Malware Analysis Report

2024-10-16 03:05

Sample ID 240609-16bq4agc77
Target 2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike
SHA256 caf2386837d9f2670b1c1193fad18024967f873906578b473fa4bb11d75e41cb
Tags miner upx 0 xmrig cobaltstrike backdoor trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

caf2386837d9f2670b1c1193fad18024967f873906578b473fa4bb11d75e41cb

Threat Level: Known bad

The file 2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

Cobaltstrike family

xmrig

Cobalt Strike reflective loader

Cobaltstrike

XMRig Miner payload

Xmrig family

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 22:15

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 22:15

Reported

2024-06-09 22:17

Platform

win7-20240221-en

Max time kernel

137s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IlFeBlJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PSOqfuD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WuWisLo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OZLRABH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fRHPivY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ImJzHYm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pqtfAKu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vmuXMNV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AGfxFEo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GLlgGod.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UbEJChY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vMNEEoM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oUEiEfA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CxWzNpt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FqNCrKN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QHtflyw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wtLiTUA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uZDVQRV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IsLCUJp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rGpRnwQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\luiQdbn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\CxWzNpt.exe
PID 2968 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\UbEJChY.exe
PID 2968 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\FqNCrKN.exe
PID 2968 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\vMNEEoM.exe
PID 2968 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\oUEiEfA.exe
PID 2968 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\ImJzHYm.exe
PID 2968 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\pqtfAKu.exe
PID 2968 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\IsLCUJp.exe
PID 2968 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\vmuXMNV.exe
PID 2968 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\WuWisLo.exe
PID 2968 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\OZLRABH.exe
PID 2968 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\rGpRnwQ.exe
PID 2968 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\fRHPivY.exe
PID 2968 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\luiQdbn.exe
PID 2968 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\wtLiTUA.exe
PID 2968 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\AGfxFEo.exe
PID 2968 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\IlFeBlJ.exe
PID 2968 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\GLlgGod.exe
PID 2968 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\QHtflyw.exe
PID 2968 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZDVQRV.exe
PID 2968 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\PSOqfuD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\CxWzNpt.exe
C:\Windows\System\UbEJChY.exe
C:\Windows\System\FqNCrKN.exe
C:\Windows\System\vMNEEoM.exe
C:\Windows\System\oUEiEfA.exe
C:\Windows\System\ImJzHYm.exe
C:\Windows\System\pqtfAKu.exe
C:\Windows\System\IsLCUJp.exe
C:\Windows\System\vmuXMNV.exe
C:\Windows\System\WuWisLo.exe
C:\Windows\System\OZLRABH.exe
C:\Windows\System\rGpRnwQ.exe
C:\Windows\System\fRHPivY.exe
C:\Windows\System\luiQdbn.exe
C:\Windows\System\wtLiTUA.exe
C:\Windows\System\AGfxFEo.exe
C:\Windows\System\IlFeBlJ.exe
C:\Windows\System\GLlgGod.exe
C:\Windows\System\QHtflyw.exe
C:\Windows\System\uZDVQRV.exe
C:\Windows\System\PSOqfuD.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2672-46-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2968-34-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2476-57-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2620-56-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2968-53-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/2968-41-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2808-39-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2660-22-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2968-26-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/2672-140-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2620-141-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2968-142-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2968-143-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/2968-144-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/1668-145-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2684-146-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2788-147-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2968-148-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/2968-149-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2512-150-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2524-151-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/2660-152-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2548-153-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2808-154-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2672-155-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2476-157-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2620-156-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2888-158-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/2540-159-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2684-160-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/1668-161-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/552-162-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/2788-163-0x000000013F130000-0x000000013F484000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 22:15

Reported

2024-06-09 22:17

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FiqffQl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\giohIUR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EDtcZED.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KvnmVGy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rYlAbWz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EHQgONj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BJkzNOS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\klrinwC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nRwfOjk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZtLNXGo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bzwyZTL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dZYbCAS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NznvjGB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aLWFmFb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oSxJEIN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VMqWZYx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ybiPsAv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xWumsfX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iUoqBPQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JdUBUfj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BolrbRO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4156 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\FiqffQl.exe
PID 4156 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\oSxJEIN.exe
PID 4156 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\giohIUR.exe
PID 4156 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\VMqWZYx.exe
PID 4156 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\EDtcZED.exe
PID 4156 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\KvnmVGy.exe
PID 4156 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\ybiPsAv.exe
PID 4156 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\bzwyZTL.exe
PID 4156 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\xWumsfX.exe
PID 4156 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\iUoqBPQ.exe
PID 4156 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\klrinwC.exe
PID 4156 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\rYlAbWz.exe
PID 4156 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\dZYbCAS.exe
PID 4156 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\NznvjGB.exe
PID 4156 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\nRwfOjk.exe
PID 4156 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\JdUBUfj.exe
PID 4156 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZtLNXGo.exe
PID 4156 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\EHQgONj.exe
PID 4156 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\BolrbRO.exe
PID 4156 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\BJkzNOS.exe
PID 4156 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe C:\Windows\System\aLWFmFb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_eb60089edd2fb6b4dca48305b6f0ecb8_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\FiqffQl.exe

C:\Windows\System\FiqffQl.exe

C:\Windows\System\oSxJEIN.exe

C:\Windows\System\oSxJEIN.exe

C:\Windows\System\giohIUR.exe

C:\Windows\System\giohIUR.exe

C:\Windows\System\VMqWZYx.exe

C:\Windows\System\VMqWZYx.exe

C:\Windows\System\EDtcZED.exe

C:\Windows\System\EDtcZED.exe

C:\Windows\System\KvnmVGy.exe

C:\Windows\System\KvnmVGy.exe

C:\Windows\System\ybiPsAv.exe

C:\Windows\System\ybiPsAv.exe

C:\Windows\System\bzwyZTL.exe

C:\Windows\System\bzwyZTL.exe

C:\Windows\System\xWumsfX.exe

C:\Windows\System\xWumsfX.exe

C:\Windows\System\iUoqBPQ.exe

C:\Windows\System\iUoqBPQ.exe

C:\Windows\System\klrinwC.exe

C:\Windows\System\klrinwC.exe

C:\Windows\System\rYlAbWz.exe

C:\Windows\System\rYlAbWz.exe

C:\Windows\System\dZYbCAS.exe

C:\Windows\System\dZYbCAS.exe

C:\Windows\System\NznvjGB.exe

C:\Windows\System\NznvjGB.exe

C:\Windows\System\nRwfOjk.exe

C:\Windows\System\nRwfOjk.exe

C:\Windows\System\JdUBUfj.exe

C:\Windows\System\JdUBUfj.exe

C:\Windows\System\ZtLNXGo.exe

C:\Windows\System\ZtLNXGo.exe

C:\Windows\System\EHQgONj.exe

C:\Windows\System\EHQgONj.exe

C:\Windows\System\BolrbRO.exe

C:\Windows\System\BolrbRO.exe

C:\Windows\System\BJkzNOS.exe

C:\Windows\System\BJkzNOS.exe

C:\Windows\System\aLWFmFb.exe

C:\Windows\System\aLWFmFb.exe

Network

Country Destination Domain Proto

Files
