Malware Analysis Report

2024-10-24 18:15

Sample ID 240606-q4c62afh43
Target 2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike
SHA256 bc87a8e01ba009f72d588748287d1d8c37a8c8da9c3577aa0aabe7b7cefe9d0b
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bc87a8e01ba009f72d588748287d1d8c37a8c8da9c3577aa0aabe7b7cefe9d0b

Threat Level: Known bad

The file 2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

XMRig Miner payload

Cobaltstrike

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Cobaltstrike family

xmrig

Cobalt Strike reflective loader

Xmrig family

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 13:48

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 13:48

Reported

2024-06-06 13:51

Platform

win7-20240221-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\eLcFmDU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DHbGbfs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jdAyvsO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sMpxiBS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fdhhizG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DEURpAW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PKTZqnW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oCbESDE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TQXDjPG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sRNfetF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EkNuHQy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AGHcAXH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jHCWHby.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YPFNrvU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dYkceII.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HfXpnWj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WENBqLO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lnCieWp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OEniadf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VLdupUe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ywVSzoB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\jHCWHby.exe
PID 1664 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\lnCieWp.exe
PID 1664 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OEniadf.exe
PID 1664 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\fdhhizG.exe
PID 1664 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\eLcFmDU.exe
PID 1664 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\DEURpAW.exe
PID 1664 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\YPFNrvU.exe
PID 1664 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\DHbGbfs.exe
PID 1664 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PKTZqnW.exe
PID 1664 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\VLdupUe.exe
PID 1664 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\dYkceII.exe
PID 1664 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HfXpnWj.exe
PID 1664 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oCbESDE.exe
PID 1664 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\TQXDjPG.exe
PID 1664 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\sRNfetF.exe
PID 1664 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ywVSzoB.exe
PID 1664 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\jdAyvsO.exe
PID 1664 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\EkNuHQy.exe
PID 1664 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\WENBqLO.exe
PID 1664 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\sMpxiBS.exe
PID 1664 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\AGHcAXH.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe"

Child processes (command line identical to the image path):

C:\Windows\System\jHCWHby.exe
C:\Windows\System\lnCieWp.exe
C:\Windows\System\OEniadf.exe
C:\Windows\System\fdhhizG.exe
C:\Windows\System\eLcFmDU.exe
C:\Windows\System\DEURpAW.exe
C:\Windows\System\YPFNrvU.exe
C:\Windows\System\DHbGbfs.exe
C:\Windows\System\PKTZqnW.exe
C:\Windows\System\VLdupUe.exe
C:\Windows\System\dYkceII.exe
C:\Windows\System\HfXpnWj.exe
C:\Windows\System\oCbESDE.exe
C:\Windows\System\TQXDjPG.exe
C:\Windows\System\sRNfetF.exe
C:\Windows\System\ywVSzoB.exe
C:\Windows\System\jdAyvsO.exe
C:\Windows\System\EkNuHQy.exe
C:\Windows\System\WENBqLO.exe
C:\Windows\System\sMpxiBS.exe
C:\Windows\System\AGHcAXH.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

SHA512 420e98fb8d3ed6ecb70d0ed9f59f66c1ca653f2b12176a31e57c8ced3700de2ddc8d3587726575e93a1f4d2801d01800d467642a01e77c27ddcedf3e936b20f8

C:\Windows\system\eLcFmDU.exe

MD5 8668217a051186533eb48f234a811744
SHA1 1b2b61ce8dfd73bb4795e257c3cc956799d3ca73
SHA256 345a350d464fa543ec0988d6575351b290f856747e6dd96f54dbba4d2032f2ac
SHA512 9a6ede279f49e0de6358e2fa9afa4adba94d83024b1f39683de723afd0da0f7c730754060f54d9ad72a17372fdf5a62c5224139df1f40ce5fb84f852d36ce8ec

memory/1664-138-0x00000000022E0000-0x0000000002634000-memory.dmp

memory/2404-140-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/1664-141-0x00000000022E0000-0x0000000002634000-memory.dmp

memory/628-142-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/1060-143-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/1664-144-0x000000013F4D0000-0x000000013F824000-memory.dmp

memory/1864-145-0x000000013F4D0000-0x000000013F824000-memory.dmp

memory/2628-146-0x000000013F7E0000-0x000000013FB34000-memory.dmp

memory/2944-147-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2608-148-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2456-149-0x000000013F780000-0x000000013FAD4000-memory.dmp

memory/2160-150-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2488-151-0x000000013FE20000-0x0000000140174000-memory.dmp

memory/2876-152-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2364-153-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2372-154-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/2620-155-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/628-156-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/1060-157-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/1864-158-0x000000013F4D0000-0x000000013F824000-memory.dmp

memory/2404-159-0x000000013F350000-0x000000013F6A4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 13:48

Reported

2024-06-06 13:51

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows; the report records no description, indicator, process or target for this rule)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows; the report records no description, indicator, process or target for this rule)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows; the report records no description, indicator, process or target for this rule)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows; the report records no description, indicator, process or target for this rule)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows; the report records no description, indicator, process or target for this rule)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ZKmYLHc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VlBljyN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oLgBzDl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DYOQXiA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\usHPJhH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RZjTlqA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xVwuXUp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZalUaOc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zdLSbJY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dbdMNIv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FvZnjBZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EgPmlJJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PVLFVuB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GXVOKzH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zzsMAME.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rnVaXcW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JNkYqdY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GhsWRnX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PEkaofb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VdWVCmm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lbSpZhR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

SeLockMemoryPrivilege ("Lock pages in memory") is the right required for large-page allocations (MEM_LARGE_PAGES). XMRig enables it at startup so that its RandomX dataset and scratchpads can be backed by huge pages; ordinary user applications almost never request it, so a process enabling this privilege outside of database or hypervisor software is a strong miner indicator on its own. Both rows below come from the parent process.

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3392 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZKmYLHc.exe
PID 3392 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZKmYLHc.exe
PID 3392 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\rnVaXcW.exe
PID 3392 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\rnVaXcW.exe
PID 3392 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\VlBljyN.exe
PID 3392 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\VlBljyN.exe
PID 3392 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\xVwuXUp.exe
PID 3392 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\xVwuXUp.exe
PID 3392 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZalUaOc.exe
PID 3392 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZalUaOc.exe
PID 3392 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oLgBzDl.exe
PID 3392 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oLgBzDl.exe
PID 3392 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\DYOQXiA.exe
PID 3392 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\DYOQXiA.exe
PID 3392 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zdLSbJY.exe
PID 3392 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zdLSbJY.exe
PID 3392 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JNkYqdY.exe
PID 3392 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JNkYqdY.exe
PID 3392 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\dbdMNIv.exe
PID 3392 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\dbdMNIv.exe
PID 3392 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\GhsWRnX.exe
PID 3392 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\GhsWRnX.exe
PID 3392 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PEkaofb.exe
PID 3392 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PEkaofb.exe
PID 3392 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\VdWVCmm.exe
PID 3392 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\VdWVCmm.exe
PID 3392 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\usHPJhH.exe
PID 3392 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\usHPJhH.exe
PID 3392 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\EgPmlJJ.exe
PID 3392 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\EgPmlJJ.exe
PID 3392 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PVLFVuB.exe
PID 3392 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PVLFVuB.exe
PID 3392 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\lbSpZhR.exe
PID 3392 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\lbSpZhR.exe
PID 3392 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FvZnjBZ.exe
PID 3392 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FvZnjBZ.exe
PID 3392 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\GXVOKzH.exe
PID 3392 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\GXVOKzH.exe
PID 3392 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zzsMAME.exe
PID 3392 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zzsMAME.exe
PID 3392 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\RZjTlqA.exe
PID 3392 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe C:\Windows\System\RZjTlqA.exe
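Read together, the "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables describe one pattern: a single parent (PID 3392) creates 21 executables with seven-letter random names directly under C:\Windows\System and then writes into each newly created child. A parent writing into a child it has just spawned is also what ordinary CreateProcess looks like to a sandbox hook (the parent populates the new process's startup data, which is why each child appears twice), so the WriteProcessMemory signature by itself does not prove injection; the fan-out is the signal. The Python below is an added example, not part of the sandbox report: it reconstructs the parent/child relationship from rows in the exact format of the two tables, de-duplicates the repeated writes, and checks that every dropped file was subsequently executed and that every name fits the seven-letter pattern. The embedded rows cover 5 of the 21 children; the regexes, threshold and function names are my own.

```python
import re
from collections import defaultdict

# Parent image, taken from the "Command Line" entry of this detonation.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe")

# Rows in the exact format of the two tables above, for 5 of the 21 children
# (the full report lists all 21 with the same shape).
FILE_CREATED_ROWS = [
    rf"File created C:\Windows\System\ZKmYLHc.exe {PARENT} N/A",
    rf"File created C:\Windows\System\VlBljyN.exe {PARENT} N/A",
    rf"File created C:\Windows\System\xVwuXUp.exe {PARENT} N/A",
    rf"File created C:\Windows\System\ZalUaOc.exe {PARENT} N/A",
    rf"File created C:\Windows\System\rnVaXcW.exe {PARENT} N/A",
]
WPM_ROWS = [
    rf"PID 3392 wrote to memory of 728 N/A {PARENT} C:\Windows\System\ZKmYLHc.exe",
    rf"PID 3392 wrote to memory of 728 N/A {PARENT} C:\Windows\System\ZKmYLHc.exe",
    rf"PID 3392 wrote to memory of 4636 N/A {PARENT} C:\Windows\System\rnVaXcW.exe",
    rf"PID 3392 wrote to memory of 4636 N/A {PARENT} C:\Windows\System\rnVaXcW.exe",
    rf"PID 3392 wrote to memory of 4340 N/A {PARENT} C:\Windows\System\VlBljyN.exe",
    rf"PID 3392 wrote to memory of 4340 N/A {PARENT} C:\Windows\System\VlBljyN.exe",
    rf"PID 3392 wrote to memory of 1208 N/A {PARENT} C:\Windows\System\xVwuXUp.exe",
    rf"PID 3392 wrote to memory of 1208 N/A {PARENT} C:\Windows\System\xVwuXUp.exe",
    rf"PID 3392 wrote to memory of 2920 N/A {PARENT} C:\Windows\System\ZalUaOc.exe",
    rf"PID 3392 wrote to memory of 2920 N/A {PARENT} C:\Windows\System\ZalUaOc.exe",
]

FILE_CREATED_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) N/A$")
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<proc>\S+) (?P<target>\S+)$")
# Seven-letter mixed-case name directly under the Windows System directory,
# as every dropped file in this report is named.
DROP_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_drops(rows):
    """Map dropped path -> creating process for every 'File created' row."""
    drops = {}
    for row in rows:
        m = FILE_CREATED_RE.match(row)
        if m:
            drops[m["path"]] = m["proc"]
    return drops


def parse_writes(rows):
    """Map (writer PID, target PID) -> target image; the sandbox logs two
    writes per child, so the dict collapses them to one edge."""
    writes = {}
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            writes[(int(m["src"]), int(m["dst"]))] = m["target"]
    return writes


def summarize(file_rows, wpm_rows):
    drops = parse_drops(file_rows)
    children = defaultdict(dict)            # writer PID -> {child PID: image}
    for (src, dst), image in parse_writes(wpm_rows).items():
        children[src][dst] = image
    if not children:
        return None
    # The writer that touched the most distinct children is the dropper.
    parent_pid = max(children, key=lambda pid: len(children[pid]))
    executed, dropped = set(children[parent_pid].values()), set(drops)
    return {
        "parent_pid": parent_pid,
        "child_pids": sorted(children[parent_pid]),
        "dropped": sorted(dropped),
        "dropped_and_executed": sorted(dropped & executed),
        "dropped_not_executed": sorted(dropped - executed),
        "written_but_not_dropped": sorted(executed - dropped),
        "random_name_hits": sum(1 for p in dropped if DROP_NAME_RE.match(p)),
    }


def is_mass_drop_pattern(summary, min_children=5):
    """True when one parent dropped and executed at least min_children
    distinct images and every dropped name fits the random-name pattern."""
    return (summary is not None
            and len(summary["dropped_and_executed"]) >= min_children
            and summary["random_name_hits"] == len(summary["dropped"]))


if __name__ == "__main__":
    s = summarize(FILE_CREATED_ROWS, WPM_ROWS)
    print(f"parent PID {s['parent_pid']} -> children {s['child_pids']}")
    print(f"dropped and executed: {len(s['dropped_and_executed'])}, "
          f"random 7-letter names: {s['random_name_hits']}/{len(s['dropped'])}")
    print("mass-drop pattern:", is_mass_drop_pattern(s))
```

On the full table the same code yields 21 children of PID 3392 with no dropped-but-unexecuted leftovers; the threshold of five is an arbitrary starting point for a hunting rule and should be tuned against installer behaviour in your own environment, since legitimate installers also drop and run several files, though rarely with random names under C:\Windows\System.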

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ZKmYLHc.exe

C:\Windows\System\ZKmYLHc.exe

C:\Windows\System\rnVaXcW.exe

C:\Windows\System\rnVaXcW.exe

C:\Windows\System\VlBljyN.exe

C:\Windows\System\VlBljyN.exe

C:\Windows\System\xVwuXUp.exe

C:\Windows\System\xVwuXUp.exe

C:\Windows\System\ZalUaOc.exe

C:\Windows\System\ZalUaOc.exe

C:\Windows\System\oLgBzDl.exe

C:\Windows\System\oLgBzDl.exe

C:\Windows\System\DYOQXiA.exe

C:\Windows\System\DYOQXiA.exe

C:\Windows\System\zdLSbJY.exe

C:\Windows\System\zdLSbJY.exe

C:\Windows\System\JNkYqdY.exe

C:\Windows\System\JNkYqdY.exe

C:\Windows\System\dbdMNIv.exe

C:\Windows\System\dbdMNIv.exe

C:\Windows\System\GhsWRnX.exe

C:\Windows\System\GhsWRnX.exe

C:\Windows\System\PEkaofb.exe

C:\Windows\System\PEkaofb.exe

C:\Windows\System\VdWVCmm.exe

C:\Windows\System\VdWVCmm.exe

C:\Windows\System\usHPJhH.exe

C:\Windows\System\usHPJhH.exe

C:\Windows\System\EgPmlJJ.exe

C:\Windows\System\EgPmlJJ.exe

C:\Windows\System\PVLFVuB.exe

C:\Windows\System\PVLFVuB.exe

C:\Windows\System\lbSpZhR.exe

C:\Windows\System\lbSpZhR.exe

C:\Windows\System\FvZnjBZ.exe

C:\Windows\System\FvZnjBZ.exe

C:\Windows\System\GXVOKzH.exe

C:\Windows\System\GXVOKzH.exe

C:\Windows\System\zzsMAME.exe

C:\Windows\System\zzsMAME.exe

C:\Windows\System\RZjTlqA.exe

C:\Windows\System\RZjTlqA.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
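Of the 25 rows in the Network table, 14 are DNS to 8.8.8.8 (13 of them reverse/PTR lookups, one a query for tse1.mm.bing.net), 5 are HTTPS to Bing hosts, and 6 are TCP connections to 3.120.209.58:8080 with no hostname recorded. The Bing and PTR traffic is ordinary Windows 10 sandbox background; the port-8080 endpoint is the only destination the table does not attribute to a Microsoft service, and the report does not say what it is (team server, mining pool, or something else), so it should be treated as an unexplained IOC to confirm rather than as a labelled C2. The Python below is an added example, not part of the sandbox report: it parses the rows exactly as printed above, separates resolver and telemetry noise from unexplained endpoints, aggregates hit counts per endpoint, and recovers the IPs behind the PTR names. The resolver address and the background-domain allow-list are my assumptions for this sandbox, not facts the report states.

```python
import re
from collections import Counter
from ipaddress import ip_address

# All 25 rows of the behavioral2 "Network" table above, copied verbatim.
NETWORK_ROWS = """
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
""".strip().splitlines()

# Country, ip:port, optional domain, protocol; the domain column is absent
# for rows where the sandbox saw no name (the 3.120.209.58 connections).
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")

# Assumptions for triage: the sandbox resolves through Google DNS and Bing
# traffic is Windows 10 background activity. Adjust per environment.
RESOLVER = "8.8.8.8"
BACKGROUND_DOMAINS = ("bing.com", "bing.net")


def parse_rows(rows):
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            yield {"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                   "domain": m["domain"] or "", "proto": m["proto"]}


def classify(conn):
    d = conn["domain"]
    if conn["ip"] == RESOLVER and conn["port"] == 53 and conn["proto"] == "udp":
        return "ptr-lookup" if d.endswith(".in-addr.arpa") else "dns-query"
    if any(d == s or d.endswith("." + s) for s in BACKGROUND_DOMAINS):
        return "background"
    return "unexplained"


def triage(rows):
    """Counts per class and per endpoint, plus the unexplained endpoints
    keyed by (country, ip:port/proto) with their hit counts."""
    by_class, endpoints, unexplained = Counter(), Counter(), Counter()
    for c in parse_rows(rows):
        cls = classify(c)
        ep = f"{c['ip']}:{c['port']}/{c['proto']}"
        by_class[cls] += 1
        endpoints[ep] += 1
        if cls == "unexplained":
            unexplained[(c["cc"], ep)] += 1
    return {"by_class": dict(by_class), "endpoints": dict(endpoints),
            "unexplained": dict(unexplained)}


def ptr_targets(rows):
    """IPv4 addresses behind the in-addr.arpa names (labels are reversed)."""
    ips = set()
    for c in parse_rows(rows):
        if c["domain"].endswith(".in-addr.arpa"):
            octets = c["domain"][: -len(".in-addr.arpa")].split(".")
            ips.add(ip_address(".".join(reversed(octets))))
    return [str(ip) for ip in sorted(ips)]


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print("classes:", result["by_class"])
    for (cc, ep), n in result["unexplained"].items():
        print(f"unexplained: {ep} ({cc}) x{n}")
    print("PTR targets:", ptr_targets(NETWORK_ROWS))
```

One of the recovered PTR targets, 23.62.61.75, is the www.bing.com address the sandbox connected to on 443, which is the usual shape of this noise: reverse lookups of peers the host already talked to, carrying no payload to the address itself. The allow-list is a triage convenience, not evidence that those connections are benign.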

Files

memory/3392-0-0x00007FF6821A0000-0x00007FF6824F4000-memory.dmp

memory/3392-1-0x00000242AA5A0000-0x00000242AA5B0000-memory.dmp

C:\Windows\System\ZKmYLHc.exe

MD5 0807945374ac8f8de64fbffc5dc6238a
SHA1 58a6f3a144105f7bf2081ca23b60b57265fbb835
SHA256 0dfb4e2b7eed5bae14e219a6b630cd89ad0b4d564ddec10fc8b6cedeaac04ef6
SHA512 ab2086fad471d15ce8518fd296e834b99d6cdb21e3eca7bbe518aff43891969effcf012028dbda8f1aa5f94b05df27658c16fe84e37c61aae26db98346b5144c

C:\Windows\System\rnVaXcW.exe

MD5 a4fdc1ab565e1cd4d7202493bd722437
SHA1 a4cd923361ccc3a1e9a465857326d2d37b4337eb
SHA256 ef2595b3c234dc3e89525e55c1fe0ffe02e6c84e3f440a57c5dece17f537a388
SHA512 06c94116b8ae178dfddcda66e0811bf6ef4c3667446649cd72b5a17c6f3064f4efbd17c2696158b5dfbf42dd5a22c3a963add9573e477f1855bf8f2c1276584a

C:\Windows\System\VlBljyN.exe

MD5 da74c2af7937f8430a00959cba7fa0dd
SHA1 25882fa6b330a5ce992077e31752aa58aa54eac6
SHA256 666c21dc6ec8e6773a5c62295164259b1f1bcba8507fd2b7c7076b85f959f3dc
SHA512 ba4ddc80e5e091e8815db996a5d3473d149eb56a85446f72649b52e74ac00e94e962efb7ec4a5b734b9e8325bcc8d4023eb974399b6c8676404ba22a31d4cfd2

memory/4636-15-0x00007FF6CF0C0000-0x00007FF6CF414000-memory.dmp

memory/728-6-0x00007FF646690000-0x00007FF6469E4000-memory.dmp

memory/4340-20-0x00007FF690AC0000-0x00007FF690E14000-memory.dmp

C:\Windows\System\xVwuXUp.exe

MD5 cc3b52a74365e1450e7b60e38e97fe4b
SHA1 b1be9f602b736f920cc4f0610fba9dba25c5871f
SHA256 8246721644f9c803a68338dd73a6d0d01ab5b794f6cae3349749cc5912265b0e
SHA512 8fe3b5db8000eaf730629dddc0de32f65e43002563b9fafb83649ed46cb748693f1420954d181da251a28725319f89a3e03962247ca1464f8d68caf272014e48

memory/1208-27-0x00007FF7C7CB0000-0x00007FF7C8004000-memory.dmp

C:\Windows\System\ZalUaOc.exe

MD5 51507ae40ef3b39fc68a2df12c75f10e
SHA1 93720b4890e180be1e9e61c15bd8328f0105f90d
SHA256 ef740cf9ddd75459b5e9de8d8e5bf93471cd9687b3e5e79dc59eed98e99dd0e1
SHA512 0ce6883a1a85dbc1c44d9b6bbfbedaeb0f98654cff74d789fd980823620ecf52a1926138db7f24b247cf19e2772831bf867972c48753b3bf9781a4ca4cb5a3a7

C:\Windows\System\oLgBzDl.exe

MD5 541c7c79cd70e73e584de9bedbcdd664
SHA1 6a259573e5d382520b5a46c827cfc0dda2e8c8ce
SHA256 6c183f06f8887cfeae5eb4d505d08e2ce50bb65f7c1592ef3c2dfd9d2a448475
SHA512 4df6ffc14d91a4579497044f1933ad63a1f470ec3cd4b346e3326d88eb105fbcca70c1fe1baa528c6d55fc55bb4a4d27c2c51a21e28816914d38f7524da00a36

memory/3104-36-0x00007FF7C8E20000-0x00007FF7C9174000-memory.dmp

memory/2920-32-0x00007FF659680000-0x00007FF6599D4000-memory.dmp

C:\Windows\System\DYOQXiA.exe

MD5 7acfbe38ff0c34ed39e9a5e66b43ab42
SHA1 63c99a1fb1782d83a13165c8d889626d87e90d3f
SHA256 3f0ab3a2222ed72a567ca0cba388297bfacf276e28a61ade9aa1e8962a4c3fc2
SHA512 7c4da0ed71ebb0f34ea0921cee6a38770a3491de6bec8bab5569f9cdf0bdbff5a671e04ebe60f0134648fe326cbd0d74a128870062e6dd45ba1adebb38d225fe

memory/3800-47-0x00007FF67DA60000-0x00007FF67DDB4000-memory.dmp

C:\Windows\System\zdLSbJY.exe

MD5 cce167957b8e1fa53a5fd303426898e0
SHA1 31c0547b879b8dff842a97ae991e592e9388b8ff
SHA256 92a7c9a0e4f68d90c2d2be26837482bd6799fd6db71887cf9f75156106668943
SHA512 572ad5a20852efdaa61abf05de62394e92e478836f8a92ad37becbf50c4dda70ac42ed3742d5e73837f87874ff1714f8743745330f637c51574968614e90da01

C:\Windows\System\JNkYqdY.exe

MD5 a6360fe92deb7bae5f5b04ec07f5bc30
SHA1 32f03ce5e786f8269cd9031dbd192fc7bdbe48d0
SHA256 34db40a2cd4ab9d1f39eccaab60557deb00067d254f09fde77fb6f630ebd8c12
SHA512 b42a9abf6b66563780c73d5cdf2425e821b756b5053655afe10129300a0b29529fb6c9f4e0e5123ec468525c46068cb5c5adddbc5cbfbd828b07f464c0323d6c

memory/3648-50-0x00007FF6996B0000-0x00007FF699A04000-memory.dmp

memory/4280-52-0x00007FF6D5C00000-0x00007FF6D5F54000-memory.dmp

C:\Windows\System\dbdMNIv.exe

MD5 5c76c8ac16af4727b6cfb97c5074b48c
SHA1 7ef37aeebaa3a68975fba31ab9ee3f891ccd7572
SHA256 7f3c63322a21d57dabea6df32c444170f587556b5c64e0c50db6f90d953bf0e3
SHA512 3ec81128354ebe1e9874c44dd7975342c2d1635edba86d42676f343536e8cef3753f5e3bc97122abd6795f44e90c0397d8a238a2c8d51e49c854a12753e7f3b0

C:\Windows\System\GhsWRnX.exe

MD5 2bf25c61bc90991fe2633252c7e09552
SHA1 6d518795b6633aee4d6174638839683e7a8da026
SHA256 9d9f656e6fae7a95d539b62f92870365c085b468a54efd661a9a937635fe6daa
SHA512 03be5c35dc0a5fa798f8cfbbae7a4852eb87759f3846a87e468a6e5e881de6208375e7c6fa8a607bd2abfb50e4c983d950b501114d51a0b8b30b0101f14ddbdc

C:\Windows\System\PEkaofb.exe

MD5 f4031a662d0ba414281cc0406e7356f1
SHA1 14c028e8bb3552f0f6aa82cb6e7c38d7486b7eb4
SHA256 18a67b2455fee4c963e9598d56e40fe8f73225140c54cfee40589f76e1cf6747
SHA512 dbfc7a36b3318baaaf1581430ebd10273477c8e5de755deb3e901ee12a2ab15f1a00127bcbaeae37272069c0f2761889d98b48c97d5bfe1a7d9b27249842d443

memory/4908-77-0x00007FF78F0E0000-0x00007FF78F434000-memory.dmp

C:\Windows\System\VdWVCmm.exe

MD5 9b39234d84ae74c988aa9772fcc941d0
SHA1 67e629a5d34af1fb4f878f20097d8204915160bb
SHA256 05efaa26f271703f293651bcc8bc3da2b27c304aaff6b16fa53d2cb3b4e87d08
SHA512 25aa1345f5c5cbfc52ce683225d05925e3b0aa0906426178e51aee3912e1b8bef0d93b40e28f5745cd8f62d4a0fe4190bcca4260ec0593eb87a4992ec4f8e9ec

memory/4060-82-0x00007FF771520000-0x00007FF771874000-memory.dmp

C:\Windows\System\usHPJhH.exe

MD5 a6b1e07f30012e8fc51bdca15f7b39ec
SHA1 b1f17cd3a217d3d846ab6e3d65c107a17fa97c5f
SHA256 bfad9c52198ded45a70b1324710381c590993aca07079687e21f4217e3b57a30
SHA512 9b383ec08d851e843a82fb188d1798181cba353e1492663bbbda1e9dee2d61e6d87063c23e11fffaa8576f0cbcce27b7d27c92d31896cb5261fe6ec8cc88c0f3

memory/728-73-0x00007FF646690000-0x00007FF6469E4000-memory.dmp

memory/1264-65-0x00007FF71AED0000-0x00007FF71B224000-memory.dmp

memory/3392-64-0x00007FF6821A0000-0x00007FF6824F4000-memory.dmp

C:\Windows\System\PVLFVuB.exe

MD5 e60999b9649c6e0ca35747f24844896a
SHA1 2498fa0f8e8620fa3e3a034ba544cd133b9f4907
SHA256 eadd39ccfb3e58772b591cf9b398bbabc5c2ec6f709fdeab13655b0b6a7747b7
SHA512 ac47d253c142a104a2b0a72854a8701074b52c47fe57feefe188317a67231fe71b8ba9ed0530f8ff3e0083379d60dc49e6487419528397fbaa16a910afe044a7

C:\Windows\System\lbSpZhR.exe

MD5 419ff44afdb1452abb587ade5fc46722
SHA1 4754e935aff461e5b505d8c0b3e5f8aa082b9d5e
SHA256 f8f431f833a0c664180abe8679696af61d09f955a0e87e35f578b2f0c17f3b2a
SHA512 f507629ccc2a7b79882c21f83764493df1abf0c8a6e5c1e8af0892f567f94149cd01dea96ca2e329602bb6d8b9222043ab03d3d73f1460d794a595f2ccd7a68c

C:\Windows\System\FvZnjBZ.exe

MD5 27c05d9550f206e099cee0578289db1f
SHA1 87d55872e15a1e46501d17840a56276ee2630d58
SHA256 4d32913e29dd9303af72961ad73cfeea8adcac3e880e18773020d3b8bfc3e0bf
SHA512 69118c8e9c83393b6b6b36967deff4c298cbaa996d315b4bc74bc9bff88675c64669a380465a1db654cf0ec1edb615432adc0e9c42acd461646ff13976af6faf

C:\Windows\System\GXVOKzH.exe

MD5 11e19b871df3f59a0583062bd1f9e47c
SHA1 cdbf8dee04c46347d1d4559e62589e2c3948c4d6
SHA256 ed27084e374ad890b243f9cdadcd3d72e7d29c29ea2bebd2a31e253479ad9eec
SHA512 a91f3b2dfb6f5a0d060ee3cb4360c9ddfc9fac2647d5687e355ca41bcc50297fc481221e61f36ef5f720a55d50fc16434e38acf481c14378c97e88ee68f20a49

memory/3904-113-0x00007FF795A40000-0x00007FF795D94000-memory.dmp

memory/2920-109-0x00007FF659680000-0x00007FF6599D4000-memory.dmp

memory/2736-108-0x00007FF7F7D80000-0x00007FF7F80D4000-memory.dmp

memory/1208-104-0x00007FF7C7CB0000-0x00007FF7C8004000-memory.dmp

memory/4684-103-0x00007FF7C12B0000-0x00007FF7C1604000-memory.dmp

C:\Windows\System\EgPmlJJ.exe

MD5 6091ee407b838de07984e94a8afdd980
SHA1 4d4b0ac6e4dddacc6309f25503eaf5f4c8b30843
SHA256 078d068715f838b4ada3b82e5faf123ecef5aad20d7e6dec8a3782ceb9a35e06
SHA512 632e04d79a601ffd0ea3ee831cf149423f7690c29713b2328aeb5bceb02f4a28dfea967280d88085ccbaad643ad36193dce4cf6ac656c7c43597315a2e5b89e9

memory/2140-98-0x00007FF7D9320000-0x00007FF7D9674000-memory.dmp

memory/4504-94-0x00007FF746730000-0x00007FF746A84000-memory.dmp

memory/544-89-0x00007FF6787C0000-0x00007FF678B14000-memory.dmp

memory/4636-88-0x00007FF6CF0C0000-0x00007FF6CF414000-memory.dmp

memory/3104-121-0x00007FF7C8E20000-0x00007FF7C9174000-memory.dmp

memory/4912-122-0x00007FF7B55B0000-0x00007FF7B5904000-memory.dmp

C:\Windows\System\zzsMAME.exe

MD5 ecf7d036269a17401e4e8a8ee4fff9cf
SHA1 9da814a6f78d364d580747f38d04b145e5bf3356
SHA256 9e2a2d6b55dd0db1e7fc9ce0eeaf473fe038f90347713f7417c68185c7edc409
SHA512 ddbc63061b07c84bfc53849141915dde11621a9a59012137e7af807cd1cfaea25c603e66db989c3a2153dbc8f7c1cafaa7bc6d4b70741a496df46224b0878ba8

C:\Windows\System\RZjTlqA.exe

MD5 e72acb81d2455e0346983b0842025fa9
SHA1 739c691fde67a6708c19a912853d11723b3c815f
SHA256 e112b747d876e075b9735c4ae99dbe11ec8277efbf387a9f93aa42d7ce3c4cb4
SHA512 fbe64d84a29790f048d093d56b8805852d071115d9d93366f03a91ac46de659903038ca443320c2d3be2f26022c543d3a70661ab24abe306fc903d268eaa6d8f

memory/3648-133-0x00007FF6996B0000-0x00007FF699A04000-memory.dmp

memory/2188-134-0x00007FF7F8F90000-0x00007FF7F92E4000-memory.dmp

memory/1860-132-0x00007FF77CA50000-0x00007FF77CDA4000-memory.dmp

memory/4280-135-0x00007FF6D5C00000-0x00007FF6D5F54000-memory.dmp

memory/4060-136-0x00007FF771520000-0x00007FF771874000-memory.dmp

memory/2140-137-0x00007FF7D9320000-0x00007FF7D9674000-memory.dmp

memory/4684-138-0x00007FF7C12B0000-0x00007FF7C1604000-memory.dmp

memory/2736-139-0x00007FF7F7D80000-0x00007FF7F80D4000-memory.dmp

memory/3904-140-0x00007FF795A40000-0x00007FF795D94000-memory.dmp

memory/728-141-0x00007FF646690000-0x00007FF6469E4000-memory.dmp

memory/4340-143-0x00007FF690AC0000-0x00007FF690E14000-memory.dmp

memory/4636-142-0x00007FF6CF0C0000-0x00007FF6CF414000-memory.dmp

memory/1208-144-0x00007FF7C7CB0000-0x00007FF7C8004000-memory.dmp

memory/2920-145-0x00007FF659680000-0x00007FF6599D4000-memory.dmp

memory/3104-146-0x00007FF7C8E20000-0x00007FF7C9174000-memory.dmp

memory/3800-147-0x00007FF67DA60000-0x00007FF67DDB4000-memory.dmp

memory/3648-148-0x00007FF6996B0000-0x00007FF699A04000-memory.dmp

memory/4280-149-0x00007FF6D5C00000-0x00007FF6D5F54000-memory.dmp

memory/1264-150-0x00007FF71AED0000-0x00007FF71B224000-memory.dmp

memory/4060-152-0x00007FF771520000-0x00007FF771874000-memory.dmp

memory/544-151-0x00007FF6787C0000-0x00007FF678B14000-memory.dmp

memory/4908-153-0x00007FF78F0E0000-0x00007FF78F434000-memory.dmp

memory/4684-155-0x00007FF7C12B0000-0x00007FF7C1604000-memory.dmp

memory/4504-154-0x00007FF746730000-0x00007FF746A84000-memory.dmp

memory/2140-156-0x00007FF7D9320000-0x00007FF7D9674000-memory.dmp

memory/3904-157-0x00007FF795A40000-0x00007FF795D94000-memory.dmp

memory/4912-159-0x00007FF7B55B0000-0x00007FF7B5904000-memory.dmp

memory/2736-158-0x00007FF7F7D80000-0x00007FF7F80D4000-memory.dmp

memory/1860-160-0x00007FF77CA50000-0x00007FF77CDA4000-memory.dmp

memory/2188-161-0x00007FF7F8F90000-0x00007FF7F92E4000-memory.dmp
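Two things stand out in this Files section. Every image-region dump, for the parent and for all 21 children (and likewise in the behavioral1 entries above), spans exactly 0x354000 bytes, so each dropped file maps with the same SizeOfImage as the parent, while each of the 21 dropped files carries a different MD5/SHA1/SHA256/SHA512. The practical consequence is that a blocklist built from any one dropped file's hash will miss the other twenty; the durable indicators are the path and naming pattern and the behaviour, not the digests. The Python below is an added example, not part of the sandbox report: it parses a slice of this section in its original layout, groups PIDs by mapped-region size, validates digest lengths (a common failure when IOCs are copied out of reports), and counts distinct digests. The embedded slice is copied from above (3 of the 21 files and 6 of the memory entries); the function names are mine.

```python
import re
from collections import defaultdict

# A slice of the behavioral2 "Files" section above, in its original layout:
# memory-dump names interleaved with dropped-file hash blocks.
FILES_SECTION = r"""
memory/3392-0-0x00007FF6821A0000-0x00007FF6824F4000-memory.dmp

memory/3392-1-0x00000242AA5A0000-0x00000242AA5B0000-memory.dmp

C:\Windows\System\ZKmYLHc.exe

MD5 0807945374ac8f8de64fbffc5dc6238a
SHA1 58a6f3a144105f7bf2081ca23b60b57265fbb835
SHA256 0dfb4e2b7eed5bae14e219a6b630cd89ad0b4d564ddec10fc8b6cedeaac04ef6
SHA512 ab2086fad471d15ce8518fd296e834b99d6cdb21e3eca7bbe518aff43891969effcf012028dbda8f1aa5f94b05df27658c16fe84e37c61aae26db98346b5144c

C:\Windows\System\rnVaXcW.exe

MD5 a4fdc1ab565e1cd4d7202493bd722437
SHA1 a4cd923361ccc3a1e9a465857326d2d37b4337eb
SHA256 ef2595b3c234dc3e89525e55c1fe0ffe02e6c84e3f440a57c5dece17f537a388
SHA512 06c94116b8ae178dfddcda66e0811bf6ef4c3667446649cd72b5a17c6f3064f4efbd17c2696158b5dfbf42dd5a22c3a963add9573e477f1855bf8f2c1276584a

C:\Windows\System\VlBljyN.exe

MD5 da74c2af7937f8430a00959cba7fa0dd
SHA1 25882fa6b330a5ce992077e31752aa58aa54eac6
SHA256 666c21dc6ec8e6773a5c62295164259b1f1bcba8507fd2b7c7076b85f959f3dc
SHA512 ba4ddc80e5e091e8815db996a5d3473d149eb56a85446f72649b52e74ac00e94e962efb7ec4a5b734b9e8325bcc8d4023eb974399b6c8676404ba22a31d4cfd2

memory/4636-15-0x00007FF6CF0C0000-0x00007FF6CF414000-memory.dmp

memory/728-6-0x00007FF646690000-0x00007FF6469E4000-memory.dmp

memory/4340-20-0x00007FF690AC0000-0x00007FF690E14000-memory.dmp

memory/728-73-0x00007FF646690000-0x00007FF6469E4000-memory.dmp
"""

# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$")
HEX_DIGITS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (regions, hashes): regions is a list of dicts with pid, seq,
    start and size; hashes maps each dropped path to its {algorithm: digest}."""
    regions, hashes, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := MEM_RE.match(line)):
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "seq": int(m[2]),
                            "start": start, "size": end - start})
        elif PATH_RE.match(line):
            current = line
            hashes[current] = {}
        elif (m := HASH_RE.match(line)) and current:
            hashes[current][m[1]] = m[2].lower()
    return regions, hashes


def regions_by_size(regions):
    """Distinct PIDs grouped by mapped-region size; a single dominant size
    across parent and children means they share one SizeOfImage."""
    groups = defaultdict(set)
    for r in regions:
        groups[r["size"]].add(r["pid"])
    return {size: sorted(pids) for size, pids in groups.items()}


def malformed_hashes(hashes):
    """(path, algorithm) pairs whose digest is missing or the wrong length."""
    return [(path, algo) for path, block in hashes.items()
            for algo, n in HEX_DIGITS.items() if len(block.get(algo, "")) != n]


def distinct_digests(hashes, algo="SHA256"):
    return sorted({block[algo] for block in hashes.values() if algo in block})


if __name__ == "__main__":
    regions, hashes = parse_files_section(FILES_SECTION)
    for size, pids in sorted(regions_by_size(regions).items()):
        print(f"region size 0x{size:X}: PIDs {pids}")
    print("malformed digests:", malformed_hashes(hashes))
    print(f"{len(hashes)} files, {len(distinct_digests(hashes))} distinct SHA256")
```

Run over the whole section, the 0x354000 group contains all 22 PIDs and the 0x10000 group only the parent's second entry (a small non-image region), and the distinct-digest count equals the file count for every algorithm. Identical mapped size is consistent with every drop being the same program with per-copy byte differences, but it is not proof of that; confirming it needs the dropped files themselves, which this report does not include.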