Malware Analysis Report

2025-01-22 19:41

Sample ID 240601-dys9vagg95
Target 2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike
SHA256 ca167e6872d3cf69c5f45583095bf03c099d04e80e56092269e5a35aef66b0ef
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca167e6872d3cf69c5f45583095bf03c099d04e80e56092269e5a35aef66b0ef

Threat Level: Known bad

The file 2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

Xmrig family

Cobaltstrike

xmrig

Cobaltstrike family

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

XMRig Miner payload

XMRig Miner payload

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 03:25

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 03:25

Reported

2024-06-01 03:28

Platform

win7-20240220-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no further detail reported)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no further detail reported)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (57 identical rows; no further detail reported)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (61 identical rows; no further detail reported)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (57 identical rows; no further detail reported)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FOgmDet.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sJsHkbr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ySEBFPL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sXMjaNZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oWCWQCF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tWBDRuy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LRjiapD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zAvjOuN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uoTcKne.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HuTTJTs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hwwtTQh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nSOpRSw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CzVerFL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rSsLyEF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tpCybaX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wxjuXGo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nQIhWOB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ycrambg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\byteXcq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ptPnUWa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MlnTFsx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\MlnTFsx.exe (3 identical rows)
PID 2192 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\byteXcq.exe (3 identical rows)
PID 2192 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\zAvjOuN.exe (3 identical rows)
PID 2192 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\FOgmDet.exe (3 identical rows)
PID 2192 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\ptPnUWa.exe (3 identical rows)
PID 2192 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\sJsHkbr.exe (3 identical rows)
PID 2192 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\nSOpRSw.exe (3 identical rows)
PID 2192 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\HuTTJTs.exe (3 identical rows)
PID 2192 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\ycrambg.exe (3 identical rows)
PID 2192 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\ySEBFPL.exe (3 identical rows)
PID 2192 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\CzVerFL.exe (3 identical rows)
PID 2192 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\sXMjaNZ.exe (3 identical rows)
PID 2192 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\oWCWQCF.exe (3 identical rows)
PID 2192 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\rSsLyEF.exe (3 identical rows)
PID 2192 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\tWBDRuy.exe (3 identical rows)
PID 2192 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\tpCybaX.exe (3 identical rows)
PID 2192 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\LRjiapD.exe (3 identical rows)
PID 2192 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\hwwtTQh.exe (3 identical rows)
PID 2192 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\wxjuXGo.exe (3 identical rows)
PID 2192 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\uoTcKne.exe (3 identical rows)
PID 2192 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\nQIhWOB.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\MlnTFsx.exe

C:\Windows\System\MlnTFsx.exe

C:\Windows\System\byteXcq.exe

C:\Windows\System\byteXcq.exe

C:\Windows\System\zAvjOuN.exe

C:\Windows\System\zAvjOuN.exe

C:\Windows\System\FOgmDet.exe

C:\Windows\System\FOgmDet.exe

C:\Windows\System\ptPnUWa.exe

C:\Windows\System\ptPnUWa.exe

C:\Windows\System\sJsHkbr.exe

C:\Windows\System\sJsHkbr.exe

C:\Windows\System\nSOpRSw.exe

C:\Windows\System\nSOpRSw.exe

C:\Windows\System\HuTTJTs.exe

C:\Windows\System\HuTTJTs.exe

C:\Windows\System\ycrambg.exe

C:\Windows\System\ycrambg.exe

C:\Windows\System\ySEBFPL.exe

C:\Windows\System\ySEBFPL.exe

C:\Windows\System\CzVerFL.exe

C:\Windows\System\CzVerFL.exe

C:\Windows\System\sXMjaNZ.exe

C:\Windows\System\sXMjaNZ.exe

C:\Windows\System\oWCWQCF.exe

C:\Windows\System\oWCWQCF.exe

C:\Windows\System\rSsLyEF.exe

C:\Windows\System\rSsLyEF.exe

C:\Windows\System\tWBDRuy.exe

C:\Windows\System\tWBDRuy.exe

C:\Windows\System\tpCybaX.exe

C:\Windows\System\tpCybaX.exe

C:\Windows\System\LRjiapD.exe

C:\Windows\System\LRjiapD.exe

C:\Windows\System\hwwtTQh.exe

C:\Windows\System\hwwtTQh.exe

C:\Windows\System\wxjuXGo.exe

C:\Windows\System\wxjuXGo.exe

C:\Windows\System\uoTcKne.exe

C:\Windows\System\uoTcKne.exe

C:\Windows\System\nQIhWOB.exe

C:\Windows\System\nQIhWOB.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical rows; no domain reported)

Files

memory/2192-0-0x000000013F360000-0x000000013F6B4000-memory.dmp

memory/2192-1-0x0000000000080000-0x0000000000090000-memory.dmp

C:\Windows\system\MlnTFsx.exe

MD5 16e99e9687c937ec1af6d55a1a572224
SHA1 e13ea44d6fb4cd85ad4b394c029a02cc100a8bd9
SHA256 0f15c6905315945af416d83e0e480f9b6086e8091bbabbbe0e129536d97f0eab
SHA512 99fbdad9fa9d482db1a624b68688fb7edb07d1f8e1ba947eb690dc906f280853d6d336089f64f4a42ae3de33761f6f09a95c6c64f1f3d8c7aaa7536ef81a0ea8

\Windows\system\byteXcq.exe

MD5 358fa462aa192b93aaf11ebcde4f7889
SHA1 57335baab9ebebb00394a95ea0c4fee299356904
SHA256 503125155c9a0ca241ef506837ae7a8a2b60800957fb13e7d4ab1cbfd3cf0d0f
SHA512 c1b75a5ed107749e1335fd215de7c02de6091e6f8c0b22ccf335191683a722e63cb81eb81d26fbb95cae33889f65524e8facb66260e6f2ec5ef853ebe8db83b3

memory/2192-16-0x0000000002250000-0x00000000025A4000-memory.dmp

C:\Windows\system\zAvjOuN.exe

MD5 4a2973ee2180210a4b14cd562ee4323d
SHA1 9962df8478a6689eafc24887f5a8143278317407
SHA256 ad83e6418a9568124c12a319211c8356cdbad9c66af9d68a51b97fa24e5a35de
SHA512 f64dfd69f078caccb30867815606e1beb33308ad9e49a7dde72fb4fc9522623e766fc2824d672684adbe59d213e067562f8adddca92cf7115175e9124a441a36

memory/2984-22-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2476-20-0x000000013F100000-0x000000013F454000-memory.dmp

memory/1788-12-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2192-8-0x0000000002250000-0x00000000025A4000-memory.dmp

\Windows\system\FOgmDet.exe

MD5 8948dad3f42cbb73dafebda2c0ff6803
SHA1 cea0292962e913e3520e75b93fda129f6be597ee
SHA256 ee55cfc22215577d66f8352da321af5aa9dc4c8df8b9557c48ea15b7a55a528e
SHA512 5b55a0f45853244916e28b582e05889f57e43671538a5110305f331e15e2c89729820cf3cd03fbd7f22ac5da67acef8eb254862ddb069ce299b34e8aed771c83

memory/2192-26-0x000000013F9F0000-0x000000013FD44000-memory.dmp

memory/2644-28-0x000000013F9F0000-0x000000013FD44000-memory.dmp

\Windows\system\sJsHkbr.exe

MD5 d9368191b838cd62dad9c37a4fb1f685
SHA1 38f3922add0b90201a0f8d2eb520b143b8083585
SHA256 70fe31f3c9d69679cfb15a355198539d4b9e723a6de692dbac9d81717bd96c99
SHA512 a31f508a9a5d3213528183d8a681b92471ac1e46818ed83bd2544978b1bfcbffc070c95d44c2ee7caf47789b5712de1a407752d8df45e9e7cade27fc180e06e1

C:\Windows\system\ptPnUWa.exe

MD5 91a464b095f565c71b840e0c8ea08e73
SHA1 555658b5ff68a8bcb5b1b68438fc6bdb276e63c2
SHA256 3badfa4ad593327a8caf95fa4fe05d5358f4fc4d88408ac045a1fd1e68ee56e8
SHA512 328c05212f8d012d959afb0da3b4530cb96aa6f4aa6c38b69398a2c835df89732f62da3c33daf957d64621e1a7f5188762667f2ba0ed7a6d489aab0a7f1ad792

C:\Windows\system\nSOpRSw.exe

MD5 129bae82d92fe7f7d00a513c44ffef1e
SHA1 eff5b217ef6c21fbb3fcf800d2eb04c59d45052b
SHA256 663578324e0551b4a9c5a35b3beff48918ab66e9f6381428c8122b11cfff8cc9
SHA512 2516f85bb0d02f8758f7a76b5359cd389e131f9bf58ab6e812c23470ed7f9918531d0cde8a28fd4915ff654ddc3edf9069f3b73d4c52999c621be9dcf27644a1

memory/2420-47-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/2192-50-0x0000000002250000-0x00000000025A4000-memory.dmp

C:\Windows\system\HuTTJTs.exe

MD5 04a0dad0dbff5154c923cf343b44757a
SHA1 df7f64adc4633bf10e9743a09694ba17d0bf084c
SHA256 4c2cdf77a48e505dbde2499d9f7d09ed408b153f188515a3cc1e19668b1be2e2
SHA512 e553dd5f3413fdc8bedb48ce16275ed4dd1cc125fb41af2756c63d8f5fa4ce9c88c7a8ecf46400209ce590ab2be430e9d8742963bbc9d05702a7d34a091ad05a

memory/2500-57-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2192-56-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2692-49-0x000000013F110000-0x000000013F464000-memory.dmp

memory/2192-48-0x0000000002250000-0x00000000025A4000-memory.dmp

memory/2748-46-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2192-45-0x0000000002250000-0x00000000025A4000-memory.dmp

memory/2192-63-0x000000013F360000-0x000000013F6B4000-memory.dmp

memory/2192-64-0x0000000002250000-0x00000000025A4000-memory.dmp

C:\Windows\system\ycrambg.exe

MD5 6f333bcd88373e59acf2787615c56a15
SHA1 0513f2aad925b6f05d1580e1de6cb802145248c0
SHA256 2dee6e4a4f68654a7e0867fe9a01b7586421b7363b47ae6b347fbb93a2592612
SHA512 cb5fde6b22bc29d012ffec117485769e5dbbb9f5a35c649b398c476364b7e9b52d896ff63a8f20f90bcc88dcfc59204b74c80aa6039fbc9b98af6fcd068133df

\Windows\system\ySEBFPL.exe

MD5 53594e3cdd89a843de6ea5a16ecd2e3f
SHA1 1f3936d4d0363960e32a1c06e4ec2e273d0cf5e6
SHA256 f26488847a5f2967d9ff5d2296c66d000824758907a31b2d12bf3a8940c304cf
SHA512 3a9bc6e8c7d8e7b22d854949381f619f6b6d5c6ad054915e011f98b7f35d84d67e9bc7d4e58833d4223f740150971f9a78eff2b49198633a6a2288fd771dbd2a

memory/2192-69-0x000000013FDF0000-0x0000000140144000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 03:25

Reported

2024-06-01 03:28

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\MMndVmC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fLVjQHx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JegVldD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dvAceVL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BDrigul.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wdhuEVh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZosOPSP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RXZimIm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AmRGzdi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bmmIQcS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qtbxsDm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kknksJp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\spiXuUy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cATIdwp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vTpbbmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qdbRvzM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SZNuhgv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LdhyKfA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cfsGVLa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EuFHLuL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VLeAzkA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4956 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\dvAceVL.exe
PID 4956 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\dvAceVL.exe
PID 4956 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\SZNuhgv.exe
PID 4956 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\SZNuhgv.exe
PID 4956 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\BDrigul.exe
PID 4956 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\BDrigul.exe
PID 4956 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\wdhuEVh.exe
PID 4956 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\wdhuEVh.exe
PID 4956 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZosOPSP.exe
PID 4956 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZosOPSP.exe
PID 4956 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\LdhyKfA.exe
PID 4956 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\LdhyKfA.exe
PID 4956 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\cfsGVLa.exe
PID 4956 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\cfsGVLa.exe
PID 4956 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\EuFHLuL.exe
PID 4956 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\EuFHLuL.exe
PID 4956 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\AmRGzdi.exe
PID 4956 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\AmRGzdi.exe
PID 4956 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\VLeAzkA.exe
PID 4956 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\VLeAzkA.exe
PID 4956 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\RXZimIm.exe
PID 4956 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\RXZimIm.exe
PID 4956 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\spiXuUy.exe
PID 4956 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\spiXuUy.exe
PID 4956 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\MMndVmC.exe
PID 4956 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\MMndVmC.exe
PID 4956 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\cATIdwp.exe
PID 4956 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\cATIdwp.exe
PID 4956 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\fLVjQHx.exe
PID 4956 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\fLVjQHx.exe
PID 4956 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\vTpbbmd.exe
PID 4956 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\vTpbbmd.exe
PID 4956 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\qdbRvzM.exe
PID 4956 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\qdbRvzM.exe
PID 4956 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\bmmIQcS.exe
PID 4956 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\bmmIQcS.exe
PID 4956 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\qtbxsDm.exe
PID 4956 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\qtbxsDm.exe
PID 4956 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\JegVldD.exe
PID 4956 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\JegVldD.exe
PID 4956 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\kknksJp.exe
PID 4956 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\kknksJp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\dvAceVL.exe

C:\Windows\System\dvAceVL.exe

C:\Windows\System\SZNuhgv.exe

C:\Windows\System\SZNuhgv.exe

C:\Windows\System\BDrigul.exe

C:\Windows\System\BDrigul.exe

C:\Windows\System\wdhuEVh.exe

C:\Windows\System\wdhuEVh.exe

C:\Windows\System\ZosOPSP.exe

C:\Windows\System\ZosOPSP.exe

C:\Windows\System\LdhyKfA.exe

C:\Windows\System\LdhyKfA.exe

C:\Windows\System\cfsGVLa.exe

C:\Windows\System\cfsGVLa.exe

C:\Windows\System\EuFHLuL.exe

C:\Windows\System\EuFHLuL.exe

C:\Windows\System\AmRGzdi.exe

C:\Windows\System\AmRGzdi.exe

C:\Windows\System\VLeAzkA.exe

C:\Windows\System\VLeAzkA.exe

C:\Windows\System\RXZimIm.exe

C:\Windows\System\RXZimIm.exe

C:\Windows\System\spiXuUy.exe

C:\Windows\System\spiXuUy.exe

C:\Windows\System\MMndVmC.exe

C:\Windows\System\MMndVmC.exe

C:\Windows\System\cATIdwp.exe

C:\Windows\System\cATIdwp.exe

C:\Windows\System\fLVjQHx.exe

C:\Windows\System\fLVjQHx.exe

C:\Windows\System\vTpbbmd.exe

C:\Windows\System\vTpbbmd.exe

C:\Windows\System\qdbRvzM.exe

C:\Windows\System\qdbRvzM.exe

C:\Windows\System\bmmIQcS.exe

C:\Windows\System\bmmIQcS.exe

C:\Windows\System\qtbxsDm.exe

C:\Windows\System\qtbxsDm.exe

C:\Windows\System\JegVldD.exe

C:\Windows\System\JegVldD.exe

C:\Windows\System\kknksJp.exe

C:\Windows\System\kknksJp.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files
