Malware Analysis Report

2025-03-15 08:11

Sample ID 240529-zqdp3she7w
Target 2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike
SHA256 875402486c494101baa0b535acb3fb9ee73d4e55be9094327427592172fd65d8
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

875402486c494101baa0b535acb3fb9ee73d4e55be9094327427592172fd65d8

Threat Level: Known bad

The file 2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobalt Strike reflective loader

Cobaltstrike

XMRig Miner payload

xmrig

Cobaltstrike family

UPX dump on OEP (original entry point)

Xmrig family

Detects Reflective DLL injection artifacts

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 20:55

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 20:54

Reported

2024-05-29 20:57

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 hits recorded; description, indicator, process and target not captured for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 hits recorded; description, indicator, process and target not captured for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(64 hits recorded; description, indicator, process and target not captured for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
(46 hits recorded; description, indicator, process and target not captured for any of them)

UPX packed file

upx
Description Indicator Process Target
(64 hits recorded; description, indicator, process and target not captured for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FCiOZbv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qZmstFD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZyqaGcP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zliRDKW.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TbrkopN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WbzbEej.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FzupgGq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mFekmPY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ldBwevM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JEYHItk.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WUuOzlP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BSAcfwo.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UUJerys.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ogLydMJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SiFdHRG.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mKmYvEn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WRrcnbE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kqaBemO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cHLptxM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XTaKVPf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gSyuQuV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ogLydMJ.exe
PID 2436 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ogLydMJ.exe
PID 2436 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\FCiOZbv.exe
PID 2436 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\FCiOZbv.exe
PID 2436 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WbzbEej.exe
PID 2436 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WbzbEej.exe
PID 2436 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\FzupgGq.exe
PID 2436 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\FzupgGq.exe
PID 2436 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\cHLptxM.exe
PID 2436 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\cHLptxM.exe
PID 2436 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SiFdHRG.exe
PID 2436 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SiFdHRG.exe
PID 2436 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\mFekmPY.exe
PID 2436 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\mFekmPY.exe
PID 2436 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\mKmYvEn.exe
PID 2436 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\mKmYvEn.exe
PID 2436 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XTaKVPf.exe
PID 2436 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XTaKVPf.exe
PID 2436 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\qZmstFD.exe
PID 2436 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\qZmstFD.exe
PID 2436 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ldBwevM.exe
PID 2436 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ldBwevM.exe
PID 2436 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZyqaGcP.exe
PID 2436 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZyqaGcP.exe
PID 2436 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\JEYHItk.exe
PID 2436 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\JEYHItk.exe
PID 2436 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WUuOzlP.exe
PID 2436 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WUuOzlP.exe
PID 2436 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\BSAcfwo.exe
PID 2436 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\BSAcfwo.exe
PID 2436 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gSyuQuV.exe
PID 2436 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gSyuQuV.exe
PID 2436 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WRrcnbE.exe
PID 2436 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WRrcnbE.exe
PID 2436 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\zliRDKW.exe
PID 2436 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\zliRDKW.exe
PID 2436 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TbrkopN.exe
PID 2436 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TbrkopN.exe
PID 2436 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\kqaBemO.exe
PID 2436 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\kqaBemO.exe
PID 2436 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UUJerys.exe
PID 2436 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UUJerys.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ogLydMJ.exe

C:\Windows\System\ogLydMJ.exe

C:\Windows\System\FCiOZbv.exe

C:\Windows\System\FCiOZbv.exe

C:\Windows\System\WbzbEej.exe

C:\Windows\System\WbzbEej.exe

C:\Windows\System\FzupgGq.exe

C:\Windows\System\FzupgGq.exe

C:\Windows\System\cHLptxM.exe

C:\Windows\System\cHLptxM.exe

C:\Windows\System\SiFdHRG.exe

C:\Windows\System\SiFdHRG.exe

C:\Windows\System\mFekmPY.exe

C:\Windows\System\mFekmPY.exe

C:\Windows\System\mKmYvEn.exe

C:\Windows\System\mKmYvEn.exe

C:\Windows\System\XTaKVPf.exe

C:\Windows\System\XTaKVPf.exe

C:\Windows\System\qZmstFD.exe

C:\Windows\System\qZmstFD.exe

C:\Windows\System\ldBwevM.exe

C:\Windows\System\ldBwevM.exe

C:\Windows\System\ZyqaGcP.exe

C:\Windows\System\ZyqaGcP.exe

C:\Windows\System\JEYHItk.exe

C:\Windows\System\JEYHItk.exe

C:\Windows\System\WUuOzlP.exe

C:\Windows\System\WUuOzlP.exe

C:\Windows\System\BSAcfwo.exe

C:\Windows\System\BSAcfwo.exe

C:\Windows\System\gSyuQuV.exe

C:\Windows\System\gSyuQuV.exe

C:\Windows\System\WRrcnbE.exe

C:\Windows\System\WRrcnbE.exe

C:\Windows\System\zliRDKW.exe

C:\Windows\System\zliRDKW.exe

C:\Windows\System\TbrkopN.exe

C:\Windows\System\TbrkopN.exe

C:\Windows\System\kqaBemO.exe

C:\Windows\System\kqaBemO.exe

C:\Windows\System\UUJerys.exe

C:\Windows\System\UUJerys.exe
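
The three tables above describe one procedure: the sample, running from %TEMP%, writes 21 seven-letter EXEs into C:\Windows\System (the legacy directory, not System32), launches each one, and is seen writing into each child's memory twice right at creation, which is consistent with ordinary process spawning rather than injection into an unrelated process. The strong signal is therefore the fan-out of random-named binaries from one parent, not the write itself. The two SeLockMemoryPrivilege adjustments are the other telling detail: that is the privilege XMRig requests to back its hashing with large pages, so the miner verdict is corroborated by behaviour and not only by the static match. The Python below is an added example, not part of the sandbox output: it runs that hunt logic over constructed process-creation events whose field names (pid, ppid, image, parent_image) are an assumption modelled on Sysmon Event ID 1; the fan-out threshold of 5 is likewise an assumption to tune per environment.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the behavioral2 run above:
# PID 2436 (the sample, running from %TEMP%) spawns the 21 seven-letter EXEs it
# dropped into C:\Windows\System. Field names are an assumption (roughly Sysmon
# Event ID 1), not the sandbox's own schema; svchost is a benign control event.
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe")
DROPPED = ["ogLydMJ", "FCiOZbv", "WbzbEej", "FzupgGq", "cHLptxM", "SiFdHRG",
           "mFekmPY", "mKmYvEn", "XTaKVPf", "qZmstFD", "ldBwevM", "ZyqaGcP",
           "JEYHItk", "WUuOzlP", "BSAcfwo", "gSyuQuV", "WRrcnbE", "zliRDKW",
           "TbrkopN", "kqaBemO", "UUJerys"]
CHILD_PIDS = [4604, 2524, 400, 2940, 3980, 2504, 5100, 1548, 5036, 2680, 1596,
              4036, 840, 2576, 2108, 4452, 932, 4532, 2988, 4808, 4616]

SAMPLE_EVENTS = [
    {"pid": 2436, "ppid": 3100, "image": SAMPLE_PATH,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 1120, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
] + [
    {"pid": pid, "ppid": 2436,
     "image": "C:\\Windows\\System\\" + name + ".exe",
     "parent_image": SAMPLE_PATH}
    for pid, name in zip(CHILD_PIDS, DROPPED)
]

# C:\Windows\System (not System32) is a legacy directory; a freshly written EXE
# there with a random seven-letter name is the drop pattern seen in this report.
RANDOM_SYSTEM_EXE = re.compile(r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$",
                               re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
FANOUT_THRESHOLD = 5  # assumption: tune to your environment


def evaluate(events):
    """Return (flagged events, parents that fan out into many flagged children)."""
    flagged = []
    children = defaultdict(list)
    for ev in events:
        if not RANDOM_SYSTEM_EXE.match(ev["image"]):
            continue
        severity = "medium"
        if TEMP_DIR.search(ev["parent_image"]):
            severity = "high"  # the launcher itself lives in %TEMP%
        flagged.append({"pid": ev["pid"], "ppid": ev["ppid"],
                        "image": ev["image"], "severity": severity})
        children[ev["ppid"]].append(ev["pid"])
    fanout = {ppid: pids for ppid, pids in children.items()
              if len(pids) >= FANOUT_THRESHOLD}
    return flagged, fanout


if __name__ == "__main__":
    hits, fan = evaluate(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['severity']}] pid={h['pid']} ppid={h['ppid']} {h['image']}")
    for ppid, pids in fan.items():
        print(f"parent {ppid} launched {len(pids)} random-named EXEs "
              f"from C:\\Windows\\System")
```

Per-event matching alone would also fire on a single odd EXE; the fan-out map is what turns 21 medium-confidence hits into one high-confidence incident keyed on the parent PID, which is the object to isolate.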

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
NL 52.111.243.31:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
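
Most of this Network table is sandbox noise: PTR lookups the Windows host sends to the resolver and Bing traffic from the desktop itself. The Python below is an added example, not sandbox output: it parses the table as transcribed from above, folds the DNS rows into the set of addresses and names that were looked up, and ranks the remaining peers by how much they resemble a beacon (no hostname, a non-web port, repeated connections). The resolver address and the port heuristic are assumptions. On this table it surfaces 3.120.209.58:8080, the only endpoint contacted repeatedly by raw IP; the report does not label it, so treat it as the lead to pivot on rather than a confirmed C2.

```python
import re
from collections import defaultdict

# The Network table above, transcribed as constructed input for this example.
NETWORK_TABLE = """
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
NL 52.111.243.31:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

ROW = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)
RESOLVERS = {"8.8.8.8"}      # assumption: the sandbox's DNS forwarder
WEB_PORTS = {"80", "443"}    # assumption: ports a browser would use anyway


def ptr_to_ip(name):
    """Turn a reverse-lookup name back into the address being resolved."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def triage(table):
    """Return (ranked peers, addresses reverse-looked-up, names forward-looked-up)."""
    peers = defaultdict(lambda: {"count": 0, "domain": None, "cc": None})
    ptr_targets, forward_lookups = set(), set()
    for line in table.splitlines():
        if not line.strip():
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        r = m.groupdict()
        if r["proto"] == "udp" and r["port"] == "53" and r["ip"] in RESOLVERS:
            # DNS chatter with the resolver: record what was asked, not a peer
            ip = ptr_to_ip(r["domain"] or "")
            if ip:
                ptr_targets.add(ip)
            elif r["domain"]:
                forward_lookups.add(r["domain"])
            continue
        key = f"{r['ip']}:{r['port']}"
        peer = peers[key]
        peer["count"] += 1
        peer["cc"] = r["cc"]
        if r["domain"]:
            peer["domain"] = r["domain"]
    ranked = []
    for key, peer in peers.items():
        ip, port = key.rsplit(":", 1)
        flags = []
        if peer["domain"] is None:
            flags.append("no-hostname")  # reached by raw IP, nothing resolved
        if port not in WEB_PORTS:
            flags.append("odd-port")
        ranked.append((key, peer["count"], peer["domain"], peer["cc"], flags))
    # most suspicious first: more flags, then more repeated connections
    ranked.sort(key=lambda t: (-len(t[4]), -t[1]))
    return ranked, ptr_targets, forward_lookups


if __name__ == "__main__":
    for key, count, domain, cc, flags in triage(NETWORK_TABLE)[0]:
        print(f"{key:22} x{count:<2} {cc} {domain or '-':20} {' '.join(flags)}")
```

The reverse-lookup set is kept because it lets you match a PTR row to the connection it belongs to (155.61.62.23.in-addr.arpa is the lookup of 23.62.61.155, the www.bing.com peer); the beacon candidate has no such lookup, which is one more reason it stands apart from the host's own traffic.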

Files

memory/2436-0-0x00007FF65A1D0000-0x00007FF65A521000-memory.dmp

memory/2436-1-0x0000024AA0390000-0x0000024AA03A0000-memory.dmp

C:\Windows\System\ogLydMJ.exe

MD5 d431712c669fdda2a9efa1899d53f7f5
SHA1 682ec5556905b0380edca28cce5ada164f75a012
SHA256 cd9c6816381c86c6744486549e4379ea8315646d694ca99bc347988f26d20013
SHA512 4e9a8aeff091d00fc744e4bf93a274e03fde47114e06cf9313304f36faacb8c7a68dda7934b40ec31a71660270d7e3e2861a27e6eef626af4e7fd46d6721e821

memory/4604-8-0x00007FF662090000-0x00007FF6623E1000-memory.dmp

C:\Windows\System\WbzbEej.exe

MD5 9c16d803a7c590e5b742bc59bb1078c3
SHA1 b2032d75520d75bb87eba99b3cdce119a30699ff
SHA256 20374d95e56a8b74bd60c1f7f2cadf719534c22be5d3e0ca3f1e2bd3410b477a
SHA512 a7129fb7ce4f30656264ada5d8993faea359be152f9befe0acb9b359a72028155a8f97aec04a739bcd076f81d1899fb57086ab10e2e8ea672d832236eb69220e

C:\Windows\System\FzupgGq.exe

MD5 00862a608af64b39768b54522a4f0d78
SHA1 2eeadee677efd837987dcc1263128b662a65f8f8
SHA256 f10c3a6cf72f197f9b060dd23060598468e8460ff6856e47be377b280c973fca
SHA512 f6aebde56feab7cd59e45fc29beaf54e9f56d18299a1211afced75f0ab3451c0b98cd38b18605794e301030dc938312a68c1e3346352331adb31f2635d737d36

C:\Windows\System\SiFdHRG.exe

MD5 35952b90b5103f011c68c9ce595e813f
SHA1 5ce7dc4cf8afee8ae492483764a3a7b70a9691b1
SHA256 94c914fc87335a9615b7fa8bad2978d5c15ec0f99075586b373f83947d6631d3
SHA512 b75321a7dd515fe4444273288b1f156dfdc6a841807c4323b6cde9a12c0f88075069f8d5ca3e23626c2400ca3a763ddce927922270db99a8196e5b285e04e5b6

C:\Windows\System\qZmstFD.exe

MD5 5d3fe28b64395aa6f0be09badaed7047
SHA1 e680b989ac8604053648968b60c983e9e48bf55c
SHA256 3194f4cb839c5d558e8e4377edf58bd97c63837c42ead5d650d4879c2ac6af02
SHA512 c640fcf2aeb96f19d1bc00e3e7f034b831b1de778688fb7ee2b8a493463111f73dbc83f6c9ce951cb967f348032f673f27d837789f2f805267efb99ededfe633

C:\Windows\System\mFekmPY.exe

MD5 6f882a8a76639f0902dde88362fd0081
SHA1 61d4baa7ad68bca631440e257ed351a05e57c722
SHA256 8235de2a932da140afcfc73e1715d277deefb85a118f6df0b0fe6a6fafe9d744
SHA512 7167a47914cbd5710c9a2b461fda9928993106536f239f60014778a816d95c22f30efecfa9d76fe50a8c711a87cbd7deea568c73bd032f8c2f3d05b7beca76f6

C:\Windows\System\BSAcfwo.exe

MD5 8aa45d876fb81ee3d0435e98da0b4f9c
SHA1 2ad30ea7ac8af8223f5c39c30945a84554fa2b51
SHA256 e530f8207fcde8e52d39f08de111a99294187b1154a1e978bfcce652ce2776ef
SHA512 4f7ede61d2daffde3e452424f5efb31a3a94cce5a1ed4c31b73484343745635c45ff14f130bfa0a2d11fb5d8b0c4838f5d5554b150ba50e14e9db5da26233b86

C:\Windows\System\WRrcnbE.exe

MD5 41bbb08ac49ade1a8fd7c312ecfc0507
SHA1 fdf5f85acbedf649a26defd128044a7bd791a190
SHA256 cd90405a29879ff06d4b46587a0cf9bffdce7be77814c3c9df4acc5a01cd76d4
SHA512 2518c83ab649441ae093feca27e6be514f8797f26d66ca4719e5f6a1acc38cd4d8f370ca5398d0b630cca992a186c9891bb6e26722732c746eae4567e44f2ec1

C:\Windows\System\WUuOzlP.exe

MD5 b232b05c0f6891d6375f69c9442bd06a
SHA1 ab399343b5486ecca952fb55a138a415b26a2a2e
SHA256 526285f63a210f8f62d94440244176e1906d90502909a45fa6bf1bb1da8d6ebf
SHA512 9fce5e14432444403784fa284d4b12deb3357f7b7d718d6032b35c52ed3d458e39e1ca2f641cda838c7a0657020ebebcf92399ac1aefc36f9ff8cfeb0597b2c6

C:\Windows\System\kqaBemO.exe

MD5 1ff84e07c04b60ec169719e9313fb480
SHA1 8ec28e7fa8a82edb6c204ee859f77c9a4d7c4af6
SHA256 4b86e43b79e561cbf295d2ee520eca1c5f7026189daa961e484842e94db16a0f
SHA512 01a6bfd78f8d475f3f013c3967521c086eae5c5070d67d8f12ee12cf409291e65099989980e3e79f5422ed7a2e9a26cbee07dcaff579cdf08243df7d51cfd0c9

C:\Windows\System\UUJerys.exe

MD5 ec5c76fa91c4d0c50918fd22acfa4fc5
SHA1 2a0ace0bdcb4b8c4d0097138af78d3615c7e2133
SHA256 a0b145f2fee3ca14910e1de9632b716d02658136a994c0de6e983da41a3cf9ce
SHA512 a8aee27f8831a1f7892915e9e921c8b8c468bcea1f9fa96d88474a8dd2f107c178ad7fcada85dabbdd1ba7d4cdbeceefc887b1e5540cbba8388f37c3c1d85bd0

memory/2988-124-0x00007FF742BE0000-0x00007FF742F31000-memory.dmp

memory/4616-127-0x00007FF7D5660000-0x00007FF7D59B1000-memory.dmp

memory/4452-126-0x00007FF748560000-0x00007FF7488B1000-memory.dmp

memory/4808-125-0x00007FF684240000-0x00007FF684591000-memory.dmp

memory/4532-123-0x00007FF793B50000-0x00007FF793EA1000-memory.dmp

memory/932-122-0x00007FF731520000-0x00007FF731871000-memory.dmp

memory/2576-118-0x00007FF790D40000-0x00007FF791091000-memory.dmp

memory/840-117-0x00007FF6BF090000-0x00007FF6BF3E1000-memory.dmp

C:\Windows\System\zliRDKW.exe

MD5 5a4a47704c7282ddb4cd188a9745a0a9
SHA1 decabda3a76ae06b5626fbdf5b11e923fb88b2fb
SHA256 92d009cbd27f5c55b7d4e3dbd5342e30d7b4c9bac6bc1508fd4764588c1f9c03
SHA512 057ec4bfe7377793171eae7f7638d915705c7f34fa3f3cce54bfe1e9dc6cec0147ee5cea75b387ce761d611f61adec583b4680fe22ce16c16dd78fc0411b7432

C:\Windows\System\gSyuQuV.exe

MD5 b37bf14797121b9f67f339842618ef2a
SHA1 1d73c0678aa4368ba2ee7a0628fd59370e93472a
SHA256 82dc37c5140cd3c60ae630222e2a91c8a985edf149eb76c47cdc1f3d429450dd
SHA512 561e301552777158753d1663616d1ef122248253078976e5e171e1be795f99b911827c305a288b3ac36c59c1425a98bc8904da288ef53b571f64d4d54e9e3d3f

memory/2680-112-0x00007FF6CF9A0000-0x00007FF6CFCF1000-memory.dmp

C:\Windows\System\TbrkopN.exe

MD5 3ed894aff6c3974a0674e7dac10ba92d
SHA1 e4febc6b6df5aeda5c6422c2edc6b04735bee8f6
SHA256 2a4387bc4299ed24d662b7f414cb8f15dc8f8a161f02fafe018fda80b338012e
SHA512 4dc222565f40253e768660852ea0ab731ccb6b57bfbb78edabfafb831ddcb0f218aeed25a938772c3879f3e9affefe8a4b0336b251b82cba1c3a819f9667a46a

memory/5100-104-0x00007FF62DF70000-0x00007FF62E2C1000-memory.dmp

memory/3980-103-0x00007FF77D370000-0x00007FF77D6C1000-memory.dmp

C:\Windows\System\JEYHItk.exe

MD5 ce70868610aee82b3271df848f1eb24a
SHA1 e288baca20002bba998af6a8f22c0e9a74157825
SHA256 6702c0941eceb437aca560713a842cba061d73e9f05fd293f8cc7c03738dfef9
SHA512 8ab0391353a65df54560a620fe94528bff08d860640a37c6d7b7b50f8a39bcb0383a6407dbae014e0e58e7bb01b6024e2e357dc5600ff48131fb4b2868eae8a1

memory/2108-91-0x00007FF69BE70000-0x00007FF69C1C1000-memory.dmp

memory/4036-83-0x00007FF722E00000-0x00007FF723151000-memory.dmp

C:\Windows\System\ZyqaGcP.exe

MD5 a287527eeff9c17f58c7ef2c75d5f980
SHA1 c538fb442b63c6fbbc4d5f6c6e61d3f60eda87b1
SHA256 c096b875cea312d3124082f6be45e48da1f36547b2ea5cc797d125a9bc57cca1
SHA512 0ee619696b9d0178a89f031ed4dff8b22d4e0f5a9f20cf0880a47d0545046d9b63d1d7dec8af95c834b2e1738b187507a1d10b98cfed71a3c091e538bbf5cfdc

memory/1596-71-0x00007FF7BEBF0000-0x00007FF7BEF41000-memory.dmp

C:\Windows\System\XTaKVPf.exe

MD5 e1c825090657e3f5b600596b9e58510f
SHA1 a05683d293f7112fef53590c384f2c2696a2d5ec
SHA256 cb36bd63317dee56bd5aaee959ddedb622926067a6ad1469dea6b498f10dd787
SHA512 efe97e5ceeb59d9c09c625a79909a3f681433b440a18d9337e181bc9ca79333ba62cafc3f42d3395f2d90780759f8d4c821f1a3475111082f2b60a1ffb71b0de

C:\Windows\System\ldBwevM.exe

MD5 e5d5f4ea41207ed141e733d6f3e9c488
SHA1 63d865599960af56b3e793d0a1f8d6e6272f3f71
SHA256 221812bcdc7b8c9841f0efa617e954c7e964f8c18d7b8a5bea1423cc1d9982a5
SHA512 2d1f163beb1f06f6b54f2122f6499ac54496e672e8495b941be9e14542a05aea836d038d782c79ed6f6d2384580a716186102e8c50b3e1b3e5d108a826a47563

C:\Windows\System\mKmYvEn.exe

MD5 4c542877b55d03a4ea4ffe9d7576ad00
SHA1 9d4273d527a5504006e39342fbff32d30103a5b4
SHA256 91804fe21389e927a356842f7a988cef9ed19214f46e17102e45fdd17e2d223a
SHA512 ab249255382140cc2cb9b720def5144ed5a6af83842de0539b402018309ae594f15e2a6c08b69e2a1dce79beb7d63613e43d4cb2f6cb21647e0e60bb72d3c1c5

memory/1548-55-0x00007FF731430000-0x00007FF731781000-memory.dmp

memory/5036-66-0x00007FF7CFFA0000-0x00007FF7D02F1000-memory.dmp

memory/2504-48-0x00007FF6695D0000-0x00007FF669921000-memory.dmp

C:\Windows\System\cHLptxM.exe

MD5 5a4452f1095cf2d4e872499a358b18ff
SHA1 c959b2e6802847215647314bd09fc55b4691d17f
SHA256 2f290466bd6fcbaa96ffc04730363e8fbb62313326664ded79ae223d611fb6da
SHA512 251227406fd8b661640801a675ff5d5fee76157d01d25d411eb44fc22c1cea4edb2fe1cf26e7234e7f0dfc957ccf01d5df29fb2434d6991132c60bfb37099777

memory/2940-36-0x00007FF638F30000-0x00007FF639281000-memory.dmp

memory/400-22-0x00007FF63CA00000-0x00007FF63CD51000-memory.dmp

C:\Windows\System\FCiOZbv.exe

MD5 27365a44384057989f57b91cf2728531
SHA1 97bb72718a2336fbcc1384f9ce1777a8088c00c0
SHA256 327af3b7c75cdd1a3715dc175f2bc06e2b6c2be5bc10f36bfe5f3cad659b79b7
SHA512 6736c6e88f3e9297903aedc68597e64368ed493bd4f0158478a35319e662aac9e5ea735a025a62c0caf0a6a9c2848668e63f5ac3fede7552f17f4a508de43c7c

memory/2524-12-0x00007FF6463D0000-0x00007FF646721000-memory.dmp

memory/2436-128-0x00007FF65A1D0000-0x00007FF65A521000-memory.dmp

memory/2524-130-0x00007FF6463D0000-0x00007FF646721000-memory.dmp

memory/400-131-0x00007FF63CA00000-0x00007FF63CD51000-memory.dmp

memory/1548-136-0x00007FF731430000-0x00007FF731781000-memory.dmp

memory/5036-137-0x00007FF7CFFA0000-0x00007FF7D02F1000-memory.dmp

memory/2108-143-0x00007FF69BE70000-0x00007FF69C1C1000-memory.dmp

memory/4036-140-0x00007FF722E00000-0x00007FF723151000-memory.dmp

memory/1596-139-0x00007FF7BEBF0000-0x00007FF7BEF41000-memory.dmp

memory/840-141-0x00007FF6BF090000-0x00007FF6BF3E1000-memory.dmp

memory/2504-134-0x00007FF6695D0000-0x00007FF669921000-memory.dmp

memory/2940-132-0x00007FF638F30000-0x00007FF639281000-memory.dmp

memory/2436-150-0x00007FF65A1D0000-0x00007FF65A521000-memory.dmp

memory/2436-151-0x00007FF65A1D0000-0x00007FF65A521000-memory.dmp

memory/4604-198-0x00007FF662090000-0x00007FF6623E1000-memory.dmp

memory/2524-200-0x00007FF6463D0000-0x00007FF646721000-memory.dmp

memory/400-202-0x00007FF63CA00000-0x00007FF63CD51000-memory.dmp

memory/2940-204-0x00007FF638F30000-0x00007FF639281000-memory.dmp

memory/3980-206-0x00007FF77D370000-0x00007FF77D6C1000-memory.dmp

memory/5100-208-0x00007FF62DF70000-0x00007FF62E2C1000-memory.dmp

memory/1548-210-0x00007FF731430000-0x00007FF731781000-memory.dmp

memory/2504-212-0x00007FF6695D0000-0x00007FF669921000-memory.dmp

memory/2680-218-0x00007FF6CF9A0000-0x00007FF6CFCF1000-memory.dmp

memory/1596-216-0x00007FF7BEBF0000-0x00007FF7BEF41000-memory.dmp

memory/4036-215-0x00007FF722E00000-0x00007FF723151000-memory.dmp

memory/4808-223-0x00007FF684240000-0x00007FF684591000-memory.dmp

memory/5036-221-0x00007FF7CFFA0000-0x00007FF7D02F1000-memory.dmp

memory/840-234-0x00007FF6BF090000-0x00007FF6BF3E1000-memory.dmp

memory/4532-237-0x00007FF793B50000-0x00007FF793EA1000-memory.dmp

memory/4452-233-0x00007FF748560000-0x00007FF7488B1000-memory.dmp

memory/932-230-0x00007FF731520000-0x00007FF731871000-memory.dmp

memory/2988-228-0x00007FF742BE0000-0x00007FF742F31000-memory.dmp

memory/2108-226-0x00007FF69BE70000-0x00007FF69C1C1000-memory.dmp

memory/2576-225-0x00007FF790D40000-0x00007FF791091000-memory.dmp

memory/4616-238-0x00007FF7D5660000-0x00007FF7D59B1000-memory.dmp
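
The Files section repays reading as data rather than as a list: every dump of the parent's main module and of all 21 children covers a region of exactly 0x351000 bytes, while the 21 dropped EXEs all carry different hashes. Same image size with different content is consistent with the sample re-writing copies of itself with per-copy variation, although the report does not state that, and it means hash-based blocking of the drops will not generalise. The Python below is an added example, not part of the sandbox output: a parser for this Files format, run over an excerpt transcribed from above (the full section lists one dump per child and all 21 hashes), that groups dump regions by size and collects the per-file hashes, checking hex lengths so a transcription slip is caught instead of being ingested as an IOC.

```python
import re
from collections import defaultdict

# Excerpt transcribed from the Files section above, used as constructed input
# for the parser. Two dumps of PID 4604 cover the same region and should fold.
FILES_EXCERPT = r"""
memory/2436-0-0x00007FF65A1D0000-0x00007FF65A521000-memory.dmp

memory/2436-1-0x0000024AA0390000-0x0000024AA03A0000-memory.dmp

C:\Windows\System\ogLydMJ.exe

MD5 d431712c669fdda2a9efa1899d53f7f5
SHA1 682ec5556905b0380edca28cce5ada164f75a012
SHA256 cd9c6816381c86c6744486549e4379ea8315646d694ca99bc347988f26d20013
SHA512 4e9a8aeff091d00fc744e4bf93a274e03fde47114e06cf9313304f36faacb8c7a68dda7934b40ec31a71660270d7e3e2861a27e6eef626af4e7fd46d6721e821

memory/4604-8-0x00007FF662090000-0x00007FF6623E1000-memory.dmp

C:\Windows\System\WbzbEej.exe

MD5 9c16d803a7c590e5b742bc59bb1078c3
SHA1 b2032d75520d75bb87eba99b3cdce119a30699ff
SHA256 20374d95e56a8b74bd60c1f7f2cadf719534c22be5d3e0ca3f1e2bd3410b477a
SHA512 a7129fb7ce4f30656264ada5d8993faea359be152f9befe0acb9b359a72028155a8f97aec04a739bcd076f81d1899fb57086ab10e2e8ea672d832236eb69220e

memory/400-22-0x00007FF63CA00000-0x00007FF63CD51000-memory.dmp

C:\Windows\System\FCiOZbv.exe

MD5 27365a44384057989f57b91cf2728531
SHA1 97bb72718a2336fbcc1384f9ce1777a8088c00c0
SHA256 327af3b7c75cdd1a3715dc175f2bc06e2b6c2be5bc10f36bfe5f3cad659b79b7
SHA512 6736c6e88f3e9297903aedc68597e64368ed493bd4f0158478a35319e662aac9e5ea735a025a62c0caf0a6a9c2848668e63f5ac3fede7552f17f4a508de43c7c

memory/2524-12-0x00007FF6463D0000-0x00007FF646721000-memory.dmp

memory/4604-198-0x00007FF662090000-0x00007FF6623E1000-memory.dmp
"""

DUMP = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                  r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PATH = re.compile(r"^[A-Za-z]:\\")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (pid -> set of (start, end) regions, path -> {algo: hexdigest})."""
    regions = defaultdict(set)
    hashes = {}
    current = None  # path whose hash lines we are currently reading
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP.match(line)
        if m:
            regions[int(m["pid"])].add((int(m["start"], 16), int(m["end"], 16)))
            current = None
            continue
        if PATH.match(line):
            current = line
            hashes[current] = {}
            continue
        m = HASH.match(line)
        if m and current:
            algo, digest = m.groups()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} for {current} has length {len(digest)}")
            hashes[current][algo] = digest
    return regions, hashes


def region_sizes(regions):
    """pid -> sorted list of dumped region sizes in bytes."""
    return {pid: sorted(end - start for start, end in rs)
            for pid, rs in regions.items()}


def shared_image_size(regions):
    """Largest region size that every dumped PID has in common, or None."""
    per_pid = [{end - start for start, end in rs} for rs in regions.values()]
    common = set.intersection(*per_pid) if per_pid else set()
    return max(common) if common else None


if __name__ == "__main__":
    regions, hashes = parse_files_section(FILES_EXCERPT)
    print("shared region size:", hex(shared_image_size(regions)))
    for path, h in hashes.items():
        print(path, h["SHA256"])
```

Feeding the whole section through the same parser is the quick way to confirm the claim above for all 22 PIDs and to export the 21 SHA256 values as a block list, with the caveat that the list will only catch these exact copies.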

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 20:54

Reported

2024-05-29 20:57

Platform

win7-20240508-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 hits recorded; description, indicator, process and target not captured for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 hits recorded; description, indicator, process and target not captured for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(64 hits recorded; description, indicator, process and target not captured for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\OrtYgQu.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rMiOqCe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zXImhNx.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YOyqEqv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TYDcmVL.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ToMtzkO.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hgMmmdq.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sdLRVuf.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Omgwnjh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hfyZUAX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OAdjMDw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wssTifm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pKzlCVU.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\foMSQhX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qyytaQw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FvBCPyd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VFxsbkl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lOnAvJn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VANIDEy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WbOyOPy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UBAWINe.exe C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\YOyqEqv.exe
PID 2232 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WbOyOPy.exe
PID 2232 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TYDcmVL.exe
PID 2232 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\OrtYgQu.exe
PID 2232 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rMiOqCe.exe
PID 2232 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\zXImhNx.exe
PID 2232 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wssTifm.exe
PID 2232 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\pKzlCVU.exe
PID 2232 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UBAWINe.exe
PID 2232 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ToMtzkO.exe
PID 2232 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\VFxsbkl.exe
PID 2232 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\hgMmmdq.exe
PID 2232 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\lOnAvJn.exe
PID 2232 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\sdLRVuf.exe
PID 2232 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\Omgwnjh.exe
PID 2232 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\foMSQhX.exe
PID 2232 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\qyytaQw.exe
PID 2232 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\FvBCPyd.exe
PID 2232 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\hfyZUAX.exe
PID 2232 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\VANIDEy.exe
PID 2232 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe C:\Windows\System\OAdjMDw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-29_7f334cfdc9773fc0f97955dca8a860a2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\YOyqEqv.exe

C:\Windows\System\YOyqEqv.exe

C:\Windows\System\WbOyOPy.exe

C:\Windows\System\WbOyOPy.exe

C:\Windows\System\TYDcmVL.exe

C:\Windows\System\TYDcmVL.exe

C:\Windows\System\OrtYgQu.exe

C:\Windows\System\OrtYgQu.exe

C:\Windows\System\rMiOqCe.exe

C:\Windows\System\rMiOqCe.exe

C:\Windows\System\zXImhNx.exe

C:\Windows\System\zXImhNx.exe

C:\Windows\System\wssTifm.exe

C:\Windows\System\wssTifm.exe

C:\Windows\System\pKzlCVU.exe

C:\Windows\System\pKzlCVU.exe

C:\Windows\System\UBAWINe.exe

C:\Windows\System\UBAWINe.exe

C:\Windows\System\ToMtzkO.exe

C:\Windows\System\ToMtzkO.exe

C:\Windows\System\VFxsbkl.exe

C:\Windows\System\VFxsbkl.exe

C:\Windows\System\hgMmmdq.exe

C:\Windows\System\hgMmmdq.exe

C:\Windows\System\lOnAvJn.exe

C:\Windows\System\lOnAvJn.exe

C:\Windows\System\sdLRVuf.exe

C:\Windows\System\sdLRVuf.exe

C:\Windows\System\Omgwnjh.exe

C:\Windows\System\Omgwnjh.exe

C:\Windows\System\foMSQhX.exe

C:\Windows\System\foMSQhX.exe

C:\Windows\System\qyytaQw.exe

C:\Windows\System\qyytaQw.exe

C:\Windows\System\FvBCPyd.exe

C:\Windows\System\FvBCPyd.exe

C:\Windows\System\hfyZUAX.exe

C:\Windows\System\hfyZUAX.exe

C:\Windows\System\VANIDEy.exe

C:\Windows\System\VANIDEy.exe

C:\Windows\System\OAdjMDw.exe

C:\Windows\System\OAdjMDw.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\YOyqEqv.exe

C:\Windows\system\WbOyOPy.exe

C:\Windows\system\TYDcmVL.exe

C:\Windows\system\OrtYgQu.exe

C:\Windows\system\zXImhNx.exe

C:\Windows\system\rMiOqCe.exe

\Windows\system\ToMtzkO.exe

C:\Windows\system\VFxsbkl.exe

C:\Windows\system\sdLRVuf.exe

C:\Windows\system\qyytaQw.exe

\Windows\system\OAdjMDw.exe

C:\Windows\system\VANIDEy.exe

C:\Windows\system\hfyZUAX.exe

C:\Windows\system\FvBCPyd.exe

C:\Windows\system\foMSQhX.exe

C:\Windows\system\Omgwnjh.exe

C:\Windows\system\lOnAvJn.exe

C:\Windows\system\hgMmmdq.exe

C:\Windows\system\UBAWINe.exe

C:\Windows\system\wssTifm.exe

C:\Windows\system\pKzlCVU.exe