Malware Analysis Report

2024-10-24 18:15

Sample ID 240606-pq2f2afb46
Target 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike
SHA256 6f6057c04cd85dfb29863ed15cd66d2a6100f782f112725f6bada081205bf223
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6f6057c04cd85dfb29863ed15cd66d2a6100f782f112725f6bada081205bf223

Threat Level: Known bad

The file 2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

xmrig

Detects Reflective DLL injection artifacts

Xmrig family

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

XMRig Miner payload

Cobaltstrike

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 12:32

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 12:32

Reported

2024-06-06 12:35

Platform

win7-20240221-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\WNPfmgp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BsVBgbg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fQwrjUV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tEkHrYg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FQwoNMK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TsmUOCw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ynFooWL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nooleCK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bKnIcIL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MEYimLq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vfapkHh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bObNrGU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AsswDPL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oCvrJZR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NnXnYLN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XnGOrxn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NhQlQDM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uUqupNF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cIExyMK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qkruryb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NauGehs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\WNPfmgp.exe
PID 1152 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BsVBgbg.exe
PID 1152 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\NhQlQDM.exe
PID 1152 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\fQwrjUV.exe
PID 1152 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\tEkHrYg.exe
PID 1152 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\uUqupNF.exe
PID 1152 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\bKnIcIL.exe
PID 1152 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\oCvrJZR.exe
PID 1152 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\NnXnYLN.exe
PID 1152 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FQwoNMK.exe
PID 1152 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\MEYimLq.exe
PID 1152 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\cIExyMK.exe
PID 1152 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\vfapkHh.exe
PID 1152 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\TsmUOCw.exe
PID 1152 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ynFooWL.exe
PID 1152 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\qkruryb.exe
PID 1152 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\NauGehs.exe
PID 1152 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\bObNrGU.exe
PID 1152 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\XnGOrxn.exe
PID 1152 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\AsswDPL.exe
PID 1152 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\nooleCK.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\WNPfmgp.exe

C:\Windows\System\WNPfmgp.exe

C:\Windows\System\BsVBgbg.exe

C:\Windows\System\BsVBgbg.exe

C:\Windows\System\NhQlQDM.exe

C:\Windows\System\NhQlQDM.exe

C:\Windows\System\fQwrjUV.exe

C:\Windows\System\fQwrjUV.exe

C:\Windows\System\tEkHrYg.exe

C:\Windows\System\tEkHrYg.exe

C:\Windows\System\uUqupNF.exe

C:\Windows\System\uUqupNF.exe

C:\Windows\System\bKnIcIL.exe

C:\Windows\System\bKnIcIL.exe

C:\Windows\System\oCvrJZR.exe

C:\Windows\System\oCvrJZR.exe

C:\Windows\System\NnXnYLN.exe

C:\Windows\System\NnXnYLN.exe

C:\Windows\System\FQwoNMK.exe

C:\Windows\System\FQwoNMK.exe

C:\Windows\System\MEYimLq.exe

C:\Windows\System\MEYimLq.exe

C:\Windows\System\cIExyMK.exe

C:\Windows\System\cIExyMK.exe

C:\Windows\System\vfapkHh.exe

C:\Windows\System\vfapkHh.exe

C:\Windows\System\TsmUOCw.exe

C:\Windows\System\TsmUOCw.exe

C:\Windows\System\ynFooWL.exe

C:\Windows\System\ynFooWL.exe

C:\Windows\System\qkruryb.exe

C:\Windows\System\qkruryb.exe

C:\Windows\System\NauGehs.exe

C:\Windows\System\NauGehs.exe

C:\Windows\System\bObNrGU.exe

C:\Windows\System\bObNrGU.exe

C:\Windows\System\XnGOrxn.exe

C:\Windows\System\XnGOrxn.exe

C:\Windows\System\AsswDPL.exe

C:\Windows\System\AsswDPL.exe

C:\Windows\System\nooleCK.exe

C:\Windows\System\nooleCK.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/1152-0-0x000000013F410000-0x000000013F764000-memory.dmp

memory/1152-1-0x0000000000180000-0x0000000000190000-memory.dmp

\Windows\system\WNPfmgp.exe

MD5 d92fa9bcbaedcbfded5783fc4bdfbc2e
SHA1 05ef28d4c60e81ceaf4d131e20272b9cc25420c9
SHA256 bb6fa71e0c2e3ce539682c212d960bb541199b86fde22b486e234f6dee6935e6
SHA512 68e472c4a1d6d878bd7ff3ddf1edf7570ef639120c26248b381664d3b4b5f67b6fcb2d701c9dd00346138ae180e579bb3eaf01331e4511d7cddb89bc7466268c

\Windows\system\BsVBgbg.exe

MD5 9b40f6a112b19fbb6f704f1c53e90131
SHA1 a614a8fc93f63ee5da20b23bbda9791fb8cc6163
SHA256 bfbdb0a042283833be5ec1b0b2719a25b563e010647da8cdf55dbff13b62df1d
SHA512 dc255a65fb43adbfe0e5b179f8e71d01d70ef848212450e5076c8485946dc2e28da51d3b8d435d069e69fc21930c5f9c17bb5a85388935b1d578401177163545

memory/2228-7-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2236-15-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

C:\Windows\system\NhQlQDM.exe

MD5 328a92ba49457b65ef0bb14872325016
SHA1 c0b80f3c243d95a328c90ebc716b486599fbe9ec
SHA256 9fe79c4a391cc0c9c2ef4c2607c08c1c2abad986ded942007933468ba605418f
SHA512 bda0311d4d09b84b34a5cc70ec542a7a4cae9025c4a0e0d4156449e06dc15df73c61c6e295efcbd576125d48f56182be033953b5115d8f75b6d5932e830d2ed5

memory/1152-13-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

C:\Windows\system\fQwrjUV.exe

MD5 45f822d6ec91d3553fb9400d446d0d38
SHA1 e629229565e0fe80c2c5144993fa13dcaf097d2c
SHA256 b3ec9c86e357e0c45c989134a25e2ec0a89e036b2a3a88b1a327da0d9ef8c8a7
SHA512 192b41b3c26ea2e401efee1954c2c715edb6acfa6e4171d61a4a22a219d7b5c28e3b969ff7ea36b966ea35a7f6a95feb6f8be294ea4c282a0d827c55ddc879d9

memory/1152-26-0x0000000002340000-0x0000000002694000-memory.dmp

memory/1704-27-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2824-21-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/1152-20-0x0000000002340000-0x0000000002694000-memory.dmp

\Windows\system\tEkHrYg.exe

MD5 114f59a9f1b9eadc83d66f62fa57813b
SHA1 54aa2e1f2fac300a619fc32fe3d8692c081fa867
SHA256 60f53ed3d77bbb33e25c08f1eea6808e543e1ce1fb4edb87b99541b72fac9b0d
SHA512 05ae925bed4979f9b69ac483c47ce41fe462f2f84782cc3c3672db880340530a8c0a45a03c3bac8e6027604ccb3ee673b810bda8004120db8504b6b99f08733e

C:\Windows\system\uUqupNF.exe

MD5 4072b2722dbdbe570270bfeadb687843
SHA1 c9d3e5200ff09561d70b384ae8af814790661da1
SHA256 5c9931db5fdf67dcd4eb9894387f63d28853cb868e10d778b260d356d59f09fe
SHA512 94140072e8cc88f4e0def3be8c652529856dedaaa5b82f202d0b8ba932cc45f9426014b59caff2099ffc33aa5496f1a787dd5960d8f957e9a0f848cc88c2138e

memory/1744-37-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/3000-39-0x000000013F500000-0x000000013F854000-memory.dmp

memory/1152-38-0x0000000002340000-0x0000000002694000-memory.dmp

\Windows\system\oCvrJZR.exe

MD5 fd9a69cc7a173ad45c07375c985e1312
SHA1 aa31a8335edccad3bfcb51e7b590561c8205c6a4
SHA256 c52459493704014669ecd7c0b0ba143ec4b845032f26d1a5420f90a16d55f29c
SHA512 1a280e06dce28cb814a222af10b0be35dff56fc51af7a47c3d980febe41bcf1085fa63c0a9e24ce617937ea2a1401fcafde426d9a54a00d33570a296a42a8df2

memory/2908-49-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/1152-52-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/2228-55-0x000000013FDF0000-0x0000000140144000-memory.dmp

\Windows\system\bKnIcIL.exe

MD5 9ce0cf392d9b20526655f5f46ab32a6c
SHA1 717b7192a7032c96e276074d7d046567d03113fe
SHA256 022b2ccd27d0277e101f9124e4378fe691998eb42acfd0bb808d88e78b7ada44
SHA512 7efdd1649d23539b37c07065a5c084466ad0351ead2dbff205b3496dee871fea09c0389156757a2c4b78946ea54f3d67035567266cc371838081de61d2b849cd

memory/1152-57-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

\Windows\system\NnXnYLN.exe

MD5 eb16ca9547e0ffd436dd572f93ef0b23
SHA1 c350ebd05aad6bffcf7c4f8a8160070eaacb26a2
SHA256 627b5ae722eef39f3b1990a0dc02d971a63918fa58534012b55eede8981a5a6e
SHA512 e2ec5fdf7c1af81f6882d115e95a6ed02d02453d0ba1a646f16fdead3725bb405bddd7b6506ccd0d4b5a0be3a01fb867b1c56e72a30335f108d7cd1a2c01529c

memory/1152-47-0x000000013F410000-0x000000013F764000-memory.dmp

C:\Windows\system\FQwoNMK.exe

MD5 6e00893f49a13d3ca604073671c04f6a
SHA1 941d19b5a5824260b4ebdc4085c87c9900655f5c
SHA256 23a9378ffe9de4a1349c1ae9426bb2bfda57fe9a9ebb65e20e8faf83a0d347ac
SHA512 dc088b8d0254a01ab4c3febf8e9edb3ecba57758767059a821d15bd5aba086a0ce5bbdb5f0ff6624e5a41f324516f5b43d6cbcc279b2fff89151b011ce3b530c

memory/2508-68-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/1152-69-0x000000013FE10000-0x0000000140164000-memory.dmp

C:\Windows\system\MEYimLq.exe

MD5 c127e49e2c95bb5a192e0942639914e3
SHA1 c85315b5dc672bfb1b57079832957303bca93408
SHA256 f99a4599b6d16ce2ad48787d3f77e2676226e13a408f75617ce7168dd308ee7c
SHA512 0070b7eb0393d338c9b81ad7db672a8be507c63bd0b78d184196e82e1e36983ae52543f04b4aa0ede6124cdd38387f00a250461a1ab317e97c14b6b0baeea8c4

memory/2644-77-0x000000013F850000-0x000000013FBA4000-memory.dmp

C:\Windows\system\cIExyMK.exe

MD5 fd37c645b8712e0b77d1b45ed0ffa396
SHA1 9ebdb304922adad9586fc2f62b234b3a858325e5
SHA256 de1c6734590022d9a6cfbc6586f1af38e29bccf5530f3945fd70b21137f54628
SHA512 c93a1c64170ed474a5d0383b48fd625943056e9a5a0a8972bf926b913960ab05755cf0b0517d43b19712cdb32d7f5678c7ad33630245072b8e0ba458428902f3

memory/1152-86-0x0000000002340000-0x0000000002694000-memory.dmp

memory/2480-87-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2824-88-0x000000013F2B0000-0x000000013F604000-memory.dmp

\Windows\system\vfapkHh.exe

MD5 5ac8ef9a4bde56328bd60c6b7ad817b8
SHA1 89928c568f378ac9ade10289d8342924ff8031cc
SHA256 a52fde297510c91312b431257918f98af451c6760e286497d55cc2fd81292a06
SHA512 579bb04deef102434dcd2e70800b3a1dded8631fc40d8d7b519f5f8537170ef4ccddaacec3a90342bdc2639c5756dffa6834015b92e92450b4b66a106129a67f

memory/2376-95-0x000000013F630000-0x000000013F984000-memory.dmp

memory/1152-93-0x0000000002340000-0x0000000002694000-memory.dmp

memory/1704-92-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2540-83-0x000000013FF60000-0x00000001402B4000-memory.dmp

memory/2236-80-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/1152-78-0x000000013FF60000-0x00000001402B4000-memory.dmp

memory/1152-76-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2636-73-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/1152-96-0x0000000002340000-0x0000000002694000-memory.dmp

\Windows\system\TsmUOCw.exe

MD5 8764008bc634101d27d021a827c56ffd
SHA1 4b323694d65a01b91bb698aa00b3a078049295e6
SHA256 eb5c0e258558c7ae680bf6939486dc680168a05bc059ce2025ffbae323666a95
SHA512 a6165d832a1f6d848195a5b71273da80499dce33c655d40a1259d2bc7217da6278cf55c8dc45e6ef9c714778bf17e517af39e8dad3030e5bbea2231ab6f918ba

\Windows\system\qkruryb.exe

MD5 8ff5f30cf3e9b62cccab561f5d931683
SHA1 998673c496a4bbb1f6addf55e1f226b8a8bf78f1
SHA256 95fcbf4fee3259603f8876f55f424d89c8db514f5ac6aa76efc96ef1244a1954
SHA512 964716b8549c90299951473cbc54b7f2e418072a392df54aa978c65e4626b0a8dac1e5388d4018a77b1ee5ed70fc528bc787db5a741e4d9acba147ca3b15a73d

\Windows\system\NauGehs.exe

MD5 0d123aab921caaaa6a6e0d6d55810a2b
SHA1 ba2122b0818af4ad8803ea3e2e60fff90d85b966
SHA256 c227093c69de2a053decbd8d32f8884f58f2cbb12b2d09c83fd806f411f6b55b
SHA512 59f360180b95c3b0a7a3a74ef1d568c05d00814fcccdae8ca1aa0f65c82db8180a8194be17ea9925568b99c8ca9cb572b7cc8a25a047d4e750366717a4d53cec

memory/1152-123-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2848-124-0x000000013FE90000-0x00000001401E4000-memory.dmp

C:\Windows\system\XnGOrxn.exe

MD5 cb042f2fbb042e25d4c462a318bbc00f
SHA1 403694ee324a1577a05973bc2b5a79c27b24b7f0
SHA256 237ecc918d5bf4726e7ee6f1c5928d2d7d0f24b0a651e84e8e70ac661fb0409d
SHA512 c26bcd051a70755aaa3ef5bdd4ed46c8823718a420ca71dca91b416653f8a8c15668289c6099aeed556546621376ee4615dd8b6c33377902334ce94623ec7569

\Windows\system\nooleCK.exe

MD5 6859c00ce6523af6efb69de2f42d30a9
SHA1 a3e61a3d3692889c44ebe4b524e1351d375ada33
SHA256 4aa2f50fdad802530876abf60c56eb0ec844f09106c25b6c1dc0a6a38d558ac5
SHA512 8f21986ba3b865bc5420b944f666788760af1ce1f7b241af06758c36fb871a0d042920a1bd4610c73e76347f1096059389631256362725a402b420c87f150ac3

C:\Windows\system\AsswDPL.exe

MD5 0609fab9c695eb18e501461fcdd7fd5b
SHA1 c4432e2288496c803cf1974e7226b4a7f1878a62
SHA256 64efbb391992c4cad0ce8ff3b969d83fb90bda9d127e19f4929ec7e9a6a13a36
SHA512 6dab5fd426e6f6914d8ff9c817b4e98a347b9fcc286371aa4b295968509f1f489601c76b5f211d024d93be3da098bf42931d9d8f7154aa6dfb2963b86457e31c

C:\Windows\system\bObNrGU.exe

MD5 f0b29fdf636876b882108cd662c12019
SHA1 c91c739380772a30c94816387a4e27834678c9b3
SHA256 1c939acc3e46560a689d1a15e5ecb43ab330d96cdaabd51a8310d089b8ea4357
SHA512 d711939384cdba94a7303247505875607d787782e288ea5030f375418171de9a7f69223f00f374321a84f0bce4e3116c1ec4c0a65d73beba033962988db94e70

memory/1152-125-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/2908-115-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/1152-121-0x0000000002340000-0x0000000002694000-memory.dmp

C:\Windows\system\ynFooWL.exe

MD5 9c59a74c603aaffaa840242242d0a8b9
SHA1 765dd9571bc6d2dda9c276e651182745fdf2dd01
SHA256 1ec3ae2f2dde71128b5951b47b7f14c2b24e2de56756af6e93b301d550625120
SHA512 bc4984c7bbcaa7ffa1088055a4ac56afe2e90c767795896a7462d0b048c466e277b780f5ebed5d9f603326d1db3fb4738826d62d6ae8e0897c8309b38ffb7517

memory/3000-102-0x000000013F500000-0x000000013F854000-memory.dmp

memory/1744-98-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/1152-144-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/1152-145-0x0000000002340000-0x0000000002694000-memory.dmp

memory/2376-146-0x000000013F630000-0x000000013F984000-memory.dmp

memory/1152-147-0x0000000002340000-0x0000000002694000-memory.dmp

memory/2228-148-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2236-149-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/1704-150-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2824-151-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/3000-152-0x000000013F500000-0x000000013F854000-memory.dmp

memory/1744-153-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2508-154-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/2908-155-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2636-156-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/2644-157-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2540-158-0x000000013FF60000-0x00000001402B4000-memory.dmp

memory/2480-159-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2376-160-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2848-161-0x000000013FE90000-0x00000001401E4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 12:32

Reported

2024-06-06 12:35

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\bZvOLkv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PfvKVSE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kZfvKCw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uUVgoVx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PJihGwb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XQUxJVC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fkCfrYU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GgFGtAb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kGVGcjP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HqouYBP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IyNkLtg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MQzhqEM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pTtWfjo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xLDDAvr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pNYcRiF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cqRiyVD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BDHDmeP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FHZkPdE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zjptahN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UFWwZPD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wIKDZpF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1108 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\MQzhqEM.exe
PID 1108 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\MQzhqEM.exe
PID 1108 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zjptahN.exe
PID 1108 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zjptahN.exe
PID 1108 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\UFWwZPD.exe
PID 1108 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\UFWwZPD.exe
PID 1108 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\wIKDZpF.exe
PID 1108 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\wIKDZpF.exe
PID 1108 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\pTtWfjo.exe
PID 1108 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\pTtWfjo.exe
PID 1108 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\fkCfrYU.exe
PID 1108 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\fkCfrYU.exe
PID 1108 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xLDDAvr.exe
PID 1108 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xLDDAvr.exe
PID 1108 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\kZfvKCw.exe
PID 1108 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\kZfvKCw.exe
PID 1108 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\HqouYBP.exe
PID 1108 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\HqouYBP.exe
PID 1108 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\GgFGtAb.exe
PID 1108 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\GgFGtAb.exe
PID 1108 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNYcRiF.exe
PID 1108 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNYcRiF.exe
PID 1108 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\cqRiyVD.exe
PID 1108 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\cqRiyVD.exe
PID 1108 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\kGVGcjP.exe
PID 1108 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\kGVGcjP.exe
PID 1108 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\uUVgoVx.exe
PID 1108 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\uUVgoVx.exe
PID 1108 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BDHDmeP.exe
PID 1108 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BDHDmeP.exe
PID 1108 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\PJihGwb.exe
PID 1108 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\PJihGwb.exe
PID 1108 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\XQUxJVC.exe
PID 1108 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\XQUxJVC.exe
PID 1108 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\bZvOLkv.exe
PID 1108 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\bZvOLkv.exe
PID 1108 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\IyNkLtg.exe
PID 1108 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\IyNkLtg.exe
PID 1108 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\PfvKVSE.exe
PID 1108 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\PfvKVSE.exe
PID 1108 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FHZkPdE.exe
PID 1108 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FHZkPdE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\MQzhqEM.exe

C:\Windows\System\MQzhqEM.exe

C:\Windows\System\zjptahN.exe

C:\Windows\System\zjptahN.exe

C:\Windows\System\UFWwZPD.exe

C:\Windows\System\UFWwZPD.exe

C:\Windows\System\wIKDZpF.exe

C:\Windows\System\wIKDZpF.exe

C:\Windows\System\pTtWfjo.exe

C:\Windows\System\pTtWfjo.exe

C:\Windows\System\fkCfrYU.exe

C:\Windows\System\fkCfrYU.exe

C:\Windows\System\xLDDAvr.exe

C:\Windows\System\xLDDAvr.exe

C:\Windows\System\kZfvKCw.exe

C:\Windows\System\kZfvKCw.exe

C:\Windows\System\HqouYBP.exe

C:\Windows\System\HqouYBP.exe

C:\Windows\System\GgFGtAb.exe

C:\Windows\System\GgFGtAb.exe

C:\Windows\System\pNYcRiF.exe

C:\Windows\System\pNYcRiF.exe

C:\Windows\System\cqRiyVD.exe

C:\Windows\System\cqRiyVD.exe

C:\Windows\System\kGVGcjP.exe

C:\Windows\System\kGVGcjP.exe

C:\Windows\System\uUVgoVx.exe

C:\Windows\System\uUVgoVx.exe

C:\Windows\System\BDHDmeP.exe

C:\Windows\System\BDHDmeP.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8

C:\Windows\System\PJihGwb.exe

C:\Windows\System\PJihGwb.exe

C:\Windows\System\XQUxJVC.exe

C:\Windows\System\XQUxJVC.exe

C:\Windows\System\bZvOLkv.exe

C:\Windows\System\bZvOLkv.exe

C:\Windows\System\IyNkLtg.exe

C:\Windows\System\IyNkLtg.exe

C:\Windows\System\PfvKVSE.exe

C:\Windows\System\PfvKVSE.exe

C:\Windows\System\FHZkPdE.exe

C:\Windows\System\FHZkPdE.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/1108-0-0x00007FF78F3A0000-0x00007FF78F6F4000-memory.dmp

memory/1108-1-0x00000221A5FD0000-0x00000221A5FE0000-memory.dmp

C:\Windows\System\MQzhqEM.exe

MD5 c1a3282377cb82b098504514594e7b43
SHA1 271ad2dad4f9d8e418172e74bc99a41623daacac
SHA256 61f25f5fced1a67677ae58548b41ff4f12e65cfc08c27d5d2b18501cc41351fa
SHA512 dc92a36160eefadc40a483c82f1a692df8592a338a134f4be0a91edc44acb1863e6b0ea64f6a7e6c6debdcf307bd29ec56445eeb105c61dbec25655d5cd8ff5b

C:\Windows\System\zjptahN.exe

MD5 ed34ec9c9e37632c5b693959106c9140
SHA1 e1741e9c07cf026e678c0e229914e504d43e8d19
SHA256 557586d64eb33d42384d6840f5ceedc356b518f301a23c9c37d4ab758dc07c04
SHA512 1abe4c1cb603e6c80027419b6c7a101398717a5220aeaa00b1e388fe7616c70771d9a4534bac555255090e346c9f42af3ced84e6d73c873a47e545eddb48a7a6

C:\Windows\System\UFWwZPD.exe

MD5 bddfe9926862cf33dc2f98c828c7097f
SHA1 ef092d26f23571f81d6e4bd50779045232bdb509
SHA256 011e117044d88cc031d49b8e19d5e7d7aba4bc79f2e52caadc4d36766ed91e5a
SHA512 3a48405ea2a5dc5da6bd0862a22829dda13a3478dc8c7df6b9d6a44e49ea6f93782caa8522b594b0cd624581a0a1435b0d833ce6c12ff73dcc1f27ae1ad93a9b

memory/2328-8-0x00007FF67EC20000-0x00007FF67EF74000-memory.dmp

memory/3864-19-0x00007FF73B3D0000-0x00007FF73B724000-memory.dmp

C:\Windows\System\wIKDZpF.exe

MD5 d8400061133f489eaf9973073f70ee8b
SHA1 d862dc995022c4725a5a5ed5acdfbea0753b944d
SHA256 494a922d1015cae3363664c84149479bab4f6e72d20ce45680bcfbf86c8cc9d8
SHA512 8ef4e334599c487e63c8fe22a929dc1407aecf9ee7fddd393b631af0f051b0638c5961f716b3d35722b5f4658313b3d5bddbcbd85454e5a4cad5312c1479b432

memory/896-26-0x00007FF694C40000-0x00007FF694F94000-memory.dmp

memory/1396-17-0x00007FF74C8C0000-0x00007FF74CC14000-memory.dmp

C:\Windows\System\pTtWfjo.exe

MD5 9a340f66cbbcf59ef4cbc66245c703ee
SHA1 23983279481c10bb4dd0aeb39cac01001718be3e
SHA256 5818b75d0d99885ad62aeeec608f25c884e3e7482fb6d0138047da3e77a03318
SHA512 38f41fd0b06d015c70ca35df8c49fe49a616a1429dcb8ccc94e68473812092b20d01552b37e00e9bc9075e0a95e0934370c6d8a81a5ca522ca6c0d8d23d0ab16

memory/2288-32-0x00007FF7F1720000-0x00007FF7F1A74000-memory.dmp

C:\Windows\System\fkCfrYU.exe

MD5 4cb2b26e484f3678bbe69c168a815129
SHA1 bc50afc39c329e520a83b25aa53ba4fc955afa40
SHA256 a128df34fa8ffcc58f3c86c6db0635490f9df43680e33b86429c70760ef2cecc
SHA512 50b907b472b6e62f2f5f12327358a5f69f73febb58a7b6d987b0e05c6e4900e8cb32a00af4fa97884c99f8187bef0ffbab4d6091bf9f4db0a8f486115efa16e5

memory/3940-37-0x00007FF6CEF40000-0x00007FF6CF294000-memory.dmp

C:\Windows\System\xLDDAvr.exe

MD5 09e80afbaba58650bf99d2959d66555f
SHA1 e12cb8cd726c03a24194ff504071e1a20b496aeb
SHA256 f43d486bedbf06a51cb2f5f19ae6c9f7e857d7ae35c9b94797d3fbc60c5147c5
SHA512 e2a68df2cbbfbe8f5bc82b34c5041eab55e54a969c1123440924d6bc70c6282c1ded364c5b15a1ba357d8f55b538ae4c55e864ae491840f40d4d95a6c66487a7

memory/2056-42-0x00007FF69DB30000-0x00007FF69DE84000-memory.dmp

C:\Windows\System\kZfvKCw.exe

MD5 3e51d58bbceb2ee1f85d2bec36f074c1
SHA1 6b131fccd20c16b3ec04c64b3f55b74a38d928f1
SHA256 20ef1762c10a483f5f2ce3fa1c872fdfdb2d18895d9ed169f858c1ec0a1ecf08
SHA512 f79f51e448e9ac7860b7dbbfc96994611f38bfe6da588fe279224f84a11d25163e6a78026aecf5b12f01d6632e2874428a5911e2ab5c1ff42da4e93b84ec7b41

memory/1644-49-0x00007FF631FD0000-0x00007FF632324000-memory.dmp

C:\Windows\System\HqouYBP.exe

MD5 97080e0d48dcbafdbd1aa5b3b4fe19ea
SHA1 4c351c4c5324d7f73f4c4cde24110e881e4dc154
SHA256 d2463923841a5d588216e69d36661310c79792fbaaca02cec8da8f8ec7652c51
SHA512 7e1edfeecfa5730a49f0cba53041044987214ae9f5fb91a2ba7259b485e344f5ad16d5c71aa1f9a05e2a587c73d2e805a87959b589a9cd8016d7fd3771f1dc9d

C:\Windows\System\pNYcRiF.exe

MD5 8ba52077a740076ac3c33630be9b25c2
SHA1 b03e788db166230432b1b57d6ad5cb0c2f3808e9
SHA256 938fd61db48b6ad1f8c1715ec9064a66e39d98f1615469141ef9ce44fe0b7a9a
SHA512 987104135f85dd5d9ddfea2864d3af43d0a5347659cfbf032df89e8b3ff4ffe4886e4d0954f76788ee58523a887243b64d0d60ce53810b85587d77c4f98d6243

memory/1108-62-0x00007FF78F3A0000-0x00007FF78F6F4000-memory.dmp

C:\Windows\System\cqRiyVD.exe

MD5 9dc5db0391f057deaf335e8841d8b698
SHA1 ebe602f5bc3121dd73bffe8b543ac0fc2aaf9f6d
SHA256 a4fd8b3ced243a30fa7beab225738cc46a46377d91db0a8b66614601f87da6ed
SHA512 d91c413401ac6dea48790e843ca4ce8146651b86ca8b9a473f37e07fb46ed40b2ceba8d3f406d7e4533109267799aaf8a358f4e170025ddbb45b7af4b81dc915

C:\Windows\System\uUVgoVx.exe

MD5 208a7d200de09d5f3bd8c5c41f281b0f
SHA1 fe2c0b97fad4814eff23fdd6acebda1fcf7ababf
SHA256 6c21822cd43caf0c1dcf7de5a0e2f9fd341cdbadc70d093dd292816d6322ae96
SHA512 a82ae0641fd8a59f82c99ab21511d428a6b9ba787d8ef870c025757a534f279efa60b034d6e7a9619d1bcaa329d8b375139fb98a24f8e86915ccb0c9fbcddc67

C:\Windows\System\kGVGcjP.exe

MD5 999a8becd52f2c9b169e563640b63825
SHA1 15651e2f1c7a9076fc85457cc327d31a14719e04
SHA256 8a139fd9518283a2d9e7d065b7e9b0c46c10c5a6605b4f222ad697a102efeefe
SHA512 279bc224aaad15bad1d171a18fbec237201865fb8e5b0a979c3afeb052b591a2278551dc5325e43c0d0a107897ac859235fb1a1ff0e4d7f39c7105104c3a9cd6

memory/1292-85-0x00007FF64DAE0000-0x00007FF64DE34000-memory.dmp

memory/2328-87-0x00007FF67EC20000-0x00007FF67EF74000-memory.dmp

memory/640-88-0x00007FF768320000-0x00007FF768674000-memory.dmp

memory/4676-86-0x00007FF6038A0000-0x00007FF603BF4000-memory.dmp

memory/3604-82-0x00007FF7C4AB0000-0x00007FF7C4E04000-memory.dmp

memory/4984-79-0x00007FF6154B0000-0x00007FF615804000-memory.dmp

memory/4148-60-0x00007FF7E1000000-0x00007FF7E1354000-memory.dmp

C:\Windows\System\GgFGtAb.exe

MD5 f1d8da22fb824fbfc9c65316f31dfe74
SHA1 6e77d49c00b568d9731b1a9775317bc7daef5a28
SHA256 11f40b182ad36125445f8d61005acc9e71ec9c5903504c3bbbbea88e3e248a96
SHA512 2cff13c834bca0dfe0fc0d9d8ccfba004d577ef273a197c20c36d67621a86a370d15fe6e48a976c3081b668b1db0258b516ea9352d070dc94e8a3bbe0b6c9830

C:\Windows\System\BDHDmeP.exe

MD5 7713eb7c743271347693c3aed397ba97
SHA1 d92d59dfbd2bfe28ab08958416ae8b59e12e70c9
SHA256 c4f277cbf3f1b9c8cb25ddbd181bfeb188918ac532fae1658c9cb756330f9de0
SHA512 d371ba868ed40c35911a5ef82c0caace34335476d3e018c55af73bddea7354190441c47ceb4bcd809ddf1f8cfbd396e44acc4dde9b934bf999b894ffc4d09c12

memory/384-92-0x00007FF6568C0000-0x00007FF656C14000-memory.dmp

C:\Windows\System\PJihGwb.exe

MD5 35765bb01bba34d5fb3af92f4e617f1d
SHA1 41dcafd5dcee0d3b444dee20ef6ec57dc1780363
SHA256 e0d0aebdfc2b50f3da3e4f0a66f1d9fd631d2f6289ae915fc9b2cb7a5dd145e9
SHA512 8397e812fb206066a859c913d4bf465d5b8fedf370b12c4bdca3b7edfed98a41b13d4ec082e9f124e97ccb6abf29062f1be725e03b776fcc9d10f232e953847e

memory/4308-101-0x00007FF74F800000-0x00007FF74FB54000-memory.dmp

memory/3864-100-0x00007FF73B3D0000-0x00007FF73B724000-memory.dmp

C:\Windows\System\XQUxJVC.exe

MD5 ade896e0734f2240bf34ba181db3f306
SHA1 a3ea6ca29ade5e0afac65e5aeebc3c4806ca421f
SHA256 7faec22642a94b0eca6033b5e41f92fe2901725f0f2be4bddd7acc92c793e25d
SHA512 045275ffb8a75b85ce7d0b6898548a6620ee9b0b68440e5bafeaff235949c0d78071107c155a67fc2b252d00af2a6ee62f05f2646e6b40c9a34c7402d21671b9

memory/896-107-0x00007FF694C40000-0x00007FF694F94000-memory.dmp

memory/3544-112-0x00007FF664010000-0x00007FF664364000-memory.dmp

C:\Windows\System\IyNkLtg.exe

MD5 14a6d63ca8a083384d9cde9c3f02819a
SHA1 521a7d61910a1d1ba5b850146451297fde4c81a5
SHA256 9cf67080b2972a66bbda2e9778f9cc7458bc261a0d99eebc6ae32569d7f24779
SHA512 ef172ec2b4627db00c8706fe132e4afae3b9a68a2c27ccc58fe10af31c5589a3533efffa353fde7cbbfa0b754f97817e69405f29df733d30701dc473ed17f382

memory/3652-122-0x00007FF65E190000-0x00007FF65E4E4000-memory.dmp

C:\Windows\System\bZvOLkv.exe

MD5 c0ef00cd4cd6c6f14766a260707afec9
SHA1 07a178942bba515440891acd01f684ad7222e885
SHA256 cf19c3269d9a2f08a0cba37226bbbc01713e7d9740c9c807ba5deb3400c5ffe6
SHA512 80f3858230f9c1a085546f5d82b09dabf46c603154fa777126829ec341d3a662f1b27db10ebf74b568dd3fe40db5c3e9163d4df4fcc7a2779f929a9fa3161335

C:\Windows\System\FHZkPdE.exe

MD5 4d9afdab21f017c3f0f23f34f63b18c7
SHA1 a26e7227cf889b596e06f6bea741141e1c24372b
SHA256 d9b8a438b3d23cbec59225f6142428b89dea3d0a80a9f9a9fc44e8692204201c
SHA512 b6b03b9c27824a811cbe72446f5b199a5f80e497c3c408736600274e9b4934624fdf2a7ff021cc465bf34648c0b63240967aaa12fd28e692cb27849dac8738a5

memory/3940-125-0x00007FF6CEF40000-0x00007FF6CF294000-memory.dmp

memory/4704-123-0x00007FF7C97F0000-0x00007FF7C9B44000-memory.dmp

C:\Windows\System\PfvKVSE.exe

MD5 2e4038fd3ec1245b3eb7964d76ecb341
SHA1 f5f4c13b519cb5ba882e9d61e21242d0a5a6ab31
SHA256 eee736eb9d6ecf88818ce208723f57eb6d251feccfed7916c37401ad1ab0d1c9
SHA512 16730f55357764b536853cc6879a4b7d53f256156793623813f68119e9e12c0117df279942f65c9be9e3a4db571321b3d58c9f7f539bfb9a3c13b5a1a937eca8

memory/2056-132-0x00007FF69DB30000-0x00007FF69DE84000-memory.dmp

memory/4540-133-0x00007FF7BB610000-0x00007FF7BB964000-memory.dmp

memory/2868-131-0x00007FF6B0480000-0x00007FF6B07D4000-memory.dmp

memory/384-134-0x00007FF6568C0000-0x00007FF656C14000-memory.dmp

memory/3652-135-0x00007FF65E190000-0x00007FF65E4E4000-memory.dmp

memory/4704-136-0x00007FF7C97F0000-0x00007FF7C9B44000-memory.dmp

memory/2328-137-0x00007FF67EC20000-0x00007FF67EF74000-memory.dmp

memory/1396-138-0x00007FF74C8C0000-0x00007FF74CC14000-memory.dmp

memory/3864-139-0x00007FF73B3D0000-0x00007FF73B724000-memory.dmp

memory/896-140-0x00007FF694C40000-0x00007FF694F94000-memory.dmp

memory/2288-141-0x00007FF7F1720000-0x00007FF7F1A74000-memory.dmp

memory/3940-142-0x00007FF6CEF40000-0x00007FF6CF294000-memory.dmp

memory/2056-143-0x00007FF69DB30000-0x00007FF69DE84000-memory.dmp

memory/4148-145-0x00007FF7E1000000-0x00007FF7E1354000-memory.dmp

memory/1644-144-0x00007FF631FD0000-0x00007FF632324000-memory.dmp

memory/4984-146-0x00007FF6154B0000-0x00007FF615804000-memory.dmp

memory/4676-147-0x00007FF6038A0000-0x00007FF603BF4000-memory.dmp

memory/3604-148-0x00007FF7C4AB0000-0x00007FF7C4E04000-memory.dmp

memory/1292-149-0x00007FF64DAE0000-0x00007FF64DE34000-memory.dmp

memory/640-150-0x00007FF768320000-0x00007FF768674000-memory.dmp

memory/384-151-0x00007FF6568C0000-0x00007FF656C14000-memory.dmp

memory/4308-152-0x00007FF74F800000-0x00007FF74FB54000-memory.dmp

memory/3544-153-0x00007FF664010000-0x00007FF664364000-memory.dmp

memory/2868-154-0x00007FF6B0480000-0x00007FF6B07D4000-memory.dmp

memory/3652-155-0x00007FF65E190000-0x00007FF65E4E4000-memory.dmp

memory/4704-156-0x00007FF7C97F0000-0x00007FF7C9B44000-memory.dmp

memory/4540-157-0x00007FF7BB610000-0x00007FF7BB964000-memory.dmp