Malware Analysis Report

2025-01-22 19:33

Sample ID 240601-vlxj6saa37
Target 2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike
SHA256 5a3d8265796fc5444a98d86f1d0ad3db9d5e4ad0e9b0f1d222e72d0ef0ac2878
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5a3d8265796fc5444a98d86f1d0ad3db9d5e4ad0e9b0f1d222e72d0ef0ac2878

Threat Level: Known bad

The file 2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

UPX dump on OEP (original entry point)

xmrig

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

Detects Reflective DLL injection artifacts

Cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 17:05

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 17:05

Reported

2024-06-01 17:07

Platform

win7-20240221-en

Max time kernel

138s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches recorded; Description, Indicator, Process and Target all N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches recorded; Description, Indicator, Process and Target all N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
61 matches recorded; Description, Indicator, Process and Target all N/A

XMRig Miner payload

miner
Description Indicator Process Target
63 matches recorded; Description, Indicator, Process and Target all N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
62 matches recorded; Description, Indicator, Process and Target all N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\pkHReYH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rAbXgtA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BkLBHVZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zMUYFTo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SgvGkAw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iZUNdQl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JONyWpW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uztvnQH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QkYeBlM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eXJOhaG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wZbsihz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ucsVsXo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PTbGLws.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SDJrldb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UTXIUWv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VGbKeXb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mFdPKRW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bDhsjKz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DVpUQNI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\olankER.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KIgzcRg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\eXJOhaG.exe
PID 2992 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\eXJOhaG.exe
PID 2992 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\eXJOhaG.exe
PID 2992 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\wZbsihz.exe
PID 2992 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\wZbsihz.exe
PID 2992 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\wZbsihz.exe
PID 2992 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\ucsVsXo.exe
PID 2992 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\ucsVsXo.exe
PID 2992 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\ucsVsXo.exe
PID 2992 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\rAbXgtA.exe
PID 2992 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\rAbXgtA.exe
PID 2992 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\rAbXgtA.exe
PID 2992 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\BkLBHVZ.exe
PID 2992 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\BkLBHVZ.exe
PID 2992 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\BkLBHVZ.exe
PID 2992 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\PTbGLws.exe
PID 2992 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\PTbGLws.exe
PID 2992 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\PTbGLws.exe
PID 2992 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\VGbKeXb.exe
PID 2992 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\VGbKeXb.exe
PID 2992 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\VGbKeXb.exe
PID 2992 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\zMUYFTo.exe
PID 2992 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\zMUYFTo.exe
PID 2992 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\zMUYFTo.exe
PID 2992 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\SDJrldb.exe
PID 2992 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\SDJrldb.exe
PID 2992 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\SDJrldb.exe
PID 2992 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\SgvGkAw.exe
PID 2992 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\SgvGkAw.exe
PID 2992 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\SgvGkAw.exe
PID 2992 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\mFdPKRW.exe
PID 2992 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\mFdPKRW.exe
PID 2992 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\mFdPKRW.exe
PID 2992 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\bDhsjKz.exe
PID 2992 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\bDhsjKz.exe
PID 2992 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\bDhsjKz.exe
PID 2992 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\DVpUQNI.exe
PID 2992 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\DVpUQNI.exe
PID 2992 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\DVpUQNI.exe
PID 2992 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\olankER.exe
PID 2992 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\olankER.exe
PID 2992 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\olankER.exe
PID 2992 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\iZUNdQl.exe
PID 2992 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\iZUNdQl.exe
PID 2992 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\iZUNdQl.exe
PID 2992 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\JONyWpW.exe
PID 2992 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\JONyWpW.exe
PID 2992 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\JONyWpW.exe
PID 2992 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\uztvnQH.exe
PID 2992 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\uztvnQH.exe
PID 2992 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\uztvnQH.exe
PID 2992 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\QkYeBlM.exe
PID 2992 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\QkYeBlM.exe
PID 2992 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\QkYeBlM.exe
PID 2992 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\UTXIUWv.exe
PID 2992 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\UTXIUWv.exe
PID 2992 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\UTXIUWv.exe
PID 2992 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\KIgzcRg.exe
PID 2992 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\KIgzcRg.exe
PID 2992 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\KIgzcRg.exe
PID 2992 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\pkHReYH.exe
PID 2992 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\pkHReYH.exe
PID 2992 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\pkHReYH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\eXJOhaG.exe

C:\Windows\System\eXJOhaG.exe

C:\Windows\System\wZbsihz.exe

C:\Windows\System\wZbsihz.exe

C:\Windows\System\ucsVsXo.exe

C:\Windows\System\ucsVsXo.exe

C:\Windows\System\rAbXgtA.exe

C:\Windows\System\rAbXgtA.exe

C:\Windows\System\BkLBHVZ.exe

C:\Windows\System\BkLBHVZ.exe

C:\Windows\System\PTbGLws.exe

C:\Windows\System\PTbGLws.exe

C:\Windows\System\VGbKeXb.exe

C:\Windows\System\VGbKeXb.exe

C:\Windows\System\zMUYFTo.exe

C:\Windows\System\zMUYFTo.exe

C:\Windows\System\SDJrldb.exe

C:\Windows\System\SDJrldb.exe

C:\Windows\System\SgvGkAw.exe

C:\Windows\System\SgvGkAw.exe

C:\Windows\System\mFdPKRW.exe

C:\Windows\System\mFdPKRW.exe

C:\Windows\System\bDhsjKz.exe

C:\Windows\System\bDhsjKz.exe

C:\Windows\System\DVpUQNI.exe

C:\Windows\System\DVpUQNI.exe

C:\Windows\System\olankER.exe

C:\Windows\System\olankER.exe

C:\Windows\System\iZUNdQl.exe

C:\Windows\System\iZUNdQl.exe

C:\Windows\System\JONyWpW.exe

C:\Windows\System\JONyWpW.exe

C:\Windows\System\uztvnQH.exe

C:\Windows\System\uztvnQH.exe

C:\Windows\System\QkYeBlM.exe

C:\Windows\System\QkYeBlM.exe

C:\Windows\System\UTXIUWv.exe

C:\Windows\System\UTXIUWv.exe

C:\Windows\System\KIgzcRg.exe

C:\Windows\System\KIgzcRg.exe

C:\Windows\System\pkHReYH.exe

C:\Windows\System\pkHReYH.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2992-0-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2992-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\eXJOhaG.exe

MD5 e5c354bced6c428f587ee3222e66c1a3
SHA1 f2a5af000e60e0486764e7dc7fd60a39e5e79dad
SHA256 ad0df4bc595c18d5a153fb37fde1011e756c5ee2719be1ee34dff34c20bdf743
SHA512 5248b63e1d684bbf02d6e47033385c61bf04c9c5cb221fc22ccb403492f05848ea8fee605e44d622baca53eb4f99952b06445f7e38362047523d98745bdd82d3

\Windows\system\wZbsihz.exe

MD5 463fc211f910bf76b5dfe67bfdd97571
SHA1 481e689503c7773dc8e78434cc6c68f8964ae94b
SHA256 6e4475ee83372aa63b127e3d498e937e04e506f50055a1871eccf1bcd8f0724d
SHA512 6dc89d0e62a287b27fc8c973efa6a10e98b084e9107030363f1b2cf758d38b4e002c5a8090b60fdf03c0a8e5b6b4c86b17bb85246d17e21ec10ccdd3dea24ac8

memory/2992-7-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2992-13-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2940-12-0x000000013F310000-0x000000013F664000-memory.dmp

memory/3028-15-0x000000013F4F0000-0x000000013F844000-memory.dmp

C:\Windows\system\ucsVsXo.exe

MD5 d66850f6040e367e0c75bd6163a4551a
SHA1 749e0d4efa8af800208d9fe9b355e3da2951b6e8
SHA256 e0ed049a1edaff9959fac4e598ea8d53f711dd4e5ffd57abfcbfdc35b2e09bad
SHA512 d256fa98409a150c4c86cc268eef9599ebd65882db5eb52b8b5e944d18c0bf9b67fda17e3dec046fa3d7a0b884ab1d059ac09758741fd863f8ad45587fe27273

C:\Windows\system\rAbXgtA.exe

MD5 7309cd2f94a037ce25c601bdd402d33a
SHA1 a1cc0553efc41649de278b8087f280aef98a1332
SHA256 29807a406678daa735de4eb2ad9022edcaf0c62cad0d25e6971aca747ed34bd7
SHA512 64b9302e62da5c403563c3fed694dc7ea0a3107c4ec3293ba8105cb773c60a569908897b76ed00ce26f6a77d22bc6137a94a40d6a7bb92f904562508850fca75

memory/2992-21-0x000000013F020000-0x000000013F374000-memory.dmp

memory/2992-30-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2652-29-0x000000013F5B0000-0x000000013F904000-memory.dmp

C:\Windows\system\PTbGLws.exe

MD5 59b82ad301a668cdd2a9a60530bcfca7
SHA1 45518bd69c88569a6d0456c3bc7bdc0d90844eb3
SHA256 2009996c2b17c47d170c0a27252ebeb518241882a4901d91e29e370ae22e6440
SHA512 d0b2ec14e08282b42702d7f43a309e6cc376901811113bb771a74ee9d14997d753753f04b8c820b7f339cad2c94afc27ddbb9116555a1700cc94a66b463e087b

C:\Windows\system\BkLBHVZ.exe

MD5 699569c45844fc07112f73c91a18a4ff
SHA1 baa1134538464033cce5d5dfff658440edc01ef5
SHA256 a4e9a437bdb914d97e823b6dc39894066d8131d8877b4265285b7656b90f4c0e
SHA512 7c40934ac6e7ecd34001ef00689235a4319d08a322cc65326614ac08a08516b6b470aa93a0f2bc6e7ffdf32e26527f81fa9f696aa1e7031b887b87d74e9d7cd5

memory/2992-34-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2496-43-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/2992-40-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/2512-39-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2528-25-0x000000013F020000-0x000000013F374000-memory.dmp

C:\Windows\system\VGbKeXb.exe

MD5 0e41f7cc92a0e6660cf6e5caa16ba0cc
SHA1 5a9a0984606ba85013b8b8d3e2b489b05d517d4b
SHA256 b868f4ad8f9f703bcdb80cac088bcb8be877d7d0de3ab1d5f0e5ac2b5849f274
SHA512 e161f316f08c947ff28aeb34d5744a080f1ce3c66e60437d4e35e5ea5b45f6f58e8e6d7e72c7161a6af12b3ab5cb35f0d5637837a47da2b8a2c317ef95183647

memory/2992-50-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2992-57-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2440-58-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2992-71-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2884-72-0x000000013F310000-0x000000013F664000-memory.dmp

memory/3028-85-0x000000013F4F0000-0x000000013F844000-memory.dmp

C:\Windows\system\DVpUQNI.exe

MD5 00cc4cbb5561f7335494951722b5648e
SHA1 610d3fc1d880325b2c637b5447f7b382c24631f9
SHA256 2409ab1ec0fbadc96e89ac054d73382a58ecd0688f9f75b6850d55e9cdda9032
SHA512 bb241a075087c63888dd37da4f01310e8de2b4d45f4fe6d3d164de6f12cc362c77730efdb3b28811f09a200d12d8b9f6e3c0beea4fcf02ad8b8b7a5c7b70a876

C:\Windows\system\JONyWpW.exe

MD5 7ee189927ad5eff6a5dea20dab8fd4df
SHA1 998368e52f03ed42a80237249add352a5b121f86
SHA256 f8d5c76766f723517ea4772dbe6d9f9e91fb10f31535d79f81d185022bac4011
SHA512 7775c766e38f10c46b99cf4b7efef0613ac24b973efac7d3c185e500b26ee9843b50efee8ac1047a5c530da0adab6f80c58447c5f71692a21adea29f167d9c12

C:\Windows\system\UTXIUWv.exe

MD5 39bce3088190ca132937936468d55dfd
SHA1 732118f2f781b9ab34372676984fca7adb01e692
SHA256 009f101cb5e908a2f17c96a928dfd1820d0399f7a1363610156847453cfada38
SHA512 b75a9e7e602e11aa8e8a503dc0c60563ade72d5980bb47a862ec219edf485d99210164c008c4a19b237e12f88f9fc4ac9239fe0e1c63b61f42b937a987471233

\Windows\system\pkHReYH.exe

MD5 c83866a7f33946a61036a3315977d537
SHA1 906bdf64f7861a06814fd0d39f7bea241fe61145
SHA256 ed826f96faa9669a913b17a034c50a1ddb577f1fd2f2880f5b0a2bcff2f9c779
SHA512 a6bfc178d87de465385d9fce35eed31a98e10fd8aa844058e00d98a390c745e3cde7a7c7df850d56bd104d57380a32c0487e0f1e55375991d42332b03369b81b

C:\Windows\system\KIgzcRg.exe

MD5 879a1e826236ff37e6a49dd2377c7314
SHA1 e4bc067311ee089bab00895c3307a52d77a15aa4
SHA256 be7d7f195e0638d80710536dea314ed2890e249106af61aec987cb135f5ec645
SHA512 ae37620f9b2a3e82060f1dc5cd006e0e15bc1d7c2914c284b29f6d6d59095fdbefccda8db965fe6b26e851cef43e404ea9b61cacc968126a9811bd26a614ab24

C:\Windows\system\QkYeBlM.exe

MD5 546908e546ede620c77537904ee60be4
SHA1 084a6616568419785e46a7f0e10526a65a274327
SHA256 cfa0d19894662e1a13bd38ab924d688f61a0f5fec1bd7caacb463ec476ff52fc
SHA512 66d794d6f127cfc910fc9e13b570f22cfa6ff904a20bc3ef4206f36c90e0947c3d81786ebbd565704851c08d032bed66bad8530f86cc5584ec787748ff6568e4

C:\Windows\system\uztvnQH.exe

MD5 c1256fb094b47dc387bb401981cdd62a
SHA1 5c1907266091d31290156f1a7e668bf802d11727
SHA256 76d997248d43ceb47e11df7b315b4fea78b424720c2e246dc6cddd93262e3c1e
SHA512 5e919dc600661040fc57d93254a915aa884faed616dc675723c8368c76fed45fa0a6ebd35ec7e7ae9375dc70f169beb995e926a6b680a9053f9d03d68697f52a

memory/2992-107-0x0000000002290000-0x00000000025E4000-memory.dmp

C:\Windows\system\iZUNdQl.exe

MD5 25bb822ab5e07c39b9e6569f16296fa8
SHA1 da5eeba558f062fe20f0fd7a8fafeda17292e407
SHA256 338b0d1cdeb6c72c59a1670d32bd1337abf938a885fcf8cb4898f7cf37e3daa8
SHA512 ef5ba82ecfc8a4ed99f2faa3317810448be5850e61f1b7de48a6d564c7b614a729e22478ddee5253aab4afc7344b1643f8ae72a28aaff8632e0ba46eb5450920

memory/2712-102-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2992-101-0x0000000002290000-0x00000000025E4000-memory.dmp

memory/2692-96-0x000000013F4B0000-0x000000013F804000-memory.dmp

memory/2992-95-0x000000013F4B0000-0x000000013F804000-memory.dmp

C:\Windows\system\olankER.exe

MD5 658385bf40d9ab85988c3b16562ad072
SHA1 7d2ef8982d36baf7d30e3b966727fc4a1f1d2b86
SHA256 65ebc248d5edb6d9eb1d7b80b66c62b7eff08b515c646bf71cfecad900854ba4
SHA512 b1d877094f98241595772bdc9bc6915df6e72bcc0e6ace7dca52422b51b096e4fd228132ec6ecce2739c4b37eccbe00a8a4f48470ee2511a217ac048aafa0f27

memory/2512-139-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2496-140-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/2652-94-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2444-87-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2992-86-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2896-79-0x000000013F540000-0x000000013F894000-memory.dmp

memory/2992-78-0x000000013F540000-0x000000013F894000-memory.dmp

C:\Windows\system\mFdPKRW.exe

MD5 afa1e34e8a11395c27a1a5e92ac07f55
SHA1 9d64c9332dc0e3981ff3bc6b782f4841a3913933
SHA256 f3e55714b8797d1bd72a10b55d9e78d9d60553e1d26f70241903eae253a99124
SHA512 e5cc72d7e207516d642aa57a3aaee91c7dbe4adf0386b23128fd0f3af045ce0ec252e6b101b5b11d8e24e29dd114cce97906690451f049ea129c99908c127648

C:\Windows\system\bDhsjKz.exe

MD5 a94c0e5ab2cfb9b1b6c9459ed13de65d
SHA1 b81f7a98e1005d2238b5dc0dd928a1c7ac577eaf
SHA256 da85450b0e80ae4c303de3648088e8ffe44a66b57a514b4b76c5ff0b4761209b
SHA512 7ca085d98f703c5d580def3f9d825cc5ad4a0be3cf9d5d16eb1b397f1e7c74c4dac72f1888c97c3eeec8041ad667b0e9ded45e1b4ff7a305bed6666e73ae32cd

C:\Windows\system\SgvGkAw.exe

MD5 b94d8b374a0641c6e5e8bb395e1875b9
SHA1 eaecb56dbae85cf1cf7a2c270b066a81dc6baf35
SHA256 88bc135cfb2db1f543e11a287e4375318c9a33b1ca25f9b6e6d1ab7ea8b042d6
SHA512 3501eea055a2feced0379e623523f6bd06b43a44a56f2a00c690fa478e2bd85e2a6beb12dd2d1fa6521bf1e34add39d6b6fce35b31309bcf3466ce59c4eccf37

memory/2416-64-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2992-63-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2940-62-0x000000013F310000-0x000000013F664000-memory.dmp

C:\Windows\system\SDJrldb.exe

MD5 fd9c5c86165a73f9275931002c8d2109
SHA1 b0a93f45cfcd74529da262906b73f3a2e6eae923
SHA256 da508c8a73250259a19bb8bfdade2f56b5f444d7e80c75f75bbe6612c6831033
SHA512 8931fb6fd6e014afe45982db6b4a5eeb33a8abc793a07ff58412536c46543204b37c6bbb8bdd268da11a10a06346a48084f62b75a969aa86f091fff35b09ce5c

memory/2776-51-0x000000013FEB0000-0x0000000140204000-memory.dmp

C:\Windows\system\zMUYFTo.exe

MD5 dc4d058dcd36dfdfa7689451c0bd2253
SHA1 3c4501ca10b3d1552e1b10f83a1da743a06cbc3e
SHA256 a333d1ac232530f4b8ff483e0e7b2dce83b295f940fd6841b209f6f2b9af5b39
SHA512 305537078730e0ce4742f290fad99af1518c600ba5589badc5d05958afeac43f2c91d8afd518062445e2e142f0ec3ae53ce43f8c1c2588b9205cae9614f0e278

memory/2416-141-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2884-142-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2992-143-0x000000013F540000-0x000000013F894000-memory.dmp

memory/2896-144-0x000000013F540000-0x000000013F894000-memory.dmp

memory/2992-145-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2444-146-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2992-147-0x000000013F4B0000-0x000000013F804000-memory.dmp

memory/2992-148-0x0000000002290000-0x00000000025E4000-memory.dmp

memory/2712-149-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2940-150-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2528-151-0x000000013F020000-0x000000013F374000-memory.dmp

memory/3028-152-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2652-153-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2496-154-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/2512-155-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2776-156-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2440-157-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2416-158-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2884-159-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2896-160-0x000000013F540000-0x000000013F894000-memory.dmp

memory/2444-161-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2692-162-0x000000013F4B0000-0x000000013F804000-memory.dmp

memory/2712-163-0x000000013FB80000-0x000000013FED4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 17:05

Reported

2024-06-01 17:07

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no description, indicator, process or target recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no description, indicator, process or target recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no description, indicator, process or target recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no description, indicator, process or target recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no description, indicator, process or target recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gFjcIRS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PTRUxLZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yGdqbwT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dqoMRvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KouetMy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wNZAwIO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rsjPZBK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AqYuPOT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jmfvdvd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DQyVfVb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\drHuWVq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jqhsYGK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RAxELKO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EKwSxXg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Ldeimha.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QlxrXeb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TfVJWZu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bnhjWzN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LlRqbNl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kBOGuoe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bdlBDcI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5004 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\bnhjWzN.exe
PID 5004 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\bnhjWzN.exe
PID 5004 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\jqhsYGK.exe
PID 5004 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\jqhsYGK.exe
PID 5004 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\LlRqbNl.exe
PID 5004 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\LlRqbNl.exe
PID 5004 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\RAxELKO.exe
PID 5004 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\RAxELKO.exe
PID 5004 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\kBOGuoe.exe
PID 5004 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\kBOGuoe.exe
PID 5004 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\EKwSxXg.exe
PID 5004 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\EKwSxXg.exe
PID 5004 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\Ldeimha.exe
PID 5004 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\Ldeimha.exe
PID 5004 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\gFjcIRS.exe
PID 5004 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\gFjcIRS.exe
PID 5004 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\PTRUxLZ.exe
PID 5004 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\PTRUxLZ.exe
PID 5004 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\yGdqbwT.exe
PID 5004 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\yGdqbwT.exe
PID 5004 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\QlxrXeb.exe
PID 5004 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\QlxrXeb.exe
PID 5004 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\bdlBDcI.exe
PID 5004 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\bdlBDcI.exe
PID 5004 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\wNZAwIO.exe
PID 5004 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\wNZAwIO.exe
PID 5004 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\TfVJWZu.exe
PID 5004 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\TfVJWZu.exe
PID 5004 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\rsjPZBK.exe
PID 5004 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\rsjPZBK.exe
PID 5004 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\AqYuPOT.exe
PID 5004 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\AqYuPOT.exe
PID 5004 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\dqoMRvc.exe
PID 5004 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\dqoMRvc.exe
PID 5004 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\KouetMy.exe
PID 5004 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\KouetMy.exe
PID 5004 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\jmfvdvd.exe
PID 5004 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\jmfvdvd.exe
PID 5004 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\DQyVfVb.exe
PID 5004 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\DQyVfVb.exe
PID 5004 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\drHuWVq.exe
PID 5004 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\drHuWVq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\bnhjWzN.exe

C:\Windows\System\bnhjWzN.exe

C:\Windows\System\jqhsYGK.exe

C:\Windows\System\jqhsYGK.exe

C:\Windows\System\LlRqbNl.exe

C:\Windows\System\LlRqbNl.exe

C:\Windows\System\RAxELKO.exe

C:\Windows\System\RAxELKO.exe

C:\Windows\System\kBOGuoe.exe

C:\Windows\System\kBOGuoe.exe

C:\Windows\System\EKwSxXg.exe

C:\Windows\System\EKwSxXg.exe

C:\Windows\System\Ldeimha.exe

C:\Windows\System\Ldeimha.exe

C:\Windows\System\gFjcIRS.exe

C:\Windows\System\gFjcIRS.exe

C:\Windows\System\PTRUxLZ.exe

C:\Windows\System\PTRUxLZ.exe

C:\Windows\System\yGdqbwT.exe

C:\Windows\System\yGdqbwT.exe

C:\Windows\System\QlxrXeb.exe

C:\Windows\System\QlxrXeb.exe

C:\Windows\System\bdlBDcI.exe

C:\Windows\System\bdlBDcI.exe

C:\Windows\System\wNZAwIO.exe

C:\Windows\System\wNZAwIO.exe

C:\Windows\System\TfVJWZu.exe

C:\Windows\System\TfVJWZu.exe

C:\Windows\System\rsjPZBK.exe

C:\Windows\System\rsjPZBK.exe

C:\Windows\System\AqYuPOT.exe

C:\Windows\System\AqYuPOT.exe

C:\Windows\System\dqoMRvc.exe

C:\Windows\System\dqoMRvc.exe

C:\Windows\System\KouetMy.exe

C:\Windows\System\KouetMy.exe

C:\Windows\System\jmfvdvd.exe

C:\Windows\System\jmfvdvd.exe

C:\Windows\System\DQyVfVb.exe

C:\Windows\System\DQyVfVb.exe

C:\Windows\System\drHuWVq.exe

C:\Windows\System\drHuWVq.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 73.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 131.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/5004-0-0x00007FF7FF3A0000-0x00007FF7FF6F4000-memory.dmp

memory/5004-1-0x0000022B0E120000-0x0000022B0E130000-memory.dmp

C:\Windows\System\bnhjWzN.exe

MD5 1eb280438fcaee73b7501fc4ac00acdb
SHA1 23a69b08a49edd6c6f37c54eca8e68f230a3ed32
SHA256 bc961e5449858a1f5f6cf62a46a3fa8c07a7f4a5d35dcb44ba28b76bc734bf7c
SHA512 ad8ee9d0a5ef2f6536380d769943964b7c6229586c50ab024d40d23aee33c6e4a406ea6c49f6a5ddc3a4c91d731064e7b1e9e5f109fa5e6750bb46f2ae934119

memory/2044-8-0x00007FF60FFC0000-0x00007FF610314000-memory.dmp

C:\Windows\System\LlRqbNl.exe

MD5 c5c9dac8230b706923b0de4e90e818ec
SHA1 d16c3d760faa8decb7164fcb5c9d495f0adadf22
SHA256 c9c35b79eacffa4b0c0cfdc1c3368562943b72e600e509521088b60f41b19d5a
SHA512 3318309a66b67a3b42ed43cb2140ba2f6f49d56bd9e590770559056c32e5e759cf59330f6b76b893b32c14ba92c28f28baa905de1914fee73ace11d6c87d7c98

C:\Windows\System\jqhsYGK.exe

MD5 186fef5e29a024e3bba77e8ea329c193
SHA1 5d4a4f65a7884656fc1bcfadbadf99234ef06041
SHA256 51229816e7ef63f9906eef45f23b8d6bbecbf91a90efec7869e8ae95a138dfc4
SHA512 a8eff53ad316ba285365cf4c72175b692d4da0fdfbfba86f1b7874967aa3168570fd15e08b1f6fec8c655ae610a5c941939a0203379947f741f3e0dd08768f87

memory/4144-12-0x00007FF7D5390000-0x00007FF7D56E4000-memory.dmp

C:\Windows\System\RAxELKO.exe

MD5 e11e9022e17f3d98b60598a202036c31
SHA1 79b5102719039ac10c377f70bb9710c7b5dca828
SHA256 3e543cdd92073baee43506e410abfe2689c277155fa321ceac5d852a8e4d8af1
SHA512 7932d41ee030cdd450e5a01737585a91f728e232e3611701019ffb27b413b44fbe9942aa46d3eedd3e69899cace7fcdef3922cd82711a728bcd35ec85089b6a9

C:\Windows\System\kBOGuoe.exe

MD5 865f8ad2f9a9edf3d5b713c5c0f25951
SHA1 01020ef01e46e3dbf0a4caeaaa31a5cfa92de258
SHA256 c6539f29d2adbe9aebc19bfe5f31831e2483a0062b8586f31d1d9913559e0e4c
SHA512 f8bd339ce2f06cdef6182e4537652a88182af0b3276ee64eda7e17bfe21eada1de558de1381b5ffcb0496cdfe92eafb374b36b0ec1dc34240e3b5e50e150b8ff

memory/1108-32-0x00007FF716110000-0x00007FF716464000-memory.dmp

memory/3400-26-0x00007FF6B1D00000-0x00007FF6B2054000-memory.dmp

memory/4928-22-0x00007FF6B07A0000-0x00007FF6B0AF4000-memory.dmp

C:\Windows\System\EKwSxXg.exe

MD5 b70dc101fc4c713d74dbc5b5a6c7b012
SHA1 0f6ac37b4c27af4887bc742159469a88b040fdcf
SHA256 73eae1b41e595f7a3c605a5c5fcbb97fe9527cf2bd84aede13d5339f2c6092b7
SHA512 a5de82333b111ce377faa861877a3abc7e208ce554aea452486f1dfab2b71e66c56a7d3c3aa24d51dafa3cfb2a5b479cca2669c1ca3bd94a027abb5feb203eaa

memory/3048-38-0x00007FF6ABBD0000-0x00007FF6ABF24000-memory.dmp

C:\Windows\System\Ldeimha.exe

MD5 eec62a85b81583fc492f9d0f19b79379
SHA1 6b43235757e61c18ee821a6820cf755b8d5f7b75
SHA256 9b4f6364676592a3df66aece4bda88831e011ee2990dfc1e27b15a97539a08fc
SHA512 a7de65f64456d0dbf4854b47f36ee30b623859d40bfde2abe9db7c9f0ffc5b26bcc9f8c3e300089c55d235bb905d1c5680a9cb7a0daaa27fe2f6bb77912e62d3

memory/4136-42-0x00007FF62BB00000-0x00007FF62BE54000-memory.dmp

C:\Windows\System\gFjcIRS.exe

MD5 0d2a0e782f723913a0e5fb32b38e5fb6
SHA1 c2dde5844226abb1ec1d95bd12abf190cc9ca4ff
SHA256 d09c509da4e2a11419070caad5ded15de63802520dc42f43b747359c48380924
SHA512 64bb56b239eee4b8405d2a199774a7b2e7493d6cb48fd7c1517d27dcd401ac5766fae22d51ae53e7fcdf573fc0f97af01c038178b3bd41d91c5c1d1c700b9f34

memory/4980-46-0x00007FF74CE80000-0x00007FF74D1D4000-memory.dmp

C:\Windows\System\PTRUxLZ.exe

MD5 95162b44e86a8a943727964b56d89980
SHA1 8deb023a57e9e9cedb0dda4dd71ccb7398c9be6d
SHA256 2b59500e362b580218280159b9057910c295b06cb9ac55442855fee1d882a454
SHA512 647a01edbcb1cffb8e177d4ec83821198d45b60d6ca866ac0c3f26fbbb1c1ede6b46572220c7cf32be66c186594d758eec7008d5a598626a46f083922e1425ef

C:\Windows\System\yGdqbwT.exe

MD5 279cf66265b1dd4781d3eddaff23fbf5
SHA1 601d839d4f59a63942e1b95c1fef385340fd2cc2
SHA256 c66847b28c004aefec11475a8333d3d6c6a2196921bd53711c086f4b18ad8fce
SHA512 3008cf69bf91b4157e1e602a57fbd6f205c9282f7483edda2286beeedab5efb76f76ead478361b81b6c06910c7ea874344f10a7d832b0828d89f41064f81bde7

memory/1672-54-0x00007FF61D930000-0x00007FF61DC84000-memory.dmp

memory/3572-63-0x00007FF72D1F0000-0x00007FF72D544000-memory.dmp

memory/5004-62-0x00007FF7FF3A0000-0x00007FF7FF6F4000-memory.dmp

C:\Windows\System\QlxrXeb.exe

MD5 151fcf83157bdc4dbf777acf8b4093f2
SHA1 4064afa5a6b3d8c5779fc6b9458b6d6852743b91
SHA256 59481c42a5c22f3b09c289112b0a67e0d27d2b427319097162d081c891883fcb
SHA512 8cd68a7c651b39065e6c76d1e10ad680800c7c336fafe46827cf7e3ecd4a4a8038ff279c724d12f0212640cea962394dc03b651a3547296a51bd08dfc787cb3c

C:\Windows\System\bdlBDcI.exe

MD5 7efe227d638ed4bf58367336147219e3
SHA1 04556d17e7f1270a79d5084f4efaa89f0cdd2b3b
SHA256 9b6f6bf7f78a88a0a6cfe1df8bb9b46277089667b9093c7a9661914e53baaa14
SHA512 42b79164e1d8fb94bd1f08dd584639ddf59e4102816b4c2a6053b159b459a77eed80b22ba1c3497f5e943d1cca65bcdf9eb9646e79d9e9ef85c4c63cd3435bbd

memory/3188-78-0x00007FF6F2920000-0x00007FF6F2C74000-memory.dmp

C:\Windows\System\TfVJWZu.exe

MD5 4e85ed4dfe53e4846401c070beb815be
SHA1 9b6f85b3b8da85ee98b3966b872f07cf27c65d05
SHA256 a001adfb1b5a423ea933b0caef11f448ec233db46be0db3a8e8f58a1f533e31a
SHA512 edbb6b0466ab091dbcb04fe391560f967661b77a19223ef6c9c2925f80d0652e42718b905f2e2de8755b76e99808970b5626516de493a5113a0e3e99af0d623d

C:\Windows\System\rsjPZBK.exe

MD5 a6632e1729e1c535c2800a855cf5507b
SHA1 44815cc044a9cf56242c65053d951fbe5082e958
SHA256 3508e60a426fcf50b7aa1d216f2cbbea962adb43c2b635dec5aaa121f463c23e
SHA512 50e7a113900a69e1e89442707de33bcd9df817b959a4742eac8046c12203e574a2ffe0747b8c2ac709fae1bd87cb94b1ef557cf595a1c7593a53a8ac2dd7ac6f

C:\Windows\System\AqYuPOT.exe

MD5 e520a603eca7ff42787aed4996d341aa
SHA1 b8f530e3b483e682c4a515cd47c0470baa981fcb
SHA256 a5a7ac6e562b1d8930a23130cf04281a63eef39a109670107301d891b61ec648
SHA512 0d19504415ce4f758804d4cf26bbb1d512f3f5dce0a5e9fb9059081932712276a272ac5b9c88f85b194730f17d733b21b4e991073a824dbb260b51e6d990a622

C:\Windows\System\dqoMRvc.exe

MD5 1507b4500935a3fd82fe3df6d663da65
SHA1 e9ba14d6bd0f5b8edcdc190817622c42c980e224
SHA256 cf5ccfe7136b4dae69de92b0eeeb4ab16f1f28c81ae85ed17b3cea2b974945fe
SHA512 7ee58453efdde300671b1d42bde456dae883bfecd89acb08859fd79c95b27fcbffd0b93f31dbf59681c4df6a0e0aa0287b8d9111509416aa36f9ff635465755c

C:\Windows\System\KouetMy.exe

MD5 ab61de290b50792ffba1aa0784368645
SHA1 24d4f88eaac1ba3d2ac8ec9842ca85cbf2061379
SHA256 e89b44a3f1ad6aefa3915312926edbbe55d677e3382de99e715369cb1c3161e9
SHA512 3e64604a5656ef27b83a731912a7712a349c45a4ab8a3525b62d5ad2c54eb7787b0b30ef0ca57b3d77f6ad81833fe9846f6fd70d9a92610c8fbacfa67bd2619f

C:\Windows\System\DQyVfVb.exe

MD5 2ea2d255862ae5ff78d6d147e080bf6e
SHA1 30c4dc60bad86e65695e8cd932959e1a8c98e9b8
SHA256 4d961904ad178e14f5c9e74e402fbb04b45901409d5dfd728c3b937e9cd69a8c
SHA512 8a0f3785e6ea65c8c05259f30e53afde616f7d85edb80b9d4ca2a673c9bc5b3109ea5dbb8738e58ca239c76479a009b013d270b41041f259d6648a31143dab44

C:\Windows\System\drHuWVq.exe

MD5 a610836a83094476cec2cc34d3fb2887
SHA1 2a21183c1cb475f31fcdecb34e277bf0e2371528
SHA256 47aec09702bc9de257c1338a837ab645cf416a23eeb638e427961bf786883243
SHA512 fd5bfdcab7f290a803c8c7684715cd63024a623ab06f6b138edc8c5de26af64c38355af69b6822010b2be20e866f3616db110146b8c7a9919123aa94f422a7b9

C:\Windows\System\jmfvdvd.exe

MD5 3816ba5ec3fecc68a395d96f0529131b
SHA1 1b113359c2a26c70ea3d9a96ac9a723ab0abd99d
SHA256 d83b479dd1a73730f69d341289d0dca67ac217cce780c9d3933102b46c94b19c
SHA512 676274c06ca2a808cf8c7f913db54d7775182002e35da45c666d2d71dabeacdebe8a627e41f4cb1cf455ba6bf43b54818b3f0007ba987261981ced9b4f2b8d12

memory/2560-91-0x00007FF6155E0000-0x00007FF615934000-memory.dmp

memory/4212-86-0x00007FF7CFEA0000-0x00007FF7D01F4000-memory.dmp

memory/4144-82-0x00007FF7D5390000-0x00007FF7D56E4000-memory.dmp

memory/4140-80-0x00007FF778CC0000-0x00007FF779014000-memory.dmp

C:\Windows\System\wNZAwIO.exe

MD5 8156686c56ce3e51c9aa28af422f4611
SHA1 e89128850756f8a7c2e238dc97cec7cf09f0b530
SHA256 fdd1b9d26767dc394d2f39167df9183043400876781fd2bbc9b2df64a6d60ed8
SHA512 a984f06ebdd205156992da14064b19912123ba49ebc46cf782e2f169e6781ea9f072a2dd575e7657bea21a59d4343aa46aa1bc0dabf4c372934dc872cb738ef7

memory/2044-72-0x00007FF60FFC0000-0x00007FF610314000-memory.dmp

memory/3400-124-0x00007FF6B1D00000-0x00007FF6B2054000-memory.dmp

memory/2756-127-0x00007FF653FA0000-0x00007FF6542F4000-memory.dmp

memory/3284-126-0x00007FF65A760000-0x00007FF65AAB4000-memory.dmp

memory/4560-128-0x00007FF7920E0000-0x00007FF792434000-memory.dmp

memory/3320-125-0x00007FF6A8F80000-0x00007FF6A92D4000-memory.dmp

memory/4780-129-0x00007FF7DADE0000-0x00007FF7DB134000-memory.dmp

memory/4092-130-0x00007FF6DD8D0000-0x00007FF6DDC24000-memory.dmp

memory/652-131-0x00007FF6F0ED0000-0x00007FF6F1224000-memory.dmp

memory/3048-132-0x00007FF6ABBD0000-0x00007FF6ABF24000-memory.dmp

memory/4136-133-0x00007FF62BB00000-0x00007FF62BE54000-memory.dmp

memory/4980-134-0x00007FF74CE80000-0x00007FF74D1D4000-memory.dmp

memory/1672-135-0x00007FF61D930000-0x00007FF61DC84000-memory.dmp

memory/2560-136-0x00007FF6155E0000-0x00007FF615934000-memory.dmp

memory/2044-137-0x00007FF60FFC0000-0x00007FF610314000-memory.dmp

memory/4144-138-0x00007FF7D5390000-0x00007FF7D56E4000-memory.dmp

memory/4928-139-0x00007FF6B07A0000-0x00007FF6B0AF4000-memory.dmp

memory/3400-140-0x00007FF6B1D00000-0x00007FF6B2054000-memory.dmp

memory/1108-141-0x00007FF716110000-0x00007FF716464000-memory.dmp

memory/3048-142-0x00007FF6ABBD0000-0x00007FF6ABF24000-memory.dmp

memory/4136-143-0x00007FF62BB00000-0x00007FF62BE54000-memory.dmp

memory/4980-144-0x00007FF74CE80000-0x00007FF74D1D4000-memory.dmp

memory/1672-145-0x00007FF61D930000-0x00007FF61DC84000-memory.dmp

memory/3572-146-0x00007FF72D1F0000-0x00007FF72D544000-memory.dmp

memory/3188-147-0x00007FF6F2920000-0x00007FF6F2C74000-memory.dmp

memory/4140-148-0x00007FF778CC0000-0x00007FF779014000-memory.dmp

memory/4212-149-0x00007FF7CFEA0000-0x00007FF7D01F4000-memory.dmp

memory/3320-150-0x00007FF6A8F80000-0x00007FF6A92D4000-memory.dmp

memory/2560-151-0x00007FF6155E0000-0x00007FF615934000-memory.dmp

memory/2756-153-0x00007FF653FA0000-0x00007FF6542F4000-memory.dmp

memory/3284-152-0x00007FF65A760000-0x00007FF65AAB4000-memory.dmp

memory/4560-154-0x00007FF7920E0000-0x00007FF792434000-memory.dmp

memory/4780-155-0x00007FF7DADE0000-0x00007FF7DB134000-memory.dmp

memory/652-157-0x00007FF6F0ED0000-0x00007FF6F1224000-memory.dmp

memory/4092-156-0x00007FF6DD8D0000-0x00007FF6DDC24000-memory.dmp
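The listings above are flat text, so pulling IOCs out of them by hand means wading through duplicated WriteProcessMemory rows, dozens of memory dump names and background network rows mixed with the one destination that matters. The Python below is an added example, not part of the sandbox report, and parses a copied excerpt of this behavioral2 section into deduplicated sets: SHA256 per executable dropped under C:\Windows\System, parent-to-child WriteProcessMemory pairs, the privilege the sample requested (SeLockMemoryPrivilege is the privilege XMRig enables for large-page allocation), memory dumps grouped by region size, and network rows split into direct-to-IP connections, resolved hosts and background noise. Treating the in-addr.arpa PTR queries and the tse1.mm.bing.net traffic as Windows 10 sandbox background is an assumption of the example, as is the excerpt itself. The size grouping is the check worth having: every image-sized dump in this section, the parent's and each dropped child's, spans 0x354000 bytes, consistent with the 21 randomly named copies being one and the same unpacked image; only memory/5004-1, a 0x10000-byte region, differs.

```python
"""Turn the flat text of a Triage-style sandbox report into deduplicated IOC sets."""
import re
from collections import Counter, defaultdict

# Constructed input: data rows copied from the behavioral2 section of this report
# (privilege, WriteProcessMemory, Network and Files listings). It is an excerpt;
# the full section lists 21 dropped executables, each with four hashes.
REPORT_EXCERPT = r"""
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe N/A
PID 5004 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\bnhjWzN.exe
PID 5004 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\bnhjWzN.exe
PID 5004 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe C:\Windows\System\jqhsYGK.exe
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
memory/5004-0-0x00007FF7FF3A0000-0x00007FF7FF6F4000-memory.dmp
memory/5004-1-0x0000022B0E120000-0x0000022B0E130000-memory.dmp
C:\Windows\System\bnhjWzN.exe
MD5 1eb280438fcaee73b7501fc4ac00acdb
SHA256 bc961e5449858a1f5f6cf62a46a3fa8c07a7f4a5d35dcb44ba28b76bc734bf7c
memory/2044-8-0x00007FF60FFC0000-0x00007FF610314000-memory.dmp
C:\Windows\System\jqhsYGK.exe
MD5 186fef5e29a024e3bba77e8ea329c193
SHA256 51229816e7ef63f9906eef45f23b8d6bbecbf91a90efec7869e8ae95a138dfc4
memory/4144-12-0x00007FF7D5390000-0x00007FF7D56E4000-memory.dmp
"""

# One regex per row shape the report uses; every line is classified by shape.
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
NET_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}:\d+)(?: (\S+))? (udp|tcp)$")
TOKEN_RE = re.compile(r"^Token: (\S+) N/A (\S+) N/A$")


def parse_report(text):
    """Single pass over the report text; hash lines attach to the path above them."""
    rep = {"files": {}, "dumps": [], "net": [], "writes": set(), "tokens": set()}
    current = None  # path whose hash lines we are currently reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_RE.match(line):
            pid, idx, start, end = m.groups()
            rep["dumps"].append((int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None
        elif PATH_RE.match(line):
            current = line
            rep["files"].setdefault(current, {})
        elif (m := HASH_RE.match(line)) and current:
            rep["files"][current][m.group(1)] = m.group(2)
        elif m := WRITE_RE.match(line):
            src, dst, _proc, target = m.groups()
            rep["writes"].add((int(src), int(dst), target))  # set drops duplicate rows
        elif m := NET_RE.match(line):
            cc, dest, domain, proto = m.groups()
            rep["net"].append({"cc": cc, "dest": dest, "domain": domain or "", "proto": proto})
        elif m := TOKEN_RE.match(line):
            rep["tokens"].add((m.group(1), m.group(2)))
    return rep


def dropped_hashes(rep, algo="SHA256", prefix="c:\\windows\\system\\"):
    """path -> hash for every executable the sample wrote under the Windows System dir."""
    return {p: h[algo] for p, h in rep["files"].items()
            if p.lower().startswith(prefix) and algo in h}


def injection_map(rep):
    """parent PID -> {(child PID, child image)} from the WriteProcessMemory rows."""
    tree = defaultdict(set)
    for src, dst, target in rep["writes"]:
        tree[src].add((dst, target))
    return dict(tree)


def dump_sizes(rep):
    """region size -> PIDs. Dumps of the same unpacked image share one size."""
    by_size = defaultdict(set)
    for pid, _idx, start, end in rep["dumps"]:
        by_size[end - start].add(pid)
    return dict(by_size)


def network_summary(rep, noise=(".in-addr.arpa", ".bing.net")):
    """Split rows into direct-to-IP connections (counted per dest/proto), resolved
    hosts worth a look, and background noise. Which suffixes count as noise is the
    analyst's assumption; the defaults are PTR lookups and Microsoft CDN traffic."""
    direct, named, background = Counter(), set(), set()
    for row in rep["net"]:
        dom = row["domain"]
        if not dom:
            direct[f'{row["dest"]}/{row["proto"]}'] += 1
        elif dom.endswith(noise):
            background.add(dom)
        else:
            named.add(dom)
    return {"direct": dict(direct), "named": named, "background": background}


if __name__ == "__main__":
    r = parse_report(REPORT_EXCERPT)
    for path, sha in dropped_hashes(r).items():
        print(f"{sha}  {path}")
    print("injection map:", injection_map(r))
    print("dump sizes:", {hex(k): sorted(v) for k, v in dump_sizes(r).items()})
    print("network:", network_summary(r))
    print("privileges:", r["tokens"])
```

Run as a script it prints the SHA256 list, the 5004 -> {2044, 4144} injection map, the two dump sizes (0x354000 shared by all three PIDs, 0x10000 for 5004 alone), the 3.120.209.58:8080/tcp destination with its hit count, and the SeLockMemoryPrivilege request. Feed it the whole report text instead of the excerpt and the same functions give the full 21-entry hash list and the full parent-to-child map.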