Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-eqx4hace63
Target 2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike
SHA256 b08d1158805d1abddb6cec41bf40af7b1164e2f6a54c1d41f01e557c37230628
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b08d1158805d1abddb6cec41bf40af7b1164e2f6a54c1d41f01e557c37230628

Threat Level: Known bad

The file 2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

Xmrig family

Detects Reflective DLL injection artifacts

xmrig

Cobalt Strike reflective loader

Cobaltstrike

UPX dump on OEP (original entry point)

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 04:09

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 04:09

Reported

2024-06-10 04:12

Platform

win7-20240215-en

Max time kernel

132s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\srTMTyJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wjDyWPo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qPSpnCz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PMRKzSA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\brnvSNR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iZYYFOy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LeVAUxt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OJEBzxP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YkUTgJJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zxyzwRz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HlsPfyy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hzyUfRw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YAPTYbF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wXIoSVW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\shHVpKl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LMIlbes.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QzCfvkc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YuyZrUN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vNOmxna.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IzpjUKd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zbdOiVf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\shHVpKl.exe
PID 2072 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\srTMTyJ.exe
PID 2072 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\LMIlbes.exe
PID 2072 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\LeVAUxt.exe
PID 2072 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\OJEBzxP.exe
PID 2072 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\HlsPfyy.exe
PID 2072 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\wjDyWPo.exe
PID 2072 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\YkUTgJJ.exe
PID 2072 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\qPSpnCz.exe
PID 2072 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\hzyUfRw.exe
PID 2072 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\QzCfvkc.exe
PID 2072 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\YuyZrUN.exe
PID 2072 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMRKzSA.exe
PID 2072 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\YAPTYbF.exe
PID 2072 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\vNOmxna.exe
PID 2072 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\brnvSNR.exe
PID 2072 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\IzpjUKd.exe
PID 2072 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\wXIoSVW.exe
PID 2072 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\zxyzwRz.exe
PID 2072 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\iZYYFOy.exe
PID 2072 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\zbdOiVf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\shHVpKl.exe

C:\Windows\System\shHVpKl.exe

C:\Windows\System\srTMTyJ.exe

C:\Windows\System\srTMTyJ.exe

C:\Windows\System\LMIlbes.exe

C:\Windows\System\LMIlbes.exe

C:\Windows\System\LeVAUxt.exe

C:\Windows\System\LeVAUxt.exe

C:\Windows\System\OJEBzxP.exe

C:\Windows\System\OJEBzxP.exe

C:\Windows\System\HlsPfyy.exe

C:\Windows\System\HlsPfyy.exe

C:\Windows\System\wjDyWPo.exe

C:\Windows\System\wjDyWPo.exe

C:\Windows\System\YkUTgJJ.exe

C:\Windows\System\YkUTgJJ.exe

C:\Windows\System\qPSpnCz.exe

C:\Windows\System\qPSpnCz.exe

C:\Windows\System\hzyUfRw.exe

C:\Windows\System\hzyUfRw.exe

C:\Windows\System\QzCfvkc.exe

C:\Windows\System\QzCfvkc.exe

C:\Windows\System\YuyZrUN.exe

C:\Windows\System\YuyZrUN.exe

C:\Windows\System\PMRKzSA.exe

C:\Windows\System\PMRKzSA.exe

C:\Windows\System\YAPTYbF.exe

C:\Windows\System\YAPTYbF.exe

C:\Windows\System\vNOmxna.exe

C:\Windows\System\vNOmxna.exe

C:\Windows\System\brnvSNR.exe

C:\Windows\System\brnvSNR.exe

C:\Windows\System\IzpjUKd.exe

C:\Windows\System\IzpjUKd.exe

C:\Windows\System\wXIoSVW.exe

C:\Windows\System\wXIoSVW.exe

C:\Windows\System\zxyzwRz.exe

C:\Windows\System\zxyzwRz.exe

C:\Windows\System\iZYYFOy.exe

C:\Windows\System\iZYYFOy.exe

C:\Windows\System\zbdOiVf.exe

C:\Windows\System\zbdOiVf.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

SHA512 e810de03f3ddceefe7895ec2db05630fc207e13e70d442fbdec6b408c9badf729d24266be3abb56bc55a875303291d66198a7359c2c5be0b20a667d04cd4490f

C:\Windows\system\YuyZrUN.exe

MD5 ca2c8fc23ac2c4dd58545d16927e5bef
SHA1 b94b35150eb75787af3ce6aea401e04f2ec70fc4
SHA256 51b2f421412d1c153d42b830056e97b87fc530680dc92b4e38ffc670147a2fef
SHA512 1d2438ad0849ebaa3adb73c2fd279bcc7d191070217788022edef321689dfafee2b67a7644710d778788f25a062e16a16f37020f5aabaf59a89fd5b4e304a9ce

\Windows\system\YuyZrUN.exe

MD5 52769ac9891e89581321c34c116b73ff
SHA1 4dafcc73f4b528e9b723d8c4b0953e36c597f220
SHA256 8cc69cbf71f024629c9896e810c997dcaeaa79574b5a43a1b2164fcb037540a7
SHA512 e9529663e360e161b413e00d1e906152ac2eb06cb5fb756d820da7003e815b27c550ffa12a717760a704e921e0627bfb00b96cf24dea633639a9f3c552b82aeb

\Windows\system\QzCfvkc.exe

MD5 ff9815bdf6526cdcf8140ddff6605969
SHA1 6775cd34e81ea55202e8e0e537f69c394383c95e
SHA256 7c796f7c5d32b2082eaf48464da879089c6aaf9658a1df78c15ae381d688c199
SHA512 2f1ac330e00c3a6bba7819a410b9caecb573f7214791765019f9136b1af232bbe715a1a0788620681d8ae902e5e182b2188f654c728c42f3e08db509e4fe1b76

\Windows\system\hzyUfRw.exe

MD5 e0dd38ffdcd50af0823a408c76338f93
SHA1 5fb539a1a0005fb4d8c6e57d29561ec782209155
SHA256 6e48360dcb977211a62de2c649bd86309e64d68c8acee20f1f330a0dfdd60d86
SHA512 2f9937804e20dbde6f9363a3e24bf1b297cf809141f71ba1b72211a3a1475e59375b0e0fb921b12a6571086074746e608172f6f121f780f3b5ede89c990d6b5c

\Windows\system\qPSpnCz.exe

MD5 93bacfc3d845f374627b012c3a61a1e5
SHA1 f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae
SHA256 4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d
SHA512 63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83

memory/2524-38-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2072-36-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2588-30-0x000000013F810000-0x000000013FB64000-memory.dmp

C:\Windows\system\OJEBzxP.exe

MD5 5c18200a60b1175509e04c74ff572f08
SHA1 897bccc513a84fd24b23857830b75ab467b6ee95
SHA256 e75448d20c5eeedf80ab10704e7c8d8a153b2a43a5f15a1bd549e252c285edad
SHA512 1097e8c57f71fd78115aa3f348dc9960fb3cfd17d947c68dbaa73633b62e7d164bf6f7477d0280bbf660a8208a91234ec81c8a8e656e4a51e2c78e757bbd3342

\Windows\system\srTMTyJ.exe

MD5 c5f33c208b8352c92ff94fbc2b599111
SHA1 0842e8833ca026da14c777f19216ac8823767900
SHA256 6fd2df6d3131682515e5fc159d81918ada218168622149be278bff78e6839f6f
SHA512 62f9100bcb029dacf5e5850ff2c364497a0db747c663dacd840839ef6bb501ef0b8fddc8b075af9a33043a07665b866db4f1c551c78513d6efa407abe8c56db5

memory/2072-135-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2072-137-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2428-138-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/2072-136-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2072-139-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2744-140-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2508-141-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2588-142-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2648-143-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2524-144-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2516-145-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2180-146-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2956-150-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2420-152-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2664-153-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/1992-151-0x000000013F7E0000-0x000000013FB34000-memory.dmp

memory/2520-149-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2428-148-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/2456-147-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 04:09

Reported

2024-06-10 04:12

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HymQfSS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eJrPguN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iGykqmj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JBtYJbx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bIINYJt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AotCOYA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bFqIdbI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SdCBGbP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FjNNwhN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mWkIQQu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NAKVPxY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PNIrapP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LxrCHAg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JMBbjol.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IgALYyj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jsMSkAY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gsBfIVm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bDTNykW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TunsvIe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BAZMdDJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GSEwobt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3080 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\iGykqmj.exe
PID 3080 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\TunsvIe.exe
PID 3080 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\JBtYJbx.exe
PID 3080 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\bIINYJt.exe
PID 3080 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\gsBfIVm.exe
PID 3080 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\BAZMdDJ.exe
PID 3080 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\NAKVPxY.exe
PID 3080 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\PNIrapP.exe
PID 3080 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\AotCOYA.exe
PID 3080 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\bFqIdbI.exe
PID 3080 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\SdCBGbP.exe
PID 3080 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\HymQfSS.exe
PID 3080 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\eJrPguN.exe
PID 3080 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\LxrCHAg.exe
PID 3080 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\JMBbjol.exe
PID 3080 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\FjNNwhN.exe
PID 3080 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\IgALYyj.exe
PID 3080 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\jsMSkAY.exe
PID 3080 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\mWkIQQu.exe
PID 3080 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\GSEwobt.exe
PID 3080 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe C:\Windows\System\bDTNykW.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\iGykqmj.exe

C:\Windows\System\iGykqmj.exe

C:\Windows\System\TunsvIe.exe

C:\Windows\System\TunsvIe.exe

C:\Windows\System\JBtYJbx.exe

C:\Windows\System\JBtYJbx.exe

C:\Windows\System\bIINYJt.exe

C:\Windows\System\bIINYJt.exe

C:\Windows\System\gsBfIVm.exe

C:\Windows\System\gsBfIVm.exe

C:\Windows\System\BAZMdDJ.exe

C:\Windows\System\BAZMdDJ.exe

C:\Windows\System\NAKVPxY.exe

C:\Windows\System\NAKVPxY.exe

C:\Windows\System\PNIrapP.exe

C:\Windows\System\PNIrapP.exe

C:\Windows\System\AotCOYA.exe

C:\Windows\System\AotCOYA.exe

C:\Windows\System\bFqIdbI.exe

C:\Windows\System\bFqIdbI.exe

C:\Windows\System\SdCBGbP.exe

C:\Windows\System\SdCBGbP.exe

C:\Windows\System\HymQfSS.exe

C:\Windows\System\HymQfSS.exe

C:\Windows\System\eJrPguN.exe

C:\Windows\System\eJrPguN.exe

C:\Windows\System\LxrCHAg.exe

C:\Windows\System\LxrCHAg.exe

C:\Windows\System\JMBbjol.exe

C:\Windows\System\JMBbjol.exe

C:\Windows\System\FjNNwhN.exe

C:\Windows\System\FjNNwhN.exe

C:\Windows\System\IgALYyj.exe

C:\Windows\System\IgALYyj.exe

C:\Windows\System\jsMSkAY.exe

C:\Windows\System\jsMSkAY.exe

C:\Windows\System\mWkIQQu.exe

C:\Windows\System\mWkIQQu.exe

C:\Windows\System\GSEwobt.exe

C:\Windows\System\GSEwobt.exe

C:\Windows\System\bDTNykW.exe

C:\Windows\System\bDTNykW.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 142.250.179.106:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 106.179.250.142.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files


memory/3420-150-0x00007FF69CE40000-0x00007FF69D194000-memory.dmp

memory/2044-149-0x00007FF6D3010000-0x00007FF6D3364000-memory.dmp

memory/4116-151-0x00007FF672960000-0x00007FF672CB4000-memory.dmp

memory/1624-152-0x00007FF74B8E0000-0x00007FF74BC34000-memory.dmp

memory/4528-154-0x00007FF74C3C0000-0x00007FF74C714000-memory.dmp

memory/1144-153-0x00007FF6C4E90000-0x00007FF6C51E4000-memory.dmp

memory/4088-156-0x00007FF605860000-0x00007FF605BB4000-memory.dmp

memory/4296-155-0x00007FF68A870000-0x00007FF68ABC4000-memory.dmp