Malware Analysis Report

2024-10-24 18:16

Sample ID 240607-cantsaff9t
Target 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike
SHA256 8e5d6082b7103146bc343199029aed207ffd798d7dcc8992ee744d2679904dec
Tags
miner upx 0 xmrig cobaltstrike
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

xmrig

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-07 01:53

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 01:52

Reported

2024-06-07 01:57

Platform

win7-20240221-en

Max time kernel

135s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig

miner xmrig

UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\onfpLXs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YYVqlGE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LdTQyrQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JJtAWMB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oWryuDN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ARLdpiW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\USaqKKr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vivtBiR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\corhpyj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VKYpRrg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HWdxlSA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QAFUoDX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DYcUzMp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QnNkuAb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KkguQsP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FwJoEgE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FwuIolP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZchojoU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HqLKwQo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FqmDbgm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NPRABMN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\HWdxlSA.exe
PID 2168 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\JJtAWMB.exe
PID 2168 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\oWryuDN.exe
PID 2168 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZchojoU.exe
PID 2168 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ARLdpiW.exe
PID 2168 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\DYcUzMp.exe
PID 2168 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\QnNkuAb.exe
PID 2168 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\KkguQsP.exe
PID 2168 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\USaqKKr.exe
PID 2168 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NPRABMN.exe
PID 2168 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\vivtBiR.exe
PID 2168 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\HqLKwQo.exe
PID 2168 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\corhpyj.exe
PID 2168 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\VKYpRrg.exe
PID 2168 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FwJoEgE.exe
PID 2168 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\LdTQyrQ.exe
PID 2168 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\onfpLXs.exe
PID 2168 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FwuIolP.exe
PID 2168 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FqmDbgm.exe
PID 2168 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\YYVqlGE.exe
PID 2168 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\QAFUoDX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\HWdxlSA.exe

C:\Windows\System\JJtAWMB.exe

C:\Windows\System\oWryuDN.exe

C:\Windows\System\ZchojoU.exe

C:\Windows\System\ARLdpiW.exe

C:\Windows\System\DYcUzMp.exe

C:\Windows\System\QnNkuAb.exe

C:\Windows\System\KkguQsP.exe

C:\Windows\System\USaqKKr.exe

C:\Windows\System\NPRABMN.exe

C:\Windows\System\vivtBiR.exe

C:\Windows\System\HqLKwQo.exe

C:\Windows\System\corhpyj.exe

C:\Windows\System\VKYpRrg.exe

C:\Windows\System\FwJoEgE.exe

C:\Windows\System\LdTQyrQ.exe

C:\Windows\System\onfpLXs.exe

C:\Windows\System\FwuIolP.exe

C:\Windows\System\FqmDbgm.exe

C:\Windows\System\YYVqlGE.exe

C:\Windows\System\QAFUoDX.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 01:52

Reported

2024-06-07 01:56

Platform

win10v2004-20240426-en

Max time kernel

132s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig

miner xmrig

UPX dump on OEP (original entry point)


XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\myzQTtL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UKsAFWU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mUsllMp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dpfeffn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CMExTev.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PsMOgFF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\luDAmTl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\onPIisn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GPxMKKM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rVUCoWs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BdWUwxG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kPpAqSD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ieShFZp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\slxIers.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HlSUxKL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pwBVfjl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\waCvjvL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gIRcBwH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TRJGwow.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CIolLis.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pijlJFE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5084 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\UKsAFWU.exe
PID 5084 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ieShFZp.exe
PID 5084 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TRJGwow.exe
PID 5084 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\mUsllMp.exe
PID 5084 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\dpfeffn.exe
PID 5084 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CMExTev.exe
PID 5084 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\PsMOgFF.exe
PID 5084 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\kPpAqSD.exe
PID 5084 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CIolLis.exe
PID 5084 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\slxIers.exe
PID 5084 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\HlSUxKL.exe
PID 5084 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\pijlJFE.exe
PID 5084 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\luDAmTl.exe
PID 5084 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\pwBVfjl.exe
PID 5084 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\onPIisn.exe
PID 5084 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\myzQTtL.exe
PID 5084 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\GPxMKKM.exe
PID 5084 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\rVUCoWs.exe
PID 5084 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BdWUwxG.exe
PID 5084 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\waCvjvL.exe
PID 5084 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe C:\Windows\System\gIRcBwH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\UKsAFWU.exe

C:\Windows\System\UKsAFWU.exe

C:\Windows\System\ieShFZp.exe

C:\Windows\System\ieShFZp.exe

C:\Windows\System\TRJGwow.exe

C:\Windows\System\TRJGwow.exe

C:\Windows\System\mUsllMp.exe

C:\Windows\System\mUsllMp.exe

C:\Windows\System\dpfeffn.exe

C:\Windows\System\dpfeffn.exe

C:\Windows\System\CMExTev.exe

C:\Windows\System\CMExTev.exe

C:\Windows\System\PsMOgFF.exe

C:\Windows\System\PsMOgFF.exe

C:\Windows\System\kPpAqSD.exe

C:\Windows\System\kPpAqSD.exe

C:\Windows\System\CIolLis.exe

C:\Windows\System\CIolLis.exe

C:\Windows\System\slxIers.exe

C:\Windows\System\slxIers.exe

C:\Windows\System\HlSUxKL.exe

C:\Windows\System\HlSUxKL.exe

C:\Windows\System\pijlJFE.exe

C:\Windows\System\pijlJFE.exe

C:\Windows\System\luDAmTl.exe

C:\Windows\System\luDAmTl.exe

C:\Windows\System\pwBVfjl.exe

C:\Windows\System\pwBVfjl.exe

C:\Windows\System\onPIisn.exe

C:\Windows\System\onPIisn.exe

C:\Windows\System\myzQTtL.exe

C:\Windows\System\myzQTtL.exe

C:\Windows\System\GPxMKKM.exe

C:\Windows\System\GPxMKKM.exe

C:\Windows\System\rVUCoWs.exe

C:\Windows\System\rVUCoWs.exe

C:\Windows\System\BdWUwxG.exe

C:\Windows\System\BdWUwxG.exe

C:\Windows\System\waCvjvL.exe

C:\Windows\System\waCvjvL.exe

C:\Windows\System\gIRcBwH.exe

C:\Windows\System\gIRcBwH.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files
