Malware Analysis Report

2024-10-24 18:16

Sample ID 240606-wvb59shg3y
Target 2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike
SHA256 f5851138c90455555ea2f0f1e55b7447069c83f70bd40963159d9b4ccd84c68c
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f5851138c90455555ea2f0f1e55b7447069c83f70bd40963159d9b4ccd84c68c

Threat Level: Known bad

The file 2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

Xmrig family

Cobaltstrike

xmrig

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 18:14

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 18:14

Reported

2024-06-06 18:16

Platform

win7-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A (row repeated 21 times)

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HUmevNu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yzlBTfj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JxVsfaC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OfdYZqW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CNSTUKt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WEHXHaU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JJuBjvb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bSqUJLZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qpixQxX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LsvOVqL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SRurGDz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DHBJBLI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GoQspZl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KXvoIRx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CSXATNF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eCNnNMX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tZgJruj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LRPECIp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pWTEXyL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aqOwWKa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PaJOKez.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\qpixQxX.exe
PID 3068 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HUmevNu.exe
PID 3068 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\yzlBTfj.exe
PID 3068 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\LsvOVqL.exe
PID 3068 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\KXvoIRx.exe
PID 3068 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JxVsfaC.exe
PID 3068 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OfdYZqW.exe
PID 3068 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\CSXATNF.exe
PID 3068 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\CNSTUKt.exe
PID 3068 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\SRurGDz.exe
PID 3068 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\eCNnNMX.exe
PID 3068 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\DHBJBLI.exe
PID 3068 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\tZgJruj.exe
PID 3068 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\LRPECIp.exe
PID 3068 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\WEHXHaU.exe
PID 3068 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\GoQspZl.exe
PID 3068 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\pWTEXyL.exe
PID 3068 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JJuBjvb.exe
PID 3068 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\aqOwWKa.exe
PID 3068 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PaJOKez.exe
PID 3068 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\bSqUJLZ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\qpixQxX.exe
C:\Windows\System\HUmevNu.exe
C:\Windows\System\yzlBTfj.exe
C:\Windows\System\LsvOVqL.exe
C:\Windows\System\KXvoIRx.exe
C:\Windows\System\JxVsfaC.exe
C:\Windows\System\OfdYZqW.exe
C:\Windows\System\CSXATNF.exe
C:\Windows\System\CNSTUKt.exe
C:\Windows\System\SRurGDz.exe
C:\Windows\System\eCNnNMX.exe
C:\Windows\System\DHBJBLI.exe
C:\Windows\System\tZgJruj.exe
C:\Windows\System\LRPECIp.exe
C:\Windows\System\WEHXHaU.exe
C:\Windows\System\GoQspZl.exe
C:\Windows\System\pWTEXyL.exe
C:\Windows\System\JJuBjvb.exe
C:\Windows\System\aqOwWKa.exe
C:\Windows\System\PaJOKez.exe
C:\Windows\System\bSqUJLZ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

SHA1 4e2b33e9738ec359bf4353349e859362ced84c1f
SHA256 e8e3083edbaf868c44dc7f7e838702866f6ae731670b59c5fd530f45326f9f2b
SHA512 8c8b2e6990743c7ddeb935f69ff12a06b302b6ce39534d0dd9e6719acbfe6ede950fa0b09318b634ebb8f6509073d229d07de8186642fab652d707434b5f24ca

memory/2088-56-0x000000013F510000-0x000000013F864000-memory.dmp

memory/2812-47-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2640-29-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2548-139-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/2992-140-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/3068-141-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/2064-142-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/3068-143-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2864-144-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/3068-145-0x0000000002200000-0x0000000002554000-memory.dmp

memory/2452-146-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/2616-147-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2848-148-0x000000013F9C0000-0x000000013FD14000-memory.dmp

memory/2640-149-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2800-150-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2812-151-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2068-152-0x000000013F7C0000-0x000000013FB14000-memory.dmp

memory/2576-153-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2548-154-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/2088-155-0x000000013F510000-0x000000013F864000-memory.dmp

memory/2992-156-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2064-157-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/2864-158-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2980-159-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 18:14

Reported

2024-06-06 18:16

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yzlBTfj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eCNnNMX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LRPECIp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WEHXHaU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pWTEXyL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KXvoIRx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JxVsfaC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GoQspZl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JJuBjvb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aqOwWKa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tZgJruj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bSqUJLZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qpixQxX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LsvOVqL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CSXATNF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CNSTUKt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DHBJBLI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HUmevNu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OfdYZqW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SRurGDz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PaJOKez.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\qpixQxX.exe
PID 1216 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HUmevNu.exe
PID 1216 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\yzlBTfj.exe
PID 1216 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\LsvOVqL.exe
PID 1216 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\KXvoIRx.exe
PID 1216 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JxVsfaC.exe
PID 1216 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OfdYZqW.exe
PID 1216 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\CSXATNF.exe
PID 1216 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\CNSTUKt.exe
PID 1216 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\SRurGDz.exe
PID 1216 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\eCNnNMX.exe
PID 1216 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\DHBJBLI.exe
PID 1216 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\tZgJruj.exe
PID 1216 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\LRPECIp.exe
PID 1216 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\WEHXHaU.exe
PID 1216 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\GoQspZl.exe
PID 1216 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\pWTEXyL.exe
PID 1216 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JJuBjvb.exe
PID 1216 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\aqOwWKa.exe
PID 1216 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PaJOKez.exe
PID 1216 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe C:\Windows\System\bSqUJLZ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\qpixQxX.exe

C:\Windows\System\qpixQxX.exe

C:\Windows\System\HUmevNu.exe

C:\Windows\System\HUmevNu.exe

C:\Windows\System\yzlBTfj.exe

C:\Windows\System\yzlBTfj.exe

C:\Windows\System\LsvOVqL.exe

C:\Windows\System\LsvOVqL.exe

C:\Windows\System\KXvoIRx.exe

C:\Windows\System\KXvoIRx.exe

C:\Windows\System\JxVsfaC.exe

C:\Windows\System\JxVsfaC.exe

C:\Windows\System\OfdYZqW.exe

C:\Windows\System\OfdYZqW.exe

C:\Windows\System\CSXATNF.exe

C:\Windows\System\CSXATNF.exe

C:\Windows\System\CNSTUKt.exe

C:\Windows\System\CNSTUKt.exe

C:\Windows\System\SRurGDz.exe

C:\Windows\System\SRurGDz.exe

C:\Windows\System\eCNnNMX.exe

C:\Windows\System\eCNnNMX.exe

C:\Windows\System\DHBJBLI.exe

C:\Windows\System\DHBJBLI.exe

C:\Windows\System\tZgJruj.exe

C:\Windows\System\tZgJruj.exe

C:\Windows\System\LRPECIp.exe

C:\Windows\System\LRPECIp.exe

C:\Windows\System\WEHXHaU.exe

C:\Windows\System\WEHXHaU.exe

C:\Windows\System\GoQspZl.exe

C:\Windows\System\GoQspZl.exe

C:\Windows\System\pWTEXyL.exe

C:\Windows\System\pWTEXyL.exe

C:\Windows\System\JJuBjvb.exe

C:\Windows\System\JJuBjvb.exe

C:\Windows\System\aqOwWKa.exe

C:\Windows\System\aqOwWKa.exe

C:\Windows\System\PaJOKez.exe

C:\Windows\System\PaJOKez.exe

C:\Windows\System\bSqUJLZ.exe

C:\Windows\System\bSqUJLZ.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 129.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 57.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
