Malware Analysis Report

2025-01-22 19:42

Sample ID 240601-mc7psaaf88
Target 2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike
SHA256 38beffdd41fb0f6ed2eea60298f5775fedb455ca3340e8b91edc1e593b9468e7
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

38beffdd41fb0f6ed2eea60298f5775fedb455ca3340e8b91edc1e593b9468e7

Threat Level: Known bad

The file 2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

Cobaltstrike family

Cobaltstrike

Xmrig family

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

xmrig

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 10:20

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 10:20

Reported

2024-06-01 10:22

Platform

win7-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\EQzipxn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yHECCJR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZCuASFN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EwXLZLU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ckcSQHx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eRVLIEu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NWsCAla.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JLFIwYd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fPewvvF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DXHWBye.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DwjqpNu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZySJOJK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pSIhnPY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HaozNzO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jIgDxJx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\njhlIEN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DjtdDcE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IxJrBtU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xqiulNU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZRtjFdy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cqHDYcE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1776 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\EQzipxn.exe
PID 1776 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\IxJrBtU.exe
PID 1776 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\eRVLIEu.exe
PID 1776 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\xqiulNU.exe
PID 1776 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZRtjFdy.exe
PID 1776 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\DXHWBye.exe
PID 1776 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\cqHDYcE.exe
PID 1776 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NWsCAla.exe
PID 1776 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\yHECCJR.exe
PID 1776 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\HaozNzO.exe
PID 1776 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLFIwYd.exe
PID 1776 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZCuASFN.exe
PID 1776 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwXLZLU.exe
PID 1776 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\DwjqpNu.exe
PID 1776 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fPewvvF.exe
PID 1776 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZySJOJK.exe
PID 1776 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\jIgDxJx.exe
PID 1776 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ckcSQHx.exe
PID 1776 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\pSIhnPY.exe
PID 1776 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\njhlIEN.exe
PID 1776 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\DjtdDcE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\EQzipxn.exe

C:\Windows\System\EQzipxn.exe

C:\Windows\System\IxJrBtU.exe

C:\Windows\System\IxJrBtU.exe

C:\Windows\System\eRVLIEu.exe

C:\Windows\System\eRVLIEu.exe

C:\Windows\System\xqiulNU.exe

C:\Windows\System\xqiulNU.exe

C:\Windows\System\ZRtjFdy.exe

C:\Windows\System\ZRtjFdy.exe

C:\Windows\System\DXHWBye.exe

C:\Windows\System\DXHWBye.exe

C:\Windows\System\cqHDYcE.exe

C:\Windows\System\cqHDYcE.exe

C:\Windows\System\NWsCAla.exe

C:\Windows\System\NWsCAla.exe

C:\Windows\System\yHECCJR.exe

C:\Windows\System\yHECCJR.exe

C:\Windows\System\HaozNzO.exe

C:\Windows\System\HaozNzO.exe

C:\Windows\System\JLFIwYd.exe

C:\Windows\System\JLFIwYd.exe

C:\Windows\System\ZCuASFN.exe

C:\Windows\System\ZCuASFN.exe

C:\Windows\System\EwXLZLU.exe

C:\Windows\System\EwXLZLU.exe

C:\Windows\System\DwjqpNu.exe

C:\Windows\System\DwjqpNu.exe

C:\Windows\System\fPewvvF.exe

C:\Windows\System\fPewvvF.exe

C:\Windows\System\ZySJOJK.exe

C:\Windows\System\ZySJOJK.exe

C:\Windows\System\jIgDxJx.exe

C:\Windows\System\jIgDxJx.exe

C:\Windows\System\ckcSQHx.exe

C:\Windows\System\ckcSQHx.exe

C:\Windows\System\pSIhnPY.exe

C:\Windows\System\pSIhnPY.exe

C:\Windows\System\njhlIEN.exe

C:\Windows\System\njhlIEN.exe

C:\Windows\System\DjtdDcE.exe

C:\Windows\System\DjtdDcE.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/1776-0-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/1776-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\EQzipxn.exe

MD5 652f29d76f5485c461b0fcc44d730318
SHA1 8c6db95789bec96e6d4675e3c2243fab9ab9bb0d
SHA256 d41c6ccdaf9a8fc4263e1f3f03def202e1ff83fd27dcdd08a43117271dc9030d
SHA512 cc11fe81c649dc10808038944423f54298fe181e19db35acbb041a78d5b0bf64e938e87299b42872733b594b15f2e1a5ed56d33fcd72936c215d569e2bac4e06

memory/1776-6-0x00000000023C0000-0x0000000002714000-memory.dmp

C:\Windows\system\IxJrBtU.exe

MD5 d92906cf02a60d8e4b8183ddbae4a14d
SHA1 270d99cfd4800e148bc45ed96c38b1e4722eea6d
SHA256 a12d3f921d9841adbcd1c1d5461c09cb76fb074c1bf2edd782a3bf3fca2f5139
SHA512 47f9b03fda97e5212ca302073a14379ad9076046a3905fa8badd951118a72d33744bac2e29291ab9dedb877f9197eb85943f6db1f94a6e31ce6c391b7d40f85a

memory/1776-13-0x000000013F330000-0x000000013F684000-memory.dmp

memory/1300-15-0x000000013F330000-0x000000013F684000-memory.dmp

memory/2420-12-0x000000013FD60000-0x00000001400B4000-memory.dmp

C:\Windows\system\eRVLIEu.exe

MD5 4554834dfecd2522013d5271c72c37b8
SHA1 bcb8cf114cf6377a36e5943fecd34c90b0ca34b7
SHA256 506669d8ed5153bafb6f99339a62c6918cc264744d602762069c7d154ba7d1d5
SHA512 c1eb45223965f57618370a6383425489c59943ada7b404c417cb890ca9f436b7a17c45dd1f9b18a68d01b26612b6ab17b998d2c3448fe7fba6ce3232ba0004be

memory/3060-26-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2688-30-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/1776-28-0x000000013F6B0000-0x000000013FA04000-memory.dmp

C:\Windows\system\xqiulNU.exe

MD5 55bae7cbd2bfd54d4d4fb3ff8d2f969f
SHA1 7fa90b718678f0aec6026cb7dd6b6ce5584ed067
SHA256 acaff6262c9ead317f6475dfb98f2106e976edbe52e544891438cfdd96d44a7d
SHA512 a8f3944c4af53e3c7384b7b8e548d12e52827effeeec259e0851f87938ed31e0fc1fd0d6aa6fb8a7e70cc6fa0ffc6643696172802d4848086bb07ef7e652c3f7

memory/1776-23-0x000000013F0B0000-0x000000013F404000-memory.dmp

C:\Windows\system\ZRtjFdy.exe

MD5 d65750b9811971e85ba538c04ff39b96
SHA1 e9bac7fdf904991727cff0c5c869f8d6cf7d2b6c
SHA256 e53723f4b501ef36cef7fa6249e863cc8f5a5b893f7b5aef8384b514593d1f6d
SHA512 837219c5bbff982b837a4bbdf61db1b30158db5c8a2a618d0d4e8758821fa7ba772342519bf21108ba35d14d62ee12565fddddd078270344ed08fc2424f4b693

C:\Windows\system\DXHWBye.exe

MD5 da160638ca9d48f06651cf75b08ca735
SHA1 d617d858a828030c59852639790efc3072c3e599
SHA256 b99be4b48bcd0f028947d84edc94b65488aaa776cee88588363330da62f6b243
SHA512 3402653026794ceba0ef0c30115b48679a9b28acf48deda7a827b9866ee5f6daa6ee02962531d783ebc7ff4d326642a31b1da5fc645184e4bcec822a7b371662

memory/2260-42-0x000000013F9C0000-0x000000013FD14000-memory.dmp

memory/2420-56-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2264-51-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/1776-63-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2740-64-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2564-72-0x000000013F670000-0x000000013F9C4000-memory.dmp

C:\Windows\system\JLFIwYd.exe

MD5 daf64e2d670af09845f24e6a1a4d7316
SHA1 5fe2e3b8a4df5601eea712480a31b17666fa5505
SHA256 1186cba158a9fb8fc84383f45c096a556f708f9af5bfa2d17d14599b875d12ef
SHA512 3567e4d703b53ec531226b5c2c3b0a35f5f08b6ed4f1f0a6a520d959b46c4c7a239ea6240b881dcbd178d2a4884b99d2ac1cd112593bb3cabf668fe759208bc6

memory/1776-80-0x000000013F4D0000-0x000000013F824000-memory.dmp

memory/1904-88-0x000000013FFF0000-0x0000000140344000-memory.dmp

C:\Windows\system\ZySJOJK.exe

MD5 9268cbe6d87f767fcb0589434bae18ce
SHA1 54e67e6482a2a2d477fa64aebba87447488ab206
SHA256 76146887f142645f8a6fe3a902e53bc8682018703bf2c80e09374d7580160bcf
SHA512 60498e2c69fae62f1d348f6e2e1f25004a0d9194b636cb726a16cb4707ee62e4ecbe5d6a15b16aa687b2ca73594b49b980b336a1553bcba5fd7b5a5197e3f73e

C:\Windows\system\njhlIEN.exe

MD5 c03bf7fc1b3122f40916be8756ec9f05
SHA1 689855920ae27fe01327eb942ee8584f19a68dc9
SHA256 317e284ba071b14ff991072738d3e6bbe6f8bf6dbe9746d83f64030c75637dfb
SHA512 ba63fc18cdf88d80e7e16b7506e757bca5dc77beb0c9c3d27288cb2488708fdd8718aea378dfe714068fc9ffd08fe6a985610ca26f21372c74a34433aeb58cac

\Windows\system\DjtdDcE.exe

MD5 8427a12b6aebf1fa962b42898edc36b3
SHA1 599c543ca0df0119f913b37a2daa7ad666970076
SHA256 f7700b9f1ba83ff2dfd08382cba54a03fb28a51f2eb191c1b351e6f041faafed
SHA512 b0294dc3d1d002cf6d72fe398062d698258bd3a4c3348071a311b4582e094343ea0ec743521d4d77ed9a8cbf42f292b930a4b735eaf0961da96ba7f3dde5bfb4

C:\Windows\system\pSIhnPY.exe

MD5 1ff3fc5c21bf1d3be19b0788606b20f0
SHA1 60514ac9f911b216680a9677a1ff4d13ebe60f36
SHA256 21109ccef6df717990e254feda726dc655573c2044828ab051d58b7e16075dcd
SHA512 bb6b714c39ef49fad9a7dec9579747c71f1a3276ae3c1f2e117f4dc2bc1bd8f54a51e8603f7455ad3590d26eeef5ff527334f0628181d7c6014fe6b8a3c6de49

C:\Windows\system\jIgDxJx.exe

MD5 5f3d70bbb99ad67600da58d8020bb9e5
SHA1 8fafae243064135a12dd3b2f3d3db7da1ea104b6
SHA256 3519ec65ad4636b6420071e60315884eab9c5e053551fe2f3102dbda21a96b58
SHA512 1faa8a65a8334a3b3d11e192a2878e77d1925aff9f20302d66c8d3b8cca24e2e6ff33b0587b57eb2e900cbd0cadc99ba45cd05acf90246b01423598ae3be03a3

memory/1776-111-0x000000013F220000-0x000000013F574000-memory.dmp

C:\Windows\system\fPewvvF.exe

MD5 c707a5a90c70e1aa94362535f52d1198
SHA1 0b0d253fefed1358b1f2e405eaba0ea7b50d3ed4
SHA256 e66f171b3ff1f80f0e38189595e3f5dd13776f29f812d1bf7b9b2db6ee6dea7e
SHA512 9a24ac1949f30e9d5ce6644a2f22c4967987f003518dc87f6180186a5c91071f76af1b0bef0301a70a697d2ed2af6b9ebf990b3cafb76ac2421168f5b28ea023

C:\Windows\system\ckcSQHx.exe

MD5 802bcfce6ae4a6c9507590044c789511
SHA1 849b70861e61c52af29dbe2eed3f942f8d553693
SHA256 972e14999ead0ae0dcfb0c118e7406e75320a489d7f3789471f2b7326f0ac733
SHA512 c321c0ace6c1ecd48c6ea44547d32dea4b4073f2c8d14d568291293264f6c2fa24ed7e73b40964a52a41e243ec0b3c02676aaa87aa038e57e970fa644cefd8f2

memory/2264-141-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2852-104-0x000000013F330000-0x000000013F684000-memory.dmp

memory/1776-103-0x000000013F330000-0x000000013F684000-memory.dmp

memory/2260-102-0x000000013F9C0000-0x000000013FD14000-memory.dmp

C:\Windows\system\DwjqpNu.exe

MD5 2d61c69ea30ada543be9bd1ac675aa38
SHA1 5913cd6af780289ceba5caaecdd1928ffa82da9f
SHA256 18e5a5c6b3ca257b020a0270da7854f21516d33c32a012dc6e0000a2679d888a
SHA512 a022245bbd28733306cd7539e3b29d64719ba795a6ca6931c9d0669e95315857ab013ab95089e7dd35252a844c3836ed62d89e24961a8d4f0727097a1b528873

memory/2680-95-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/1776-94-0x000000013F800000-0x000000013FB54000-memory.dmp

C:\Windows\system\EwXLZLU.exe

MD5 ce0b6d34109ab3c18a51cf990db0f29d
SHA1 8eaf791c5fbffcd130a4f5f6a2acccb28d97ba2e
SHA256 4699e72564d54d0f27c2bff34d5d27b4404fd969b2553de3edc9e7b528e43533
SHA512 93a82036ad0f6e7193273fe2771cade2aecf4c0d88f4ff72aad6f7e762e5c1212fd9dd13d01d5f6cc2e2a3e93439ead10014413559af91f0fa3f7babe4cb0dac

memory/2196-142-0x000000013F9F0000-0x000000013FD44000-memory.dmp

memory/2688-87-0x000000013F6B0000-0x000000013FA04000-memory.dmp

C:\Windows\system\ZCuASFN.exe

MD5 d4f3a9d27bfcf70bdc7928ee67d352ab
SHA1 d07bc0f392eb8182f43c9994e4baa5517aa62353
SHA256 76ce9f64deadea516b29b837f7715d0a345acc093e06417646fcb3dd0d0004e2
SHA512 c31c63ebbb73beb844ad34a4586ea2c183ec88f439d6e875458e0a553e2fa217aa39ecb2031626bf1e241d7cd1b52192fea83ea330333d41729645afea725003

C:\Windows\system\HaozNzO.exe

MD5 4d7aaf02ff671f318b1e4ee86fb9818f
SHA1 f97f84398373f09ba30938ea4b80da0ed26aa752
SHA256 a6d24ac8f4b9b80e3cc90e69d1e12985eca2e10f1b9421eab3ff42dad04d201a
SHA512 b702cb8f4eef63fd05418b7d4d90653f5314550599beddb8f9dc3fcaeb1791aa7ee02dbb5b143ebb75878ebfd342beb689a31a7d99ddc5c5005a1c51776c0416

C:\Windows\system\yHECCJR.exe

MD5 05e0b24737fe9e3301b1e83cc02f5c82
SHA1 13963bd1b623dc8c0e92efeefbbbd9d83f1c84f4
SHA256 77555d888c398d3f531b4709da1fac8937771e0e7762b0c7a99c2f493e163293
SHA512 b9e04ffee59ddfe17528eb14d2f747a6985efb08af08c5f08cc6753d57153314b36692a74b9c2777ed08294e4c44eb8b40e8ee5126bf39a010a9d447d957353d

memory/1776-50-0x000000013FD40000-0x0000000140094000-memory.dmp

C:\Windows\system\cqHDYcE.exe

MD5 322f571c7a64df70e8e303aa69747601
SHA1 fa23519d21089de70bca95e81df97b51d21c4b34
SHA256 e5afa3974a87c13bcbfa6a8f5c4d9b327ceb42baa56c37f7f46bb1539ccbdeb4
SHA512 70ac7b3e4f853675cb0a4e29ff693b8e45ffc9f51f95ec614f7766e7537be5c9763cd29b7083df8f19e69e4467d74844a69113e40cb4a8f4761a6d05d06a7a68

memory/2740-143-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/1776-48-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2196-57-0x000000013F9F0000-0x000000013FD44000-memory.dmp

C:\Windows\system\NWsCAla.exe

MD5 9c98d7099f9fdc494989a89ca817273b
SHA1 a3b635182aefe81e64f5cb905c578785d11b493e
SHA256 69a20a3db368c949b5e90c778a5a9222db3e1ffbe4da979742d8aefd1a2e2e6c
SHA512 f2ec86a989cc24e65ba7cc27c83503409e5a9289c0c912e638064d6286a70e9c5f16ed19a3953222d0e41b32b9795206f4428dc79c3cd7683fd722608665b49f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 10:20

Reported

2024-06-01 10:22

Platform

win10v2004-20240426-en

Max time kernel

137s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ieGNVtM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CbPOFIS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dgCrDcJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FomKXXr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KEnfBQG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\evPtqKp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OdBsLnV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NJwqZPx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mbEnQSN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sjvRijT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AJtubec.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fflhrTY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZdqjynD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hgzRhfK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fyMMGoF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\psjebCt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gllyxnw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bBFIXDj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HBbVIQf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fBoVwsQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\arIumhp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\HBbVIQf.exe
PID 2028 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\HBbVIQf.exe
PID 2028 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\dgCrDcJ.exe
PID 2028 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\dgCrDcJ.exe
PID 2028 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NJwqZPx.exe
PID 2028 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NJwqZPx.exe
PID 2028 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fyMMGoF.exe
PID 2028 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fyMMGoF.exe
PID 2028 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\psjebCt.exe
PID 2028 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\psjebCt.exe
PID 2028 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FomKXXr.exe
PID 2028 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FomKXXr.exe
PID 2028 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\mbEnQSN.exe
PID 2028 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\mbEnQSN.exe
PID 2028 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\gllyxnw.exe
PID 2028 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\gllyxnw.exe
PID 2028 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\sjvRijT.exe
PID 2028 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\sjvRijT.exe
PID 2028 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\bBFIXDj.exe
PID 2028 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\bBFIXDj.exe
PID 2028 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fflhrTY.exe
PID 2028 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fflhrTY.exe
PID 2028 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZdqjynD.exe
PID 2028 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZdqjynD.exe
PID 2028 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\KEnfBQG.exe
PID 2028 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\KEnfBQG.exe
PID 2028 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fBoVwsQ.exe
PID 2028 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fBoVwsQ.exe
PID 2028 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\evPtqKp.exe
PID 2028 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\evPtqKp.exe
PID 2028 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ieGNVtM.exe
PID 2028 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ieGNVtM.exe
PID 2028 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\AJtubec.exe
PID 2028 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\AJtubec.exe
PID 2028 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\hgzRhfK.exe
PID 2028 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\hgzRhfK.exe
PID 2028 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\arIumhp.exe
PID 2028 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\arIumhp.exe
PID 2028 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CbPOFIS.exe
PID 2028 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CbPOFIS.exe
PID 2028 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\OdBsLnV.exe
PID 2028 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe C:\Windows\System\OdBsLnV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_c4a10f915ec41f9da525e3d30e0f015c_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\HBbVIQf.exe

C:\Windows\System\HBbVIQf.exe

C:\Windows\System\dgCrDcJ.exe

C:\Windows\System\dgCrDcJ.exe

C:\Windows\System\NJwqZPx.exe

C:\Windows\System\NJwqZPx.exe

C:\Windows\System\fyMMGoF.exe

C:\Windows\System\fyMMGoF.exe

C:\Windows\System\psjebCt.exe

C:\Windows\System\psjebCt.exe

C:\Windows\System\FomKXXr.exe

C:\Windows\System\FomKXXr.exe

C:\Windows\System\mbEnQSN.exe

C:\Windows\System\mbEnQSN.exe

C:\Windows\System\gllyxnw.exe

C:\Windows\System\gllyxnw.exe

C:\Windows\System\sjvRijT.exe

C:\Windows\System\sjvRijT.exe

C:\Windows\System\bBFIXDj.exe

C:\Windows\System\bBFIXDj.exe

C:\Windows\System\fflhrTY.exe

C:\Windows\System\fflhrTY.exe

C:\Windows\System\ZdqjynD.exe

C:\Windows\System\ZdqjynD.exe

C:\Windows\System\KEnfBQG.exe

C:\Windows\System\KEnfBQG.exe

C:\Windows\System\fBoVwsQ.exe

C:\Windows\System\fBoVwsQ.exe

C:\Windows\System\evPtqKp.exe

C:\Windows\System\evPtqKp.exe

C:\Windows\System\ieGNVtM.exe

C:\Windows\System\ieGNVtM.exe

C:\Windows\System\AJtubec.exe

C:\Windows\System\AJtubec.exe

C:\Windows\System\hgzRhfK.exe

C:\Windows\System\hgzRhfK.exe

C:\Windows\System\arIumhp.exe

C:\Windows\System\arIumhp.exe

C:\Windows\System\CbPOFIS.exe

C:\Windows\System\CbPOFIS.exe

C:\Windows\System\OdBsLnV.exe

C:\Windows\System\OdBsLnV.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/2028-0-0x00007FF6DFC10000-0x00007FF6DFF64000-memory.dmp

memory/2028-1-0x00000175FD010000-0x00000175FD020000-memory.dmp

C:\Windows\System\HBbVIQf.exe

MD5 7c7bdb2de47bd8d9797917175e2b422c
SHA1 95ebfe4bcad068c36345ed36ec796f2e39b514cd
SHA256 e43759dbee1c4ca0b2422d6b21590240edb3bae747ee52450bc23798973d19b4
SHA512 51a99c342adcad9c7e910b978f5fbd60813bb275d6e7200f17690dc412ca3293a4365c8c1174eec764148886abdc7dc57da52be5e1fbcb255349dbb712fa2f2d

memory/852-13-0x00007FF77C930000-0x00007FF77CC84000-memory.dmp

C:\Windows\System\fyMMGoF.exe

MD5 a92b151a2a25c6336e53150ba41fcb12
SHA1 b1c38a4e65dcfbd65c5f5e9db6d091cbfd1eaffb
SHA256 59c5b04832d4ac9fc227e804210fa9b13fab63ed757df88458d94cf8035fbde7
SHA512 54ad7168cdbe376f13ba91ac7ecc62cacc7f4ffa742d16a95ee2889bde0f720b33d969afb08f118079305c30b04713c2bfad70cec9ee06a6cc9614e9b0c572c7

C:\Windows\System\NJwqZPx.exe

MD5 8010bdf0b0cb8c7132c5ea7ef8ccff34
SHA1 2de9823265e369c20f6268255e5b49f62c391f7d
SHA256 2dbbbcc6cc62b0414f6ad42ed500fd2a9b405304d923745ee6ba52569a401dc5
SHA512 6d9fa2a881a052e9db78f88a7c64837cd361ff8317ccd571b2bda2b644e905abf6689372483b4cb27f6d221bd99bad6154e38563da5ba8256847ceb4bae8f182

memory/2860-20-0x00007FF75BD60000-0x00007FF75C0B4000-memory.dmp

memory/5004-19-0x00007FF7F1F90000-0x00007FF7F22E4000-memory.dmp

C:\Windows\System\dgCrDcJ.exe

MD5 6057db207a2bc302f8f13c5fed1867bc
SHA1 d7b796a4c4ccf94abc1afc0c85935b5ba70b4ece
SHA256 414728b57041f68d78bacf211b7f783c87f3a856d5a860f23c24b1d2eaf38225
SHA512 2441001fdbe5473bc18773a7fc9a026660d12fdfbd53c3473b9884e2d21d311511f2137a2e416dfad9ddf5a916b4ee0fa3b2c2e99b8788cad1f0cdd96bd728fb

memory/4616-26-0x00007FF7D8C20000-0x00007FF7D8F74000-memory.dmp

C:\Windows\System\psjebCt.exe

MD5 2ddf977fec6d82dbe5dd30ffab28a8f0
SHA1 e32856350a3392eac404059464b2760998891a25
SHA256 c376bcbb0f58a2fe9b4b14719e9abe53bd133d5ec2b2b01d55acffd1aa661c3e
SHA512 b7f85d00ab765466fc17c389f88fe21756077ccfcb603b08bb89834a53deed528ac4970ab8ec7c49f9f8da75e752bb7c94601bb6384420b59909ce1675bed2de

C:\Windows\System\FomKXXr.exe

MD5 651e3f920b1ff142180ef17eb53f7276
SHA1 884e3421d0fcbc29ceba083e8001e3b3791f1d76
SHA256 8aba98fdd44f08b3ee0b009c1389bcad827623d96e32cc6a9e3a27f1c405d938
SHA512 1052148f8231e0e4e7409d5331a4afb537fd0fa7393d81e31edc5f1c97be7d0e8e6b6a963db7a208257990cd20eebfd9482393ee01524c80b3f4626374a1c369

C:\Windows\System\mbEnQSN.exe

MD5 30bf939b0badac4a795f6f33c2213afc
SHA1 147c5a5d3984e8590f2dab5c547d4a74be2f4e41
SHA256 1b3a28df678dde93b6a1c424a9866ee9bb306bfd26bf1cf1c474b01a1dcd2de4
SHA512 7a1c330300dd10b076a4ae5d5a683bdfd4ed41ebcf7fbdab39e8889196049e585ca96887a29baa6c64d89c6b30f3fc8e96c78c8f40740e38937afeb6eb622fbf

C:\Windows\System\sjvRijT.exe

MD5 cdd9d24d78d552866c972bfc37d71d23
SHA1 9824718c767c612e0cdcd07443dda15f72e3f22a
SHA256 d80e1a99ddbbb2bfac8692d7d6337b0ab25744961457e0cc2f09ccfe0a8503ed
SHA512 3c8677c7699142a15ca892fc5c56ce6fe8f816ccfd44f79b5e7b13f86c7d4d80caca7cd2c4c5921696cc6df3980a16c81afd7a2f3eacd364c5e9cb9343a31c81

C:\Windows\System\gllyxnw.exe

MD5 591712f31f904675d232a8924dae8a40
SHA1 4a7245240a30fd1caad465f88cb82efc9b7611d8
SHA256 a9aa99cdd15fe6ca750f33b20b9691e0288dd05f9ebd0406785b78605a53780d
SHA512 4c75148c0c3f16699e544dc4f5ef0a4d2260dccbc16d60d37fc0c74a93c920ef12f4bd0bedb2de9ed8d9e71392a12583ac4deda6a7528ae6f1c5289e7e0e60a9

memory/2428-32-0x00007FF7711E0000-0x00007FF771534000-memory.dmp

C:\Windows\System\bBFIXDj.exe

MD5 4336fe7bb1922874c84e1ede1cf4b457
SHA1 87c97dd0ff4eaaf8c7574e7c4cc06058cee3782a
SHA256 e1a9520fafb70631fd3fa52beeee08016a65be875f94784a9d525b2f034552a4
SHA512 38198ae5f94047e242e962643959dfc91c300de560014ef342e6c3e4e6f36b30090f1c5782b17d8579a601e5340450179803bbe5233514e966a44481a9e9036a

memory/3652-63-0x00007FF731510000-0x00007FF731864000-memory.dmp

memory/2028-60-0x00007FF6DFC10000-0x00007FF6DFF64000-memory.dmp

C:\Windows\System\fflhrTY.exe

MD5 78e312a4512e3fa5d2443f8b46563b52
SHA1 814acd66726d9ac9c592ce0d07b153cf13af8cbc
SHA256 a63d3149bde38f58e1bc5a7b2f8ee93e81c1cbf4347be509787f79420e289a01
SHA512 d36774433b9bb03f8db80b12311b4cf6ec4fe2540f18a912f9ddb1674ebb8e37da8684e1dad1f7675a6de76be8529893a9e5a0f2ba1416ad25486e529c0f8709

C:\Windows\System\ZdqjynD.exe

MD5 9c21653489655c8a10a43a7dc9bbc7c9
SHA1 50ab66cd672645612798b4ef9437e4dc58b02a8c
SHA256 2cdb5d81828c541788b0fdaffb6aabf51d5e5fc8a931126abb4551b5aa60cbce
SHA512 04d8708165c129f338083a845f9375359aa0a90c78f769c2c67314a5ad6ade521a51abfa5708fad57980dac174e745d0749f8a18bdc50fc532274fbfd484d4a9

memory/3540-69-0x00007FF6A27F0000-0x00007FF6A2B44000-memory.dmp

C:\Windows\System\KEnfBQG.exe

MD5 a1b18113481e5f5481fa871bc4420916
SHA1 d0c48e7c815090294e57ce4f79a0bf79a06a5d8e
SHA256 5b70a7fe5f457c4707266e22732bf8fe236b97530c9f38bba99a3d773efcb797
SHA512 e13870ecfa97041f5ece19b6806d590ba0e644638e8de52d12164a01c8bc9ff91569f77faf45912b9977566105da9d77748cd19287588afe22200aa7457ba963

C:\Windows\System\evPtqKp.exe

MD5 86e559905d9e4acc4c915812811285ca
SHA1 49ad9e08ca9ff04ecb726732925db353ee03f44c
SHA256 c1dd4e2a1f718cc3461f36f7d5ade10cd41dafcb9d7fc81e4e0a8e195b439f1a
SHA512 f7801b653fd40dd7e039b0a6f3fbe32051ac4ae32dcbd6559ffad98e8e2cfab8a7b6f19b6d83eda910224c09d1ea6380e62897503953cefb4bfde1b039ee3727

C:\Windows\System\fBoVwsQ.exe

MD5 a65f3b2e3fd79ed7354b41afefa8d602
SHA1 e5666f77628f47be738109251aaaefd68cc6211b
SHA256 2c51fea8900261592e66626013a8fd7b8bbf184ed899f43ee0480a3c6b9d88bc
SHA512 f0b75fb4e96d11006cd382704666c05d25d8199f08c7b7e092915f08c9a6cc60bc5b3fb20cfb0b2d35408c37b8ea1c28c1eaaef9abd0a9cc1d9c6b7448772f62

memory/3836-84-0x00007FF7F9290000-0x00007FF7F95E4000-memory.dmp

memory/2180-76-0x00007FF70EBA0000-0x00007FF70EEF4000-memory.dmp

memory/2860-75-0x00007FF75BD60000-0x00007FF75C0B4000-memory.dmp

C:\Windows\System\ieGNVtM.exe

MD5 c71c8437f2faa1ac5420fdd7222c98c3
SHA1 708ad03cb9e1fd10f315b08b6d301bd01bb6477b
SHA256 d174e6b5259b7ecc4b69fdd99be32e2191d987e6f76e8751afaafe7a8f5c9ea7
SHA512 2551706f18437bfd762d116ca9d23b3ca037a0d9919df24998b0074cecb6986482c3933d49722c7ef037779a43304339126b7c708405e039e59e471a122c05d6

C:\Windows\System\AJtubec.exe

MD5 219658d720bd3873ff207478d2c57b36
SHA1 4afe758a745d77834804494aa530b7ad5165eaa5
SHA256 f3bc95c70e472d16329978230f74b3aa7224335a7eb8fff513198b61d6cbd895
SHA512 72368d13a27aef31bcd29b740155eb6d429d1cbbe53ce8d80ce8c14aeeead4af769030491ecb3c1d9bbd15a9c4b0d5616f6909b730ce3b129cbfcb475e9f4724

C:\Windows\System\hgzRhfK.exe

MD5 93808e1994d09cf495909b4fd9e99431
SHA1 ab2db54bdcef32469ece0355a339726e13750af2
SHA256 4b1ff101b95b58062b0b9b6fb22bdafc5aa9c55a57abe6a2bf66fd739891a1b6
SHA512 d2b5833fba34a0c8476b7e0e3fddbefb9223324198932eeffacd953b7c35d17cb5c17b82a8c7e9f215e2536dcc76f09bd597d9d069726f3e62678e39b3a58f2c

memory/676-111-0x00007FF6E0530000-0x00007FF6E0884000-memory.dmp

C:\Windows\System\arIumhp.exe

MD5 34a686e6dd07811b1044642cae3af03e
SHA1 66011d0c1d2b5b58bf703459e5687cadc93481e1
SHA256 fb7a15de12deca0296c421bbeac2491e9de3f6ad82ce239bd5b1f57e75a07628
SHA512 1ed5e53467be9795c2531ad276726ca2a342bcb3f97ee89b20dfe9093b55268c4903bb242513f586aaea41ed74bfae46df77bb0b087001ec1e46e55c5d0ed203

C:\Windows\System\CbPOFIS.exe

MD5 493883e1408a6e0acafea85deea09a71
SHA1 7e923f42fbc069cba992bdcdf4aa0d7bf8e332ce
SHA256 cc9b170d36fecee07bcd68823a20acc7976d43bc95f18e825cd5081b751c15cb
SHA512 ecf8e5611a2cd0f8c77f82bcc7a74ab45962ea5dca7ad9c821ffe70084b7cdd89ae38ce3cd0d60d0786eca7a462fb09eeaf1692a4d6655b516565bd591eeb76c

memory/4632-123-0x00007FF7F9FA0000-0x00007FF7FA2F4000-memory.dmp

C:\Windows\System\OdBsLnV.exe

MD5 a3a72cfb92941e30ea0d57cceee58b86
SHA1 d62501da4d3783897bab6a85c51bc21a90ca3828
SHA256 d3a1f2f9c21e7111834d4e3b747af6a7490de4f88e35e7d116963be2aee91db4
SHA512 dfff99c18031540a3aa1004108ef3e6ae438591f5702da7dd848bb5bc0aafb2c9b84b7d90debb9fbdbe2e195f32ca08dad3eebcd0995fc676228f0751213e33b
