Malware Analysis Report

2024-10-16 03:10

Sample ID 240610-fdwkksch88
Target 2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike
SHA256 7b42d2f25b67245f385a923ccb9aa28f1831d753087984c160b0b32d5721a503
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7b42d2f25b67245f385a923ccb9aa28f1831d753087984c160b0b32d5721a503

Threat Level: Known bad

The file 2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Xmrig family

Cobaltstrike

XMRig Miner payload

Cobaltstrike family

xmrig

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 04:45

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 04:45

Reported

2024-06-10 04:50

Platform

win7-20240221-en

Max time kernel

133s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yULUIrw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aQVpZzK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hKJxSnF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZLZPjcl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hUeQLxX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FqvCKxF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zUMHIKO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ciKLhmF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eTesOkB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qPetckh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CRFwntD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qHRPASa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wuhkSgu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lrCicGD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FuqhzMh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EJXXzaQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kWtJMWy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LhAsFiu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NAQQZTQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\igXaePc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OwkBpUM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1896 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\qPetckh.exe
PID 1896 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\CRFwntD.exe
PID 1896 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\hKJxSnF.exe
PID 1896 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\LhAsFiu.exe
PID 1896 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\NAQQZTQ.exe
PID 1896 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\qHRPASa.exe
PID 1896 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\wuhkSgu.exe
PID 1896 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\zUMHIKO.exe
PID 1896 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZLZPjcl.exe
PID 1896 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\lrCicGD.exe
PID 1896 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\hUeQLxX.exe
PID 1896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\FqvCKxF.exe
PID 1896 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\ciKLhmF.exe
PID 1896 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\eTesOkB.exe
PID 1896 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\yULUIrw.exe
PID 1896 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\igXaePc.exe
PID 1896 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\OwkBpUM.exe
PID 1896 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\EJXXzaQ.exe
PID 1896 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\aQVpZzK.exe
PID 1896 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\FuqhzMh.exe
PID 1896 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\kWtJMWy.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\qPetckh.exe

C:\Windows\System\qPetckh.exe

C:\Windows\System\CRFwntD.exe

C:\Windows\System\CRFwntD.exe

C:\Windows\System\hKJxSnF.exe

C:\Windows\System\hKJxSnF.exe

C:\Windows\System\LhAsFiu.exe

C:\Windows\System\LhAsFiu.exe

C:\Windows\System\NAQQZTQ.exe

C:\Windows\System\NAQQZTQ.exe

C:\Windows\System\qHRPASa.exe

C:\Windows\System\qHRPASa.exe

C:\Windows\System\wuhkSgu.exe

C:\Windows\System\wuhkSgu.exe

C:\Windows\System\zUMHIKO.exe

C:\Windows\System\zUMHIKO.exe

C:\Windows\System\ZLZPjcl.exe

C:\Windows\System\ZLZPjcl.exe

C:\Windows\System\lrCicGD.exe

C:\Windows\System\lrCicGD.exe

C:\Windows\System\hUeQLxX.exe

C:\Windows\System\hUeQLxX.exe

C:\Windows\System\FqvCKxF.exe

C:\Windows\System\FqvCKxF.exe

C:\Windows\System\ciKLhmF.exe

C:\Windows\System\ciKLhmF.exe

C:\Windows\System\eTesOkB.exe

C:\Windows\System\eTesOkB.exe

C:\Windows\System\yULUIrw.exe

C:\Windows\System\yULUIrw.exe

C:\Windows\System\igXaePc.exe

C:\Windows\System\igXaePc.exe

C:\Windows\System\OwkBpUM.exe

C:\Windows\System\OwkBpUM.exe

C:\Windows\System\EJXXzaQ.exe

C:\Windows\System\EJXXzaQ.exe

C:\Windows\System\aQVpZzK.exe

C:\Windows\System\aQVpZzK.exe

C:\Windows\System\FuqhzMh.exe

C:\Windows\System\FuqhzMh.exe

C:\Windows\System\kWtJMWy.exe

C:\Windows\System\kWtJMWy.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


C:\Windows\system\lrCicGD.exe

MD5 3c4936ba91eaa69f7fdbfccc9b857022
SHA1 d97c8ba6655ec64594f86192c6bdb9c832040c3a
SHA256 f647e481490f98c412386808e010fe7c22bcbe8d3cebe4c6aae38fd2d6003c10
SHA512 327dd607eb26134ae7933735d6de926b79e86a7c2a97c4f64919c1cdded613dd5e13b9c7b209f5d7e94d70772d16c0aa412b8bf1f7d9435384a504f194d13cc9

\Windows\system\lrCicGD.exe

MD5 992e15ebc2245cf970acce9948576d6c
SHA1 3322f50d4aebf915abc8a5277cd07a23adf5f127
SHA256 34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5
SHA512 2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7

C:\Windows\system\ZLZPjcl.exe

MD5 8a74009f7dd9c036cc12b3f189bd9ac6
SHA1 e53d33c260bb77d6ec7f4c05d6b7a52ccd5f9de0
SHA256 b349cfcd57c9962c2310b863621992c24963856bb8765a72596762e3d22c0932
SHA512 6b058797ebf39246aeec4041256bec3900d2fe258c40c7a628ad2f0a7c71cd84516d0e4598c1b869d273f2d776086698842e42f21ab1a8adea547d9c55a56876

\Windows\system\wuhkSgu.exe

MD5 17fc50ceee2e03d90dc66d1b696ae04c
SHA1 edb9bfabb63dae8151ef58d586ad8bd320e46954
SHA256 fc4616ed39d09901bce558c977cf8c1b0bb141044fdc081427724967ba6dd3fa
SHA512 d8c3393f993fa67b8b0595df5ee762653e8d56a623f080da9228a5a0d869ef0a7edc1d904724d72b970bf2e625e4a5f9c12c3697e318c3a3b3b8ac5cb30955dc

\Windows\system\qHRPASa.exe

MD5 67d7d0c360c2defa9a36a47a23af7dd6
SHA1 efd9d2994e80ef40cbaab5f7ef02420aebe17206
SHA256 0521cd0d1d60fc081a5e4d3f28f5a76a962e60920d871e29a2de526b0e72b791
SHA512 f5338aedc9e177da3d3af04e6946e9f03280307d40c8e1e2e21b270727d9ec57427c8f7861835c62a83f44226e722c786902eaaa4187cfaefc3a81305ca12e2b

\Windows\system\hKJxSnF.exe

MD5 6e20c1464f2f11359d03740e39e646c8
SHA1 e90209ae46e403e71a97b0f056c5611d8850af0f
SHA256 e9593ce32c1f94db36680e392134bf6ea24ae6d0ede4ec413f37566a5f2d14d1
SHA512 3c5d83e738534c4ac0713b5c116bdf631b564cab66985488e774409d89d4217b15f7b4d1125192155a4943ff3a81fa41e606de408ffb1a46a6a0a426634ea7fe

\Windows\system\NAQQZTQ.exe

MD5 1d51a6f9f8f706d40a78f27cac287065
SHA1 981c2096ede4558d1ebc91ef5d6ea849a5e05a26
SHA256 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1
SHA512 f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97

memory/1896-8-0x0000000002300000-0x0000000002654000-memory.dmp

memory/1896-132-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/1896-133-0x000000013FEE0000-0x0000000140234000-memory.dmp

memory/1984-134-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2888-135-0x000000013FFD0000-0x0000000140324000-memory.dmp

memory/2556-136-0x000000013FB10000-0x000000013FE64000-memory.dmp

memory/2524-138-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/2616-137-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2644-140-0x000000013FEE0000-0x0000000140234000-memory.dmp

memory/2384-141-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2088-139-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/2408-142-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2356-143-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/2428-144-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2852-145-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2820-146-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/1852-147-0x000000013FFC0000-0x0000000140314000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 04:45

Reported

2024-06-10 04:50

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ZLZPjcl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lrCicGD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hUeQLxX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OwkBpUM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aQVpZzK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qPetckh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EJXXzaQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kWtJMWy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hKJxSnF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NAQQZTQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zUMHIKO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yULUIrw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CRFwntD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LhAsFiu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qHRPASa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wuhkSgu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FqvCKxF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ciKLhmF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eTesOkB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\igXaePc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FuqhzMh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 944 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\qPetckh.exe
PID 944 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\qPetckh.exe
PID 944 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\CRFwntD.exe
PID 944 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\CRFwntD.exe
PID 944 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\hKJxSnF.exe
PID 944 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\hKJxSnF.exe
PID 944 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\LhAsFiu.exe
PID 944 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\LhAsFiu.exe
PID 944 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\NAQQZTQ.exe
PID 944 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\NAQQZTQ.exe
PID 944 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\qHRPASa.exe
PID 944 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\qHRPASa.exe
PID 944 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\wuhkSgu.exe
PID 944 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\wuhkSgu.exe
PID 944 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\zUMHIKO.exe
PID 944 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\zUMHIKO.exe
PID 944 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZLZPjcl.exe
PID 944 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZLZPjcl.exe
PID 944 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\lrCicGD.exe
PID 944 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\lrCicGD.exe
PID 944 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\hUeQLxX.exe
PID 944 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\hUeQLxX.exe
PID 944 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\FqvCKxF.exe
PID 944 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\FqvCKxF.exe
PID 944 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\ciKLhmF.exe
PID 944 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\ciKLhmF.exe
PID 944 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\eTesOkB.exe
PID 944 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\eTesOkB.exe
PID 944 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\yULUIrw.exe
PID 944 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\yULUIrw.exe
PID 944 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\igXaePc.exe
PID 944 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\igXaePc.exe
PID 944 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\OwkBpUM.exe
PID 944 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\OwkBpUM.exe
PID 944 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\EJXXzaQ.exe
PID 944 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\EJXXzaQ.exe
PID 944 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\aQVpZzK.exe
PID 944 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\aQVpZzK.exe
PID 944 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\FuqhzMh.exe
PID 944 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\FuqhzMh.exe
PID 944 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\kWtJMWy.exe
PID 944 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe C:\Windows\System\kWtJMWy.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_1fbba17986f6c4a61b407253e3e34c85_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\qPetckh.exe

C:\Windows\System\qPetckh.exe

C:\Windows\System\CRFwntD.exe

C:\Windows\System\CRFwntD.exe

C:\Windows\System\hKJxSnF.exe

C:\Windows\System\hKJxSnF.exe

C:\Windows\System\LhAsFiu.exe

C:\Windows\System\LhAsFiu.exe

C:\Windows\System\NAQQZTQ.exe

C:\Windows\System\NAQQZTQ.exe

C:\Windows\System\qHRPASa.exe

C:\Windows\System\qHRPASa.exe

C:\Windows\System\wuhkSgu.exe

C:\Windows\System\wuhkSgu.exe

C:\Windows\System\zUMHIKO.exe

C:\Windows\System\zUMHIKO.exe

C:\Windows\System\ZLZPjcl.exe

C:\Windows\System\ZLZPjcl.exe

C:\Windows\System\lrCicGD.exe

C:\Windows\System\lrCicGD.exe

C:\Windows\System\hUeQLxX.exe

C:\Windows\System\hUeQLxX.exe

C:\Windows\System\FqvCKxF.exe

C:\Windows\System\FqvCKxF.exe

C:\Windows\System\ciKLhmF.exe

C:\Windows\System\ciKLhmF.exe

C:\Windows\System\eTesOkB.exe

C:\Windows\System\eTesOkB.exe

C:\Windows\System\yULUIrw.exe

C:\Windows\System\yULUIrw.exe

C:\Windows\System\igXaePc.exe

C:\Windows\System\igXaePc.exe

C:\Windows\System\OwkBpUM.exe

C:\Windows\System\OwkBpUM.exe

C:\Windows\System\EJXXzaQ.exe

C:\Windows\System\EJXXzaQ.exe

C:\Windows\System\aQVpZzK.exe

C:\Windows\System\aQVpZzK.exe

C:\Windows\System\FuqhzMh.exe

C:\Windows\System\FuqhzMh.exe

C:\Windows\System\kWtJMWy.exe

C:\Windows\System\kWtJMWy.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
