Malware Analysis Report

2024-10-24 18:15

Sample ID 240607-cn1eqsha98
Target 2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike
SHA256 8ac8284327f888240ceea0fdc99a712f94a6f11b9cac8e60eff78799705fc23c
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ac8284327f888240ceea0fdc99a712f94a6f11b9cac8e60eff78799705fc23c

Threat Level: Known bad

The file 2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike

Xmrig family

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Cobaltstrike family

xmrig

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-07 02:14

Signatures

Cobalt Strike reflective loader

1 hit, all fields (Description, Indicator, Process, Target) N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

1 hit, all fields (Description, Indicator, Process, Target) N/A

UPX dump on OEP (original entry point)

1 hit, all fields (Description, Indicator, Process, Target) N/A

XMRig Miner payload

miner
1 hit, all fields (Description, Indicator, Process, Target) N/A

Xmrig family

xmrig

UPX packed file

upx
1 hit, all fields (Description, Indicator, Process, Target) N/A

Unsigned PE

1 hit, all fields (Description, Indicator, Process, Target) N/A
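The static signatures above ("UPX packed file", "UPX dump on OEP") come from the sandbox; the report does not show what they key on. The following is an added example, not the sandbox's own detection logic, that walks the PE headers by hand and reports the three marks a UPX stub normally leaves: section names UPX0/UPX1, the "UPX!" tag the packer writes into the header area after the section table, and a first section that occupies memory but has no bytes on disk (UPX0 is the unpack destination). The "dump on OEP" signature is the dynamic complement: the sandbox lets the stub finish and dumps the process at the original entry point. The PE used as input is constructed inline (header only, no code) so the check runs without a sample.

```python
"""Static check for the markers behind the "UPX packed file" signature.

Added example, not the sandbox's own detection. pe_sections() parses the
COFF and section headers with struct only; build_minimal_pe() fabricates a
header-only PE32+ as constructed test input.
"""
import struct


def pe_sections(data):
    """Return [(name, virtual_size, virtual_address, raw_size, raw_ptr)]."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt          # section table follows the optional header
    sections = []
    for i in range(n_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vsize, vaddr, rsize, rptr))
    return sections


def upx_indicators(data):
    """Three independent tells; renaming UPX0/UPX1 does not remove the other two."""
    sections = pe_sections(data)
    stored = [s[4] for s in sections if s[3]]          # raw pointers of sections with bytes on disk
    header_end = min(stored) if stored else len(data)  # everything before them is header area
    return {
        "upx_sections": [s[0] for s in sections if s[0].upper().startswith("UPX")],
        "upx_marker": b"UPX!" in data[:header_end],
        "empty_first_section": bool(sections) and sections[0][3] == 0 and sections[0][1] > 0,
    }


def looks_upx_packed(data):
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_marker"]


def build_minimal_pe(section_names, upx_marker):
    """Constructed header-only PE32+ (no code; test input, not a program)."""
    size_opt, raw_ptr = 240, 0x400
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, size_opt, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (size_opt - 2)         # PE32+ magic, rest zeroed
    table = b""
    for i, name in enumerate(section_names):
        rsize = 0 if name.upper() == "UPX0" else 0x200               # UPX0 has no bytes on disk
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x10000, 0x1000 * (i + 1), rsize, raw_ptr if rsize else 0,
            0, 0, 0, 0, 0xE0000040)
    tag = b"UPX!" + b"\0" * 12 if upx_marker else b""                # pack header tag after the table
    image = dos + b"PE\0\0" + coff + opt + table + tag
    return image.ljust(raw_ptr + 0x200 * len(section_names), b"\0")


if __name__ == "__main__":
    print(upx_indicators(build_minimal_pe(["UPX0", "UPX1", ".rsrc"], True)))
    print(upx_indicators(build_minimal_pe([".text", ".rdata", ".data"], False)))
```

Run it against a real sample with `upx_indicators(open(path, "rb").read())`. Packers that tamper with the stub usually keep the empty first section even after renaming and scrubbing the tag, so treat the three fields as separate evidence rather than collapsing them early.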

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 02:14

Reported

2024-06-07 02:17

Platform

win7-20240419-en

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

21 hits, all fields (Description, Indicator, Process, Target) N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

21 hits, all fields (Description, Indicator, Process, Target) N/A

UPX dump on OEP (original entry point)

47 hits, all fields (Description, Indicator, Process, Target) N/A

XMRig Miner payload

miner
48 hits, all fields (Description, Indicator, Process, Target) N/A

Loads dropped DLL

21 hits, all from process C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe; Description, Indicator and Target N/A

UPX packed file

upx
48 hits, all fields (Description, Indicator, Process, Target) N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\TdMWKIo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TCGAhCs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YZxnvfh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DUmYMRW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ncHarem.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZvWkFKz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UXOBgKQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mylcZeG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JSKbIFg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cHROgXV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gwkfyIX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eWdYlck.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bcPscmw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WgchHzx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\avJvisO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QHlpmFJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EOyzXcJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SWYGisA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rRrCwOc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ohQmimU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lRGJBHz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 1676 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\gwkfyIX.exe
PID 2100 wrote to memory of 2840 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\eWdYlck.exe
PID 2100 wrote to memory of 2904 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\rRrCwOc.exe
PID 2100 wrote to memory of 2956 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\bcPscmw.exe
PID 2100 wrote to memory of 2624 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZvWkFKz.exe
PID 2100 wrote to memory of 2716 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\WgchHzx.exe
PID 2100 wrote to memory of 2768 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\UXOBgKQ.exe
PID 2100 wrote to memory of 2856 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\TdMWKIo.exe
PID 2100 wrote to memory of 2636 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\avJvisO.exe
PID 2100 wrote to memory of 2776 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\TCGAhCs.exe
PID 2100 wrote to memory of 2704 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\mylcZeG.exe
PID 2100 wrote to memory of 2812 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSKbIFg.exe
PID 2100 wrote to memory of 2684 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\QHlpmFJ.exe
PID 2100 wrote to memory of 2740 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\EOyzXcJ.exe
PID 2100 wrote to memory of 2532 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\YZxnvfh.exe
PID 2100 wrote to memory of 2584 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\DUmYMRW.exe
PID 2100 wrote to memory of 2924 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\ohQmimU.exe
PID 2100 wrote to memory of 2164 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\lRGJBHz.exe
PID 2100 wrote to memory of 2416 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\ncHarem.exe
PID 2100 wrote to memory of 1776 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\cHROgXV.exe
PID 2100 wrote to memory of 1444 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\SWYGisA.exe
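The three tables above (AdjustPrivilegeToken, Drops file in Windows directory, WriteProcessMemory) are the rows a responder reads together, and each needs a caveat the report does not spell out. SeLockMemoryPrivilege is the privilege a process needs for large pages (VirtualAlloc with MEM_LARGE_PAGES); XMRig requests it to back its RandomX dataset with huge pages, but database engines request it too, so it corroborates the miner verdict rather than proving it. C:\Windows\System (the legacy directory, not System32) is rarely written by legitimate software, so twenty-one new executables there is a strong signal on its own. Creating a child process involves the parent writing into it (process parameters and environment), and the sandbox logs those writes like any other, so the constant three writes per child is the baseline plain process creation produces, not injection evidence; what stands out is the fan-out of one parent to twenty-one freshly dropped children. The following added example (not part of the report or the sandbox's tooling) applies those three checks to rows in the report's own "Description Indicator Process Target" layout. The rows are constructed: the parent path is shortened to sample.exe, the Roaming text file is invented as a non-Windows-directory control, and the last child (PID 9999, hypothetical.exe) is invented to show the outlier check firing.

```python
"""Checks over rows shaped like the report's signature tables.

Added example, not the sandbox's detection logic. Sample rows are constructed
in the report's layout; names marked hypothetical do not appear in the report.
"""
import re
from collections import Counter

SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"   # shortened, hypothetical parent path
WINDOWS_DIR = "C:\\Windows\\"

# Privileges worth calling out and why (see lead-in for the SeLockMemoryPrivilege caveat).
PRIVILEGE_NOTES = {
    "SeLockMemoryPrivilege": "large pages / locked memory: needed by XMRig for huge pages, also by database servers",
    "SeDebugPrivilege": "open arbitrary processes: typical of injection and credential theft",
}

TOKEN_ROWS = [f"Token: SeLockMemoryPrivilege N/A {SAMPLE} N/A"] * 2
FILE_ROWS = [
    f"File created C:\\Windows\\System\\TdMWKIo.exe {SAMPLE} N/A",
    f"File created C:\\Windows\\System\\gwkfyIX.exe {SAMPLE} N/A",
    f"File created C:\\Users\\Admin\\AppData\\Roaming\\note.txt {SAMPLE} N/A",   # constructed control row
]


def _wpm(writer, child, image, n):
    return [f"PID {writer} wrote to memory of {child} N/A {SAMPLE} {image}"] * n


WPM_ROWS = (
    _wpm(2100, 1676, "C:\\Windows\\System\\gwkfyIX.exe", 3)
    + _wpm(2100, 2840, "C:\\Windows\\System\\eWdYlck.exe", 3)
    + _wpm(2100, 2856, "C:\\Windows\\System\\TdMWKIo.exe", 3)
    + _wpm(2100, 9999, "C:\\Windows\\System\\hypothetical.exe", 9)   # constructed outlier, not in report
)


def parse_row(row):
    """Split a row into (description, indicator, process, target).

    Works because this report's paths contain no spaces: the three right-most
    tokens are the fixed columns and the rest is the free-text description.
    """
    description, indicator, process, target = row.rsplit(None, 3)
    return description, indicator, process, target


def check_privileges(rows):
    """Return {privilege: note} for every flagged token adjustment."""
    found = {}
    for row in rows:
        m = re.match(r"Token:\s+(\w+)", parse_row(row)[0])
        if m and m.group(1) in PRIVILEGE_NOTES:
            found[m.group(1)] = PRIVILEGE_NOTES[m.group(1)]
    return found


def check_drops(rows):
    """Return dropped paths that land under the Windows directory, in report order."""
    return [ind for desc, ind, _, _ in map(parse_row, rows)
            if desc == "File created" and ind.lower().startswith(WINDOWS_DIR.lower())]


WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def check_memory_writes(rows):
    """Fan-out per writer, the modal writes-per-child baseline, and children well above it."""
    writes, target_image = Counter(), {}
    for desc, _, _, target in map(parse_row, rows):
        m = WPM_RE.match(desc)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            writes[key] += 1
            target_image[key] = target
    baseline = Counter(writes.values()).most_common(1)[0][0] if writes else 0
    return {
        "fanout": dict(Counter(writer for writer, _ in writes)),   # writer PID -> distinct children
        "baseline_writes_per_child": baseline,
        "outliers": {target_image[k]: n for k, n in writes.items() if n > 2 * baseline},
    }


def analyse(token_rows, file_rows, wpm_rows):
    return {
        "privileges": check_privileges(token_rows),
        "windows_dir_drops": check_drops(file_rows),
        "memory_writes": check_memory_writes(wpm_rows),
    }


if __name__ == "__main__":
    for key, value in analyse(TOKEN_ROWS, FILE_ROWS, WPM_ROWS).items():
        print(key, value)
```

The outlier threshold (more than twice the modal count) is a convention chosen for this example; on the real table every child sits exactly at the baseline of three, so the finding to act on is the fan-out and the drop location, not the write counts.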

Processes

Image Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\gwkfyIX.exe C:\Windows\System\gwkfyIX.exe
C:\Windows\System\eWdYlck.exe C:\Windows\System\eWdYlck.exe
C:\Windows\System\rRrCwOc.exe C:\Windows\System\rRrCwOc.exe
C:\Windows\System\bcPscmw.exe C:\Windows\System\bcPscmw.exe
C:\Windows\System\ZvWkFKz.exe C:\Windows\System\ZvWkFKz.exe
C:\Windows\System\WgchHzx.exe C:\Windows\System\WgchHzx.exe
C:\Windows\System\UXOBgKQ.exe C:\Windows\System\UXOBgKQ.exe
C:\Windows\System\TdMWKIo.exe C:\Windows\System\TdMWKIo.exe
C:\Windows\System\avJvisO.exe C:\Windows\System\avJvisO.exe
C:\Windows\System\TCGAhCs.exe C:\Windows\System\TCGAhCs.exe
C:\Windows\System\mylcZeG.exe C:\Windows\System\mylcZeG.exe
C:\Windows\System\JSKbIFg.exe C:\Windows\System\JSKbIFg.exe
C:\Windows\System\QHlpmFJ.exe C:\Windows\System\QHlpmFJ.exe
C:\Windows\System\EOyzXcJ.exe C:\Windows\System\EOyzXcJ.exe
C:\Windows\System\YZxnvfh.exe C:\Windows\System\YZxnvfh.exe
C:\Windows\System\DUmYMRW.exe C:\Windows\System\DUmYMRW.exe
C:\Windows\System\ohQmimU.exe C:\Windows\System\ohQmimU.exe
C:\Windows\System\lRGJBHz.exe C:\Windows\System\lRGJBHz.exe
C:\Windows\System\ncHarem.exe C:\Windows\System\ncHarem.exe
C:\Windows\System\cHROgXV.exe C:\Windows\System\cHROgXV.exe
C:\Windows\System\SWYGisA.exe C:\Windows\System\SWYGisA.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2100-0-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2100-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\gwkfyIX.exe

MD5 f4711f1aa8a0d8585a9b76ca54211a1f
SHA1 81905097b1cb32a0a371ce46f760b59a1f9ffd52
SHA256 b7c0d95fe4f41991d24014f2b2b5b5c66b64c646e7bce141fda667cebcaa10d1
SHA512 483c24a30770d22047bb3e9abdd4215133283a360a22d0585c59190e93f6b538a9a3d9bd82fd8ba0b2427fac7eaa66861d90d142db58a2a12994c460969a7fe9

C:\Windows\system\eWdYlck.exe

MD5 fb93b6951f4bd763c13942d38c5cb5a2
SHA1 4eeb2a90dd49fbebcfa0d577cc886d6c6875d018
SHA256 08364b9e2b8a4ad2b206ecad0c657f63dab46b5e4a41e8da0de9f7c9cdaa4edc
SHA512 bc6df6eede3d1d41265f4987dd60001ee3724cfb341e39a80658f172023227b5f53884f67cc2c72ea3c9c5d763d28eb06ff5f32b9a884cd3c269688362724a1b

memory/2100-10-0x000000013FFB0000-0x0000000140304000-memory.dmp

C:\Windows\system\bcPscmw.exe

MD5 9c2e235bee5fea01b034d6a1011ebdde
SHA1 d560c06b99d88d8435ee8d27471fe1af1a1b175e
SHA256 8c53287aea13f20bc0064a44bf26ba6c643d0d0f52e1e481cbe1a451cacf4dcc
SHA512 4d6b3371d3e1ed35231025dfabd603ce593982d5c9378bb80d733edf4347b9e1c7da90cb3a3e667b7c600ee5b551c83561a74a9f4374d4d3960c06af9a3e8533

memory/2956-30-0x000000013F0F0000-0x000000013F444000-memory.dmp

memory/2904-29-0x000000013FB10000-0x000000013FE64000-memory.dmp

memory/2100-27-0x000000013F0F0000-0x000000013F444000-memory.dmp

C:\Windows\system\ZvWkFKz.exe

MD5 1f120c960f2affbbde43d9ecf7d65c32
SHA1 628a98241c18ba9eebedcae5eca2dd569acad288
SHA256 78e93df1a1fab1fa79387e1506782c8866e23988ae8f24761d8716cd0ac1ec34
SHA512 e44cddabeffebe9681a3756b7f4a67e49a77c3fbdf3cc7e20e798b08bb29026bf041dde29daaa92c266acad28d536b653ed4ae05f3cc742802897db6f79b559e

memory/2624-36-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2100-35-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2840-25-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/2100-21-0x0000000002320000-0x0000000002674000-memory.dmp

C:\Windows\system\rRrCwOc.exe

MD5 8c99e7e7dfd85a01db10c6ece0504fc6
SHA1 6d1230fb870d8d165ef43c0ef640802d8041c89e
SHA256 45cdbef961ab83176ce1c80a2b9762df5c0832f52aa0bf8540012f9fd9f4d602
SHA512 b214d5644f3b115f6983146cb8574bdebfc28b32ea38bed7e095c246e5da5249013ee6f0f0285bbbab93aa62d9118dcb7bf1fee8ad8af0537f2496745fde0c2c

memory/2100-18-0x0000000002320000-0x0000000002674000-memory.dmp

memory/1676-15-0x000000013FFB0000-0x0000000140304000-memory.dmp

C:\Windows\system\WgchHzx.exe

MD5 aa1b9bdb89973da31ab225ab77b258ee
SHA1 6f8ca40a6cbc804d483c06144420452149b427b3
SHA256 558a19e0fc3814dd9877fbd9d5bd4df13515d4be5dd089e350a51fd5fcff7c91
SHA512 8c86600e39567ddfdfb3aa8444136175703f3f439c1c06cf5b5058c0e5c81245c8602fbcdf4d3cfcfd81720e80a28e9b85cb4f1a31b7a49ebf5b25cd95e8dcd7

\Windows\system\TCGAhCs.exe

MD5 3564319bfe597b1f16a90ee1e8404dac
SHA1 b72555c56d356761be946ec9cf42670a7da8cb6a
SHA256 3f8dfe045644a8cd438e201467793d2a52e9ea65ec0236a6733122a2e1c97b47
SHA512 7850b931d572534275813296c20e0420105a47158770f93f1791b8b03063d1301d894de2345b94539139497edd92d09460d40d4da480cb2a15b5c3dac82ad6bd

\Windows\system\lRGJBHz.exe

MD5 61aa63c7817bb605cc1505199b9fdb51
SHA1 35bf3067ff2750f7a9fcfaa9c45af074dd2780ec
SHA256 b62372430947ce14c602c39a36f98d1d91b868f3bd925afde14fcd567c73f364
SHA512 4eb44fd921ed9d92cda495f1061c78298a23a4a79e7142fbc9af72aa8be4c75e4a5e712e7d9e9a5cd58e696e714ac5bdeddc1f61e69b6cd4fcdb0ac57217b811

C:\Windows\system\cHROgXV.exe

MD5 f4639319d82c37aadb1257bebcdbd3e7
SHA1 052f57eb8061529382bafca62329d371022a147c
SHA256 62562b2b913a0294d4774f16cbcead14da8a1db684304d044f663acb2616cd7f
SHA512 784bca4d5d25b5c2d4ddf5a6b334fdd2037342d6c2f15dee8108aaa9feb97ba02db3bd99cd8bf9dd7de658ca43090cebea0bb115e53460f5518065be56029a28

memory/2812-115-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2100-120-0x000000013F170000-0x000000013F4C4000-memory.dmp

C:\Windows\system\ncHarem.exe

MD5 209652d04f145c4ab64e34d687b5594e
SHA1 716079b4949d4922b5ff2e761005a609f0a7d295
SHA256 a3a6dce60793239f68f7675b40f8d2a01d4c9ffc5ade37c9959df2f0b09dca09
SHA512 415386f0e93c86a7e0d497b0e63134a835a920ae0fdaafdcfa81f2b23e5fc4d642d1d4aa81485a225e2c323d490b2201ec52fbd24f73feed9bf915ba1142d261

\Windows\system\SWYGisA.exe

MD5 a60d0f1995b2fcdc415515fe89bebfbe
SHA1 7dba5fa974f44a4d19010e6d9e931676b8224468
SHA256 1fa10e136c26049b83e7e9112366b23ef0c8e6d1d37c67fd6ddcac8765b200dd
SHA512 5ccb7371b34523f3700e829ac6db87053f9ae90faa571eb2bfcc09281db4a955939c0d682234f896affdcd1f80514b3931aa7b9b4339753be3284a7f313af7fe

C:\Windows\system\avJvisO.exe

MD5 72202a1b8e211616ec627ebcad1d238c
SHA1 ba2b66fdf2b9a533e110ac193170790c424d6344
SHA256 951f83f521c39cdce3bb4c755374a57f9036930507b4e13bd105fe6a97c5fbf4
SHA512 e0919eef66413d57fb8ea696962d7acadd92cf02d19b80c73d60c1f303f836e0ec67fa20bd1f74b5afb0c8baa18a60671c3e3bc1f358bc57070c73c6f058e948

memory/2100-95-0x000000013FDF0000-0x0000000140144000-memory.dmp

C:\Windows\system\DUmYMRW.exe

MD5 ae74e5ff8013bd682f119e62321bbcc7
SHA1 623ee45240ae2b832e019e61ba3a00cdb58f53df
SHA256 0dbbc31a411e052fb193cf86a9d6b7f10dda273363494a9db93bdddab726b765
SHA512 d10f037f2a0369724768f0fbebaf87758f8ca02ef9bc21b883694628b21cd031958fa370f50fa9d23d246e00ca97091a20aba6b72f31f2ae4362cf9fc383d99f

C:\Windows\system\EOyzXcJ.exe

MD5 810f453581e5643c1af42da99eddd354
SHA1 fc635be01443640fd204dffeaaaa9b0fb2e8032a
SHA256 91e18631ceaf2cacc9306b289343d4814b3ca79f3d5ebe941c8d4758a0aa5b10
SHA512 3ec84af2ae11d557c2328a3318ba397a133c26d9f114f3b79751423b5ebff4c70ed7c03dcbf987e6ece8b68bd4f5a3008f9871fad5898332244ef9e06e5cda44

C:\Windows\system\JSKbIFg.exe

MD5 04317a88aaec0315bcc8d331c5c9c028
SHA1 9552df9a5b4c08bea4cc6ab406748ffb61e94c82
SHA256 72945f518d6bb0a2ce6ea28f40feae0b7263b875b1a7085af9f140b2887c200b
SHA512 ff045214483d9766ca6420becb75500e0c2706a85e0be38dd691d7a4f2341e9197fc4a7f535853f75e7e9dfa360cfa29c9028a41b69c218dfc2bc83f709cac15

C:\Windows\system\TdMWKIo.exe

MD5 9ae907e7be48b1782ba2887ee4e03ec3
SHA1 64024f0e3c4f715f10202701f3d5bcadd315ecef
SHA256 bd69a67973579eb926054b0ca82d2c7a7156dccee8e183fa98656e3708f8ac28
SHA512 ee802fd11ea106e180ae870a9811de4de05714164ede5263ee2a988a7309e5ec135768b7f0b6e279952cb4429aa64b9eea89a55506e0d072a02c5a4237260344

\Windows\system\ohQmimU.exe

MD5 3cfdb205761a77afa4296842a24f2dac
SHA1 265a72f0874fafb5a4954468d6dc35a0f0db327a
SHA256 cd90ae3ca3de960ceb5002f0827b249a73b4ff79231888a283aee63c19e1de48
SHA512 cc5d0f9ddb50754d3936f211c18cc426450efa9b901ada7ecb7c49bce4d99a776f154b6afedf3b141f636340df6cba50b43202d55992614793f9557e7abad46e

\Windows\system\YZxnvfh.exe

MD5 480d3635c567e74d095293bfd86db640
SHA1 6079058b710bd07a6c4d38ee8705ab5895e00695
SHA256 06ba5767e4dd7ebe411f8afc3f4a9625c4f36c4b6cdbe638042c06b634231763
SHA512 2f0eb3c693ea9037661108c4df855984d13f61895ebd3a7b8d4d3ea02a9207e98b95d870075ba7eddc9f61fdf5247b0bc7dbc37b90db3451435fb5cd65aeea4c

memory/2100-121-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/2100-119-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2100-118-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/2776-114-0x000000013FC30000-0x000000013FF84000-memory.dmp

C:\Windows\system\QHlpmFJ.exe

MD5 0502f277e39492a525239eeb04ad4911
SHA1 b30a344b3b21cc737ed11a1cbf16283676275a33
SHA256 cae79c3036042a00261c3b99869d72a3fef99bab2b340bd26c37990eae60e12c
SHA512 cfdd6ee154de7b58e6ebc3f4959c8258b6f2b008e5f464b50f400d1e98ab5ea1823b48840dc57c806f7e21f2c584968955fb33dba96c4ebc2756495d0ddb2c16

memory/2856-109-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

C:\Windows\system\mylcZeG.exe

MD5 1c4b312da0df50ec18d06293197e54c5
SHA1 c6c3feb18f435800c545c11ac55b7de11ca4cffe
SHA256 d5b2f0ec763ee0ef452c380d11bdabf324a2776b9141daade8366db619015abe
SHA512 4bef741d00f8a96e57a4451818fe3bab12d656f36e97d7f31294fe86972a7db1095cef9a3293539a4cc79aaeb6af5ec8d3cc432cc86db1d18c344bcaabb7a0c4

memory/2100-78-0x000000013FC30000-0x000000013FF84000-memory.dmp

memory/2100-72-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2100-63-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2100-130-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2768-51-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2716-47-0x000000013F480000-0x000000013F7D4000-memory.dmp

C:\Windows\system\UXOBgKQ.exe

MD5 b69979f5dc8390499099cd8e8a99f5bf
SHA1 e7562538f58dfb3f3bae63f087de029bdcbbf322
SHA256 1c615521ef445d7ff0e76836e51012eba72ecd53ee28efc6caf6c152f58d10b6
SHA512 47fe55cedbb1fe79da2ecfbf7a24f53f9c332c01b09df0947c0f8afcaeee1572037e14c9424906cfdae73a792274c4d0cc54b5988af65c231287337eeb1155f7

memory/2716-131-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2768-133-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2624-132-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2100-134-0x000000013FC30000-0x000000013FF84000-memory.dmp

memory/2856-135-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2100-136-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/1676-137-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/2840-138-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/2904-139-0x000000013FB10000-0x000000013FE64000-memory.dmp

memory/2956-140-0x000000013F0F0000-0x000000013F444000-memory.dmp

memory/2624-141-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2716-142-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2768-143-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2856-146-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2812-145-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2776-144-0x000000013FC30000-0x000000013FF84000-memory.dmp
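
The memory dump names in this Files list (and in the behavioral2 list further down) encode the owning PID, a sequence number, and the start and end of the dumped region. The script below is an added example, not part of the sandbox output: it parses a subset of those names from both detonations and sizes the regions. Every image region comes out at 0x354000 bytes, both at the 0x13F... bases of behavioral1 and at the high-entropy 0x7FF6/0x7FF7... bases of behavioral2, which is what you expect when each differently-hashed dropped file unpacks to the same payload; the dumps, not the on-disk files, are therefore the artefacts to diff and scan. The name pattern is taken from the names as printed; reading the lone 0x10000 region of PID 4984 as a non-image allocation is an assumption.

```python
import re
from collections import Counter, defaultdict

# Added example. Dump names copied from this report's Files lists (a subset):
# the sandbox names each dump memory/<pid>-<seq>-<start>-<end>-memory.dmp.
DUMP_NAMES = [
    "memory/4984-0-0x00007FF73BD80000-0x00007FF73C0D4000-memory.dmp",   # behavioral2 parent
    "memory/4984-1-0x0000021046DD0000-0x0000021046DE0000-memory.dmp",   # parent, small region (assumed heap)
    "memory/4984-61-0x00007FF73BD80000-0x00007FF73C0D4000-memory.dmp",  # same mapping dumped again
    "memory/2148-20-0x00007FF79E610000-0x00007FF79E964000-memory.dmp",  # DnPcUHn.exe
    "memory/3612-26-0x00007FF6B2320000-0x00007FF6B2674000-memory.dmp",  # NlxJkDw.exe
    "memory/4108-38-0x00007FF6DD1A0000-0x00007FF6DD4F4000-memory.dmp",  # TRjkLJS.exe
    "memory/2100-121-0x000000013F2B0000-0x000000013F604000-memory.dmp", # behavioral1
    "memory/2100-119-0x0000000002320000-0x0000000002674000-memory.dmp", # behavioral1
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number, start, end and size in bytes."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a sandbox dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    # Regions are page granular; anything else means the name was mangled in transit.
    if end <= start or start % 0x1000 or end % 0x1000:
        raise ValueError(f"malformed region in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def region_size_histogram(names):
    """How many dumps were taken of regions of each size."""
    return Counter(parse_dump_name(n)["size"] for n in names)


def regions_by_pid(names):
    """Distinct (start, size) regions per PID; the same mapping dumped twice counts once."""
    regions = defaultdict(set)
    for n in names:
        d = parse_dump_name(n)
        regions[d["pid"]].add((d["start"], d["size"]))
    return dict(regions)


def shared_image_size(names):
    """The region size mapped by the most PIDs (ties: larger size), and those PIDs.
    One size shared by every process is the signature of one payload under many file names."""
    pids_per_size = defaultdict(set)
    for n in names:
        d = parse_dump_name(n)
        pids_per_size[d["size"]].add(d["pid"])
    size = max(pids_per_size, key=lambda s: (len(pids_per_size[s]), s))
    return size, pids_per_size[size]


if __name__ == "__main__":
    size, pids = shared_image_size(DUMP_NAMES)
    print(f"{len(pids)} processes map a 0x{size:X}-byte ({size:,} bytes) region: {sorted(pids)}")
    for pid, regions in sorted(regions_by_pid(DUMP_NAMES).items()):
        for start, sz in sorted(regions):
            print(f"  pid {pid}: 0x{start:016X} size 0x{sz:X}")
```

Run it on the full list of dump names from both detonations and the 0x354000 size (3,489,792 bytes) is the only one shared across PIDs; a second shared size would point to a second payload stage.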

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 02:14

Reported

2024-06-07 02:17

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(20 hits of this signature; the sandbox recorded no description, indicator, process or target for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(20 hits of this signature; the sandbox recorded no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 hits of this signature; the sandbox recorded no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 hits of this signature; the sandbox recorded no description, indicator, process or target for any of them)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 hits of this signature; the sandbox recorded no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\zdegSql.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ThDacIz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NlxJkDw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nSJSxaM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CwlPVEN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EAeIdhD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fTwDGdh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XjSjywS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HNIAYNk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IchQhdJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IXrTmOH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vttztRb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ViXkhcc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hkVCxqM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DnPcUHn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TRjkLJS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BEVDKaT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fkLVcUR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hPuULMX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pDexjHh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NmhRBDT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe N/A
SeLockMemoryPrivilege ("Lock pages in memory") is the privilege XMRig enables so that it can back its RandomX dataset with large pages. Outside database engines and similar large-memory services it is rarely requested, so a token adjustment for it by an unsigned binary in a user temp directory is a strong miner indicator and a cheap hunting pivot (Windows logs the adjustment as event 4703 when the Authorization Policy Change audit subcategory is enabled).

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4984 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\NmhRBDT.exe
PID 4984 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\NmhRBDT.exe
PID 4984 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\XjSjywS.exe
PID 4984 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\XjSjywS.exe
PID 4984 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\DnPcUHn.exe
PID 4984 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\DnPcUHn.exe
PID 4984 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\NlxJkDw.exe
PID 4984 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\NlxJkDw.exe
PID 4984 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\HNIAYNk.exe
PID 4984 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\HNIAYNk.exe
PID 4984 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\TRjkLJS.exe
PID 4984 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\TRjkLJS.exe
PID 4984 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\BEVDKaT.exe
PID 4984 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\BEVDKaT.exe
PID 4984 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\IchQhdJ.exe
PID 4984 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\IchQhdJ.exe
PID 4984 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\fkLVcUR.exe
PID 4984 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\fkLVcUR.exe
PID 4984 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\IXrTmOH.exe
PID 4984 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\IXrTmOH.exe
PID 4984 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\hPuULMX.exe
PID 4984 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\hPuULMX.exe
PID 4984 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\ThDacIz.exe
PID 4984 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\ThDacIz.exe
PID 4984 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\vttztRb.exe
PID 4984 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\vttztRb.exe
PID 4984 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\nSJSxaM.exe
PID 4984 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\nSJSxaM.exe
PID 4984 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\zdegSql.exe
PID 4984 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\zdegSql.exe
PID 4984 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\CwlPVEN.exe
PID 4984 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\CwlPVEN.exe
PID 4984 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\pDexjHh.exe
PID 4984 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\pDexjHh.exe
PID 4984 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\EAeIdhD.exe
PID 4984 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\EAeIdhD.exe
PID 4984 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\ViXkhcc.exe
PID 4984 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\ViXkhcc.exe
PID 4984 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\hkVCxqM.exe
PID 4984 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\hkVCxqM.exe
PID 4984 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\fTwDGdh.exe
PID 4984 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe C:\Windows\System\fTwDGdh.exe
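
The two tables above describe one behaviour: the sample creates 21 executables with random seven-letter names under C:\Windows\System and is then logged writing into the memory of a child process running each of them. The script below is an added example, not part of the sandbox output, that turns rows in exactly this layout into a per-parent fan-out, which is the shape of a hunting rule for this dropper. It embeds a subset of the rows (six of the 21 files); the minimum child count of 3 and the seven-letter name pattern are thresholds chosen for this sample. One caveat: in this sandbox a parent is routinely logged writing into a child it has just started, so the signal is the match between dropped paths and written-into children plus the fan-out, not the write on its own.

```python
import re
from collections import defaultdict

# Added example. Rows copied from the "Drops file in Windows directory" and
# "Suspicious use of WriteProcessMemory" tables of this report (behavioral2);
# six of the 21 dropped files are embedded, in the report's own row format.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71"
          r"_cobalt-strike_cobaltstrike.exe")

FILE_CREATED_ROWS = [
    f"File created C:\\Windows\\System\\{name}.exe {PARENT} N/A"
    for name in ("zdegSql", "ThDacIz", "NlxJkDw", "nSJSxaM", "NmhRBDT", "XjSjywS")
]
WRITE_ROWS = [
    f"PID 4984 wrote to memory of {pid} N/A {PARENT} C:\\Windows\\System\\{name}.exe"
    for pid, name in ((4844, "NmhRBDT"), (4844, "NmhRBDT"),   # each pair is logged twice
                      (4860, "XjSjywS"), (4860, "XjSjywS"),
                      (3612, "NlxJkDw"), (3612, "NlxJkDw"),
                      (1312, "nSJSxaM"), (1312, "nSJSxaM"),
                      (768, "zdegSql"), (768, "zdegSql"),
                      (3824, "ThDacIz"), (3824, "ThDacIz"))
]

FILE_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) \S+$")
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<proc>\S+) (?P<target>\S+)$"
)
# Assumed naming pattern for this sample: seven letters, .exe, directly under C:\Windows\System.
RANDOM_NAME = re.compile(r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_drops(rows):
    """Map dropped path -> image of the process that created it."""
    drops = {}
    for row in rows:
        m = FILE_RE.match(row)
        if m:
            drops[m["path"]] = m["proc"]
    return drops


def parse_writes(rows):
    """Map (src_pid, dst_pid) -> (src_image, dst_image); repeated rows collapse to one edge."""
    writes = {}
    for row in rows:
        m = WRITE_RE.match(row)
        if m:
            writes[(int(m["src"]), int(m["dst"]))] = (m["proc"], m["target"])
    return writes


def dropper_fanout(drops, writes, min_children=3):
    """For each source PID, the children it wrote into whose image it had itself dropped
    under a random name. Returns {src_pid: sorted [(dst_pid, path), ...]} above the threshold."""
    fanout = defaultdict(list)
    for (src, dst), (src_image, target) in writes.items():
        if drops.get(target) == src_image and RANDOM_NAME.match(target):
            fanout[src].append((dst, target))
    return {src: sorted(kids) for src, kids in fanout.items() if len(kids) >= min_children}


if __name__ == "__main__":
    hits = dropper_fanout(parse_drops(FILE_CREATED_ROWS), parse_writes(WRITE_ROWS))
    for src, kids in hits.items():
        print(f"PID {src} dropped and wrote into {len(kids)} random-named executables under C:\\Windows\\System")
        for dst, path in kids:
            print(f"  {dst}  {path}")
```

The same three conditions (executable created under C:\Windows\System by a non-installer, random name, parent then writing into a process running that path) translate directly into a Sysmon event 11 plus event 10 correlation on a real host.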

Processes

PID Process Command line
4984 C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe"
4844 C:\Windows\System\NmhRBDT.exe C:\Windows\System\NmhRBDT.exe
4860 C:\Windows\System\XjSjywS.exe C:\Windows\System\XjSjywS.exe
2148 C:\Windows\System\DnPcUHn.exe C:\Windows\System\DnPcUHn.exe
3612 C:\Windows\System\NlxJkDw.exe C:\Windows\System\NlxJkDw.exe
3464 C:\Windows\System\HNIAYNk.exe C:\Windows\System\HNIAYNk.exe
4108 C:\Windows\System\TRjkLJS.exe C:\Windows\System\TRjkLJS.exe
4568 C:\Windows\System\BEVDKaT.exe C:\Windows\System\BEVDKaT.exe
2960 C:\Windows\System\IchQhdJ.exe C:\Windows\System\IchQhdJ.exe
1620 C:\Windows\System\fkLVcUR.exe C:\Windows\System\fkLVcUR.exe
2188 C:\Windows\System\IXrTmOH.exe C:\Windows\System\IXrTmOH.exe
4236 C:\Windows\System\hPuULMX.exe C:\Windows\System\hPuULMX.exe
3824 C:\Windows\System\ThDacIz.exe C:\Windows\System\ThDacIz.exe
3600 C:\Windows\System\vttztRb.exe C:\Windows\System\vttztRb.exe
1312 C:\Windows\System\nSJSxaM.exe C:\Windows\System\nSJSxaM.exe
768 C:\Windows\System\zdegSql.exe C:\Windows\System\zdegSql.exe
2316 C:\Windows\System\CwlPVEN.exe C:\Windows\System\CwlPVEN.exe
2172 C:\Windows\System\pDexjHh.exe C:\Windows\System\pDexjHh.exe
468 C:\Windows\System\EAeIdhD.exe C:\Windows\System\EAeIdhD.exe
4164 C:\Windows\System\ViXkhcc.exe C:\Windows\System\ViXkhcc.exe
492 C:\Windows\System\hkVCxqM.exe C:\Windows\System\hkVCxqM.exe
2176 C:\Windows\System\fTwDGdh.exe C:\Windows\System\fTwDGdh.exe
(PIDs are cross-referenced from the Suspicious use of WriteProcessMemory table and the memory dump names; the submitted sample, PID 4984, is the parent of all 21 dropped executables, each of which is started with no arguments.)

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
The in-addr.arpa rows are reverse (PTR) lookups sent to Google Public DNS; none of them concerns 3.120.209.58. The only non-DNS traffic is the TCP connection to 3.120.209.58:8080, attempted six times with no preceding forward lookup, so the address is embedded in the binary. The report does not identify what answers on that port; treat it as the candidate C2 or mining-pool endpoint to pivot on, not as confirmed attribution.

Files

memory/4984-0-0x00007FF73BD80000-0x00007FF73C0D4000-memory.dmp

memory/4984-1-0x0000021046DD0000-0x0000021046DE0000-memory.dmp

C:\Windows\System\XjSjywS.exe

MD5 67629d342ff7050b3735222d9c78d14b
SHA1 2deae3ae6621a236959d28eab33ffc05d026a79b
SHA256 4d55f08b352bc99e822ab868a92b140c08b743c551a0c216af5ad49bfdda47c4
SHA512 35f372461dfe2748b38aeed9b718219fa0d20d2c907d47d784877bf2236449be00d2534f7b49c92ccf3f2b840bb2cc8c31659b7047e5d4bad529cfa879ce6994

C:\Windows\System\DnPcUHn.exe

MD5 7891e24f2609f4256ee6c9f758a6432a
SHA1 b8ae70840bc4adda356a87a10442a90a60b0a4dd
SHA256 5c75c76b2c66582718f42887ce71f51442f397053751eba7cc65a70ff7a46a23
SHA512 fe3b98af74328f69a091a6541c63069ef2169bae2ac7f69065f3208faa062cb86001acbff8d834dc38bd0bc02e3f9ffc47a343c777bd033c6b471366677f0bcc

memory/2148-20-0x00007FF79E610000-0x00007FF79E964000-memory.dmp

memory/3612-26-0x00007FF6B2320000-0x00007FF6B2674000-memory.dmp

C:\Windows\System\HNIAYNk.exe

MD5 8accae566aab9da58b4aeef107d02918
SHA1 8f1ee777b03b99a2a9c8c11ed933af38b11b781e
SHA256 edca7de1352fe84bb1bd9722e1413faaf8b35b7cedc1ba327920f9e59975158a
SHA512 f3c7803cf64b5f9beae533f515cd6139eabb8f04ce793fddb846f1c9e8726961189b98f27622f3b18ffa48dedbcb311c4b4229d63fb5a0ec2c0133a304766511

C:\Windows\System\TRjkLJS.exe

MD5 303f172fb69b585c09f8a12cc3eb00a3
SHA1 32a233f25cbc21b1259f8e217cd146bea4a0893c
SHA256 2c92f40b35257e94bc90f2ea1b389ce06441cff6558f91aa686638d32e4a2ccb
SHA512 ddb36057801834080e75b28e1b04000362d5d0fcb5a3aa24fe8e2fd2319ba25ab3e726b4adb851a76472cd7c883f682cdfcbd5027916229478ef5fd778cec439

memory/4108-38-0x00007FF6DD1A0000-0x00007FF6DD4F4000-memory.dmp

C:\Windows\System\BEVDKaT.exe

MD5 8b92fefd22e99b2d4222337bd53e7487
SHA1 ae2ec85efaff2167728da9a570e7922a7e993994
SHA256 ebba6cf8c8f66975b88b010dcba635e9c7b192dcdfeeb44ef5c7f3aed7301230
SHA512 9673f3b79587d09dd0fef764df4703a9d1a1d91adac6e19c1439ee374782829d79b475ccf7f9bcde6e2163697e016d8751d2cfdf7f8e83b8b9a0dee79b1034ab

C:\Windows\System\BEVDKaT.exe

MD5 f6cdfb3d88537b367792cbd894bd98ed
SHA1 3d3f99c94c72c456dffcf949bc5d30603a7e936c
SHA256 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86
SHA512 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

C:\Windows\System\IchQhdJ.exe

MD5 992e15ebc2245cf970acce9948576d6c
SHA1 3322f50d4aebf915abc8a5277cd07a23adf5f127
SHA256 34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5
SHA512 2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7

memory/4568-44-0x00007FF601C40000-0x00007FF601F94000-memory.dmp

C:\Windows\System\fkLVcUR.exe

MD5 5ae4eed7a593ff3f56c7ac5fcd00c4d1
SHA1 730b300cd0e998f81f52135b21d6a265749b0964
SHA256 db05b8b2745ae97ba68460cc47d128fcef999301332723637869245dea3b2412
SHA512 74006c05616848350bc7f837ba2005f90328b33943b7b71b03b501e5ba8a7cbd1ec2a7b295e5b39132194d8cc4a1642cb02a9234d02f3b75da738ce2cfd6dcc5

memory/4984-61-0x00007FF73BD80000-0x00007FF73C0D4000-memory.dmp

memory/4860-75-0x00007FF7B5950000-0x00007FF7B5CA4000-memory.dmp

C:\Windows\System\nSJSxaM.exe

MD5 56711c7cc945116d3533f8f0f0f92b6d
SHA1 4ccf479a2b798fd0d6569aa05b82252b9e6af619
SHA256 7903e96ed230aa6d4c6a7e2e44bcd4791553379e3e66dedbd0a3e56ec094ed61
SHA512 47fd5466efc0c61ff0f92e47c46f75e47067e3a9a43e39cf191aaebd72cc818463b7b06a3993ff20837b514ef41fa91ae9461c176f5f1304820b137dc7bc9b41

memory/1312-92-0x00007FF6CF080000-0x00007FF6CF3D4000-memory.dmp

memory/2316-99-0x00007FF6EBCC0000-0x00007FF6EC014000-memory.dmp

C:\Windows\System\CwlPVEN.exe

MD5 984a8cf637fc9f46a5be1646493a183b
SHA1 eff3045fcb5d0b4a9321004fdd3e94f3f336f5af
SHA256 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068
SHA512 f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

memory/3464-98-0x00007FF7221E0000-0x00007FF722534000-memory.dmp

memory/768-97-0x00007FF669AC0000-0x00007FF669E14000-memory.dmp

C:\Windows\System\CwlPVEN.exe

MD5 14c0c501202ef989c5e7ec4e03c61323
SHA1 bded9d69e53fc3aafaf4dbc8c7e12d37782f30cd
SHA256 863491417c6ea22f4ce0af6ebd9081316de139748a1b9684de1179cf6e3ee774
SHA512 c496d7265307736640a049a4e8ba3b6dea75632dec5e76b5b8bac98718eb58b8e1e6548afba6d72407b5102640ed12ac193b6e207185d5a58095c625dbcd077c

C:\Windows\System\zdegSql.exe

MD5 355e2d36947e57df747f1e4763dae2c8
SHA1 19f41a82de4663509860b79c4acd4e364984aed1
SHA256 c35688fe448ffa0531b5b00249296c75825be9754157e8738f8b70c4a98d3c19
SHA512 324ae2be6738ad3113643aa7dbc16128544774a231033254428a55d7472c8b172ffce6f34c480cbda31e11d060a56997be8ff935b495e099fb85126330b54492

memory/4108-110-0x00007FF6DD1A0000-0x00007FF6DD4F4000-memory.dmp

C:\Windows\System\EAeIdhD.exe

MD5 d087d60bee972482ba414dde57d94064
SHA1 0e58102d75409e85387c950e86f4cc96da371515
SHA256 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9
SHA512 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b

C:\Windows\System\hkVCxqM.exe

MD5 20885a1e82b980e480bdd9a1297b7d54
SHA1 ba4bfd697c59fd05587a0be77065afb5673a5fac
SHA256 9fdb8e352bd8da8a72baf57e250c6670ce46c29c7a9bd055bb8a040728707d2c
SHA512 9da153b66f616a6d5df57d156faf8a16a72679d5192113b0915127000b1754f13d093a6a5a0c05ae8c2549c342ed404d061b749078b05b165a844e484ab38d88

C:\Windows\System\fTwDGdh.exe

MD5 4e1978304498602f375c7f0171779b3b
SHA1 3f64a9376490cb8e749f4c335dc53ed55eca9b0c
SHA256 edb1772978ddefe11a3f0c3498a5da99df960a1b2a343f95ae14b7338132033a
SHA512 99cfd972f5a031ab61c109393f974f36973cfda4b92f7e156fbbec6acc42f2a0d468be1e617b3ababd78e41ff4e90649116e5069423bf48758e21db3576efa5d

C:\Windows\System\fTwDGdh.exe

MD5 c2630368f2b0f1676e4f1cfe1abe40fe
SHA1 1a1ea934cad8c04d2d7cb52f6d24efa72171b9bb
SHA256 ba2b6ec7283487518598a85cf876bd237f0f22469f9ddb98503daa3b393dd952
SHA512 0aab36dba19a00b9153d667bd13a12f0f52c3bc100eb4b39808efd5f028076649453c97409b4e3cd94bf4c0fd01aceb1a9a9bb93111ac83c147c79b204a0dec0

C:\Windows\System\ViXkhcc.exe

MD5 3626572e37bdbe37a41abf8c766599ed
SHA1 919cc1b646d8c5784b042a10078664d2a727f49f
SHA256 6e433e31caf2e450acd96df5f6315c69c3e4b693f3d3175e4af89da5c8d975ad
SHA512 de8a8dbe563771ab659ccf4476c498a766734ead5843f323f35fd299b2eefc1aad2cbf99797786c1a7fe4d827fdba82f366c064cb5b6de9212622081bb7a6067

memory/2172-112-0x00007FF603550000-0x00007FF6038A4000-memory.dmp

C:\Windows\System\EAeIdhD.exe

MD5 c2e2eb364720d85a13441b7c7e657e04
SHA1 2e4e5c515e17c9fb6d5d5edcc92a1b6b2344e1bb
SHA256 a3dfa0af332c6e533bb22dc8421e15479f3f51af46ad432958e9ce07d4f23233
SHA512 c79c3c1c985e774222ef73ccd8cbebe61ad4e40c7162d1387609b781797f4f020e2c6ee6c5069c39c4faa0c9a6d7b349697535f2eeb4d97169926869e4247041

C:\Windows\System\pDexjHh.exe

MD5 a3a1d1007fc84146c8a69ec68d283ebf
SHA1 177b59e56c09073a63fc5fb5b5af33faa4959d2f
SHA256 2c18046c2f46105b5d36a80b4a12814cd02e1826c9ee753e096ce0a2cdbed6da
SHA512 a8c08fc18b1354053fa2a6ba96847d27ba0c064fd8ef962a7edc27773bec68c600ad831c8790c73f32d083ace40b9267c5e0f5242dccc25a3bbf5d5eea49785d

C:\Windows\System\vttztRb.exe

MD5 ee29a6b53cfbe9ed13da73058af639d1
SHA1 57b7d190b7c70f98c15a3dfac9fc14d0037c5087
SHA256 5a0aca84eb58f9165eaf307a1beaddbc8d551115f8deaa587c8acafd07d33da3
SHA512 680a8c498af2bd5f11ec7e361d64cd83f667fdc49fc50a6dcd639f2fdb98af8617f7b587c1e152c13e53eae082e36f63a93e41aaa728bf58b59cb6a098ed752c

C:\Windows\System\nSJSxaM.exe

MD5 ce95ecfd82cad989d07f01bb5a4e0e62
SHA1 9c404e62c6a147d88e2c4214a4a0c1206972e9c1
SHA256 593e7bd118d819d8e39ef2651ab132601260307c705634ada0a2db317b292576
SHA512 c2ff795a22229b7c15805b1e961a5dfe271dec3d9731c58be06511c88be95cff0caaac2a29a6db9c14604bb11c8d799f874a0f83a490e055a4995d26515db084

memory/3600-82-0x00007FF6E0810000-0x00007FF6E0B64000-memory.dmp

memory/3824-79-0x00007FF7845E0000-0x00007FF784934000-memory.dmp

C:\Windows\System\ThDacIz.exe

MD5 67a5ae984b7db2ab866e1943e34e183a
SHA1 b0e5dae93649604f7669893db8061c37bbdce562
SHA256 05ba064117846a4368ff545dad29f2640f4fdc3ccbfc79f79745d7e94d30d69c
SHA512 9349a1dfaaad966bb41f0b86570dc632e26eb4249ada7495571a94101fcf4af707520ee99c47dbd83d3742dd615b6f1e13ab003c53354883b331e091839b6398

memory/4236-69-0x00007FF71C430000-0x00007FF71C784000-memory.dmp

memory/4844-68-0x00007FF6A4940000-0x00007FF6A4C94000-memory.dmp

C:\Windows\System\hPuULMX.exe

MD5 64090638d2c164401be64511b1653920
SHA1 7a389409960d17f335325014339f50d0231114a7
SHA256 191bc44a70b8757cb053ed2a0218a11355b3a26b7171c721e65df4aa87a920fc
SHA512 b7a0fb72e3c1bb073454386153fe7e4fa392c9556e511a3c206500bbbbd46efe0038a625c4ce3886bee483f5064b7ec3873e70d5fa43cc2290ef612ef6c0b9dd

memory/2188-63-0x00007FF6AAEA0000-0x00007FF6AB1F4000-memory.dmp

C:\Windows\System\IXrTmOH.exe

MD5 250d8db05b6cb6049b338f6b383fbfd9
SHA1 ce2c6ab8465d0b9041cc8de957bbbed6a93833e0
SHA256 0b4bb40b19e9a25ea181d530f014e0e44beb08e1438e0855ff223fe7992a403a
SHA512 2aa6c6c92d32641f1317aa228177dcafb710d5bcd844fc86ea65028a70699cf20261d841c804016e594b915a6c9d85e1e9bbcef77ec264ae2915df4e1e546328

memory/492-130-0x00007FF79EA50000-0x00007FF79EDA4000-memory.dmp

memory/468-129-0x00007FF7F7D10000-0x00007FF7F8064000-memory.dmp

memory/2176-131-0x00007FF695B60000-0x00007FF695EB4000-memory.dmp

memory/4164-132-0x00007FF7394F0000-0x00007FF739844000-memory.dmp

memory/1620-54-0x00007FF672560000-0x00007FF6728B4000-memory.dmp

memory/2960-50-0x00007FF6FBDC0000-0x00007FF6FC114000-memory.dmp

C:\Windows\System\IchQhdJ.exe

MD5 1e2459942327eb396bd8cd9cbc885d14
SHA1 b979cbcb517509c30843efb1d91bef30f1f24a44
SHA256 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a
SHA512 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7

memory/3464-32-0x00007FF7221E0000-0x00007FF722534000-memory.dmp

C:\Windows\System\NlxJkDw.exe

MD5 d3667e7e04c2ec70f06af63a56f0f789
SHA1 33dee0679bcd2fd5d87e1821cdedcceb77405aa0
SHA256 4312dde1e624351aaa73110209d80258f6895f112610806b1f90c97c064797fa
SHA512 2da66b9d78b92a7b8a851f2770634abc95373be6ac7afcd4dc521eddafee56525ad9cd7f99bc35833f7fa90ecd4f51c64703e3b7171f9bf5006c143757cad890

memory/4860-14-0x00007FF7B5950000-0x00007FF7B5CA4000-memory.dmp

memory/4844-8-0x00007FF6A4940000-0x00007FF6A4C94000-memory.dmp

C:\Windows\System\NmhRBDT.exe

MD5 a7a6fc3b5ab329e478fd33474d432cf7
SHA1 00c235e83978df533a6b54e3672676a472300401
SHA256 a6edae496b561f21c0e4eab1f9dc940f3480b1107632f6119d43fe1d8f738519
SHA512 cc66a44a8ee9c4570819910313d769bda8ec8c185c5418c252f894211a3b2365c1e83ffb3f49759c5f2044dbb8c03f188d042c0992c20a97166c13c5e04c0880

memory/1620-133-0x00007FF672560000-0x00007FF6728B4000-memory.dmp

memory/3824-135-0x00007FF7845E0000-0x00007FF784934000-memory.dmp

memory/4236-134-0x00007FF71C430000-0x00007FF71C784000-memory.dmp

memory/768-137-0x00007FF669AC0000-0x00007FF669E14000-memory.dmp

memory/3600-136-0x00007FF6E0810000-0x00007FF6E0B64000-memory.dmp

memory/2316-138-0x00007FF6EBCC0000-0x00007FF6EC014000-memory.dmp

memory/4844-139-0x00007FF6A4940000-0x00007FF6A4C94000-memory.dmp

memory/4860-140-0x00007FF7B5950000-0x00007FF7B5CA4000-memory.dmp

memory/2148-141-0x00007FF79E610000-0x00007FF79E964000-memory.dmp

memory/3612-142-0x00007FF6B2320000-0x00007FF6B2674000-memory.dmp

memory/3464-143-0x00007FF7221E0000-0x00007FF722534000-memory.dmp

memory/4108-144-0x00007FF6DD1A0000-0x00007FF6DD4F4000-memory.dmp

memory/4568-145-0x00007FF601C40000-0x00007FF601F94000-memory.dmp

memory/2960-146-0x00007FF6FBDC0000-0x00007FF6FC114000-memory.dmp

memory/2188-148-0x00007FF6AAEA0000-0x00007FF6AB1F4000-memory.dmp

memory/4236-149-0x00007FF71C430000-0x00007FF71C784000-memory.dmp

memory/1620-147-0x00007FF672560000-0x00007FF6728B4000-memory.dmp

memory/3824-150-0x00007FF7845E0000-0x00007FF784934000-memory.dmp

memory/3600-151-0x00007FF6E0810000-0x00007FF6E0B64000-memory.dmp

memory/768-153-0x00007FF669AC0000-0x00007FF669E14000-memory.dmp

memory/2316-154-0x00007FF6EBCC0000-0x00007FF6EC014000-memory.dmp

memory/1312-152-0x00007FF6CF080000-0x00007FF6CF3D4000-memory.dmp

memory/2172-155-0x00007FF603550000-0x00007FF6038A4000-memory.dmp

memory/4164-157-0x00007FF7394F0000-0x00007FF739844000-memory.dmp

memory/468-156-0x00007FF7F7D10000-0x00007FF7F8064000-memory.dmp

memory/492-158-0x00007FF79EA50000-0x00007FF79EDA4000-memory.dmp

memory/2176-159-0x00007FF695B60000-0x00007FF695EB4000-memory.dmp
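
Each dropped executable above is listed with MD5, SHA1, SHA256 and SHA512, and six paths in this list (BEVDKaT.exe, CwlPVEN.exe, EAeIdhD.exe, fTwDGdh.exe, IchQhdJ.exe, nSJSxaM.exe) appear twice with different digests, meaning the file on disk was rewritten during the run, so a single hash per path is not enough for blocking. The parser below is an added example, not the sandbox's code. It reads a block in the report's own layout (a path line, four digest lines, memory-dump names interleaved; a subset of this list is embedded), validates the digest lengths so that a truncated hash is caught before it reaches a blocklist, flags rewritten paths, and emits one line per distinct SHA256.

```python
import re
from collections import defaultdict

# Added example, not sandbox output. A subset of this report's behavioral2 Files
# list, copied in the report's own layout: a path line, then one line per digest,
# with memory-dump names interleaved between file entries.
FILES_TEXT = r"""
memory/4984-0-0x00007FF73BD80000-0x00007FF73C0D4000-memory.dmp

C:\Windows\System\BEVDKaT.exe

MD5 8b92fefd22e99b2d4222337bd53e7487
SHA1 ae2ec85efaff2167728da9a570e7922a7e993994
SHA256 ebba6cf8c8f66975b88b010dcba635e9c7b192dcdfeeb44ef5c7f3aed7301230
SHA512 9673f3b79587d09dd0fef764df4703a9d1a1d91adac6e19c1439ee374782829d79b475ccf7f9bcde6e2163697e016d8751d2cfdf7f8e83b8b9a0dee79b1034ab

C:\Windows\System\BEVDKaT.exe

MD5 f6cdfb3d88537b367792cbd894bd98ed
SHA1 3d3f99c94c72c456dffcf949bc5d30603a7e936c
SHA256 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86
SHA512 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

memory/4568-44-0x00007FF601C40000-0x00007FF601F94000-memory.dmp

C:\Windows\System\fkLVcUR.exe

MD5 5ae4eed7a593ff3f56c7ac5fcd00c4d1
SHA1 730b300cd0e998f81f52135b21d6a265749b0964
SHA256 db05b8b2745ae97ba68460cc47d128fcef999301332723637869245dea3b2412
SHA512 74006c05616848350bc7f837ba2005f90328b33943b7b71b03b501e5ba8a7cbd1ec2a7b295e5b39132194d8cc4a1642cb02a9234d02f3b75da738ce2cfd6dcc5
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files_section(text):
    """One record per file entry (path plus digests) or memory-dump name, in report order."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:      # digest line with no preceding path: ignore it
                continue
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{current['path']}: {algo} has {len(digest)} hex digits, "
                                 f"expected {HASH_LEN[algo]}")
            current[algo.lower()] = digest
        elif line.startswith("memory/"):
            records.append({"kind": "memory_dump", "path": line})
            current = None
        else:
            current = {"kind": "file", "path": line}
            records.append(current)
    return records


def rewritten_paths(records):
    """Paths listed with more than one SHA256: the file was overwritten during the run."""
    by_path = defaultdict(set)
    for r in records:
        if r["kind"] == "file" and "sha256" in r:
            by_path[r["path"]].add(r["sha256"])
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


def ioc_lines(records):
    """One 'sha256  path' line per distinct file hash, ready for a blocklist or hash rule."""
    seen, out = set(), []
    for r in records:
        if r["kind"] == "file" and r.get("sha256") and r["sha256"] not in seen:
            seen.add(r["sha256"])
            out.append(f'{r["sha256"]}  {r["path"]}')
    return out


if __name__ == "__main__":
    recs = parse_files_section(FILES_TEXT)
    for path, hashes in rewritten_paths(recs).items():
        print(f"rewritten on disk: {path} ({len(hashes)} distinct SHA256)")
    print("\n".join(ioc_lines(recs)))
```

Because every one of the 21 dropped files carries its own digests and several are rewritten, a path-based or single-hash indicator from this report misses most of the on-disk copies; the per-process memory dumps, which share one image size, are the better source for a content-based rule.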