Malware Analysis Report

2025-01-22 19:52

Sample ID 240601-avrp3abh87
Target 2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike
SHA256 cca4bfa4f0a43fda6b2362704760d62e9bbc9c7fa60d66dd73b29f70f450d1ce
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10


Analysis Overview

score
10/10

SHA256

cca4bfa4f0a43fda6b2362704760d62e9bbc9c7fa60d66dd73b29f70f450d1ce

Threat Level: Known bad

The file 2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike

xmrig

Cobaltstrike family

Xmrig family

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 00:32

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 00:32

Reported

2024-06-01 00:34

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\rPAPjPI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oXIFNVU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nteFmYg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lzdgTZH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IwQpjtY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gXnETnq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zjHMvUc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mjuHzQK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YNfGhGY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ICrOyOp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dBSTeWl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IMGfHfd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OMCymCG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OXivdMJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sNccuAy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\obJvWOq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kDeQZSW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KzHuCuY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dAzmTul.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bHKntbb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IACfwoW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\IMGfHfd.exe
PID 2968 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\IMGfHfd.exe
PID 2968 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\zjHMvUc.exe
PID 2968 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\zjHMvUc.exe
PID 2968 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPAPjPI.exe
PID 2968 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPAPjPI.exe
PID 2968 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\mjuHzQK.exe
PID 2968 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\mjuHzQK.exe
PID 2968 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\KzHuCuY.exe
PID 2968 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\KzHuCuY.exe
PID 2968 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\dAzmTul.exe
PID 2968 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\dAzmTul.exe
PID 2968 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\oXIFNVU.exe
PID 2968 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\oXIFNVU.exe
PID 2968 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\OMCymCG.exe
PID 2968 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\OMCymCG.exe
PID 2968 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\nteFmYg.exe
PID 2968 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\nteFmYg.exe
PID 2968 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\OXivdMJ.exe
PID 2968 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\OXivdMJ.exe
PID 2968 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\YNfGhGY.exe
PID 2968 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\YNfGhGY.exe
PID 2968 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\sNccuAy.exe
PID 2968 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\sNccuAy.exe
PID 2968 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\obJvWOq.exe
PID 2968 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\obJvWOq.exe
PID 2968 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\kDeQZSW.exe
PID 2968 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\kDeQZSW.exe
PID 2968 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\ICrOyOp.exe
PID 2968 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\ICrOyOp.exe
PID 2968 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\bHKntbb.exe
PID 2968 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\bHKntbb.exe
PID 2968 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\lzdgTZH.exe
PID 2968 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\lzdgTZH.exe
PID 2968 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\dBSTeWl.exe
PID 2968 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\dBSTeWl.exe
PID 2968 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\IACfwoW.exe
PID 2968 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\IACfwoW.exe
PID 2968 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\IwQpjtY.exe
PID 2968 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\IwQpjtY.exe
PID 2968 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\gXnETnq.exe
PID 2968 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\gXnETnq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\IMGfHfd.exe

C:\Windows\System\IMGfHfd.exe

C:\Windows\System\zjHMvUc.exe

C:\Windows\System\zjHMvUc.exe

C:\Windows\System\rPAPjPI.exe

C:\Windows\System\rPAPjPI.exe

C:\Windows\System\mjuHzQK.exe

C:\Windows\System\mjuHzQK.exe

C:\Windows\System\KzHuCuY.exe

C:\Windows\System\KzHuCuY.exe

C:\Windows\System\dAzmTul.exe

C:\Windows\System\dAzmTul.exe

C:\Windows\System\oXIFNVU.exe

C:\Windows\System\oXIFNVU.exe

C:\Windows\System\OMCymCG.exe

C:\Windows\System\OMCymCG.exe

C:\Windows\System\nteFmYg.exe

C:\Windows\System\nteFmYg.exe

C:\Windows\System\OXivdMJ.exe

C:\Windows\System\OXivdMJ.exe

C:\Windows\System\YNfGhGY.exe

C:\Windows\System\YNfGhGY.exe

C:\Windows\System\sNccuAy.exe

C:\Windows\System\sNccuAy.exe

C:\Windows\System\obJvWOq.exe

C:\Windows\System\obJvWOq.exe

C:\Windows\System\kDeQZSW.exe

C:\Windows\System\kDeQZSW.exe

C:\Windows\System\ICrOyOp.exe

C:\Windows\System\ICrOyOp.exe

C:\Windows\System\bHKntbb.exe

C:\Windows\System\bHKntbb.exe

C:\Windows\System\lzdgTZH.exe

C:\Windows\System\lzdgTZH.exe

C:\Windows\System\dBSTeWl.exe

C:\Windows\System\dBSTeWl.exe

C:\Windows\System\IACfwoW.exe

C:\Windows\System\IACfwoW.exe

C:\Windows\System\IwQpjtY.exe

C:\Windows\System\IwQpjtY.exe

C:\Windows\System\gXnETnq.exe

C:\Windows\System\gXnETnq.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2968-0-0x00007FF6A6920000-0x00007FF6A6C74000-memory.dmp

memory/2968-1-0x00000208A8050000-0x00000208A8060000-memory.dmp

C:\Windows\System\IMGfHfd.exe

MD5 4ec11e717d41f5f11f382fda587e6940
SHA1 55568acedea52eec497a2bde9e2e8a92e6719728
SHA256 8844199e1d64d1086bb52d4cb773443c104ad71d8f1e9952c1935e2b5604fb4c
SHA512 bc3e7f31a07faf522c5631d2a6fe92bffbcb0b18169124219c8ef5b8e9a692a535a124973301188238f5ec1a714484ee86573dd1f285a9a93638c6a3be452758

C:\Windows\System\zjHMvUc.exe

MD5 3c01e170710c2ca1b72b34439eef8be6
SHA1 307d51a6856c3046cae3527691fe463e147e45d8
SHA256 fb49ee3c01386c618592e6ba6f9d1b50e8ea6e464e68aaa3dbdcb78dacdbaf97
SHA512 f8decc6c9c390bd003230bf5e620bcc11368b931b58ddd75cc1d8193cf42e2171fc179406df815e36b97b387d060a93a713295171f0c51e804715e4217b15e97

C:\Windows\System\rPAPjPI.exe

MD5 44f7eb60c3ec02ba3be8f2fab7de5487
SHA1 fd978fa62ee5c26567e49f97cdd921af50248c85
SHA256 aefd3efb296d0ac39ef0f55203d9499b9aaf13072fe2e00d9eed82495f7ce731
SHA512 b139b71ad988890557d792d6d0ac62c2f623765c30c509f4bfffb09d136d9c5af27a879e235c06158554be9bae87a1cec54dfcdaee8c02721303039212be018d

memory/3740-25-0x00007FF7828E0000-0x00007FF782C34000-memory.dmp

C:\Windows\System\mjuHzQK.exe

MD5 3b1f5000148f4a6d8bfdfcfc73c51f4a
SHA1 0b1115cd58dfa0fbbb974be41066f36a0058a29f
SHA256 85858479a938fa748cc87e153968a78b87cbc48ef66f65c293172a986d38ef6b
SHA512 1803e1c6fe25820544cefcad52687dad7674ed364bc056e0afc7e00e4ecdd460bd4ca61adaa05d876bbdf6a0bb44a29ac7c8aac5cb1e9f86c6da63b911df8e09

C:\Windows\System\dAzmTul.exe

MD5 60a6c3fee6862201e6dac742cd1feeee
SHA1 b3b8b9fe1bb4fd317baa0f036d8dbd8a0ec85f4c
SHA256 3b2e20cf90537c01ba8d5b545df6b17d2804f869fc2723c03b557a578ed44988
SHA512 57456d10c544e7d77568039215a9ae8108b610ebf1731918eb503915c0e0a6c6e576cbea9f4c90fedbb5fdfaea62e57b598278d26cfa73bae3f21e448a84036f

C:\Windows\System\oXIFNVU.exe

MD5 c9a1d13b355164b12ba61b9314c281a8
SHA1 66c4777dd4a9e20aa265fd5027287e416f155154
SHA256 0b0512a16dd97d7b82b8a00504e985480577253ac6559ffeb3d63a9a20aec8f3
SHA512 a675063ec7ff1ebf70b7e32f97fe81d5168bb7ffc6a11477af9bacdb74e8bbfb1534cbae171f6f7ec13fa34f9f8c04586b9d2fb02a580e208ce967ebd43f7054

C:\Windows\System\nteFmYg.exe

MD5 f2f3260cc76592544cb6b5d9f2b28c1f
SHA1 915c9bd39465f829f702961dc1334dfb8bcee443
SHA256 7a3e75430ceee7090d5742f149f4d30f0246ea191ee502f5a0673e4fc706b75a
SHA512 6761095833cfcab93645006a222e12db9a728f5bccd0824b08ab54aa5c4ff748061748c2c552f62ea2609454db81c601173b6a870fdc6508776231db951d352f

memory/4512-54-0x00007FF7F2000000-0x00007FF7F2354000-memory.dmp

memory/4904-53-0x00007FF745930000-0x00007FF745C84000-memory.dmp

C:\Windows\System\OMCymCG.exe

MD5 d3a6c1b14106368e95adf2aa86cd6717
SHA1 ccf737b534eba31f840cae357651a2545ea4caa1
SHA256 9398037d4c76ee236694afc027f06a79152f97060c6df6c3ebd39f89c82148e0
SHA512 35c836cb74f51ed1d994d2d5ee413f4b8ee32d8e08293f3f43172a1fdb39fabe97a8ce6bf4154f91bcde4c96628bd627d99825ddd336bc1ac5359fe8c0862583

memory/2940-48-0x00007FF634EF0000-0x00007FF635244000-memory.dmp

memory/3840-44-0x00007FF6CFC80000-0x00007FF6CFFD4000-memory.dmp

memory/564-42-0x00007FF7E13C0000-0x00007FF7E1714000-memory.dmp

memory/3592-41-0x00007FF7BF660000-0x00007FF7BF9B4000-memory.dmp

C:\Windows\System\KzHuCuY.exe

MD5 e57762736c9536c18a0d4e99e75fadd4
SHA1 4255b7ae160ef5f9cd60004fb3e666c494f45ec9
SHA256 cc1c16b42b05cb7216f5b3fb53789dab9e75eca21db12987dba00d776d12ef69
SHA512 d4c8a4dfab3125e4daff952f3d2415d0ddc77dbbef64838dcfb470a541ed168ce4547d5e3fe15ef757c1654ae140525e571a0024cc642098577b985b9d660fc5

memory/4932-21-0x00007FF78DEE0000-0x00007FF78E234000-memory.dmp

memory/4768-15-0x00007FF7AEB10000-0x00007FF7AEE64000-memory.dmp

C:\Windows\System\OXivdMJ.exe

MD5 4ff731363d840945a35397940d49a14b
SHA1 60fe36c99226d090e4d9b7eee525f2613eb1c53d
SHA256 6fb3ec50e6f594314cdc067b0a70b264f673554ecee8d4d33f97f7745d16dc93
SHA512 8e15516554471bfa872f62e501f56d40a7db7514a525c0cd6a35bd8502f1bb5ccea274667e9444b00790a90995b1717c6d8a767fb84836f20b578465a7eb6966

memory/3348-60-0x00007FF6A0A70000-0x00007FF6A0DC4000-memory.dmp

C:\Windows\System\YNfGhGY.exe

MD5 f2de52387f86444895abf431220b2ce1
SHA1 5c10000a4f08f3e6cd292c857064874824f49403
SHA256 ab103f09f8a371532168214375ea7f1d53c83e102aa009f544c0751978ce7126
SHA512 ad0d4d2499a9a06c7348c7dea7c1d34d7dce555bb393d970821b2485efdaecc8c11b170f6209cab3a3455f17230e806468aa184bb53622c13f25c04623c2c9f7

memory/1228-66-0x00007FF666D00000-0x00007FF667054000-memory.dmp

C:\Windows\System\sNccuAy.exe

MD5 d7afe95a0e90ca8fa1fcfa71522bbf80
SHA1 73d49a2164b71daf3aa73ce83505008a2a1a04e3
SHA256 2752e057c4d0bb20c29d634afa30b22d6a51bbfafbcbf87891e9c2633bb49011
SHA512 48c0dc9bd4d0c7d10f5c8122219b2cb37e7a52c991d48050dccf66442b0c0465306e3ff9b5e8aa127913bfd4f8302511f57dddef0e1e32cc43b12e7383e02eba

memory/1216-74-0x00007FF6D0DB0000-0x00007FF6D1104000-memory.dmp

C:\Windows\System\obJvWOq.exe

MD5 cdb320bb855d23ae8b19f70e5c668c44
SHA1 cdcd2a52d6faf9fc490eee8fcdfad6e16f6c7139
SHA256 d4f5d75deb40d2bad3d91998ee13f56089e822ebeed1a4dbbb5cd571bacbb705
SHA512 3360afa4137f07ca485dff204af3b2ae2882c66eac746f648e3cab5b4bab28fd1bd03e1df0b9d799a8a2b4ce3c4e5e872fc849379185fc704f05cee078d50ba4

memory/704-80-0x00007FF706460000-0x00007FF7067B4000-memory.dmp

C:\Windows\System\kDeQZSW.exe

MD5 42ea0c9d2295c1d067a23eb5292ae1a5
SHA1 cbfe6f7606a333c60063d91cd5a2f94e700f61c8
SHA256 16b45e7e650e88f8c8a14311f6e1939c08b8b366a12b578c4057001991ae5c3f
SHA512 528dbdbb4593c0c2005297fd49522665d58d549caf09bd63c77d8e05b79b249b3c3547c1b3857b9fea09e6f01a465914cea85d2780b4d609d7c22574b7bcc266

C:\Windows\System\lzdgTZH.exe

MD5 1e12f7d3aea495c9e6f3dc1b94009b2c
SHA1 f13b7c56a991151b8079988c3c3566f5a5d35584
SHA256 e660ec83d5e7221f936bf7c24dfc8a71408b60e450a0aac6e51e27d04158a5eb
SHA512 a082b973d45d51ae36db5454d97a0da3fe25b5caef9f80636d493d1cc2609acc7d1c0f511ac776d3c29602de9aba314d0d312cd7479a739939d4a6004c1504d6

C:\Windows\System\bHKntbb.exe

MD5 2b340e898d947006fe0b4c296c2bc6de
SHA1 3defae3b5213f674ddf642fd4fbe298a5450d379
SHA256 27dbd43af11a0ca7bf30a7501ac7a50851bdcd2960a568f96d0e53fc8372d767
SHA512 71d01e71b05d3c88f1338a7f0d02fccad4f95d44dd98aefbea71fd547461eaf718abc1696297272b144213723dcac8a0b670d329d8ba22caf0ba22b6923aa864

C:\Windows\System\dBSTeWl.exe

MD5 ebb32630365a7d6730550d8197b8741c
SHA1 a19ac6ad7553ddc55848d65f372eebcf238b7748
SHA256 00a3404738eeb9fdb63ca4700ffa0c1acb00c7043df389feb626f26511e2f1c7
SHA512 8357c899e54c0feb5a22ccab57e2df2553932c1ec3a2220da2a2f730e89722e94ed8170217fbd2d5a4f1c32548d017ee17fd05477076569e9020af847bc26b82

memory/1924-109-0x00007FF722670000-0x00007FF7229C4000-memory.dmp

C:\Windows\System\IACfwoW.exe

MD5 4108c5d7740e8f70d359e7554d79c782
SHA1 9411c95287c41db5af312cc3afd02066b34d173e
SHA256 414578a5bcc69fa9b550735b68c3bad4b0dadbce6cdd2c65d131453c4a604e4a
SHA512 8f3e7b87ed9634fe0b0e65f77c1b079a0d47bb889c5a7c6275653e6bfaa4840ff13fd3fc189b10d2f1eb911efdc6776095c29612d77ede4c24e8f9cc89d59bb3

memory/2596-116-0x00007FF761F80000-0x00007FF7622D4000-memory.dmp

C:\Windows\System\gXnETnq.exe

MD5 c138c7c2e8febbe1e31975ae82fc44cf
SHA1 7dfa7bef0ef3906fa124c82b4a76a95b31f3f527
SHA256 e60fd70c639b948e2f3b72584b655b5c0dc44e25924f96812722752917a27c5c
SHA512 4959006274f926b4b574f02710b569d1178b2c41c92cadb6cf1638f5eeb48e262752b383f69202e397afd071c11cac02cf87838cee40dc5913cdc2a2aed7a1e9

C:\Windows\System\IwQpjtY.exe

MD5 03bcc13922121dd6b7dfc0791f17132d
SHA1 27a9b6e7059a23cb710747cb5f27a74ef02c05a3
SHA256 c945ffc9a464fa721cc2b5eca0b489727edf4c06c2ca34bf3928ed7722690732
SHA512 21fe2295dd58cef199cca4c4b5cf5fc01c10c4e7f3f46bb5c2b5144bc077dfffa981b50f99611351b7110dbddd5d6df383dc309d9ad63901b28a037fc96f8ea3

memory/1692-120-0x00007FF75C080000-0x00007FF75C3D4000-memory.dmp

memory/1592-112-0x00007FF633910000-0x00007FF633C64000-memory.dmp

memory/1296-108-0x00007FF688150000-0x00007FF6884A4000-memory.dmp

memory/3344-100-0x00007FF698230000-0x00007FF698584000-memory.dmp

C:\Windows\System\ICrOyOp.exe

MD5 7606e4a28cb007e97ca502c595822637
SHA1 0a597ae9c7f0e0279b4d2696dcce407bab308a0a
SHA256 f85f1d6f5d1492af6204966887fe02ffb8b2a0691957408798bfdc2ae33cfecd
SHA512 33f6ba2d496148af5d308146949540dec8a94b06163e410687a981a6da52edf5d5584371db850cdd0b7d932897abf8bfefda9bc793ecc6882ce8e8838ada6b3b


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 00:32

Reported

2024-06-01 00:34

Platform

win7-20240419-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gxnLWxf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FkmAxEk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uYSzhNe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TrUyFMZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vFQCpAl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sJmqyGe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uoRnUIg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VyPpxEc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BEjTuwT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mmKVVfK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hTljCJw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SbWbmsY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PaJSGVF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CBzqmLd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nAOEtln.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QYYkaEF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MbRxepY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\svglGRI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HyYlTuI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JeGQDzF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UefhLkZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\FkmAxEk.exe
PID 2068 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\FkmAxEk.exe
PID 2068 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\FkmAxEk.exe
PID 2068 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\nAOEtln.exe
PID 2068 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\nAOEtln.exe
PID 2068 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\nAOEtln.exe
PID 2068 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\QYYkaEF.exe
PID 2068 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\QYYkaEF.exe
PID 2068 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\QYYkaEF.exe
PID 2068 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\MbRxepY.exe
PID 2068 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\MbRxepY.exe
PID 2068 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\MbRxepY.exe
PID 2068 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\uYSzhNe.exe
PID 2068 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\uYSzhNe.exe
PID 2068 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\uYSzhNe.exe
PID 2068 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\TrUyFMZ.exe
PID 2068 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\TrUyFMZ.exe
PID 2068 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\TrUyFMZ.exe
PID 2068 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\mmKVVfK.exe
PID 2068 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\mmKVVfK.exe
PID 2068 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\mmKVVfK.exe
PID 2068 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\vFQCpAl.exe
PID 2068 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\vFQCpAl.exe
PID 2068 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\vFQCpAl.exe
PID 2068 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\sJmqyGe.exe
PID 2068 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\sJmqyGe.exe
PID 2068 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\sJmqyGe.exe
PID 2068 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\uoRnUIg.exe
PID 2068 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\uoRnUIg.exe
PID 2068 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\uoRnUIg.exe
PID 2068 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\CBzqmLd.exe
PID 2068 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\CBzqmLd.exe
PID 2068 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\CBzqmLd.exe
PID 2068 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\svglGRI.exe
PID 2068 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\svglGRI.exe
PID 2068 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\svglGRI.exe
PID 2068 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\hTljCJw.exe
PID 2068 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\hTljCJw.exe
PID 2068 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\hTljCJw.exe
PID 2068 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\HyYlTuI.exe
PID 2068 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\HyYlTuI.exe
PID 2068 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\HyYlTuI.exe
PID 2068 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\JeGQDzF.exe
PID 2068 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\JeGQDzF.exe
PID 2068 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\JeGQDzF.exe
PID 2068 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\SbWbmsY.exe
PID 2068 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\SbWbmsY.exe
PID 2068 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\SbWbmsY.exe
PID 2068 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\VyPpxEc.exe
PID 2068 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\VyPpxEc.exe
PID 2068 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\VyPpxEc.exe
PID 2068 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\gxnLWxf.exe
PID 2068 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\gxnLWxf.exe
PID 2068 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\gxnLWxf.exe
PID 2068 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\PaJSGVF.exe
PID 2068 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\PaJSGVF.exe
PID 2068 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\PaJSGVF.exe
PID 2068 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\BEjTuwT.exe
PID 2068 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\BEjTuwT.exe
PID 2068 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\BEjTuwT.exe
PID 2068 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\UefhLkZ.exe
PID 2068 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\UefhLkZ.exe
PID 2068 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe C:\Windows\System\UefhLkZ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\FkmAxEk.exe

C:\Windows\System\FkmAxEk.exe

C:\Windows\System\nAOEtln.exe

C:\Windows\System\nAOEtln.exe

C:\Windows\System\QYYkaEF.exe

C:\Windows\System\QYYkaEF.exe

C:\Windows\System\MbRxepY.exe

C:\Windows\System\MbRxepY.exe

C:\Windows\System\uYSzhNe.exe

C:\Windows\System\uYSzhNe.exe

C:\Windows\System\TrUyFMZ.exe

C:\Windows\System\TrUyFMZ.exe

C:\Windows\System\mmKVVfK.exe

C:\Windows\System\mmKVVfK.exe

C:\Windows\System\vFQCpAl.exe

C:\Windows\System\vFQCpAl.exe

C:\Windows\System\sJmqyGe.exe

C:\Windows\System\sJmqyGe.exe

C:\Windows\System\uoRnUIg.exe

C:\Windows\System\uoRnUIg.exe

C:\Windows\System\CBzqmLd.exe

C:\Windows\System\CBzqmLd.exe

C:\Windows\System\svglGRI.exe

C:\Windows\System\svglGRI.exe

C:\Windows\System\hTljCJw.exe

C:\Windows\System\hTljCJw.exe

C:\Windows\System\HyYlTuI.exe

C:\Windows\System\HyYlTuI.exe

C:\Windows\System\JeGQDzF.exe

C:\Windows\System\JeGQDzF.exe

C:\Windows\System\SbWbmsY.exe

C:\Windows\System\SbWbmsY.exe

C:\Windows\System\VyPpxEc.exe

C:\Windows\System\VyPpxEc.exe

C:\Windows\System\gxnLWxf.exe

C:\Windows\System\gxnLWxf.exe

C:\Windows\System\PaJSGVF.exe

C:\Windows\System\PaJSGVF.exe

C:\Windows\System\BEjTuwT.exe

C:\Windows\System\BEjTuwT.exe

C:\Windows\System\UefhLkZ.exe

C:\Windows\System\UefhLkZ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2068-0-0x000000013F330000-0x000000013F684000-memory.dmp

memory/2068-1-0x00000000002F0000-0x0000000000300000-memory.dmp

\Windows\system\FkmAxEk.exe

MD5 2fa3fb4c1fc35c70b917e4c935ae08fb
SHA1 b42b6dadf98b0a9f22c3a8da10fcb0ddc1940a8f
SHA256 e3433dfb9bbc873ecb4fa9e9d0af814888a889a2b36b8031a9a1efe4e0cbd9ab
SHA512 e3fd48448ac35fcb5ea5e14cca489d1f8a45b52f4b8d67d08061c2e40891173ad401d5671b071bc189b709673a1f29dc8c3413061e4103fe713738dafceb9a56

memory/2068-7-0x00000000021E0000-0x0000000002534000-memory.dmp

memory/1664-9-0x000000013F040000-0x000000013F394000-memory.dmp

\Windows\system\nAOEtln.exe

MD5 f33b4dddfe72b1eb6825eadcbcb3f746
SHA1 5fa7f4edfa48ec6367f078546cd250a00ed9d887
SHA256 11528cbb4c1d8ed1931421bfc4848b8d268ea5b455721936510e0d726153fdf7
SHA512 0c1d8a63a5de62969fa1d810b0f221ba75f6f3f77c6aac0410a61773833e5b58cca56263d70106915f81abb39cc4921cefc79cfb1dea6e84b42190b58ca0b39e

memory/2068-13-0x000000013F860000-0x000000013FBB4000-memory.dmp

C:\Windows\system\QYYkaEF.exe

MD5 b971d7a0d33d39f947e9eea7f72f59b6
SHA1 37b813cfe76bcfb02b460d5541b755da1039f181
SHA256 63920a860cb2a2b81a7e5964133323c7343ff428802f974de937afc54d39d363
SHA512 834fd22707f0c8f91b7b38dd22909e99f58065bad3214f8ead12b564d8427d18334677e98bbac4458404263105310ae6ed9e4b926751486adfd02dfb42ed82a2

memory/2928-35-0x000000013F820000-0x000000013FB74000-memory.dmp

memory/2452-33-0x000000013F050000-0x000000013F3A4000-memory.dmp

C:\Windows\system\uYSzhNe.exe

MD5 d6b920a896c8e68105e436db589a081a
SHA1 4a617256a85ef98bb6d219fac1e21d109657f354
SHA256 e8f648e5c0ac7768050db1704f7da44d7f9c3f2f3bb3ee13e4f79f80cf922f89
SHA512 aebfc47c80db9c7975bd692d01dbc2d27994cc55736006b72fd245f99ef986c02f3ee0662ea13cbdcb63e253dfc8748f07bf1259617d9233707c29b477e4b89c

C:\Windows\system\MbRxepY.exe

MD5 4d92dd77d7b93a26aff1db9dc0ce6fc1
SHA1 f5876b93651d3fb1cb1da81861402fb61bdcd215
SHA256 cd65824bdb9df17d47ceebb672c95510ca254658172cff393fb2eb85b46a04de
SHA512 a89b9ed588e2524be10258a0463d1e317cb26fb847fee7a723df93ae6990de4f689cc18dcfe692b8cb6569def30c2e26fc24a7f5709ac81435f1c1307cd04cfa

memory/2068-29-0x00000000021E0000-0x0000000002534000-memory.dmp

memory/2916-25-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2780-15-0x000000013F860000-0x000000013FBB4000-memory.dmp

C:\Windows\system\TrUyFMZ.exe

MD5 026145a1e02d70adc5c3037c82206d84
SHA1 72af845368177641507cdad91bb4de2a6281d66b
SHA256 008fca83f42787bd8cba30930bc98d78f84602dc3a3db16732ce1c38c1a94933
SHA512 6fe299a55f239cfb0c7727bbc59c2fa86f6752a9c05f1fc1e546aa6457bdf824642b9386879244c5538a07a9a0dabd30f222349bc1adc882f1c6e5ed8df02033

memory/2068-40-0x00000000021E0000-0x0000000002534000-memory.dmp

memory/2668-41-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2068-55-0x000000013FFF0000-0x0000000140344000-memory.dmp

\Windows\system\uoRnUIg.exe

MD5 3a4af91ef29297f29bf1409fd348a66a
SHA1 feca1fffe27114b34ee0bfefa19343875833b303
SHA256 0a7888f7453e62735bafcc9375adf12f78be97f87d908d2c59f1af87fec34585
SHA512 523a5188030731f7efa5e801a4c6f2980ca65bcbf7bd3a1533914c96a5d1f3f9ae9eea846cdd32703349753dd7c413520f76793b77b8990d4d9a52cf8ee9318e

\Windows\system\mmKVVfK.exe

MD5 24236efda85f76b9955e8311c627aa99
SHA1 ba54e1daafc761a6815361c514e891e0fff3b4df
SHA256 0afcb9ce81096a23f5262506e12d34ca7dbd0bba9e3792769ddf12ce1d0a315f
SHA512 28657e0633cebb82e6e1a2c00f45efad1fb9e945c23c0f7c77d7c3633ae5f294f1bb40abc59a99dcfe0630f5f29765bb183838924eea3b42199f9597dad478b7

memory/2068-54-0x000000013F330000-0x000000013F684000-memory.dmp

C:\Windows\system\vFQCpAl.exe

MD5 eb1a3e8b66d8c37bfcc47aa86ee3f62e
SHA1 79f2cc6c21ebe7eac33627f7d92c1070bbc88a50
SHA256 53966012b3269d4ccfd2e787da5d01a424a4730d094483828561cd2f98b41d06
SHA512 744a295fba7dc234a4bc58bcc21398caed645548d038fc5e2cfdd08a0cf205680fc2187dc1a3272e1e12debea93d7221de2db04e9e599114ba1eb3ab7afd2557

C:\Windows\system\CBzqmLd.exe

MD5 a933b963295c79358766d57ad5ac6034
SHA1 4f838409cc78082438f39f09dab926fd7fcb3fe9
SHA256 60bdb1f264890f38a92ea7f09b8ac11764924bb5794072db2b6a74f2c7d38c62
SHA512 9d415b76325b270b226e1fa0db12428922daf69d3db5a891a6582973f105cab9cccd234d15e5888686d2143f19355519de76b7a7da16e5b13ccf510aa08b4175

memory/2068-80-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/2916-79-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/3004-75-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2836-74-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/2780-73-0x000000013F860000-0x000000013FBB4000-memory.dmp

C:\Windows\system\sJmqyGe.exe

MD5 e58f4bbe6e35c515c399cbc2762f8d64
SHA1 6ab8c0fc0564847bf7a6216be3b047f4586dd554
SHA256 04f88c0a032db0d7dabbee95bb7de8fc03edb5dc247e87f8c1feb5b1eea8f5e3
SHA512 d9950590a3f7875639865eb20b125abf5186c408f0e95feda5616a32ccab8b28a86ca801544302e6bb095721eea86961a91644294f8c5de9fd9cc3fc0093195b

memory/2068-69-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2656-66-0x000000013F9B0000-0x000000013FD04000-memory.dmp

\Windows\system\svglGRI.exe

MD5 4b01037ecb53788672ac5aca7e009191
SHA1 9ef2d12264c092ef12059a5b54a225c33ef53617
SHA256 7c6cb53e802603841a064c8340d12a5b63d4af482116c0fc8fb8d5a7aa0be18e
SHA512 07d1efa478f9b4e6a09f8fbb5d425cfcea2ad0c1fc2902931cbf36e50e517f91fc8dec90dff443ff99ce95a4b066a85a921a0157bbd080bb4963b3361c95e605

memory/2420-85-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/2452-95-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2068-96-0x00000000021E0000-0x0000000002534000-memory.dmp

memory/2940-91-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/2068-90-0x000000013FD20000-0x0000000140074000-memory.dmp

C:\Windows\system\hTljCJw.exe

MD5 d87f9f56a8a7acd109668aeceb10197a
SHA1 d02cac39e8fe0b85a97ca4d9a6221381cbd98bc8
SHA256 df63815eb86c09e36a58e83851014c4cb06ecb4bc00bc8211b6a5ed678e4249b
SHA512 5fa52d382ecb36aecfcb2b7147a0e7e5a9c1169bf72b1319ff5951f249f1ec3d93da481b54193baaa26c35c9e1cc2478c4ac01702a3306d5fbe7f3d455522a04

memory/1052-97-0x000000013F620000-0x000000013F974000-memory.dmp

C:\Windows\system\HyYlTuI.exe

MD5 4d4a55d4c5a67e31948746f611235129
SHA1 519177a2bcca1df365f306d87b155aa92b92dfa0
SHA256 01194ef15d03543b103dd042c260fb5f4fd6638c46ea2a14570b2c354bf3781b
SHA512 88366d6ebdf2fe1ad959cbd513d714ea8ae8bb5546c0cf11df62ad4d3a0c6511d6779ef2e4031c1cfd174f0c4fdac4f56f3c386014d06de402f39cdaf0558e20

\Windows\system\UefhLkZ.exe

MD5 107a542680a3cac679459f9c76d3bd32
SHA1 f995be0a376cded62343a481c8316b3d8ef8a40a
SHA256 f2e02d332fccdb846c3cf1fb3815a26b82fb637805b0d7805fef4e8546eb9e7a
SHA512 ec8a4e45fa00f4f1290bab361632cdc6b8dfe9d87d87f3cb4c5ce955990ee99379d5d6f5b71a65e21d5c88babaf8882b08c05c69e05fa0c5fc5897bb957edc6a

C:\Windows\system\PaJSGVF.exe

MD5 7a985fb91afcb086bc82c5e42b273d88
SHA1 217cff9360aea03e8188cc93dbe0487b4dff1c3a
SHA256 9d7355a7bd58dd8958e061d2306eaa9daa4777405fc801a120e4e23e8c676e09
SHA512 ac667426476b1d69efd8b4109ff5bc5d63ba1d17788d5546fcc6b800f3e7db4173d4995bee715771af19a91af2538d2f159f9704aaada3ecb67d107f9b6d5208

C:\Windows\system\BEjTuwT.exe

MD5 9bb976c5e11ce23370a83c19dd3621d4
SHA1 09e090b82989cfeb19c80e27df2fe7202830227b
SHA256 83dcde576e01acd8b5ab5fb84678a5f54ff3c4dc161101bea00bafdc53fb8ef2
SHA512 2a487339bd0246d68d21f473610380947de70b181d82e137cc2ca7aef25ee1e0aa6ea7e3b7bed3285e713dfdaf57733eb61f02cad3b6cc6dd77faada176ea961

C:\Windows\system\VyPpxEc.exe

MD5 48c2b12e1fb7f27e17e16d8d14b3e71f
SHA1 3081e20a33c35064ba4ec45104686fdcf79b92e2
SHA256 43fb81a57099ddf3c046b892896fdbc60e463d03d94e3441969f8841c8ecc31c
SHA512 0958fab851b541a05f98c97c98c3586fc71b6ea510c856af56124b9a2bf742b575f19b04beeb4d8e5c92d2b1d86ac6d054ee23f60888c80a5b0062ead3d3bd72

C:\Windows\system\gxnLWxf.exe

MD5 03a41ce0ad6b16aea26aade8ae2100d3
SHA1 7fc9032a13710592b1b9e60efbbf3842a335a25a
SHA256 c5ffe0baf99f13e6d4bc40e500afdcf74ce506d0650f59472879a7372a451c84
SHA512 d197d7a0b07d15b2e76b5a41042cc456be5eb551830005b24291055d43c8dc6c0c1eecb426c78b70f1b74964755ef11b14332e9b9d4256761bf971850ca10274

memory/2068-104-0x00000000021E0000-0x0000000002534000-memory.dmp

C:\Windows\system\SbWbmsY.exe

MD5 13381a96e5a5b9c7ab0406bca980cdcd
SHA1 482ebb11c01b6626bbb37d74e0a7c55101cdb816
SHA256 636c79f86fff413525e030478212443ae4209a463524564f655ea66404ba7b20
SHA512 e1a80e385dd3af6dabac10a42ad8d0a281ae7b08ce6b111dab4c7b179dc4b06dfc1117a603a1d525d234b6f5b779c33ae560511b5e0396034dcaac716f32687b

memory/2668-103-0x000000013F530000-0x000000013F884000-memory.dmp

C:\Windows\system\JeGQDzF.exe

MD5 42c44e7d9f98eb898828396688adb76e
SHA1 a195c6ce85fc700d881c0eaf8ebf0273fd421129
SHA256 dc940099b270941a29b5181a7e9ba7819e2f5046df985add3261b0a61569051b
SHA512 49ec42c13e3a5a7f9c6e21cf37603a263b19cad849269bf4adf52c042c3c55e0a4a04ef11f3f979a9ec7d5f77e317a3f12ceaf894867b4fff5d5aeb9b1efa3ec

memory/2776-137-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2528-136-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/2776-59-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2528-48-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/2068-47-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/2068-138-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2656-139-0x000000013F9B0000-0x000000013FD04000-memory.dmp

memory/2836-141-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/3004-142-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2068-143-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/2068-144-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/2940-145-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/2068-146-0x00000000021E0000-0x0000000002534000-memory.dmp

memory/1052-147-0x000000013F620000-0x000000013F974000-memory.dmp

memory/1664-148-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2916-149-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2780-150-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2452-151-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2928-152-0x000000013F820000-0x000000013FB74000-memory.dmp

memory/2668-153-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2528-154-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/2776-155-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2656-156-0x000000013F9B0000-0x000000013FD04000-memory.dmp

memory/2836-158-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/3004-157-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2420-159-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/1052-160-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2940-161-0x000000013FD20000-0x0000000140074000-memory.dmp