Malware Analysis Report

2025-01-22 19:38

Sample ID 240601-nc2n7sbg53
Target 2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike
SHA256 4328bc94b5d8f62eb0293efc1ab857275220b8b564cd7038f54a6251bd925147
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4328bc94b5d8f62eb0293efc1ab857275220b8b564cd7038f54a6251bd925147

Threat Level: Known bad

The file 2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Cobaltstrike family

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

Xmrig family

XMRig Miner payload

UPX packed file

UPX dump on OEP (original entry point)

Unsigned PE

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 11:15

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
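
The three static findings above (UPX packed file, UPX dump on OEP, Unsigned PE) can be reproduced offline from the PE headers alone, without running the sample. The script below is an added example and is not part of the sandbox report or its tooling. The executable it inspects is a synthetic PE32+ skeleton built inline (the report's 0x13F... image addresses show the real sample is 64-bit, but no bytes from it are used here); the name-independent packing heuristic and its entropy threshold are my own choices.

```python
import math
import random
import struct

SECTION_HEADER_SIZE = 40          # IMAGE_SECTION_HEADER
SECURITY_DIRECTORY_INDEX = 4      # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode blob)
PE32PLUS_MAGIC = 0x20B


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Read the section table, entry point and security directory of a PE file."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    dd = opt + (112 if magic == PE32PLUS_MAGIC else 96)     # data directory start
    _, sec_size = struct.unpack_from("<II", image, dd + 8 * SECURITY_DIRECTORY_INDEX)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "entropy": round(entropy(raw), 2)})
    return {"entry_rva": entry_rva, "security_size": sec_size, "sections": sections}


def assess(image: bytes) -> dict:
    """Answer the report's static questions: packed with UPX? signed at all?"""
    info = parse_pe(image)
    secs = info["sections"]
    entry = next((s for s in secs
                  if s["va"] <= info["entry_rva"] < s["va"] + max(s["vsize"], s["raw_size"])), None)
    # Name check (stock UPX) plus a name-independent heuristic: the entry point sits
    # in a high-entropy section while another section is virtual-only (raw size 0),
    # i.e. reserved for the unpacked image. The 7.0 threshold is my choice.
    looks_packed = (entry is not None and entry["entropy"] > 7.0 and
                    any(s["raw_size"] == 0 and s["vsize"] > 0 for s in secs if s is not entry))
    return {"sections": [s["name"] for s in secs],
            "entry_section": entry["name"] if entry else None,
            "upx_section_names": any(s["name"].startswith("UPX") for s in secs),
            "looks_packed": looks_packed,
            # Non-zero security directory = an Authenticode blob is attached (not
            # validated here). Zero = unsigned, which is what the report states.
            "has_security_directory": info["security_size"] > 0}


def build_sample(signed: bool = False) -> bytes:
    """Synthetic PE32+ with the UPX layout (UPX0 virtual-only, UPX1 holding the
    stub and compressed payload, .rsrc). Constructed test data, not the sample."""
    rng = random.Random(7)
    upx1 = bytes(rng.getrandbits(8) for _ in range(4096))    # stands in for compressed data
    rsrc = b"\0" * 512
    raw_base = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, 0x10100)                # entry point inside UPX1
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIRECTORY_INDEX,
                         raw_base + len(upx1) + len(rsrc), 0x800)

    def hdr(name, vsize, va, raw_size, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, flags)

    sections = (hdr(b"UPX0", 0xF000, 0x1000, 0, 0, 0xE0000080)
                + hdr(b"UPX1", 0x1000, 0x10000, len(upx1), raw_base, 0xE0000040)
                + hdr(b".rsrc", 0x200, 0x11000, len(rsrc), raw_base + len(upx1), 0xC0000040))
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections
    return head + b"\0" * (raw_base - len(head)) + upx1 + rsrc


if __name__ == "__main__":
    print(assess(build_sample()))
```

The security-directory check only says whether a signature blob is attached; a present one still has to be validated against a trusted chain. The entry-point/entropy heuristic is kept separate from the name check because packers are often rebuilt with renamed sections; when the names are intact, `upx -d` on a copy is the quickest confirmation that the stock packer was used, and the sandbox's "UPX dump on OEP" is the dynamic counterpart (the image captured once control reaches the original entry point).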

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 11:15

Reported

2024-06-01 11:18

Platform

win7-20240419-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Process: C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe (PID 1008)

Description Target
File created C:\Windows\System\KJQxfBX.exe
File created C:\Windows\System\gdwqpgN.exe
File created C:\Windows\System\hilekFY.exe
File created C:\Windows\System\RblfDVc.exe
File created C:\Windows\System\xeeFdcK.exe
File created C:\Windows\System\QZUWHSS.exe
File created C:\Windows\System\xbLkiNZ.exe
File created C:\Windows\System\rcnvBuC.exe
File created C:\Windows\System\qmLEylZ.exe
File created C:\Windows\System\SJVcSyg.exe
File created C:\Windows\System\TekStts.exe
File created C:\Windows\System\YpwNqvd.exe
File created C:\Windows\System\bBiVbwx.exe
File created C:\Windows\System\OAUJTME.exe
File created C:\Windows\System\LcFjjlf.exe
File created C:\Windows\System\qZKfDjA.exe
File created C:\Windows\System\CulpRoX.exe
File created C:\Windows\System\rrqZtus.exe
File created C:\Windows\System\jvQxwEK.exe
File created C:\Windows\System\nRCSwSp.exe
File created C:\Windows\System\lmXjgip.exe

All 21 files are executables with seven-letter, letters-only, mixed-case names written directly under C:\Windows\System (the legacy directory, not System32), a location with no legitimate reason to receive new executables; writing there needs administrative rights, which the sandbox user had. Each file is then started as a child of the dropper (see Processes), and the copies carry different hashes (see Files).

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A

The privilege was enabled twice by the same process. SeLockMemoryPrivilege ("Lock pages in memory") is the right Windows requires for large-page allocations, and it is what XMRig enables for its huge-pages mode, so this row ties the token adjustment to the miner payload.

Suspicious use of WriteProcessMemory

Source process (PID 1008): C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe

Target PID Writes Target image
2056 3 C:\Windows\System\gdwqpgN.exe
2424 3 C:\Windows\System\qmLEylZ.exe
2572 3 C:\Windows\System\CulpRoX.exe
2756 3 C:\Windows\System\QZUWHSS.exe
2740 3 C:\Windows\System\rrqZtus.exe
2488 3 C:\Windows\System\hilekFY.exe
2580 3 C:\Windows\System\RblfDVc.exe
2496 3 C:\Windows\System\xbLkiNZ.exe
3016 3 C:\Windows\System\jvQxwEK.exe
1228 3 C:\Windows\System\SJVcSyg.exe
2524 3 C:\Windows\System\nRCSwSp.exe
2720 3 C:\Windows\System\bBiVbwx.exe
2568 3 C:\Windows\System\TekStts.exe
1412 3 C:\Windows\System\YpwNqvd.exe
984 3 C:\Windows\System\OAUJTME.exe
2108 3 C:\Windows\System\LcFjjlf.exe
836 3 C:\Windows\System\qZKfDjA.exe
108 3 C:\Windows\System\xeeFdcK.exe
996 3 C:\Windows\System\KJQxfBX.exe
624 3 C:\Windows\System\lmXjgip.exe
1356 3 C:\Windows\System\rcnvBuC.exe

All 21 targets are the executables PID 1008 had just written to C:\Windows\System (previous table), and each receives the same burst of three writes when it is started. That pattern is consistent with ordinary child-process creation, in which the parent fills in the new process's parameter block, rather than with injection into an already-running, unrelated process. Read this signature as confirming the process tree; the code-loading evidence for this sample comes from the reflective-loader signatures and the memory dumps.
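
Signature rows of this kind are easier to reason about once they are reduced to counts per process pair and checked against what the same process dropped. The script below is an added example, not tooling from the sandbox; its input is an excerpt of rows from the tables above with the long sample path substituted by PARENT, and the "few writes into a file the writer itself dropped" rule, its threshold and the privilege notes are my own heuristics.

```python
import re
from collections import Counter

# Rows copied from the behavioral1 tables above. PARENT stands in for the
# submitted sample's full path so each row fits on a line; the list is an
# excerpt assembled for this example.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe")
ROWS = [
    r"File created C:\Windows\System\KJQxfBX.exe " + PARENT + " N/A",
    r"File created C:\Windows\System\gdwqpgN.exe " + PARENT + " N/A",
    r"File created C:\Windows\System\qmLEylZ.exe " + PARENT + " N/A",
    r"File created C:\Windows\System\CulpRoX.exe " + PARENT + " N/A",
    "Token: SeLockMemoryPrivilege N/A " + PARENT + " N/A",
    "Token: SeLockMemoryPrivilege N/A " + PARENT + " N/A",
] + 3 * [
    "PID 1008 wrote to memory of 2056 N/A " + PARENT + r" C:\Windows\System\gdwqpgN.exe",
] + 3 * [
    "PID 1008 wrote to memory of 2424 N/A " + PARENT + r" C:\Windows\System\qmLEylZ.exe",
]

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (Se\w+Privilege) N/A (\S+) N/A$")

# Seven-letter, letters-only name directly under C:\Windows\System (the legacy
# directory, not System32). Pattern derived from the 21 paths in the report.
RANDOM_DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")

# Heuristic threshold (mine): a parent populating a process it has just created
# produces only a handful of writes into that child.
MAX_WRITES_FOR_PROCESS_CREATION = 3

# Why a given privilege matters. SeLockMemoryPrivilege is "Lock pages in memory",
# the right needed for large-page allocations; XMRig enables it for huge pages.
PRIVILEGE_NOTES = {
    "SeLockMemoryPrivilege": "large pages; XMRig huge-pages mode",
    "SeDebugPrivilege": "open and write other users' processes",
}


def triage(rows):
    """Reduce raw signature rows to per-process counts and a verdict per write pair."""
    dropped = {}                  # path -> process that created it
    writes = Counter()            # (src pid, dst pid) -> number of writes
    writer = {}                   # (src pid, dst pid) -> (writer path, target path)
    privileges = set()
    for row in rows:
        if m := DROP_RE.match(row):
            dropped[m.group(1)] = m.group(2)
        elif m := WRITE_RE.match(row):
            src, dst, src_path, target = m.groups()
            writes[(src, dst)] += 1
            writer[(src, dst)] = (src_path, target)
        elif m := TOKEN_RE.match(row):
            privileges.add(m.group(1))

    verdicts = {}
    for pair, n in writes.items():
        src_path, target = writer[pair]
        # The writer is the process that dropped the target's image and only a
        # few writes happened: the footprint of CreateProcess filling in the new
        # child, not of injection into an unrelated, already-running process.
        if dropped.get(target) == src_path and n <= MAX_WRITES_FOR_PROCESS_CREATION:
            verdicts[pair] = "child-creation"
        else:
            verdicts[pair] = "review: target not dropped by writer or too many writes"

    return {
        "dropped": sorted(dropped),
        "random_named": sorted(p for p in dropped if RANDOM_DROP_RE.match(p)),
        "writes": dict(writes),
        "write_verdicts": verdicts,
        "privileges": {p: PRIVILEGE_NOTES.get(p, "") for p in sorted(privileges)},
    }


if __name__ == "__main__":
    for key, value in triage(ROWS).items():
        print(key, value)
```

The "review" verdict is deliberately the default: a write pair only gets waved through as process creation when the target image is something the writer itself created and the write count stays small. Anything else (writes into explorer.exe, into a process started by another parent, or dozens of writes into a child) is exactly what the WriteProcessMemory signature exists to surface.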

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\gdwqpgN.exe

C:\Windows\System\gdwqpgN.exe

C:\Windows\System\qmLEylZ.exe

C:\Windows\System\qmLEylZ.exe

C:\Windows\System\CulpRoX.exe

C:\Windows\System\CulpRoX.exe

C:\Windows\System\QZUWHSS.exe

C:\Windows\System\QZUWHSS.exe

C:\Windows\System\rrqZtus.exe

C:\Windows\System\rrqZtus.exe

C:\Windows\System\hilekFY.exe

C:\Windows\System\hilekFY.exe

C:\Windows\System\RblfDVc.exe

C:\Windows\System\RblfDVc.exe

C:\Windows\System\xbLkiNZ.exe

C:\Windows\System\xbLkiNZ.exe

C:\Windows\System\jvQxwEK.exe

C:\Windows\System\jvQxwEK.exe

C:\Windows\System\SJVcSyg.exe

C:\Windows\System\SJVcSyg.exe

C:\Windows\System\nRCSwSp.exe

C:\Windows\System\nRCSwSp.exe

C:\Windows\System\bBiVbwx.exe

C:\Windows\System\bBiVbwx.exe

C:\Windows\System\TekStts.exe

C:\Windows\System\TekStts.exe

C:\Windows\System\YpwNqvd.exe

C:\Windows\System\YpwNqvd.exe

C:\Windows\System\OAUJTME.exe

C:\Windows\System\OAUJTME.exe

C:\Windows\System\LcFjjlf.exe

C:\Windows\System\LcFjjlf.exe

C:\Windows\System\qZKfDjA.exe

C:\Windows\System\qZKfDjA.exe

C:\Windows\System\xeeFdcK.exe

C:\Windows\System\xeeFdcK.exe

C:\Windows\System\KJQxfBX.exe

C:\Windows\System\KJQxfBX.exe

C:\Windows\System\lmXjgip.exe

C:\Windows\System\lmXjgip.exe

C:\Windows\System\rcnvBuC.exe

C:\Windows\System\rcnvBuC.exe

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 N/A tcp 6

Six TCP connections to the same endpoint were recorded and no domain is listed for it, so the IP:port pair itself is the usable network indicator.

Files

memory/1008-0-0x0000000000080000-0x0000000000090000-memory.dmp

memory/1008-2-0x000000013F280000-0x000000013F5D4000-memory.dmp

\Windows\system\gdwqpgN.exe

MD5 ec9f12562dbdbc8bddcfa1877bb8426c
SHA1 ae815a8b204213b92bdc9b2c515617c13a8805ce
SHA256 6f4371ef2eb798d39b84efe5c6ec7180d3d8adb24a37a31b212f981e3559d078
SHA512 4f26eae23f0f4bf365544c2d0383077751587b8eb72d8d47fe8c0712597cbd9e881fbc09f81701a8bbea89e00e0b5c6561d9df1459b317cfe3b21b89e8d44f70

\Windows\system\qmLEylZ.exe

MD5 e5f30c4046e37fc3cf603ca9c9edb54d
SHA1 2692638f3e2cfddc7c3805261d1626f44042bd32
SHA256 2b59227ab3e60c7c7f21bf8e48b412845cd47e4f826f81235212217644d56510
SHA512 9e338f1129f12aff92832394aa67f1b530678d515d8538474d4afa7ccd52d471642592cc4c9711e07d0f20bc1570674540dfcc2a12c2a367d1dfb8fa9a6e8344

memory/1008-13-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2056-11-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2424-15-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/1008-6-0x000000013F8B0000-0x000000013FC04000-memory.dmp

C:\Windows\system\CulpRoX.exe

MD5 1507cb440086891c82dd289e1072825a
SHA1 0f8ec2b3cd0f2c02920af175229eb79ed58b3197
SHA256 31b681ef1a57dc70825172b38aa097912b6af50efb2d0f2b375afe180a1543f3
SHA512 4c28ba0e2b23d25e977735d44348ee9f3d8022d83763641c59ef7beee49dd58227f711c905f889e82bda38ecc6a92dff5e821b743507ef8f4e393f54d12a2894

\Windows\system\QZUWHSS.exe

MD5 fa8016ae588cd9b18c33e04f8f84e0d2
SHA1 0d6c7d4f9343907dc259325d02c75ec7b4cf9110
SHA256 7d60badbed7387d9b1693758666fb0dc0cdc285b1cd3bb24cf7d3abf454ebfcd
SHA512 fd9539085018dff6ad7823e3f2f87476cc6999420a34ec94a143045641b17e7e29085fc347c784a32d0a9b16bbfd3e8cb941adc00ff7d4129c109ce634a73040

memory/2756-29-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/1008-27-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/1008-20-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2572-23-0x000000013F300000-0x000000013F654000-memory.dmp

C:\Windows\system\rrqZtus.exe

MD5 e7ba8a5b47b01706bff5c0c8ee698c66
SHA1 cb8b18824e76b4f8dd376e9e677d98b4bf9901dc
SHA256 16cb9149db6e718d060b3c586c9701ae3c13af755a7bc770539be41132cbf0ae
SHA512 3d49e981f50d7c3164792e7ec31119d5e8751243998fef0788fdc2f69da89a5f6de13913f45749a032cd12bbd15050aab875c64290e6ca60dde2c364d96f1038

\Windows\system\hilekFY.exe

MD5 7b4736cbde479bf4568888e035e32625
SHA1 db2b87d0820bef7b65a544d14a7c822fb9db393b
SHA256 f2c64cdb9f4813941a05be6c0a7b97172babea0fce553c3ecddf12d4b3fc69fe
SHA512 e7f1ff32c09a9e06a44652db563c9ec48f7613d8e2f322dae3478f0e3d5fc37142ed25a3e947054f0b575f74383d6edc8ead4e49203df4bd065ed4385b86faad

memory/1008-39-0x000000013FFA0000-0x00000001402F4000-memory.dmp

memory/2740-37-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/1008-36-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/1008-41-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/1008-40-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2488-45-0x000000013FFA0000-0x00000001402F4000-memory.dmp

\Windows\system\RblfDVc.exe

MD5 336f4065171d218069b95cfd10f7b62e
SHA1 5ae3662ced1ebea644017f8c4ac7ee80e36b27d7
SHA256 2acd9820745e9742e6ded9625bbe5c231c33d7082be3124ee1eb57f51eb5e4e8
SHA512 ef393d2e1244b79bb61b6f45022b6d15c610a50dd8393290c96db38f0f9872adede5664a5ae79fadff16f5ec321a666ea6e1564405c47b5a561c81f861c4b993

memory/2580-53-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/2056-49-0x000000013F8B0000-0x000000013FC04000-memory.dmp

\Windows\system\xbLkiNZ.exe

MD5 61d67de1638d7ea411458f3498cadf13
SHA1 def0d4b887887b5d1ee6c9031eae86dd3baf488e
SHA256 8da47192788feca6f395f1ba157109b60cb0ce2d1a49459d4408946eeded1436
SHA512 51bf0041f47c3d1bbdb0c9aa5a626abb29d4db9a6135ddabfa09e2ccdefe955dfe40acb0423d21cb7d1e08ccb31f9e4aaf2e55de07c16bc7cb7362019a4fc41f

memory/2424-59-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2496-60-0x000000013FED0000-0x0000000140224000-memory.dmp

\Windows\system\jvQxwEK.exe

MD5 f71a3cce15b821cc5f2e847a6edcc56b
SHA1 372b8ecda31b27e94fcab1e73657ef6d8c81f67e
SHA256 b6c5a4b12d11104317b0d8df62f4af9aa61c2db02cad25c2912432da22e6e2d3
SHA512 0e6a8a55c67b583cf4851b47673ccb0873dfadaf376970696ff678bdb1113e47360d271e51ed2050f87a6ea622866ea512009942d57492870ba0fcec1c47de9a

memory/3016-67-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2572-66-0x000000013F300000-0x000000013F654000-memory.dmp

\Windows\system\SJVcSyg.exe

MD5 59ab2097497cd9fb65e193010aef402b
SHA1 149d8546a0f047efdb5837eb21b76a8134ec272f
SHA256 9bc564c3c80684147d91f1361d77f996425e2569c7dc820411e864b9e7106214
SHA512 ac02aa1a2a215ad7ce979ceb08238c5a46f602062b57f86df6c598abf783e5c04b21d8e345cfa2575157841ed4d1dc31abe072c3dfa473256d1e15eb568d565c

C:\Windows\system\nRCSwSp.exe

MD5 abaaadeb577e7228e3f6d9d08ba6d67b
SHA1 91e56f89e117d443ff1cec984a9be28a1495eacc
SHA256 f9deca587a0f8a2c7cf999334687ce88916be899161cf19dcd83cb9a8710b7e6
SHA512 60ed82ffa8e643a3bc632ee2d20ab069a9fe76a588432d3a6fff2f8bcd5027b54c1b114b0301071ba458eb090c43dccf032fbac68826c2ad0ec44b63f3e37b04

\Windows\system\bBiVbwx.exe

MD5 215e42b083c4e448cecd11b3ca00daa7
SHA1 2a93bf35994c80233b83684d97527530038d2384
SHA256 068288b620a738a3e65ec0677084ef87d9df231f68ab0ce1439b5bc8ca4edb4e
SHA512 38d24587f1f0b8b47f8a60f8bc5926d16973c244b38ff565787f37a4e6fbe3f8ce59710992fc757d651de55e7c54801d1546566e375e0481f86422d413c253b0

memory/2756-82-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/1228-89-0x000000013F960000-0x000000013FCB4000-memory.dmp

memory/2720-88-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/1008-87-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2524-86-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/1008-85-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/1008-84-0x000000013F960000-0x000000013FCB4000-memory.dmp

C:\Windows\system\TekStts.exe

MD5 50bacb4dcd3ce3c401f92e0a08a2facc
SHA1 9f30d499a92a41d1275f38f1eae02913917b5023
SHA256 5379ab893258d88dfbfa96fabe79a3fa31766395eca0b52475cee1f5c538e644
SHA512 516c8623b31c976fe303753249e30d9e2ab0b41e0537c5472308ea158d59a0945b4d8c38ac76d7331f959e4acc258b7cfbf95f087acfa721d30fb31ab099e567

C:\Windows\system\LcFjjlf.exe

MD5 a8a16c96fc5fe98c53b42c38751fff0f
SHA1 b253b583b25f431ccae605f5343d8bdba916e67c
SHA256 096d7f006e93fa4135d688b80e209bfb17840b7356775a996f2433718e0580b3
SHA512 6105a19853655aeae715338befe5a5e1c2fa80bd6a5af316091a537ad8adc489bf9fa17488f8a2eee416b6b5b9f623d534f05ab13121224b8b0cfe3f9151e542

C:\Windows\system\qZKfDjA.exe

MD5 2aee9922cb20dbb8bf9dacc28ebac99d
SHA1 a796341b2876cffe95b6bc9029f77dfb089f0543
SHA256 f49a9984ad3c3c5e4f5efabe984a5b077c02a013cc0a9b1413694fc68f96e734
SHA512 3efefa571160209f10b029ae029d4438891118deb190e132116c5a4c64dada5afa796a92237c9c84f9cec8277017d72c614b850f83de2037122cb32311b3da40

C:\Windows\system\rcnvBuC.exe

MD5 6155add31e2340b06bec8b50c85a4972
SHA1 4a1762fbc632e5f8b6e65c1d84087a71a102c5fe
SHA256 cd1b65d147cd07c6ef18300323f70904418a93401ca8a7c2b5fbbd8843d5828b
SHA512 5e9b35f8595df42565ac7218237ee8ec90693d9d77a23ed8da9840920d200f9391b414e4f6fad37663172da60083780410c82e55237f604ebd61c890376e6846

memory/1412-122-0x000000013F410000-0x000000013F764000-memory.dmp

\Windows\system\KJQxfBX.exe

MD5 846489f1092fc18c26b69e4484755562
SHA1 bc23159da14e385a186d1f07509cb95627e1efdf
SHA256 226a5998f559d7ee607c9b6941447389ed5df919858a02fee6edbaedbfbcd224
SHA512 e731039723baf7286243bd0ebcc73cadf1c68ffebd86c36eef4503ceb5f55a577e11047043a037fbc7a2c6f0622352a001b226d4b381662540aee150a5f9d593

C:\Windows\system\YpwNqvd.exe

MD5 f88ee1966b7abdfdd355cf3b1103baf4
SHA1 7098673e540499f1295d0fb291885e657b881774
SHA256 ef4f772a5d4e39cc3d1cf6309e8f1ac702bd150c11c7b6ceeab84d1668470223
SHA512 f62c459fa7f9efbef4f719bfecf148b564de52aed90ef6e6f915ee4e3b48d3fed26c78fa3eb7262b0fa8aa8c2d40c1ce0e765b996e98bb83244b101efb1a6c92

memory/1008-100-0x000000013F960000-0x000000013FCB4000-memory.dmp

\Windows\system\OAUJTME.exe

MD5 95cf2eab1180b7b7e8093b7cf8937191
SHA1 c278a880c69a264291e6836d4839bdb9d3e0f70a
SHA256 9363a33641b7684e139b9419a28df141f00819a1a393edcbc4fbb8111c72765a
SHA512 cec6480a82b8b350c4d245555798caa9203be277614ff1f56c4f06a7034440d9001cdc81107f357265d14744dff27dbf8176ed420b4e20fae0390955c5124caa

C:\Windows\system\lmXjgip.exe

MD5 ade61fe7f5cf9c366723389dfeed1658
SHA1 24e35097518400222df58ed967a38ecb07c42f40
SHA256 3c915ae6e450793c767dbd13db1778280f86c063da61772c072a7b9a95bffe88
SHA512 1d7ed4c46b05901b2e16cfa992b9260ed415e6ee5d0a66e51552d678d686a92d2488d3bf5a39a33ed059e8ab136a8f37970dd22964ead06e18db5a76917a8bae

C:\Windows\system\xeeFdcK.exe

MD5 3fe60a864a3070ccebd44fba0cadfffe
SHA1 d5335030664a41a653a5ead530d5f6fb618e4a8b
SHA256 018d461c30224bf74475976d7dc27bcbbece166d3e66e6a11a8728a624de9d9b
SHA512 691ef5e547df395651df9ca13976764edb12a25ec6be296616360712b1b9d18275fb8731dbdfbfccd4877477f1992bbe5a27090aad5aa469d2cc39ed040a603a

memory/2568-106-0x000000013F960000-0x000000013FCB4000-memory.dmp

memory/2488-137-0x000000013FFA0000-0x00000001402F4000-memory.dmp

memory/1008-138-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/1008-139-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/1008-140-0x000000013F960000-0x000000013FCB4000-memory.dmp

memory/2568-141-0x000000013F960000-0x000000013FCB4000-memory.dmp

memory/2056-142-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2424-143-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2756-144-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2740-145-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/2572-146-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2488-147-0x000000013FFA0000-0x00000001402F4000-memory.dmp

memory/2580-148-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/2496-149-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/3016-150-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2524-152-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/1228-151-0x000000013F960000-0x000000013FCB4000-memory.dmp

memory/2720-153-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/1412-154-0x000000013F410000-0x000000013F764000-memory.dmp

memory/2568-155-0x000000013F960000-0x000000013FCB4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 11:15

Reported

2024-06-01 11:18

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 hits, no indicator details reported)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 hits, no indicator details reported)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 hits, no indicator details reported)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 hits, no indicator details reported)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 hits, no indicator details reported)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ixhccaX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fHzjIwO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oxOIeAf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mgisGEl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\POnqRby.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mqsJShq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lpfzfsn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yKEtlHl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bBaCvNP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zXgFtaW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YhjrxWx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lJvGUUw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\guQqpEY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XbeFDaT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pQRWUmN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OPvgJQs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XDyMDvD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fBkOkBp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UAHWCFO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MEqwKpQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MewzzJe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\mqsJShq.exe
PID 3012 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\mqsJShq.exe
PID 3012 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\XDyMDvD.exe
PID 3012 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\XDyMDvD.exe
PID 3012 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\MewzzJe.exe
PID 3012 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\MewzzJe.exe
PID 3012 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\YhjrxWx.exe
PID 3012 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\YhjrxWx.exe
PID 3012 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\fBkOkBp.exe
PID 3012 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\fBkOkBp.exe
PID 3012 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\lJvGUUw.exe
PID 3012 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\lJvGUUw.exe
PID 3012 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\lpfzfsn.exe
PID 3012 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\lpfzfsn.exe
PID 3012 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ixhccaX.exe
PID 3012 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ixhccaX.exe
PID 3012 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\fHzjIwO.exe
PID 3012 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\fHzjIwO.exe
PID 3012 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\yKEtlHl.exe
PID 3012 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\yKEtlHl.exe
PID 3012 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\oxOIeAf.exe
PID 3012 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\oxOIeAf.exe
PID 3012 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\bBaCvNP.exe
PID 3012 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\bBaCvNP.exe
PID 3012 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\guQqpEY.exe
PID 3012 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\guQqpEY.exe
PID 3012 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\UAHWCFO.exe
PID 3012 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\UAHWCFO.exe
PID 3012 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\MEqwKpQ.exe
PID 3012 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\MEqwKpQ.exe
PID 3012 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\mgisGEl.exe
PID 3012 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\mgisGEl.exe
PID 3012 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\XbeFDaT.exe
PID 3012 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\XbeFDaT.exe
PID 3012 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\zXgFtaW.exe
PID 3012 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\zXgFtaW.exe
PID 3012 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\pQRWUmN.exe
PID 3012 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\pQRWUmN.exe
PID 3012 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\POnqRby.exe
PID 3012 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\POnqRby.exe
PID 3012 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\OPvgJQs.exe
PID 3012 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe C:\Windows\System\OPvgJQs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\mqsJShq.exe

C:\Windows\System\mqsJShq.exe

C:\Windows\System\XDyMDvD.exe

C:\Windows\System\XDyMDvD.exe

C:\Windows\System\MewzzJe.exe

C:\Windows\System\MewzzJe.exe

C:\Windows\System\YhjrxWx.exe

C:\Windows\System\YhjrxWx.exe

C:\Windows\System\fBkOkBp.exe

C:\Windows\System\fBkOkBp.exe

C:\Windows\System\lJvGUUw.exe

C:\Windows\System\lJvGUUw.exe

C:\Windows\System\lpfzfsn.exe

C:\Windows\System\lpfzfsn.exe

C:\Windows\System\ixhccaX.exe

C:\Windows\System\ixhccaX.exe

C:\Windows\System\fHzjIwO.exe

C:\Windows\System\fHzjIwO.exe

C:\Windows\System\yKEtlHl.exe

C:\Windows\System\yKEtlHl.exe

C:\Windows\System\oxOIeAf.exe

C:\Windows\System\oxOIeAf.exe

C:\Windows\System\bBaCvNP.exe

C:\Windows\System\bBaCvNP.exe

C:\Windows\System\guQqpEY.exe

C:\Windows\System\guQqpEY.exe

C:\Windows\System\UAHWCFO.exe

C:\Windows\System\UAHWCFO.exe

C:\Windows\System\MEqwKpQ.exe

C:\Windows\System\MEqwKpQ.exe

C:\Windows\System\mgisGEl.exe

C:\Windows\System\mgisGEl.exe

C:\Windows\System\XbeFDaT.exe

C:\Windows\System\XbeFDaT.exe

C:\Windows\System\zXgFtaW.exe

C:\Windows\System\zXgFtaW.exe

C:\Windows\System\pQRWUmN.exe

C:\Windows\System\pQRWUmN.exe

C:\Windows\System\POnqRby.exe

C:\Windows\System\POnqRby.exe

C:\Windows\System\OPvgJQs.exe

C:\Windows\System\OPvgJQs.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/3012-0-0x00007FF75C5B0000-0x00007FF75C904000-memory.dmp

memory/3012-1-0x000001F239A80000-0x000001F239A90000-memory.dmp

C:\Windows\System\mqsJShq.exe

MD5 159b4631d4db5b30bf1228f6c22cf562
SHA1 a8e7f634caa6054be7f6103e38a7bc826e607603
SHA256 47be5d27a4a5b8c4c2575a41de9942daac2a31987a326538806805ae1e0fb54d
SHA512 875a7ef4a4fe834aa69ac690c0c130525cef4b0d3511107c16c82c5aa796c71a4ceca75341539e71ca50ba4b991fc243db5742f74a509a5757a365483e3b2ee1

C:\Windows\System\MewzzJe.exe

MD5 d79081e737bb461f4a1499cd1ed71ff0
SHA1 33a78067ed5f33c00905205f50bb1b86b0fb3110
SHA256 a02a5749aa327ffa0935cc2ad68cad2ccaee3f93f69fefbf5a18eeb5b6570ecc
SHA512 4cbe3be574fa668faae4e577907e34a10031e3c9fbe0364a847fe398cfe612bf59c328ba557de5dcb288dd059be37b82a23d205ccc92f605db821bc1ad4f4058

memory/4732-10-0x00007FF6935B0000-0x00007FF693904000-memory.dmp

C:\Windows\System\XDyMDvD.exe

MD5 504be61bf1f0e7d86a468f3608c630ad
SHA1 4d9489c03abebc09a4779743c79dc957c24d90e3
SHA256 89c8d0ec0fe2214e95c8529a44e6d25ea9e614069f0bf9702e19eb33428bae78
SHA512 2cd4f5526faef9d76b5e65768925daf4ccec4fd0c33e5445a1b26534fd59032f7b13557d8b80afbab22783a7a3ac60f3dc3951283987703abc772acf19bfc724

memory/704-26-0x00007FF762D90000-0x00007FF7630E4000-memory.dmp

C:\Windows\System\fBkOkBp.exe

MD5 c97ea841a516f4547278886450b8f680
SHA1 3d87c8b1d1fa5384d64be430655f2472f81652c6
SHA256 2c40fd2cd06da8a160301c5308ef5fe70ed6468d835a4f4c163f6f3ac66f4fee
SHA512 39fdf4a21a5b11bb4b818b305b7828575e3974847ea453dece40e1aaaadb7bc76f4dd54cfa6a2f802d319b39e7cb5724ca8381aa916e72edfddbecb10b1702e9

C:\Windows\System\lJvGUUw.exe

MD5 1ffe0c0178e395c24eb3fe5a79ed53d0
SHA1 d2bc794ebb593bdcb9f17065c046bcc0218a5698
SHA256 e6b7df6ec39a988c665e4ce2f0a8281369b35b8826702cf88c7d3f9890035336
SHA512 9d7daadeb8690d318982b7febbe0b737574a147a8df57cdf17e8a1797e394e542e5c60ffe57728c3f38e0c8d7ccc6be713cd1b939c0d3b00300e98860f9e4a4b

memory/2864-42-0x00007FF7C5A40000-0x00007FF7C5D94000-memory.dmp

memory/4640-43-0x00007FF74FAC0000-0x00007FF74FE14000-memory.dmp

memory/2768-44-0x00007FF7932B0000-0x00007FF793604000-memory.dmp

C:\Windows\System\lpfzfsn.exe

MD5 71328457c40c91b62889cd9883b12e70
SHA1 7d368844dc540ea15d0712db5aad638448eba728
SHA256 80747fbd9c1c5e320478611b0b541d88045029ab26094cbe7ed4deb6a2857567
SHA512 225408137cd716ad70c6e9e9cfb13c7ac1f26b7289095b3de8dbd1d9a7987b158b5e62bb2958d454530ceb6ac9f7291c233c61bd30aaf91da1bca748837194e7

C:\Windows\System\YhjrxWx.exe

MD5 b3e129d4fbd16cc455dd8acd1fcdf75f
SHA1 7b1c7ae6116dcd86cc157c285d579b309a6ece17
SHA256 d6b5c97d65cc143cff68b800f8ce0abc69a4b936c6c2618efa3cf66b77c383de
SHA512 b5f57b28a55f7d0f37ff35e5133d03e3d0dd3c09fff80f042e1b363d43fb43a7c303dbeaa6deb6e47a66500c3a4d0aab21c5713b76a956114c2ae27e453bf717

memory/3472-25-0x00007FF776C50000-0x00007FF776FA4000-memory.dmp

memory/772-17-0x00007FF6A5B00000-0x00007FF6A5E54000-memory.dmp

C:\Windows\System\ixhccaX.exe

MD5 cc46baa045e185f1aa930944da08a451
SHA1 15ce5b86d5786579e106198313d5ed597497ad81
SHA256 25e80aad341b89fed6415485d154af95c799a45eb938f309d911fc0ba3a22158
SHA512 ebe962866a936ca375ec778e8204a781a01fa252daf1b49a3bcb995d36791583de4320997a34e07f587236e216b2cc717a95533fbb5704c6105d2e640abb1854

memory/4560-49-0x00007FF67B970000-0x00007FF67BCC4000-memory.dmp

C:\Windows\System\fHzjIwO.exe

MD5 47c276590b77321de38c096be2b1c27d
SHA1 fecd0f3e7ca8ab6bf8ab665f07e66ee91c0e2d8f
SHA256 59bd43e6e4a9ada5993a417758cac768daaf5d85d738770c8509f1828a7c8239
SHA512 38910f44a2818686119bb42af8192a71cbdd1d4b9c492438da43c697e5e6602adeb3439feb466cbc76d10260700b17516f567296d256991cf3de1d327dabc4a1

C:\Windows\System\oxOIeAf.exe

MD5 4abd022244a285f8246722b36525342a
SHA1 1ef9d33db0de98de213001e899f18ac28ecb10e2
SHA256 1f0fa77f22d85d59eba993d61d01ebb2da08341bc7162d5edf8987afd6764554
SHA512 7c4317858eea218ab5f45aef6f993067dcd049318e9a7b7a15e5fff71f88d12dd471010992ce50cf6d1be5563a14ee6cf47da9fa08aa9fdc1cc6fd2d4a8e8b3a

memory/332-72-0x00007FF611EF0000-0x00007FF612244000-memory.dmp

C:\Windows\System\UAHWCFO.exe

MD5 e45c5eebd2c20441baae1c992afab714
SHA1 3f0e303d7a493189a10f78e579e2e0ea4e39d486
SHA256 87973bb6e942f38042d57f8a63c8a398869fc18ca8c1acb92493f1cf7ad10e04
SHA512 bbfd8a381ea7cc03301fddf2b0585166afd25187c706e9860d5f094570767b46da4ed52bac31b1932b9d84ed359c64b043a3c9abf07d92db121dcb9f27d20510

C:\Windows\System\guQqpEY.exe

MD5 7f040dc04b9577154970cfe253c262dd
SHA1 eab6efe204d35858ebb5fc661593cee7bcd93f9a
SHA256 84d29fb9154b7130b101eccde698a509277f6df39d797eb6aaeb2e34250e9a67
SHA512 4d8ce1e438ca6cc7e6afb69745868a6095b74cb18fc9854ae6c575a362e035ee95a6022cdc8d2f69ed091a1b43c1ed1dd799c7b8c4bd99f305f65904ca3d4cc7

C:\Windows\System\bBaCvNP.exe

MD5 c4ea0246c23b06a58dfd8fe098c493f3
SHA1 7c89fdee6a9caccb48eba2f53fa8d34aeddb3cf9
SHA256 7af9416e8fa2f441d99c38043c4b6480e9aba868d81346fe9249ee46e4ea78c7
SHA512 9510ebd538fe1d2508b0598e30767ab2bc6f446f75dfc842ce5dbb9fe7ca1b264f278656945daa3d63b81e6f7d6567bd71703ff31b4937c33f8af83b50825563

memory/2916-75-0x00007FF70F640000-0x00007FF70F994000-memory.dmp

memory/2452-67-0x00007FF6413D0000-0x00007FF641724000-memory.dmp

C:\Windows\System\yKEtlHl.exe

MD5 8f5d434d12cd6e5539466c9b570f04bf
SHA1 f115cf39fe26c69483c8a41b6508178c261f5d33
SHA256 5304e3a9e0b8ef0846823dedfeea5bf73f5a17c7495db65f70a44f0c526c6930
SHA512 0285a9c4c8a4a59c4a6e910d06868855493f4d07f8a6aca1f0be23b5f934b230de961bbe65509fc698b18079653b16e01c2bbedb116fe0f3895ca2c8f6229423

memory/3136-58-0x00007FF7E2120000-0x00007FF7E2474000-memory.dmp

C:\Windows\System\MEqwKpQ.exe

MD5 ccf9e00cad25411b3a6de8fe28950fb3
SHA1 90f52377e5354081e8219c688ee11c7bc9bdab76
SHA256 7911f646a0d8b265c99e707bbac6ab2eb159f412a8ebbf3a8ddff160e3363ce4
SHA512 a56e713de921ac927b87ccc10d8952ae60b47ecf67abe4814abb63220fc7ee9b97d8e5326d8b721d157672427775259d0caa26958ce17624bd96e672e4875491

memory/3012-85-0x00007FF75C5B0000-0x00007FF75C904000-memory.dmp

memory/3204-95-0x00007FF68B1B0000-0x00007FF68B504000-memory.dmp

memory/4628-94-0x00007FF6AC450000-0x00007FF6AC7A4000-memory.dmp

memory/4812-99-0x00007FF6326F0000-0x00007FF632A44000-memory.dmp

memory/4500-106-0x00007FF7C5890000-0x00007FF7C5BE4000-memory.dmp

memory/772-108-0x00007FF6A5B00000-0x00007FF6A5E54000-memory.dmp

C:\Windows\System\pQRWUmN.exe

MD5 0542f0b7b6c7ba8dd9b8198ae698145c
SHA1 aaf495faa0cbe881bcf5013c991e1370ebe05f67
SHA256 c681ae9cdd1d1ff4a38c59312826b46f6c21672d80c40f3c40458b1409736fba
SHA512 89ba08606494b36537144e182c1479efc6187525413bdf45fc91c5064923c9fec4aeb03059bff27f62bfe6d6a581cb54a938ba2122d29f74198de1ef1d8076dc

C:\Windows\System\zXgFtaW.exe

MD5 c6f72796e5376ffd9aa42666720090b7
SHA1 3bcf254c005afd1a1d9fca9f592bd3f61c430c98
SHA256 d9ae8f529853ece58c4e258fc8ceba868c8f4b73df9e6ad864c0947e1c016394
SHA512 b1e8246656c370bc688948f0a944d79dd98725c9baa509a8d5a795d68243b97ac755bfd696437af90c8d537b10d3e772778272d3f83a01e27e1cbf6e7242cf9e

C:\Windows\System\XbeFDaT.exe

MD5 12e1889325a2744e9aeb5abef58dfc3a
SHA1 05692d02224e1218e3209d63ee4b051158ae59bf
SHA256 7ae60596b80724ebfe03c56e2546f56dec857c09ea0628e9330c878037427347
SHA512 0dd0dbba5b680852074289f6305fea6641234cec6f4f0b4f45cee2e18cea0ef2231df2d2fefd48c30c54c9e441a8f7e838e6131bfee3b7a86f0afe800f78dd30

memory/4440-111-0x00007FF7958E0000-0x00007FF795C34000-memory.dmp

memory/1372-107-0x00007FF743C80000-0x00007FF743FD4000-memory.dmp

C:\Windows\System\mgisGEl.exe

MD5 dfb6dacc52ef46e57c6dea3f52e54060
SHA1 dec83730afa24a8c60e199d9f325d04be22e9250
SHA256 3be516d8c7446fd420e75e3894371a85a670746d7b8cf3a1ad85dcc7118ec158
SHA512 1f4b5ff61065fbc6c66dd011ec994f9acbf247ad316d61ec21d37c369c20f56d4488877a0d1a1c0501488abe4efc435e3b5e5ebc518ae2c82baecfc511c0a902

memory/3472-98-0x00007FF776C50000-0x00007FF776FA4000-memory.dmp

memory/704-122-0x00007FF762D90000-0x00007FF7630E4000-memory.dmp

memory/4076-126-0x00007FF6460C0000-0x00007FF646414000-memory.dmp

memory/3476-130-0x00007FF755210000-0x00007FF755564000-memory.dmp

C:\Windows\System\POnqRby.exe

MD5 c19b8612d700f95a34f4f303e42a48ff
SHA1 5d89e8662c024984f4e33bc8aa46ea0efeb9e492
SHA256 fdc05bd7e318d49a967a3e669b50a4cddfa168039806575b253e722e5699307e
SHA512 7396b7a2751e9e951c6bca179734a5643b7ec8f8a67a91e2a7ec93707287d49401d8cebb7b98170c657efd3cd2cbc725f436f4dff9f6ae2e320462958bb75c8f

memory/1388-131-0x00007FF752590000-0x00007FF7528E4000-memory.dmp

C:\Windows\System\OPvgJQs.exe

MD5 94864e60242c5f883133df101fd31dfc
SHA1 09bb289a7c2b35d9c6da85ac7f7b8c3edda380aa
SHA256 3a050ec9586dedeb3d6fe93c0e877d402bf3612cb239ab8136757c2005c0b72e
SHA512 9c7ff7d185d234fd0b522e9b77426b391a20394e492b8730feb29444cfa0c41ab2f2b8674c397413bb8a441b1337f451e3b58f65a8500089a80cff2bc6f5b012

memory/4560-132-0x00007FF67B970000-0x00007FF67BCC4000-memory.dmp

memory/3136-133-0x00007FF7E2120000-0x00007FF7E2474000-memory.dmp

memory/2916-134-0x00007FF70F640000-0x00007FF70F994000-memory.dmp

memory/4500-135-0x00007FF7C5890000-0x00007FF7C5BE4000-memory.dmp

memory/1372-136-0x00007FF743C80000-0x00007FF743FD4000-memory.dmp

memory/4440-137-0x00007FF7958E0000-0x00007FF795C34000-memory.dmp

memory/4732-138-0x00007FF6935B0000-0x00007FF693904000-memory.dmp

memory/772-139-0x00007FF6A5B00000-0x00007FF6A5E54000-memory.dmp

memory/3472-140-0x00007FF776C50000-0x00007FF776FA4000-memory.dmp

memory/704-141-0x00007FF762D90000-0x00007FF7630E4000-memory.dmp

memory/2864-142-0x00007FF7C5A40000-0x00007FF7C5D94000-memory.dmp

memory/2768-144-0x00007FF7932B0000-0x00007FF793604000-memory.dmp

memory/4640-143-0x00007FF74FAC0000-0x00007FF74FE14000-memory.dmp

memory/4560-145-0x00007FF67B970000-0x00007FF67BCC4000-memory.dmp

memory/3136-146-0x00007FF7E2120000-0x00007FF7E2474000-memory.dmp

memory/332-147-0x00007FF611EF0000-0x00007FF612244000-memory.dmp

memory/2452-148-0x00007FF6413D0000-0x00007FF641724000-memory.dmp

memory/4628-149-0x00007FF6AC450000-0x00007FF6AC7A4000-memory.dmp

memory/3204-150-0x00007FF68B1B0000-0x00007FF68B504000-memory.dmp

memory/2916-151-0x00007FF70F640000-0x00007FF70F994000-memory.dmp

memory/4500-152-0x00007FF7C5890000-0x00007FF7C5BE4000-memory.dmp

memory/4812-153-0x00007FF6326F0000-0x00007FF632A44000-memory.dmp

memory/1372-155-0x00007FF743C80000-0x00007FF743FD4000-memory.dmp

memory/4440-154-0x00007FF7958E0000-0x00007FF795C34000-memory.dmp

memory/4076-156-0x00007FF6460C0000-0x00007FF646414000-memory.dmp

memory/3476-157-0x00007FF755210000-0x00007FF755564000-memory.dmp

memory/1388-158-0x00007FF752590000-0x00007FF7528E4000-memory.dmp