Malware Analysis Report

2025-01-22 19:44

Sample ID 240601-pbad1aca3s
Target 2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike
SHA256 40510a75a9cb01b2cf72a4ec4bc437dc455f7fa67fb534cc011975241840e02e
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

40510a75a9cb01b2cf72a4ec4bc437dc455f7fa67fb534cc011975241840e02e

Threat Level: Known bad

The file 2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike

xmrig

Cobalt Strike reflective loader

Xmrig family

Cobaltstrike family

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 12:08

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 12:08

Reported

2024-06-01 12:11

Platform

win7-20240215-en

Max time kernel

137s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (60 identical rows)

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A (63 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A (60 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\idFLJlY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JLsKKnQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xNsNXUX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pUcciAt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\itvHcOO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bjNoXBQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PCeFmvM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AizYGnN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zGIfmDV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\avxWIFS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rkPWgyN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DelGpqv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HTdPfks.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KlveNKr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MsOPVTE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qKMhHjP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XMxEEvT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UyqApMd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gZsRrqd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OEvGSKS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wGUNhqK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\qKMhHjP.exe
PID 2740 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\qKMhHjP.exe
PID 2740 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\qKMhHjP.exe
PID 2740 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\avxWIFS.exe
PID 2740 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\avxWIFS.exe
PID 2740 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\avxWIFS.exe
PID 2740 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\idFLJlY.exe
PID 2740 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\idFLJlY.exe
PID 2740 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\idFLJlY.exe
PID 2740 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\itvHcOO.exe
PID 2740 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\itvHcOO.exe
PID 2740 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\itvHcOO.exe
PID 2740 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\XMxEEvT.exe
PID 2740 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\XMxEEvT.exe
PID 2740 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\XMxEEvT.exe
PID 2740 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\rkPWgyN.exe
PID 2740 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\rkPWgyN.exe
PID 2740 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\rkPWgyN.exe
PID 2740 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\bjNoXBQ.exe
PID 2740 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\bjNoXBQ.exe
PID 2740 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\bjNoXBQ.exe
PID 2740 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLsKKnQ.exe
PID 2740 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLsKKnQ.exe
PID 2740 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLsKKnQ.exe
PID 2740 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\DelGpqv.exe
PID 2740 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\DelGpqv.exe
PID 2740 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\DelGpqv.exe
PID 2740 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCeFmvM.exe
PID 2740 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCeFmvM.exe
PID 2740 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCeFmvM.exe
PID 2740 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HTdPfks.exe
PID 2740 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HTdPfks.exe
PID 2740 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HTdPfks.exe
PID 2740 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\UyqApMd.exe
PID 2740 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\UyqApMd.exe
PID 2740 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\UyqApMd.exe
PID 2740 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\xNsNXUX.exe
PID 2740 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\xNsNXUX.exe
PID 2740 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\xNsNXUX.exe
PID 2740 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\pUcciAt.exe
PID 2740 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\pUcciAt.exe
PID 2740 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\pUcciAt.exe
PID 2740 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\gZsRrqd.exe
PID 2740 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\gZsRrqd.exe
PID 2740 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\gZsRrqd.exe
PID 2740 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\AizYGnN.exe
PID 2740 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\AizYGnN.exe
PID 2740 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\AizYGnN.exe
PID 2740 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OEvGSKS.exe
PID 2740 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OEvGSKS.exe
PID 2740 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OEvGSKS.exe
PID 2740 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\wGUNhqK.exe
PID 2740 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\wGUNhqK.exe
PID 2740 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\wGUNhqK.exe
PID 2740 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\KlveNKr.exe
PID 2740 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\KlveNKr.exe
PID 2740 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\KlveNKr.exe
PID 2740 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zGIfmDV.exe
PID 2740 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zGIfmDV.exe
PID 2740 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zGIfmDV.exe
PID 2740 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MsOPVTE.exe
PID 2740 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MsOPVTE.exe
PID 2740 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MsOPVTE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\qKMhHjP.exe

C:\Windows\System\qKMhHjP.exe

C:\Windows\System\avxWIFS.exe

C:\Windows\System\avxWIFS.exe

C:\Windows\System\idFLJlY.exe

C:\Windows\System\idFLJlY.exe

C:\Windows\System\itvHcOO.exe

C:\Windows\System\itvHcOO.exe

C:\Windows\System\XMxEEvT.exe

C:\Windows\System\XMxEEvT.exe

C:\Windows\System\rkPWgyN.exe

C:\Windows\System\rkPWgyN.exe

C:\Windows\System\bjNoXBQ.exe

C:\Windows\System\bjNoXBQ.exe

C:\Windows\System\JLsKKnQ.exe

C:\Windows\System\JLsKKnQ.exe

C:\Windows\System\DelGpqv.exe

C:\Windows\System\DelGpqv.exe

C:\Windows\System\PCeFmvM.exe

C:\Windows\System\PCeFmvM.exe

C:\Windows\System\HTdPfks.exe

C:\Windows\System\HTdPfks.exe

C:\Windows\System\UyqApMd.exe

C:\Windows\System\UyqApMd.exe

C:\Windows\System\xNsNXUX.exe

C:\Windows\System\xNsNXUX.exe

C:\Windows\System\pUcciAt.exe

C:\Windows\System\pUcciAt.exe

C:\Windows\System\gZsRrqd.exe

C:\Windows\System\gZsRrqd.exe

C:\Windows\System\AizYGnN.exe

C:\Windows\System\AizYGnN.exe

C:\Windows\System\OEvGSKS.exe

C:\Windows\System\OEvGSKS.exe

C:\Windows\System\wGUNhqK.exe

C:\Windows\System\wGUNhqK.exe

C:\Windows\System\KlveNKr.exe

C:\Windows\System\KlveNKr.exe

C:\Windows\System\zGIfmDV.exe

C:\Windows\System\zGIfmDV.exe

C:\Windows\System\MsOPVTE.exe

C:\Windows\System\MsOPVTE.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical rows)

Files

memory/2740-0-0x000000013F6F0000-0x000000013FA44000-memory.dmp

memory/2740-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\qKMhHjP.exe

MD5 53ab52e941c6b3612e2a22cf1c82182d
SHA1 c2f4596988dac356ebc33c9db8036b5d1cc84f6c
SHA256 d857ed5b6c581560b12d94b17ef61b1591c2841aa16d7d341445c1972a99d444
SHA512 801153158fb7a176da56fa1450f04ff106c2466983a18b10eec5df29fd5a7dbe2bc495581b78e5f9c95507a47b66e451a1dbfd3762559202cd413055fbbfcf68

memory/2204-9-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/2740-7-0x000000013FE80000-0x00000001401D4000-memory.dmp

\Windows\system\avxWIFS.exe

MD5 cc0450ccae7c8310a7bd9f47bbc5c07d
SHA1 964cda55cffed8ca8cec5c27c11eccb8cdcf9c75
SHA256 8c56a4836d74624ea418170398fa26b349e120b57250fc6a8b7d473f2daafac1
SHA512 f3e40fcfec9e06e495711b341ea6ad4501212dc2241225eb41f619d9ce02c1b60c7739858209ba9286e6eab8ae9c870a9d4f8086cc3979c2d4fd947eb6398720

\Windows\system\itvHcOO.exe

MD5 63387ccd32b6f59dcaa5edc431faba6e
SHA1 f5c7b3eaf256751ee5d4f172dcb2e4a1330f5733
SHA256 e4be1179bd6385c6c1594d5dcf0fe374be0b5b05ea11404f75afbb2debbfb64f
SHA512 f49989426052934e49f27f1fa0ba7bb7a105071a6b4b243130c78d647508bdb72b80e3bcb6b402945f505ef208f95446f6db6e55ddb42375115ec723d9f7c481

C:\Windows\system\rkPWgyN.exe

MD5 8a80506278bd1b39925a867e157fdeda
SHA1 ecdb4fb8e7060fec68f32f495842464761224629
SHA256 bad291ef3ed6c5bc820b3a99a283f4504d837f8769e911d23235aa73d30e5fe5
SHA512 42cc396d4242130591a8ccd36cdb22733b4ed3f6d347e0ffd282e773b65fca44081ea6255b864ee7d9773d139a876b8a7fe94bcfe10d672ede5a5518a5da67f2

memory/2580-52-0x000000013F350000-0x000000013F6A4000-memory.dmp

C:\Windows\system\UyqApMd.exe

MD5 7fa6d198c297044fce74f852d2e957b8
SHA1 466c6709c1a5825d7ef96a8803853ec6be962cdc
SHA256 da586be30639819ae285cc84a0d0a9e4ec6994bd11265e66b75bd62f6b2c891d
SHA512 5c068be094230ae2c4e451f34fdb8d71b879296ec25406236da301b3e59d3c307b82f13cddeb521181ce98e674c4d10dd13a7b30f579eff7353679e498ba6f0e

memory/2740-68-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/2492-70-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2740-69-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2740-67-0x000000013F150000-0x000000013F4A4000-memory.dmp

memory/2740-66-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/2740-64-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2640-93-0x000000013F1B0000-0x000000013F504000-memory.dmp

C:\Windows\system\AizYGnN.exe

MD5 a4cd4160ac3f10cbce58faa81190b078
SHA1 7f228847deb24ebc55f6f8439a50c9b1b52c388d
SHA256 2732dce179cff590f03331e9dc91dd126d8ada21950a42754cbf06d3e36ed721
SHA512 9022e65f01f3d8f8a86f586b3a7f8a9c49da88d70b96dfb57ad8e994e8105b25cff5088082c4848601f321e197ca6c9c62c058725f2745999812c160405a4482

memory/2740-48-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/2704-85-0x000000013F970000-0x000000013FCC4000-memory.dmp

C:\Windows\system\gZsRrqd.exe

MD5 ccb4ce8829d785665844ea5251d21a42
SHA1 e8e66b2efb2063dd9bc29ff64b68b69a10ddf830
SHA256 02faccfb060e65cd42d8a6c0fe741ebb91d4afff9026d6eb3e655b649f158c70
SHA512 bd9d87529d6b6132da92aafa945afa032580491f7ebaf08e1e9f274a4c8edcd101a659d3a901ab91e18905ad4c990b02eefa2cf3e31f6aa86aa6ec0e1ecc919b

C:\Windows\system\KlveNKr.exe

MD5 aa7e2f827422712012dea5b0bdbd12f2
SHA1 30186a37cf23f119d425b174106d0524146d11fa
SHA256 b37c83e2c70ce5b282bff46991ef75779d6564d2ee6cf4659dba302dd6611f1c
SHA512 0889ffc4cbac45932ff8adbdc49b4ce1eeb861610cffef6508b98e9c66f47d91d957b4a95c4cce0eb196304817078d49706e5ceedf6fe4b8e5d8f4876af6383b

C:\Windows\system\zGIfmDV.exe

MD5 24be2d113308028f4ac9b6ad73ffe203
SHA1 db0fa63e20605b3efa593950c1176fa1197e0525
SHA256 89ee71246ad7f886c30c6640872ec578e762fda753e58a07cb89cc2a1c6da703
SHA512 5d73221f905571a37bd72f11aaed7b9d255b70618437c4d52a075ba4a2a5b63c67653a355ee7b84a039fa19f0a454ad03bdbef2945b1a2ac0cea3b2d4dfb824c

C:\Windows\system\MsOPVTE.exe

MD5 ede06f255b77566129fd6aeca6bab77a
SHA1 0cc177998d9c552b12de60f2d7d0366bb8075e5f
SHA256 e3d90ec284f405c624bb248c7ca487af95eab628bea5c8f83457a24d67869bab
SHA512 5905cd5840c3831b086f1f3cecbc61257ae104408ac0c0eb617e49e878e2637509618e8d23ed3f7f69a2307a7a138bb30a911ef9a8ce8da292831f1952dea419

\Windows\system\OEvGSKS.exe

MD5 1cf58a9f299bf72c6a31e99d35c8f30f
SHA1 e57190e0b0e24368892a211017858756de5aed47
SHA256 489084b42f647571c52f33ea6366a690b6c0a1d212b652511dc6522c0d90f8fe
SHA512 5bf06ba45e77efec2d7a730b408e562f564582ceb6ae6ce021db72a00c78dbfa01e34183cb6c670f4ec6cf807a05919bcabb615ca81609fad508053a8eaa0db7

C:\Windows\system\xNsNXUX.exe

MD5 69dbaedcbf6f3e5a6a6a61e1b01216e1
SHA1 b09030e4846b39a259e780eab29f15dfe44ff2b4
SHA256 5efd6302eb45d01da4e6e9c921d2e1526d982560fbe5cc0e0331a21aa1a81b5d
SHA512 c9d01400ecfcf9864641c57afac1a412d976bbfe77571ecdf0118506db34c29ffe6fb8523d0cb34bf98a1cf41d12fe845fcb4de1aaa925625fecd6ab579f9e94

memory/2740-98-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2940-97-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/2736-96-0x000000013FD30000-0x0000000140084000-memory.dmp

C:\Windows\system\wGUNhqK.exe

MD5 4fe09193f9134427c8b9f7478621e1ce
SHA1 7999afa6dabea86f401a6b0eac3607997e5cc939
SHA256 e34803ee24f6155295113ed8bad1540b119253be4df75b4495d0ff5016272f7b
SHA512 b94eb1055316deeeb69d67dbccee25eae50e68558e2ccd1346062b4e981de9163e2fe88ae9fbb438a890fa784420d2af308ccd3f2fc4c48a46963f053515d510

memory/2764-84-0x000000013F8E0000-0x000000013FC34000-memory.dmp

C:\Windows\system\HTdPfks.exe

MD5 11c2c931972dac404ccd369a1a202ec9
SHA1 82d6770fb9142019314d7739c0acfc7fe8f3ef74
SHA256 040bc3e0d3886a9991c4b01c30c5b350073bbf6d3c10276089ca5401be54def3
SHA512 fdde9241f51cd54d6bf74a4f7e118c4da7a6044366a00dead6b85884efe7b39b9682f12201c818bdfbc4e05a08a67c541fc9e602bf44ab1bd71ce8309c4f3216

C:\Windows\system\DelGpqv.exe

MD5 cb2799ef36242b20728130a860c895e9
SHA1 5220d6148e523d122d3b6f397f6b147812848ca9
SHA256 68be2423a4d28addc077222166bc5b63ba545e4b0875866c9ef79962e4976128
SHA512 b3ae97ed2cccc8ff568968a178df93cab880ba0295a6eb3dd7c13f72fa98455e3d3a3cd4b366a22c6c602a2fe6a3b66af23d71f86eddb8b5c451aa5f8b2e7a4a

memory/2728-80-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2740-79-0x000000013F6F0000-0x000000013FA44000-memory.dmp

C:\Windows\system\bjNoXBQ.exe

MD5 2b2c6147ec409fd4bf057c1fda624d1b
SHA1 be4ef1a15828f4bbfa45ec970d9f7d74fd53716f
SHA256 7f1339971a4fed9c7d1a9a8cda21361b8f096aa8cfb89e76d69969679dbc6020
SHA512 d2f2443d756b187f0eff2ec972271ebddf7c456530766aa2b2be4a86cd99b1437d6a59d54338d25bcf9bc23903ff1a7033f1913c38ec7150055918c5c1121f7a

memory/2700-75-0x000000013F1E0000-0x000000013F534000-memory.dmp

C:\Windows\system\XMxEEvT.exe

MD5 d4d921857da6fa0c5a256e01e4919f43
SHA1 fa5de811c4b8173a4ba379b1c072771c28743d78
SHA256 5519ea79bcec4e7f4d3eef4d7ef68e07920c9022726a26a0f992c6fe2947592c
SHA512 e1514c0a31d21768ec6fc32cc5c2e36611f12a223a5d21f00ed36898ecf4647a4827deb6aa176ae32929d67970b7aaaddd3bc3151707473b9a0322288487bb5f

memory/2740-72-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2720-56-0x000000013F170000-0x000000013F4C4000-memory.dmp

C:\Windows\system\PCeFmvM.exe

MD5 b3cea6430c73846eaaed6567bc7ec7a9
SHA1 722bac165f77f93f5c8d38916ef3d21aa7887907
SHA256 da46dfd2a67a7f8918492a1f14dbd70197958844d170d3df841f1c451a2a854e
SHA512 2c474fe501f10deb00b2f43abb7a11ebac69497fc31f6846a903977ecaf953e1c5405ab99e6b57766185b1e618d318ffaf4c27b5aab3c95d0cfb768f4289b85d

memory/2168-108-0x000000013FD90000-0x00000001400E4000-memory.dmp

C:\Windows\system\JLsKKnQ.exe

MD5 2586085d410e4fc3ad6501de89792f70
SHA1 8a25250bd2a0d18f1d2a883c936bfb76bcee11a9
SHA256 3299a983347e005061cd3a54bdda7d81d82386168e4f8b3ba420c1d07873e90f
SHA512 3888fbfb487447c9c07729ea75c3ef749ee2aa0ce2eace4b4f3ebe51e715e88a4850ddfad68a17cac7bffedff48b0bc1d2c1e67a18b2dcbd7a261e72e6782242

memory/2736-27-0x000000013FD30000-0x0000000140084000-memory.dmp

C:\Windows\system\idFLJlY.exe

MD5 f010df9c2dbe8aebf4d0baa051ba3681
SHA1 5d3e1a405b8eb6798ea8ba5585db4339d10a83a6
SHA256 246225456fff73e373b5ad92beb8e5775a9c493e910e55adec7db1648fe1ba07
SHA512 feba6348948ac1beb8c6db3024eb7456a9a9faacb6d0cd115722dce77afa1862d6d6b8cbef283a5ee033e169afe61784ea45d512b80f07d5de1bb0c7d1e486a8

memory/2624-106-0x000000013F150000-0x000000013F4A4000-memory.dmp

memory/2740-92-0x000000013F1B0000-0x000000013F504000-memory.dmp

C:\Windows\system\pUcciAt.exe

MD5 b5667948f7075a92d855e4ac2aeac966
SHA1 0a376c895dc19c2b4def34778405263fade9810d
SHA256 fceb7ddc1644baca58ce70d3a85b02026c8b927230cab26d72c482e39ace7e2a
SHA512 8cb54c4276c22171df6a571cc72db63c807f8411393d6f22c664d369d9ce48e706677006f642f21bcdad7505f5190950363d33f6807792b4a28f35936d73c2b2

memory/2624-61-0x000000013F150000-0x000000013F4A4000-memory.dmp

memory/2648-43-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2740-35-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2740-33-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2940-31-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/2492-137-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2700-138-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2728-139-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2704-141-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2764-140-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/2740-142-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2740-143-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2168-144-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2204-145-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/2736-147-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2648-146-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2940-148-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/2580-149-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/2720-150-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2624-151-0x000000013F150000-0x000000013F4A4000-memory.dmp

memory/2492-152-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2700-153-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2704-154-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2640-155-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2764-156-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/2728-157-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2168-158-0x000000013FD90000-0x00000001400E4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 12:08

Reported

2024-06-01 12:11

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\rkPWgyN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pUcciAt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gZsRrqd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OEvGSKS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PCeFmvM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KlveNKr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DelGpqv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HTdPfks.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UyqApMd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xNsNXUX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qKMhHjP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\avxWIFS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\idFLJlY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bjNoXBQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wGUNhqK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zGIfmDV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MsOPVTE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\itvHcOO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XMxEEvT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JLsKKnQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AizYGnN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 644 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\qKMhHjP.exe
PID 644 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\qKMhHjP.exe
PID 644 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\avxWIFS.exe
PID 644 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\avxWIFS.exe
PID 644 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\idFLJlY.exe
PID 644 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\idFLJlY.exe
PID 644 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\itvHcOO.exe
PID 644 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\itvHcOO.exe
PID 644 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\XMxEEvT.exe
PID 644 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\XMxEEvT.exe
PID 644 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\rkPWgyN.exe
PID 644 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\rkPWgyN.exe
PID 644 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\bjNoXBQ.exe
PID 644 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\bjNoXBQ.exe
PID 644 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLsKKnQ.exe
PID 644 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLsKKnQ.exe
PID 644 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\DelGpqv.exe
PID 644 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\DelGpqv.exe
PID 644 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCeFmvM.exe
PID 644 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCeFmvM.exe
PID 644 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HTdPfks.exe
PID 644 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HTdPfks.exe
PID 644 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\UyqApMd.exe
PID 644 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\UyqApMd.exe
PID 644 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\xNsNXUX.exe
PID 644 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\xNsNXUX.exe
PID 644 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\pUcciAt.exe
PID 644 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\pUcciAt.exe
PID 644 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\gZsRrqd.exe
PID 644 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\gZsRrqd.exe
PID 644 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\AizYGnN.exe
PID 644 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\AizYGnN.exe
PID 644 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OEvGSKS.exe
PID 644 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OEvGSKS.exe
PID 644 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\wGUNhqK.exe
PID 644 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\wGUNhqK.exe
PID 644 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\KlveNKr.exe
PID 644 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\KlveNKr.exe
PID 644 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zGIfmDV.exe
PID 644 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zGIfmDV.exe
PID 644 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MsOPVTE.exe
PID 644 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MsOPVTE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\qKMhHjP.exe

C:\Windows\System\qKMhHjP.exe

C:\Windows\System\avxWIFS.exe

C:\Windows\System\avxWIFS.exe

C:\Windows\System\idFLJlY.exe

C:\Windows\System\idFLJlY.exe

C:\Windows\System\itvHcOO.exe

C:\Windows\System\itvHcOO.exe

C:\Windows\System\XMxEEvT.exe

C:\Windows\System\XMxEEvT.exe

C:\Windows\System\rkPWgyN.exe

C:\Windows\System\rkPWgyN.exe

C:\Windows\System\bjNoXBQ.exe

C:\Windows\System\bjNoXBQ.exe

C:\Windows\System\JLsKKnQ.exe

C:\Windows\System\JLsKKnQ.exe

C:\Windows\System\DelGpqv.exe

C:\Windows\System\DelGpqv.exe

C:\Windows\System\PCeFmvM.exe

C:\Windows\System\PCeFmvM.exe

C:\Windows\System\HTdPfks.exe

C:\Windows\System\HTdPfks.exe

C:\Windows\System\UyqApMd.exe

C:\Windows\System\UyqApMd.exe

C:\Windows\System\xNsNXUX.exe

C:\Windows\System\xNsNXUX.exe

C:\Windows\System\pUcciAt.exe

C:\Windows\System\pUcciAt.exe

C:\Windows\System\gZsRrqd.exe

C:\Windows\System\gZsRrqd.exe

C:\Windows\System\AizYGnN.exe

C:\Windows\System\AizYGnN.exe

C:\Windows\System\OEvGSKS.exe

C:\Windows\System\OEvGSKS.exe

C:\Windows\System\wGUNhqK.exe

C:\Windows\System\wGUNhqK.exe

C:\Windows\System\KlveNKr.exe

C:\Windows\System\KlveNKr.exe

C:\Windows\System\zGIfmDV.exe

C:\Windows\System\zGIfmDV.exe

C:\Windows\System\MsOPVTE.exe

C:\Windows\System\MsOPVTE.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 108.116.69.13.in-addr.arpa udp

Files

memory/644-0-0x00007FF663C70000-0x00007FF663FC4000-memory.dmp

memory/644-1-0x000001F9E14C0000-0x000001F9E14D0000-memory.dmp

C:\Windows\System\qKMhHjP.exe

MD5 53ab52e941c6b3612e2a22cf1c82182d
SHA1 c2f4596988dac356ebc33c9db8036b5d1cc84f6c
SHA256 d857ed5b6c581560b12d94b17ef61b1591c2841aa16d7d341445c1972a99d444
SHA512 801153158fb7a176da56fa1450f04ff106c2466983a18b10eec5df29fd5a7dbe2bc495581b78e5f9c95507a47b66e451a1dbfd3762559202cd413055fbbfcf68

memory/1572-8-0x00007FF748160000-0x00007FF7484B4000-memory.dmp

C:\Windows\System\avxWIFS.exe

MD5 cc0450ccae7c8310a7bd9f47bbc5c07d
SHA1 964cda55cffed8ca8cec5c27c11eccb8cdcf9c75
SHA256 8c56a4836d74624ea418170398fa26b349e120b57250fc6a8b7d473f2daafac1
SHA512 f3e40fcfec9e06e495711b341ea6ad4501212dc2241225eb41f619d9ce02c1b60c7739858209ba9286e6eab8ae9c870a9d4f8086cc3979c2d4fd947eb6398720

C:\Windows\System\idFLJlY.exe

MD5 f010df9c2dbe8aebf4d0baa051ba3681
SHA1 5d3e1a405b8eb6798ea8ba5585db4339d10a83a6
SHA256 246225456fff73e373b5ad92beb8e5775a9c493e910e55adec7db1648fe1ba07
SHA512 feba6348948ac1beb8c6db3024eb7456a9a9faacb6d0cd115722dce77afa1862d6d6b8cbef283a5ee033e169afe61784ea45d512b80f07d5de1bb0c7d1e486a8

C:\Windows\System\itvHcOO.exe

MD5 63387ccd32b6f59dcaa5edc431faba6e
SHA1 f5c7b3eaf256751ee5d4f172dcb2e4a1330f5733
SHA256 e4be1179bd6385c6c1594d5dcf0fe374be0b5b05ea11404f75afbb2debbfb64f
SHA512 f49989426052934e49f27f1fa0ba7bb7a105071a6b4b243130c78d647508bdb72b80e3bcb6b402945f505ef208f95446f6db6e55ddb42375115ec723d9f7c481

C:\Windows\System\XMxEEvT.exe

MD5 d4d921857da6fa0c5a256e01e4919f43
SHA1 fa5de811c4b8173a4ba379b1c072771c28743d78
SHA256 5519ea79bcec4e7f4d3eef4d7ef68e07920c9022726a26a0f992c6fe2947592c
SHA512 e1514c0a31d21768ec6fc32cc5c2e36611f12a223a5d21f00ed36898ecf4647a4827deb6aa176ae32929d67970b7aaaddd3bc3151707473b9a0322288487bb5f

C:\Windows\System\bjNoXBQ.exe

MD5 2b2c6147ec409fd4bf057c1fda624d1b
SHA1 be4ef1a15828f4bbfa45ec970d9f7d74fd53716f
SHA256 7f1339971a4fed9c7d1a9a8cda21361b8f096aa8cfb89e76d69969679dbc6020
SHA512 d2f2443d756b187f0eff2ec972271ebddf7c456530766aa2b2be4a86cd99b1437d6a59d54338d25bcf9bc23903ff1a7033f1913c38ec7150055918c5c1121f7a

C:\Windows\System\DelGpqv.exe

MD5 cb2799ef36242b20728130a860c895e9
SHA1 5220d6148e523d122d3b6f397f6b147812848ca9
SHA256 68be2423a4d28addc077222166bc5b63ba545e4b0875866c9ef79962e4976128
SHA512 b3ae97ed2cccc8ff568968a178df93cab880ba0295a6eb3dd7c13f72fa98455e3d3a3cd4b366a22c6c602a2fe6a3b66af23d71f86eddb8b5c451aa5f8b2e7a4a

memory/4952-54-0x00007FF73F160000-0x00007FF73F4B4000-memory.dmp

C:\Windows\System\rkPWgyN.exe

MD5 8a80506278bd1b39925a867e157fdeda
SHA1 ecdb4fb8e7060fec68f32f495842464761224629
SHA256 bad291ef3ed6c5bc820b3a99a283f4504d837f8769e911d23235aa73d30e5fe5
SHA512 42cc396d4242130591a8ccd36cdb22733b4ed3f6d347e0ffd282e773b65fca44081ea6255b864ee7d9773d139a876b8a7fe94bcfe10d672ede5a5518a5da67f2

C:\Windows\System\JLsKKnQ.exe

MD5 2586085d410e4fc3ad6501de89792f70
SHA1 8a25250bd2a0d18f1d2a883c936bfb76bcee11a9
SHA256 3299a983347e005061cd3a54bdda7d81d82386168e4f8b3ba420c1d07873e90f
SHA512 3888fbfb487447c9c07729ea75c3ef749ee2aa0ce2eace4b4f3ebe51e715e88a4850ddfad68a17cac7bffedff48b0bc1d2c1e67a18b2dcbd7a261e72e6782242

memory/2332-49-0x00007FF6826B0000-0x00007FF682A04000-memory.dmp

memory/992-47-0x00007FF6C99F0000-0x00007FF6C9D44000-memory.dmp

memory/2920-41-0x00007FF7BFCB0000-0x00007FF7C0004000-memory.dmp

memory/3240-33-0x00007FF651BA0000-0x00007FF651EF4000-memory.dmp

memory/2408-27-0x00007FF7FB700000-0x00007FF7FBA54000-memory.dmp

memory/3528-19-0x00007FF7932F0000-0x00007FF793644000-memory.dmp

C:\Windows\System\PCeFmvM.exe

MD5 b3cea6430c73846eaaed6567bc7ec7a9
SHA1 722bac165f77f93f5c8d38916ef3d21aa7887907
SHA256 da46dfd2a67a7f8918492a1f14dbd70197958844d170d3df841f1c451a2a854e
SHA512 2c474fe501f10deb00b2f43abb7a11ebac69497fc31f6846a903977ecaf953e1c5405ab99e6b57766185b1e618d318ffaf4c27b5aab3c95d0cfb768f4289b85d

memory/3396-18-0x00007FF7740A0000-0x00007FF7743F4000-memory.dmp

C:\Windows\System\HTdPfks.exe

MD5 11c2c931972dac404ccd369a1a202ec9
SHA1 82d6770fb9142019314d7739c0acfc7fe8f3ef74
SHA256 040bc3e0d3886a9991c4b01c30c5b350073bbf6d3c10276089ca5401be54def3
SHA512 fdde9241f51cd54d6bf74a4f7e118c4da7a6044366a00dead6b85884efe7b39b9682f12201c818bdfbc4e05a08a67c541fc9e602bf44ab1bd71ce8309c4f3216

memory/4416-69-0x00007FF7229C0000-0x00007FF722D14000-memory.dmp

C:\Windows\System\UyqApMd.exe

MD5 7fa6d198c297044fce74f852d2e957b8
SHA1 466c6709c1a5825d7ef96a8803853ec6be962cdc
SHA256 da586be30639819ae285cc84a0d0a9e4ec6994bd11265e66b75bd62f6b2c891d
SHA512 5c068be094230ae2c4e451f34fdb8d71b879296ec25406236da301b3e59d3c307b82f13cddeb521181ce98e674c4d10dd13a7b30f579eff7353679e498ba6f0e

memory/1572-75-0x00007FF748160000-0x00007FF7484B4000-memory.dmp

memory/2964-81-0x00007FF658720000-0x00007FF658A74000-memory.dmp

C:\Windows\System\xNsNXUX.exe

MD5 69dbaedcbf6f3e5a6a6a61e1b01216e1
SHA1 b09030e4846b39a259e780eab29f15dfe44ff2b4
SHA256 5efd6302eb45d01da4e6e9c921d2e1526d982560fbe5cc0e0331a21aa1a81b5d
SHA512 c9d01400ecfcf9864641c57afac1a412d976bbfe77571ecdf0118506db34c29ffe6fb8523d0cb34bf98a1cf41d12fe845fcb4de1aaa925625fecd6ab579f9e94

C:\Windows\System\pUcciAt.exe

MD5 b5667948f7075a92d855e4ac2aeac966
SHA1 0a376c895dc19c2b4def34778405263fade9810d
SHA256 fceb7ddc1644baca58ce70d3a85b02026c8b927230cab26d72c482e39ace7e2a
SHA512 8cb54c4276c22171df6a571cc72db63c807f8411393d6f22c664d369d9ce48e706677006f642f21bcdad7505f5190950363d33f6807792b4a28f35936d73c2b2

C:\Windows\System\gZsRrqd.exe

MD5 ccb4ce8829d785665844ea5251d21a42
SHA1 e8e66b2efb2063dd9bc29ff64b68b69a10ddf830
SHA256 02faccfb060e65cd42d8a6c0fe741ebb91d4afff9026d6eb3e655b649f158c70
SHA512 bd9d87529d6b6132da92aafa945afa032580491f7ebaf08e1e9f274a4c8edcd101a659d3a901ab91e18905ad4c990b02eefa2cf3e31f6aa86aa6ec0e1ecc919b

memory/3964-86-0x00007FF619FF0000-0x00007FF61A344000-memory.dmp

memory/3528-85-0x00007FF7932F0000-0x00007FF793644000-memory.dmp

memory/4392-84-0x00007FF66B920000-0x00007FF66BC74000-memory.dmp

memory/3224-62-0x00007FF62AD00000-0x00007FF62B054000-memory.dmp

memory/644-61-0x00007FF663C70000-0x00007FF663FC4000-memory.dmp

memory/4776-96-0x00007FF7C3D60000-0x00007FF7C40B4000-memory.dmp

memory/3240-95-0x00007FF651BA0000-0x00007FF651EF4000-memory.dmp

memory/2408-94-0x00007FF7FB700000-0x00007FF7FBA54000-memory.dmp

C:\Windows\System\OEvGSKS.exe

MD5 1cf58a9f299bf72c6a31e99d35c8f30f
SHA1 e57190e0b0e24368892a211017858756de5aed47
SHA256 489084b42f647571c52f33ea6366a690b6c0a1d212b652511dc6522c0d90f8fe
SHA512 5bf06ba45e77efec2d7a730b408e562f564582ceb6ae6ce021db72a00c78dbfa01e34183cb6c670f4ec6cf807a05919bcabb615ca81609fad508053a8eaa0db7

C:\Windows\System\AizYGnN.exe

MD5 a4cd4160ac3f10cbce58faa81190b078
SHA1 7f228847deb24ebc55f6f8439a50c9b1b52c388d
SHA256 2732dce179cff590f03331e9dc91dd126d8ada21950a42754cbf06d3e36ed721
SHA512 9022e65f01f3d8f8a86f586b3a7f8a9c49da88d70b96dfb57ad8e994e8105b25cff5088082c4848601f321e197ca6c9c62c058725f2745999812c160405a4482

memory/2376-113-0x00007FF65D550000-0x00007FF65D8A4000-memory.dmp

C:\Windows\System\wGUNhqK.exe

MD5 4fe09193f9134427c8b9f7478621e1ce
SHA1 7999afa6dabea86f401a6b0eac3607997e5cc939
SHA256 e34803ee24f6155295113ed8bad1540b119253be4df75b4495d0ff5016272f7b
SHA512 b94eb1055316deeeb69d67dbccee25eae50e68558e2ccd1346062b4e981de9163e2fe88ae9fbb438a890fa784420d2af308ccd3f2fc4c48a46963f053515d510

C:\Windows\System\KlveNKr.exe

MD5 aa7e2f827422712012dea5b0bdbd12f2
SHA1 30186a37cf23f119d425b174106d0524146d11fa
SHA256 b37c83e2c70ce5b282bff46991ef75779d6564d2ee6cf4659dba302dd6611f1c
SHA512 0889ffc4cbac45932ff8adbdc49b4ce1eeb861610cffef6508b98e9c66f47d91d957b4a95c4cce0eb196304817078d49706e5ceedf6fe4b8e5d8f4876af6383b

memory/4100-133-0x00007FF60E360000-0x00007FF60E6B4000-memory.dmp

memory/2288-135-0x00007FF62BA50000-0x00007FF62BDA4000-memory.dmp

memory/3224-134-0x00007FF62AD00000-0x00007FF62B054000-memory.dmp

memory/2472-128-0x00007FF6BE7F0000-0x00007FF6BEB44000-memory.dmp

memory/4952-127-0x00007FF73F160000-0x00007FF73F4B4000-memory.dmp

C:\Windows\System\MsOPVTE.exe

MD5 ede06f255b77566129fd6aeca6bab77a
SHA1 0cc177998d9c552b12de60f2d7d0366bb8075e5f
SHA256 e3d90ec284f405c624bb248c7ca487af95eab628bea5c8f83457a24d67869bab
SHA512 5905cd5840c3831b086f1f3cecbc61257ae104408ac0c0eb617e49e878e2637509618e8d23ed3f7f69a2307a7a138bb30a911ef9a8ce8da292831f1952dea419

C:\Windows\System\zGIfmDV.exe

MD5 24be2d113308028f4ac9b6ad73ffe203
SHA1 db0fa63e20605b3efa593950c1176fa1197e0525
SHA256 89ee71246ad7f886c30c6640872ec578e762fda753e58a07cb89cc2a1c6da703
SHA512 5d73221f905571a37bd72f11aaed7b9d255b70618437c4d52a075ba4a2a5b63c67653a355ee7b84a039fa19f0a454ad03bdbef2945b1a2ac0cea3b2d4dfb824c

memory/1028-119-0x00007FF7171B0000-0x00007FF717504000-memory.dmp

memory/2332-110-0x00007FF6826B0000-0x00007FF682A04000-memory.dmp

memory/4948-104-0x00007FF76FED0000-0x00007FF770224000-memory.dmp

memory/2920-101-0x00007FF7BFCB0000-0x00007FF7C0004000-memory.dmp

memory/4416-137-0x00007FF7229C0000-0x00007FF722D14000-memory.dmp

memory/2964-138-0x00007FF658720000-0x00007FF658A74000-memory.dmp

memory/4392-139-0x00007FF66B920000-0x00007FF66BC74000-memory.dmp

memory/3964-140-0x00007FF619FF0000-0x00007FF61A344000-memory.dmp

memory/4948-141-0x00007FF76FED0000-0x00007FF770224000-memory.dmp

memory/1028-142-0x00007FF7171B0000-0x00007FF717504000-memory.dmp

memory/2288-143-0x00007FF62BA50000-0x00007FF62BDA4000-memory.dmp

memory/1572-144-0x00007FF748160000-0x00007FF7484B4000-memory.dmp

memory/3396-145-0x00007FF7740A0000-0x00007FF7743F4000-memory.dmp

memory/3528-146-0x00007FF7932F0000-0x00007FF793644000-memory.dmp

memory/3240-148-0x00007FF651BA0000-0x00007FF651EF4000-memory.dmp

memory/2408-147-0x00007FF7FB700000-0x00007FF7FBA54000-memory.dmp

memory/4952-149-0x00007FF73F160000-0x00007FF73F4B4000-memory.dmp

memory/2332-151-0x00007FF6826B0000-0x00007FF682A04000-memory.dmp

memory/992-152-0x00007FF6C99F0000-0x00007FF6C9D44000-memory.dmp

memory/2920-150-0x00007FF7BFCB0000-0x00007FF7C0004000-memory.dmp

memory/3224-153-0x00007FF62AD00000-0x00007FF62B054000-memory.dmp

memory/4416-154-0x00007FF7229C0000-0x00007FF722D14000-memory.dmp

memory/2964-155-0x00007FF658720000-0x00007FF658A74000-memory.dmp

memory/4392-156-0x00007FF66B920000-0x00007FF66BC74000-memory.dmp

memory/3964-157-0x00007FF619FF0000-0x00007FF61A344000-memory.dmp

memory/4776-158-0x00007FF7C3D60000-0x00007FF7C40B4000-memory.dmp

memory/4948-159-0x00007FF76FED0000-0x00007FF770224000-memory.dmp

memory/2376-160-0x00007FF65D550000-0x00007FF65D8A4000-memory.dmp

memory/1028-162-0x00007FF7171B0000-0x00007FF717504000-memory.dmp

memory/2472-161-0x00007FF6BE7F0000-0x00007FF6BEB44000-memory.dmp

memory/4100-163-0x00007FF60E360000-0x00007FF60E6B4000-memory.dmp

memory/2288-164-0x00007FF62BA50000-0x00007FF62BDA4000-memory.dmp