Malware Analysis Report

2025-01-22 19:41

Sample ID 240601-h1h9wade91
Target 2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike
SHA256 9caede73510afad6241aae0f3dc3a5efe2410c845e75cc07e7227eb0330b6bc2
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 9caede73510afad6241aae0f3dc3a5efe2410c845e75cc07e7227eb0330b6bc2

Threat Level: Known bad

The file 2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

UPX dump on OEP (original entry point)

xmrig

Xmrig family

Detects Reflective DLL injection artifacts

Cobaltstrike family

Cobalt Strike reflective loader

Cobaltstrike

UPX dump on OEP (original entry point)

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-01 07:12

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 07:12

Reported: 2024-06-01 07:14

Platform: win7-20240215-en

Max time kernel: 139s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\dMnHnKx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\quUuvYR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WpCyjYb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qZChCKN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fOgobdy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iliRSua.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iZqPKfJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KYkPJjz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IXhTiEn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rIlHPcn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zJGqCam.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VUvALFr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ComUJeC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xSvpADe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uwTuPUR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SBUwRaU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\baoqPta.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NnyTSlW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GmERsVh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qQOibNh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PDyQXol.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\SBUwRaU.exe
PID 2040 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\SBUwRaU.exe
PID 2040 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\SBUwRaU.exe
PID 2040 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ComUJeC.exe
PID 2040 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ComUJeC.exe
PID 2040 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ComUJeC.exe
PID 2040 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\iZqPKfJ.exe
PID 2040 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\iZqPKfJ.exe
PID 2040 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\iZqPKfJ.exe
PID 2040 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\KYkPJjz.exe
PID 2040 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\KYkPJjz.exe
PID 2040 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\KYkPJjz.exe
PID 2040 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\IXhTiEn.exe
PID 2040 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\IXhTiEn.exe
PID 2040 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\IXhTiEn.exe
PID 2040 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\dMnHnKx.exe
PID 2040 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\dMnHnKx.exe
PID 2040 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\dMnHnKx.exe
PID 2040 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\rIlHPcn.exe
PID 2040 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\rIlHPcn.exe
PID 2040 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\rIlHPcn.exe
PID 2040 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\PDyQXol.exe
PID 2040 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\PDyQXol.exe
PID 2040 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\PDyQXol.exe
PID 2040 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\quUuvYR.exe
PID 2040 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\quUuvYR.exe
PID 2040 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\quUuvYR.exe
PID 2040 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\xSvpADe.exe
PID 2040 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\xSvpADe.exe
PID 2040 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\xSvpADe.exe
PID 2040 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\baoqPta.exe
PID 2040 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\baoqPta.exe
PID 2040 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\baoqPta.exe
PID 2040 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\WpCyjYb.exe
PID 2040 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\WpCyjYb.exe
PID 2040 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\WpCyjYb.exe
PID 2040 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\qZChCKN.exe
PID 2040 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\qZChCKN.exe
PID 2040 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\qZChCKN.exe
PID 2040 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\zJGqCam.exe
PID 2040 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\zJGqCam.exe
PID 2040 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\zJGqCam.exe
PID 2040 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\NnyTSlW.exe
PID 2040 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\NnyTSlW.exe
PID 2040 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\NnyTSlW.exe
PID 2040 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\fOgobdy.exe
PID 2040 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\fOgobdy.exe
PID 2040 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\fOgobdy.exe
PID 2040 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\GmERsVh.exe
PID 2040 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\GmERsVh.exe
PID 2040 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\GmERsVh.exe
PID 2040 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\qQOibNh.exe
PID 2040 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\qQOibNh.exe
PID 2040 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\qQOibNh.exe
PID 2040 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\iliRSua.exe
PID 2040 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\iliRSua.exe
PID 2040 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\iliRSua.exe
PID 2040 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\uwTuPUR.exe
PID 2040 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\uwTuPUR.exe
PID 2040 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\uwTuPUR.exe
PID 2040 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\VUvALFr.exe
PID 2040 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\VUvALFr.exe
PID 2040 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\VUvALFr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\SBUwRaU.exe

C:\Windows\System\SBUwRaU.exe

C:\Windows\System\ComUJeC.exe

C:\Windows\System\ComUJeC.exe

C:\Windows\System\iZqPKfJ.exe

C:\Windows\System\iZqPKfJ.exe

C:\Windows\System\KYkPJjz.exe

C:\Windows\System\KYkPJjz.exe

C:\Windows\System\IXhTiEn.exe

C:\Windows\System\IXhTiEn.exe

C:\Windows\System\dMnHnKx.exe

C:\Windows\System\dMnHnKx.exe

C:\Windows\System\rIlHPcn.exe

C:\Windows\System\rIlHPcn.exe

C:\Windows\System\PDyQXol.exe

C:\Windows\System\PDyQXol.exe

C:\Windows\System\quUuvYR.exe

C:\Windows\System\quUuvYR.exe

C:\Windows\System\xSvpADe.exe

C:\Windows\System\xSvpADe.exe

C:\Windows\System\baoqPta.exe

C:\Windows\System\baoqPta.exe

C:\Windows\System\WpCyjYb.exe

C:\Windows\System\WpCyjYb.exe

C:\Windows\System\qZChCKN.exe

C:\Windows\System\qZChCKN.exe

C:\Windows\System\zJGqCam.exe

C:\Windows\System\zJGqCam.exe

C:\Windows\System\NnyTSlW.exe

C:\Windows\System\NnyTSlW.exe

C:\Windows\System\fOgobdy.exe

C:\Windows\System\fOgobdy.exe

C:\Windows\System\GmERsVh.exe

C:\Windows\System\GmERsVh.exe

C:\Windows\System\qQOibNh.exe

C:\Windows\System\qQOibNh.exe

C:\Windows\System\iliRSua.exe

C:\Windows\System\iliRSua.exe

C:\Windows\System\uwTuPUR.exe

C:\Windows\System\uwTuPUR.exe

C:\Windows\System\VUvALFr.exe

C:\Windows\System\VUvALFr.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2040-0-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/2040-1-0x0000000001BA0000-0x0000000001BB0000-memory.dmp

\Windows\system\ComUJeC.exe

MD5 d052ba773a170a7d4869cd1b0b37650e
SHA1 a3fddbc65b075eefcee0a92677ded5e2843d1f4a
SHA256 6802eaaa6bbd1234662c7c4cd2619145f5986e15ecad55052e98777f2e1c976a
SHA512 33a51f182a0164a94f6c9029f54534c382c8b4ebde19a4cd98da875330c10e9ff470cff6c9fbc5873f479fc3ece428e06b785e8d08a4e184322ee506cee2916d

memory/2040-15-0x000000013F550000-0x000000013F8A4000-memory.dmp

memory/2004-12-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2040-11-0x00000000021A0000-0x00000000024F4000-memory.dmp

C:\Windows\system\SBUwRaU.exe

MD5 cbea0cc0e2b63f041fde561142551b88
SHA1 b0e9ed2bd6b53f919bde9376e39507524e170ea1
SHA256 2e6faa4692bec7f942d6cb80ff54ca62af8c20be0345d9c1c2b5559540685e83
SHA512 fe376026e6591dde5a47915ebb6deac75c342be6c48b145b1e147f38935c825e10adac5956ee1db25e0b91ecf2dc44bdb58c16ec78389398abdcf733def0941b

memory/2800-16-0x000000013F550000-0x000000013F8A4000-memory.dmp

\Windows\system\iZqPKfJ.exe

MD5 5c7d0005403e5ae4abf20cdad15997b2
SHA1 79f01f7efdabd7c6a3b92a480c3da09586a60f25
SHA256 1674e7079c1dc9d28f574d91abc65da04319785b145ffc527c4a8438a2d03bad
SHA512 9b53385b65047b8bf2eaface8541868fb7b135a91a92788cfae288aa50390f908073dacc0bba55b7d88771e9d4f3dfaee4b015d2767a61f940e0f34461bbf3b1

memory/2040-20-0x000000013F600000-0x000000013F954000-memory.dmp

\Windows\system\IXhTiEn.exe

MD5 6e5b54b4de7b333e49e813606cc6f846
SHA1 8990a56775b1a758466e3ae33fed9f973c744e70
SHA256 de8906d2308503204cc78c3ffabcb86e3b991660fa16bd31da225e404354b3ad
SHA512 584ce684f4c6fbf698ee0da1412f619c03f2c2fdb5e0e16dbed5adeb69824a6262eb8e8aa04cfeeec694548fa8fa1754a6a6967292d64929fcd82d97bd93a986

memory/2640-26-0x000000013F600000-0x000000013F954000-memory.dmp

C:\Windows\system\dMnHnKx.exe

MD5 78e866eb7c5af429cc418819022dc4d8
SHA1 5c2be63f6096922bfa79429ef42d816cfc6fcd1b
SHA256 bfa9c63c336711427785894738cc10952d3439b86ccf8968b16564ca167ff5b8
SHA512 e91c2d2309b15817096fcca9a882f1cbb5b031b511b7fe33f168c066fb05a8ffe0402accc35feb82b8bf92938a6f04d20f4554dcee4f6a94a324f8faf366342b

memory/2572-39-0x000000013F3C0000-0x000000013F714000-memory.dmp

C:\Windows\system\KYkPJjz.exe

MD5 3ea60474018a3afec169d7d770b94938
SHA1 6fa2e26b110424ca641af7dcbd2b11f58ea2c4c8
SHA256 6eb82fe34a71dc4d9e61425d1bcc0335b2b8dbd8e89a0905ea7c11b063363c20
SHA512 d9e21f37b203968c0b32d30caa6054ef6afdff468be6a38fbb8af13b7e23387eb0fc0ecb06dd940dbe522f1c5331fbc52865ca729a420e6e620a980c9d52f28d

memory/2960-36-0x000000013FC30000-0x000000013FF84000-memory.dmp

memory/2040-33-0x00000000021A0000-0x00000000024F4000-memory.dmp

memory/2040-42-0x00000000021A0000-0x00000000024F4000-memory.dmp

memory/2676-44-0x000000013F7D0000-0x000000013FB24000-memory.dmp

C:\Windows\system\rIlHPcn.exe

MD5 8e49ebc2e4cafee6e8485b3a9654c2ca
SHA1 8ab881edd4976d8c5b12055004576d0bd4470f2b
SHA256 57c42f9ce130df43e1c2a5ee68e685ce1f6e61015266db2cbf645ea68317c889
SHA512 09e5c68b5c75069f2d4fe68a5f99f8708f9a48018ed74ce4844f224fe37f199f41191c683f21269d84164be27e20a2bf71249c2db4a0739ec862fe5060f2a651

C:\Windows\system\PDyQXol.exe

MD5 8ea90cef2e0cccded1692acd7642b1d8
SHA1 c051fb533e03b1525617086ea6ebc6f71b222e1c
SHA256 57f0d402d6a8468806c48ce22d32269db45a0361f596f40940e0231360fe29c5
SHA512 2eca95c4d16a766995d9a0eb92de6404fb7204a3130a2bae1e2d4b51e2f5c5b339700170850b91d6f93491fffd0c151ff35077eb95a7cd30b469093507442199

memory/2040-56-0x00000000021A0000-0x00000000024F4000-memory.dmp

memory/2924-57-0x000000013F780000-0x000000013FAD4000-memory.dmp

memory/2696-50-0x000000013F080000-0x000000013F3D4000-memory.dmp

C:\Windows\system\quUuvYR.exe

MD5 e6132873c0ea49b85f6914d65b18412e
SHA1 fb2e9fd2c328cfe0ef6b6b0a242344240e56b8c0
SHA256 1e57e9f4a0bbb2e98eed3b1b57dc6a1bac8ef49b74c76fc1b3ccb7da53df178a
SHA512 68d2db2962b3b8bfa1aa5bc8ed2c21a65fa9a64f5b0e70b8883954f55fe9fd70466eabb1efe8251e56a8a2e26872445ae5e06b3b1cbbf2e75b2681a2de42d409

C:\Windows\system\xSvpADe.exe

MD5 8e1f1d234c2c2cfa36cef90a90d2311b
SHA1 0f45ccaa8344cd5ed4c7dcbddca186eda668580e
SHA256 2698d0730617655b383172f18990146724fcf527e148ee437ce5cf822b8d18cd
SHA512 f3c11b92c6d0a436a0e4aba9917c163e8c6c785463fab3a1a7639001155d7538ca568b347c4f8b6a5c4fc4c9b9f9bbc96def0aa056b1f886632cc600ba91ea8a

memory/2712-72-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/2520-63-0x000000013F9C0000-0x000000013FD14000-memory.dmp

memory/2040-67-0x00000000021A0000-0x00000000024F4000-memory.dmp

memory/2040-65-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/2040-49-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2040-43-0x000000013F3C0000-0x000000013F714000-memory.dmp

\Windows\system\baoqPta.exe

MD5 d709be32ed6af9a15acd73cdfdbeaa85
SHA1 c8ff65ccfe7ab5dc8c4981f7482ab4fdb21307b9
SHA256 76386930b12f59042e52bbb464bb355a359e04deb3d13fd0ef69a5a22817e09e
SHA512 fdacc60f75a8419143bd8c18d0e3718e66479cc84b284fafab0b7f38d90da685c33532356d05a881830a4766bc9cfa9a397b199be478eb71011916a85b2f23be

\Windows\system\WpCyjYb.exe

MD5 511d0eba50b9cbadca966d52c5072547
SHA1 839430e8b4978e2bd230c3f2c064f6686686eee2
SHA256 596041d7ca12fc42764cf51bd43d505a507ece79da2fff22926250b5da1b9022
SHA512 56c543499ea1b56e1756494292401fbee154a30a9b14428607333cbc63d4725c4b8cd8f98eed103a5a28ca89fe2ef3fb1f0c8d6730754185ef438d17c39ae481

memory/1824-83-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2040-85-0x000000013F600000-0x000000013F954000-memory.dmp

\Windows\system\zJGqCam.exe

MD5 531fe4af0c0b4746249bea8f14498c2b
SHA1 21a829d71860ee32e505e82825e7d9ef223c3e80
SHA256 d8f188b3c405e192f0783090c7a3948c19067f39a41245eaa84c1e4fe8df0195
SHA512 829d738fbd22a14ce718ecdfbe403e0e815c2336ec2ffe48fae494d974c225d93ff1b7ef99f41bde61577bf5d41a2395f159be55323f76829aac7a7edc3d84b0

memory/2960-97-0x000000013FC30000-0x000000013FF84000-memory.dmp

memory/2532-101-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2692-90-0x000000013F600000-0x000000013F954000-memory.dmp

memory/2640-88-0x000000013F600000-0x000000013F954000-memory.dmp

C:\Windows\system\fOgobdy.exe

MD5 0eb9ee8ef1f64009f1eb6a8c5ba00869
SHA1 83bc7a3d205fb3b28e8bcffe567e26897d8a7977
SHA256 185f3181576266d114afda7181ebc908476f5eb55bc88d4ccb6083532d5ecb97
SHA512 7e74f275c4fdb372d67a87a5da363a9f164621edbe56c2147a6372a2c78d5c223793a931cc02ccb79c1224650fe838ed8a3b246f7fafe47df3b5cfc266d6219d

C:\Windows\system\uwTuPUR.exe

MD5 f37938d762581d272399feff08f9ae4b
SHA1 d4ea46acdabf6ae7876599ce3dd977c33e190b88
SHA256 6aa20ad76d6c6a3f547bbd975a9e9d8723e568ac70be5320545753b106acafcf
SHA512 699434de18829f71ef223c1e52b93377a1ff76202ac5d7c6bfdee41b772c4a91f419b62ac1fb18d49231ba1c4528dd5bcaa47b1a5c56462274d6588afafe6864

\Windows\system\VUvALFr.exe

MD5 22d0d6880a09b256caeb8ebee2fa9663
SHA1 d9318f51bdc38cf0b1b2ec5561753bec95658ada
SHA256 b27dfde8235d484b7f88b164d9bb8c54d6a745928b13aaa9befc87e720fc5572
SHA512 8a9a59f690407e14307e7e0943caba55314e7be7b103c60ceb9be8a735e4f243c703584c8d5eb0c2c225a9b0d9ea96601fc8de0f166254176abb89c96312bd21

C:\Windows\system\iliRSua.exe

MD5 c0ea344234b163f188b2d6f6bf0f6d8f
SHA1 f529951a279a27e13da7c6e216db3e1edd711884
SHA256 9ed85b56a544d90fe6812416079c904aa18781244ccf814a702890d56c1b7751
SHA512 92a8cd6b4f49b7b83251016f565da0f66570ad40732df1e116d005adb9f27f3d10ddd8f9fd915c99e4307ed8cd61a088f2f8df9d57227a44da72d7ad32e85860

C:\Windows\system\qQOibNh.exe

MD5 df6c7ae9dfa02a187471f1567d7ff152
SHA1 a455154671ccca108fd693ed7f0be9baf483a07e
SHA256 d5e3f2b4815fb3812b3fcdfbe9c6565cec5dee46316a1462e5871c6780ffdaef
SHA512 ed7bd6f598f26a2ad4f9c33de474aede73285a4f9261af6f09d27e3db6491bd632555c2e59f918d3035f633eda5be4000a78d38ef80d9d460469b5c9c5b6e10f

C:\Windows\system\GmERsVh.exe

MD5 90c508b16c8ced492b898b39f58066f6
SHA1 84fe2ddefd1f70db29af65403cec9497298d6fce
SHA256 ab2115ecc7c9cf1569daf94168e749e919224c27d1a5ef83b3f79cc8b54ea02d
SHA512 9b1912232368f8620ed5fdb1310f63e81f5cbe4db511769b8e601263f18426d169d204053613e0a71786dc9e0cbd7bfa5289a0ed6b795eea706cf935c6c6da48

C:\Windows\system\NnyTSlW.exe

MD5 a532b3f9c3790d7a72652c25097937ba
SHA1 1edb441aa264b4aab9109f9370d86b233457b3cc
SHA256 5bf832d2cae1160a2c77e017d1feeeb91fdd6259b8d4ac4e63131b860f48f7d5
SHA512 a177d68dd926058cd4a5babc893b34037c13acbbfba98aedc8f6b192edacaa30e65e4986605300743127862d8d2db9d04b36814a60810d5879541b1f3d8dd6c9

C:\Windows\system\qZChCKN.exe

MD5 a0d722a4c4f67e3900696c00b4ccee6d
SHA1 5478b947cb782a5b2084461bf4e4ab9898f0af2f
SHA256 db559948e2d3e65f06b46b5a38725076d7e32e5f9d7d71696ace69ecc8730658
SHA512 10a7f263268d178a9a370a78c08c32777cb14c6c015c4b933b520f79dbcd37c841254e8ad4452ef5980c43a98a0a961c5e3fe615b103d59164d112e909946cd2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:12

Reported

2024-06-01 07:14

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\pFtUHvF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xMhFTbJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fMmQTYU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xGIRcGf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qdzaWAB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tUjaLob.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\avITRck.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hfoWXne.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ooNUalQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oJdfOyP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lreYrzB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KSvdLCa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PRzJzzc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ePHIvqt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jQmVZEb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WjskUtv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HhHkBUG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cQGwoHN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\swkYNWs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XDATwDQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PGNVXfm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3856 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\PRzJzzc.exe
PID 3856 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\PRzJzzc.exe
PID 3856 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\pFtUHvF.exe
PID 3856 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\pFtUHvF.exe
PID 3856 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\HhHkBUG.exe
PID 3856 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\HhHkBUG.exe
PID 3856 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\cQGwoHN.exe
PID 3856 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\cQGwoHN.exe
PID 3856 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\swkYNWs.exe
PID 3856 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\swkYNWs.exe
PID 3856 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\avITRck.exe
PID 3856 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\avITRck.exe
PID 3856 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\hfoWXne.exe
PID 3856 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\hfoWXne.exe
PID 3856 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ooNUalQ.exe
PID 3856 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ooNUalQ.exe
PID 3856 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\oJdfOyP.exe
PID 3856 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\oJdfOyP.exe
PID 3856 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\lreYrzB.exe
PID 3856 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\lreYrzB.exe
PID 3856 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\xGIRcGf.exe
PID 3856 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\xGIRcGf.exe
PID 3856 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ePHIvqt.exe
PID 3856 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ePHIvqt.exe
PID 3856 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\jQmVZEb.exe
PID 3856 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\jQmVZEb.exe
PID 3856 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\XDATwDQ.exe
PID 3856 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\XDATwDQ.exe
PID 3856 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\PGNVXfm.exe
PID 3856 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\PGNVXfm.exe
PID 3856 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\WjskUtv.exe
PID 3856 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\WjskUtv.exe
PID 3856 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\qdzaWAB.exe
PID 3856 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\qdzaWAB.exe
PID 3856 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\tUjaLob.exe
PID 3856 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\tUjaLob.exe
PID 3856 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\xMhFTbJ.exe
PID 3856 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\xMhFTbJ.exe
PID 3856 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\fMmQTYU.exe
PID 3856 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\fMmQTYU.exe
PID 3856 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\KSvdLCa.exe
PID 3856 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe C:\Windows\System\KSvdLCa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\PRzJzzc.exe

C:\Windows\System\PRzJzzc.exe

C:\Windows\System\pFtUHvF.exe

C:\Windows\System\pFtUHvF.exe

C:\Windows\System\HhHkBUG.exe

C:\Windows\System\HhHkBUG.exe

C:\Windows\System\cQGwoHN.exe

C:\Windows\System\cQGwoHN.exe

C:\Windows\System\swkYNWs.exe

C:\Windows\System\swkYNWs.exe

C:\Windows\System\avITRck.exe

C:\Windows\System\avITRck.exe

C:\Windows\System\hfoWXne.exe

C:\Windows\System\hfoWXne.exe

C:\Windows\System\ooNUalQ.exe

C:\Windows\System\ooNUalQ.exe

C:\Windows\System\oJdfOyP.exe

C:\Windows\System\oJdfOyP.exe

C:\Windows\System\lreYrzB.exe

C:\Windows\System\lreYrzB.exe

C:\Windows\System\xGIRcGf.exe

C:\Windows\System\xGIRcGf.exe

C:\Windows\System\ePHIvqt.exe

C:\Windows\System\ePHIvqt.exe

C:\Windows\System\jQmVZEb.exe

C:\Windows\System\jQmVZEb.exe

C:\Windows\System\XDATwDQ.exe

C:\Windows\System\XDATwDQ.exe

C:\Windows\System\PGNVXfm.exe

C:\Windows\System\PGNVXfm.exe

C:\Windows\System\WjskUtv.exe

C:\Windows\System\WjskUtv.exe

C:\Windows\System\qdzaWAB.exe

C:\Windows\System\qdzaWAB.exe

C:\Windows\System\tUjaLob.exe

C:\Windows\System\tUjaLob.exe

C:\Windows\System\xMhFTbJ.exe

C:\Windows\System\xMhFTbJ.exe

C:\Windows\System\fMmQTYU.exe

C:\Windows\System\fMmQTYU.exe

C:\Windows\System\KSvdLCa.exe

C:\Windows\System\KSvdLCa.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3856-0-0x00007FF6D8BF0000-0x00007FF6D8F44000-memory.dmp

memory/3856-1-0x0000028D5CC80000-0x0000028D5CC90000-memory.dmp

C:\Windows\System\PRzJzzc.exe

MD5 2ee5bb22fe47e13a4128df61b13bc426
SHA1 831dc8f125d636f79aae9a426c48dde6468fb466
SHA256 758c74b54b383e8551cbb009eb299faf5a44b90142b5f5d77d0ba44a28551480
SHA512 7c32d69bea123b8fb5b26b21373f6dd7708560f52f286a2a4bad9bdcd1a57a87d03fe465f37ba74967348f76c44777bb4bbb387991edcf18faa362c822c87af0

memory/220-8-0x00007FF746210000-0x00007FF746564000-memory.dmp

C:\Windows\System\pFtUHvF.exe

MD5 69b530448a2ba0da1623124170e21abd
SHA1 77ec57652abfe1aed99fbb32a80b7e447436b5cc
SHA256 2c94dffdee072f1415849e2f6cd3e8c1b76e749fe8a44f1802bbdd549d3d019c
SHA512 5769f9a454447d7a522172a29b559c7ef55c28feb17f133b1056651e256feeb349e1c10083e8e9745e519e1b8311c4dc8961ec5f0909322572bd3ccebfb124ba

C:\Windows\System\HhHkBUG.exe

MD5 822b4356e94cb60a74174b9b2619400e
SHA1 84fc376de46612637b2a7f92242fe3ccea0eda36
SHA256 6a5e2d886905a9ea960a79eaa638d3c858236f6bfdf44023f0c3547a9b0ec602
SHA512 29b53d17cbc3fc4ebc90b4963a8d507fb1d965d60ed2253bfdd67946340e960cfe69bdd22eddd7673d3058d2668334741b0f5fcccd49b02c4fb7c1ec12566443

memory/2556-25-0x00007FF72CE00000-0x00007FF72D154000-memory.dmp

C:\Windows\System\swkYNWs.exe

MD5 fd00f3df9076ceab7aa3713feafe5845
SHA1 8b218bb0ff7f73f170ff8202451c0a4b5df95b07
SHA256 6d14bdbcd8c0d2ac5028450253947c6ad169d48c7926efbc789c4b43fb347ae3
SHA512 d3a506badbc33b16652a7f4bffbf736370416aaeb45e1919099e77269cec0dc728ea0eeb7ce0f24edcedd2e53800346550bcd4aadcdd06d6893433567a9be32d

C:\Windows\System\avITRck.exe

MD5 fd5a9e805e6580333b9b50e8f160bd89
SHA1 c10d4e4829a4de974e0325845fa72e0dfd73cdc1
SHA256 f8b4d481451860e28dfcc309a9b682f1f33c021cac89d2d5ed737ecafa3541e9
SHA512 8ee08e4fc0dbf0730ca97eedb3590ce47f97374639c5f3a27c6aaf441fc823469d0dadd0030181f3ab58cc1e5029b8cb651bfb4269e956d48a429db8daac2dec

C:\Windows\System\hfoWXne.exe

MD5 c14083cc5cf8113026362fb02a842cac
SHA1 3e02e481fec33f59f902bea5872e4c4198b68b40
SHA256 912696ff98a3e6fdb7cbbccc531119f5660a3eb5690bb72c0bfc811825345a24
SHA512 667657fb0e6e13b8400f25415e78ea6efc10529cfca27f8a2996b71a6d60cc54901703fc5c62a576ae567ee4740fb2d441e8082dbf1c905b64c58987b46fa6e1

memory/2680-46-0x00007FF62E920000-0x00007FF62EC74000-memory.dmp

C:\Windows\System\oJdfOyP.exe

MD5 424506fc5ae3f9364fd0db058a9172d5
SHA1 73ee2845dc18b82db75cac105b9b169d13770721
SHA256 994b9e41061ee1fc86adcf962901ef523d2495b2564a109ae37e6b8f0b7e1772
SHA512 e5bc7939ea6c99bf0f943bd30e7f7536c798696d36f0a5ba2500fe3f9ccf4f512ddd3583683028eb4bf2543474b8ba78dcf454f009a24c9dab26892503822212

C:\Windows\System\ooNUalQ.exe

MD5 467581ee690c122f0427b657649cfff6
SHA1 64942b512d9be14e90f8ec14681e83f953bb692b
SHA256 c020c53632dab3b82bfad134fb4023c2d8986879fbe68e0ef1e9db6d9be44c08
SHA512 aa34cfda582e05c1bbb6d4a76d48fcfdad3f2470bef5715915a351c6e934789b7c98b91f5823f799c3b01d5e584738564c11eb3841e8f7f091c24b131cfd358b

memory/2968-35-0x00007FF6F18A0000-0x00007FF6F1BF4000-memory.dmp

C:\Windows\System\cQGwoHN.exe

MD5 83987e642f826b169c250039c649a583
SHA1 bde35e71c62dd1e371c8c3244a5e1c5e2bf6f03f
SHA256 dd50e955bd304f6ae9505442bb5db73cea8c899e6f4d91761126cd567634ade2
SHA512 a0cb823f993cd5a7cdc119f2df40ab3384b6c890f3082d24bb3cb1761c23456be5ad1f17f00380225f06fe54e9cee7effa585f2ba110137ce99ee46af3c13e3c

memory/1708-28-0x00007FF7D3AC0000-0x00007FF7D3E14000-memory.dmp

memory/3940-16-0x00007FF7E1E90000-0x00007FF7E21E4000-memory.dmp

C:\Windows\System\lreYrzB.exe

MD5 5085b197ccd7795fba7a80fcbde7beda
SHA1 54c675db5c012035677978c5605580f5777abe22
SHA256 3c98488c4d10b24ae869cd2534006ec950fef99cf3d0f89bc422962336940ced
SHA512 fb9f7aeb78110e2381053d62d80e64607fa1cb26449daee80f2a4940c6a25a8f4c5426f758198c415f1ca7167ae06142ca69a2ba93b0a8b88d79b79ff4b7f672

memory/2116-61-0x00007FF750630000-0x00007FF750984000-memory.dmp

C:\Windows\System\xGIRcGf.exe

MD5 e01395fe8c35dc3060dc05be3eae4d34
SHA1 34528f3950a150805c1f4a27e9609a9a1782f264
SHA256 7c28a1166ee5f00a89536c573529f8421dc703302dc57a9e9fe38ae6bd941b17
SHA512 630bb2de44368b9d9ff1d1db52f8d97d231057d861caf2580528fe5d9664e90f3bfc189928a3713b4ad556726f0f6c38dccbd163eff11c681bbcd6cda791cb3c

memory/5096-68-0x00007FF6412A0000-0x00007FF6415F4000-memory.dmp

C:\Windows\System\ePHIvqt.exe

MD5 f66f272af9a7014fdcaee7e0c48eca95
SHA1 fd7dc63595875f0f540c57e43dab4d22d3c59149
SHA256 6ead512b4d0c26ce3f58954b98d6ef135731b77955d201ffbe85ac481525a9fd
SHA512 feaa3e54a6082007a72af017b34edcecf4f1ef3ad39cabcb6de3a4fbcf8b4f9e237416a4492d04b8cee2afa9e08a18eac94473661bcdb3065ac600443452cc33

memory/220-77-0x00007FF746210000-0x00007FF746564000-memory.dmp

C:\Windows\System\XDATwDQ.exe

MD5 8fa685b4fb52392585ac3e16d03e2b46
SHA1 11f3d392434031e0791320ede19897a8bb0acd87
SHA256 8be3aa1197c54539fa39adf0c0f397295581616ecfd5539985c0ab1fb51bb279
SHA512 924133e24451ff36f44fc74042daaa5d6657d877dedca8c1c0b105c6d39b63a59f57d7081ebb86f632b756797b399025fd4cce951ef4eacbb44115de0c38a4a8

memory/3932-86-0x00007FF7A7E00000-0x00007FF7A8154000-memory.dmp

C:\Windows\System\PGNVXfm.exe

MD5 822ed14194a7bed851664cc707c4a060
SHA1 bf8b35ebfc4795605c2996fca199a46e058a9900
SHA256 34747f439701644a7b3487fec498d9be4aace3f9902d77785206ca57fd748ed7
SHA512 f7c4e075b657dc470fd1a343fd54c44c2f79dc43a353cb6370f03840c802bf8fc74b3ec7ec049d16b7a600523fb8712907eddb77d335ccfb568e2466014c1a3e

memory/4468-89-0x00007FF60FEB0000-0x00007FF610204000-memory.dmp

memory/1580-85-0x00007FF70BAA0000-0x00007FF70BDF4000-memory.dmp

C:\Windows\System\jQmVZEb.exe

MD5 1c02f3bb9b18c9f6ae6c7c1600defe23
SHA1 347a533eb059bcab1ea4f546e116d97aabc25c98
SHA256 ed5f56a98397e2dc3e59fffda62e3fc942ff3d2a57eba170fbee21ed46212b46
SHA512 3650c68416b550bfa4acfd96cf40cc74af5dccd0fc0cb810905c5764a317d01ad5f6b209a729248098d95439c1579a61cae572546ef35558a5863e9228450905

memory/3856-76-0x00007FF6D8BF0000-0x00007FF6D8F44000-memory.dmp

C:\Windows\System\WjskUtv.exe

MD5 7ee1a20b433ca5172f7c4a115138551e
SHA1 572bdbdfc5e0126468c1824237b0b23eb1522100
SHA256 d2f475b0c5e4ae20f1232879303f252261ab7753197a80c695cd05e590b79690
SHA512 19305e9f80ed4dac7a923a37f02c6b6ff86809683671d7504f8df689e3051f566c42c5e4120307b37a203ec38c9f93de9a724d9ffba12a3d2f9cfbc60b670621

C:\Windows\System\qdzaWAB.exe

MD5 f708e432f7d4b2e00653ca5db4fc8006
SHA1 ce67c5f1a2aa660306f297903c549273b1f9c1cb
SHA256 768ba7318060eadee9459f553ca3110bd2aa000e95830b6b68e36c08614fbcbd
SHA512 93ee12a20e4834b18b9211c2cf61b2fefaadcd04dd75e66f298039e28e2a74889cb42b4c705b12300796b167decea236e7edfdcb216b1811d71ec958e53f3e3d

memory/2968-108-0x00007FF6F18A0000-0x00007FF6F1BF4000-memory.dmp

memory/2084-109-0x00007FF733730000-0x00007FF733A84000-memory.dmp

C:\Windows\System\tUjaLob.exe

MD5 5291840bc143d134d2e5ca851e3b60a0
SHA1 3b95d36fb9b6658c4d6ec8f06559cdc40057b01e
SHA256 6f636cbfd7d0bb607202756807967c1af799d231dd53ee3b5f84939f7e6fead5
SHA512 173228aa36b419529dc0b623a609f6a636013be1aab0531e70f7dabecb1030332c0218d98001c14c119ee8e91bd253490b20d848605b42dcfa3728d15e36dc14

C:\Windows\System\xMhFTbJ.exe

MD5 a0d6963ba8eec3fc4013f72f451ee45d
SHA1 9bb361863bed24b5b65ed799a7d7d3e17b0dc262
SHA256 d8a5183a22006edc0ddef682d0dd683b5542d7ffea048f57a8364a0b39708ce0
SHA512 61d868e2ef67c64fdf3579101b24d4aa8fab5bd077b931c64e0f8752af6b2206cc6bd38f8d7927ca8bc17f823966dd9e38d49b598a27421f93613897bb65f6f8

C:\Windows\System\fMmQTYU.exe

MD5 e4d8666a318f4ad79a668038861e41e6
SHA1 8a54f4c3f1d241cfd13c34b01a1db53e5c48bb88
SHA256 2db3f9f9460b68de517c69661e277982e961827593f433d5a786eb9b49cf2e31
SHA512 8cd7d00e16a0c871ffbe3332189fc44f54b9e62cb6c723ff2e849689455ea5affdb169ab1f2e685b603d8a1ab32bed8c32ffb3827fda00e98f8b34f1d8e95d76

C:\Windows\System\KSvdLCa.exe

MD5 d269153e6211587e534448b7a13704f5
SHA1 dccd944bff3ec425f8ff1283d0fdf4ed36077aba
SHA256 7ac3555e3f0cfbbbb95d0f235913e66b5b543728f8b6cd7f1f74594179b72218
SHA512 61a352a0b5188ed8137c54847703e93730d811e3dce0d60c5b18df3902194adaa28e07d622eaf56690dc70cf3001ce5e54554cbd8062c52b7aab98b53fc2a6ee
