Malware Analysis Report

2025-01-22 19:38

Sample ID 240601-l68cqsae26
Target 2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike
SHA256 6cd3802aef92bdf43531236fcf3ac51027b51d96a31a3a0b7dfe169a9aa9776b
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6cd3802aef92bdf43531236fcf3ac51027b51d96a31a3a0b7dfe169a9aa9776b

Threat Level: Known bad

The file 2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Family verdicts: Cobaltstrike family; Xmrig family.

Static signatures (matched on the file itself):

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX packed file

UPX dump on OEP (original entry point)

Unsigned PE

Behavioural signatures (behavioral1 detonation):

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

How to weigh the two verdicts: the XMRig one is backed by behaviour. The sample enables SeLockMemoryPrivilege, the "Lock pages in memory" right XMRig needs to back its RandomX dataset with large pages, and the only network activity is repeated TCP to 3.120.209.58:8080. The Cobalt Strike one rests on the reflective-loader and reflective-DLL-injection YARA matches alone: the report extracts no beacon configuration, names no C2 profile, and every WriteProcessMemory target is a child the sample itself dropped and launched. Read "cobaltstrike" here as a loader-code signature to confirm on the UPX-unpacked image, not as observed beacon activity.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 10:09

Signatures

Every static signature below matched the file itself; the report records no per-event rows for any of them (description, indicator, process and target are all N/A), so the empty tables are collapsed.

Cobalt Strike reflective loader

Cobaltstrike family (tag: cobaltstrike)

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload (tag: miner)

Xmrig family (tag: xmrig)

UPX packed file (tag: upx)

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 10:09

Reported

2024-06-01 10:12

Platform

win7-20240419-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe"

Signatures

For the signatures in this first group the sandbox recorded a match count but no description, indicator, process or target (every row is N/A), so the tables are collapsed to their counts. The counts are still informative: 21 equals the number of dropped executables that were launched, and 63 and 64 are about three per child, consistent with the per-process memory dumps listed under Files, but with the rows empty the mapping cannot be confirmed from this page.

Cobalt Strike reflective loader: 21 matches, no details recorded

Cobaltstrike (tags: trojan backdoor cobaltstrike)

xmrig (tags: miner xmrig)

Detects Reflective DLL injection artifacts: 21 matches, no details recorded

UPX dump on OEP (original entry point): 63 matches, no details recorded

XMRig Miner payload (tag: miner): 64 matches, no details recorded

Loads dropped DLL: 21 events, all attributed to process C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe with description, indicator and target N/A; the report does not name the module that was loaded.

UPX packed file (tag: upx): 63 matches, no details recorded

Drops file in Windows directory

Description Indicator Process Target
All 21 rows share the description "File created", indicator N/A, process C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe and target N/A. The created files are:

C:\Windows\System\SoXhrBm.exe
C:\Windows\System\yttZlLR.exe
C:\Windows\System\sOfEYid.exe
C:\Windows\System\dTDmLMj.exe
C:\Windows\System\DAiVabL.exe
C:\Windows\System\qPNxgcj.exe
C:\Windows\System\ozLNebQ.exe
C:\Windows\System\aDJEWJt.exe
C:\Windows\System\dAWZteO.exe
C:\Windows\System\rMsCoWU.exe
C:\Windows\System\Biklqkj.exe
C:\Windows\System\VsiadeV.exe
C:\Windows\System\CjQzPsm.exe
C:\Windows\System\fXpfvyO.exe
C:\Windows\System\qCToxvB.exe
C:\Windows\System\wAMFcdk.exe
C:\Windows\System\pQNbgxn.exe
C:\Windows\System\EfvCBCE.exe
C:\Windows\System\cSfPUfk.exe
C:\Windows\System\hZkwXDN.exe
C:\Windows\System\uzMaDdV.exe

Two things worth noting for detection. Every name is seven random-looking mixed-case letters directly under C:\Windows\System, a pattern that is easy to hunt for in file-creation telemetry. And creating files under C:\Windows\System needs an elevated token: the detonation ran as the sandbox's Admin user, so on a host where the user is not a local administrator this stage would fail with access denied and the rest of the chain would not run.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the "Lock pages in memory" user right. XMRig enables it on Windows so that its RandomX dataset can be backed by large pages, which is a measurable hashrate gain. An unsigned binary in a user's Temp directory with no legitimate reason to lock physical memory enabling this right is one of the more specific indicators in this report, and it supports the XMRig verdict rather than the Cobalt Strike one.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
The report lists 63 rows, three identical events per child. The writing process is always PID 1964, C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe, and the indicator is N/A throughout, so the rows are collapsed to one line per child:

Parent PID Child PID Target Writes
1964 2972 C:\Windows\System\uzMaDdV.exe 3
1964 3036 C:\Windows\System\aDJEWJt.exe 3
1964 2648 C:\Windows\System\SoXhrBm.exe 3
1964 2604 C:\Windows\System\wAMFcdk.exe 3
1964 2992 C:\Windows\System\pQNbgxn.exe 3
1964 2728 C:\Windows\System\dAWZteO.exe 3
1964 2476 C:\Windows\System\rMsCoWU.exe 3
1964 2496 C:\Windows\System\EfvCBCE.exe 3
1964 2464 C:\Windows\System\Biklqkj.exe 3
1964 2892 C:\Windows\System\VsiadeV.exe 3
1964 2536 C:\Windows\System\yttZlLR.exe 3
1964 2884 C:\Windows\System\sOfEYid.exe 3
1964 1884 C:\Windows\System\dTDmLMj.exe 3
1964 1840 C:\Windows\System\DAiVabL.exe 3
1964 2192 C:\Windows\System\qPNxgcj.exe 3
1964 1436 C:\Windows\System\cSfPUfk.exe 3
1964 988 C:\Windows\System\hZkwXDN.exe 3
1964 1456 C:\Windows\System\CjQzPsm.exe 3
1964 1432 C:\Windows\System\fXpfvyO.exe 3
1964 1440 C:\Windows\System\qCToxvB.exe 3
1964 1244 C:\Windows\System\ozLNebQ.exe 3

A constant three writes per child, with every target being an executable the sample itself dropped, is consistent with ordinary process creation (the parent writes the new process's startup parameters into the child's address space as part of CreateProcess) rather than with code injection into a pre-existing process. No target here is a process the sample did not create, so this signature adds little on its own; it is the drop-then-execute fan-out that matters.
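The drop-and-spawn structure above is easier to reason about once the rows are turned back into a tree. The script below is an added example, not part of the sandbox report: it parses rows in the layout shown in the "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables, rebuilds parent-to-child relationships, counts writes per child and checks that every child matches the seven-letter C:\Windows\System naming seen here. The ROWS string is a constructed subset (five of the 21 children) copied from the tables; the regexes and the naming pattern are this script's own assumptions about the row layout, not a sandbox API.

```python
"""Rebuild the process tree from the sandbox's 'Suspicious use of
WriteProcessMemory' and 'Drops file in Windows directory' rows.

Added example, not part of the sandbox report. ROWS is a constructed subset
of the rows shown in the report (5 of the 21 children); paste the full
tables in to get the whole tree. The regexes below describe the row layout
as extracted on this page and are an assumption, not a sandbox API."""
import re
from collections import defaultdict

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe")

# Constructed input: rows copied from the report, with the long sample path
# written as <SAMPLE> and substituted below.
ROWS = r"""
File created C:\Windows\System\SoXhrBm.exe <SAMPLE> N/A
File created C:\Windows\System\aDJEWJt.exe <SAMPLE> N/A
File created C:\Windows\System\wAMFcdk.exe <SAMPLE> N/A
File created C:\Windows\System\pQNbgxn.exe <SAMPLE> N/A
File created C:\Windows\System\uzMaDdV.exe <SAMPLE> N/A
PID 1964 wrote to memory of 2972 N/A <SAMPLE> C:\Windows\System\uzMaDdV.exe
PID 1964 wrote to memory of 2972 N/A <SAMPLE> C:\Windows\System\uzMaDdV.exe
PID 1964 wrote to memory of 2972 N/A <SAMPLE> C:\Windows\System\uzMaDdV.exe
PID 1964 wrote to memory of 3036 N/A <SAMPLE> C:\Windows\System\aDJEWJt.exe
PID 1964 wrote to memory of 3036 N/A <SAMPLE> C:\Windows\System\aDJEWJt.exe
PID 1964 wrote to memory of 3036 N/A <SAMPLE> C:\Windows\System\aDJEWJt.exe
PID 1964 wrote to memory of 2648 N/A <SAMPLE> C:\Windows\System\SoXhrBm.exe
PID 1964 wrote to memory of 2648 N/A <SAMPLE> C:\Windows\System\SoXhrBm.exe
PID 1964 wrote to memory of 2648 N/A <SAMPLE> C:\Windows\System\SoXhrBm.exe
PID 1964 wrote to memory of 2604 N/A <SAMPLE> C:\Windows\System\wAMFcdk.exe
PID 1964 wrote to memory of 2604 N/A <SAMPLE> C:\Windows\System\wAMFcdk.exe
PID 1964 wrote to memory of 2604 N/A <SAMPLE> C:\Windows\System\wAMFcdk.exe
PID 1964 wrote to memory of 2992 N/A <SAMPLE> C:\Windows\System\pQNbgxn.exe
PID 1964 wrote to memory of 2992 N/A <SAMPLE> C:\Windows\System\pQNbgxn.exe
PID 1964 wrote to memory of 2992 N/A <SAMPLE> C:\Windows\System\pQNbgxn.exe
""".replace("<SAMPLE>", SAMPLE_EXE)

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
# Seven mixed-case letters directly under C:\Windows\System, the naming seen here.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_rows(text):
    """Split report rows into (ppid, cpid, parent_image, child_image) writes
    and (created_path, creator_image) drops; unrelated lines are ignored."""
    writes, drops = [], []
    for line in text.splitlines():
        line = line.strip()
        m = WRITE_RE.match(line)
        if m:
            writes.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
            continue
        m = DROP_RE.match(line)
        if m:
            drops.append((m.group(1), m.group(2)))
    return writes, drops


def build_tree(writes):
    """{ppid: {cpid: {'image': path, 'writes': n}}}: one entry per child,
    counting how many WriteProcessMemory events hit it."""
    tree = defaultdict(dict)
    for ppid, cpid, _parent_image, child_image in writes:
        entry = tree[ppid].setdefault(cpid, {"image": child_image, "writes": 0})
        entry["writes"] += 1
    return dict(tree)


def summarize(tree, drops, parent=1964):
    """The questions an analyst asks of this table, answered from the rows."""
    children = tree.get(parent, {})
    dropped = {path.lower() for path, _creator in drops}
    return {
        "children": len(children),
        # A constant 3 writes per child is consistent with the parent merely
        # creating the child (CreateProcess writes the new process's startup
        # parameters into its address space); a large or varying count would
        # point at injection instead.
        "writes_per_child": sorted({c["writes"] for c in children.values()}),
        "all_random_names": all(RANDOM_NAME_RE.match(c["image"]) for c in children.values()),
        # Children written to but never dropped by the sample would mean
        # injection into something the sample did not create; expected empty.
        "executed_without_drop": sorted(c["image"] for c in children.values()
                                        if c["image"].lower() not in dropped),
    }


if __name__ == "__main__":
    writes, drops = parse_rows(ROWS)
    tree = build_tree(writes)
    for cpid, info in sorted(tree[1964].items()):
        print(f"1964 -> {cpid:<5} {info['writes']} writes  {info['image']}")
    print(summarize(tree, drops))
```

Run against the full tables, summarize() should report 21 children, a single write count of 3 and an empty executed_without_drop list; a non-empty list or a child with far more than three writes is the point at which the WriteProcessMemory signature stops being a side effect of process creation and starts meaning injection.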

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe (PID 1964)
command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe"

Child processes, each started by PID 1964 with its own path as the entire command line (PIDs taken from the WriteProcessMemory table above):

C:\Windows\System\uzMaDdV.exe (PID 2972)
C:\Windows\System\aDJEWJt.exe (PID 3036)
C:\Windows\System\SoXhrBm.exe (PID 2648)
C:\Windows\System\wAMFcdk.exe (PID 2604)
C:\Windows\System\pQNbgxn.exe (PID 2992)
C:\Windows\System\dAWZteO.exe (PID 2728)
C:\Windows\System\rMsCoWU.exe (PID 2476)
C:\Windows\System\EfvCBCE.exe (PID 2496)
C:\Windows\System\Biklqkj.exe (PID 2464)
C:\Windows\System\VsiadeV.exe (PID 2892)
C:\Windows\System\yttZlLR.exe (PID 2536)
C:\Windows\System\sOfEYid.exe (PID 2884)
C:\Windows\System\dTDmLMj.exe (PID 1884)
C:\Windows\System\DAiVabL.exe (PID 1840)
C:\Windows\System\qPNxgcj.exe (PID 2192)
C:\Windows\System\cSfPUfk.exe (PID 1436)
C:\Windows\System\hZkwXDN.exe (PID 988)
C:\Windows\System\CjQzPsm.exe (PID 1456)
C:\Windows\System\fXpfvyO.exe (PID 1432)
C:\Windows\System\qCToxvB.exe (PID 1440)
C:\Windows\System\ozLNebQ.exe (PID 1244)

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain) tcp, 6 connections

The report shows only the endpoint: no DNS lookup preceded the connections and no payload is reproduced, so it does not tell you whether 3.120.209.58:8080 is a mining pool, a beacon listener or something else, or whether the connections even completed. Treat the IP:port pair as a network indicator for this sample at detonation time (2024-06-01); hosting addresses are reassigned, so re-verify before blocking it broadly.

Files

Memory dumps are named memory/<pid>-<n>-<start>-<end>-memory.dmp. Apart from the parent's small 0x10000-byte region at 0xF0000, every dump below spans exactly 0x354000 bytes: each child's image, and also the parent's private region at 0x23B0000, which is a second copy of the same size inside PID 1964. Meanwhile every dropped executable carries a different MD5/SHA1/SHA256. Twenty-one files of one image size but distinct content is what a loader that writes a per-copy-varied build of one payload produces; that reading is an inference from the sizes and hashes, not something the report states, and the per-file hashes below should be treated as sample-specific rather than as family indicators.

memory/1964-0-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/1964-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\uzMaDdV.exe

MD5 0394d3a9fca1ad519790eb53be690147
SHA1 1ce477a5585f7b8019307c8f83c0c3e697793e90
SHA256 bd5a3de94cb1b1784ac8ca231343fb8931f7a6790d9c46db4789fbf45ae17897
SHA512 18963735b40b700e395243927673961f6b9a239c31ae3db86c5df39cadb913bf5055c982c1ed2486bd208c142e8e6631d0b76eb4b30dfaa09122a1f7e7a1281a

memory/2972-8-0x000000013F620000-0x000000013F974000-memory.dmp

\Windows\system\aDJEWJt.exe

MD5 437953c577570eb51a8877d4cc33fa90
SHA1 9201c0e8532d4e1e0d2ff4b763729a7937b0e21c
SHA256 f3ea5425190d645f65709d32c8baa726a5ae00cbc8ac2153ea8601508173f63e
SHA512 b773808dd3b4bce5adc28e008703933198ba2fe27c9db4097e9c53ac0ec8102867188a51a79ebe4d62580ecfe701e9963028ffe03c2ff08e66c768dc22d6485c

C:\Windows\system\SoXhrBm.exe

MD5 8704d3efb5f73b217c89a2f06f8143fb
SHA1 13243be053ff897ed3965cdea8d8a1ef294bc1b1
SHA256 2a23bb198a6c2f2ff7428471155cdd7873079a008f4a01c02d2fdcb7fbc4c4b8
SHA512 1de3ed38d8eb39934cf5509841b14308dbf6fd3c532aef533b8b8bcf8a12ce90e91e783144a4e36a85b4dfc9546e1ef350138871ba87a985d275d8abddc4f4e8

memory/1964-17-0x00000000023B0000-0x0000000002704000-memory.dmp

memory/3036-15-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/2648-20-0x000000013F9F0000-0x000000013FD44000-memory.dmp

\Windows\system\wAMFcdk.exe

MD5 3044685b44d9b19f381491b3f7a128e4
SHA1 ae7cf282817692c2c95c1502183ec8fb5d40943e
SHA256 dee1f1bbc18b1e397ab9d2e6a927ecd28d934a01dce481d0b626cb024206f671
SHA512 78ed4eaa782038ed3bc6183758a7e32ae241e242045b2f9361120237b7a708351fec6d03cd0372fda9b807143a87a623e07ec59091ee2acff63f61d355c0bd05

memory/2604-27-0x000000013F480000-0x000000013F7D4000-memory.dmp

C:\Windows\system\dAWZteO.exe

MD5 be5aa17d97a932ab697b5355ec7864e2
SHA1 4e0c499616a5567e99cc0cda18edd0699e396f6c
SHA256 d4873aa86299539746e9e21f434df72aa7498d51d63605b3bf82c70f6b86e9f9
SHA512 b519637059ad889c6a769441e1a1448ce9c808f74a68c26e812bf037dd0a83cba2fddf9a207889cf35ab219251aecf806c4299e39a357dbf3f282d0b5c2435ad

memory/2728-35-0x000000013F020000-0x000000013F374000-memory.dmp

C:\Windows\system\pQNbgxn.exe

MD5 de9415f74777f564ffb21084c693b3c1
SHA1 4d403addd05b4e41b8d194ad745bfe2530735c89
SHA256 54c984649b8c76b3a57b8da017f38d95dcfcf9e4d00f61e50ac7c80ad00d1ff2
SHA512 41d8e26ac3ac72b77f22830ae72cb46fdb66080ab349bc927db98284d863041e5d83d504d7f8aecee755e2d5b3e1a54d123ac2ce72b55ef81b077e2346c893f5

memory/2992-40-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/1964-36-0x000000013F850000-0x000000013FBA4000-memory.dmp

C:\Windows\system\rMsCoWU.exe

MD5 e435dc94d00d688521b1756d8db26830
SHA1 e71b82dc5a16aa701c7efaae579ae3e0b178d3c7
SHA256 7e9e95e81cb8dc71143c07fc4df9695e5d45da3bfe7c99eff59496046fd984a3
SHA512 d853f3b29a95e92a32ff5af0ea6310d4ffe6632bf5a7a795ced535fb27747f12cb05ee5c86f541a465b181a415af99e3a0a12801a2c819223053c023c8553b05

C:\Windows\system\EfvCBCE.exe

MD5 d642670d5efbe5a5399f76203b7343e9
SHA1 d2fd0f7548ca1692fb4b090ebc21f90a97a6c295
SHA256 c00459bc750b0fe2c73edc6f8d82653938dc1d933f95c873a482353316ea58f0
SHA512 3402eb2fbf8dd993fd1a7028ee94ea77bcd99315b51c65a7e16b82b0980439c9bf3d2b20394f57d61c56ff3874e3e1bd58a92e4192bf06629989738d4a7caccf

memory/2476-49-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2496-55-0x000000013F600000-0x000000013F954000-memory.dmp

memory/3036-48-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/2464-64-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2892-70-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2648-63-0x000000013F9F0000-0x000000013FD44000-memory.dmp

C:\Windows\system\Biklqkj.exe

MD5 11e583a01cae7e3c94bc9e4198e74b74
SHA1 c6eba3e8a25263229f772a7bfe0561405f3c93fc
SHA256 b4020b4c3f5f3c8fa47ec42fb6772a297695b34f3e089788f29b484bf9071a87
SHA512 53b6766a30382d0c293c1fef588152c2746b10610c35eb8095b686bca8fbe1f83b701b924c400128fb5147f190fceccffe3f8d4f202b3c4d4bec632945cddb8b

memory/1964-58-0x00000000023B0000-0x0000000002704000-memory.dmp

C:\Windows\system\sOfEYid.exe

MD5 3ac90c9e69ba2182f9f30806bcd7e9d7
SHA1 b34b3b1460db75420981aa45e74412267313ef8c
SHA256 76bafcf2831566e9136ba9f3144c10f3acc76fb138d1b6a17609e1febd3c8cbf

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 10:09

Reported

2024-06-01 10:12

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\fnhiJRx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kHOCEHT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ElEoHvh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NIjLIrm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JkBGNMa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vtYpEiv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eXwodaG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nkPpPkj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yIyDbgN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hZilBLn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HYFDRgr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZDrQNvg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rwRMtbx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MZdoNIn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zVbGwfZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\flidRdn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tHsBArz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vuocFIT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bQwuxbt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JPSCPUj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ovjMfmJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3192 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\HYFDRgr.exe
PID 3192 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\HYFDRgr.exe
PID 3192 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ovjMfmJ.exe
PID 3192 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ovjMfmJ.exe
PID 3192 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\tHsBArz.exe
PID 3192 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\tHsBArz.exe
PID 3192 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\NIjLIrm.exe
PID 3192 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\NIjLIrm.exe
PID 3192 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\JkBGNMa.exe
PID 3192 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\JkBGNMa.exe
PID 3192 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vuocFIT.exe
PID 3192 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vuocFIT.exe
PID 3192 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\fnhiJRx.exe
PID 3192 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\fnhiJRx.exe
PID 3192 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\bQwuxbt.exe
PID 3192 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\bQwuxbt.exe
PID 3192 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\JPSCPUj.exe
PID 3192 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\JPSCPUj.exe
PID 3192 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZDrQNvg.exe
PID 3192 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZDrQNvg.exe
PID 3192 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\rwRMtbx.exe
PID 3192 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\rwRMtbx.exe
PID 3192 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\kHOCEHT.exe
PID 3192 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\kHOCEHT.exe
PID 3192 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vtYpEiv.exe
PID 3192 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vtYpEiv.exe
PID 3192 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ElEoHvh.exe
PID 3192 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ElEoHvh.exe
PID 3192 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\eXwodaG.exe
PID 3192 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\eXwodaG.exe
PID 3192 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\MZdoNIn.exe
PID 3192 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\MZdoNIn.exe
PID 3192 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\nkPpPkj.exe
PID 3192 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\nkPpPkj.exe
PID 3192 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zVbGwfZ.exe
PID 3192 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zVbGwfZ.exe
PID 3192 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\flidRdn.exe
PID 3192 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\flidRdn.exe
PID 3192 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\yIyDbgN.exe
PID 3192 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\yIyDbgN.exe
PID 3192 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\hZilBLn.exe
PID 3192 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe C:\Windows\System\hZilBLn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\HYFDRgr.exe

C:\Windows\System\HYFDRgr.exe

C:\Windows\System\ovjMfmJ.exe

C:\Windows\System\ovjMfmJ.exe

C:\Windows\System\tHsBArz.exe

C:\Windows\System\tHsBArz.exe

C:\Windows\System\NIjLIrm.exe

C:\Windows\System\NIjLIrm.exe

C:\Windows\System\JkBGNMa.exe

C:\Windows\System\JkBGNMa.exe

C:\Windows\System\vuocFIT.exe

C:\Windows\System\vuocFIT.exe

C:\Windows\System\fnhiJRx.exe

C:\Windows\System\fnhiJRx.exe

C:\Windows\System\bQwuxbt.exe

C:\Windows\System\bQwuxbt.exe

C:\Windows\System\JPSCPUj.exe

C:\Windows\System\JPSCPUj.exe

C:\Windows\System\ZDrQNvg.exe

C:\Windows\System\ZDrQNvg.exe

C:\Windows\System\rwRMtbx.exe

C:\Windows\System\rwRMtbx.exe

C:\Windows\System\kHOCEHT.exe

C:\Windows\System\kHOCEHT.exe

C:\Windows\System\vtYpEiv.exe

C:\Windows\System\vtYpEiv.exe

C:\Windows\System\ElEoHvh.exe

C:\Windows\System\ElEoHvh.exe

C:\Windows\System\eXwodaG.exe

C:\Windows\System\eXwodaG.exe

C:\Windows\System\MZdoNIn.exe

C:\Windows\System\MZdoNIn.exe

C:\Windows\System\nkPpPkj.exe

C:\Windows\System\nkPpPkj.exe

C:\Windows\System\zVbGwfZ.exe

C:\Windows\System\zVbGwfZ.exe

C:\Windows\System\flidRdn.exe

C:\Windows\System\flidRdn.exe

C:\Windows\System\yIyDbgN.exe

C:\Windows\System\yIyDbgN.exe

C:\Windows\System\hZilBLn.exe

C:\Windows\System\hZilBLn.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
DE 3.120.209.58:8080 tcp
NL 52.142.223.178:80 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files
