4bb2c16da619f8528777b74589504359b25eb231081ed8322bdc7db7b16a7e7a01bf7d75236c528cda4202bb5b0b0f34737fbff5a71bee2fde5

C:\Windows\System\ltovcSg.exe

MD5 98375e225e25626db2a93457f7220d20
SHA1 8c5c2d8ad981163b99e77962c233f0c6a630880d
SHA256 7f078ebdc6c157d70437d0713caa9fd7282d5f5d7900c3e5334340bd995063b3
SHA512 001ffe0992a0a34422dd9733903a4b3ba82417ba9f57eefd50e4773a5fa0be43dc5144b8a1c710fd1616c2b6c73500b8a6ce6a27a6766ac82c138ac3e0219021

C:\Windows\System\JaksOup.exe

MD5 5b84d32e340f86db8105240f52c523c9
SHA1 e6743eee630d82a97fb239d190d9c0c7953413e9
SHA256 e70118f4f0abe77400b85ce4310dafd35b44dcecefa92152e0236fa1f1766dd5
SHA512 efceb69098a8094f7040867cbda3bfb066d63a3f105f68d8294635eb05f514daeac6b3de05d284c590e1fab4131acb0ec42d4d0dccf49d8104693689bf150b77
