Malware Analysis Report

2025-01-22 19:33

Sample ID 240601-vjbvpahh56
Target 2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike
SHA256 82c6dd4c32d0e936aa89f3f240c5141265e5d2e0e75a355cfdb7c5594fd8b38a
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

82c6dd4c32d0e936aa89f3f240c5141265e5d2e0e75a355cfdb7c5594fd8b38a

Threat Level: Known bad

The file 2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Cobaltstrike family

Cobaltstrike

xmrig

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

Xmrig family

UPX dump on OEP (original entry point)

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 17:00

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 17:00

Reported

2024-06-01 17:03

Platform

win7-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\zZFwBvC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EFtfWEZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uLHyjjG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tUpIRpk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TeMtdZR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\piirGlS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HGVBGdt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eUeQkPf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DtdJZAz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pSPWmfg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PkYQrgM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wCZPbqh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qIqilzo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\alfVlgf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LwBAFAK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WHzZpFo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UdNbfBZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EYGXiwo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LaDxKGI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HHFIthS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ShMqxFw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\alfVlgf.exe
PID 2128 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\LaDxKGI.exe
PID 2128 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\DtdJZAz.exe
PID 2128 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\pSPWmfg.exe
PID 2128 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\HHFIthS.exe
PID 2128 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\zZFwBvC.exe
PID 2128 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\LwBAFAK.exe
PID 2128 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\ShMqxFw.exe
PID 2128 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\PkYQrgM.exe
PID 2128 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\UdNbfBZ.exe
PID 2128 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\WHzZpFo.exe
PID 2128 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\EYGXiwo.exe
PID 2128 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\tUpIRpk.exe
PID 2128 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\EFtfWEZ.exe
PID 2128 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\TeMtdZR.exe
PID 2128 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\wCZPbqh.exe
PID 2128 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\piirGlS.exe
PID 2128 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\HGVBGdt.exe
PID 2128 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\qIqilzo.exe
PID 2128 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\eUeQkPf.exe
PID 2128 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\uLHyjjG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\alfVlgf.exe

C:\Windows\System\LaDxKGI.exe

C:\Windows\System\DtdJZAz.exe

C:\Windows\System\pSPWmfg.exe

C:\Windows\System\HHFIthS.exe

C:\Windows\System\zZFwBvC.exe

C:\Windows\System\LwBAFAK.exe

C:\Windows\System\ShMqxFw.exe

C:\Windows\System\PkYQrgM.exe

C:\Windows\System\UdNbfBZ.exe

C:\Windows\System\WHzZpFo.exe

C:\Windows\System\EYGXiwo.exe

C:\Windows\System\tUpIRpk.exe

C:\Windows\System\EFtfWEZ.exe

C:\Windows\System\TeMtdZR.exe

C:\Windows\System\wCZPbqh.exe

C:\Windows\System\piirGlS.exe

C:\Windows\System\HGVBGdt.exe

C:\Windows\System\qIqilzo.exe

C:\Windows\System\eUeQkPf.exe

C:\Windows\System\uLHyjjG.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\alfVlgf.exe

\Windows\system\LaDxKGI.exe

C:\Windows\system\DtdJZAz.exe

C:\Windows\system\pSPWmfg.exe

C:\Windows\system\HHFIthS.exe

C:\Windows\system\zZFwBvC.exe

\Windows\system\EYGXiwo.exe

\Windows\system\PkYQrgM.exe

C:\Windows\system\WHzZpFo.exe

\Windows\system\tUpIRpk.exe

C:\Windows\system\UdNbfBZ.exe

C:\Windows\system\ShMqxFw.exe

C:\Windows\system\LwBAFAK.exe

\Windows\system\EFtfWEZ.exe

C:\Windows\system\wCZPbqh.exe

C:\Windows\system\HGVBGdt.exe

C:\Windows\system\piirGlS.exe

C:\Windows\system\TeMtdZR.exe

\Windows\system\qIqilzo.exe

C:\Windows\system\eUeQkPf.exe

\Windows\system\uLHyjjG.exe

memory/2128-122-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/2128-121-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2808-118-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2128-110-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/2236-138-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2128-139-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/2580-140-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/2516-141-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

memory/3000-142-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2128-143-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/2128-144-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/2356-145-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/1532-146-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2200-147-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2992-148-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/2756-149-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/2668-150-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/3068-151-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2808-152-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2236-153-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2580-154-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/2516-156-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

memory/2812-155-0x000000013F410000-0x000000013F764000-memory.dmp

memory/3000-157-0x000000013F590000-0x000000013F8E4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 17:00

Reported

2024-06-01 17:03

Platform

win10v2004-20240426-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\XnLWXne.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GkWfNIQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RiiobCd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BxuXVQp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AfnApKf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eKwNpXV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DvqizSu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JQEpiPC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VPiHake.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ySezUjD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ssqxOQm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nRryjoI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DAOYlKi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LFQCMYI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PFCXqAe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CyXIXbE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gxbfOhI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EYpEtMN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XruJGcl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JyWkzFw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NdoTHVF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4552 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\gxbfOhI.exe
PID 4552 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\gxbfOhI.exe
PID 4552 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\ssqxOQm.exe
PID 4552 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\ssqxOQm.exe
PID 4552 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\NdoTHVF.exe
PID 4552 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\NdoTHVF.exe
PID 4552 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\ySezUjD.exe
PID 4552 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\ySezUjD.exe
PID 4552 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\nRryjoI.exe
PID 4552 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\nRryjoI.exe
PID 4552 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\DAOYlKi.exe
PID 4552 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\DAOYlKi.exe
PID 4552 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\eKwNpXV.exe
PID 4552 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\eKwNpXV.exe
PID 4552 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\DvqizSu.exe
PID 4552 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\DvqizSu.exe
PID 4552 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\LFQCMYI.exe
PID 4552 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\LFQCMYI.exe
PID 4552 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\AfnApKf.exe
PID 4552 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\AfnApKf.exe
PID 4552 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\XnLWXne.exe
PID 4552 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\XnLWXne.exe
PID 4552 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\EYpEtMN.exe
PID 4552 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\EYpEtMN.exe
PID 4552 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\GkWfNIQ.exe
PID 4552 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\GkWfNIQ.exe
PID 4552 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JQEpiPC.exe
PID 4552 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JQEpiPC.exe
PID 4552 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\RiiobCd.exe
PID 4552 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\RiiobCd.exe
PID 4552 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\PFCXqAe.exe
PID 4552 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\PFCXqAe.exe
PID 4552 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\XruJGcl.exe
PID 4552 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\XruJGcl.exe
PID 4552 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\CyXIXbE.exe
PID 4552 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\CyXIXbE.exe
PID 4552 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\VPiHake.exe
PID 4552 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\VPiHake.exe
PID 4552 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\BxuXVQp.exe
PID 4552 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\BxuXVQp.exe
PID 4552 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JyWkzFw.exe
PID 4552 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe C:\Windows\System\JyWkzFw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\gxbfOhI.exe

C:\Windows\System\gxbfOhI.exe

C:\Windows\System\ssqxOQm.exe

C:\Windows\System\ssqxOQm.exe

C:\Windows\System\NdoTHVF.exe

C:\Windows\System\NdoTHVF.exe

C:\Windows\System\ySezUjD.exe

C:\Windows\System\ySezUjD.exe

C:\Windows\System\nRryjoI.exe

C:\Windows\System\nRryjoI.exe

C:\Windows\System\DAOYlKi.exe

C:\Windows\System\DAOYlKi.exe

C:\Windows\System\eKwNpXV.exe

C:\Windows\System\eKwNpXV.exe

C:\Windows\System\DvqizSu.exe

C:\Windows\System\DvqizSu.exe

C:\Windows\System\LFQCMYI.exe

C:\Windows\System\LFQCMYI.exe

C:\Windows\System\AfnApKf.exe

C:\Windows\System\AfnApKf.exe

C:\Windows\System\XnLWXne.exe

C:\Windows\System\XnLWXne.exe

C:\Windows\System\EYpEtMN.exe

C:\Windows\System\EYpEtMN.exe

C:\Windows\System\GkWfNIQ.exe

C:\Windows\System\GkWfNIQ.exe

C:\Windows\System\JQEpiPC.exe

C:\Windows\System\JQEpiPC.exe

C:\Windows\System\RiiobCd.exe

C:\Windows\System\RiiobCd.exe

C:\Windows\System\PFCXqAe.exe

C:\Windows\System\PFCXqAe.exe

C:\Windows\System\XruJGcl.exe

C:\Windows\System\XruJGcl.exe

C:\Windows\System\CyXIXbE.exe

C:\Windows\System\CyXIXbE.exe

C:\Windows\System\VPiHake.exe

C:\Windows\System\VPiHake.exe

C:\Windows\System\BxuXVQp.exe

C:\Windows\System\BxuXVQp.exe

C:\Windows\System\JyWkzFw.exe

C:\Windows\System\JyWkzFw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4552-0-0x00007FF6795D0000-0x00007FF679924000-memory.dmp

memory/4552-1-0x0000019353C00000-0x0000019353C10000-memory.dmp

C:\Windows\System\gxbfOhI.exe

MD5 a96a9e97d7906f07417bf0c9d56df3ee
SHA1 78aa742817475154457d43c0bfdd716431dc5547
SHA256 77208cd94c799775fb805109de3bbd0dbd5915cc669ac1793ada8dbd0f522f46
SHA512 09d04fc6f76c4efa755eb7c15a86ab6d4a1668f966af8074555edcb20e6d4de89ab93a09d161b259f4d51ca5b17f143e3c1b8f36810e9479c34031bfef791dc8

memory/4828-8-0x00007FF785B90000-0x00007FF785EE4000-memory.dmp

C:\Windows\System\NdoTHVF.exe

MD5 583358dd3b7da570d9dec0b7caf4bbb8
SHA1 211448997c837e94b19c3f204b1f5ea49e29c9ed
SHA256 e3f5b522ca4a097216c7050908832fb7871a046c9eb417f85ebe833e5a4b522f
SHA512 4666414503de8e93a6e81076f5bb3474573470566f7f4ba8a4f78f3f9ae7955304e9bafd562ce5d6c192d121ac0de18bcfb9c725d52f4fa6f59035ebb2e8e9fc

memory/3124-14-0x00007FF6E6150000-0x00007FF6E64A4000-memory.dmp

C:\Windows\System\ssqxOQm.exe

MD5 03ea6107387487c35c4e879ad171ff61
SHA1 c670ed1367753a3790f081d2d5aa53476128c7e6
SHA256 70d796c8a65721f092d13c87ece1343855117470b8dc7f6450bfbb01e4d905d8
SHA512 59aadbfba80897f87f2ced15faa530d5f1b02d46d4de5de9c7a4cc4d5a868f7d30b5369321c85cdceb8a6eba89cde8c03420a81235487cbe181003ed397412fd

C:\Windows\System\ySezUjD.exe

MD5 0c5c9336b782f22ed904fd7212525b7b
SHA1 fecdf84133715ee4b8710d14c188d482eb894548
SHA256 bd9f22bdc548060d0da28aa8b72aa68192658b1f62fdcbb11a9366845eefbf8c
SHA512 f60442c88d8d68c1f243362616143684b9d35ef6fef97a9c91332d7816f0e6c67f6f7f003f371c5b55d31750a8b5e50304ff6f5da11ecc0c2e48fb553632fc0e

C:\Windows\System\nRryjoI.exe

MD5 db37d94d85a0d67804784390a488bcdf
SHA1 ba6098282876b5dbcb60b05e8d20c9764aaaab42
SHA256 eb134e0557a16f648d974a7b1d6d70bbeba44aa59283a78e379d736dfaeddac0
SHA512 0bd4d7c291893fd265d0a689ecf70e07f64d5883f6a2b820ac2364cf66048cfb1641936335196f8b6501071e8c4b0733bbea1de2cf8e67dac6d8b4ed14d1af83

C:\Windows\System\eKwNpXV.exe

MD5 6faef2867347308c32e4b6ffead9cef5
SHA1 85897d29c92ecdb5898e238b4e4b5f52257cbcfa
SHA256 1a66844e8a4bae3b78241ed40f53bf4f159ac245fc2acf8f6ce3ddf0381ae798
SHA512 8cadba9686a252c0dd8a78d7f53fb7271f27984e6a9d1251bc6663a65e674ef8aa3d99e3d11694a54aaa47a63630bac30d1c7a6ff0a90c551dda044246ae961e

C:\Windows\System\LFQCMYI.exe

MD5 572c81b2dcc15f4ed17fbb2b541cb8db
SHA1 ab0572eaec7be4d2136e7fa1bbb4d4572a1a3479
SHA256 a28c33d1ea3d0c83c7a637364cc8a12a277bcb11c805efab7ba6d1794fe03805
SHA512 8c6c9ca4dd7615c50cb2c5a15bc762785125ddca028085b2aaa86ad97213d581e84bd8c1b751a819d78d50deed83cb5dd1bb16d6d097686fca4026eb15d8891f

memory/1476-54-0x00007FF621030000-0x00007FF621384000-memory.dmp

C:\Windows\System\XnLWXne.exe

MD5 7893481d1f2f9ec1c412f0862b965b9b
SHA1 67493934eb37214a1360381795b5cc2792d2f963
SHA256 f3c6ad58d230e3b4e84bf9b162860ed745b92704b76bc6b634cbd818a1968107
SHA512 d39bda9e432aefe5849c475ef8ce397c57b57ba566f5c15b6b053098a6846c4ec8bbe96a63b928b6a77efd6a4de310c2fe690527aaa8fa529adfeef4579f8223

C:\Windows\System\EYpEtMN.exe

MD5 cfc9fe8ea474f93c62ec3a68e3f25a6a
SHA1 ca41558242f075eb3348dd016982fbe31f52f67f
SHA256 7db3c8b69f3db97c53987d94efbda5728e158d2de069f556e5a247e97db0c8f0
SHA512 b6e37e24c37e5a0bf886bc067583a21a0244fc7729e6d266a98e05dc154cae5ab26589cf000c42fd1439d391203e4cf22da3e302da2288a70c4a7a0e9d4fdce8

memory/3884-75-0x00007FF6D0870000-0x00007FF6D0BC4000-memory.dmp

C:\Windows\System\GkWfNIQ.exe

MD5 01f09d5daabd8e5c0e8f35fd45717989
SHA1 ac6d457f099a08258102b3097ef24dddf8fb508e
SHA256 0d85297ad2be7aa5be667987a84fbe24b08b6b5a52ae9034562534ee4b1bc11d
SHA512 2ee29f1558287be4c6044fc4a4ea34bc6c3426f5ad3d466456c9ea8cc8cda03429fc12370b9d4b54808c74e63a6b8fdb2a5a79af4520bb565582dfe6fc75fc7d

memory/1540-76-0x00007FF62EBD0000-0x00007FF62EF24000-memory.dmp

memory/3332-74-0x00007FF610CB0000-0x00007FF611004000-memory.dmp

memory/3120-73-0x00007FF6C7FB0000-0x00007FF6C8304000-memory.dmp

C:\Windows\System\AfnApKf.exe

MD5 950f76a1c06f0f96fb3b2095e6393c24
SHA1 b7c950e4427343efb0f2d494bbd35b3eea7a4c58
SHA256 b22d63da844196688815ca56e1ca4ecac169f07490ba45b2265dbfce395f5f54
SHA512 ccfe3824b23dc70268546f6e3410786863c46facc4987cf16ae4d99cce355542947b69a567003dfd15d00089a4c482dcbd3d434269807047b8914cc34ca70f55

C:\Windows\System\DvqizSu.exe

MD5 a75edbc2ea663a2ab211d107282f4b5a
SHA1 e8887e96ab8f2f1c0500675347e2b14e4e3a77b5
SHA256 eb122e8d4a2885e280ef43480cec179c5263125b22aff26eff2123f4ce570514
SHA512 2095c74f5297722e894a05127b74d3bacaa1aefacf6bfd986f5a3e36116d337083306262a5211747af3dc7bb0f75e7fd753fb6b653fcdc4652eedd1cdccb6799

memory/2164-51-0x00007FF739590000-0x00007FF7398E4000-memory.dmp

memory/2580-44-0x00007FF6A0AE0000-0x00007FF6A0E34000-memory.dmp

memory/1080-40-0x00007FF7722F0000-0x00007FF772644000-memory.dmp

memory/4328-39-0x00007FF646BF0000-0x00007FF646F44000-memory.dmp

C:\Windows\System\DAOYlKi.exe

MD5 669980cb6291046715181571804f1ffe
SHA1 e1a68a4108126642edb93cb10eb3a0c0efdebcdf
SHA256 55aed6e7b10c222599fbe31856c4f3f023dae07b4985a6d1b8bb59fb72c4ae11
SHA512 e77320eb8612a4870c602cdcc84604a7cd38c933b44925748882862b3cedf4621780be682572dbeaab4e176bddb1ba7084ad5a8988dc91c486f7f91442182c83

memory/3340-31-0x00007FF7EE060000-0x00007FF7EE3B4000-memory.dmp

memory/4804-18-0x00007FF768750000-0x00007FF768AA4000-memory.dmp

C:\Windows\System\JQEpiPC.exe

MD5 28fe561609fc7bd60109aa3b37de76ae
SHA1 cb8565e0062e81e96d0ef68c1d10d5a8f726173e
SHA256 0f996557512e62159b76976108e6e5716f14f39789b20b4d01bf79f514717570
SHA512 76cb7cdd14f0fc1c77772604b50b445631ebea68aa3907e736fb8236fdc50342e6ca3d06ba3d962b645d0ae5fd202eb2871526da67d015c0edfca007c80c02c0

C:\Windows\System\RiiobCd.exe

MD5 f2f28395667451c943c15db98c41d38a
SHA1 e372744ed9c95150f488f3b41b1f07e355cb54c1
SHA256 21d3277b1ce1ee8585a0092d1d33458e68416d4abd8238bceffc9f9cc2487ade
SHA512 e4f78178a09b2ec28672b3a00ec3ad190d3f5802a82363521148b0566f514b58445da9d6895c8a58da536da432f26b5197ebd2b3c9e3f3214d9e5ac356970976

C:\Windows\System\PFCXqAe.exe

MD5 f3bc5df0107c153d1268839b6be704d7
SHA1 fb72819f870330c2a02716020ea6c070b8c12313
SHA256 4adce3f866d861502de733f3eba6ff7e1eaa93aab413a1cee5a466517b971216
SHA512 8f5dee862083a02817a50b999bda97839bd33889255abb702e4a7d6e481ce05c63ff185b89f6cb38e90c199cd87fc2cde90ed12ab28c8446546d9a5d24ceb7c3

memory/2412-99-0x00007FF6A9070000-0x00007FF6A93C4000-memory.dmp

memory/4552-102-0x00007FF6795D0000-0x00007FF679924000-memory.dmp

memory/4828-107-0x00007FF785B90000-0x00007FF785EE4000-memory.dmp

C:\Windows\System\XruJGcl.exe

MD5 73a67d5d698ad2b3d3945c435a2ded25
SHA1 5bb08ac2e8024d3dcaf99542f909eb4d94a2ffc8
SHA256 1cfa9f45b7f15bd16c33f1e9c4f7fc11354674cc5d68d890d43eada40578c0ad
SHA512 1c637240a190536975054675e9d718ec98ebc19996189397a0ecd2196b01d0f9fd6cda312c846885583cd7c018024c2418e6b207f45919c41e411df1fdadb8f3

C:\Windows\System\VPiHake.exe

MD5 f20d4ca219aa3e6012fd26e0eac30a17
SHA1 27354465cbc8ae14ab777d38a40af2b1cbb3288f
SHA256 25d0bc6674d281ae2173a191520971c210a4a31d37f2ac2a9d0c1bb9ac114c7a
SHA512 e19f6d5132f2c8eb868b55c13d3f4c6adf418b24ec8a2faca9ae09b2e3f8dbbcc1a0357198956109a613adfcc97c0776f931e203853b6828db5903747647c7bb

C:\Windows\System\BxuXVQp.exe

MD5 5adc7980cc1fa26ce7d1fa750989c911
SHA1 83b41293665c622be9002eedfea70bd9de7decbd
SHA256 da8082c45b22a15f966636222ffee4d455fe8a4e1d0710cf44ac35a5e6cdac4c
SHA512 756eb6057ecd930e2c78b6908af9e4327c887de20e79f5bd4d341d490b12c4a8420bfad13c6718195424a18b9f1d9a0c1d65a7b97c53fa3dc9b6f50b16a68090

C:\Windows\System\JyWkzFw.exe

MD5 9142c2fad2997bb542cdb5c03042bc4f
SHA1 efa3350a24ac361056b675d6718b718db90172da
SHA256 9e99fa9ecfa9eb777f6a924892dad443bea60fb7013eefc467d85e960041a6b7
SHA512 48dbb7a48b868fefe8bb8030020eef2cd96a7a56f274ac79f5168493386629f68fd019c38c046b4236ffb64673f4dafcb1fb73d3e5efb52a9747b3a4241324cd

C:\Windows\System\CyXIXbE.exe

MD5 e17603be99f75d14c8731c8f4fd37306
SHA1 bc34ad3f0bf0808720b95057dcecc8f3754fc7e8
SHA256 56a0414dbead3b5da4c377b577c192c6705b2e11c1f82afe77de0407fae688d8
SHA512 c3338246380057ed0492e24843b2168cd1bc0bc395542fa182f33b5faa99b5d2e3a4dd57ecb1206be3190648d73cafcb1755c5d4f7038f8a79a77e4da10bc38c

memory/3288-106-0x00007FF6F92C0000-0x00007FF6F9614000-memory.dmp

memory/1532-105-0x00007FF65A2D0000-0x00007FF65A624000-memory.dmp

memory/4720-89-0x00007FF62E580000-0x00007FF62E8D4000-memory.dmp

memory/408-126-0x00007FF785B40000-0x00007FF785E94000-memory.dmp

memory/2540-128-0x00007FF727170000-0x00007FF7274C4000-memory.dmp

memory/1424-127-0x00007FF786FB0000-0x00007FF787304000-memory.dmp

memory/2032-129-0x00007FF6CF670000-0x00007FF6CF9C4000-memory.dmp

memory/3340-131-0x00007FF7EE060000-0x00007FF7EE3B4000-memory.dmp

memory/4328-132-0x00007FF646BF0000-0x00007FF646F44000-memory.dmp

memory/4804-130-0x00007FF768750000-0x00007FF768AA4000-memory.dmp

memory/1080-134-0x00007FF7722F0000-0x00007FF772644000-memory.dmp

memory/2580-133-0x00007FF6A0AE0000-0x00007FF6A0E34000-memory.dmp

memory/2164-135-0x00007FF739590000-0x00007FF7398E4000-memory.dmp

memory/1476-136-0x00007FF621030000-0x00007FF621384000-memory.dmp

memory/3884-137-0x00007FF6D0870000-0x00007FF6D0BC4000-memory.dmp

memory/2412-139-0x00007FF6A9070000-0x00007FF6A93C4000-memory.dmp

memory/1540-138-0x00007FF62EBD0000-0x00007FF62EF24000-memory.dmp

memory/3288-140-0x00007FF6F92C0000-0x00007FF6F9614000-memory.dmp

memory/408-141-0x00007FF785B40000-0x00007FF785E94000-memory.dmp

memory/4828-142-0x00007FF785B90000-0x00007FF785EE4000-memory.dmp

memory/3124-143-0x00007FF6E6150000-0x00007FF6E64A4000-memory.dmp

memory/4804-144-0x00007FF768750000-0x00007FF768AA4000-memory.dmp

memory/3340-145-0x00007FF7EE060000-0x00007FF7EE3B4000-memory.dmp

memory/1080-146-0x00007FF7722F0000-0x00007FF772644000-memory.dmp

memory/4328-147-0x00007FF646BF0000-0x00007FF646F44000-memory.dmp

memory/2580-148-0x00007FF6A0AE0000-0x00007FF6A0E34000-memory.dmp

memory/1476-150-0x00007FF621030000-0x00007FF621384000-memory.dmp

memory/3120-151-0x00007FF6C7FB0000-0x00007FF6C8304000-memory.dmp

memory/2164-149-0x00007FF739590000-0x00007FF7398E4000-memory.dmp

memory/3884-152-0x00007FF6D0870000-0x00007FF6D0BC4000-memory.dmp

memory/1540-153-0x00007FF62EBD0000-0x00007FF62EF24000-memory.dmp

memory/3332-154-0x00007FF610CB0000-0x00007FF611004000-memory.dmp

memory/4720-155-0x00007FF62E580000-0x00007FF62E8D4000-memory.dmp

memory/1532-156-0x00007FF65A2D0000-0x00007FF65A624000-memory.dmp

memory/2412-157-0x00007FF6A9070000-0x00007FF6A93C4000-memory.dmp

memory/3288-158-0x00007FF6F92C0000-0x00007FF6F9614000-memory.dmp

memory/408-159-0x00007FF785B40000-0x00007FF785E94000-memory.dmp

memory/2032-160-0x00007FF6CF670000-0x00007FF6CF9C4000-memory.dmp

memory/1424-162-0x00007FF786FB0000-0x00007FF787304000-memory.dmp

memory/2540-161-0x00007FF727170000-0x00007FF7274C4000-memory.dmp