Malware Analysis Report

2024-10-16 03:08

Sample ID 240608-pmccqsce36
Target 2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike
SHA256 a92b581c614e7c5ab32dcece872208efda7708e7b2357f182e5c3610c95c5c95
Tags: miner, upx, xmrig, cobaltstrike, backdoor, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a92b581c614e7c5ab32dcece872208efda7708e7b2357f182e5c3610c95c5c95

Threat Level: Known bad

The file 2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags: miner, upx, xmrig, cobaltstrike, backdoor, trojan

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobaltstrike

Cobalt Strike reflective loader

xmrig

Detects Reflective DLL injection artifacts

Xmrig family

Cobaltstrike family

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 12:26

Signatures

Cobalt Strike reflective loader

No indicator details recorded.

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

No indicator details recorded.

UPX dump on OEP (original entry point)

No indicator details recorded.

XMRig Miner payload

miner
No indicator details recorded.

Xmrig family

xmrig

UPX packed file

upx
No indicator details recorded.

Unsigned PE

No indicator details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 12:26

Reported

2024-06-08 12:29

Platform

win7-20240508-en

Max time kernel

139s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches; no per-match details were recorded (every field N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches; no per-match details were recorded (every field N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
58 matches; no per-match details were recorded (every field N/A)

XMRig Miner payload

miner
Description Indicator Process Target
63 matches; no per-match details were recorded (every field N/A)

Loads dropped DLL

Description Indicator Process Target
21 matches, all from process C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe; the loaded DLL was not recorded (Indicator and Target N/A)

UPX packed file

upx
Description Indicator Process Target
59 matches; no per-match details were recorded (every field N/A)

Drops file in Windows directory

Description Indicator Process Target
Process (all rows): C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe
File created (20 randomly named executables, all placed in the legacy C:\Windows\System directory rather than System32; Indicator and Target N/A):
C:\Windows\System\jZRFwEU.exe
C:\Windows\System\yQJFBVW.exe
C:\Windows\System\QwfcrpB.exe
C:\Windows\System\iNCzGSC.exe
C:\Windows\System\yFnvZBn.exe
C:\Windows\System\aRNCLmh.exe
C:\Windows\System\rHnUquP.exe
C:\Windows\System\tSYCHQB.exe
C:\Windows\System\eeQkvkc.exe
C:\Windows\System\uCxxAos.exe
C:\Windows\System\LCYQVfN.exe
C:\Windows\System\tdQgUIX.exe
C:\Windows\System\pelcpiD.exe
C:\Windows\System\dhdrFkn.exe
C:\Windows\System\ugZzhKb.exe
C:\Windows\System\tbJhpLU.exe
C:\Windows\System\WzIlBQJ.exe
C:\Windows\System\jhPqurN.exe
C:\Windows\System\ifvuHeS.exe
C:\Windows\System\NAaZSnm.exe
C:\Windows\System\IKzYbtG.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig enables so that its RandomX dataset can be backed by large pages; a process running from a user's Temp directory enabling it is a strong miner indicator on its own.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Process (all rows): C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe (PID 2972). Each target receives exactly three writes, consistent with the parent setting up a process it has just created rather than injecting into an unrelated one. Indicator is N/A in every row.
PID 2972 wrote to memory of 2792 (3 writes) Target: C:\Windows\System\iNCzGSC.exe
PID 2972 wrote to memory of 1884 (3 writes) Target: C:\Windows\System\yFnvZBn.exe
PID 2972 wrote to memory of 2612 (3 writes) Target: C:\Windows\System\jZRFwEU.exe
PID 2972 wrote to memory of 2100 (3 writes) Target: C:\Windows\System\tdQgUIX.exe
PID 2972 wrote to memory of 2720 (3 writes) Target: C:\Windows\System\WzIlBQJ.exe
PID 2972 wrote to memory of 2936 (3 writes) Target: C:\Windows\System\aRNCLmh.exe
PID 2972 wrote to memory of 2928 (3 writes) Target: C:\Windows\System\jhPqurN.exe
PID 2972 wrote to memory of 2788 (3 writes) Target: C:\Windows\System\ifvuHeS.exe
PID 2972 wrote to memory of 2768 (3 writes) Target: C:\Windows\System\NAaZSnm.exe
PID 2972 wrote to memory of 2728 (3 writes) Target: C:\Windows\System\pelcpiD.exe
PID 2972 wrote to memory of 2772 (3 writes) Target: C:\Windows\System\rHnUquP.exe
PID 2972 wrote to memory of 2632 (3 writes) Target: C:\Windows\System\dhdrFkn.exe
PID 2972 wrote to memory of 2516 (3 writes) Target: C:\Windows\System\yQJFBVW.exe
PID 2972 wrote to memory of 2584 (3 writes) Target: C:\Windows\System\ugZzhKb.exe
PID 2972 wrote to memory of 468 (3 writes) Target: C:\Windows\System\tSYCHQB.exe
PID 2972 wrote to memory of 1756 (3 writes) Target: C:\Windows\System\QwfcrpB.exe
PID 2972 wrote to memory of 1264 (3 writes) Target: C:\Windows\System\tbJhpLU.exe
PID 2972 wrote to memory of 2836 (3 writes) Target: C:\Windows\System\eeQkvkc.exe
PID 2972 wrote to memory of 2876 (3 writes) Target: C:\Windows\System\uCxxAos.exe
PID 2972 wrote to memory of 2996 (3 writes) Target: C:\Windows\System\IKzYbtG.exe
PID 2972 wrote to memory of 3044 (3 writes) Target: C:\Windows\System\LCYQVfN.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe (PID 2972)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe"

Processes started from the dropped copies (command line identical to the image path; PIDs taken from the WriteProcessMemory signature, which records the parent writing into each new process):

C:\Windows\System\iNCzGSC.exe (PID 2792)
C:\Windows\System\yFnvZBn.exe (PID 1884)
C:\Windows\System\jZRFwEU.exe (PID 2612)
C:\Windows\System\tdQgUIX.exe (PID 2100)
C:\Windows\System\WzIlBQJ.exe (PID 2720)
C:\Windows\System\aRNCLmh.exe (PID 2936)
C:\Windows\System\jhPqurN.exe (PID 2928)
C:\Windows\System\ifvuHeS.exe (PID 2788)
C:\Windows\System\NAaZSnm.exe (PID 2768)
C:\Windows\System\pelcpiD.exe (PID 2728)
C:\Windows\System\rHnUquP.exe (PID 2772)
C:\Windows\System\dhdrFkn.exe (PID 2632)
C:\Windows\System\yQJFBVW.exe (PID 2516)
C:\Windows\System\ugZzhKb.exe (PID 2584)
C:\Windows\System\tSYCHQB.exe (PID 468)
C:\Windows\System\QwfcrpB.exe (PID 1756)
C:\Windows\System\tbJhpLU.exe (PID 1264)
C:\Windows\System\eeQkvkc.exe (PID 2836)
C:\Windows\System\uCxxAos.exe (PID 2876)
C:\Windows\System\IKzYbtG.exe (PID 2996)
C:\Windows\System\LCYQVfN.exe (PID 3044)
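The following is an added example, not part of the sandbox report, that rebuilds the process tree from the "Suspicious use of WriteProcessMemory" rows and cross-checks it against the "Drops file in Windows directory" rows, so that drop-and-execute pairs and leftovers fall out mechanically instead of being read off by eye. The rows are copied from this report but deliberately form a subset: three written-into children and four dropped files, so yQJFBVW.exe (which the full report does show executed as PID 2516) has no matching write here and exercises the mismatch path.

```python
"""Added example, not part of the sandbox report: rebuild the process tree
from the WriteProcessMemory rows and cross-check it against the dropped
files. Row text is copied from the report; the subset is chosen so one
dropped file has no matching write."""
import re
from collections import defaultdict

WPM_ROWS = r"""
PID 2972 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\iNCzGSC.exe
PID 2972 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\iNCzGSC.exe
PID 2972 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\iNCzGSC.exe
PID 2972 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\yFnvZBn.exe
PID 2972 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\yFnvZBn.exe
PID 2972 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\yFnvZBn.exe
PID 2972 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\jZRFwEU.exe
PID 2972 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\jZRFwEU.exe
PID 2972 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\jZRFwEU.exe
"""

DROP_ROWS = r"""
File created C:\Windows\System\jZRFwEU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yQJFBVW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iNCzGSC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yFnvZBn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")


def parse_writes(text):
    """(src_pid, dst_pid) -> {count, source, target}; repeated rows are counted, not kept."""
    writes = {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        w = writes.setdefault(key, {"count": 0, "source": m.group(3), "target": m.group(4)})
        w["count"] += 1
    return writes


def parse_drops(text):
    """dropped path (lower-cased: Windows paths are case-insensitive) -> dropping process"""
    drops = {}
    for line in text.strip().splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            drops[m.group(1).lower()] = m.group(2)
    return drops


def build_tree(writes):
    """parent pid -> sorted [(child pid, child image, write count)]"""
    tree = defaultdict(list)
    for (src, dst), w in writes.items():
        tree[src].append((dst, w["target"], w["count"]))
    return {p: sorted(kids) for p, kids in tree.items()}


def cross_check(writes, drops):
    """Dropped files that were also written into as processes, plus the leftovers."""
    written = {w["target"].lower() for w in writes.values()}
    dropped = set(drops)
    return {
        "dropped_and_written": sorted(dropped & written),
        "dropped_only": sorted(dropped - written),
        "written_not_dropped": sorted(written - dropped),
    }


def render(tree, writes):
    """Plain-text tree, one line per process."""
    lines = []
    for parent, kids in sorted(tree.items()):
        parent_img = next(w["source"] for (s, _), w in writes.items() if s == parent)
        lines.append(f"{parent}  {parent_img}")
        for pid, img, n in kids:
            lines.append(f"  +- {pid}  {img}  ({n} writes)")
    return "\n".join(lines)


if __name__ == "__main__":
    w = parse_writes(WPM_ROWS)
    print(render(build_tree(w), w))
    for k, v in cross_check(w, parse_drops(DROP_ROWS)).items():
        print(f"{k}: {v}")
```

Run against the full tables the "dropped_only" and "written_not_dropped" lists come back empty, which is the shape of a pure drop-and-execute loader; a non-empty "written_not_dropped" list would instead point at injection into a pre-existing process.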

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 connections, no domain recorded)

Files

memory/2972-0-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2972-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\iNCzGSC.exe

MD5 90e69951485f0bb3c1bf4f949de6106d
SHA1 db95e5a117cd7d818575604fa811ad9a36829a02
SHA256 27a201766ece763dde900c442af719ff131fea401bd6f0bd364c80033a0bad37
SHA512 4b68af358ae57fa592f8ff1a28c6f536177e3e76310a1917fe308330a638357f6c48ea1b1a65b33d535c85b015085a85232976d3ef1bcfd5d7881fb1dc9e42be

C:\Windows\system\jZRFwEU.exe

MD5 4ae083a6b4718985abd5dfdf40f7aad6
SHA1 01997fabf7115bbc5b1245b8b8e0fbb956efac0e
SHA256 d6400e5de4ec2c02d4b0645de28c87dc890eb3de96fb5f83cc250a4a28b52fbb
SHA512 a74f8f37205374a5748fe478c6fda5bd514713c9ebdbc75cd1cfe2457a4c147b06ec62da4009bb80f7c0e31326c2e61bef6c0b9b3ac08295f339ed3de2a35bd1

C:\Windows\system\tdQgUIX.exe

MD5 c2f2cc5c541cfdbbb7775fab47ee3ec8
SHA1 8a5bb7c9db9b3378ec0192708be582b7c73ca8c4
SHA256 587028af1a24d1af37cdff6f53f5928f8c993d80e7c30d1b7b59a7d3fa34b15e
SHA512 38740ca3a786b57be4b93e55050906776eaa4b2950bf2c4978fab185a5fd3b9f2ede8e216ee94f595cfabdb1e40f7f6fd427642ec8b24e85851059a8bf9745c6

C:\Windows\system\ifvuHeS.exe

MD5 9273ab9b4d9e65d031e05dc4c6270794
SHA1 0b83e1bd74b0e20f90ebe4b7a3e4a267e13df0a4
SHA256 7b9f92de44c4ee1d5e9231ba8e4bc15b396a4379e0b162e3ea1e4465b3bbccd5
SHA512 8415761f36ef7c438406b28669e0069e5f567e2c97f81780ac0bcd579d522ceb3dbdb4675ee569a8c5a782e5bf1860ae591066302d44f520ed8ca5836d2f2d6a

C:\Windows\system\rHnUquP.exe

MD5 813990620918b10b69fc589ff6ce7cef
SHA1 7d6aa4cfb858fdd4873481186ecf7c22b33faa2c
SHA256 020d44a835754f30b493a4811c09d0fb498a8837f3101d8112013caa9f5d2d9e
SHA512 5ec283567e6debe9d99ec84804e8b48291a962af369fd07b2876625bcbe671ddb723abc09082804dc5d5b863dc6379a15d4107c352f68816717ab6344fa3a20c

C:\Windows\system\tbJhpLU.exe

MD5 def8ecb7e32d64885cfd985f0e95653e
SHA1 e627f417e194af756b56f020e83ffd9dc2078e8d
SHA256 34da9da346c303c75e21d39408fd1c112c27ed96452e43b64733b7a3d23301e4
SHA512 fec4d27994864d6410d1dfa7b40d65517f3e62cb8210784a84b9a0b497f5ea5cd38dc6fe57b5c51a88fb8bb240f97116c155eb58eadaf577946d76f1b7282a9a

\Windows\system\LCYQVfN.exe

MD5 992e15ebc2245cf970acce9948576d6c
SHA1 3322f50d4aebf915abc8a5277cd07a23adf5f127
SHA256 34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5
SHA512 2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7

C:\Windows\system\LCYQVfN.exe

MD5 7f8a17e87204865cb8294f992f62a8b7
SHA1 965d240fdcaff71315ed72fa19a6fb7bcd0cc41b
SHA256 d2f6d40eee8aa5eeee364047b92c58e82120eddca6fa2b326a9430322de1d86a
SHA512 e3007370624881b1cea1ef29a5575f7be06f05e38d2f7953b9be734b7627ef9829b6897833b5db61638ee69bd5e7c8c0e83d30482dc7ed493651dab40519ecb6

C:\Windows\system\IKzYbtG.exe

MD5 68feab46483015e28152696c66456b6d
SHA1 6d26a93457378a77e89a0efd9e831e867aa98d23
SHA256 ab35a255a22ce36e9a21e0c6876cf779983f5b3f326f66228e7c464024bfd9ae
SHA512 131bdea08da06f581d491b9b0d22891b31365a580841627bdd2b50d802f142fa8d90cdfa8dfd2094bf5166931b577183267187d5433b482fe4f004bacfc37388

C:\Windows\system\uCxxAos.exe

MD5 4c89a570703394d57f179e9d3b5b4259
SHA1 df94796a3dc473d9a617fbd524ff794ed2d00a11
SHA256 12580a187336f0462bdbd08521ad01c5d3fa7a21a526bbe475e250d01fae0f90
SHA512 9e12ef4a3effe39ab5098d65ef4cf25b71a461ec1e68c81263db12863061e797dd563f01cd9035a4c75309c54b8396949ee5a7ebca8c39d3d1ca447c9e7a8134

C:\Windows\system\eeQkvkc.exe

MD5 d2038aace393c2b9f8bcbdafb94cbd87
SHA1 fd600884a88cebac326a7e7913d0e0f9f6a83ebe
SHA256 9dcf7c6b26bcba96c9bd3a062979c43efe3a50e5409c7256faae119945ca2440
SHA512 218ee4173d477d590b4d35eeb444cb47f199e5fb4fd2114a46b5d4a9acaae5df749050a64ed46b09bc6e62aa2d527dabbd8dc4c5dcfe68e37ebedfdccd88cf40

C:\Windows\system\QwfcrpB.exe

MD5 4923a775c514f3ae0e09865704a76aa9
SHA1 fac0cec58bd3556095fbf0e402a5c2a46ed6f41c
SHA256 d06e71a7242ab6b20e7ec280322c9d2e8c0dd1445fbd1628a3c5c5cd66930c85
SHA512 b6e03ba2f19f231ad0fc573579b9f74d1b09ecf94301bee5cb10099639f08bf588d6844a53aa68ea446ca35de8bd4299766175b0aa4cc66d53e22afc7fdb9f5e

C:\Windows\system\tSYCHQB.exe

MD5 5c1ace3cb22fd62e009f274f93254bac
SHA1 f4e15bd75d5dfd9ce8919650512849d4e0ed41e7
SHA256 2c70f77d3aeba4be2b64d1342a5ad9d822e4f70743ba03893d2cfeeac9496f23
SHA512 fec1f3bd0a3d1bb0ec1cbbb093c90ddc13afd3701d9693353edf4b5bc3e14c187849db896783e9378e3d8f4031062afb6b0b07cf171178100f19c1fea57c8213

memory/2972-93-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2100-99-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/2928-103-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/2728-107-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2972-112-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2972-114-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2584-113-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2516-111-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/2632-110-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/2972-109-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/2772-108-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2768-106-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2972-105-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2788-104-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2972-102-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/2936-101-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2720-100-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2972-98-0x00000000024B0000-0x0000000002804000-memory.dmp

memory/2612-97-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2972-96-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/1884-95-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2792-94-0x000000013FD50000-0x00000001400A4000-memory.dmp

C:\Windows\system\ugZzhKb.exe

MD5 2fcd1ca99b353281ccdb294a4aa1fd61
SHA1 c557cd70f6a1a1d99755ddaa4525f6d471ac7aa3
SHA256 2a2e633cbfc7a98b13520c5f43884d9826b4d1517852a2ce4f7e4da9e3635a50
SHA512 55b05c37dce0b50fbd70ef67374cc1f6d65d1ee5b2189a2c4ab505d843a0f5d56c3f0f41804d6dd8209330baed10f02a15ea3149dc1b14618bce60849a22adb3

C:\Windows\system\yQJFBVW.exe

MD5 3a46674e5968382f9f4318ac3b0c5c5f
SHA1 bc36760ae81497f271790a3adca6cae18cb4163e
SHA256 200ad4e4b0adca70a8425d706a1b1efd0c812206cb8a53cda104270cf914f877
SHA512 5655642287582fc2a330ab6abdaee31103aeca0e8c7b2de44ba0366a56af25dfd13dd50decdcbe87970c46879291d3fef2cb0f73e1c67a8b3a4bead13dabfc7e

C:\Windows\system\dhdrFkn.exe

MD5 787eb7e69ad35aabdeb5368e6da76f1a
SHA1 cb322befd7f9c168958d53bc2f49dca2cdbe84bc
SHA256 0bf2ae8409c5346b5c7add6eb6f765af178d7d736962e27ffea40ddaccbb2cee
SHA512 afbec0b4ded7fea46eaa8d902bdf97979f8c4ae6f8d4d1b0faa7cc2bf31c53eb5c13ef7bd105b1c1a5f390acb69261c5d317c7908e7b5003836d4ecea1fd5ab3

C:\Windows\system\pelcpiD.exe

MD5 db6851f18e18c9d331f14a4ab2784110
SHA1 343a598202ed2f17e2de3198d7447fa9d2ec39d8
SHA256 ef2f3df8740a17ce7647e34f1fe24e22393b91262174963e835e0a0d0bc0b86d
SHA512 05ec16504a167f3e7f39f35393e5ccf8ed0b2d70289f4ff042de697edc939f30414b06ce7ccd589c8fb3148bb42125e014347b22d4007793a3589025c7cb302b

C:\Windows\system\NAaZSnm.exe

MD5 60e0014f58b4f1b8f563b273d2275660
SHA1 ea56b85c58ad530b20aa8a599d51724437d905e4
SHA256 7a4d89304b2e357e923da059f321e6fc27b507123592d53291ed0e94bdb7faf3
SHA512 f29536663b613bd367688f883738a167008d1d5ad181f351d03b4943b811e69d2f9575e6d9afa73a32f1a238ed7ea0073a0567ed1d7d2f84824b806315a32a7f

C:\Windows\system\jhPqurN.exe

MD5 b1280a310a974f5ae27fbd448d80fbbf
SHA1 6dfd05afd5a95953942dbb825b503209427225bf
SHA256 97a3d604858127b62202356c2348b3b15e5b74a0deebc433005358b59228794d
SHA512 0d9827e0d17fd0a75fe1b9b5890967b518cb03736cfd13326b6e1bfd5cbacd988b2c3db9e2751519a69c5b18ef4e5dc48b40417d082c339aecc546724530ae6f

C:\Windows\system\aRNCLmh.exe

MD5 9866d867ab99dc887d727af1e531b2c0
SHA1 0a6b886ed9c77abd3b2e4fc40cdd90ed1bd31ecc
SHA256 8a3205dd0f60c2683f0da291ea45de167939215f0f96a6f039e7d5b9e828be04
SHA512 417f6d96cc5331bedda96ba0524cbd3074861417e9213be3c66050d39690af78c8f3174ab43962bf193a653b6b507bf9b64fffa19ece2070a81fa36cfa065b6e

C:\Windows\system\WzIlBQJ.exe

MD5 39ae60141b97c03da8c9c1167cd0ec6c
SHA1 60453bac515d089278de350bbafda296d9a53c43
SHA256 1f8be7204df6b0c8e0e79816be05ebb3f3b08a30160d763c6f1abfbba20f1153
SHA512 13716d490eba984f8e212fac2f68004c486c0a3b369cc4ac2d72d80e9942d46ba8443c76918e050a0722db5ff0e7dda30d516aa81d66b3fb089af1adee8a2a0c

C:\Windows\system\yFnvZBn.exe

MD5 486a613836a4be0e0605adf2faecdb5b
SHA1 9f984e08e12c8eb76363d99bb260c8bae38a3942
SHA256 6534b8b59a89db9de36215b6284699238b047c6e4ee0ae9a1a9c542a649eb4f3
SHA512 cfa80b1180e16b74ab0dde3d33c30e502c1a2181a3995dec56ea5b62fee89625aa2e38574a0d3a6a688035bcfa57b1dd85336b590135eb1ec4ffe95bcf65d288

memory/2972-129-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2928-130-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/2788-131-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2772-133-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2516-135-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/2584-136-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2632-134-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/2768-132-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2792-137-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/1884-138-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2100-139-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/2720-140-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2936-141-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2612-142-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2728-143-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2788-144-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2928-146-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/2772-148-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2768-147-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2632-145-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/2584-149-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2516-150-0x000000013F9D0000-0x000000013FD24000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 12:26

Reported

2024-06-08 12:29

Platform

win10v2004-20240426-en

Max time kernel

137s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\sIluhPk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uunMMKR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cbDyTqo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hilcfLP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AJYtNUo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TdmVzgd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PQKyJcx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LYjCmVk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tZRufxB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BhiaftR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VvUTgea.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lHhBZJE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HRzYkGy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JcxkJWT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fcaMnrK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QIiOxEV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SbTUbnM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MoHDDzV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dWtnWSy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GQLqgqP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZwSOBJM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\fcaMnrK.exe
PID 1684 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\fcaMnrK.exe
PID 1684 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\dWtnWSy.exe
PID 1684 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\dWtnWSy.exe
PID 1684 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\BhiaftR.exe
PID 1684 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\BhiaftR.exe
PID 1684 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\TdmVzgd.exe
PID 1684 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\TdmVzgd.exe
PID 1684 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\GQLqgqP.exe
PID 1684 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\GQLqgqP.exe
PID 1684 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\QIiOxEV.exe
PID 1684 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\QIiOxEV.exe
PID 1684 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZwSOBJM.exe
PID 1684 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZwSOBJM.exe
PID 1684 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\PQKyJcx.exe
PID 1684 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\PQKyJcx.exe
PID 1684 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\LYjCmVk.exe
PID 1684 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\LYjCmVk.exe
PID 1684 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\VvUTgea.exe
PID 1684 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\VvUTgea.exe
PID 1684 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\MoHDDzV.exe
PID 1684 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\MoHDDzV.exe
PID 1684 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\lHhBZJE.exe
PID 1684 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\lHhBZJE.exe
PID 1684 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\sIluhPk.exe
PID 1684 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\sIluhPk.exe
PID 1684 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\SbTUbnM.exe
PID 1684 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\SbTUbnM.exe
PID 1684 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\uunMMKR.exe
PID 1684 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\uunMMKR.exe
PID 1684 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\HRzYkGy.exe
PID 1684 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\HRzYkGy.exe
PID 1684 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\cbDyTqo.exe
PID 1684 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\cbDyTqo.exe
PID 1684 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\hilcfLP.exe
PID 1684 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\hilcfLP.exe
PID 1684 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\JcxkJWT.exe
PID 1684 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\JcxkJWT.exe
PID 1684 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\tZRufxB.exe
PID 1684 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\tZRufxB.exe
PID 1684 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\AJYtNUo.exe
PID 1684 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe C:\Windows\System\AJYtNUo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\fcaMnrK.exe

C:\Windows\System\fcaMnrK.exe

C:\Windows\System\dWtnWSy.exe

C:\Windows\System\dWtnWSy.exe

C:\Windows\System\BhiaftR.exe

C:\Windows\System\BhiaftR.exe

C:\Windows\System\TdmVzgd.exe

C:\Windows\System\TdmVzgd.exe

C:\Windows\System\GQLqgqP.exe

C:\Windows\System\GQLqgqP.exe

C:\Windows\System\QIiOxEV.exe

C:\Windows\System\QIiOxEV.exe

C:\Windows\System\ZwSOBJM.exe

C:\Windows\System\ZwSOBJM.exe

C:\Windows\System\PQKyJcx.exe

C:\Windows\System\PQKyJcx.exe

C:\Windows\System\LYjCmVk.exe

C:\Windows\System\LYjCmVk.exe

C:\Windows\System\VvUTgea.exe

C:\Windows\System\VvUTgea.exe

C:\Windows\System\MoHDDzV.exe

C:\Windows\System\MoHDDzV.exe

C:\Windows\System\lHhBZJE.exe

C:\Windows\System\lHhBZJE.exe

C:\Windows\System\sIluhPk.exe

C:\Windows\System\sIluhPk.exe

C:\Windows\System\SbTUbnM.exe

C:\Windows\System\SbTUbnM.exe

C:\Windows\System\uunMMKR.exe

C:\Windows\System\uunMMKR.exe

C:\Windows\System\HRzYkGy.exe

C:\Windows\System\HRzYkGy.exe

C:\Windows\System\cbDyTqo.exe

C:\Windows\System\cbDyTqo.exe

C:\Windows\System\hilcfLP.exe

C:\Windows\System\hilcfLP.exe

C:\Windows\System\JcxkJWT.exe

C:\Windows\System\JcxkJWT.exe

C:\Windows\System\tZRufxB.exe

C:\Windows\System\tZRufxB.exe

C:\Windows\System\AJYtNUo.exe

C:\Windows\System\AJYtNUo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1684-0-0x00007FF7618E0000-0x00007FF761C34000-memory.dmp

memory/1684-1-0x000001E74FA70000-0x000001E74FA80000-memory.dmp

C:\Windows\System\fcaMnrK.exe

MD5 713af1935395ff66a17d307ffdf79144
SHA1 9dfaee6de3c6299bd25a52404b1495fffa29e998
SHA256 77f11a51ec29212a08da6ea5c821527411a040f93dbb87d9465ca5a2366db359
SHA512 0f9277fbda2ccc4fe91d672e55e410dd695bba365921bcd85e94185ab8fff346737cc57382a115e1451f9926133d9427aaf67ea3ed03e2c8bf0bdea5c997db69

memory/2724-8-0x00007FF624D40000-0x00007FF625094000-memory.dmp

C:\Windows\System\dWtnWSy.exe

MD5 3efe7d2e4d7fb8fc3ba1967359d1126a
SHA1 942bba9800064288c43c09dbc9fe21b98721edf0
SHA256 eba527c3a174d0ed84146acb735e1247e7bc06f7dbd79fd5ffaa7fed1f5afc0c
SHA512 bd045589f3d2b67a1979a3b1c9c90ff5f96873b5944d94dfb35a851ab6384e241825497cad18b3f6f2ab80ba1ff4286a589b5fb43805fa503e13becd54a1bda2

memory/3008-13-0x00007FF6FF290000-0x00007FF6FF5E4000-memory.dmp

C:\Windows\System\BhiaftR.exe

MD5 ff4db18711c9bf38c6f3a696b28ab7c8
SHA1 2df49d537eb8d37264a13df058fc60ebe713e2b3
SHA256 e310975158a7ab1d3c89613974c03252200f1c423a03dde13a0f71c105d2e748
SHA512 270e9e7f07d8b299b1e22b592b45acf631bcfa41a7f898a2b5d86e5becb3e0cb5ccfc934d7a54a8d557235d45272769bd213e72b734951ac7df90342144ca88e

C:\Windows\System\TdmVzgd.exe

MD5 9d93820652c17073526f19a05de18a55
SHA1 78f1fb6bad468caec96811720bef8fa6c084623a
SHA256 dc05cb31229069870ace0c9e41a510d7da0360219ebd42afd6993ebb668d5f31
SHA512 1ec3b949420bcea117efcc5bb71bc823af5d102668f04ce419bf82112c168cb5d2f5e0a27e720a81388fb0d5eeafdd8a1024fba84d614b659dac081acf6c430d

C:\Windows\System\GQLqgqP.exe

MD5 074d154230c8d557020972b9ac682cf9
SHA1 846aee67244d8f4deab043d5a0ccb18883a414fd
SHA256 f51209c19bf84b08a447f3545df2396d9ffcee8d741c9fe6457b05bb22cee3e9
SHA512 33f7cb51f186642575f16252a539f7441259f123cdcc5b893de5ff687728754d7c05e613f4ac892cbec0d71e2816b07ad11005419617ab034388854d4ef095c1

memory/2116-32-0x00007FF64FC30000-0x00007FF64FF84000-memory.dmp

memory/740-26-0x00007FF6A2F60000-0x00007FF6A32B4000-memory.dmp

C:\Windows\System\QIiOxEV.exe

MD5 fee59e00940f6dba2b75f346e6940dd1
SHA1 22c5075b8efae119f0ce6baf092c078cba746c0a
SHA256 d80f37732f21abc4d2b2a8deb29598e23f58f23cd3e1b66ceb2966076e3ac7c4
SHA512 e9642b6cd2117143c164b50627699989960a70965289398db384ca6abf6b4045379f2e27febd126d5f44156bbfca655b18d52afc91530eddaea781e877f8822b

memory/2528-38-0x00007FF752DA0000-0x00007FF7530F4000-memory.dmp

memory/3960-20-0x00007FF768F10000-0x00007FF769264000-memory.dmp

C:\Windows\System\ZwSOBJM.exe

MD5 e72f4b640595a82aedc9747a91995907
SHA1 4111e1ab7068699e7ab7e94519245e150390f11a
SHA256 086b948e5c6c9f3f9eb4486515bc776f464c76866c017f7c3dd7d3a5ba7762e6
SHA512 8f31e42d2efc7a72f976d5a1a71dfb29a8a10e2b6333c1ac2f276a3dce35452aac3f96a42ee33616fccc98d8f63d724d7f6292dfdd240cdfac38a1cef290c8e0

memory/2800-44-0x00007FF70DDC0000-0x00007FF70E114000-memory.dmp

C:\Windows\System\PQKyJcx.exe

MD5 7b5900c3397bcfa82fe40355a5e41b7f
SHA1 016c041081df8242b8da7311f9a1bc7066278f3f
SHA256 2f31dab544f8e8b75e518846da3802ce34a55a98465d4847e99322416b6934a5
SHA512 16482785b368dbe6ca945b2ce76f78c999e9f394ab9e4af1c936c9b758aab7548df48c964926a8c78d02d587348e816ee25c37f796d508f989a47d2cb8a4102f

C:\Windows\System\LYjCmVk.exe

MD5 9114416b15e563a7f8810d9f91770df8
SHA1 4dca297b403e4f18c35a7a6950780f8e59da973f
SHA256 666ecb4b3be75ec8537afaf1cdb74405f7da892bb9cc90483641eee5a0fcc1ac
SHA512 918c03be08b98e8053f61cdcbac94ac81f894a15f6d2e374e3be3cccf8d5082a508fe9bc0b515b7309babce3f5a97868e74d37c3f27d93cddf155bbde8b5e660

C:\Windows\System\VvUTgea.exe

MD5 f91e42b1269611774dbb6ded078bb02f
SHA1 86a7592e67a478372b3c28ed5d0d5fe6cbb79562
SHA256 c22f05139f33a3c7b86314f21e8b75c04ccec7a81b283a4a8a9c100c8a71d3b5
SHA512 17b25b81efb319a840c341662766bb73d4e4aa15504e01c17ba7a035c520066a402d3144da23d1bcc9576341f55a79d74fb28f496183db0b59aeb03f488bceaa

memory/2820-55-0x00007FF7BA880000-0x00007FF7BABD4000-memory.dmp

memory/1556-62-0x00007FF65C820000-0x00007FF65CB74000-memory.dmp

memory/1684-61-0x00007FF7618E0000-0x00007FF761C34000-memory.dmp

C:\Windows\System\MoHDDzV.exe

MD5 8f7ad8d50a1c8e76dbb9a8e6467cbd6e
SHA1 9fe1cf6ba137d13a2a97f15dfa8eb909f630fbb3
SHA256 5761408a045a9c8770c8f0f05d01b890fb5e5264611d61cc51f8312ac4494836
SHA512 e4f910e6f84b915d35226075ca0ce9d6e63ce57e5b80430775a8f25ae5ad96cf99e0fe2ef804e80294a0a61348b02ed51fc0e5ee965cbb13bc398a81dafb9f60

memory/2424-50-0x00007FF769570000-0x00007FF7698C4000-memory.dmp

memory/2724-69-0x00007FF624D40000-0x00007FF625094000-memory.dmp

C:\Windows\System\SbTUbnM.exe

MD5 8aab2f7a0e5f9de2b2a20a52ad5d341f
SHA1 021d3af044a86221f11fc1a0fe67b8f5d98122ca
SHA256 8f6c01bfe50106968a8daa8f29db314fcefbee3ff7ad59c6fc728d8d1ed56b85
SHA512 b815c29372ab136c644fad49af7e786366b7f321d0c27230801e9146e307b69c83e902664d9485c51979b24658d2f461073ab7430fbe6b18d2f5db92ba56feda

C:\Windows\System\SbTUbnM.exe

MD5 38e1b7b0b9aa649f5c14f03127a6d132
SHA1 3917ca36707cd2c4dba6b6926d34a14a7bb117b1
SHA256 ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72
SHA512 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0

C:\Windows\System\uunMMKR.exe

MD5 bd5ca8baf000c9081593cb685aa32eb5
SHA1 4a49b809751f88a416a225e524872060e708619f
SHA256 8089d89a42bfd175fcb6a98b173c4eebaa4803d0968c8f2c6314cc40b970cf34
SHA512 204206f27efe94074df4370bbe87cd2d942231d6908fde8bdc51120741ca1cfed291104ec7711abc791695527190617f7783ce4ecf1a9121510f5c638fe17d72

memory/3328-91-0x00007FF720CF0000-0x00007FF721044000-memory.dmp

memory/2780-86-0x00007FF71B540000-0x00007FF71B894000-memory.dmp

C:\Windows\System\sIluhPk.exe

MD5 edcb13e228b691faefa72220e914225a
SHA1 50ea50eaef4e0c2903f305328877dd1280aaeff0
SHA256 6f3140063813be4cf54362184fdb63d7bb4e1290104a8952a7538442e58884e6
SHA512 d447b7a2ae2bb1b444ec74852daba2130a4d64b2ece9a3c90b30e040eaa72ae73ffa868387181b8ff5770d27b8208ea5c33ed4e9c370f9245044d9d2534a7c4d

memory/2980-78-0x00007FF640240000-0x00007FF640594000-memory.dmp

C:\Windows\System\HRzYkGy.exe

MD5 f6cdfb3d88537b367792cbd894bd98ed
SHA1 3d3f99c94c72c456dffcf949bc5d30603a7e936c
SHA256 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86
SHA512 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

memory/2116-112-0x00007FF64FC30000-0x00007FF64FF84000-memory.dmp

C:\Windows\System\JcxkJWT.exe

MD5 4340d610b2784a6376382f7021f797b6
SHA1 bd81e4c48c18bb403cf684bd2dffd81baf480f36
SHA256 cbbc31b4990274001568328fa61f8beac03eff8d1f2580d84c243b6ff82d7929
SHA512 c5c801294facd833d9ceb9e57eecc216027644c3309a3e6a05dbeb45118639714c0546e1d91a95157e6a839267febf2320dff2d5f4fc318374b6e70f8b3c48ff

C:\Windows\System\tZRufxB.exe

MD5 dc35b9fe00fc82181bcfedd4ffcf6f18
SHA1 ff0914018859329ff355485e0b2ebace3d6e5f31
SHA256 2783321511320a92abed62e0b60f3bd4722f3a0d38c277b885cebcf7476fa921
SHA512 d12f5963befe639f3ccd75bbad573b3a75b28874465ede1f7128dcc1c93e9c4a22dc8c15e241c38576046e4908baad30a63decd41c2c668d9e182730923fefc5

C:\Windows\System\AJYtNUo.exe

MD5 984a8cf637fc9f46a5be1646493a183b
SHA1 eff3045fcb5d0b4a9321004fdd3e94f3f336f5af
SHA256 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068
SHA512 f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

C:\Windows\System\AJYtNUo.exe

MD5 f1b352a2a74553ff8f8404d494fb1771
SHA1 c278f2d0e535eb94cf060c93a37a1b69cfceaeda
SHA256 484bdbb063ce0faf9a0fff7d2c6a999215b738e675f5e52db6376b542dd2b09a
SHA512 d029031ccbc2b4ea0e73896e6c149fc3367d227add796665862716a85049a089a78a2c21a585ddc25506562f1822f6084c81a63ea9f4b67a1be09e850c1cb93b

C:\Windows\System\hilcfLP.exe

MD5 959db281250f57b66e4ba7b423029ff8
SHA1 3c8468e1ec6bd303f49961cd8f2ddfec98b16c30
SHA256 fcef73bbff8391a88acd38e735bf6bda0b0dd33918162807c5feacf1548da7e2
SHA512 ecafd6daeda1321ad3895dc9ae6a2f97d9e6e9d05eeaaea3668fb2ec579b351be0c72de5fab68446403f122bbb88c7994a0b782c329fcbfeca24e455dc67ad51

C:\Windows\System\cbDyTqo.exe

MD5 22645b8821d57b046e2b094cc85361ce
SHA1 2b37223dca5b33bebcc10d6317701f92c0c5ed95
SHA256 ed52cb7ca79d40291a173a7c605355b9991e34e3c33dd99c102151cfeea79c44
SHA512 4e3f69e26fbc98a33cf0115124d1709b979ad37bb4ed0a707dbbd7485228c668cefeccc59a2db7dda78110a137fcd80e47327237db1e906fff2bef0d47de61a1

memory/1824-106-0x00007FF731110000-0x00007FF731464000-memory.dmp

memory/2016-105-0x00007FF604A00000-0x00007FF604D54000-memory.dmp

C:\Windows\System\HRzYkGy.exe

MD5 5a97df0c15e4a2ad914fbfabab30e908
SHA1 46d5bd73d9e69859d175664ce773e3473f8d4685
SHA256 60e086c79bb2935937ce6e36957b2f80af114328476002d440d0c5cabcd2a8cf
SHA512 7f9571c9f6c8fd9759f537be9513c9472763dd047445a40330ef93dd0501ba552ba693f51252fa41931890185bb4f37fce821fad1c83b58e240998b31dcfca82

C:\Windows\System\lHhBZJE.exe

MD5 0c184f45f5ba9725f50686b4048f9300
SHA1 10827ac90f12eaceecc301bc51298a9e640ece92
SHA256 0e6cb78add8b8752cf9b256a5c9b0c423a0839997bdfff8ce66d9b869f1299e6
SHA512 4048f53c0d11b582fa26f971fb6d7c738d5961d0f6d2c0ca5829d8215a14f11ab484fbe6f3f1ce313a9a825ec8d3db65debdec86b4e35baf193db1e0f7861ed2

memory/3008-75-0x00007FF6FF290000-0x00007FF6FF5E4000-memory.dmp

memory/2720-70-0x00007FF6511B0000-0x00007FF651504000-memory.dmp

memory/2860-127-0x00007FF704620000-0x00007FF704974000-memory.dmp

memory/3064-128-0x00007FF7899E0000-0x00007FF789D34000-memory.dmp

memory/4428-131-0x00007FF747850000-0x00007FF747BA4000-memory.dmp

memory/3084-130-0x00007FF6FB450000-0x00007FF6FB7A4000-memory.dmp

memory/3424-129-0x00007FF6645E0000-0x00007FF664934000-memory.dmp

memory/2820-132-0x00007FF7BA880000-0x00007FF7BABD4000-memory.dmp

memory/2980-133-0x00007FF640240000-0x00007FF640594000-memory.dmp

memory/2016-135-0x00007FF604A00000-0x00007FF604D54000-memory.dmp

memory/3328-134-0x00007FF720CF0000-0x00007FF721044000-memory.dmp

memory/2860-136-0x00007FF704620000-0x00007FF704974000-memory.dmp

memory/2724-137-0x00007FF624D40000-0x00007FF625094000-memory.dmp

memory/3008-138-0x00007FF6FF290000-0x00007FF6FF5E4000-memory.dmp

memory/3960-139-0x00007FF768F10000-0x00007FF769264000-memory.dmp

memory/740-140-0x00007FF6A2F60000-0x00007FF6A32B4000-memory.dmp

memory/2528-142-0x00007FF752DA0000-0x00007FF7530F4000-memory.dmp

memory/2116-141-0x00007FF64FC30000-0x00007FF64FF84000-memory.dmp

memory/2800-143-0x00007FF70DDC0000-0x00007FF70E114000-memory.dmp

memory/2424-144-0x00007FF769570000-0x00007FF7698C4000-memory.dmp

memory/1556-146-0x00007FF65C820000-0x00007FF65CB74000-memory.dmp

memory/2820-145-0x00007FF7BA880000-0x00007FF7BABD4000-memory.dmp

memory/2720-147-0x00007FF6511B0000-0x00007FF651504000-memory.dmp

memory/2780-149-0x00007FF71B540000-0x00007FF71B894000-memory.dmp

memory/2980-148-0x00007FF640240000-0x00007FF640594000-memory.dmp

memory/3328-150-0x00007FF720CF0000-0x00007FF721044000-memory.dmp

memory/1824-151-0x00007FF731110000-0x00007FF731464000-memory.dmp

memory/2016-152-0x00007FF604A00000-0x00007FF604D54000-memory.dmp

memory/3064-154-0x00007FF7899E0000-0x00007FF789D34000-memory.dmp

memory/4428-156-0x00007FF747850000-0x00007FF747BA4000-memory.dmp

memory/3424-155-0x00007FF6645E0000-0x00007FF664934000-memory.dmp

memory/3084-157-0x00007FF6FB450000-0x00007FF6FB7A4000-memory.dmp

memory/2860-153-0x00007FF704620000-0x00007FF704974000-memory.dmp