Malware Analysis Report

2024-10-16 03:09

Sample ID 240608-verqcaed44
Target 2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike
SHA256 4b358f051e3017a53a4c6f72dc065a1ecf6e86dcdd367e30625a575179c1174a
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4b358f051e3017a53a4c6f72dc065a1ecf6e86dcdd367e30625a575179c1174a

Threat Level: Known bad

The file 2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Xmrig family

Cobaltstrike

XMRig Miner payload

xmrig

Detects Reflective DLL injection artifacts

Cobaltstrike family

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 16:55

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 16:54

Reported

2024-06-08 17:04

Platform

win7-20240221-en

Max time kernel

136s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JYFbVVu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YZLxLwc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SqnoudW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LpXLQVv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lOrTlGK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RkJVgob.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\heUpzGF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hGCPkkM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ByUgkol.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WvPtODh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FCeAmjI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jQBREVA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\duYCpur.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MdxjttG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PQfZGcy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WkdWMjO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CPvxWCZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NcHSNEx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SJLKuIe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hpUfSnK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EvtgZpS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\WkdWMjO.exe
PID 2872 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ByUgkol.exe
PID 2872 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\EvtgZpS.exe
PID 2872 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\WvPtODh.exe
PID 2872 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FCeAmjI.exe
PID 2872 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\CPvxWCZ.exe
PID 2872 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\jQBREVA.exe
PID 2872 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\RkJVgob.exe
PID 2872 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\duYCpur.exe
PID 2872 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\JYFbVVu.exe
PID 2872 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\NcHSNEx.exe
PID 2872 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\MdxjttG.exe
PID 2872 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\YZLxLwc.exe
PID 2872 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\SJLKuIe.exe
PID 2872 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\hGCPkkM.exe
PID 2872 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\hpUfSnK.exe
PID 2872 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\SqnoudW.exe
PID 2872 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\PQfZGcy.exe
PID 2872 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\LpXLQVv.exe
PID 2872 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\lOrTlGK.exe
PID 2872 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\heUpzGF.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\WkdWMjO.exe C:\Windows\System\WkdWMjO.exe
C:\Windows\System\ByUgkol.exe C:\Windows\System\ByUgkol.exe
C:\Windows\System\EvtgZpS.exe C:\Windows\System\EvtgZpS.exe
C:\Windows\System\WvPtODh.exe C:\Windows\System\WvPtODh.exe
C:\Windows\System\FCeAmjI.exe C:\Windows\System\FCeAmjI.exe
C:\Windows\System\CPvxWCZ.exe C:\Windows\System\CPvxWCZ.exe
C:\Windows\System\jQBREVA.exe C:\Windows\System\jQBREVA.exe
C:\Windows\System\RkJVgob.exe C:\Windows\System\RkJVgob.exe
C:\Windows\System\duYCpur.exe C:\Windows\System\duYCpur.exe
C:\Windows\System\JYFbVVu.exe C:\Windows\System\JYFbVVu.exe
C:\Windows\System\NcHSNEx.exe C:\Windows\System\NcHSNEx.exe
C:\Windows\System\MdxjttG.exe C:\Windows\System\MdxjttG.exe
C:\Windows\System\YZLxLwc.exe C:\Windows\System\YZLxLwc.exe
C:\Windows\System\SJLKuIe.exe C:\Windows\System\SJLKuIe.exe
C:\Windows\System\hGCPkkM.exe C:\Windows\System\hGCPkkM.exe
C:\Windows\System\hpUfSnK.exe C:\Windows\System\hpUfSnK.exe
C:\Windows\System\SqnoudW.exe C:\Windows\System\SqnoudW.exe
C:\Windows\System\PQfZGcy.exe C:\Windows\System\PQfZGcy.exe
C:\Windows\System\LpXLQVv.exe C:\Windows\System\LpXLQVv.exe
C:\Windows\System\lOrTlGK.exe C:\Windows\System\lOrTlGK.exe
C:\Windows\System\heUpzGF.exe C:\Windows\System\heUpzGF.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

SHA1 b77c2be76b0bcd5c1640c82143bf4ae8abf6ed35
SHA256 8e4d419e754f89fae1d30741df9483d06709f6d20541cbce976b97c6b74f264f
SHA512 bb8f27156094a7b200e5c1844466de9827240ad5c62598ca983899918fcfddc76480438ab7ff457f4059655d26f5dee65f9d3ba57dc850a7e0c1c267d7e2bdae

C:\Windows\system\LpXLQVv.exe

MD5 8277fedbd3255e17ffda30a6804ad507
SHA1 c32c09de51b706fec128d9564a25a53385cea3fd
SHA256 d43f6e9d0972eb990827edb5a308943ead0705d18dde6862ac212f02acb082bc
SHA512 a30d613628f706b740c6aabb343211e2503cbb8767b966ec9ed17f9d484b9271d2ffdfdc7d123cde9df707e49f67b1b427d4473764aa073d1c3b78c01ea789ed

C:\Windows\system\PQfZGcy.exe

MD5 90be846177ebce09b1bfa8b40630684a
SHA1 43a2c66ff47d9e295f18f8c18fe76b69e8850154
SHA256 2237948f07e37d90442b50a92836356588f3ae1e31ae0d8dac227315cf2c7f65
SHA512 f4ff566c9eaa4a50bcad3cfa87bbb92d072dc2249f94ae304b8cb104e61cee98dba9f3ef0ceebfe48bef05c9c2df36d9188d043c7aa83ca58742993e634b68a6

\Windows\system\SqnoudW.exe

MD5 d872631fef320bcfe95799f5b4c466cb
SHA1 451a1400f207f69d35ba907e243aed76879dcd2c
SHA256 2c35d06862247b330fc3f8d9e6af582fea555fda1909ac568685a45fc440b438
SHA512 2386867492e72b11ef633226d6bd8e4694f30ef287e4120da56c256823abf746800962069c455536682137d30dfdae1f3be9dfc70d5390788973809462de138d

memory/2548-108-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2872-105-0x0000000002410000-0x0000000002764000-memory.dmp

memory/2640-104-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2432-103-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2484-102-0x000000013FB70000-0x000000013FEC4000-memory.dmp

memory/2872-88-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

\Windows\system\SJLKuIe.exe

MD5 170dd624fc04fc3839f9c4b66a089ce7
SHA1 689050489367e9d7989856de58d7dae4b3e867bb
SHA256 2882c9c886d8464419d873a9064b43411cb65ebce3e3928914a03cf014d51b3b
SHA512 6c2577b1133dc0e707ddd0582933138a814bc91876e45b902c1ce646d61afa9efa2788e7db3f897838eebb25c1faa4d564ec0bef69844aab72cc22ec6531ab9a

memory/2592-74-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/2700-84-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2872-82-0x000000013FA40000-0x000000013FD94000-memory.dmp

C:\Windows\system\MdxjttG.exe

MD5 0b1dc771469fa6753e7aace834956918
SHA1 ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7
SHA256 60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6
SHA512 6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60

memory/2872-63-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2872-140-0x0000000002410000-0x0000000002764000-memory.dmp

memory/2872-141-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2872-142-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2700-143-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2872-144-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2872-145-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2548-146-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/1760-147-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/2592-149-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/2656-150-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2964-148-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2640-151-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2736-152-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2216-153-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2460-154-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2020-156-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2512-155-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2700-157-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2432-159-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2484-158-0x000000013FB70000-0x000000013FEC4000-memory.dmp

memory/2548-160-0x000000013F1E0000-0x000000013F534000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 16:54

Reported

2024-06-08 17:04

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\tPmpOGN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EwTEZJE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AGSBbkt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UTGzhzg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JYkbMrF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WHCJXmn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\trZvslp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dfXLqxO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JrjraSf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fLzyHep.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BlXWlPj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VKffFxA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bBBQgVP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jYiUPop.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ALxRsKz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BXbQpTN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ErWoTeC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\btQwaEb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eYTTxhd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZrawzLM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YhApZTw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 656 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\tPmpOGN.exe
PID 656 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\tPmpOGN.exe
PID 656 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZrawzLM.exe
PID 656 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZrawzLM.exe
PID 656 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\YhApZTw.exe
PID 656 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\YhApZTw.exe
PID 656 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VKffFxA.exe
PID 656 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VKffFxA.exe
PID 656 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\WHCJXmn.exe
PID 656 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\WHCJXmn.exe
PID 656 wrote to memory of 5604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\bBBQgVP.exe
PID 656 wrote to memory of 5604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\bBBQgVP.exe
PID 656 wrote to memory of 5556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\trZvslp.exe
PID 656 wrote to memory of 5556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\trZvslp.exe
PID 656 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\AGSBbkt.exe
PID 656 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\AGSBbkt.exe
PID 656 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\jYiUPop.exe
PID 656 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\jYiUPop.exe
PID 656 wrote to memory of 5396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\UTGzhzg.exe
PID 656 wrote to memory of 5396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\UTGzhzg.exe
PID 656 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\dfXLqxO.exe
PID 656 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\dfXLqxO.exe
PID 656 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwTEZJE.exe
PID 656 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwTEZJE.exe
PID 656 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\JYkbMrF.exe
PID 656 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\JYkbMrF.exe
PID 656 wrote to memory of 5944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ALxRsKz.exe
PID 656 wrote to memory of 5944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ALxRsKz.exe
PID 656 wrote to memory of 5976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\JrjraSf.exe
PID 656 wrote to memory of 5976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\JrjraSf.exe
PID 656 wrote to memory of 5828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BXbQpTN.exe
PID 656 wrote to memory of 5828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BXbQpTN.exe
PID 656 wrote to memory of 5508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\fLzyHep.exe
PID 656 wrote to memory of 5508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\fLzyHep.exe
PID 656 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ErWoTeC.exe
PID 656 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ErWoTeC.exe
PID 656 wrote to memory of 5524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\btQwaEb.exe
PID 656 wrote to memory of 5524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\btQwaEb.exe
PID 656 wrote to memory of 5564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\eYTTxhd.exe
PID 656 wrote to memory of 5564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\eYTTxhd.exe
PID 656 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BlXWlPj.exe
PID 656 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BlXWlPj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\tPmpOGN.exe

C:\Windows\System\tPmpOGN.exe

C:\Windows\System\ZrawzLM.exe

C:\Windows\System\ZrawzLM.exe

C:\Windows\System\YhApZTw.exe

C:\Windows\System\YhApZTw.exe

C:\Windows\System\VKffFxA.exe

C:\Windows\System\VKffFxA.exe

C:\Windows\System\WHCJXmn.exe

C:\Windows\System\WHCJXmn.exe

C:\Windows\System\bBBQgVP.exe

C:\Windows\System\bBBQgVP.exe

C:\Windows\System\trZvslp.exe

C:\Windows\System\trZvslp.exe

C:\Windows\System\AGSBbkt.exe

C:\Windows\System\AGSBbkt.exe

C:\Windows\System\jYiUPop.exe

C:\Windows\System\jYiUPop.exe

C:\Windows\System\UTGzhzg.exe

C:\Windows\System\UTGzhzg.exe

C:\Windows\System\dfXLqxO.exe

C:\Windows\System\dfXLqxO.exe

C:\Windows\System\EwTEZJE.exe

C:\Windows\System\EwTEZJE.exe

C:\Windows\System\JYkbMrF.exe

C:\Windows\System\JYkbMrF.exe

C:\Windows\System\ALxRsKz.exe

C:\Windows\System\ALxRsKz.exe

C:\Windows\System\JrjraSf.exe

C:\Windows\System\JrjraSf.exe

C:\Windows\System\BXbQpTN.exe

C:\Windows\System\BXbQpTN.exe

C:\Windows\System\fLzyHep.exe

C:\Windows\System\fLzyHep.exe

C:\Windows\System\ErWoTeC.exe

C:\Windows\System\ErWoTeC.exe

C:\Windows\System\btQwaEb.exe

C:\Windows\System\btQwaEb.exe

C:\Windows\System\eYTTxhd.exe

C:\Windows\System\eYTTxhd.exe

C:\Windows\System\BlXWlPj.exe

C:\Windows\System\BlXWlPj.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3908 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files

memory/656-0-0x00007FF77A1B0000-0x00007FF77A504000-memory.dmp

memory/656-1-0x0000021DD1660000-0x0000021DD1670000-memory.dmp

C:\Windows\System\tPmpOGN.exe

MD5 b3b1fe37c6b55c4273902588f2685ff8
SHA1 71ad244e9e2c19b72d1c45f2aeadf3518dc0ef84
SHA256 267656baa6a684319f36bdfcd1584f253c9b2e5ee5e0f7709536344dfa499c43
SHA512 f8d77ba42ca53496e1c29dc121fe83301324eee6dc7598e3ded0a87fafda9bb9aebe55bc7c58aa96a9121d983c8918fa7732c627deaf5206ffd54e1d1aa6c2c1

memory/2484-6-0x00007FF647820000-0x00007FF647B74000-memory.dmp

C:\Windows\System\ZrawzLM.exe

MD5 7334a878e18a5fe90359835a65a36a6b
SHA1 b730baad0144bac05e690ac9ebad98ea72ca8c09
SHA256 de5499c715ef081146dcecf24a717ce3840ca1317b6f29b20d795fc8c7d33d35
SHA512 1f5d0ce0ccebada7c069e7ca1428b0177623c7014da9b8b4bc804414e9736b197eec63fe79179582fc31610390ea989e9f8f2003d0ca7069d27be63f79ecc077

memory/3760-14-0x00007FF7C1DA0000-0x00007FF7C20F4000-memory.dmp

C:\Windows\System\YhApZTw.exe

MD5 a9ed10c4d9adcd66d669237c746b4d92
SHA1 40409d47bfa47895c75eb5d6f56ef159b9d3880b
SHA256 487e1d6438c3927a85931b43ff9710281dd3d0c9ee5b3171b83644ce34c5d63d
SHA512 72af9bd4b84121912a8ba98548d32ecca019268fcb783148d66b70db1de66fb13e78d6d92e0cf5b64e1ab21a638be1ea96b6184c94b92b07f8e581ec13fc990f

C:\Windows\System\YhApZTw.exe

MD5 f6cdfb3d88537b367792cbd894bd98ed
SHA1 3d3f99c94c72c456dffcf949bc5d30603a7e936c
SHA256 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86
SHA512 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

memory/4972-20-0x00007FF6E8790000-0x00007FF6E8AE4000-memory.dmp

C:\Windows\System\VKffFxA.exe

MD5 984a8cf637fc9f46a5be1646493a183b
SHA1 eff3045fcb5d0b4a9321004fdd3e94f3f336f5af
SHA256 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068
SHA512 f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

C:\Windows\System\VKffFxA.exe

MD5 e7dc03299a54a0e73ae4cb12a36c8ac3
SHA1 4df1ee54bbb439e8e6b5659650ccd94b95f037a4
SHA256 0166ed63424269f5c75d340dfaf1b6736fb181a01ea2b4334789fe366755a13f
SHA512 38472391455372d3e7af7e24edefdfefd65bf6cb41fcbbc6b6d02aaa6a92abea7fc6e4330380150d49ff4fa070f6abec5f62b2d7f25a990313f3ef4741ba5efc

memory/3536-26-0x00007FF75F800000-0x00007FF75FB54000-memory.dmp

C:\Windows\System\WHCJXmn.exe

MD5 7dbc387b266e3dcee3cfe42d437ffad8
SHA1 0022a88ded2abecb5730fa4431c4a75f4946de27
SHA256 3013feeae5414f9551c9afc865f0b791e76c8e298d06fe2a4090a52bae1466c9
SHA512 ccf079590870a1f9c79b8531812aae51fd795d54ff9a31c0a8fb738b44c02b3441519b485ea198891e5852e48dbc73b2bfe05885d35dbe6e78e96eb7f4e9dce6

memory/2556-30-0x00007FF69A0F0000-0x00007FF69A444000-memory.dmp

C:\Windows\System\WHCJXmn.exe

MD5 1d3a027708a48a3c73a911f7d1532fca
SHA1 f960fd40bf0cf951600c386a6a9501a01e54ab51
SHA256 f4e703d98029a56b7200ca63aefb85a455d5792cd9407b54a0dc1c4762419eda
SHA512 4c0f2e25c98d407f27d4b0d85d2fe06ea754e657bc939feb907f00109c3d9db11707e7ca2d3e02171201afd527ee2b1673e434c274c030dde555dbb27b53e539

C:\Windows\System\bBBQgVP.exe

MD5 8003c8ca1c6255c4a9df50b61d369786
SHA1 ef521c59d5519424152618453d9a1ec413a267cf
SHA256 caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8
SHA512 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795

C:\Windows\System\bBBQgVP.exe

MD5 03686cfd6bbb43c8ac4dc50889b137b9
SHA1 6800d5588f6a43ca169ee2c40a9fceeb5a54e5ee
SHA256 ca47b446aecd91112038d34e552b47a5f46c4644080b07ddbdc37007b9159471
SHA512 529d5e858f06c4743cb789c3a961b0d51ebcf4e4349ad70aece2c30ac43062a7b4932080525c55fc8af3690ae2760c5e4efdce79b5b27264e9b359474abc77a2

memory/5604-38-0x00007FF6FBA10000-0x00007FF6FBD64000-memory.dmp

C:\Windows\System\trZvslp.exe

MD5 38e1b7b0b9aa649f5c14f03127a6d132
SHA1 3917ca36707cd2c4dba6b6926d34a14a7bb117b1
SHA256 ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72
SHA512 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0

memory/5556-44-0x00007FF766440000-0x00007FF766794000-memory.dmp

C:\Windows\System\trZvslp.exe

MD5 170dd624fc04fc3839f9c4b66a089ce7
SHA1 689050489367e9d7989856de58d7dae4b3e867bb
SHA256 2882c9c886d8464419d873a9064b43411cb65ebce3e3928914a03cf014d51b3b
SHA512 6c2577b1133dc0e707ddd0582933138a814bc91876e45b902c1ce646d61afa9efa2788e7db3f897838eebb25c1faa4d564ec0bef69844aab72cc22ec6531ab9a

memory/1964-50-0x00007FF7C8310000-0x00007FF7C8664000-memory.dmp

memory/5328-56-0x00007FF630320000-0x00007FF630674000-memory.dmp

C:\Windows\System\jYiUPop.exe

MD5 0b1dc771469fa6753e7aace834956918
SHA1 ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7
SHA256 60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6
SHA512 6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60

memory/656-61-0x00007FF77A1B0000-0x00007FF77A504000-memory.dmp

memory/5396-63-0x00007FF6D6FE0000-0x00007FF6D7334000-memory.dmp

memory/2484-67-0x00007FF647820000-0x00007FF647B74000-memory.dmp

memory/4476-69-0x00007FF6A2AF0000-0x00007FF6A2E44000-memory.dmp

C:\Windows\System\EwTEZJE.exe

MD5 0628374c349921c969043e8b725a574d
SHA1 d4d4b61d7abb11c25e423140f9a833a035819e3d
SHA256 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0
SHA512 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1

memory/3760-76-0x00007FF7C1DA0000-0x00007FF7C20F4000-memory.dmp

C:\Windows\System\EwTEZJE.exe

MD5 6fb6863d9548f3879b1ba1b64fc45a68
SHA1 0dc40616de903c417cc9a8b581f9078af09ea60a
SHA256 b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82
SHA512 cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61

memory/4360-79-0x00007FF7AF450000-0x00007FF7AF7A4000-memory.dmp

C:\Windows\System\JYkbMrF.exe

MD5 64608890dcd212091a87599b2f0612b4
SHA1 642cba6fdd06687bf7b84652d1d79a4e1e6a2442
SHA256 b0713465db08a043a2fc63565826669db6692aab975c0e29a5185ae16112322b
SHA512 9bdeddb8d2b5d212ce44eb56a90491fbba59fad54bddc0d8b4b8bf820f02cd20cd341a5b8d7dee63bec0cc37a66e5649ab2d3fa0a94759da8902674545d3a347

memory/4972-83-0x00007FF6E8790000-0x00007FF6E8AE4000-memory.dmp

C:\Windows\System\JYkbMrF.exe

MD5 ce95ecfd82cad989d07f01bb5a4e0e62
SHA1 9c404e62c6a147d88e2c4214a4a0c1206972e9c1
SHA256 593e7bd118d819d8e39ef2651ab132601260307c705634ada0a2db317b292576
SHA512 c2ff795a22229b7c15805b1e961a5dfe271dec3d9731c58be06511c88be95cff0caaac2a29a6db9c14604bb11c8d799f874a0f83a490e055a4995d26515db084

memory/4544-86-0x00007FF6C61F0000-0x00007FF6C6544000-memory.dmp

memory/3536-89-0x00007FF75F800000-0x00007FF75FB54000-memory.dmp

C:\Windows\System\ALxRsKz.exe

MD5 e8c4508a392ccf08590d3627a36cc3c3
SHA1 3a57dd6c92ebc54582acaafd15cc9311eb0d15a2
SHA256 cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d
SHA512 f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410

memory/5944-91-0x00007FF7AE790000-0x00007FF7AEAE4000-memory.dmp

C:\Windows\System\JrjraSf.exe

MD5 ca2c8fc23ac2c4dd58545d16927e5bef
SHA1 b94b35150eb75787af3ce6aea401e04f2ec70fc4
SHA256 51b2f421412d1c153d42b830056e97b87fc530680dc92b4e38ffc670147a2fef
SHA512 1d2438ad0849ebaa3adb73c2fd279bcc7d191070217788022edef321689dfafee2b67a7644710d778788f25a062e16a16f37020f5aabaf59a89fd5b4e304a9ce

memory/2556-97-0x00007FF69A0F0000-0x00007FF69A444000-memory.dmp

memory/5976-98-0x00007FF770C90000-0x00007FF770FE4000-memory.dmp

C:\Windows\System\JrjraSf.exe

MD5 93bacfc3d845f374627b012c3a61a1e5
SHA1 f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae
SHA256 4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d
SHA512 63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83

C:\Windows\System\BXbQpTN.exe

MD5 fbb6a602f644dbf57142122f30692c9a
SHA1 8158aaa7168744874ea387599d6d2cead21e28a3
SHA256 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d
SHA512 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe

memory/5828-104-0x00007FF7C7170000-0x00007FF7C74C4000-memory.dmp

C:\Windows\System\fLzyHep.exe

MD5 2b325ba998218e1724cf0adeb30ee980
SHA1 91c91f972b93ca21c02dbae5cc375d4e1212c0a0
SHA256 3b509ef9edb2905d68e114a86a101a00bf7ea4fa51d16ade0566e14bca5a50a9
SHA512 d7398cce9bbdb945487f66d7ab2c5fc7624933379c2058d1b197daa7f380b66de5a2145bdf0033355e795b1072c67b0031b7045307d04119888457779d707df5

memory/5508-110-0x00007FF74E0F0000-0x00007FF74E444000-memory.dmp

memory/1600-116-0x00007FF77F9E0000-0x00007FF77FD34000-memory.dmp

C:\Windows\System\btQwaEb.exe

MD5 0642442db4acbbfb6037e06789624264
SHA1 923aee440a6887c7a7a8a78085aa492b2cdcee65
SHA256 5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85
SHA512 7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

C:\Windows\System\eYTTxhd.exe

MD5 6b5887af4274a78686a788865765637c
SHA1 5afc15e6fcbc11377bbabbda47ff43f6ebedd369
SHA256 ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006
SHA512 4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077

memory/5524-125-0x00007FF6564A0000-0x00007FF6567F4000-memory.dmp

memory/5564-126-0x00007FF7ADAD0000-0x00007FF7ADE24000-memory.dmp

memory/2316-133-0x00007FF72A200000-0x00007FF72A554000-memory.dmp

memory/4476-131-0x00007FF6A2AF0000-0x00007FF6A2E44000-memory.dmp

C:\Windows\System\eYTTxhd.exe

MD5 2543c4760bd9af7f70b7834411ab61af
SHA1 ed963cb76a076b222f6cdae99e8563d4444f6351
SHA256 c5992c95fef0e281d0ce0d741b02048e13663a833b3e0a3351e4871cc0042001
SHA512 37d8c491a184de94728c08add4a199f5cd8ae60d7cd02c39ad185a2859dd5e731e72c9b8cd0fd70525b0b413284ba12790037144a49d111203eb80cb9afcba56

memory/5976-135-0x00007FF770C90000-0x00007FF770FE4000-memory.dmp

memory/5564-136-0x00007FF7ADAD0000-0x00007FF7ADE24000-memory.dmp

memory/2484-137-0x00007FF647820000-0x00007FF647B74000-memory.dmp

memory/2316-138-0x00007FF72A200000-0x00007FF72A554000-memory.dmp

memory/3760-139-0x00007FF7C1DA0000-0x00007FF7C20F4000-memory.dmp

memory/4972-140-0x00007FF6E8790000-0x00007FF6E8AE4000-memory.dmp

memory/3536-141-0x00007FF75F800000-0x00007FF75FB54000-memory.dmp

memory/2556-142-0x00007FF69A0F0000-0x00007FF69A444000-memory.dmp

memory/5604-143-0x00007FF6FBA10000-0x00007FF6FBD64000-memory.dmp

memory/5556-144-0x00007FF766440000-0x00007FF766794000-memory.dmp

memory/1964-145-0x00007FF7C8310000-0x00007FF7C8664000-memory.dmp

memory/5328-146-0x00007FF630320000-0x00007FF630674000-memory.dmp

memory/5396-147-0x00007FF6D6FE0000-0x00007FF6D7334000-memory.dmp

memory/4476-148-0x00007FF6A2AF0000-0x00007FF6A2E44000-memory.dmp

memory/4360-149-0x00007FF7AF450000-0x00007FF7AF7A4000-memory.dmp

memory/4544-150-0x00007FF6C61F0000-0x00007FF6C6544000-memory.dmp

memory/5944-151-0x00007FF7AE790000-0x00007FF7AEAE4000-memory.dmp

memory/5976-152-0x00007FF770C90000-0x00007FF770FE4000-memory.dmp

memory/5828-153-0x00007FF7C7170000-0x00007FF7C74C4000-memory.dmp

memory/5508-154-0x00007FF74E0F0000-0x00007FF74E444000-memory.dmp

memory/1600-155-0x00007FF77F9E0000-0x00007FF77FD34000-memory.dmp

memory/5524-156-0x00007FF6564A0000-0x00007FF6567F4000-memory.dmp

memory/5564-157-0x00007FF7ADAD0000-0x00007FF7ADE24000-memory.dmp

memory/2316-158-0x00007FF72A200000-0x00007FF72A554000-memory.dmp