Malware Analysis Report

2025-01-22 19:34

Sample ID 240601-vnaheshc9s
Target 2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike
SHA256 9d56348bdcd2464b28f6a502b35a26b771d5aa28c68a886dd315520d274b4461
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9d56348bdcd2464b28f6a502b35a26b771d5aa28c68a886dd315520d274b4461

Threat Level: Known bad

The file 2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

Xmrig family

Cobaltstrike

Detects Reflective DLL injection artifacts

xmrig

Cobaltstrike family

UPX dump on OEP (original entry point)

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 17:07

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 17:07

Reported

2024-06-01 17:10

Platform

win7-20240215-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ahUPYzu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vclGVma.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kkjObmV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QDRMrzY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NGHvmBL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JYlKVlz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KEKDjKT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZnppEvk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UxHViVY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WySemUP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iGkBrvQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cjGVNtC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sZHkIoL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pRpjGvA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NGTBPqh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rKWMeYy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oQRxfqK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KZvaguD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VlkMpLT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EEVLiRa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dRiMpUK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\dRiMpUK.exe
PID 1204 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\pRpjGvA.exe
PID 1204 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\kkjObmV.exe
PID 1204 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\NGTBPqh.exe
PID 1204 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\sZHkIoL.exe
PID 1204 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\rKWMeYy.exe
PID 1204 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\oQRxfqK.exe
PID 1204 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\UxHViVY.exe
PID 1204 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZnppEvk.exe
PID 1204 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\QDRMrzY.exe
PID 1204 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\KZvaguD.exe
PID 1204 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ahUPYzu.exe
PID 1204 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\WySemUP.exe
PID 1204 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\NGHvmBL.exe
PID 1204 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\VlkMpLT.exe
PID 1204 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\iGkBrvQ.exe
PID 1204 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\JYlKVlz.exe
PID 1204 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\EEVLiRa.exe
PID 1204 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\vclGVma.exe
PID 1204 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\cjGVNtC.exe
PID 1204 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\KEKDjKT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\dRiMpUK.exe

C:\Windows\System\dRiMpUK.exe

C:\Windows\System\pRpjGvA.exe

C:\Windows\System\pRpjGvA.exe

C:\Windows\System\kkjObmV.exe

C:\Windows\System\kkjObmV.exe

C:\Windows\System\NGTBPqh.exe

C:\Windows\System\NGTBPqh.exe

C:\Windows\System\sZHkIoL.exe

C:\Windows\System\sZHkIoL.exe

C:\Windows\System\rKWMeYy.exe

C:\Windows\System\rKWMeYy.exe

C:\Windows\System\oQRxfqK.exe

C:\Windows\System\oQRxfqK.exe

C:\Windows\System\UxHViVY.exe

C:\Windows\System\UxHViVY.exe

C:\Windows\System\ZnppEvk.exe

C:\Windows\System\ZnppEvk.exe

C:\Windows\System\QDRMrzY.exe

C:\Windows\System\QDRMrzY.exe

C:\Windows\System\KZvaguD.exe

C:\Windows\System\KZvaguD.exe

C:\Windows\System\ahUPYzu.exe

C:\Windows\System\ahUPYzu.exe

C:\Windows\System\WySemUP.exe

C:\Windows\System\WySemUP.exe

C:\Windows\System\NGHvmBL.exe

C:\Windows\System\NGHvmBL.exe

C:\Windows\System\VlkMpLT.exe

C:\Windows\System\VlkMpLT.exe

C:\Windows\System\iGkBrvQ.exe

C:\Windows\System\iGkBrvQ.exe

C:\Windows\System\JYlKVlz.exe

C:\Windows\System\JYlKVlz.exe

C:\Windows\System\EEVLiRa.exe

C:\Windows\System\EEVLiRa.exe

C:\Windows\System\vclGVma.exe

C:\Windows\System\vclGVma.exe

C:\Windows\System\cjGVNtC.exe

C:\Windows\System\cjGVNtC.exe

C:\Windows\System\KEKDjKT.exe

C:\Windows\System\KEKDjKT.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/1204-0-0x00000000000F0000-0x0000000000100000-memory.dmp

memory/1204-1-0x000000013F600000-0x000000013F954000-memory.dmp

C:\Windows\system\dRiMpUK.exe

MD5 a42d96dc1468f86e087c32e479dc1eb4
SHA1 ef3c3e568f4f228361a1fd8f1d9ab90d8d540a85
SHA256 0ff32cd68b4a67ccd07c92d0798511c5d6ecc38b11ee1e8968c6a17031e1451d
SHA512 833b3d1f4da5be81548b9e0e30025d9b4a33051fea43af2f046426a5132714fd2b12ebe1ab173b30069115185d313af6695f268aa7a41b00cd3236c14f16d68a

C:\Windows\system\NGTBPqh.exe

MD5 42febb108c0b303a55b9ef73945acd06
SHA1 bb534131d7a9ea7d95f28419a43fbcaa5e173bb2
SHA256 6672c69f35f4d7ad3af7019d18498b283d24011751dde40ff90a0b0ecfe8112b
SHA512 599b914ffd21dfa6520fa3a643ff0e19f86c710f3a08f7b755507281d58eb47b5f1d4038ea32424a24f64c3e548835edcbd35e56e202a30a601171469bc25939

memory/1780-15-0x000000013FB00000-0x000000013FE54000-memory.dmp

C:\Windows\system\rKWMeYy.exe

MD5 b2cc1e9ab728d54a1e62c501713fcf48
SHA1 1b557f0d7e2513253bef1fb4e016c62bc4c0b231
SHA256 904f71119e307a6d831b9b5e3358fd806cbe811836de8a418d1f976bc6560c73
SHA512 fd4945c0ccf50d36b8aecadec0f8292cc0b22edc59e5aaf4acc1680c14c10a1d455d1bf866577a37507db1db70d10559c65aecaa20924b6dc7d921ec2f0cbd85

memory/2644-38-0x000000013FEA0000-0x00000001401F4000-memory.dmp

\Windows\system\UxHViVY.exe

MD5 127ff931912f551b1dbcf3e8ffb2288c
SHA1 9620e88a02e0b3709bd6141fd5dc1623db07cdf5
SHA256 36dfe80613dc717afa341343c5b9d1da63b8961d2b1d5cecf91f9b645f7693bc
SHA512 9914768adf15c1d86eb45199808f01dda62f337d2914ace60ea3595005411d7e09c957959c80647a5e0c387e0842948c0de552b8785a1ed6237e4f3d8dc89c9d

memory/2604-46-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2460-56-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/1204-55-0x000000013F600000-0x000000013F954000-memory.dmp

C:\Windows\system\oQRxfqK.exe

MD5 61de9526d1e7cc7028037b243a636449
SHA1 4cd63a9658d015d3e460c1f060e8dd624765d157
SHA256 580257b539cbded534816cd068228ad2631e7851a68374a0ad44e806f110ecb2
SHA512 4dc6e5f1d7bf9f6870b6f6ee8777e01108514bda10300a2435ae25c2284847a0e220448690d2b177f8259664ca084e44ac04908d916830edbd38853c6a9ec7e3

memory/2592-40-0x000000013F750000-0x000000013FAA4000-memory.dmp

\Windows\system\sZHkIoL.exe

MD5 cf9c8d605b076b84d4770a75793d3484
SHA1 28fe1494763f6151e5ee70771083724c599663d0
SHA256 cd11af6dfef581fb2ba1732263cd45807026d8122bdc5b8a3460b3a47fd6f745
SHA512 388df1d7839e2be08cc03a11338613efe4ec5a9742de9ec5995d6cbb33284bd991e7fc89abb7fdca3eaa8fed47b5641d00b436ef25311c2762d39b6a4b3dfbe2

memory/1204-36-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/1836-27-0x000000013FB50000-0x000000013FEA4000-memory.dmp

\Windows\system\kkjObmV.exe

MD5 f5f682d317af1f488ef7b31dfc6f7bf3
SHA1 f8bbd3c6ecd2155d8db47d377d46a547c8de7887
SHA256 b21a93322d497c7653a3a66035819bc313e74b498e6771b7ba9408c7fe7a5722
SHA512 74723114305e597bc3c16fc5c38f128c7410d9e0dd08222ec0540f09f8ee21503eeaa0cac0583df3b457396161713483447a63bc651618c606812e5e266c249b

C:\Windows\system\QDRMrzY.exe

MD5 547dcf2541ac079cbf49a1c412cbee3c
SHA1 9ab572b642212fd401331ba71dbfbafb47de1e07
SHA256 3f33b0d8a7d794e942af610be885bae0770b41b8369a79280192900e02452224
SHA512 a2124674fe4108751813c15b0b6ccd444a492494df740b7d2d72fa068dcb42c3a27ef14f63588cb75289b0afef484c7c3e6236c01950a821c2446bfad2864356

\Windows\system\ZnppEvk.exe

MD5 a3e4dd8eb994edda294a8af79da735a0
SHA1 89f53f97e4298dc1cf1d96bcbe13fad4f6d8c973
SHA256 0f96732c0e54bd39c21da2549d20e55a60fdc93bb1f2b50cbacae8b131592ab5
SHA512 1e048e1760cc5f80392971926f65c7b9f1cdfde89327892ba20db1910912d682ccd9198582352a02cb11b190e963c874d28a98e2d7ed9ab63e8e754129c3a21d

memory/812-76-0x000000013F8C0000-0x000000013FC14000-memory.dmp

memory/1204-75-0x00000000022F0000-0x0000000002644000-memory.dmp

C:\Windows\system\KZvaguD.exe

MD5 95e13e11260900f3867779e07997a23a
SHA1 e93696a2721c0855ea906af180eee47a851c2abf
SHA256 83a274d7cf98404d3f31de373579735f14fd19a6d5988928ce96399737fd0000
SHA512 aea71f43c22e7e53313eb9d9ed54d8b2c47c0e8e064229dc34dd25f718e2d7ac6316dc05b374dd4108b9575fe14927a8cc28d5bdf2463053800cd982a79f9c70

memory/2756-62-0x000000013FE40000-0x0000000140194000-memory.dmp

C:\Windows\system\ahUPYzu.exe

MD5 b38c223467ccc23e95d03ee22f152ad5
SHA1 49bf6012213d9b095eda7087d0c189424e049c27
SHA256 7ae2fd228b75f7ae05448c3f57c00d8ba06755be39d96c8b606b21bab952e31b
SHA512 aacd39e1c527e3d2516173d3c218b95841b3444b7f8e8af2deaab776af1ef07f6f204ae4d4c92efb5669e81f9f093a666223067ed910d431180a3aa28bb58ccc

memory/1836-84-0x000000013FB50000-0x000000013FEA4000-memory.dmp

\Windows\system\WySemUP.exe

MD5 f9687c886bfc2b6f9c314963b546dc5c
SHA1 d4aa5541bfe44c06f3e9d60e7353d55d3872bc72
SHA256 2a4d05ca3a51ed940e86494354e769fa22e861ea47c21efc66239455cbafaa1f
SHA512 405bb71ec2bec1e875a42e5376411bae69ae96500f28ff362565d3cb9721c0fa3e74d7f4081764d54bdf29621928a9649af4c221c19dccaba967991d3ecbaf94

memory/2852-96-0x000000013F5D0000-0x000000013F924000-memory.dmp

memory/2892-99-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2592-98-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2644-97-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2604-104-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/1204-105-0x00000000022F0000-0x0000000002644000-memory.dmp

\Windows\system\VlkMpLT.exe

MD5 6c0a08c224d5e09296cb34a9f5393d59
SHA1 02e9617b340a692b0fe63c2291a355b524cb1ec6
SHA256 bc2b4d84540239f98b618bdb0ea1464ca808664b3113a43634eb7ea82a54675e
SHA512 53abf1882d051d4f27c8c36c7e815b811125be706dc16a7deb395e826ecc6d7e7f0299e45e92824b45671c82abfd432323ac2798614d63a1324a012b6612bff5

memory/1204-95-0x00000000022F0000-0x0000000002644000-memory.dmp

C:\Windows\system\NGHvmBL.exe

MD5 98b8b09aba94d80522e52585efef6414
SHA1 f8e06143fbfdd3e797284d2c800db43d6a02fd39
SHA256 e77ae855e62856d47e5e35431438b1e66dfbe984ccad8e65397a70860a51a929
SHA512 fe515083c3f585578ca7844c55a7b550c59ca7527256d90ca8814063cf69e7d20b99385fdb6b6d6766f38a67bb4fb1439a0f21763861d11808c941cce5e0133c

memory/1204-92-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2472-86-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/1204-85-0x00000000022F0000-0x0000000002644000-memory.dmp

C:\Windows\system\iGkBrvQ.exe

MD5 322c38567a040cf54276e898e8dc8068
SHA1 48d6d3cf5cb8ed71f2363befbf95c330fe26e551
SHA256 cdd5e213ffe4023bc991107462c5cb02cfbb421f00282a920c2b598f525bca64
SHA512 1aec332278e04cc254b0d3de34f2e4cd76e342d22524d8f4723cb3e7f0e210c7cffb8add4eede18130ad9d7a573f9bf5d7530be866c8d559c97e4d6c20e7ebff

C:\Windows\system\cjGVNtC.exe

MD5 cf9dff787da5f1e409bd364c2a6ff9e1
SHA1 c9b716ef4b3c55e1ba629fed462af5c095a83672
SHA256 e62ab6be9ab272129255c4045a5cf247ca5957c80df503ecbb7c0505d955ff4b
SHA512 9e34fb179e36762054e1f278805675ae652a18dce117fc59e282882aa788804e9b3246e73826f711d69f293f21ce20080f788786d76557c6449ab2b7b0eb2167

\Windows\system\KEKDjKT.exe

MD5 afc1ad0d24f53b1a9c6de9fc5d059fd8
SHA1 ed8a177c1bf4d92f4ff3edd8dafeb09fdcc3e777
SHA256 9807b2e156b3bab16dce1c1fc29aedf659c332e85314d318ad024fa3796b8ca8
SHA512 dca3a1dbf73158bd0e1f8917f5404149bb3121c010a6669bc11830df600ee1ff9cd506d6054a0888e98bd5d7957c79aefa729ba1569fac016583c3e7d60c8766

C:\Windows\system\vclGVma.exe

MD5 dd5938e5b8ca9bb708e222cdb7cb1cb0
SHA1 f5c6b423866a499de422c95fa8b7a243361d1f92
SHA256 ca338f7a97a4c1583e9b1a8d730f200d51cf682d9ed4d9611575d32cb94fed0c
SHA512 0093ba74d92649843239d9c6f781245c3f6091a90050cfdd470204114b165a7079921aaee1a6918a2eedec9cafc5f250b09dd452184895e87d728d4de453e801

C:\Windows\system\JYlKVlz.exe

MD5 9f57293c8f5df179e01ffa5df0892292
SHA1 c78b0eba394fad8618877bc81df3ae05e96bfa68
SHA256 3d62b5c2833e6e327a41d9304da1382dfa6f064ba2842518029afebeeb7f2ff3
SHA512 6a698f4867eae383c2c5178dd6ad75518a4a0d38d0db84d5db0098a33cb783a621fef83da8f8b9597f8dbda97c45f72a9fa1ce3e980daf5071b27ba92aacdddf

C:\Windows\system\EEVLiRa.exe

MD5 07a44fedee58448febc0a3c3d2d0717c
SHA1 bbba974271136eec0f505ce446028cc260ba3b86
SHA256 d83b0993c858f9e14ece998f9a7c9aaed34b20ec21b5976535c84e0754c9ca01
SHA512 ed669fb6c4335ebf9fc442a5886c77e6d54c52bae8835c2e200abe3462c4726f7e881656b84a7728eb51e4d9b34453070882cc5aee8e30a571e95aae4ec4920e

memory/548-83-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/2228-81-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2476-68-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/1204-67-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/548-24-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/2228-23-0x000000013F720000-0x000000013FA74000-memory.dmp

C:\Windows\system\pRpjGvA.exe

MD5 71301a3ad7093cb752c31bef2a58595d
SHA1 7680b9d31e8e00e85c582d98feaebdfea087820b
SHA256 c0dc152bddcc45ba6024509367775a98dad3a598257d743cc2244bd433a0bca4
SHA512 cfc3b7c254f7a9670c56e40b089eb5292a9e2e126cfcb577746ea59016b2ed4cba04df917f56d8a9619c4cab248d69a71bd58bbe08244ce4a176826bd592ca95

memory/1204-20-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/1204-19-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/1204-18-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/1204-8-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2476-139-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/1204-140-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/2892-142-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2852-141-0x000000013F5D0000-0x000000013F924000-memory.dmp

memory/1780-143-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/548-144-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/1836-145-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2228-146-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2604-148-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2592-149-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2644-147-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2460-150-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2756-151-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/2476-152-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/812-153-0x000000013F8C0000-0x000000013FC14000-memory.dmp

memory/2472-154-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/2852-155-0x000000013F5D0000-0x000000013F924000-memory.dmp

memory/2892-156-0x000000013F130000-0x000000013F484000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 17:07

Reported

2024-06-01 17:10

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (19 identical rows: the report records no detail for any of the 19 hits)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (19 identical rows: the report records no detail for any of the 19 hits)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows: the report records no detail for any of the 64 hits)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows: the report records no detail for any of the 64 hits)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows: the report records no detail for any of the 64 hits)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\vOEoaVx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XkYqxFh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HaLTrxo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\slZMyrZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rSWrMpT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wKqVUdD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GvBbcNj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QmRuKLG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ueYjEjK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nOzKlpo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dLVDSSf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JHACHve.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZQnotPo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hXXNClh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KOqxqvO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KRdsBqi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NELHuqR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gbXRhrs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aHHfYqC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SptVUpQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ECCSOgz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe N/A
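SeLockMemoryPrivilege ("Lock pages in memory") is the user right XMRig enables so it can back its RandomX dataset with large pages, and in this run it is the parent sample itself that requests it, twice. The detection below is an added example, not tooling from the sandbox report: it reads Windows Security event 4703 ("A user right was adjusted", which is only emitted when the Audit Token Right Adjusted subcategory is enabled) and flags any process outside an allowlist that enables the privilege. The event records and the sqlservr.exe allowlist entry are constructed assumptions for the example; SQL Server is a common legitimate holder of this right, so the allowlist has to be tuned per estate.

```python
"""Flag processes that enable SeLockMemoryPrivilege via Security event 4703.

Assumptions (not stated by the report): the events are the EventData fields of
event 4703, with EnabledPrivilegeList holding one privilege name per line and
"-" when empty, and ProcessId given as a hex string as Windows logs it.
All sample records below are constructed for this example.
"""

# Assumed allowlist of binaries that legitimately lock pages. Paths are stored
# lowercase because Windows paths compare case-insensitively.
DEFAULT_ALLOWLIST = frozenset({
    r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe",
})

# Constructed 4703 records: the sample (PID 2044 == 0x7fc, as in the report),
# an allowlisted SQL Server, and an unrelated cmd.exe enabling other rights.
CONSTRUCTED_4703_EVENTS = [
    {
        "ProcessId": "0x7fc",
        "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe",
        "EnabledPrivilegeList": "SeLockMemoryPrivilege",
        "DisabledPrivilegeList": "-",
    },
    {
        "ProcessId": "0x1a4",
        "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
        "EnabledPrivilegeList": "SeLockMemoryPrivilege",
        "DisabledPrivilegeList": "-",
    },
    {
        "ProcessId": "0x9c0",
        "ProcessName": r"C:\Windows\System32\cmd.exe",
        "EnabledPrivilegeList": "SeDebugPrivilege\r\n\t\t\tSeBackupPrivilege",
        "DisabledPrivilegeList": "-",
    },
]


def split_privileges(field):
    """Parse a 4703 privilege-list field into a set of privilege names.

    The field is newline separated (often with leading tabs); a lone "-"
    means no privileges were changed.
    """
    names = set()
    for token in field.replace("\t", "\n").splitlines():
        token = token.strip()
        if token and token != "-":
            names.add(token)
    return names


def find_lock_memory_requests(events, allowlist=DEFAULT_ALLOWLIST):
    """Return [(pid, process_name)] for non-allowlisted processes that enabled
    SeLockMemoryPrivilege. Only the Enabled list matters: disabling the right
    is not the miner's behaviour."""
    hits = []
    for ev in events:
        enabled = split_privileges(ev.get("EnabledPrivilegeList", ""))
        if "SeLockMemoryPrivilege" not in enabled:
            continue
        name = ev.get("ProcessName", "")
        if name.lower() in allowlist:
            continue
        hits.append((int(ev["ProcessId"], 16), name))
    return hits


if __name__ == "__main__":
    for pid, name in find_lock_memory_requests(CONSTRUCTED_4703_EVENTS):
        print(f"PID {pid}: {name} enabled SeLockMemoryPrivilege")
```

The privilege is also granted through the "Lock pages in memory" policy, so a process can only enable it if an administrator (or the malware, via a privileged account) assigned the right first; a 4703 hit from a user-land binary in a temp or system directory is worth an immediate look even before the miner's CPU use shows.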

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\nOzKlpo.exe
PID 2044 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\nOzKlpo.exe
PID 2044 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\rSWrMpT.exe
PID 2044 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\rSWrMpT.exe
PID 2044 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\dLVDSSf.exe
PID 2044 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\dLVDSSf.exe
PID 2044 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\vOEoaVx.exe
PID 2044 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\vOEoaVx.exe
PID 2044 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\wKqVUdD.exe
PID 2044 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\wKqVUdD.exe
PID 2044 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\GvBbcNj.exe
PID 2044 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\GvBbcNj.exe
PID 2044 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\JHACHve.exe
PID 2044 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\JHACHve.exe
PID 2044 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\gbXRhrs.exe
PID 2044 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\gbXRhrs.exe
PID 2044 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\XkYqxFh.exe
PID 2044 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\XkYqxFh.exe
PID 2044 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\QmRuKLG.exe
PID 2044 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\QmRuKLG.exe
PID 2044 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZQnotPo.exe
PID 2044 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZQnotPo.exe
PID 2044 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\aHHfYqC.exe
PID 2044 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\aHHfYqC.exe
PID 2044 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\hXXNClh.exe
PID 2044 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\hXXNClh.exe
PID 2044 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ueYjEjK.exe
PID 2044 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ueYjEjK.exe
PID 2044 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\KOqxqvO.exe
PID 2044 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\KOqxqvO.exe
PID 2044 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\SptVUpQ.exe
PID 2044 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\SptVUpQ.exe
PID 2044 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\HaLTrxo.exe
PID 2044 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\HaLTrxo.exe
PID 2044 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ECCSOgz.exe
PID 2044 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ECCSOgz.exe
PID 2044 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\KRdsBqi.exe
PID 2044 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\KRdsBqi.exe
PID 2044 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\NELHuqR.exe
PID 2044 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\NELHuqR.exe
PID 2044 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\slZMyrZ.exe
PID 2044 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe C:\Windows\System\slZMyrZ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\nOzKlpo.exe

C:\Windows\System\nOzKlpo.exe

C:\Windows\System\rSWrMpT.exe

C:\Windows\System\rSWrMpT.exe

C:\Windows\System\dLVDSSf.exe

C:\Windows\System\dLVDSSf.exe

C:\Windows\System\vOEoaVx.exe

C:\Windows\System\vOEoaVx.exe

C:\Windows\System\wKqVUdD.exe

C:\Windows\System\wKqVUdD.exe

C:\Windows\System\GvBbcNj.exe

C:\Windows\System\GvBbcNj.exe

C:\Windows\System\JHACHve.exe

C:\Windows\System\JHACHve.exe

C:\Windows\System\gbXRhrs.exe

C:\Windows\System\gbXRhrs.exe

C:\Windows\System\XkYqxFh.exe

C:\Windows\System\XkYqxFh.exe

C:\Windows\System\QmRuKLG.exe

C:\Windows\System\QmRuKLG.exe

C:\Windows\System\ZQnotPo.exe

C:\Windows\System\ZQnotPo.exe

C:\Windows\System\aHHfYqC.exe

C:\Windows\System\aHHfYqC.exe

C:\Windows\System\hXXNClh.exe

C:\Windows\System\hXXNClh.exe

C:\Windows\System\ueYjEjK.exe

C:\Windows\System\ueYjEjK.exe

C:\Windows\System\KOqxqvO.exe

C:\Windows\System\KOqxqvO.exe

C:\Windows\System\SptVUpQ.exe

C:\Windows\System\SptVUpQ.exe

C:\Windows\System\HaLTrxo.exe

C:\Windows\System\HaLTrxo.exe

C:\Windows\System\ECCSOgz.exe

C:\Windows\System\ECCSOgz.exe

C:\Windows\System\KRdsBqi.exe

C:\Windows\System\KRdsBqi.exe

C:\Windows\System\NELHuqR.exe

C:\Windows\System\NELHuqR.exe

C:\Windows\System\slZMyrZ.exe

C:\Windows\System\slZMyrZ.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
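The Network table records two kinds of traffic: PTR (reverse) lookups sent to 8.8.8.8, whose in-addr.arpa names carry the looked-up address with its octets reversed, and repeated TCP sessions to 3.120.209.58:8080 with no domain attached. The script below, an added example and not part of the sandbox report, reverses the PTR names and separates the two classes so the direct endpoint can be pulled out for pivoting; the rows are copied from the table above and embedded as constructed input. Two caveats: the report does not say what the 8080 sessions carried, so that endpoint is an indicator to investigate rather than confirmed C2, and the reversed addresses sit in cloud and CDN ranges that a Windows 10 sandbox image typically resolves on its own, which is my reading and not something the report states.

```python
"""Separate resolver noise from direct connections in the report's Network table.

Rows are (country, destination, domain, proto) as printed in the report; an
empty domain means none was recorded. Constructed here so the script runs offline.
"""
import ipaddress
import re
from collections import Counter
from typing import Optional

NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "133.211.185.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "105.83.221.88.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "2.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "23.236.111.52.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
]

# IPv4 reverse-lookup name: four octets, least significant first, then in-addr.arpa.
_PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE
)


def ptr_name_to_ip(name: str) -> Optional[str]:
    """Turn a PTR query name back into the address that was looked up.

    '133.211.185.52.in-addr.arpa' is the reverse name for 52.185.211.133.
    Returns None for anything that is not a well-formed IPv4 reverse name.
    """
    m = _PTR_RE.match(name.strip())
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:  # an octet above 255
        return None


def classify(rows):
    """Split rows into (addresses reverse-looked-up, Counter of non-DNS endpoints).

    Anything sent to port 53 is treated as resolver traffic; everything else is a
    direct connection keyed by (host, port, proto) with a session count.
    """
    looked_up = []
    direct = Counter()
    for _country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if port == "53":
            ip = ptr_name_to_ip(domain)
            if ip:
                looked_up.append(ip)
            continue
        direct[(host, int(port), proto)] += 1
    return looked_up, direct


if __name__ == "__main__":
    ips, direct = classify(NETWORK_ROWS)
    print("reverse lookups for:", ", ".join(ips))
    for (host, port, proto), n in direct.most_common():
        print(f"direct {proto} {host}:{port} ({n} sessions)")
```

The direct endpoint is the only row a hunt can act on: a PTR query to a public resolver tells you the host resolved an address, not that the sample contacted it.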

Files

memory/2044-0-0x00007FF7C4640000-0x00007FF7C4994000-memory.dmp

memory/2044-1-0x000001FF62340000-0x000001FF62350000-memory.dmp

C:\Windows\System\nOzKlpo.exe

MD5 d4f0d35b51f18915d6a97986473bb36a
SHA1 64fab789c2564d941d183a614087fdf7c974ec2d
SHA256 3698dd44f234e0bd631604ca236deb920a9804a560104747b31e164ef4bbf422
SHA512 f89a94f510f9c6f10fb3ed1a7bccaf7a80814dd92e7e1743f164f3ba1f36eb153cd3cf24a34ea237a96a4485199a6c1be35748d474eb0f9a76a46649dc5ff906

C:\Windows\System\rSWrMpT.exe

MD5 ef221b9e4e740f02efffa624b3123391
SHA1 8d33bd3c7a8b3b3fc36c818d0e7d11dc5e749707
SHA256 85abcb22ffc7505a580cbfcd3cd592a1e777192b0696e10f008152ba998849a6
SHA512 2c8f530054ee1647f287da9dcbcd78fc18a52fec5ff6528be5612e98ebe4e34ddb7142fb393968df1519fdc212f10239ae699c126c2159c87d46d21161b59051

memory/3088-13-0x00007FF7472A0000-0x00007FF7475F4000-memory.dmp

memory/536-16-0x00007FF6F0700000-0x00007FF6F0A54000-memory.dmp

C:\Windows\System\dLVDSSf.exe

MD5 988410f92ee48af197544106cacddb72
SHA1 ae275f6ee35f2d485ec24dd83b0d6d499dd2a453
SHA256 a95bfff88eb66676242816ff5c4889498d51850db872bc7edbed530847f6a8ff
SHA512 27a7ccf2d6ac392e20653c0fecca667c1e2c5455f4d6c2b44c32daf33005d305f2d5f700e784c69186f3f19c1366239e1054dcc3f89972a7bafaca3fc2a6c867

memory/3612-20-0x00007FF6F2660000-0x00007FF6F29B4000-memory.dmp

C:\Windows\System\vOEoaVx.exe

MD5 75934adc8f9e6d3f19afe0a1e14b2784
SHA1 7087e1846452b3d9b8c58b57368df0d2b4d48d23
SHA256 68c7460cda5b728b775309146bf8fe4f6da58dc297bb5332553ef455a2e6e450
SHA512 6a3e16bdeeb7288a5789cc1454e84656253b59dfe8fd8278e3ebb3ea8a66ec95c53044f2849a932d6ebab5072fd9555650c87a5a736a17c37d315ba4f57ff08e

memory/4768-38-0x00007FF6D7EF0000-0x00007FF6D8244000-memory.dmp

C:\Windows\System\GvBbcNj.exe

MD5 272ba9ecb2a53f8e0a4f4aa00da21b7a
SHA1 79dafa886353cf558f5c0eb7dad0702a38c4ea4b
SHA256 35b9d8899e215a824f7ec44fdc686cec4d12ec65d47d144381b850aa564841d5
SHA512 5e822e2efb8b60ef1a5a77ada4b624309e9f93bc1e97bb5b6d2f126ca4d4e22d27fb56748b32dc6a0b9113009b56d9ea979eed6d7e995f4e78d7f972582afc53

C:\Windows\System\JHACHve.exe

MD5 0c3d603e7f15c713e07110f3593f08e2
SHA1 bfa9a9814ac87a166b5e0c706be5a8db3426f41b
SHA256 0171a1dffb17655a0e2245a509bf5de617b6edb63a0e2a9b9080c93f5a304e13
SHA512 93159260adfa72a6c10df52f8583160f3059a6bf09c93da1303e639afefb57d2d0a4fca993d276d604dfa03bf8dcc9ea6f6595ac63506a8051e03dea761dd6e2

C:\Windows\System\gbXRhrs.exe

MD5 5d1b47800f7770201506c453eb15fa5a
SHA1 63dcef97222ce53da1039cfd7f3f19458dbbe9ef
SHA256 6ec22ccb088eca2db22675088a2bc43e84f237dc95cbfb284405f8b7d8deb916
SHA512 1af54cc925b145ec3defe821380acbca242bc7ea9864f7c20c07965db02cee09944742756975912857058b3a7e0e96990dee99efce886278c798f83dbd4ddd83

memory/1484-48-0x00007FF7220D0000-0x00007FF722424000-memory.dmp

C:\Windows\System\XkYqxFh.exe

MD5 9a78c08c5a5fb78da63ede1845d93907
SHA1 3acb8af01eb1e55361cf83f81d8c8b4e0c1b7bbf
SHA256 9c08fcd6316362bfd9654c36d8e42c852b8b9d09f89b737d169b57ac6064cef2
SHA512 89633602d85b24723bd2e3d5859da83110056e023ca78451abd2cec2d33222923e974874f9f9d732af7576bef77e297c21a5ed138c60b5c2d86fb40854876a0a

memory/3560-56-0x00007FF7C96D0000-0x00007FF7C9A24000-memory.dmp

memory/2044-60-0x00007FF7C4640000-0x00007FF7C4994000-memory.dmp

memory/4772-66-0x00007FF6CD860000-0x00007FF6CDBB4000-memory.dmp

memory/3624-69-0x00007FF6E8380000-0x00007FF6E86D4000-memory.dmp

C:\Windows\System\ZQnotPo.exe

MD5 e0e41279f9efa48cc30b509cfcaf1635
SHA1 2ccd4183f74e478ed18da742112546ffa060ea92
SHA256 fd267c9bb3892aa1717a413be1bce36077e481b947b3b4d079e0c33a71df2cd0
SHA512 0348d57aa7610c9958d02a8caba2ae9407bdd49b55934efd11254ce45022a16685eb67f063d4d4cf335fdb438059f09a5a52e7f628f897e12f9d244b69b88d07

C:\Windows\System\QmRuKLG.exe

MD5 eb7b74d3419837b044514e9a8ac9d1c6
SHA1 e0797cd3f2fd681396cbf5505c8047f6b4a9aa8b
SHA256 a3d37df72afe3e64139e61522ac1dc8ebb77ac7543f1eface82149cb246d06a1
SHA512 c0f5ed334c26ee6300f30118cce5629d51c5061ddee5ad1b7c0ddeb49d6f213e969e5237f869eb530d60a1e7d52113d95f10dfdc411e878ed558d4681300aee7

memory/4804-50-0x00007FF7298D0000-0x00007FF729C24000-memory.dmp

memory/1992-32-0x00007FF7C7070000-0x00007FF7C73C4000-memory.dmp

C:\Windows\System\wKqVUdD.exe

MD5 b2fb8a17efd39a76bb7054fe458f13ac
SHA1 f3b1a7ae261b7e2d585a7fdaafd3ea20b90e7b42
SHA256 8ffbc970dd0ffad7df246a47c550cec563474cbfa7cbd29021e36183dc35a43f
SHA512 c211e3f841f530772dd58451f9ca60111b4ffda2c8f34db5520f114b36220f6e090be93ffde360ba40008b5d0c7ecd8f706a05d64ec3dc65da264eb54e32cacd

memory/1780-26-0x00007FF66D100000-0x00007FF66D454000-memory.dmp

C:\Windows\System\aHHfYqC.exe

MD5 893a8246b42948b9a06ed20b33532b6a
SHA1 83c7716ce6a516bdd98c1394f4e33de1321d4ee6
SHA256 609559dc4cc9b9f08d60672e18aa2edacd783fda0566a975e97ebec94e47653f
SHA512 63e7c864c0ba703f394f53d61ca1301cce445459c2e10e7d22ec6497a2a52b36565430b776b09bdd039d96cef79339cc53395ece680c9d90d9bcdec2ace0b24f

memory/2932-75-0x00007FF7FB430000-0x00007FF7FB784000-memory.dmp

C:\Windows\System\hXXNClh.exe

MD5 6fc1d2a6aa4e5fec1598640195150caa
SHA1 163971d08fea512c74e8dc6194438875b3a4e2dd
SHA256 c7702a558c524dcd71e1b49a725b4d00424bcfa78922fa47fa3df7ad8780489b
SHA512 32242bb3972b6c84fe04251d691d74728217a6789799a7b9b70417f9c92fed40204f2a0597f504eb1e15f95e5fdd6bfa9b9cbc89671f004164b2844ac1ca4ae4

C:\Windows\System\hXXNClh.exe

MD5 b77891e873582e56e92ba138083e54dd
SHA1 5249858c2cd1f406c4aa21158719fe4fb1a3afe7
SHA256 f7a21a253281e0ffe6edeff1956075d5dced7eb1e32518485c5783883ea97a3e
SHA512 844d7ca22700b9189a784ead4b81a1826972a11dcee9474e73f4eb700d75f470f5f0bb3b99b7ca029133f05a8bcf921bef7a4ca5286d269ae68232fc94f3b446

memory/1780-84-0x00007FF66D100000-0x00007FF66D454000-memory.dmp

memory/408-86-0x00007FF6D9140000-0x00007FF6D9494000-memory.dmp

C:\Windows\System\KOqxqvO.exe

MD5 83a55d92f31b981dee72b791cad44b73
SHA1 cbef31ba3a609f71036845bea3d6fe61a71c6f89
SHA256 dee6baf23f56f8e251cad8e8df6bc8194e23057c34498a57d780dad76c9315f1
SHA512 d6cd301af96f32e97c411011be4862ea0df21608598cb1c9ac19548caa5e2c05059a6f6601fe35fc7432feb199661f76a3d893f915b7510e1ad7c7e3e998cda6

C:\Windows\System\ECCSOgz.exe

MD5 3c030f65ac0110f2ddfd22c37b06327c
SHA1 7946878ae67e185d07cff467c562e8b018317884
SHA256 b17b80144698f354492515de6229d2541083ee80a03e7a523891ef44f62e485a
SHA512 586c510e75f2983df383fe8606a835266272623d675bcb6c01d769b43bd5ce0094dbd71a3028fa7e658ccc6e82dc1b6c7e391d222acf4cc497a74912830e781f

C:\Windows\System\KRdsBqi.exe

MD5 8bf5a28ac2a5e84400108e6a32281116
SHA1 a54baa009569c921e6c189c76dcdcc1843c1545e
SHA256 bd846b8d154725a2b29a7d43fd888bec99377cc00201b3cb449da0e2022f234e
SHA512 684ac88c8b306781c9a2d191c4bd41a529fd2b9d02eadce648ae8403388c3a4c757f3a65500ad584b348cc4741a108822bc32b37b87a6fe12515433fc6fe3ab7

C:\Windows\System\NELHuqR.exe

MD5 04d51d193560bd7cbe3c1aa4176588ed
SHA1 50c403f2cdd24613871102930823a4077a309a84
SHA256 d2f2e6f71c7392c54365bfeba96646f1b48bfc2b35cee99399fabe8555745a79
SHA512 16c84370d3456e4b479306cb1207e32853b3b3dacdc34ee2c06bac6f00e0ed99d27f6c49bc2894052479d03d45c8d3898044a71ee9425a44f4f5a31a42b6918a

C:\Windows\System\slZMyrZ.exe

MD5 8003c8ca1c6255c4a9df50b61d369786
SHA1 ef521c59d5519424152618453d9a1ec413a267cf
SHA256 caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8
SHA512 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795

C:\Windows\System\slZMyrZ.exe

MD5 0d5b011114595b7d7d9094d27d093553
SHA1 987525dc27a5cc5a41b4fe4bb89ab58e8a13c765
SHA256 1ea25a87f1c224a8af145c82285fa057e0153c8de738ed19b5c3fe5d1143000b
SHA512 975e8b1a83c3703fd3b61e4ccf69fbbe89341a863dd837d0bb056446a13e9572f46eb7b89abae4ae13e9121d8f156e1b514a1eb13b14117b28f3b4e729cbdcc0

memory/5080-125-0x00007FF70BD70000-0x00007FF70C0C4000-memory.dmp

memory/4804-124-0x00007FF7298D0000-0x00007FF729C24000-memory.dmp

memory/4788-121-0x00007FF674AE0000-0x00007FF674E34000-memory.dmp

memory/4412-120-0x00007FF78C5C0000-0x00007FF78C914000-memory.dmp

C:\Windows\System\NELHuqR.exe

MD5 1d51a6f9f8f706d40a78f27cac287065
SHA1 981c2096ede4558d1ebc91ef5d6ea849a5e05a26
SHA256 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1
SHA512 f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97

memory/4140-116-0x00007FF717400000-0x00007FF717754000-memory.dmp

memory/2396-106-0x00007FF67D360000-0x00007FF67D6B4000-memory.dmp

C:\Windows\System\HaLTrxo.exe

MD5 f030e73d61b0a6ca7ac30a89910fcdc5
SHA1 313d78a16de68238937bf81741c9dbec6c0c1401
SHA256 ae06c1352f3beda74b9b86089e9b5b6bdd216e2196e2a0303b964f930c31c0ed
SHA512 a62a267ff4e60e3ba56149f72172514e71c063cfc2de0fab721af28a92aece7ce6d3bf01545a2abaa9e86dc19213f998270bdde5fbd91922382d7dcaa773f865

C:\Windows\System\SptVUpQ.exe

MD5 a26702a3a1f517e4a78ac0feb8a2e9f6
SHA1 8eb22016e172bf16b1c7d6e4aa9d64506372339c
SHA256 da4691fd0024db5ba759ae9c47d1b0a18f0bdfc9d575fa30b14aab3f9e506740
SHA512 366fe15ba4b58988d8acec69e218a93e7b800c7a3f4eb5fb2b98efa2818d4a2bfd4cf5c56485f6cf705724f100738e3b1c7338a80df7ba0350207edae8d15033

memory/3384-99-0x00007FF760340000-0x00007FF760694000-memory.dmp

C:\Windows\System\ueYjEjK.exe

MD5 cf26e0d9bd7a2d965883d0f1d159c45f
SHA1 b849d7d4f3d2d8072543ed7154069361d0c67e92
SHA256 7c98bf851775d40674541d1fe6d5d27a4faf48221d2ac15896c95daf459dbdba
SHA512 b98cbe03180fa5d6512490041a501e4ccc11c2019f9abc670b643db7545dad83c94ca89efb8a62f73f40fbe63edf29412523659921df7ef641af9c5acf6b5bc7

memory/4840-83-0x00007FF636A70000-0x00007FF636DC4000-memory.dmp

C:\Windows\System\ueYjEjK.exe

MD5 4b7216d89e20f49e9c16c0253cc47511
SHA1 2897390157f4ddd1aa5b6b0434e8fd2685151896
SHA256 04a2e3581379ca63394646169e2f7cb8764608261eb5b43957d0130fd0e5013f
SHA512 f54f6e029123d95222d09bc2138897f709e3650dbd2270183df96ad9e927ef303c0844f40a0b5cc26ee82536f2274eb38af1088d33729d685b4f9415ecb7be84

memory/1568-131-0x00007FF7D9510000-0x00007FF7D9864000-memory.dmp

memory/3560-130-0x00007FF7C96D0000-0x00007FF7C9A24000-memory.dmp

memory/4772-132-0x00007FF6CD860000-0x00007FF6CDBB4000-memory.dmp

memory/408-133-0x00007FF6D9140000-0x00007FF6D9494000-memory.dmp

memory/2396-135-0x00007FF67D360000-0x00007FF67D6B4000-memory.dmp

memory/3384-134-0x00007FF760340000-0x00007FF760694000-memory.dmp

memory/3088-136-0x00007FF7472A0000-0x00007FF7475F4000-memory.dmp

memory/536-137-0x00007FF6F0700000-0x00007FF6F0A54000-memory.dmp

memory/3612-138-0x00007FF6F2660000-0x00007FF6F29B4000-memory.dmp

memory/1780-139-0x00007FF66D100000-0x00007FF66D454000-memory.dmp

memory/1992-140-0x00007FF7C7070000-0x00007FF7C73C4000-memory.dmp

memory/4768-141-0x00007FF6D7EF0000-0x00007FF6D8244000-memory.dmp

memory/1484-142-0x00007FF7220D0000-0x00007FF722424000-memory.dmp

memory/4804-143-0x00007FF7298D0000-0x00007FF729C24000-memory.dmp

memory/3560-144-0x00007FF7C96D0000-0x00007FF7C9A24000-memory.dmp

memory/4772-145-0x00007FF6CD860000-0x00007FF6CDBB4000-memory.dmp

memory/3624-146-0x00007FF6E8380000-0x00007FF6E86D4000-memory.dmp

memory/2932-147-0x00007FF7FB430000-0x00007FF7FB784000-memory.dmp

memory/4840-148-0x00007FF636A70000-0x00007FF636DC4000-memory.dmp

memory/408-149-0x00007FF6D9140000-0x00007FF6D9494000-memory.dmp

memory/4140-150-0x00007FF717400000-0x00007FF717754000-memory.dmp

memory/2396-151-0x00007FF67D360000-0x00007FF67D6B4000-memory.dmp

memory/3384-152-0x00007FF760340000-0x00007FF760694000-memory.dmp

memory/4788-153-0x00007FF674AE0000-0x00007FF674E34000-memory.dmp

memory/4412-154-0x00007FF78C5C0000-0x00007FF78C914000-memory.dmp

memory/5080-155-0x00007FF70BD70000-0x00007FF70C0C4000-memory.dmp

memory/1568-156-0x00007FF7D9510000-0x00007FF7D9864000-memory.dmp
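Every dump name in the Files sections follows memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp. Parsing the behavioral2 names shows that the parent (PID 2044) and each dropped child map a region of exactly 0x354000 bytes at a 0x00007FF6..0x00007FF7 base, so every dropped executable has the same image size even though their file hashes differ, while the parent's extra 0x10000 region at 0x1FF62340000 is a separate small allocation. The parser below is an added example, not tooling from the sandbox; the names are copied from the list above and embedded as constructed input, and the equal-size observation is mine rather than a statement the report makes.

```python
"""Parse sandbox memory-dump names and group the dumped regions per process.

Name pattern (as used throughout the report's Files sections):
    memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
The DUMPS list is a constructed subset of the behavioral2 names.
"""
import re
from collections import Counter, defaultdict

_DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DUMPS = [
    "memory/2044-0-0x00007FF7C4640000-0x00007FF7C4994000-memory.dmp",
    "memory/2044-1-0x000001FF62340000-0x000001FF62350000-memory.dmp",
    "memory/3088-13-0x00007FF7472A0000-0x00007FF7475F4000-memory.dmp",
    "memory/536-16-0x00007FF6F0700000-0x00007FF6F0A54000-memory.dmp",
    "memory/1780-26-0x00007FF66D100000-0x00007FF66D454000-memory.dmp",
    "memory/2044-60-0x00007FF7C4640000-0x00007FF7C4994000-memory.dmp",
    "memory/1780-84-0x00007FF66D100000-0x00007FF66D454000-memory.dmp",
    "memory/1568-131-0x00007FF7D9510000-0x00007FF7D9864000-memory.dmp",
    "memory/1780-139-0x00007FF66D100000-0x00007FF66D454000-memory.dmp",
]


def parse_dump(name):
    """Return {pid, seq, start, end, size} for one dump name; raise on garbage."""
    m = _DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """pid -> {(start, end): [sequence numbers]}; repeat snapshots of one region
    collapse into one key, which is how the same base shows up across the run."""
    out = defaultdict(lambda: defaultdict(list))
    for d in map(parse_dump, names):
        out[d["pid"]][(d["start"], d["end"])].append(d["seq"])
    return {pid: {r: sorted(s) for r, s in regs.items()} for pid, regs in out.items()}


def size_histogram(names):
    """Count distinct (pid, start, end) regions by size, ignoring re-dumps."""
    distinct = {(d["pid"], d["start"], d["end"]): d["size"] for d in map(parse_dump, names)}
    return Counter(distinct.values())


def pids_mapping_size(names, size):
    """PIDs that have at least one dumped region of exactly `size` bytes."""
    return sorted(pid for pid, regs in regions_by_pid(names).items()
                  if any(end - start == size for start, end in regs))


if __name__ == "__main__":
    for size, n in sorted(size_histogram(DUMPS).items()):
        print(f"{n} region(s) of 0x{size:X} bytes")
    print("PIDs mapping 0x354000:", pids_mapping_size(DUMPS, 0x354000))
```

Running the same parser over the behavioral1 names gives the same 0x354000 size at 0x000000013Fxxxxxx bases, so the relocation range differs between the two platforms but the mapped image does not; that is the kind of cross-run consistency worth checking before treating the many dropped files as many distinct payloads.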